From e17adf741c5e1ffdbac38f4bb09bf4516272a264 Mon Sep 17 00:00:00 2001
From: DoI <5291556+denandz@users.noreply.github.com>
Date: Tue, 2 Apr 2024 16:19:54 +1300
Subject: [PATCH 1/4] Add additional password to Wazuh default cred check

---
 http/default-logins/wazuh-default-login.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml
index d2bd97b963..95abefdfad 100644
--- a/http/default-logins/wazuh-default-login.yaml
+++ b/http/default-logins/wazuh-default-login.yaml
@@ -9,6 +9,7 @@ info:
   reference:
     - https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html
     - https://wazuh.com
+    - https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#single-node-deployment
   metadata:
     verified: true
     max-request: 4
@@ -36,6 +37,7 @@ http:
       password:
         - "admin"
         - "wazuh"
+        - "SecretPassword"
     stop-at-first-match: true
 
     matchers-condition: and

From 28285e2eb12ba69e2805578901d483ae7ac3f3ff Mon Sep 17 00:00:00 2001
From: DoI <5291556+denandz@users.noreply.github.com>
Date: Tue, 2 Apr 2024 16:20:59 +1300
Subject: [PATCH 2/4] Add author to wazuh default login check

---
 http/default-logins/wazuh-default-login.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml
index 95abefdfad..5b470a64d6 100644
--- a/http/default-logins/wazuh-default-login.yaml
+++ b/http/default-logins/wazuh-default-login.yaml
@@ -2,7 +2,7 @@ id: wazuh-default-login
 
 info:
   name: Wazuh - Default Login
-  author: theamanrawat
+  author: theamanrawat,denandz
   severity: high
   description: |
     Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.

From c6443247ecb541248ef91ca4e941400eb400fd7b Mon Sep 17 00:00:00 2001
From: DoI <5291556+denandz@users.noreply.github.com>
Date: Tue, 2 Apr 2024 18:12:19 +1300
Subject: [PATCH 3/4] Fix Wazuh extractor logic

---
 http/default-logins/wazuh-default-login.yaml | 32 +++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml
index 5b470a64d6..de2b2a816d 100644
--- a/http/default-logins/wazuh-default-login.yaml
+++ b/http/default-logins/wazuh-default-login.yaml
@@ -2,7 +2,7 @@ id: wazuh-default-login
 
 info:
   name: Wazuh - Default Login
-  author: theamanrawat,denandz
+  author: theamanrawat,denandz,PulseSecurity.co.nz
   severity: high
   description: |
     Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
@@ -12,24 +12,35 @@ info:
     - https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#single-node-deployment
   metadata:
     verified: true
-    max-request: 4
+    max-request: 6
     shodan-query: title:"Wazuh"
   tags: wazuh,default-login
 
 http:
+  - method: GET
+    path:
+    - "{{BaseURL}}/app/login"
+
+    extractors:
+      - type: regex
+        part: body
+        name: osd
+        group: 1
+        internal: true
+        regex:
+          - '"version":"([0-9.]+)"'
+
   - raw:
-      - |
-        GET /app/login?nextUrl=%2Fapp%2Fwazuh HTTP/1.1
-        Host: {{Hostname}}
       - |
         POST /auth/login HTTP/1.1
         Host: {{Hostname}}
         Osd-Version: {{osd}}
+        osd-xsrf: osd-fetch
         Content-Type: application/json
 
         {"username":"{{username}}","password":"{{password}}"}
 
-    attack: pitchfork
+    attack: clusterbomb
     payloads:
       username:
         - "admin"
@@ -59,12 +70,3 @@ http:
         status:
           - 200
 
-    extractors:
-      - type: regex
-        name: osd
-        group: 1
-        regex:
-          - '"version":"([0-9.]+)"'
-        internal: true
-
-# digest: 4b0a00483046022100de2c876067d0aa43fb62771bff3c3adea76873a9f0982f98856a1ed321b58d48022100a60ef9271fd209ecadc68b365c82e4176cd78fe24526dcbe7a8cd8772b0337cf:922c64590222798bb761d5b6d8e72950
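Review bot: The POST in the `raw` block now depends on `{{osd}}` being filled by the new GET block's `internal: true` extractor, and nothing in the hunk covers the case where the `/app/login` body carries no `"version":"x.y.z"` string (a reverse proxy or a customised login page, for instance); as far as I can tell the template would then either send a literal `Osd-Version: {{osd}}`, which OpenSearch Dashboards is expected to reject with a version-mismatch error, or skip the request altogether, so a host with default credentials would quietly produce no finding. A short comment above the extractor would spare the next maintainer a debugging session, e.g. `# OSD requires Osd-Version to match the server build; pulled from the /app/login bundle and reused in the POST below`, and the same goes for `osd-xsrf: osd-fetch`, which is the anti-CSRF header OSD demands on non-GET requests. Separately, with `attack: clusterbomb`, the single visible `admin` username and three passwords, the run is one GET plus three POSTs, so `max-request: 6` looks over-stated unless the username list continues past the hunk — worth checking with the template validator. The `raw` block's payload and matcher sections run past the end of this hunk.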
From 967fcdd3a14c2e88bbfe02603c9d63fc7332ec77 Mon Sep 17 00:00:00 2001
From: DoI <5291556+denandz@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:40:28 +1300
Subject: [PATCH 4/4] Update wazuh-default-login.yaml

YAML linting
---
 http/default-logins/wazuh-default-login.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml
index de2b2a816d..2c2c323160 100644
--- a/http/default-logins/wazuh-default-login.yaml
+++ b/http/default-logins/wazuh-default-login.yaml
@@ -19,7 +19,7 @@ info:
 http:
   - method: GET
     path:
-    - "{{BaseURL}}/app/login"
+      - "{{BaseURL}}/app/login"
 
     extractors:
       - type: regex
@@ -69,4 +69,3 @@ http:
       - type: status
         status:
           - 200
-