Land #5112, Nessus REST Login Module
commit
284ef5bbbb
|
@ -0,0 +1,94 @@
|
|||
|
||||
require 'metasploit/framework/login_scanner/http'
|
||||
|
||||
module Metasploit
|
||||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
class Nessus < HTTP
|
||||
|
||||
DEFAULT_PORT = 8834
|
||||
PRIVATE_TYPES = [ :password ]
|
||||
LIKELY_SERVICE_NAMES = [ 'nessus' ]
|
||||
LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name
|
||||
|
||||
|
||||
# Checks if the target is a Tenable Nessus server.
|
||||
#
|
||||
# @return [Boolean] TrueClass if target is Nessus server, otherwise FalseClass
|
||||
def check_setup
|
||||
login_uri = "/server/properties"
|
||||
res = send_request({'uri'=> login_uri})
|
||||
if res && res.body.include?('Nessus')
|
||||
return true
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
# Actually doing the login. Called by #attempt_login
|
||||
#
|
||||
# @param username [String] The username to try
|
||||
# @param password [String] The password to try
|
||||
# @return [Hash]
|
||||
# * :status [Metasploit::Model::Login::Status]
|
||||
# * :proof [String] the HTTP response body
|
||||
def get_login_state(username, password)
|
||||
login_uri = "#{uri}"
|
||||
|
||||
res = send_request({
|
||||
'uri' => login_uri,
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'username' => username,
|
||||
'password' => password
|
||||
}
|
||||
})
|
||||
|
||||
unless res
|
||||
return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
|
||||
end
|
||||
if res.code == 200 && res.body =~ /token/
|
||||
return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.body.to_s}
|
||||
end
|
||||
|
||||
{:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
|
||||
end
|
||||
|
||||
|
||||
# Attempts to login to Nessus.
|
||||
#
|
||||
# @param credential [Metasploit::Framework::Credential] The credential object
|
||||
# @return [Result] A Result object indicating success or failure
|
||||
def attempt_login(credential)
|
||||
result_opts = {
|
||||
credential: credential,
|
||||
status: Metasploit::Model::Login::Status::INCORRECT,
|
||||
proof: nil,
|
||||
host: host,
|
||||
port: port,
|
||||
protocol: 'tcp'
|
||||
}
|
||||
|
||||
begin
|
||||
result_opts.merge!(get_login_state(credential.public, credential.private))
|
||||
rescue ::Rex::ConnectionError => e
|
||||
# Something went wrong during login. 'e' knows what's up.
|
||||
result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
|
||||
end
|
||||
|
||||
Result.new(result_opts)
|
||||
end
|
||||
|
||||
def set_sane_defaults
|
||||
super
|
||||
# nessus_rest_login has the same default in TARGETURI, but rspec doesn't check nessus_rest_login
|
||||
# so we have to set the default here, too.
|
||||
self.uri = '/session'
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1,140 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'metasploit/framework/login_scanner/nessus'
|
||||
require 'metasploit/framework/credential_collection'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Nessus RPC Interface Login Utility',
|
||||
'Description' => %q{
|
||||
This module will attempt to authenticate to a Nessus server RPC interface.
|
||||
},
|
||||
'Author' => [ 'void_in' ],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8834),
|
||||
OptString.new('TARGETURI', [ true, 'The path to the Nessus server login API', '/session']),
|
||||
OptBool.new('SSL', [true, 'Negotiate SSL for outgoing connections', true]),
|
||||
OptEnum.new('SSLVersion', [false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
# Initializes CredentialCollection and Nessus Scanner
|
||||
def init(ip)
|
||||
@cred_collection = Metasploit::Framework::CredentialCollection.new(
|
||||
blank_passwords: datastore['BLANK_PASSWORDS'],
|
||||
pass_file: datastore['PASS_FILE'],
|
||||
password: datastore['PASSWORD'],
|
||||
user_file: datastore['USER_FILE'],
|
||||
userpass_file: datastore['USERPASS_FILE'],
|
||||
username: datastore['USERNAME'],
|
||||
user_as_pass: datastore['USER_AS_PASS']
|
||||
)
|
||||
|
||||
@scanner = Metasploit::Framework::LoginScanner::Nessus.new(
|
||||
host: ip,
|
||||
port: datastore['RPORT'],
|
||||
uri: datastore['TARGETURI'],
|
||||
cred_details: @cred_collection,
|
||||
stop_on_success: datastore['STOP_ON_SUCCESS'],
|
||||
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
|
||||
connection_timeout: 5
|
||||
)
|
||||
@scanner.ssl = datastore['SSL']
|
||||
@scanner.ssl_version = datastore['SSLVERSION']
|
||||
end
|
||||
|
||||
|
||||
# Reports a good login credential
|
||||
def do_report(ip, port, result)
|
||||
service_data = {
|
||||
address: ip,
|
||||
port: port,
|
||||
service_name: 'http',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
module_fullname: self.fullname,
|
||||
origin_type: :service,
|
||||
private_data: result.credential.private,
|
||||
private_type: :password,
|
||||
username: result.credential.public,
|
||||
}.merge(service_data)
|
||||
|
||||
login_data = {
|
||||
core: create_credential(credential_data),
|
||||
last_attempted_at: DateTime.now,
|
||||
status: result.status,
|
||||
proof: result.proof
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
|
||||
# Attempts to login
|
||||
def bruteforce(ip)
|
||||
@scanner.scan! do |result|
|
||||
case result.status
|
||||
when Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
|
||||
do_report(ip, rport, result)
|
||||
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
|
||||
vprint_brute :level => :verror, :ip => ip, :msg => result.proof
|
||||
invalidate_login(
|
||||
address: ip,
|
||||
port: rport,
|
||||
protocol: 'tcp',
|
||||
public: result.credential.public,
|
||||
private: result.credential.private,
|
||||
realm_key: result.credential.realm_key,
|
||||
realm_value: result.credential.realm,
|
||||
status: result.status,
|
||||
proof: result.proof
|
||||
)
|
||||
when Metasploit::Model::Login::Status::INCORRECT
|
||||
vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
|
||||
invalidate_login(
|
||||
address: ip,
|
||||
port: rport,
|
||||
protocol: 'tcp',
|
||||
public: result.credential.public,
|
||||
private: result.credential.private,
|
||||
realm_key: result.credential.realm_key,
|
||||
realm_value: result.credential.realm,
|
||||
status: result.status,
|
||||
proof: result.proof
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Start here
|
||||
def run_host(ip)
|
||||
init(ip)
|
||||
unless @scanner.check_setup
|
||||
print_brute :level => :error, :ip => ip, :msg => 'Target is not a Tenable Nessus server'
|
||||
return
|
||||
end
|
||||
|
||||
bruteforce(ip)
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,122 @@
|
|||
require 'spec_helper'
|
||||
require 'metasploit/framework/login_scanner/nessus'
|
||||
|
||||
describe Metasploit::Framework::LoginScanner::Nessus do
|
||||
|
||||
subject(:http_scanner) { described_class.new }
|
||||
|
||||
it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: true, has_default_realm: false
|
||||
it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
|
||||
|
||||
let(:username) do
|
||||
'username'
|
||||
end
|
||||
|
||||
let(:good_password) do
|
||||
'good_password'
|
||||
end
|
||||
|
||||
let(:bad_password) do
|
||||
'bad_password'
|
||||
end
|
||||
|
||||
let(:successful_auth_response) do
|
||||
res = Rex::Proto::Http::Response.new(200, 'OK')
|
||||
res.body = 'token'
|
||||
res
|
||||
end
|
||||
|
||||
let(:fail_auth_response) do
|
||||
Rex::Proto::Http::Response.new(401, 'Unauthorized')
|
||||
end
|
||||
|
||||
let(:response) do
|
||||
Rex::Proto::Http::Response.new(200, 'OK')
|
||||
end
|
||||
|
||||
before(:each) do
|
||||
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:request_cgi).with(any_args)
|
||||
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:send_recv).with(any_args).and_return(response)
|
||||
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:set_config).with(any_args)
|
||||
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:close)
|
||||
allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect)
|
||||
end
|
||||
|
||||
describe '#check_setup' do
|
||||
let(:msp_html_response) do
|
||||
res = Rex::Proto::Http::Response.new(200, 'OK')
|
||||
res.body = 'Nessus'
|
||||
res
|
||||
end
|
||||
|
||||
context 'when target is Nessus' do
|
||||
let(:response) { msp_html_response }
|
||||
it 'returns true' do
|
||||
expect(http_scanner.check_setup).to be_truthy
|
||||
end
|
||||
end
|
||||
|
||||
context 'when target is not Nessus' do
|
||||
it 'returns false' do
|
||||
expect(http_scanner.check_setup).to be_falsey
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#get_login_state' do
|
||||
it 'sends a login request to /session' do
|
||||
allow(http_scanner).to receive(:send_request).with(hash_including('uri'=>'/session')).and_return(response)
|
||||
http_scanner.get_login_state(username, good_password)
|
||||
end
|
||||
|
||||
it 'sends a login request containing the username and password' do
|
||||
expected_hash = {
|
||||
'vars_post' => {
|
||||
"username" => username,
|
||||
"password" => good_password
|
||||
}
|
||||
}
|
||||
allow(http_scanner).to receive(:send_request).with(hash_including(expected_hash)).and_return(response)
|
||||
http_scanner.get_login_state(username, good_password)
|
||||
end
|
||||
|
||||
context 'when the credential is valid' do
|
||||
let(:response) { successful_auth_response }
|
||||
it 'returns a hash indicating a successful login' do
|
||||
successful_status = Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
expect(http_scanner.get_login_state(username, good_password)[:status]).to eq(successful_status)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the creential is invalid' do
|
||||
let(:response) { fail_auth_response }
|
||||
it 'returns a hash indicating an incorrect cred' do
|
||||
incorrect_status = Metasploit::Model::Login::Status::INCORRECT
|
||||
expect(http_scanner.get_login_state(username, good_password)[:status]).to eq(incorrect_status)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#attempt_login' do
|
||||
context 'when the credential is valid' do
|
||||
let(:response) { successful_auth_response }
|
||||
|
||||
it 'returns a Result object indicating a successful login' do
|
||||
cred_obj = Metasploit::Framework::Credential.new(public: username, private: good_password)
|
||||
result = http_scanner.attempt_login(cred_obj)
|
||||
expect(result).to be_kind_of(::Metasploit::Framework::LoginScanner::Result)
|
||||
expect(result.status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the credential is invalid' do
|
||||
let(:response) { fail_auth_response }
|
||||
it 'returns a Result object indicating an incorrect cred' do
|
||||
cred_obj = Metasploit::Framework::Credential.new(public: username, private: bad_password)
|
||||
result = http_scanner.attempt_login(cred_obj)
|
||||
expect(result).to be_kind_of(::Metasploit::Framework::LoginScanner::Result)
|
||||
expect(result.status).to eq(Metasploit::Model::Login::Status::INCORRECT)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue