GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/nessus/nessus_rest_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/nessus'
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its options.
  #
  # Defaults set here: SSL enabled, RPORT 8834, TARGETURI '/session'.
  # HttpUsername/HttpPassword are deregistered; #init reads USERNAME and
  # PASSWORD from the datastore instead.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    metadata = update_info(
      info,
      'Name' => 'Nessus RPC Interface Login Utility',
      'Description' => %q{
        This module will attempt to authenticate to a Nessus server RPC interface.
      },
      'Author' => [ 'void_in' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SSL' => true
      },
      # NOTE(review): all three notes are left as UNKNOWN_*. A module that
      # submits repeated login attempts normally leaves authentication-failure
      # entries in the target's logs and may trip lockout policies; consider
      # declaring that explicitly (e.g. IOC_IN_LOGS / ACCOUNT_LOCKOUTS) so
      # operators and reviewers see it before running against production.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(metadata)

    module_options = [
      Opt::RPORT(8834),
      OptString.new('TARGETURI', [ true, 'The path to the Nessus server login API', '/session'])
    ]
    register_options(module_options)

    deregister_options('HttpUsername', 'HttpPassword')
  end

  # Builds the credential collection and the Nessus login scanner for one host
  # and stores them in @cred_collection and @scanner.
  #
  # @param ip [String] address of the host under test
  def init(ip)
    @cred_collection = build_credential_collection(
      password: datastore['PASSWORD'],
      username: datastore['USERNAME']
    )

    scanner_settings = configure_http_login_scanner(
      host: ip,
      port: datastore['RPORT'],
      uri: datastore['TARGETURI'],
      proxies: datastore['PROXIES'],
      cred_details: @cred_collection,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      # Fixed value, not exposed as an option; presumably seconds - confirm
      # against the LoginScanner implementation.
      connection_timeout: 5
    )
    @scanner = Metasploit::Framework::LoginScanner::Nessus.new(scanner_settings)

    # Transport settings are applied after construction, straight from the datastore.
    @scanner.ssl = datastore['SSL']
    @scanner.ssl_version = datastore['SSLVERSION']
  end

  # Records a working credential pair and the login that proved it.
  #
  # The password is handed to create_credential as private_data with
  # private_type :password, i.e. in clear text. Presumably this lands in the
  # framework's workspace database (not visible in this file), so that store
  # should be handled as sensitive engagement data.
  #
  # @param ip [String] address of the host the login succeeded on
  # @param port [Integer] service port
  # @param result [Object] scanner result exposing #credential, #status and #proof
  def do_report(ip, port, result)
    # NOTE(review): service_name is always 'http', although SSL defaults to
    # true for this module - confirm this is the intended label for TLS targets.
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    found = result.credential
    credential_data = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: found.private,
      private_type: :password,
      username: found.public
    }.merge(service_data)

    # The core credential is created first; the login record then links to it.
    login_data = {
      core: create_credential(credential_data),
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Runs the scanner over the credential collection and handles each result.
  #
  # SUCCESSFUL results are printed and reported; UNABLE_TO_CONNECT and
  # INCORRECT results are printed in verbose mode only and passed to
  # invalidate_login. Any other status is ignored.
  #
  # The success line interpolates result.credential, so console output (and
  # any spool or log capturing it) presumably contains the recovered secret;
  # treat those files like the credential store itself.
  #
  # @param ip [String] address of the host under test
  def bruteforce(ip)
    login_status = Metasploit::Model::Login::Status

    @scanner.scan! do |result|
      case result.status
      when login_status::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        do_report(ip, rport, result)
      when login_status::UNABLE_TO_CONNECT, login_status::INCORRECT
        # Connection failures show the scanner's proof text; wrong
        # credentials show the attempted credential.
        detail =
          if result.status == login_status::INCORRECT
            "Failed: '#{result.credential}'"
          else
            result.proof
          end
        vprint_brute(level: :verror, ip: ip, msg: detail)

        attempted = result.credential
        invalidate_login(
          address: ip,
          port: rport,
          protocol: 'tcp',
          public: attempted.public,
          private: attempted.private,
          realm_key: attempted.realm_key,
          realm_value: attempted.realm,
          status: result.status,
          proof: result.proof
        )
      end
    end
  end

  # Per-host entry point: sets up the scanner, checks that the target passes
  # the scanner's check_setup probe, and only then starts the login attempts.
  #
  # @param ip [String] address of the host under test
  def run_host(ip)
    init(ip)
    return bruteforce(ip) if @scanner.check_setup

    # No login attempts are made against hosts that fail the check.
    print_brute(level: :error, ip: ip, msg: 'Target is not a Tenable Nessus server')
    nil
  end
end