##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/login_scanner/nessus'
require 'metasploit/framework/credential_collection'
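class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Seconds the login scanner waits for a TCP connection before giving up on
  # an attempt. Kept fixed rather than exposed as a datastore option.
  CONNECTION_TIMEOUT = 5

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nessus RPC Interface Login Utility',
        'Description' => %q{
          This module will attempt to authenticate to a Nessus server RPC interface.
        },
        'Author' => [ 'void_in' ],
        'License' => MSF_LICENSE,
        # The Nessus web/RPC interface on 8834 is normally served over TLS, so
        # SSL is on unless the operator turns it off.
        'DefaultOptions' => { 'SSL' => true }
      )
    )
    register_options(
      [
        Opt::RPORT(8834),
        OptString.new('TARGETURI', [ true, 'The path to the Nessus server login API', '/session'])
      ]
    )

    # Credentials come from the AuthBrute options (USERNAME/PASSWORD and their
    # list variants), not from HttpClient's basic-auth options.
    deregister_options('HttpUsername', 'HttpPassword')
  end

  # Builds the credential collection and the Nessus login scanner for +ip+.
  #
  # Port, URI, proxies, stop-on-success, speed, SSL and SSL version are read
  # from the datastore; the connection timeout is CONNECTION_TIMEOUT.
  #
  # @param ip [String] the host being scanned
  # @return [void]
  def init(ip)
    @cred_collection = build_credential_collection(
      password: datastore['PASSWORD'],
      username: datastore['USERNAME']
    )

    @scanner = Metasploit::Framework::LoginScanner::Nessus.new(
      configure_http_login_scanner(
        host: ip,
        port: datastore['RPORT'],
        uri: datastore['TARGETURI'],
        proxies: datastore['PROXIES'],
        cred_details: @cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: CONNECTION_TIMEOUT
      )
    )
    # configure_http_login_scanner does not carry the TLS settings; set them
    # on the scanner directly.
    @scanner.ssl = datastore['SSL']
    @scanner.ssl_version = datastore['SSLVERSION']
  end

  # Records a successful login in the database: a credential core built from
  # the result's public/private parts, then a login row tied to the service.
  #
  # @param ip [String] target address
  # @param port [Integer] target port
  # @param result [Object] login scanner result exposing #credential, #status
  #   and #proof
  # @return [Object] the value of create_credential_login
  def do_report(ip, port, result)
    service_data = {
      address: ip,
      port: port,
      service_name: 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: result.credential.private,
      private_type: :password,
      username: result.credential.public
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      # NOTE(review): DateTime (not Time) is what this module has always passed
      # for last_attempted_at; confirm against create_credential_login before
      # changing the type.
      last_attempted_at: DateTime.now,
      status: result.status,
      proof: result.proof
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Runs the scanner against +ip+ and handles each attempt: a success is
  # printed and stored via do_report; a connection failure or a wrong
  # credential is printed at verbose level and marked invalid. Any other
  # status falls through unreported.
  #
  # @param ip [String] target address
  # @return [void]
  def bruteforce(ip)
    @scanner.scan! do |result|
      case result.status
      when Metasploit::Model::Login::Status::SUCCESSFUL
        print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
        do_report(ip, rport, result)
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
        vprint_brute(level: :verror, ip: ip, msg: result.proof)
        invalidate_attempt(ip, result)
      when Metasploit::Model::Login::Status::INCORRECT
        vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
        invalidate_attempt(ip, result)
      end
    end
  end

  # Entry point the Scanner mixin calls once per target host. Sets up the
  # scanner, confirms the target answers like a Nessus server (check_setup)
  # and only then starts the credential run.
  #
  # @param ip [String] target address
  # @return [void]
  def run_host(ip)
    init(ip)
    unless @scanner.check_setup
      print_brute(level: :error, ip: ip, msg: 'Target is not a Tenable Nessus server')
      return
    end

    bruteforce(ip)
  end

  private

  # Records a failed attempt through the Report mixin's invalidate_login so
  # the credential is marked invalid for ip:rport. Shared by the
  # UNABLE_TO_CONNECT and INCORRECT branches of bruteforce.
  #
  # @param ip [String] target address
  # @param result [Object] login scanner result exposing #credential, #status
  #   and #proof
  # @return [void]
  def invalidate_attempt(ip, result)
    invalidate_login(
      address: ip,
      port: rport,
      protocol: 'tcp',
      public: result.credential.public,
      private: result.credential.private,
      realm_key: result.credential.realm_key,
      realm_value: result.credential.realm,
      status: result.status,
      proof: result.proof
    )
  end
end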