require 'English'
require 'nexpose'
require 'rest-client'
module Msf
Nexpose_yaml = "#{Msf::Config.config_directory}/nexpose.yaml".freeze
class Plugin::Nexpose < Msf::Plugin
class NexposeCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
def name
'Nexpose'
end
def commands
{
'nexpose_connect' => 'Connect to a running Nexpose instance ( user:pass@host[:port] )',
'nexpose_save' => 'Save credentials to a Nexpose instance',
'nexpose_activity' => 'Display any active scan jobs on the Nexpose instance',
'nexpose_scan' => 'Launch a Nexpose scan against a specific IP range and import the results',
'nexpose_discover' => 'Launch a scan but only perform host and minimal service discovery',
'nexpose_exhaustive' => 'Launch a scan covering all TCP ports and all authorized safe checks',
'nexpose_dos' => 'Launch a scan that includes checks that can crash services and devices (caution)',
'nexpose_disconnect' => 'Disconnect from an active Nexpose instance',
'nexpose_sites' => 'List all defined sites',
'nexpose_site_devices' => 'List all discovered devices within a site',
'nexpose_site_import' => 'Import data from the specified site ID',
'nexpose_report_templates' => 'List all available report templates',
'nexpose_command' => 'Execute a console command on the Nexpose instance',
'nexpose_sysinfo' => 'Display detailed system information about the Nexpose instance'
}
end
def nexpose_verify_db
if !(framework.db && framework.db.usable && framework.db.active)
print_error('No database has been configured, please use db_connect first')
return false
end
true
end
def nexpose_verify
return false if !nexpose_verify_db
if !@nsc
print_error("No active Nexpose instance has been configured, please use 'nexpose_connect'")
return false
end
true
end
def cmd_nexpose_save(*args)
if args[0] == '-h'
print_status('Usage: ')
print_status(' nexpose_save')
return
end
if args[0]
print_status('Usage: ')
print_status(' nexpose_save')
return
end
group = 'default'
if ((@user && !@user.empty?) && (@host && !@host.empty?) && (@port && !@port.empty? && (@port.to_i > 0)) && (@pass && !@pass.empty?))
config = { group.to_s => { 'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port, 'trust_cert' => @trust_cert } }
::File.open(Nexpose_yaml.to_s, 'wb') { |f| f.puts YAML.dump(config) }
print_good("#{Nexpose_yaml} created.")
else
print_error('Missing username/password/server/port - relogin and then try again.')
return
end
end
def cmd_nexpose_connect(*args)
return if !nexpose_verify_db
if !args[0] && ::File.readable?(Nexpose_yaml.to_s)
lconfig = YAML.load_file(Nexpose_yaml.to_s)
@user = lconfig['default']['username']
@pass = lconfig['default']['password']
@host = lconfig['default']['server']
@port = lconfig['default']['port']
@trust_cert = lconfig['default']['trust_cert']
unless @trust_cert
@sslv = 'ok'
end
nexpose_login
return
end
if (args.empty? || args[0].empty? || (args[0] == '-h'))
nexpose_usage
return
end
@user = @pass = @host = @port = @sslv = @trust_cert = @trust_cert_file = nil
case args.length
when 1, 2
cred, _split, targ = args[0].rpartition('@')
@user, @pass = cred.split(':', 2)
targ ||= '127.0.0.1:3780'
@host, @port = targ.split(':', 2)
@port ||= '3780'
unless args.length == 1
@trust_cert_file = args[1]
if File.exist? @trust_cert_file
@trust_cert = File.read(@trust_cert_file)
else
@sslv = @trust_cert_file
end
end
when 4, 5
@user, @pass, @host, @port, @trust_cert = args
unless args.length == 4
@trust_cert_file = @trust_cert
if File.exist? @trust_cert_file
@trust_cert = File.read(@trust_cert_file)
else
@sslv = @trust_cert_file
end
end
else
nexpose_usage
return
end
nexpose_login
end
def nexpose_usage
print_status('Usage: ')
print_status(' nexpose_connect username:password@host[:port] <ssl-confirm || trusted_cert_file>')
print_status(' -OR- ')
print_status(' nexpose_connect username password host port <ssl-confirm || trusted_cert_file>')
end
def nexpose_login
if !((@user && !@user.empty?) && (@host && !@host.empty?) && (@port && !@port.empty? && (@port.to_i > 0)) && (@pass && !@pass.empty?))
nexpose_usage
return
end
if ((@host != 'localhost') && (@host != '127.0.0.1') && (@trust_cert.nil? && @sslv != 'ok'))
print_error('Warning: SSL connections are not verified in this release, it is possible for an attacker')
print_error(' with the ability to man-in-the-middle the Nexpose traffic to capture the Nexpose')
print_error(" credentials. If you are running this on a trusted network, please pass in 'ok'")
print_error(' as an additional parameter to this command.')
return
end
begin
cmd_nexpose_disconnect
rescue ::Interrupt
raise $ERROR_INFO
rescue ::Exception
end
begin
print_status("Connecting to Nexpose instance at #{@host}:#{@port} with username #{@user}...")
nsc = Nexpose::Connection.new(@host, @user, @pass, @port, nil, nil, @trust_cert)
nsc.login
rescue ::Nexpose::APIError => e
print_error("Connection failed: #{e.reason}")
return
end
@nsc = nsc
nexpose_compatibility_check
nsc
end
def cmd_nexpose_activity(*_args)
return if !nexpose_verify
scans = @nsc.scan_activity || []
case scans.length
when 0
print_status('There are currently no active scan jobs on this Nexpose instance')
when 1
print_status('There is 1 active scan job on this Nexpose instance')
else
print_status("There are currently #{scans.length} active scan jobs on this Nexpose instance")
end
scans.each do |scan|
print_status(" Scan ##{scan.scan_id} is running on Engine ##{scan.engine_id} against site ##{scan.site_id} since #{scan.start_time}")
end
end
def cmd_nexpose_sites(*_args)
return if !nexpose_verify
sites = @nsc.list_sites || []
case sites.length
when 0
print_status('There are currently no active sites on this Nexpose instance')
end
sites.each do |site|
print_status(" Site ##{site.id} '#{site.name}' Risk Factor: #{site.risk_factor} Risk Score: #{site.risk_score}")
end
end
def cmd_nexpose_site_devices(*args)
return if !nexpose_verify
site_id = args.shift
if !site_id
print_error('No site ID was specified')
return
end
devices = @nsc.list_site_devices(site_id) || []
case devices.length
when 0
print_status('There are currently no devices within this site')
end
devices.each do |device|
print_status(" Host: #{device.address} ID: #{device.id} Risk Factor: #{device.risk_factor} Risk Score: #{device.risk_score}")
end
end
def cmd_nexpose_report_templates(*_args)
return if !nexpose_verify
res = @nsc.list_report_templates || []
res.each do |report|
print_status(" Template: #{report.id} Name: '#{report.name}' Description: #{report.description}")
end
end
def cmd_nexpose_command(*args)
return if !nexpose_verify
if args.empty?
print_error('No command was specified')
return
end
res = @nsc.console_command(args.join(' ')) || ''
print_status('Command Output')
print_line(res)
print_line('')
end
def cmd_nexpose_sysinfo(*_args)
return if !nexpose_verify
res = @nsc.system_information
print_status('System Information')
res.each_pair do |k, v|
print_status(" #{k}: #{v}")
end
end
def nexpose_compatibility_check
res = @nsc.console_command('ver')
if res !~ /^(NSC|Console) Version ID:\s*4[89]0\s*$/m
print_error('')
print_error('Warning: This version of Nexpose has not been tested with Metasploit!')
print_error('')
end
end
def cmd_nexpose_site_import(*args)
site_id = args.shift
if !site_id
print_error('No site ID was specified')
return
end
msfid = Time.now.to_i
report_formats = ['raw-xml-v2', 'ns-xml']
report_format = report_formats.shift
report = Nexpose::ReportConfig.build(@nsc, site_id, "Metasploit Export #{msfid}", 'pentest-audit', report_format, true)
report.delivery = Nexpose::Delivery.new(true)
begin
report.format = report_format
report.save(@nsc)
rescue ::Exception => e
report_format = report_formats.shift
if report_format
retry
end
raise e
end
print_status('Generating the export data file...')
last_report = nil
until last_report
last_report = @nsc.last_report(report.id)
select(nil, nil, nil, 1.0)
end
url = last_report.uri
print_status('Downloading the export data...')
data = @nsc.download(url)
@nsc.delete_report_config(report.id)
print_status('Importing Nexpose data...')
process_nexpose_data(report_format, data)
end
def cmd_nexpose_discover(*args)
args << '-h' if args.empty?
args << '-t'
args << 'aggressive-discovery'
cmd_nexpose_scan(*args)
end
def cmd_nexpose_exhaustive(*args)
args << '-h' if args.empty?
args << '-t'
args << 'exhaustive-audit'
cmd_nexpose_scan(*args)
end
def cmd_nexpose_dos(*args)
args << '-h' if args.empty?
args << '-t'
args << 'dos-audit'
cmd_nexpose_scan(*args)
end
def cmd_nexpose_scan(*args)
opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'This help menu'],
'-t' => [ true, 'The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)'],
'-c' => [ true, 'Specify credentials to use against these targets (format is type:user:pass'],
'-n' => [ true, 'The maximum number of IPs to scan at a time (default is 32)'],
'-s' => [ true, 'The directory to store the raw XML files from the Nexpose instance (optional)'],
'-P' => [ false, 'Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)'],
'-v' => [ false, 'Display diagnostic information about the scanning process'],
'-d' => [ false, 'Scan hosts based on the contents of the existing database'],
'-I' => [ true, 'Only scan systems with an address within the specified range'],
'-E' => [ true, 'Exclude hosts in the specified range from the scan']
)
opt_template = 'pentest-audit'
opt_maxaddrs = 32
opt_verbose = false
opt_savexml = nil
opt_preserve = false
opt_rescandb = false
opt_addrinc = nil
opt_addrexc = nil
opt_scanned = []
opt_credentials = []
opt_ranges = []
opts.parse(args) do |opt, _idx, val|
case opt
when '-h'
print_line('Usage: nexpose_scan [options] <Target IP Ranges>')
print_line(opts.usage)
return
when '-t'
opt_template = val
when '-n'
opt_maxaddrs = val.to_i
when '-s'
opt_savexml = val
when '-c'
if (val =~ /^([^:]+):([^:]+):(.+)/)
type = Regexp.last_match(1)
user = Regexp.last_match(2)
pass = Regexp.last_match(3)
msfid = Time.now.to_i
newcreds = {
"name": "Metasploit Site Credential #{msfid}",
"enabled": true,
"account": {
"service": type,
"username": user,
"password": pass,
},
}
opt_credentials << newcreds
else
print_error("Unrecognized Nexpose scan credentials: #{val}")
return
end
when '-v'
opt_verbose = true
when '-P'
opt_preserve = true
when '-d'
opt_rescandb = true
when '-I'
opt_addrinc = OptAddressRange.new('TEMPRANGE', [ true, '' ]).normalize(val)
when '-E'
opt_addrexc = OptAddressRange.new('TEMPRANGE', [ true, '' ]).normalize(val)
else
opt_ranges << val
end
end
return if !nexpose_verify
if opt_rescandb
print_status('Loading scan targets from the active database...') if opt_verbose
framework.db.hosts.each do |host|
next if host.state != ::Msf::HostState::Alive
opt_ranges << host.address
end
end
possible_files = opt_ranges
possible_files.each do |file|
next unless ::File.readable? file
print_status "Parsing ranges from #{file}"
range_list = ::File.open(file, 'rb') { |f| f.read f.stat.size }
range_list.each_line { |subrange| opt_ranges << subrange }
opt_ranges.delete(file)
end
opt_ranges = opt_ranges.join(' ')
if opt_ranges.strip.empty?
print_line('Usage: nexpose_scan [options] <Target IP Ranges>')
print_line(opts.usage)
return
end
if opt_verbose
print_status("Creating a new scan using template #{opt_template} and #{opt_maxaddrs} concurrent IPs against #{opt_ranges}")
end
range_inp = ::Msf::OptAddressRange.new('TEMPRANGE', [ true, '' ]).normalize(opt_ranges)
range = ::Rex::Socket::RangeWalker.new(range_inp)
include_range = opt_addrinc ? ::Rex::Socket::RangeWalker.new(opt_addrinc) : nil
exclude_range = opt_addrexc ? ::Rex::Socket::RangeWalker.new(opt_addrexc) : nil
completed = 0
total = range.num_ips
count = 0
print_status("Scanning #{total} addresses with template #{opt_template} in sets of #{opt_maxaddrs}")
while (completed < total)
count += 1
queue = []
while ((ip = range.next_ip) && (queue.length < opt_maxaddrs))
if (exclude_range && exclude_range.include?(ip))
print_status(" >> Skipping host #{ip} due to exclusion") if opt_verbose
next
end
if (include_range && !include_range.include?(ip))
print_status(" >> Skipping host #{ip} due to inclusion filter") if opt_verbose
next
end
opt_scanned << ip
queue << ip
end
break if queue.empty?
print_status("Scanning #{queue[0]}-#{queue[-1]}...") if opt_verbose
msfid = Time.now.to_i
create_site_payload = {
description: "Autocreated by the Metasploit Framework'",
scanTemplateId: opt_template,
name: "Metasploit-#{msfid}",
scan: {
assets: {
includedTargets: {
addresses: queue,
},
},
},
}
response = post_v3(resource: "sites", payload: create_site_payload)
@site_id = response["id"]
print_status(" >> Created temporary site ##{@site_id}") if opt_verbose
opt_credentials.each do |credential|
response = post_v3(resource: "sites/#{@site_id}/site_credentials", payload: credential)
credential_id = response["id"]
print_status(" >> Created site credential ##{credential_id}: #{credential['name']}")
end
report_formats = ['raw-xml-v2', 'ns-xml']
report_format = report_formats.shift
report = Nexpose::ReportConfig.build(@nsc, @site_id, create_site_payload[:name], opt_template, report_format, true)
report.delivery = Nexpose::Delivery.new(true)
begin
report.format = report_format
report.save(@nsc, true)
rescue ::Exception => e
report_format = report_formats.shift
if report_format
retry
end
raise e
end
print_status(" >> Created temporary report configuration ##{report.id}") if opt_verbose
response = post_v3(resource: "sites/#{@site_id}/scans", payload: { name: opt_template })
sid = response["id"]
print_status(" >> Scan has been launched with ID ##{sid}") if opt_verbose
rep = true
begin
prev = nil
while true
info = @nsc.scan_statistics(sid)
break if info.status != 'running'
stat = "Found #{info.nodes.live} devices and #{info.nodes.dead} unresponsive"
if (stat != prev) && opt_verbose
print_status(" >> #{stat}")
end
prev = stat
select(nil, nil, nil, 5.0)
end
print_status(" >> Scan has been completed with ID ##{sid}") if opt_verbose
rescue ::Interrupt
rep = false
print_status(" >> Terminating scan ID ##{sid} due to console interrupt") if opt_verbose
@nsc.stop_scan(sid)
break
end
if rep
print_status(' >> Waiting on the report to generate...') if opt_verbose
last_report = nil
until last_report
last_report = @nsc.last_report(report.id)
select(nil, nil, nil, 1.0)
end
url = last_report.uri
print_status(' >> Downloading the report data from Nexpose...') if opt_verbose
data = @nsc.download(url)
if opt_savexml
::FileUtils.mkdir_p(opt_savexml)
path = ::File.join(opt_savexml, "nexpose-#{msfid}-#{count}.xml")
print_status(" >> Saving scan data into #{path}") if opt_verbose
::File.open(path, 'wb') { |fd| fd.write(data) }
end
process_nexpose_data(report_format, data)
end
next if opt_preserve
loop do
info = @nsc.scan_statistics(sid)
break if info.status == 'stopped' || info.status == 'finished'
select(nil, nil, nil, 5.0)
end
print_status(' >> Deleting the temporary site and report...') if opt_verbose
begin
@nsc.delete_site(@site_id)
rescue ::Nexpose::APIError => e
print_status(" >> Deletion of temporary site and report failed: #{e.inspect}")
end
end
print_status("Completed the scan of #{total} addresses")
end
def cmd_nexpose_disconnect(*_args)
@nsc.logout if @nsc
@nsc = nil
end
def process_nexpose_data(fmt, data)
case fmt
when 'raw-xml-v2'
framework.db.import({ data: data })
when 'ns-xml'
framework.db.import({ data: data })
else
print_error("Unsupported Nexpose data format: #{fmt}")
end
end
def nexpose_vuln_lookup(doc, vid, refs, host, serv = nil)
doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef|
title = vulndef.attributes['title']
vulndef.elements['references'].elements.each('reference') do |ref|
if ref.attributes['source'] == 'BID'
refs['BID-' + ref.text] = true
elsif ref.attributes['source'] == 'CVE'
refs[ref.text] = true
elsif ref.attributes['source'] == 'MS'
refs['MSB-MS-' + ref.text] = true
end
end
refs['NEXPOSE-' + vid.downcase] = true
vuln = framework.db.find_or_create_vuln(
host: host,
service: serv,
name: 'NEXPOSE-' + vid.downcase,
data: title
)
rids = []
refs.each_key do |r|
rids << framework.db.find_or_create_ref(name: r)
end
vuln.refs << (rids - vuln.refs)
end
end
def post_v3(resource: "", payload: {})
response = RestClient::Request.execute(
verify_ssl: false,
method: :post,
url: nexpose_v3_url(resource: resource),
payload: payload.to_json,
headers: nexpose_shared_headers
)
dlog "Response body: #{response.body}"
JSON.parse(response.body)
end
def nexpose_v3_url(resource: "")
"https://#{@host}:#{@port}/api/3/#{resource}"
end
def nexpose_basic_auth_credentials
"Basic #{Base64::encode64([@user, @pass].join(':'))}"
end
def nexpose_shared_headers
{
content_type: :json,
accept: :json,
Authorization: nexpose_basic_auth_credentials,
}
end
end
def initialize(framework, opts)
super
add_console_dispatcher(NexposeCommandDispatcher)
banner = ['0a205f5f5f5f202020202020202020202020205f20202020205f205f5f5f5f5f2020205f2020205f20202020205f5f20205f5f2020202020202020202020202020202020202020200a7c20205f205c205f5f205f205f205f5f20285f29205f5f7c207c5f5f5f20207c207c205c207c207c205f5f5f5c205c2f202f5f205f5f2020205f5f5f20205f5f5f20205f5f5f200a7c207c5f29202f205f60207c20275f205c7c207c2f205f60207c20202f202f20207c20205c7c207c2f205f205c5c20202f7c20275f205c202f205f205c2f205f5f7c2f205f205c0a7c20205f203c20285f7c207c207c5f29207c207c20285f7c207c202f202f2020207c207c5c20207c20205f5f2f2f20205c7c207c5f29207c20285f29205c5f5f205c20205f5f2f0a7c5f7c205c5f5c5f5f2c5f7c202e5f5f2f7c5f7c5c5f5f2c5f7c2f5f2f202020207c5f7c205c5f7c5c5f5f5f2f5f2f5c5f5c202e5f5f2f205c5f5f5f2f7c5f5f5f2f5c5f5f5f7c0a20202020202020202020207c5f7c20202020202020202020202020202020202020202020202020202020202020202020207c5f7c202020202020202020202020202020202020200a0a0a'].pack('H*')
lang = Rex::Compat.getenv('LANG')
if (lang && lang =~ (/UTF-8/))
banner = ['202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200a20e29684e29684e29684202020e29684e29684202020202020202020202020e29684e29684e296842020e29684e29684e2968420202020202020202020202020202020202020202020202020202020202020202020202020202020200a20e29688e29688e29688202020e29688e2968820202020202020202020202020e29688e2968820e29684e29688e296882020202020202020202020202020202020202020202020202020202020202020202020202020202020200a20e29688e29688e29680e296882020e29688e29688202020e29684e29688e29688e29688e29688e296842020202020e29688e29688e29688e2968820202020e29688e29688e29684e29688e29688e29688e2968420202020e29684e29688e29688e29688e29688e29684202020e29684e29684e29688e29688e29688e29688e29688e29684202020e29684e29688e29688e29688e29688e2968420200a20e29688e2968820e29688e2968820e29688e296882020e29688e29688e29684e29684e29684e29684e29688e296882020202020e29688e296882020202020e29688e29688e296802020e29680e29688e296882020e29688e29688e296802020e29680e29688e296882020e29688e29688e29684e29684e29684e2968420e296802020e29688e29688e29684e29684e29684e29684e29688e29688200a20e29688e296882020e29688e29684e29688e296882020e29688e29688e29680e29680e29680e29680e29680e2968020202020e29688e29688e29688e2968820202020e29688e2968820202020e29688e296882020e29688e2968820202020e29688e29688202020e29680e29680e29680e29680e29688e29688e296842020e29688e29688e29680e29680e29680e29680e29680e29680200a20e29688e29688202020e29688e29688e296882020e29680e29688e29688e29684e29684e29684e29684e29688202020e29688e296882020e29688e29688202020e29688e29688e29688e29684e29684e29688e29688e296802020e29680e29688e29688e29684e29684e29688e29688e296802020e29688e29684e29684e29684e29684e29684e29688e296882020e29680e29688e29688e29684e29684e29684e29684e29688200a20e29680e29680202020e29680e29680e2968020202020e29680e29680e29680e29680e29680202020e29680e29680e296802020e29680e29680e296802020e29688e2968820e29680e29680e29680202020202020e29680e29680e29680e296802020202020e29680e29680e29680e29680e29680e296802020202020e29680e29680e29680e29680e2968020200a20202020202020202020202020202020202020202020202020202020202020e29688e29688202020202020202020202020202020202020202020202020202020202020202020202020200a202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200a'].pack('H*')
end
print(banner)
print_status('Nexpose integration has been activated')
end
def cleanup
remove_console_dispatcher('Nexpose')
end
def name
'nexpose'
end
def desc
'Integrates with the Rapid7 Nexpose vulnerability management product'
end
end
end
module Nexpose
class IPRange
def to_json(*_args)
if @to.present?
"#{@from} - #{@to}".to_json
else
@from.to_json
end
end
end
end
