GitHub Repository: rapid7/metasploit-framework
Path: blob/master/plugins/openvas.rb
# This plugin provides integration with OpenVAS.
# Written by kost and averagesecurityguy.
#
# Distributed under MIT license:
# http://www.opensource.org/licenses/mit-license.php
require 'openvas-omp'
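module Msf
  # Console plugin that drives an OpenVAS manager over OMP (through the
  # openvas-omp gem) and can import the resulting reports into the framework
  # database.
  class Plugin::OpenVAS < Msf::Plugin
    # Command dispatcher that exposes the openvas_* console commands.
    #
    # @ov holds the live OpenVASOMP client and is nil while disconnected; every
    # command except openvas_help and openvas_connect refuses to run without it.
    class OpenVASCommandDispatcher
      include Msf::Ui::Console::CommandDispatcher

      # Name under which the dispatcher is registered (Plugin#cleanup removes
      # the dispatcher by this same string).
      def name
        'OpenVAS'
      end

      # Maps each console command to its one-line description.
      def commands
        {
          'openvas_help' => 'Displays help',
          'openvas_version' => 'Display the version of the OpenVAS server',
          'openvas_debug' => 'Enable/Disable debugging',
          'openvas_connect' => 'Connect to an OpenVAS manager using OMP',
          'openvas_disconnect' => 'Disconnect from OpenVAS manager',

          # Argument order matches the usage text of openvas_task_create.
          'openvas_task_create' => 'Create a task (name, comment, config, target)',
          'openvas_task_delete' => 'Delete task by ID',
          'openvas_task_list' => 'Display list of tasks',
          'openvas_task_start' => 'Start task by ID',
          'openvas_task_stop' => 'Stop task by ID',
          'openvas_task_pause' => 'Pause task by ID',
          'openvas_task_resume' => 'Resume task by ID',
          'openvas_task_resume_or_start' => 'Resume task or start task by ID',

          'openvas_target_create' => 'Create target (name, hosts, comment)',
          'openvas_target_delete' => 'Delete target by ID',
          'openvas_target_list' => 'Display list of targets',

          'openvas_config_list' => 'Quickly display list of configs',

          'openvas_format_list' => 'Display list of available report formats',

          # This entry used to repeat the openvas_format_list description.
          'openvas_report_list' => 'Display a list of available reports',
          'openvas_report_delete' => 'Delete a report specified by ID',
          'openvas_report_download' => 'Save a report to disk',
          'openvas_report_import' => 'Import report specified by ID into framework'
        }
      end

      # Prints the grouped command overview. Extra arguments are accepted and
      # ignored so that "openvas_help foo" does not raise ArgumentError.
      def cmd_openvas_help(*_args)
        help_lines = [
          'openvas_help Display this help',
          'openvas_debug Enable/Disable debugging',
          'openvas_version Display the version of the OpenVAS server',
          nil,
          'CONNECTION',
          '==========',
          'openvas_connect Connects to OpenVAS',
          'openvas_disconnect Disconnects from OpenVAS',
          nil,
          'TARGETS',
          '=======',
          'openvas_target_create Create target',
          'openvas_target_delete Deletes target specified by ID',
          'openvas_target_list Lists targets',
          nil,
          'TASKS',
          '=====',
          'openvas_task_create Create task',
          'openvas_task_delete Delete a task and all associated reports',
          'openvas_task_list Lists tasks',
          'openvas_task_start Starts task specified by ID',
          'openvas_task_stop Stops task specified by ID',
          'openvas_task_pause Pauses task specified by ID',
          'openvas_task_resume Resumes task specified by ID',
          'openvas_task_resume_or_start Resumes or starts task specified by ID',
          nil,
          'CONFIGS',
          '=======',
          'openvas_config_list Lists scan configurations',
          nil,
          'FORMATS',
          '=======',
          'openvas_format_list Lists available report formats',
          nil,
          'REPORTS',
          '=======',
          'openvas_report_list Lists available reports',
          'openvas_report_delete Delete a report specified by ID',
          'openvas_report_import Imports an OpenVAS report specified by ID',
          'openvas_report_download Downloads an OpenVAS report specified by ID'
        ]
        # nil marks a separator, printed with the argument-less print_status.
        help_lines.each { |line| line ? print_status(line) : print_status }
      end

      # Verify the database is connected and usable.
      # Returns true or false, never a truthy/falsy object.
      def database?
        framework.db && framework.db.usable ? true : false
      end

      # Verify there is an active OpenVAS connection; prints a hint and
      # returns false when there is none.
      def openvas?
        return true if @ov

        print_error('No OpenVAS connection available. Please use openvas_connect.')
        false
      end

      # Verify the argument count and that -h was not given.
      #
      # args - argument list handed to the command
      # min  - minimum number of arguments (default 1)
      # max  - maximum number of arguments (defaults to min)
      #
      # Returns true when the count is within [min, max] and the first
      # argument is not '-h'.
      def args?(args, min = 1, max = nil)
        max ||= min
        return false if args.length < min || args.length > max

        args[0] != '-h'
      end

      #--------------------------
      # Basic Functions
      #--------------------------

      # Sets the client's debug level. The argument is converted with to_i, so
      # non-numeric text becomes 0.
      def cmd_openvas_debug(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage:')
          print_status('openvas_debug integer')
          return
        end

        print_good(@ov.debug(args[0].to_i))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # Prints the OMP version reported by the manager. Extra arguments are
      # ignored.
      def cmd_openvas_version(*_args)
        return unless openvas?

        print_good("Using OMP version #{@ov.version_get}")
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Connection Functions
      #--------------------------

      # openvas_connect username password host port <ssl-confirm>
      #
      # Opens the OMP session used by every other command. Points a reviewer
      # should keep in mind:
      # * The TLS peer is not verified (see the warning text below). For any
      #   host other than localhost/127.0.0.1 the operator must pass 'ok',
      #   which only acknowledges the risk; it does not turn verification on.
      # * The password arrives as a plain console argument, so it may be kept
      #   wherever the console records command lines.
      def cmd_openvas_connect(*args)
        # Is the database configured?
        unless database?
          print_error('No database has been configured.')
          return
        end

        # Don't allow duplicate sessions
        if @ov
          print_error('Session already open, please use openvas_disconnect first.')
          return
        end

        # Make sure the correct number of arguments are present.
        unless args?(args, 4, 5)
          print_status('Usage:')
          print_status('openvas_connect username password host port <ssl-confirm>')
          return
        end

        user, pass, host, port, sslv = args

        # SSL warning. User is required to confirm.
        loopback = %w[localhost 127.0.0.1].include?(host)
        if !loopback && sslv != 'ok'
          print_error('Warning: SSL connections are not verified in this release, it is possible for an attacker')
          print_error(' with the ability to man-in-the-middle the OpenVAS traffic to capture the OpenVAS')
          print_error(" credentials. If you are running this on a trusted network, please pass in 'ok'")
          print_error(' as an additional parameter to this command.')
          return
        end

        begin
          # Only the user name is echoed; the password is never printed.
          print_status("Connecting to OpenVAS instance at #{host}:#{port} with username #{user}...")
          ov = OpenVASOMP::OpenVASOMP.new('user' => user, 'password' => pass, 'host' => host, 'port' => port)
        rescue OpenVASOMP::OMPAuthError => e
          print_error("Authentication failed: #{e.reason}")
          return
        rescue OpenVASOMP::OMPConnectionError => e
          print_error("Connection failed: #{e.reason}")
          return
        end

        print_good('OpenVAS connection successful')
        @ov = ov
      end

      # Disconnect from an OpenVAS manager.
      #
      # The client reference is dropped even when logout fails; otherwise a
      # failed logout would leave @ov set and openvas_connect would keep
      # refusing with "Session already open".
      def cmd_openvas_disconnect(*_args)
        return unless openvas?

        begin
          @ov.logout
        rescue OpenVASOMP::OMPError => e
          print_error(e.to_s)
        ensure
          @ov = nil
        end
      end

      #--------------------------
      # Target Functions
      #--------------------------

      # openvas_target_create <name> <hosts> <comment>
      # Creates the target, then prints the refreshed target list.
      def cmd_openvas_target_create(*args)
        return unless openvas?

        unless args?(args, 3)
          print_status('Usage: openvas_target_create <name> <hosts> <comment>')
          return
        end

        target_name, hosts, comment = args
        print_status(@ov.target_create('name' => target_name, 'hosts' => hosts, 'comment' => comment))
        cmd_openvas_target_list
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_target_delete <target_id>
      # Deletes the target, then prints the refreshed target list.
      def cmd_openvas_target_delete(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_target_delete <target_id>')
          return
        end

        print_status(@ov.target_delete(args[0]))
        cmd_openvas_target_list
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # Prints a table of all targets known to the manager.
      def cmd_openvas_target_list(*_args)
        return unless openvas?

        tbl = Rex::Text::Table.new(
          'Columns' => ['ID', 'Name', 'Hosts', 'Max Hosts', 'In Use', 'Comment']
        )
        @ov.target_get_all.each do |target|
          tbl << target.values_at('id', 'name', 'hosts', 'max_hosts', 'in_use', 'comment')
        end
        show_table('OpenVAS list of targets', tbl)
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Task Functions
      #--------------------------

      # openvas_task_create <name> <comment> <config_id> <target_id>
      # Creates the task, then prints the refreshed task list.
      def cmd_openvas_task_create(*args)
        return unless openvas?

        unless args?(args, 4)
          print_status('Usage: openvas_task_create <name> <comment> <config_id> <target_id>')
          return
        end

        task_name, comment, config_id, target_id = args
        resp = @ov.task_create(
          'name' => task_name, 'comment' => comment, 'config' => config_id, 'target' => target_id
        )
        print_status(resp)
        cmd_openvas_task_list
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_delete <id> ok
      #
      # Deleting a task also deletes its reports, so the literal second
      # argument 'ok' is required as a confirmation.
      def cmd_openvas_task_delete(*args)
        return unless openvas?

        unless args?(args, 2)
          print_status('Usage: openvas_task_delete <id> ok')
          print_error('This will delete the task and all associated reports.')
          return
        end

        # User is required to confirm before deleting task.
        if args[1] != 'ok'
          print_error('Warning: Deleting a task will also delete all reports associated with the ')
          print_error("task, please pass in 'ok' as an additional parameter to this command.")
          return
        end

        print_status(@ov.task_delete(args[0]))
        cmd_openvas_task_list
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # Prints a table of all tasks with their status and progress.
      def cmd_openvas_task_list(*_args)
        return unless openvas?

        tbl = Rex::Text::Table.new(
          'Columns' => ['ID', 'Name', 'Comment', 'Status', 'Progress']
        )
        @ov.task_get_all.each do |task|
          tbl << task.values_at('id', 'name', 'comment', 'status', 'progress')
        end
        show_table('OpenVAS list of tasks', tbl)
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_start <id>
      def cmd_openvas_task_start(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_task_start <id>')
          return
        end

        print_status(@ov.task_start(args[0]))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_stop <id>
      def cmd_openvas_task_stop(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_task_stop <id>')
          return
        end

        print_status(@ov.task_stop(args[0]))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_pause <id>
      def cmd_openvas_task_pause(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_task_pause <id>')
          return
        end

        print_status(@ov.task_pause(args[0]))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_resume <id>
      # Calls the client's task_resume_paused.
      def cmd_openvas_task_resume(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_task_resume <id>')
          return
        end

        print_status(@ov.task_resume_paused(args[0]))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_task_resume_or_start <id>
      def cmd_openvas_task_resume_or_start(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_task_resume_or_start <id>')
          return
        end

        print_status(@ov.task_resume_or_start(args[0]))
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Config Functions
      #--------------------------

      # Prints the ID and name of every scan configuration.
      def cmd_openvas_config_list(*_args)
        return unless openvas?

        tbl = Rex::Text::Table.new(
          'Columns' => [ 'ID', 'Name' ]
        )
        @ov.config_get_all.each do |config|
          tbl << config.values_at('id', 'name')
        end
        show_table('OpenVAS list of configs', tbl)
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Format Functions
      #--------------------------

      # Prints the report formats returned by format_get_all.
      def cmd_openvas_format_list(*_args)
        return unless openvas?

        tbl = Rex::Text::Table.new(
          'Columns' => ['ID', 'Name', 'Extension', 'Summary']
        )
        format_get_all.each do |format|
          tbl << format.values_at('id', 'name', 'extension', 'summary')
        end
        show_table('OpenVAS list of report formats', tbl)
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Report Functions
      #--------------------------

      # Prints one row per report in the raw get_reports response.
      # The 'Start Time' and 'Stop Time' columns are filled from the
      # creation_time and modification_time elements respectively.
      def cmd_openvas_report_list(*_args)
        return unless openvas?

        tbl = Rex::Text::Table.new(
          'Columns' => ['ID', 'Task Name', 'Start Time', 'Stop Time']
        )
        @ov.report_get_raw.elements.each('//get_reports_response/report') do |report|
          tbl << [
            report.elements['report'].attributes['id'],
            report.elements['task/name'].get_text,
            report.elements['creation_time'].get_text,
            report.elements['modification_time'].get_text
          ]
        end
        show_table('OpenVAS list of reports', tbl)
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_report_delete <id>
      # Deletes the report, then prints the refreshed report list.
      def cmd_openvas_report_delete(*args)
        return unless openvas?

        unless args?(args)
          print_status('Usage: openvas_report_delete <id>')
          return
        end

        print_status(@ov.report_delete(args[0]))
        cmd_openvas_report_list
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_report_download <report_id> <format_id> <path> <report_name>
      #
      # Fetches the report and writes it to <path>/<report_name>, creating the
      # directory if needed. The two path parts are joined as given, without
      # normalisation, and the file body is whatever the manager returned.
      def cmd_openvas_report_download(*args)
        return unless openvas?

        unless args?(args, 4)
          print_status('Usage: openvas_report_download <report_id> <format_id> <path> <report_name>')
          return
        end

        report_id, format_id, dir, filename = args
        report = @ov.report_get_raw('report_id' => report_id, 'format' => format_id)
        data = reports_response_xml(report)
        if data.nil?
          # Nothing to save: do not create the directory or an empty file.
          print_error('No report data returned by the OpenVAS server.')
          return
        end

        ::FileUtils.mkdir_p(dir)
        name = ::File.join(dir, filename)
        print_status("Saving report to #{name}")
        # Block form closes the handle even if the write raises.
        ::File.open(name, 'w') { |output| output.puts(data) }
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      # openvas_report_import <report_id> <format_id>
      #
      # Fetches the report and hands it unchanged to framework.db.import.
      # The content originates from the remote manager over a connection whose
      # peer is not verified (see openvas_connect), so the importer is
      # parsing data that should be treated as untrusted.
      def cmd_openvas_report_import(*args)
        return unless openvas?

        unless args?(args, 2)
          print_status('Usage: openvas_report_import <report_id> <format_id>')
          print_status('Only the NBE and XML formats are supported for importing.')
          return
        end

        report = @ov.report_get_raw('report_id' => args[0], 'format' => args[1])
        data = reports_response_xml(report)
        if data.nil?
          # Avoid handing nil to the database importer.
          print_error('No report data returned by the OpenVAS server.')
          return
        end

        print_status('Importing report to database.')
        framework.db.import({ data: data })
      rescue OpenVASOMP::OMPError => e
        print_error(e.to_s)
      end

      #--------------------------
      # Format Functions
      #--------------------------

      # Get a list of report formats.
      #
      # Returns an Array of Hashes with the string keys 'id', 'name',
      # 'extension' and 'summary', and caches it in @formats.
      #
      # Any StandardError is converted to OpenVASOMP::OMPResponseError. The
      # constant is written fully qualified because a bare OMPResponseError
      # does not resolve inside this class and would surface as a NameError
      # that the calling command does not rescue.
      # NOTE(review): assumes the openvas-omp gem defines OMPResponseError as
      # an OMPError subclass - confirm against the gem version in use.
      def format_get_all
        resp = @ov.omp_request_xml('<get_report_formats/>')
        print resp if @debug

        list = []
        resp.elements.each('//get_report_formats_response/report_format') do |report|
          list << {
            'id' => report.attributes['id'],
            'name' => report.elements['name'].text,
            'extension' => report.elements['extension'].text,
            'summary' => report.elements['summary'].text
          }
        end
        @formats = list
        list
      rescue StandardError
        raise OpenVASOMP::OMPResponseError
      end

      private

      # Prints a heading followed by the table, framed by blank lines.
      def show_table(heading, table)
        print_good(heading)
        print_line
        print_line table.to_s
        print_line
      end

      # Returns the serialised get_reports_response element of a raw report
      # document (the last one if several match), or nil when none matches.
      def reports_response_xml(report)
        data = nil
        report.elements.each('//get_reports_response') { |r| data = r.to_s }
        data
      end
    end

    #------------------------------
    # Plugin initialization
    #------------------------------

    # Registers the console dispatcher and prints the welcome banner.
    #
    # The instance variables set here belong to the plugin object; the
    # dispatcher is a separate object and keeps its own @ov.
    def initialize(framework, opts)
      super
      add_console_dispatcher(OpenVASCommandDispatcher)
      print_status('Welcome to OpenVAS integration by kost and averagesecurityguy.')
      print_status
      print_status('OpenVAS integration requires a database connection. Once the ')
      print_status('database is ready, connect to the OpenVAS server using openvas_connect.')
      print_status('For additional commands use openvas_help.')
      print_status
      @ov = nil
      @formats = nil
      @debug = nil
    end

    # Unregisters the dispatcher by the name it reports.
    def cleanup
      remove_console_dispatcher('OpenVAS')
    end

    # Plugin name.
    def name
      'OpenVAS'
    end

    # One-line plugin description.
    def desc
      'Integrates with the OpenVAS - open source vulnerability management'
    end
  end
end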