Nexpose Building Weak Credential Vulnerability Checks

Document created by techeditor on Apr 8, 2011. Last modified by Maria Varmazis on Mar 3, 2016. Version 10.

This is a tutorial on generating weak credential vulnerability checks for Nexpose. This tutorial assumes that you have Nexpose installed. You can download Nexpose Community Edition for free.

 


 

Introduction


 

Nexpose includes a framework for creating complex vulnerability checks using a simple XML format. Nexpose vulnerability checks are split across two or more files which are parsed by Nexpose when the scan engine is started.

 

There are 2 types of XML files that make up a vulnerability check:

 

  • Vulnerability descriptor: A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
  • Vulnerability check: A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by Nexpose to verify the existence (or non-existence) of the vulnerability described in the descriptor.

 

Usage


 

Usage: weak_creds.pl [Options]

Input options:
    -s  --services [service(s)]     Service(s) to generate weak creds checks for (comma-seperated)
    -u  --usernames [file]          File of usernames (one per line)
    -p  --passwords [file]          File of passwords (one per line)
    -r  --realms [file]             File of realms (one per line) - (*optional*)

    -d  --dir [dir]                 Output directory (default: $service/) - (*optional*)

For databases, the realm represents the database name. If a realm file is not passed,
weak_creds.pl uses the default database name.

Supported Services include:
db2,tds,mysql,postgres,ssh,ftp,telnet,rsh,oracle,cifs,tomcat,as400

 

Example


 

Running weak_creds.pl will generate the new .vck and .xml file(s) within a directory corresponding to the service for the checks.

 

$ ./weak_creds.pl -s ssh -u usernames.txt -p passwords.txt
$ ls ssh/*
ssh/ssh-weak-creds-account-foo-password-bar.vck
ssh/ssh-weak-creds-account-foo-password-bar.xml

 

Deploying your vulnerability checks


 

To deploy this vulnerability check into Nexpose, simply copy your .xml and .vck file(s) into the following directory:

 

cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/SshScanner/1/

 

and restart Nexpose. You should see something like the following message in the log:

 

NSC  3/13/10 11:10 AM: Imported 1 new and 0 modified vulnerabilities in 22 seconds

 

When Nexpose has restarted, log in and browse to https://<nexpose>:3780/vulnerability.html?vulnid=ssh-weak-creds-account-foo-password-bar. You should see the details of your new vulnerability check.
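
A pre-deployment sanity check to run on the output directory before the cp step above, as an added example that is not part of the original tutorial or of weak_creds.pl. It assumes each generated check is a same-named .vck/.xml pair, as in the ssh/ listing; check_pairs, the placeholder file contents and the password-baz file name are constructed for illustration.

```shell
#!/bin/sh
# Pre-deployment check for a weak_creds.pl output directory (added example).
# Assumption: each check is a same-named .vck/.xml pair, as in the ssh/ listing.

# check_pairs DIR: print one line per problem; return 0 only if DIR is deployable.
check_pairs() {
    dir=$1 problems=0 found=0
    for f in "$dir"/*.vck "$dir"/*.xml; do
        [ -e "$f" ] || continue              # unmatched glob stays literal
        found=1
        case $f in
            *.vck) mate=${f%.vck}.xml ;;
            *.xml) mate=${f%.xml}.vck ;;
        esac
        if [ ! -e "$mate" ]; then
            echo "UNPAIRED  ${f##*/} (no ${mate##*/})"
            problems=$((problems + 1))
        fi
        if [ ! -s "$f" ]; then
            echo "EMPTY     ${f##*/}"
            problems=$((problems + 1))
        elif command -v xmllint >/dev/null 2>&1 &&
             ! xmllint --noout "$f" 2>/dev/null; then
            echo "MALFORMED ${f##*/}"         # only checked when xmllint exists
            problems=$((problems + 1))
        fi
    done
    [ "$found" -eq 1 ] || { echo "NOFILES   $dir"; return 1; }
    [ "$problems" -eq 0 ]
}

# Constructed sample: one complete pair plus one .vck whose descriptor is missing.
# File contents are placeholders, not real Nexpose check XML.
demo=$(mktemp -d)
base=ssh-weak-creds-account-foo-password-bar
echo '<placeholder/>' > "$demo/$base.vck"
echo '<placeholder/>' > "$demo/$base.xml"
echo '<placeholder/>' > "$demo/ssh-weak-creds-account-foo-password-baz.vck"
if check_pairs "$demo"; then echo "ok to copy"; else echo "do not copy"; fi
rm -rf "$demo"
```

Against real output, run check_pairs ssh and copy the files only when it returns 0.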
