Nexpose API - SiteSave with SSH Public Key Credentials using Burp Suite

Document created by mburstein (Employee) on Jan 29, 2013. Last modified by mburstein (Employee) on Jan 29, 2013. Version 2.

In this tutorial I’ll outline a simple method for interfacing with the Nexpose API to create a new Nexpose Site with SSH Public Key Authentication credentials using Burp Suite (http://portswigger.net/burp/download.html), without the need for scripting.

What is SSH Public Key Authentication?

When creating a Nexpose site you have the option to configure scan credentials to perform deep checks, inspecting assets for a wider range of vulnerabilities, such as policy violations, or adware or spyware exposures.

SSH public key authentication relies on asymmetric key encryption and involves the creation of two related keys:

  • a public key that any entity can use to encrypt authentication information
  • a private key that only trusted entities can use to decrypt the information encrypted by its paired public key

These keys are used to authenticate access to remote hosts.

For further information, check out the Nexpose Administrator’s Guide.

Before you get started

For Nexpose to utilize SSH Public Key authentication you will need to create an SSH key pair for Nexpose and copy your public key to a target host machine.

For detailed instructions on creating key pairs and initial setup, check the Nexpose help section “Using SSH public key authentication in Nexpose”.

Credential management is handled through API v1.1 calls using the SiteSaveRequest and follows the Site DTD outlined in the Nexpose API Guide.

How it’s done!

You can easily send XML requests to the Nexpose API using the Burp Suite Repeater. Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses (courtesy of http://portswigger.net/burp/repeater.html).

For this to work, you’ll need to follow the standard Nexpose API Overview workflow outlined in the Nexpose API Guide. Without going into too much detail:

  1. Open an HTTPS connection to the Web console, usually on port 3780.
  2. Construct a LoginRequest XML request containing valid Nexpose credentials.
  3. Verify that the Content-type HTTP header is set to “text/xml”.
  4. Send the XML request to https://<host>:<port>/api/1.1/xml using HTTP POST Method (substitute 1.2 for 1.1 when using API v1.2 calls).
  5. Parse the returned LoginResponse.
  6. If the success attribute is set to 1, extract the session-id attribute for use in subsequent requests.
  7. If the success attribute is set to 0, extract the Failure information and report it.

We’re going to do all of this with 3 easy steps!


Step 1 - LoginRequest

[Screenshot: SSH-Pub1.png]

  1. Enter the IP address of your Nexpose Console.
  2. Enter the port, generally 3780.
  3. LoginRequest is an API v1.1 request; send the XML request to https://<host>:<port>/api/1.1/xml using HTTP POST Method.
  4. The host IP address, once again.
  5. Content type is “text/xml” for our purposes.
  6. Construct a LoginRequest XML request containing valid Nexpose credentials.
  7. Take note of the session-id in the response; you’ll need it for subsequent requests.


Step 2 - SiteSaveRequest

[Screenshot: SSH-Pub2.png]

You will need to use the same request headers as the previous request (c, d and e above: the request URL, the Host header and the Content-Type).

  1. SiteSaveRequest is an API v1.1 request; send the XML request to https://<host>:<port>/api/1.1/xml using HTTP POST Method. Use the session-id returned by the previous successful LoginRequest.
  2. Enter the Site id and the name of your site; the description is optional. If you are creating a new site, use id="-1" for your Site ID.
  3. Enter the hosts you want to scan, either as individual assets or as a range. Use <host>192.168.1.1</host> tags for individual assets, or a <range from="192.168.1.1" to="192.168.1.10"/> tag for a range.
  4. Enter the username and password for your SSH key pair.
  5. Paste the contents of your private key PEM file between the <PEMKey> and </PEMKey> tags.
  6. In the ScanConfig tag you can specify additional site details such as the scan template and scan engine.
  7. If you create a new site, the response will contain the newly created site-id.

Step 3 - LogoutRequest

[Screenshot: SSH-Pub3.png]

  1. LogoutRequest is an API v1.1 request; send the XML request to https://<host>:<port>/api/1.1/xml using HTTP POST Method.
  2. Use the previously recorded session-id to log out and close the session.

Once everything is said and done, you’ll see your Site in the Nexpose UI Site listing.
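The three request bodies that the screenshots above carry, assembled here with a small added Python helper (not part of the original post or of Nexpose) so that the XML, including the pasted PEM contents, is well-formed before it goes into Repeater; it also applies the success/Failure branch of the login workflow to a LoginResponse. The service="ssh-key" value and the Failure element layout are assumptions taken from the API v1.1 Site DTD rather than from this page, and every sample value is constructed.

```python
import xml.etree.ElementTree as ET

# Endpoint from the tutorial; <host> and <port> are placeholders for your console.
API_URL = "https://<host>:<port>/api/1.1/xml"

def login_request(user, password):
    """Step 1: LoginRequest body. POST it to API_URL with Content-Type: text/xml."""
    return ET.tostring(ET.Element("LoginRequest", {"user-id": user, "password": password}),
                       encoding="unicode")

def parse_login_response(body):
    """Workflow steps 5-7: return the session-id when success="1", else raise with the Failure text."""
    root = ET.fromstring(body)
    if root.tag != "LoginResponse":
        raise ValueError("unexpected response element: " + root.tag)
    if root.get("success") == "1":
        return root.get("session-id")
    failure = root.find("Failure")  # assumed layout: <Failure><message>...</message></Failure>
    raise RuntimeError("login failed: " + (failure.findtext("message", "") if failure is not None else ""))

def site_save_request(session_id, name, hosts, ranges, ssh_user, ssh_password, pem_key,
                      description="", template_id="full-audit"):
    """Step 2: SiteSaveRequest creating a new site (id="-1") with an SSH key credential."""
    req = ET.Element("SiteSaveRequest", {"session-id": session_id})
    site = ET.SubElement(req, "Site", {"id": "-1", "name": name, "description": description})
    hosts_el = ET.SubElement(site, "Hosts")
    for host in hosts:                      # individual assets
        ET.SubElement(hosts_el, "host").text = host
    for low, high in ranges:                # address ranges
        ET.SubElement(hosts_el, "range", {"from": low, "to": high})
    creds = ET.SubElement(site, "Credentials")
    # service="ssh-key" is assumed from the API 1.1 Site DTD; the tutorial only shows the PEMKey tag.
    cred = ET.SubElement(creds, "adminCredentials",
                         {"service": "ssh-key", "userid": ssh_user, "password": ssh_password})
    ET.SubElement(cred, "PEMKey").text = pem_key  # ElementTree escapes the key text for XML
    ET.SubElement(site, "Alerting")
    ET.SubElement(site, "ScanConfig", {"configID": "-1", "name": name, "templateID": template_id})
    return ET.tostring(req, encoding="unicode")

def logout_request(session_id):
    """Step 3: LogoutRequest invalidates the session-id so it cannot be reused."""
    return ET.tostring(ET.Element("LogoutRequest", {"session-id": session_id}), encoding="unicode")

if __name__ == "__main__":
    # Constructed sample values; the key body is a placeholder, not a real private key.
    sample_key = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY-BODY\n-----END RSA PRIVATE KEY-----"
    print(login_request("nxadmin", "console-password"))
    sid = parse_login_response('<LoginResponse success="1" session-id="SAMPLE-SESSION-ID"/>')
    print(site_save_request(sid, "SSH key site", ["192.168.1.1"], [("192.168.1.1", "192.168.1.10")],
                            "scanuser", "key-passphrase", sample_key, description="created via API"))
    print(logout_request(sid))
```

The private key travels in clear text inside the SiteSaveRequest body and remains in Burp's Repeater and proxy history, so clear that history once the site has been saved.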


Wrap up

While Burp Suite and raw XML might not be the easiest thing in regards to automation, this will allow you to use some of the features only available through the Nexpose API. You can also accomplish a number of other Nexpose API tasks without the hassle of parsing XML through scripts. Give it a try with some of the other API requests outlined in the API Guide and let me know what you think!
