Nessus auxiliary scanner for updated REST API

Author: void-in

lib/metasploit/framework/login_scanner/nessus.rb

@@ -0,0 +1,90 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      class Nessus < HTTP
+
+        DEFAULT_PORT  = 8834
+        PRIVATE_TYPES = [ :password ]
+        LIKELY_SERVICE_NAMES = [ 'nessus' ]
+        LOGIN_STATUS  = Metasploit::Model::Login::Status # Shorter name
+
+
+        # Checks if the target is a Tenable Nessus server.
+        #
+        # @return [Boolean] TrueClass if target is Nessus server, otherwise FalseClass
+        def check_setup
+          login_uri = "/server/properties"
+          res = send_request({'uri'=> login_uri})
+          if res && res.body.include?('Nessus')
+            return true
+          end
+
+          false
+        end
+
+        # Actually doing the login. Called by #attempt_login
+        #
+        # @param username [String] The username to try
+        # @param password [String] The password to try
+        # @return [String]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def get_login_state(username, password)
+          # Prep the data needed for login
+          #protocol  = ssl ? 'https' : 'http'
+          #peer      = "#{host}:#{port}"
+          login_uri = "#{uri}"
+
+          res = send_request({
+            'uri' => login_uri,
+            'method' => 'POST',
+            'vars_post' => {
+              'username' => username,
+              'password' => password
+            }
+          })
+
+          unless res
+            return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
+          end
+          if res.code == 200 && res.body =~ /token/
+            return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.body.to_s}
+          end
+
+          {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
+        end
+
+
+        # Attempts to login to Nessus.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          begin
+            result_opts.merge!(get_login_state(credential.public, credential.private))
+          rescue ::Rex::ConnectionError => e
+            # Something went wrong during login. 'e' knows what's up.
+            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
+

modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb

@@ -1,120 +1,140 @@
-##
-# nessus_xmlrpc_login.rb
-##
-
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/nessus'
+require 'metasploit/framework/credential_collection'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
 
-  def initialize
-    super(
-      'Name'           => 'Nessus XMLRPC Interface Login Utility',
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Nessus RPC Interface Login Utility',
       'Description'    => %q{
-        This module simply attempts to login to a Nessus XMLRPC interface using a
-        specific user/pass.
+        This module will attempt to authenticate to a Nessus server RPC interface.
       },
-      'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+      'Author'         => [ 'void_in' ],
       'License'        => MSF_LICENSE
-    )
-
+    ))
     register_options(
       [
         Opt::RPORT(8834),
-        OptString.new('URI', [true, "URI for Nessus XMLRPC login. Default is /login", "/login"]),
-        OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false])
+        OptString.new('TARGETURI', [ true,  'The path to the Nessus server login API', '/session']),
+        OptBool.new('SSL', [true, 'Negotiate SSL for outgoing connections', true]),
+        OptEnum.new('SSLVersion', [false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']])
       ], self.class)
-
-    register_advanced_options(
-    [
-      OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
-    ], self.class)
   end
 
-  def run_host(ip)
-    begin
-      res = send_request_cgi({
-        'uri'     => datastore['URI'],
-        'method'  => 'GET'
-        }, 25)
-      http_fingerprint({ :response => res })
-    rescue ::Rex::ConnectionError => e
-      vprint_error("#{datastore['URI']} - #{e}")
-      return
-    end
 
-    if not res
-      vprint_error("#{datastore['URI']} - No response")
-      return
-    end
-    if res.code != 403
-      vprint_error("Authorization not requested")
-      return
-    end
+  # Initializes CredentialCollection and Nessus Scanner
+  def init(ip)
+    @cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file:       datastore['PASS_FILE'],
+      password:        datastore['PASSWORD'],
+      user_file:       datastore['USER_FILE'],
+      userpass_file:   datastore['USERPASS_FILE'],
+      username:        datastore['USERNAME'],
+      user_as_pass:    datastore['USER_AS_PASS']
+    )
 
-    each_user_pass do |user, pass|
-      do_login(user, pass)
-    end
+    @scanner = Metasploit::Framework::LoginScanner::Nessus.new(
+        host: ip,
+        port: datastore['RPORT'],
+        uri: datastore['TARGETURI'],
+        cred_details:       @cred_collection,
+        stop_on_success:    datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed:   datastore['BRUTEFORCE_SPEED'],
+        connection_timeout: 5
+    )
+    @scanner.ssl         = datastore['SSL']
+    @scanner.ssl_version = datastore['SSLVERSION']
   end
 
-  def do_login(user='nessus', pass='nessus')
-    vprint_status("Trying username:'#{user}' with password:'#{pass}'")
-    headers = {}
-
-    begin
-      res = send_request_cgi({
-        'encode'    => true,
-        'uri'       => datastore['URI'],
-        'method'    => 'POST',
-        'headers'   => headers,
-        'vars_post' => {
-          'login'    => user,
-          'password' => pass
-        }
-      }, 25)
-
-    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
-      print_error("HTTP Connection Failed, Aborting")
-      return :abort
-    end
 
-    if not res
-      print_error("Connection timed out, Aborting")
-      return :abort
-    end
+  # Reports a good login credential
+  def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
+      status: result.status,
+      proof: result.proof
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 
-    if res.code != 200
-      vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
-      return :skip_pass
-    end
 
-    if res.code == 200
-      if res.body =~ /<status>OK<\/status>/
-        print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
-
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'nessus-xmlrpc',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
-        return :next_user
+  # Attempts to login
+  def bruteforce(ip)
+    @scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+        do_report(ip, rport, result)
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        vprint_brute :level => :verror, :ip => ip, :msg => result.proof
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status,
+            proof: result.proof
+        )
+      when Metasploit::Model::Login::Status::INCORRECT
+        vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status,
+            proof: result.proof
+        )
       end
     end
-    vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
-    return :skip_pass
   end
+
+
+  # Start here
+  def run_host(ip)
+    init(ip)
+    unless @scanner.check_setup
+      print_brute :level => :error, :ip => ip, :msg => 'Target is not a Tenable Nessus server'
+      return
+    end
+
+    bruteforce(ip)
+  end
+
 end