Knowledge Base


1
ANSWERED

Nexpose: Exclude All Vulnerabilities in an Asset Group [Kyle Burk]

It's not unheard of for me to receive a request to whitelist a particular subset of machines in Nexpose. After looking around on the forums and contacting Rapid7 support, I was told it is not possible to exclude all vulnerabilities in an asset group. Then I saw Chris Brown's script where he excludes a single vuln across an asset group. So I decided to learn some Ruby and came up with our own solution. Excuse my lack of formatting and the places where I didn't know how to handle certain input (I promise it still works). If you need a similar solution, you can run this script:

~~~~ruby
#!/usr/bin/env ruby
# Exclude every vulnerability on every asset in one Nexpose asset group.
require 'nexpose'
require 'highline/import'
require 'date'

# Default values
@host = 'nexpose.domain.com'
@port = 3780

# Prompt helper; echo is switched off for the password so it is not shown on screen.
def prompt(text, echo: true)
  ask(text) { |query| query.echo = echo }
end

puts "Connecting to Nexpose Console..."
3.times { puts }
puts "Please input your username for nexpose."
3.times { puts }
@user = prompt('Username: ')
puts "Please input your password."
3.times { puts }
@password = prompt('Password: ', echo: false)
puts "logging in..."

# create object for the nexpose connection
nsc = Nexpose::Connection.new(@host, @user, @password, @port)
nsc.login

puts "listing asset groups..."
# query list of asset groups
assetGroupList = nsc.list_asset_groups
assetGroupList.each do |group|
  puts "GroupID: #{group.id} --- Group Name: #{group.name}"
end
3.times { puts }
@target = prompt('Please input target group ID')
t = @target.to_i
3.times { puts }

puts "-----------------------------------------------"
puts "We will now begin excluding all vulnerabilities"
puts "on all assets in the selected asset group."
puts "-----------------------------------------------"
3.times { puts }
puts "Please select a reason for the Exception"
puts "I haven't figured out how to handle 'other' yet"
puts "so if you choose anything other than what is "
puts "below, I'm going to make this script exit."
puts ""
puts "1 -- False Positive"
puts "2 -- Compensating Control"
puts "3 -- Acceptable Use"
puts "4 -- Acceptable Risk"
rsn = prompt('Select Your Reason (1-4):')
case rsn
when "1" then rsn = Nexpose::VulnException::Reason::FALSE_POSITIVE
when "2" then rsn = Nexpose::VulnException::Reason::COMPENSATING_CONTROL
when "3" then rsn = Nexpose::VulnException::Reason::ACCEPTABLE_USE
when "4" then rsn = Nexpose::VulnException::Reason::ACCEPTABLE_RISK
else
  puts "I dont know how to handle other, exiting now."
  abort
end
3.times { puts }

puts "Please enter the comment/justification for the exclusion. ('EXC-1234')"
@comment = prompt('Comment:')
3.times { puts }

puts "To properly format the expiration date, we need to collect"
puts " the month, day and year separately. sorry about this."
@year = prompt('Provide the expiration year (1999):')
y = @year.to_i
3.times { puts }
@month = prompt('Provide the 2-digit expiration month (12):')
m = @month.to_i
3.times { puts }
@day = prompt('Provide the 2-digit expiration day (22):')
d = @day.to_i
expiration_date = Date.new(y, m, d)

# The submitter approves their own exception below, so nobody else reviews it.
review_comments = "Auto approved by submitter."

scope = Nexpose::VulnException::Scope::ALL_INSTANCES_ON_A_SPECIFIC_ASSET
assets = nsc.group_assets(t)
assets.each do |asset|
  vulns = nsc.list_asset_vulns(asset.id)
  vulns.each do |vuln|
    # One exception per (asset, vulnerability) pair: create it, set its expiry, approve it.
    exc = Nexpose::VulnException.new(vuln.id, scope, rsn)
    exc.asset_id = asset.id
    exc.save(nsc, @comment)
    exc.update_expiration_date(nsc, expiration_date)
    exc.approve(nsc, review_comments)
  end
end
~~~~

Posted by Edward Sheehy about a year ago
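The input checks a practitioner would want in front of a script like the one above, as an added example that is not part of the original post and not code from the nexpose gem. It takes the reason choice, the ticket comment and the expiration as a single ISO date, and refuses a past or over-long expiration, an empty comment, and an "Other" reason that has no written justification, which is the case the script above simply exits on. The reason strings mirror the values of `Nexpose::VulnException::Reason` but are written out here as an assumption so the file runs without the gem; the 365-day cap is an assumed local policy, and the sample requests at the bottom are constructed.

```ruby
#!/usr/bin/env ruby
# Added example: validate operator input before any exception is written to Nexpose.
# Runs without the nexpose gem so it can be unit-tested offline.
require 'date'

module ExceptionInput
  class InvalidInput < StandardError; end

  # Menu number -> reason string. The strings mirror the values of
  # Nexpose::VulnException::Reason in the nexpose gem (assumption: written out
  # here so this file has no dependency on the gem). '5' adds the 'Other' case
  # that the script above exits on.
  REASONS = {
    '1' => 'False Positive',
    '2' => 'Compensating Control',
    '3' => 'Acceptable Use',
    '4' => 'Acceptable Risk',
    '5' => 'Other'
  }.freeze

  # Assumed local policy: no exception may run longer than this.
  MAX_DAYS = 365

  # Validates one request and returns { reason:, comment:, expires: }.
  # Raises InvalidInput with a message suitable for showing to the operator.
  # `today` is injectable so the date checks are deterministic in tests.
  def self.validate(choice:, comment:, expires:, today: Date.today)
    reason = REASONS[choice.to_s.strip]
    raise InvalidInput, "unknown reason choice #{choice.inspect}" unless reason

    justification = comment.to_s.strip
    raise InvalidInput, 'a justification (e.g. a ticket reference) is required' if justification.empty?
    # 'Other' means the reason field explains nothing, so a bare ticket id is not enough.
    if reason == 'Other' && justification.length < 20
      raise InvalidInput, "'Other' needs a written justification, got #{justification.inspect}"
    end

    date = begin
      Date.iso8601(expires.to_s.strip) # one YYYY-MM-DD field instead of three prompts
    rescue ArgumentError
      raise InvalidInput, "expiration #{expires.inspect} is not a YYYY-MM-DD date"
    end
    raise InvalidInput, "expiration #{date} is not in the future" unless date > today
    raise InvalidInput, "expiration #{date} is more than #{MAX_DAYS} days out" if (date - today) > MAX_DAYS

    { reason: reason, comment: justification, expires: date }
  end

  # Convenience for the interactive path: returns [ok, result_or_error_message].
  def self.check(**args)
    [true, validate(**args)]
  rescue InvalidInput => e
    [false, e.message]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, as an operator might type them.
  today = Date.new(2015, 3, 1)
  [
    { choice: '1', comment: 'EXC-1234', expires: '2015-06-30' },
    { choice: '5', comment: 'EXC-1235', expires: '2015-06-30' },
    { choice: '2', comment: 'EXC-1236', expires: '2014-12-31' },
    { choice: '4', comment: 'EXC-1237', expires: '12/22/2015' }
  ].each do |req|
    ok, out = ExceptionInput.check(**req, today: today)
    puts "#{req[:choice]}/#{req[:expires]}: #{ok ? out.inspect : 'rejected: ' + out}"
  end
end
```

Drop the returned hash straight into `Nexpose::VulnException.new(vuln.id, scope, result[:reason])` and `update_expiration_date(nsc, result[:expires])`; rejecting the request up front means a typo in the date or an empty comment never produces a half-created exception.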

1
ANSWERED

Metasploit: Is there AutoMigrate Flag in MsfPayload? Any Alternative? [engr.ali]

Hello everyone! Before I pose my questions, I would like to introduce myself. I am a computer systems engineer, more interested in information security, and recently qualified as a Certified Security Analyst. However, I'm still learning, and I have been playing with Metasploit for quite some time now. I have been through all its internal frameworks, and I wouldn't be surprised to see it named a new Wonder of this world. Simply fascinating. I'll come straight to my question now. I agree that most of the attacks today are client-side attacks. Infecting Word/PDF documents is probably the best way to get into a network, but my query is about auto-migration. An attacker may miss a session migration, and the document will most likely be closed within the next few seconds; obviously one cannot wait 24/7 for a session to come up and then run `-PS` to list the running processes, because the `-Migrate` command itself does not take the name of a process but the PID of that process, and after all, there might be privilege escalation before all this, etc. So my question is whether it's possible to auto-migrate a payload the moment it's run. If not, what are the alternatives? It won't be of much use infecting a page which the client closes in ~5 seconds. If scripts are the only way, how do I embed/encode that script in the MsfPayload command? Thank you; I am grateful for any suggestions.

Posted by Edward Sheehy about a year ago