Nexpose includes a framework for creating complex vulnerability checks using a simple XML format. Nexpose vulnerability checks are split across two or more files which are parsed by Nexpose when the scan engine is started.
There are 2 types of XML files that make up a vulnerability check:
- Vulnerability descriptor - A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
- Vulnerability check - A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by Nexpose to verify the existence (or non-existence) of the vulnerability described in the descriptor.
Usage: weak_creds.pl [Options]

Input options:
  -s --services [service(s)]   Service(s) to generate weak creds checks for (comma-seperated)
  -u --usernames [file]        File of usernames (one per line)
  -p --passwords [file]        File of passwords (one per line)
  -r --realms [file]           File of realms (one per line) - (*optional*)
  -d --dir [dir]               Output directory (default: $service/) - (*optional*)

For databases, the realm represents the database name. If a realm file is not passed, weak_creds.pl uses the default database name.

Supported Services include db2, tds, mysql, postgres, ssh, ftp, telnet, rsh, oracle, cifs, tomcat, and as400
Running weak_creds.pl will generate the new .vck and .xml file(s) within a directory corresponding to the service for the checks.
$ ./weak_creds.pl -s ssh -u usernames.txt -p passwords.txt
$ ls ssh/*
ssh/ssh-weak-creds-account-foo-password-bar.vck
ssh/ssh-weak-creds-account-foo-password-bar.xml
To deploy this vulnerability check into Nexpose, copy your .xml and .vck file(s) into the following directory:
cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/SshScanner/1/
and restart Nexpose. You should see something like the following message in the log:
NSC 3/13/10 11:10 AM: Imported 1 new and 0 modified vulnerabilities in 22 seconds
When Nexpose has restarted, log in and browse to https://<nexpose>:3780/vulnerability.html?vulnid=ssh-weak-creds-account-foo-password-bar. You should see the details of your new vulnerability check.
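A pre-deployment check for the procedure above, as an added example (not part of the original page or of Rapid7's tooling): before anything is copied into the plugin directory, it confirms that every generated check has both its .xml descriptor and its .vck file and that each one parses as XML. The names `audit_check_dir` and `demo` and the placeholder file contents are assumptions made for illustration; only well-formedness is tested, not the Nexpose schema.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

REQUIRED = {".xml", ".vck"}  # descriptor and check file, as described on this page


def audit_check_dir(directory):
    """Return a list of problems in a directory of generated check files."""
    problems = []
    seen = {}  # base name -> set of suffixes found
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        if path.suffix not in REQUIRED:
            problems.append(f"{path.name}: unexpected file, 'cp dir/*' would copy it too")
            continue
        seen.setdefault(path.stem, set()).add(path.suffix)
        try:
            ET.parse(str(path))  # well-formedness only, no schema validation
        except ET.ParseError as exc:
            problems.append(f"{path.name}: not well-formed XML ({exc})")
    for stem, suffixes in sorted(seen.items()):
        for missing in sorted(REQUIRED - suffixes):
            problems.append(f"{stem}: missing {missing} file")
    return problems


def demo():
    """Audit a constructed directory; file contents are placeholders, not real checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "ssh-weak-creds-account-foo-password-bar"
        Path(f"{base}.xml").write_text("<placeholder/>")
        Path(f"{base}.vck").write_text("<placeholder>")  # truncated on purpose
        return audit_check_dir(tmp)


if __name__ == "__main__":
    # With an argument, audit that directory (e.g. ssh/); otherwise run the demo.
    found = audit_check_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(found) or "all checks paired and well-formed")
    sys.exit(1 if found else 0)
```

Run it against the output directory (for example `ssh/`) before the `cp` step; a non-zero exit status means at least one file should be regenerated or removed first.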