Building Weak Credential Vulnerability Checks

Nexpose includes a framework for creating complex vulnerability checks using a simple XML format. Nexpose vulnerability checks are split across two or more files which are parsed by Nexpose when the scan engine is started.

There are two types of XML files that make up a vulnerability check:

  • Vulnerability descriptor - A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
  • Vulnerability check - A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by Nexpose to verify the existence (or non-existence) of the vulnerability described in the descriptor.


Usage: [Options]

Input options:
    -s  --services [service(s)]     Service(s) to generate weak creds checks for (comma-separated)
    -u  --usernames [file]          File of usernames (one per line)
    -p  --passwords [file]          File of passwords (one per line)
    -r  --realms [file]             File of realms (one per line) - (*optional*)
    -d  --dir [dir]                 Output directory (default: $service/) - (*optional*)

For databases, the realm represents the database name. If a realm file is not passed, the default database name is used.

Supported services include db2, tds, mysql, postgres, ssh, ftp, telnet, rsh, oracle, cifs, tomcat, and as400.


Running the tool generates the new .vck and .xml file(s) within a directory corresponding to the service for the checks.

$ ./  -s ssh -u usernames.txt  -p passwords.txt 
$ ls ssh/*

Deploying your vulnerability checks

To deploy this vulnerability check into Nexpose, simply copy your .xml and .vck file(s) into the following directory:

cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/SshScanner/1/

and restart Nexpose. You should see something like the following message in the log:

NSC  3/13/10 11:10 AM: Imported 1 new and 0 modified vulnerabilities in 22 seconds

When Nexpose has restarted, log in and browse to https://<nexpose>:3780/vulnerability.html?vulnid=ssh-weak-creds-account-foo-password-bar. You should see the details of your new vulnerability check.
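
A sanity check for the generate, deploy, and restart steps above, as an added example that is not part of the original page or of Nexpose itself. The function names are hypothetical. It assumes every .xml descriptor in the output directory is reported as one new or modified vulnerability, and that the caller pipes in the log text, since the page does not give a log path.

```shell
#!/bin/sh
# Added example: verify generated check files before copying them, then
# confirm the import line after Nexpose restarts.

# count_by_ext DIR EXT -> prints the number of regular files in DIR ending in .EXT
count_by_ext() {
    n=0
    for f in "$1"/*."$2"; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# predeploy_ok DIR -> succeeds only if DIR holds at least one descriptor (.xml)
# and at least one check (.vck); a vulnerability check needs both file types.
predeploy_ok() {
    [ "$(count_by_ext "$1" xml)" -gt 0 ] && [ "$(count_by_ext "$1" vck)" -gt 0 ]
}

# import_counts -> reads log text on stdin and prints "NEW MODIFIED" taken from
# the last "Imported N new and M modified vulnerabilities" line (empty if none).
import_counts() {
    sed -n 's/.*Imported \([0-9][0-9]*\) new and \([0-9][0-9]*\) modified vulnerabilities.*/\1 \2/p' |
        tail -n 1
}

# import_matches DIR -> reads log text on stdin.
#   returns 0 if new + modified equals the number of descriptors in DIR
#             (assumption: one imported vulnerability per .xml descriptor)
#   returns 1 if the counts differ (a descriptor was probably rejected)
#   returns 2 if the log contains no import line at all
import_matches() {
    counts=$(import_counts)
    [ -n "$counts" ] || return 2
    new=${counts% *}
    mod=${counts#* }
    [ $((new + mod)) -eq "$(count_by_ext "$1" xml)" ]
}

# Usage (LOGFILE is a placeholder for wherever your console log is written):
#   predeploy_ok ssh && cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/SshScanner/1/
#   import_matches ssh < LOGFILE
```

A return of 1 from `import_matches` after a first deployment is the cue to read the log around the import line before trusting scan results from the new checks.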

