Building Weak Credential Vulnerability Checks

Nexpose includes a framework for creating complex vulnerability checks using a simple XML format. Nexpose vulnerability checks are split across two or more files which are parsed by Nexpose when the scan engine is started.

There are two types of XML files that make up a vulnerability check:

  • Vulnerability descriptor - A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
  • Vulnerability check - A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by Nexpose to verify the existence (or non-existence) of the vulnerability described in the descriptor.

Usage

Usage: weak_creds.pl [Options]

Input options:
    -s  --services [service(s)]     Service(s) to generate weak creds checks for (comma-separated)
    -u  --usernames [file]          File of usernames (one per line)
    -p  --passwords [file]          File of passwords (one per line)
    -r  --realms [file]             File of realms (one per line) - (*optional*)
    -d  --dir [dir]                 Output directory (default: $service/) - (*optional*)

For databases, the realm represents the database name. If a realm file is not passed, weak_creds.pl uses the default database name.

Supported services include db2, tds, mysql, postgres, ssh, ftp, telnet, rsh, oracle, cifs, tomcat, and as400.

Example

Running weak_creds.pl will generate the new .vck and .xml file(s) within a directory corresponding to the service for the checks.

$ ./weak_creds.pl -s ssh -u usernames.txt -p passwords.txt
$ ls ssh/*
ssh/ssh-weak-creds-account-foo-password-bar.vck
ssh/ssh-weak-creds-account-foo-password-bar.xml

Deploying your vulnerability checks

To deploy this vulnerability check into Nexpose, simply copy your .xml and .vck file(s) into the following directory:

cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/SshScanner/1/

and restart Nexpose. You should see something like the following message in the log:

NSC  3/13/10 11:10 AM: Imported 1 new and 0 modified vulnerabilities in 22 seconds

When Nexpose has restarted, log in and browse to https://<nexpose>:3780/vulnerability.html?vulnid=ssh-weak-creds-account-foo-password-bar. You should see the details of your new vulnerability check.
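Before copying the generated files into the plugin directory, it is worth confirming that every .vck check has its .xml descriptor (and vice versa), since Nexpose needs both files to import a check. The following is an added example, not part of weak_creds.pl or Nexpose: it pairs the files in an output directory by name, parses the `<service>-weak-creds-account-<user>-password-<pass>` naming pattern inferred from the example above (an assumption about the generator's naming), and builds the console URL where each check should appear after the restart. The sample directory it builds is constructed for illustration.

```python
"""Pre-deployment sanity check for a weak_creds.pl output directory (added example)."""
import os
import re
import tempfile

# Naming pattern inferred from the README's example file names (assumption);
# non-greedy user match so a password containing "-" still parses.
VULN_ID_RE = re.compile(
    r"^(?P<service>[a-z0-9]+)-weak-creds-account-(?P<user>.+?)-password-(?P<password>.*)$"
)


def pair_checks(directory):
    """Return (paired_ids, missing_xml, missing_vck) for the .vck/.xml files in directory."""
    exts_by_id = {}
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext in (".vck", ".xml"):
            exts_by_id.setdefault(stem, set()).add(ext)
    paired = sorted(s for s, e in exts_by_id.items() if e == {".vck", ".xml"})
    missing_xml = sorted(s for s, e in exts_by_id.items() if ".xml" not in e)
    missing_vck = sorted(s for s, e in exts_by_id.items() if ".vck" not in e)
    return paired, missing_xml, missing_vck


def parse_vuln_id(vuln_id):
    """Split a check id into service/user/password, or None if it does not match."""
    m = VULN_ID_RE.match(vuln_id)
    return m.groupdict() if m else None


def vuln_url(vuln_id, host="nexpose"):
    """Console URL (from the README) where the imported check should be visible."""
    return f"https://{host}:3780/vulnerability.html?vulnid={vuln_id}"


def make_sample_dir():
    """Constructed sample output: one complete pair plus one .vck with no descriptor."""
    d = tempfile.mkdtemp()
    for name in ("ssh-weak-creds-account-foo-password-bar.vck",
                 "ssh-weak-creds-account-foo-password-bar.xml",
                 "ssh-weak-creds-account-foo-password-baz.vck"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    paired, no_xml, no_vck = pair_checks(make_sample_dir())
    for vid in paired:
        print("ok  ", parse_vuln_id(vid), vuln_url(vid))
    for vid in no_xml + no_vck:
        print("SKIP", vid, "(missing descriptor or check; Nexpose will not import it)")
```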
