Building weak credential vulnerability checks

The Security Console includes a framework for creating complex vulnerability checks using a simple XML format. These vulnerability checks are split across two or more files which are parsed by the Security Console when the scan engine is started.

There are 2 required types of XML files that make up a vulnerability check:

  • Vulnerability descriptor - A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
  • Vulnerability check - A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by the Security Console to verify the existence (or non-existence) of the vulnerability described in the descriptor.

A third optional XML file type exists:

  • Vulnerability Solution File - A file ending in the .sol extension that contains vulnerability solution information. This information may optionally be included in the vulnerability descriptor .xml file or broken out into a .sol file for reuse by other vulnerabilities. Solutions contain information about how to remediate the vulnerability. A solution file allows the solution to be written once and, when the recommended solution changes, updated in one place for the many vulnerabilities that share it.

External reference for solution files

Usage

Usage: weak_creds.pl [Options]

Input options:
-s --services [service(s)] Service(s) to generate weak creds checks for (comma-seperated)
-u --usernames [file] File of usernames (one per line)
-p --passwords [file] File of passwords (one per line)
-r --realms [file] File of realms (one per line) - (*optional*)
-d --dir [dir] Output directory (default: $service/) - (*optional*)

For databases, the realm represents the database name. If a realm file is not passed, weak_creds.pl uses the default database name.

Supported Services include db2, tds, mysql, postgres, ssh, ftp, telnet, rsh, oracle, cifs, tomcat, and as400

Example

Running weak_creds.pl will generate the new .vck and .xml file(s) within a directory corresponding to the service for the checks.

$ ./weak_creds.pl -s ssh -u usernames.txt -p passwords.txt
$ ls ssh/*
ssh/ssh-weak-creds-account-foo-password-bar.vck
ssh/ssh-weak-creds-account-foo-password-bar.xml

External Link to https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/weak_creds.pl

Deploying your vulnerability checks

To deploy this vulnerability check into the Security Console, simply copy your .xml and .vck file(s) into the following directory for the scan console and any attached scan engines:

cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/CustomScanner/1/

and restart the Security Console. You should see something like the following message in the log:

NSC 3/13/10 11:10 AM: Imported 1 new and 0 modified vulnerabilities in 22 seconds
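Because a check needs both a descriptor and a .vck file, it helps to confirm the generated directory is complete before running the copy step above. The function below is an added example, not part of weak_creds.pl or the Security Console; the name unpaired_checks is hypothetical, and it assumes each generated .vck shares its base name with its .xml descriptor, as in the ssh/ listing shown earlier.

```shell
#!/bin/sh
# Added example: pre-deployment sanity check for a directory of generated checks.
# Assumption: every .vck has a descriptor with the same base name and a .xml
# extension (the naming weak_creds.pl produces in the listing above).
#
# unpaired_checks DIR
#   Prints one line per empty or unpaired file.
#   Returns 0 only if every file is non-empty, has its counterpart,
#   and the directory holds at least one check.
unpaired_checks() {
    dir=$1
    status=0
    paired=0
    for f in "$dir"/*.vck "$dir"/*.xml; do
        [ -e "$f" ] || continue              # glob matched nothing
        case "$f" in
            *.vck) other="${f%.vck}.xml" ;;
            *.xml) other="${f%.xml}.vck" ;;
        esac
        if [ ! -s "$f" ]; then
            echo "empty: $f"
            status=1
        elif [ ! -e "$other" ]; then
            echo "unpaired: $f (missing ${other##*/})"
            status=1
        else
            paired=$((paired + 1))
        fi
    done
    if [ "$paired" -eq 0 ]; then
        echo "no complete checks found in $dir"
        status=1
    fi
    return "$status"
}

# Typical use, gating the copy step from this page:
#   unpaired_checks ssh && cp -vf ssh/* /opt/rapid7/nexpose/plugins/java/1/CustomScanner/1/
```

Run the same gate on each attached scan engine's copy of the directory so the console and engines load an identical set of checks.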

Undocumented Command

Within the Security Console and scan engine command line interfaces, new vulnerability checks and descriptions may be loaded without restarting the respective services. The 'load content' command initiates a background reload of vulnerability information.

> load content
2018-01-03T11:29:21 [INFO] > load content
2018-01-03T11:29:28 [INFO] Loading vulnerability and solution managers.
2018-01-03T11:29:35 [INFO] [Started: 2018-01-03T16:29:28] [Duration: 0:00:07.102] Completed loading vulnerability and solution managers
2018-01-03T11:29:35 [INFO] Loading vulnerability check manager.
... content trimmed for this article ...
2018-01-03T11:35:02 [INFO] Load Content command complete.