On the heels of Steve Kaplan's Hackfest presentation of a Rapid7 evaluation-licensed Nexpose Application Scanner install, we would like to showcase for you, Ladies and Gents, the Developer API Guide. That install allows point-and-click escalation/exploitation of discovered vulnerabilities, provided you have loaded the correct modules and payload, similar to Metasploit. Its vulnerability signatures are updated when Nexpose initializes and match those available in Metasploit.
FAST and EASY - NO Rapid7 License key NEEDED!
Metasploit has automation for msfconsole via resource files, which provide all the basic "command line typed" elements that have to be matched for any "service" as part of the exploit pentest:
$ ./msfconsole -r documentation/msfconsole_rc_ruby_example.rc
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 542 exploits - 295 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8873 updated today (2010.03.22)
resource (documentation/msfconsole_rc_ruby_example.rc)> use exploit/multi/handler
resource (documentation/msfconsole_rc_ruby_example.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
resource (documentation/msfconsole_rc_ruby_example.rc)> set LPORT 4444
resource (documentation/msfconsole_rc_ruby_example.rc)> set LHOST
resource (documentation/msfconsole_rc_ruby_example.rc)> set ExitOnSession false
While some 3.500 possibilities are available, our application is generally only going to use a limited number of these. They can be preconfigured and called after the scan process using the NeXpose (Free Community Edition) API, via an application that sends and receives XML messages to and from the NeXpose Security Console. There are no restrictions on which language you use to write this program, except that the language needs libraries or routines to send POST requests over HTTPS. The API does not support requests over HTTP.
It is helpful if your client language has a library or routines to support XML processing, since all messages sent to and received from NeXpose are XML messages.
You access the API through a URL of the form:
The application connecting to NeXpose must use HTTPS to engage the console. The application must then log on with valid NeXpose credentials. Upon successful logon, NeXpose returns a session ID to the application. Use the session ID for subsequent requests rather than resubmitting the credentials. The following is a typical login sequence:
1. Open an HTTPS connection to the Web console, usually on port 3780.
2. Construct a LoginRequest XML request containing valid NeXpose credentials.
3. Verify that the Content-type HTTP header is set to "text/xml".
4. Send the XML request to https://ncs:3780/api/1.1/xml using the HTTP POST method.
5. Parse the returned LoginResponse.
6. If the success attribute is set to 1, extract the session-id attribute for use in subsequent requests.
7. If the success attribute is set to 0, extract the Failure information and report it.
The session-id is subject to timeout from inactivity regardless of how much work NeXpose is performing. You can specify the timeout period on the NeXpose Security Console Configuration page of the Web interface. See the NeXpose Administrator's Guide for details.
All subsequent requests must include the appropriate session-id in their respective request XML structure. This inclusion will allow the API program to perform actions on behalf of the credentials specified.
If the API request results in a failure, the response XML document will have the success attribute set to 0 and the Failure element will be returned. The format of the Failure element is as follows:
<!-- The failure description, consisting of one or more message and/or exception -->
<!ELEMENT Failure ((message|Exception)*)>
<!-- the message describing the failure -->
<!ELEMENT message (#PCDATA)>
<!-- the source of the message, such as the module that caused the error -->
<!ATTLIST message source CDATA #IMPLIED>
<!-- the source specific message code -->
<!ATTLIST message code CDATA #IMPLIED>
<!-- the exception causing the failure -->
<!ELEMENT Exception (message, stacktrace?)>
<!-- the name of the Exception class (for Java or C++ exceptions) -->
<!ATTLIST Exception name CDATA #IMPLIED>
<!ELEMENT stacktrace (#PCDATA)>
As the success and failure information is stored within the returned XML document, all requests processed by the NeXpose API will return HTTP status code 200. Any other status code implies a problem on the NeXpose server. Common causes of server errors include older versions of NeXpose that do not have API support built in, out-of-memory conditions, etc.
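The login sequence and the Failure handling described above, as an added Python example that is not part of the original post or of Rapid7's code samples. The LoginRequest attribute names user-id and password are assumed from the API 1.1 guide (they do not appear on this page), the Failure element is assumed to sit inside the response element, and the sample responses are constructed.

```python
import urllib.request
import xml.etree.ElementTree as ET

API_URL = "https://ncs:3780/api/1.1/xml"  # "ncs" is the page's example console host

class NexposeFailure(Exception):
    """success="0" in the response, or a non-200 HTTP status."""

def build_login_request(user, password):
    # Attribute names user-id/password are assumed from the API 1.1 guide (not on
    # this page). ElementTree escapes the values, so odd characters in a
    # credential cannot alter the XML structure.
    req = ET.Element("LoginRequest", {"user-id": user, "password": password})
    return ET.tostring(req, encoding="utf-8")

def parse_response(status, body):
    """Return the parsed response element, or raise NexposeFailure with details."""
    if status != 200:  # the API answers 200 even on failure; anything else is a server problem
        raise NexposeFailure(f"console returned HTTP {status}")
    root = ET.fromstring(body)
    if root.get("success") == "1":
        return root
    details = []
    for item in root.findall(".//Failure/*"):  # (message|Exception)* per the DTD
        if item.tag == "message":
            src, code = item.get("source", "?"), item.get("code", "?")
            details.append(f"[{src}/{code}] {(item.text or '').strip()}")
        elif item.tag == "Exception":
            msg = (item.findtext("message") or "").strip()
            details.append(f"{item.get('name', 'Exception')}: {msg}")
    raise NexposeFailure("; ".join(details) or "unspecified failure")

def login(user, password, url=API_URL):
    if not url.lower().startswith("https://"):  # the API does not support HTTP
        raise ValueError("the NeXpose API is HTTPS-only")
    post = urllib.request.Request(url, data=build_login_request(user, password),
                                  headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(post) as resp:  # default context verifies the TLS cert
        return parse_response(resp.status, resp.read()).get("session-id")

# Constructed sample responses (not captured from a real console).
SAMPLE_OK = b'<LoginResponse success="1" session-id="CONSTRUCTED-SESSION-ID"/>'
SAMPLE_FAIL = (b'<LoginResponse success="0"><Failure>'
               b'<message source="auth" code="1">bad credentials</message>'
               b'<Exception name="ExampleException"><message>denied</message>'
               b'</Exception></Failure></LoginResponse>')
```

If the console presents a self-signed certificate, add that certificate to the trust store given to urlopen rather than turning verification off, since the login request carries the credentials.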
If you use a command that is not listed in the NeXpose Administrator's Guide, NeXpose will return the XMLResponse.
For a sample implementation of some of the API functionality, see the Code samples section in the API Development v.1.1.2 Guide.
Here's the list of all the functions used:
API applications
The API can be used for various applications, not limited to the following:
NeXpose API data interface
Since the NeXpose API responses are XML, it is straightforward to write scripts that extract relevant data from the
responses, rather than exporting the data from the NeXpose Web interface. The extracted data can then be processed
according to the needs of your organization. The API simplifies the process of integrating NeXpose data with other
applications such as databases or third-party security tools.
NeXpose API custom interfaces
Most NeXpose users will only use a subset of NeXpose functions on a regular basis. Since all major functionality is
available through the API, you can write your own custom interface that exposes only necessary functions to the
user—either a graphic user interface, or a text-only interface.
Control of NeXpose scanning
The API is a convenient way to configure and run scans. You can run scans as needed without using the NeXpose
Web interface, and write scripts to run scans at scheduled intervals.
Lists of all commands in the NeXpose API
Session management commands
Log on to the security console and establish a session.
Log off from the security console, freeing the session and all related resources.
Site management commands
Provide a list of all sites the user is authorized to view or manage.
Provide the configuration of the site, including its associated assets.
Save changes to a new or existing site.
Delete the specified site and all associated scan data.
Scan the specified site.
Provide a list of all previous scans of the site.
Provide a list of all of the assets in a site. If no site
id is specified, then this will return all of the assets
for the scan engine, grouped by site id.
Scan a specified subset of site assets.
Asset management commands
Delete the specified asset.
Asset group management commands
Provide a list of all asset groups the user is authorized to view or manage.
Provide the configuration of the asset group, including its associated devices.
Save changes to a new or existing asset group.
Delete the specified asset group and all associated scan data.
Scan commands
Provide a list of all scanning engines managed by the security console.
Provide a list of current scan activities for a specific scan engine.
Provide a list of current scan activities across all scan engines managed by the security console.
Pause a running scan.
Resume a running scan.
Stop a running scan.
Check the current status of a scan.
Get scan statistics, including node and vulnerability breakdowns.
Vulnerability assessment commands
Provide a list of vulnerabilities checked by NeXpose.
Provide the full details of a vulnerability, including its description, cross-references, and solution.
Reporting commands
Provide a list of all report templates the user can access on the security console.
Retrieve the configuration for a report template.
Save the configuration for a report template.
Provide a listing of all report definitions the user can access on the security console.
Provide a history of all reports generated with the specified report definition.
Retrieve the configuration for a report definition.
Save the configuration for a report definition.
Generate a new report using the specified report definition.
Delete a previously generated report or report definition.
Generate a report once using a simple configuration, and send it back in a multipart mime
User management commands
Provide a list of user accounts and information about those accounts.
Provide a list of user authentication sources.
List information about a given user account.
Create a new user account, or update the settings for an existing account.
Delete a user account. Note that you cannot delete a user account that is associated with reports or tickets.
General management and diagnostic commands
Execute an arbitrary NeXpose console command that is supplied as text via an API parameter. The NeXpose console commands are documented in the
NeXpose Administrator's Guide. If you use a command that is not listed in the NeXpose Administrator's Guide, NeXpose will return the XMLResponse.
Obtain NeXpose system data, such as total RAM, free RAM, total disk space, free disk space, CPU
speed, number of CPU cores, and other vital information.
Induce NeXpose to retrieve required updates and restart if necessary.
Induce NeXpose to restart.
Output diagnostic information into log files, zip the files, and encrypt the archive with a PGP public key that is provided as a parameter for the API call. Then, either email this archive to an address that is specified as an API parameter, or upload the archive using HTTP or HTTPS to a URL that is specified as an API parameter.
If you do not specify a key, the SendLogRequest uses a Rapid7 default key.
Session Management
Log on to the security console and establish a session.
Exact syntax for each command available with additional information from
msfconsole automation resource files:
NOTE: These don't include the spidering functions in API_12.
NeXpose XML API Examples http://community.rapid7.com/redmine/projects/nexpose/wiki/XML_API_11_Examples
Ben Hamilton's GitHub Project for Ruby XML_API 11 https://github.com/beingben/r7api11-r
And my OpenVAS friend KOST's NeXpose API Perl GitHub https://github.com/kost
See also Rapid7/Metasploit Exploit Engineer Wanted: http://plug.phoenix.az.us/rapid7
Catch My MetaSploit & IP CAM Surveillance
Presentations @ ABLEConf.com in April!