[nexpose-users] Custom Checks for Microsoft AD Account access

Marc Bevand Marc_Bevand at rapid7.com
Tue Mar 23 16:17:54 PDT 2010


Rowland Johnson wrote:
>
> I have read the previous posts, and can see a number of threads around custom
> check for account/password enumeration.
>
> I was wondering if someone might be able to help provide some guidance on a
> custom check that tests usernames extracted from AD, against a small list of
> passwords.  For instance, as part of a test, I might be able to enumerate
> 50 usernames, such as fbloggs, sjones, mpatterson etc. from AD.  It would be
> really helpful if I could devise a check to provide a default password test against
> each of these accounts with a password of 'password1', or 'customer' as the
> password.

It is possible, but requires the use of Jess. Know that Rapid7 doesn't encourage or support
end users writing custom Jess-based checks, due to the fact it is very much tied to our
framework (there is no _public_ documentation for it), and we may change the API at
any time. In the near future we will hopefully make it possible to write more complex
XML-based checks, without using Jess.

Try the following. In plain English: for each user found on a CIFS endpoint, use the
CifsAuthenticator to verify if the account can authenticate with the specified password
("qwerty" in the example):

<VulnerabilityCheck id="custom-my-default-pw-check" scope="endpoint">
   <JessRule>
      <query><![CDATA[
         ; Match every CIFS service, then every user discovered on the same node
         (ServiceAdvertisement (endpoint ?j_endpoint) (name "CIFS"))
         (NodeUser
            (networkNode ?j_networkNode &: (call ?j_networkNode equals (call ?j_endpoint getNetworkNode)))
            (user ?j_user))
      ]]></query>
      <body><![CDATA[
         ; The single password to test and an empty realm (local/default domain)
         (bind ?j_pw "qwerty")
         (bind ?j_realm "")
         (log-debug ?j_endpoint "Checking user " ?j_user " password " ?j_pw)
         ; Build the credential object and try a CIFS logon against the endpoint
         (bind ?j_credentials (new com.rapid7.auth.UserCredentials ?j_user ?j_pw ?j_realm))
         (bind ?j_authenticator (new com.rapid7.net.cifs.CifsAuthenticator))
         (if (call ?j_authenticator authenticate ?j_endpoint ?j_credentials) then
            ; Logon succeeded: report the finding and stop evaluating this rule
            (vulnerability-test-exploited ?j_vulnCkRes (str-cat "Authenticated as " ?j_user " with password " ?j_pw))
            (return)
         )
         ; Logon failed: record a clean result for this user
         (vulnerability-test-not-vulnerable ?j_vulnCkRes "No default password in use")
      ]]></body>
   </JessRule>
</VulnerabilityCheck>

-mrb
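The same check widened to the short password list the question asked about, as an added example that is not from the original post or from Rapid7: it assumes the same undocumented Jess bindings (?j_endpoint, ?j_user, ?j_vulnCkRes, CifsAuthenticator, UserCredentials) and standard Jess 7 `foreach`/`break` semantics; the two passwords are constructed sample values.

```xml
<VulnerabilityCheck id="custom-my-default-pw-list-check" scope="endpoint">
   <JessRule>
      <query><![CDATA[
         (ServiceAdvertisement (endpoint ?j_endpoint) (name "CIFS"))
         (NodeUser
            (networkNode ?j_networkNode &: (call ?j_networkNode equals (call ?j_endpoint getNetworkNode)))
            (user ?j_user))
      ]]></query>
      <body><![CDATA[
         ; Keep this list very short: each entry is one failed logon per account, and a
         ; list longer than the domain's lockout threshold locks every enumerated user out.
         ; (constructed sample values; bindings below are assumed from the original check)
         (bind ?j_pws (create$ "password1" "customer"))
         (bind ?j_realm "")
         (bind ?j_authenticator (new com.rapid7.net.cifs.CifsAuthenticator))
         (bind ?j_hit "")
         (foreach ?j_pw ?j_pws
            (log-debug ?j_endpoint "Checking user " ?j_user " password " ?j_pw)
            (bind ?j_credentials (new com.rapid7.auth.UserCredentials ?j_user ?j_pw ?j_realm))
            (if (call ?j_authenticator authenticate ?j_endpoint ?j_credentials) then
               ; Remember the first working password and stop trying further ones
               (bind ?j_hit ?j_pw)
               (break)))
         (if (neq ?j_hit "") then
            (vulnerability-test-exploited ?j_vulnCkRes
               (str-cat "Authenticated as " ?j_user " with password " ?j_hit))
         else
            (vulnerability-test-not-vulnerable ?j_vulnCkRes "No default password in use"))
      ]]></body>
   </JessRule>
</VulnerabilityCheck>
```

The loop stops at the first successful logon so an account is never hit with more attempts than needed, and the lockout threshold of the target domain still bounds how long the list may safely be.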
