Add Nagios XI mixin and auxiliary scanner module and docs #14697
Notes:
|
Sanity test failures usually indicate that payloads are not generating in |
This looks to be related to the |
Thanks for looking into this @jmartin-r7! I guess I can leave this for now since it shouldn't affect manual testing? Then I or the dev who'll take this on can fix this before landing. |
There's an edge case when scanning a remote host (with I'm not sure if this is something you want to deal with. There may be value if:
In the case of the latter, there may be value (maybe?) in writing a module which can do this. Example (Nagios XI 5.4.4) :
|
There might be another edge case here where Nagios XI is installed, but the license agreement has not been accepted. Here's the output. I messed up the cookie parsing (which didn't help) before accepting the license. So I'm not sure if this poses a problem, and I can't be bothered to rebuild this test system at the moment.
Edit: Confirmed. The module bails if the license has not yet been accepted, as the application redirects to the license acceptance page as the first page after login. |
if nsp.blank? | ||
return Msf::Exploit::CheckCode::Unknown('Unable to obtain the value of the `nsp_str` token required for authentication') | ||
end |
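Review bot: the `nsp.blank?` branch returns `CheckCode::Unknown` with a message that names only the missing `nsp_str` token, so an operator cannot tell an unexpected page layout apart from an empty or redirected response. Consider adding the request path and HTTP status code to the message, or emitting the response details through `vprint_status`, so that a failure on an unfamiliar Nagios XI version can be diagnosed from the module output alone.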
This check failed on a (very) old version of Nagios XI (version 2012R2.9). I haven't bothered to look into why.
Here's the HTML.
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
####################
# Request:
####################
GET /nagiosxi/login.php HTTP/1.1
Host: 10.1.1.111
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Sat, 06 Feb 2021 03:29:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: nagiosxi=uk2g58fkahi5q65h0ki2n7b497; expires=Sat, 06-Feb-2021 03:59:29 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<!-- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<!-- Produced by Nagios XI. Copyyright (c) 2008-2011 Nagios Enterprises, LLC (www.nagios.com). All Rights Reserved. -->
<!-- Powered by the Nagios Synthesis Framework -->
<title>Nagios XI - Login</title>
<meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="shortcut icon" href="http://10.1.1.111/nagiosxi/images/favicon.ico" type="image/ico" />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/css/jquery.autocomplete.css' />
<script type='text/javascript'>
//javascript:alert(document.documentMode);
var base_url="http://10.1.1.111/nagiosxi/";
var backend_url="http%3A%2F%2F10.1.1.111%2Fnagiosxi%2Flogin.php";
var ajax_helper_url="http://10.1.1.111/nagiosxi/ajaxhelper.php";
var ajax_proxy_url="http://10.1.1.111/nagiosxi/ajaxproxy.php";
var suggest_url="http://10.1.1.111/nagiosxi/suggest.php";
var request_uri="%2Fnagiosxi%2Flogin.php";
var permalink_base="http://10.1.1.111/nagiosxi/login.php?";
var demo_mode=0;
var nsp_str="fb3798156288cc818e648fbf2725464a";
</script>
<!-- FIREBUG LITE! -->
<!--
<script type='text/javascript'
src='http://getfirebug.com/releases/lite/1.2/firebug-lite-compressed.js'></script>
//-->
<!-- main jquery libraries -->
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery-1.8.2.min.js?2012R2.9'></script>
<link type="text/css" href="http://10.1.1.111/nagiosxi/includes/js/jquery/css/smoothness/jquery-ui-1.9.0.custom.min.css?2012R2.9" rel="stylesheet" />
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.colorBlend.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.timers-1.1.3.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery-ui-1.9.0.custom.min.js?2012R2.9'></script>
<!-- DEPRECATED JQUERY PLUGINS
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.autocomplete.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.checkboxes.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.bgiframe.pack.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.tooltip.pack.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.sparkline.js'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.inview.min.js'></script>
-->
<!-- colorpicker -->
<link rel="stylesheet" href="http://10.1.1.111/nagiosxi/includes/js/jquery/colorpicker/css/colorpicker.css" type="text/css" />
<script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/js/jquery/colorpicker/js/colorpicker.js"></script>
<!-- clipboard plugin -->
<script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.zclip.min.js"></script>
<!-- XI JS Scripts -->
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/core.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/commands.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/views.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/dashboards.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/dashlets.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/tables.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/users.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/perfdata.js?2012R2.9'></script>
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/wizards.js?2012R2.9'></script>
<!-- XI CSS -->
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/css/nagiosxi.css?2012R2.9' />
<!-- Highcharts Graphing Library -->
<script type="text/javascript" src="http://10.1.1.111/nagiosxi//includes/js/highcharts/highcharts.js?320"></script>
<script type="text/javascript" src="http://10.1.1.111/nagiosxi//includes/js/highcharts/modules/exporting.js?320"></script><script type="text/javascript" src="http://10.1.1.111/nagiosxi//includes/js/highcharts/themes/gray.js?320"></script>
<!-- D3 Graphing Library -->
<script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/js/d3/d3.v3.min.js?2012R2.9'></script>
<!-- styles needed by jScrollPane -->
<link type="text/css" href="http://10.1.1.111/nagiosxi/includes/js/jquery/css/jquery.jscrollpane.css" rel="stylesheet" media="all" />
<!-- the jScrollPane script -->
<script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.jscrollpane.min.js"></script>
<!-- the mousewheel plugin - optional to provide mousewheel support -->
<script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/js/jquery/jquery.mousewheel.js"></script>
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/dashlets/internethealthreport/internethealthreport.css' />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/dashlets/internettrafficreport/internettrafficreport.css' />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/dashlets/rss_dashlet/rss_dashlet.css' />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/dashlets/sansrisingports/sansrisingports.css' />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/dashlets/worldtimeserver/worldtimeserver.css' />
<link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/components/ccm/css/style.css?2.1' /><script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/components/ccm/javascript/main_js.js?2.1"></script><style type="text/css">
#contentWrapper { margin: 0px auto; width: 95%; }
</style>
<script type="text/javascript">
var NAGIOSXI=true
</script><script type="text/javascript" src="http://10.1.1.111/nagiosxi/includes/components/graphexplorer/includes/graphexplorerinclude.js"></script><script type='text/javascript' src='http://10.1.1.111/nagiosxi/includes/components/helpsystem/helpsysteminclude.js?0.3'></script><link rel='stylesheet' type='text/css' href='http://10.1.1.111/nagiosxi/includes/components/helpsystem/helpsystem.css?0.3' /></head>
<body class=' parent' >
<div class="parentpage"><!-- page-->
<div id="header" class="parenthead" >
<!--- HEADER START -->
<div id="toplogo">
<a href="http://www.nagios.com/products/nagiosxi/" target="_blank"><img src="http://10.1.1.111/nagiosxi/images/nagiosxi-logo-small.png" border="0" alt="Nagios XI" title="Nagios XI"></a>
</div>
<div id="pagetopalertcontainer">
</div>
<div id="authinfo">
</div>
<div id="topmenucontainer">
<ul class="menu">
<li><a href="http://10.1.1.111/nagiosxi/login.php">Login</a></li>
</ul>
</div>
<div id="feedback_layer">
<div id="feedback_content">
<div id="feedback_close">
<a id="close_feedback_link" href="#"><img src="http://10.1.1.111/nagiosxi/images/b_close.png" border="0" alt="Close" title="Close"> Close</a>
</div>
<div id="feedback_container">
<div id="feedback_header">
<b>Send Us Feedback</b>
<p>We love input! Tell us what you think about this product and you'll directly drive future innovation!</p>
</div><!-- feedback_header -->
<div id="feedback_data">
<form id="feedback_form" method="get" action="http://10.1.1.111/nagiosxi/ajaxproxy.php">
<input type="hidden" name="proxyurl" value="http://api.nagios.com/feedback/">
<input type="hidden" name="proxymethod" value="post">
<input type="hidden" name="product" value="nagiosxi">
<input type="hidden" name="version" value="2012R2.9">
<input type="hidden" name="build" value="20140211">
<label for="feedbackCommentBox">Comments:</label><br class="nobr" />
<textarea class="textarea" name="comment" cols="40" rows="3"></textarea><br class="nobr" />
<label for="feedbackNameBox">Your Name (Optional):</label><br class="nobr" />
<input type="text" size="30" name="name" id="feedbackNameBox" value="" class="textfield" /><br class="nobr" />
<label for="feedbackEmailAddressBox">Your Email Address (Optional):</label><br class="nobr" />
<input type="text" size="30" name="email" id="feedbackEmailAddressBox" value="" class="textfield" /><br class="nobr" />
<div id="feedbackFormButtons">
<input type="submit" class="submitbutton" name="submitButton" value="Submit" id="submitFeedbackButton">
</div>
<br clear="all">
<p>
<a href="http://www.nagios.com/legal/privacypolicy/" target="_blank">Privacy Policy</a>
</p>
</form>
</div><!-- feedback_data -->
</div><!-- feedback_container-->
</div><!--feedback_content-->
</div><!--feedback_layer-->
<div id="popup_layer">
<div id="popup_content">
<div id="popup_close">
<a id="close_popup_link" href="#"><img src="http://10.1.1.111/nagiosxi/images/b_close.png" border="0" alt="Close" title="Close"> Close</a>
</div>
<div id="popup_container">
</div>
</div>
</div>
<!-- HEADER END -->
<div id="throbber"></div>
</div><!--header -->
<div id="mainframe">
<div id="parentcontentthrobber"><img src='http://10.1.1.111/nagiosxi/images/throbber1.gif' /></div>
<h1>Login</h1>
<div style="float: left; margin-right: 25px; width: 50%;">
<form id="loginForm" method="post" action="/nagiosxi/login.php">
<input type='hidden' name='nsp' value='fb3798156288cc818e648fbf2725464a'>
<fieldset>
<legend>Login</legend>
<input type="hidden" name="page" value="auth">
<input type="hidden" name="debug" value="">
<input type="hidden" name="pageopt" value="login">
<label for="usernameBox">Username:</label><br class="nobr" />
<input type="text" size="10" name="username" id="usernameBox" class="textfield" /><br class="nobr" />
<label for="passwordBox">Password:</label><br class="nobr" />
<input type="password" size="10" name="password" id="passwordBox" class="textfield" /><br class="nobr" />
<div id="formButtons">
<input type="submit" class="submitbutton" value="Login" id="loginButton" name="loginButton"><br class="nobr" />
</div>
</fieldset>
</form>
<script type="text/javascript" language="JavaScript">
document.forms['loginForm'].elements['usernameBox'].focus();
</script>
<br class="nobr" />
<p>
<a href="?forgotpass">Forgot your password?</a>
</p>
<label>Select Language:</label>
<br class="nobr" />
<div id='languageopts'>
<a href='?locale=en_US' class='locale-icon en_US' title='English'></a>
<a href='?locale=de_DE' class='locale-icon de_DE' title='German'></a>
<a href='?locale=es_ES' class='locale-icon es_ES' title='Spanish'></a>
<a href='?locale=fr_FR' class='locale-icon fr_FR' title='French'></a>
<a href='?locale=it_IT' class='locale-icon it_IT' title='Italian'></a>
<a href='?locale=ko_KR' class='locale-icon ko_KR' title='Korean'></a>
<a href='?locale=pt_PT' class='locale-icon pt_PT' title='Portuguese'></a>
<a href='?locale=ru_RU' class='locale-icon ru_RU' title='Russian'></a>
<a href='?locale=zh_CN' class='locale-icon zh_CN' title='Simplified Chinese'></a>
<a href='?locale=zh_TW' class='locale-icon zh_TW' title='Traditional Chinese'></a>
<a href='?locale=ja_JP' class='locale-icon ja_JP' title='Japanese'></a>
</div>
</div>
<div style="float: left; width: 40%;">
<img src="http://10.1.1.111/nagiosxi/images/loginsplash.png"><br clear="all">
<h3>About Nagios XI</h3>
<p>
Nagios XI is an enterprise-class monitoring and alerting solution that provides organizations with extended insight of their IT infrastructure before problems affect critical business processes. For more information on Nagios XI, visit
<a href="http://www.nagios.com/products/nagiosxi/" target="_blank">www.nagios.com/products/nagiosxi/</a>
</p>
<h3>Nagios Learning Opportunities</h3>
<p>
Learn about Nagios
<a href="http://www.nagios.com/services/training" target="_blank"><strong>training</strong></a>
and <a href="http://www.nagios.com/services/certification" target="_blank">
<strong>certification</strong></a>.
</p>
<p>
Want to learn about how other experts are utilizing Nagios? Don't miss your chance to attend the next <a href="http://go.nagios.com/nwcna" target="_blank"> <strong> Nagios World Conference</strong></a>.
</p>
<h3>Contact Us</h3>
<p>
Have a question or technical problem? Contact us today: </p>
<table border="0">
<tr><td valign="top">Support:</td>
<td><a href="http://support.nagios.com/forum/" target="_blank">Online Support Forum</a></td></tr>
<tr><td valign="top">Sales:</td><td>Phone: (651) 204-9102
<br />Fax: (651) 204-9103
<br />Email: sales@nagios.com</td></tr>
<tr><td valign="top">Web:</td>
<td><a href="http://www.nagios.com/" target="_blank">www.nagios.com</a></td></tr>
</table>
</div>
</div><!--mainframe-->
<!-- <div id="footer"> //there should only be one div with id of footer on any given page, moved to footer.inc.php -->
<!-- FOOTER START -->
<div id="footer">
<div id="footermenucontainer">
<div id="footernotice">Nagios XI 2012R2.9 Copyright © 2008-2021 <a href="http://www.nagios.com/" target="_blank">Nagios Enterprises, LLC</a>.</div>
<ul class="footermenu">
<li><a href="http://10.1.1.111/nagiosxi/about/">About</a></li>
<li><a href="http://10.1.1.111/nagiosxi/about/?legal">Legal</a></li>
</ul>
</div>
<script type="text/javascript">
function get_tray_alert_content() {
var optsarr = {
"func": "get_tray_alert_html",
"args": ""
}
var opts = array2json(optsarr);
get_ajax_data_with_callback("getxicoreajax", opts, "process_tray_alert_content");
}
function process_tray_alert_content(edata) {
data = unescape(edata);
$("#tray_alerter_popup_content").html(data);
var status = $("#tray_alerter_status").html();
$("#tray_alerter").html(status);
}
$(document).ready(function() {
get_tray_alert_content();
$("#tray_alerter").everyTime(30000, "timer-tray_alerter", function(i) {
get_tray_alert_content();
});
$("#tray_alerter").click(function() {
var vis = $("#tray_alerter_popup").css("visibility");
if (vis == "hidden") {
$("#tray_alerter_popup").css("visibility", "visible");
} else {
$("#tray_alerter_popup").css("visibility", "hidden");
}
});
});
</script>
<div id="keepalive"></div>
</div> <!-- end footer div -->
<!-- FOOTER END --> <!-- </div> -->
</div><!--page-->
<noframes>
<!-- This page requires a web browser which supports frames. -->
<h2>Nagios XI</h2>
<p align="center">
<a href="http://www.nagios.com/">www.nagios.com</a><br>
Copyright (c) 2009-2012 Nagios Enterprises, LLC<br>
</p>
<p>
<i>Note: These pages require a browser which supports frames</i>
</p>
</noframes>
<script type='text/javascript'>
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2887186-1']);
_gaq.push(['_setAllowLinker', true]);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</body>
</html>
[-] Cannot reliably check exploitability. Unable to obtain the value of the `nsp_str` token required for authentication
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) >
This also fails when using `VERSION` as `2012R2.9` is not in the expected format.
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set version 2012R2.9
version => 2012R2.9
rmsf6 auxiliary(scanner/http/nagios_xi_scanner) > run
[-] Invalid version format: `2012R2.9`. Please provide an existing Nagios XI version or use `unset VERSION` to cancel
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
As per the version history, the versioning scheme changed from `<YYYY>r<version>` in 2015 with the release of the `5.x` branch.
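The two numbering schemes described in the comment above can be handled by one parser when triaging an inventory of Nagios XI hosts. This is an added example, not part of the thread and not Metasploit code; the class name, `triage` helper and result symbols are hypothetical, and the 5.4.0 to 5.8.0 range is the one the PR description calls "probably" affected.

```ruby
# Added example, not Metasploit code: order and triage Nagios XI version strings
# from both numbering schemes mentioned in the thread.
class NagiosXiVersion
  include Comparable

  LEGACY = /\A(\d{4})r(\d+)\.(\d+)\z/i    # <YYYY>r<version>, e.g. 2012R2.9
  MODERN = /\A(\d+)\.(\d+)(?:\.(\d+))?\z/ # 5.x branch and later, e.g. 5.7.3

  attr_reader :raw, :scheme, :parts

  # Returns a NagiosXiVersion, or nil when the string matches neither scheme.
  def self.parse(str)
    s = str.to_s.strip
    if (m = LEGACY.match(s))
      new(s, :legacy, m.captures.map(&:to_i))
    elsif (m = MODERN.match(s))
      new(s, :modern, m.captures.map(&:to_i)) # a missing patch level becomes 0
    end
  end

  def initialize(raw, scheme, parts)
    @raw = raw
    @scheme = scheme
    @parts = parts
  end

  # Assumption: every year-based release predates every dotted release, since
  # the thread says the scheme changed with the release of the 5.x branch.
  def <=>(other)
    return nil unless other.is_a?(NagiosXiVersion)
    return parts <=> other.parts if scheme == other.scheme

    scheme == :legacy ? -1 : 1
  end

  def to_s
    raw
  end
end

# Range quoted in the PR description as "probably" affected by at least one module.
RANGE_LOW = NagiosXiVersion.parse('5.4.0')
RANGE_HIGH = NagiosXiVersion.parse('5.8.0')

# Classify one inventory entry so legacy and malformed strings are not silently
# dropped, which is the failure mode reported for `2012R2.9`.
def triage(version_string)
  v = NagiosXiVersion.parse(version_string)
  return :unparseable if v.nil?
  return :legacy_scheme if v.scheme == :legacy

  v.between?(RANGE_LOW, RANGE_HIGH) ? :in_described_range : :outside_described_range
end

# Constructed inventory; the version strings are ones that appear in the thread.
if __FILE__ == $PROGRAM_NAME
  %w[2012R2.9 5.2.8 5.4.4 5.7.3 5.8.2 garbage].each do |s|
    puts format('%-10s %s', s, triage(s))
  end
end
```
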
After resolving the comments above (locally), the scanner works on several of my Nagios XI test systems (but not on 2012R2.9, released 2014-02-11):
|
Thanks a ton for testing all of this and for the great suggestions @bcoles!! I will dig into this next week :) |
The latest commit fixes the most straightforward issues found by @bcoles . I still need to set up an older Nagios XI version so I can test it though. I also want to look into some of the edge cases that were mentioned, though I personally don't think it's necessary to try and make this compatible with very old versions like Regarding the issues with the cookie jar, I think I found a fix for this by simply using |
I used 2012R2.9 as a sample of a very old version. The versioning scheme changed in 2015, which is "only" 6 years ago. It's probably not necessary to support these old versions, but it would be a "nice to have" feature, especially as Metasploit contains at least two modules which target these versions:
Edit: To clarify: it's a "nice to have", but totally ok not to include it. This module is specifically a NagiosXI scanner, not a Nagios3 scanner.
I think it changed somewhere around 5.4, but I'm not sure that it was consistent. I changed |
Rebasing this to pull in recent changes and since there are other modules in the queue that depend on this PR being landed so it would be good to get this into the framework so we can start looking at those in more detail. Edit: Also so I can check if the failure on the sanity checks is due to something in the code here or just due to a lack of rebasing. |
Thanks for rebasing @gwillcox-r7 ! I have made a few more changes that I am hoping to push this week. I have successfully tested my new approach for dealing with cookies on a 5.3.0 system and I also added functionality to finish the Nagios XI installation and / or sign the license agreement if this hasn't been done yet. I still need to do a little more testing before I can push this though. |
@kalba-security Can I go ahead and mark your PRs as draft for now then until they are ready to be merged in? |
@gwillcox-r7 I assume that doesn't affect this PR other than that it's being labeled differently here? In that case, go ahead! |
Sounds good! Let me know if you want me to do a final test run at that point. I've got 4-5 different versions set up and can also use snapshots to test from before the full installation for at least 2 of them. |
Only concern with this is the way the CVE numbers are represented, however I can understand that this might make sense for reducing output length so I'm 50/50 on this as whilst it does reduce output length it may not be obvious to some people which CVE is being referenced here. Going to update this as part of my fixes since some people mentioned this reduces the copy paste ability. |
Okay pushing up a fix for several issues now, still remains the outstanding issue of several functions returning |
Yeah @gwillcox-r7 honestly I wasn't sure about this myself either. As you mentioned, my goal was to strike a balance between output length and readability. A solution for this might be to make the hash key into an Array that we can then populate with multiple CVEs if necessary. Then while printing we could print the CVEs on one line and the module on the next so you'd get something like this:
But this may also be confusing.
I'm not sure what the best way to go is here, so feel free to pick whatever you think works. |
1dbf165 should contain some fixes to address this output issue. |
Are you working on this or would you like me to have a look? |
Happy for you to have a look, you might have a slightly better idea how you want the program to perform r.e |
Okay will do! I saw your messages on slack btw. We can continue the conversation there :) |
Hey @gwillcox-r7 I just went through all the code and I didn't find any unchecked potential login.rb:
version.rb
install.rb
Please let me know in case I missed something. |
btw, 83e31ae simply adds a minor change to use safe navigation instead of |
Added a small change because I noticed that your change in 9039b56 broke the regex in |
Woops thanks I typoed that it seems 😓 |
Nagios 5.6.5
|
Hmm seems there is a slight issue with the auto install setup on Nagios 5.8.2, wouldn't install until after I had proceeded past the first few steps and it was on to trying to sign the license. See below. Otherwise works fine:
Nagios 5.8.2
```
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOSTS 172.30.211.121
RHOSTS => 172.30.211.121
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
[] Attempting to authenticate to Nagios XI...
[] Attempting to authenticate to Nagios XI...
[] Attempting to authenticate to Nagios XI...
[] Attempting to authenticate to Nagios XI...
```
|
Nagios 5.5.6 is working well as well:
|
I haven't tested this module on any of the 3.8.x versions, so I suppose they changed something in the installation, probably starting at 3.8.0. With older versions completing the installation was as simple as grabbing cookies and tokens from one page and then sending a single POST request. You could check if there's an easy way to get it working for 3.8.x targets as well, but I don't think it's very important atm since we don't have any modules to exploit 3.8.x targets yet anyway. When a module for later versions is added at some point, this functionality can always be added along with that PR. |
Yep that was my thought, just wanted to make you aware of it but agree its not a blocker for this PR. |
Testing 5.2.8 now as this was a special case, had to use https://webcache.googleusercontent.com/search?q=cache:nR-QXLUIq3cJ:https://support.nagios.com/forum/viewtopic.php%3Ff%3D6%26t%3D41204+&cd=1&hl=en&ct=clnk&gl=us to fix up a typo in the |
Oof I'm an idiot it was version prior to 5.2.8, but at least here is the output from 5.2.8 showing it works and that testing the edge case doesn't result in a false positive.
|
Nagios 5.2.7 showing that the newly added check is working correctly. Only one more version check to do (random really old version prior to Nagios XI 5.x to make sure we return the right info).
|
Okay awesome this also correctly detects that older versions prior to version 5 can't be tested, but it still works with finishing the setup:
|
Everything looks, going to merge this in so long. Thanks for your patience @kalba-security! |
Release Notes
New module |
About
This change adds a new mixin for Nagios XI web applications to `lib/msf/core/exploit/remote/http/nagios_xi`. It also adds an `auxiliary/scanner/http` module (and docs) that takes advantage of this mixin. The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. It supports the following exploit modules.
Vulnerable system
This depends on the specific exploit module, but probably most if not all Nagios XI versions between 5.4.0 and 5.8.0 are vulnerable to at least one exploit, and perhaps this goes for older versions as well.
Verification Steps
use auxiliary/scanner/http/nagios_xi_scanner
set RHOSTS [IP]
set USERNAME [username for a valid Nagios XI account]
set PASSWORD [password for a valid Nagios XI account]
run
Options
PASSWORD
The password for the Nagios XI account to authenticate with.
TARGETURI
The base path to Nagios XI. The default value is `/nagiosxi/`.
USERNAME
The username for the Nagios XI account to authenticate with. The default value is `nagiosadmin`.
VERSION
The Nagios XI version to check against existing exploit modules. If this option is selected, the module will not probe the target, so it is not necessary to provide credentials.
Scenarios
Nagios XI 5.7.3 running on CentOS 7
Nagios XI 5.7.9 version provided via VERSION