Prometheus API & Prometheus Node Exporter Interrogator

[h00die]

This PR creates 2 modules, a library and spec to handle various Prometheus things based on https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/ .

1. prometheus API interrogator will check a few API calls for any credentials/tokens/etc and print them as well as store the configs as loot.
2. prometheus node exporter module (also works with windows exporter) will look for valuable information. PNE is almost SNMP like in nature, and you can expect 1,000-20,000 lines of output. Automating pulling valuable fields is a crucial timesaver.
3. a library to parse a bunch of this information
4. tests to ensure this is working

I based the library for Prometheus on the example in their docs, however this product looks almost infinitely configurable. I've covered as many cases as I found in the test case AND on the Internet that were accessible. However I'm sure I've missed some.

Verification

• make sure spec passes
• install prometheus and test the prometheus docker module, or just scan one on the internet.
• install node exporter and/or windows exporter, scan with the module
• Document for both modules

[h00die]

If you find any other pieces of information that are valuable anywhere, let me know, easy to add things in, I've only tackled the ones I found.

[bwatters-r7]

I don't like being "that guy," but this is a 450-line conditional statement. Is there any chance we might rework it to dispatch to methods rather than contain everything into one?

[h00die]

you aren't wrong. when I wrote it to exploit a customer they only had a few fields so it was simple. then when I got into the example config from prometheus, it kinda got out of hand. I'll see what I can do about re-writing it

[bwatters-r7]

I went through testing the Prometheus API, but when I went to test the node, the docs look incomplete.

[h00die]

you are 100% correct, lemme get that fixed real quick

[h00die]

fixed up.

[bwatters-r7]

Prometheus Node

msf6 auxiliary(gather/prometheus_node_exporter_gather) > show options

Module options (auxiliary/gather/prometheus_node_exporter_gather):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      9100             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Prometheus Node Exporter
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(gather/prometheus_node_exporter_gather) > set rhost 10.5.134.129
rhost => 10.5.134.129
msf6 auxiliary(gather/prometheus_node_exporter_gather) > run
[*] Running module against 10.5.134.129

[+] Go Version: go1.20.6
[+] SELinux enabled: 0
[+] Timezone: UTC
[+] BIOS Information
================

  Field              Value
  -----              -----
  Asset Tag
  Board Name         440BX Desktop Reference Platform
  Board Vendor       Intel Corporation
  Board Version      None
  Chassis Asset Tag  No Asset Tag
  Chassis Vendor     No Enclosure
  Date               11/12/2020
  Product Family
  Product Name       VMware Virtual Platform
  System Vendor      VMware, Inc.
  Vendor             Phoenix Technologies LTD
  Version            6.00

[+] OS Information
==============

  Field             Value
  -----             -----
  Family            ubuntu
  Name              Ubuntu
  Pretty Name       Ubuntu 22.04.3 LTS
  Version           22.04.3 LTS (Jammy Jellyfish)
  Version Codename  jammy
  Version ID        22.04

[+] Network Interfaces
==================

  Device   MAC                Broadcast          State
  ------   ---                ---------          -----
  docker0  02:42:69:cf:b5:8b  ff:ff:ff:ff:ff:ff  down
  ens32    00:0c:29:93:02:de  ff:ff:ff:ff:ff:ff  up
  lo       00:00:00:00:00:00  00:00:00:00:00:00  unknown

[+] File Systems
============

  Device     Mount Point                             FS Type
  ------     -----------                             -------
  /dev/sda2  /boot/efi                               vfat
  /dev/sda3  /                                       ext4
  /dev/sda3  /var/snap/firefox/common/host-hunspell  ext4
  tmpfs      /run                                    tmpfs
  tmpfs      /run/lock                               tmpfs
  tmpfs      /run/snapd/ns                           tmpfs
  tmpfs      /run/user/1000                          tmpfs

[+] uname Information
=================

  Field        Value
  -----        -----
  Arch         x86_64
  Domain Name  (none)
  Node Name    ubuntu2204x64
  OS Type      Linux
  Release      5.15.0-43-generic
  Version      #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022

[*] Auxiliary module execution completed

Prometheus API

msf6 auxiliary(gather/prometheus_api_gather) > run
[*] Running module against 10.5.134.129

[+] Prometheus found, version: 2.47.0
[+] YAML config saved to /home/tmoose/.msf4/loot/20230908124659_default_10.5.134.129_PrometheusYAML_564243.yaml
[+] JSON targets saved to /home/tmoose/.msf4/loot/20230908124659_default_10.5.134.129_PrometheusJSON_004145.json
[+] Config file: /etc/prometheus/prometheus.yml
[*] Auxiliary module execution completed

[bwatters-r7]

Release Notes

This PR creates 2 modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.