Introduction

Nexpose includes a framework for creating complex vulnerability checks using a simple XML format. Nexpose vulnerability checks are split across two or more files which are parsed by Nexpose when the scan engine is started.

There are 2 types of XML files that make up a vulnerability check:

  • Vulnerability descriptor: A file ending in the .xml extension which contains information about a specific vulnerability (title, description, severity, CVE IDs, CVSS score, etc.).
  • Vulnerability check: A file ending in the .vck extension containing multiple tests which are compiled at runtime and used by Nexpose to verify the existence (or non-existence) of the vulnerability described in the descriptor.

One vulnerability can have multiple different types of checks (.vck files) associated with it.

Related tutorials

The following describes how to create a custom check for /etc/shadow permissions. We will use the generic-passwd-group-file-permissions check as our template; by default, it checks the permissions of /etc/shadow files.

The default template check can be found in /opt/rapid7/nexpose/plugins/java/1/UnixScanner/vulns.jar.

In this example, we will modify the existing check to check for 600 permissions.

The goal of this custom check is to modify the acceptable permissions for /etc/shadow from 400 to 600.

Modifying the existing check

  • We will make modifications to the template check and save the result as a custom check. The existing check, generic-passwd-shadow-group-file-permissions.vck, will be extracted from /opt/rapid7/nexpose/plugins/java/1/UnixScanner/vulns.jar.
  • We will create a new xml file per the instructions from the community post.
  • We will create a new vck file per the instructions from the community post.
  • The vulnerability in Nexpose is called "Weak Permissions for Password, Shadow, and Group Files".
  • In this example, we will create a new check, based on the existing one, that accepts permissions of 600 for the /etc/shadow file.

The existing check...

(try
 
  (bind ?mode400 (get-member com.rapid7.io.BasicFile A_OWNER_READ))

Modified check to change 400 permissions to 600...

(try

  (bind ?mode600 (bit-or
    (get-member com.rapid7.io.BasicFile A_OWNER_READ)
    (get-member com.rapid7.io.BasicFile A_OWNER_WRITE)))
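
The mode arithmetic of the modified check, as an added Python example (not part of the Nexpose check or the original post): it builds 600 the same way the check does, by OR-ing owner-read and owner-write, and reports which permission bits a file carries beyond the allowed mask. The function names and the rule "flag any bit outside the mask" are assumptions, since the post does not show how the check compares the mode.

```python
import os
import stat
import tempfile

# Built the way the modified check builds ?mode600: owner-read OR owner-write.
MODE_400 = stat.S_IRUSR
MODE_600 = stat.S_IRUSR | stat.S_IWUSR

# Names for every permission bit, so findings say exactly what exceeds the mask.
_BITS = [(getattr(stat, "S_I" + op + who), label + "-" + name)
         for who, label in (("USR", "owner"), ("GRP", "group"), ("OTH", "other"))
         for op, name in (("R", "read"), ("W", "write"), ("X", "exec"))]
_BITS += [(stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky")]


def excess_bits(mode, allowed):
    """Names of permission bits set in `mode` but not in the `allowed` mask."""
    extra = stat.S_IMODE(mode) & ~allowed
    return [name for bit, name in _BITS if extra & bit]


def audit(path, allowed=MODE_600):
    """Return (compliant, octal mode, excess bits); compliant is None if absent."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return (None, None, [])
    extra = excess_bits(mode, allowed)
    return (not extra, format(stat.S_IMODE(mode), "04o"), extra)


def demo():
    """Audit constructed sample files (not real shadow files) under both masks."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o400, 0o600, 0o640):
            path = os.path.join(tmp, "shadow-%o" % mode)
            open(path, "w").close()
            os.chmod(path, mode)
            out[mode] = (audit(path, MODE_400)[0], audit(path, MODE_600))
    return out


if __name__ == "__main__":
    for mode, (ok_400, result_600) in demo().items():
        print("%04o  passes 400 mask: %s  600 mask: %s" % (mode, ok_400, result_600))
    print("/etc/shadow:", audit("/etc/shadow"))
```

Running it on a target before and after switching scan templates shows which hosts the 400 mask would flag that the 600 mask accepts.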

Deploying your vulnerability check

Once the .vck file has been modified and the corresponding .xml file has been created, place the two files into the /opt/rapid7/nexpose/plugins/java/1/CustomScanner/1 folder and restart Nexpose to activate the modified check. Once Nexpose has restarted, we can modify any of the default scan templates in Nexpose to exclude the original checks for /etc/shadow permissions and include the modified checks that we created.

Run a scan with your new vulnerability

Before running a scan on your assets, the scan template must include the custom check and have the default check disabled.

The following screenshot shows the existing check and the modified one that we will need to select when running the scan.

Summary

In summary, the two files that were created for this custom check are as follows. The modified check allows Nexpose to check for permissions other than the default of 400.

custom-generic-passwd-shadow-group-file-permissions.xml

custom-unix-passwd-shadow-group-file-permissions.vck

These files, when copied into the folder /opt/rapid7/nexpose/plugins/java/1/CustomScanner/1, can be used as a replacement for the default check.