Writing advanced custom vulnerability checks in Nexpose

Vulnerability scanners are a must-have for any company that wants to actively protect itself from threats.

They enable recognizing, categorizing and characterizing vulnerabilities across computers, network infrastructure, software and hardware systems.

One of the deciding factors when choosing a vulnerability scanner is its vulnerability database and the checks it applies to verify that these vulnerabilities exist.

However, as much as vendors like to praise how effective their products are at finding these issues, one crucial aspect of any product is the level of customization it offers the user.

A product that depends only on its own definitions and functions can be of very limited practical use for some users and companies.

Luckily, the product we will be looking at today offers that level of customization.

Rapid7’s Nexpose contains a lot of vulnerability checks, and I mean a lot. At the time of this writing, it sits at 475460 checks.

But there are times when writing your own vulnerability checks is necessary, such as scanning the network for default passwords unique to the company, or scanning for an old vulnerability that isn’t covered by the built-in checks.

So how easy is it to write these checks in Nexpose, one might ask? The answer: quite easy.

The documentation provided by Rapid7 gets us started in no time, and is very useful for understanding how Nexpose handles its vulnerability checks [Link below].

Another great resource, which contains multiple examples to get you started and to help you understand Nexpose custom checks, is @BrianWGray’s GitHub repo [Link below].

Unfortunately, after writing your first check and starting to get familiar with the subject, you will run into the question that many people (including me) have met when starting out:

Where can I find more resources and more examples for writing checks that are more complex and advanced?

Well, the irony is that even though Rapid7 doesn’t provide the documentation needed to write these advanced checks, Nexpose itself does.

How, you may ask? Let’s take a look.

Nexpose Built-In checks

As explained above, Nexpose comes with a lot of vulnerability checks. Better still, all of those checks are available for us to look at.

If you followed the tutorial and built your first check, you have certainly come across this folder.

Path : “[Installation Folder]\nexpose\plugins\java\1\”

[Image: Nexpose Built-In plugins]

These folders contain the majority of the built-in vulnerability checks. Inside each one of them, you’ll find a structure similar to this.

[Image: Nexpose HttpScanner plugin]

The file “checks.jar” contains multiple (.vck) files related to the plugin. Simply extracting the jar file, with “7z” for example, will reveal this.

[Image: Content of “checks.jar”]

Looking at these “checks.jar” files should be a great resource for learning and writing more advanced checks.
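As an added example (not from the original post, nor Rapid7’s or @BrianWGray’s code), here is a small Python script that walks a plugins directory laid out as described above, lists the .vck members packed in each plugin’s checks.jar (a jar is just a zip archive), and searches their contents for a keyword so you can locate existing checks to learn from. The directory tree and .vck bodies it builds for the demo are constructed stand-ins, not real Nexpose checks; point index_plugins() and grep_checks() at your real “plugins\java\1” folder instead.

```python
import tempfile
import zipfile
from pathlib import Path

def list_vck_files(checks_jar: Path) -> list[str]:
    """Return the sorted .vck member names inside one checks.jar (a jar is a zip archive)."""
    with zipfile.ZipFile(checks_jar) as jar:
        return sorted(n for n in jar.namelist() if n.lower().endswith(".vck"))

def index_plugins(plugins_root: Path) -> dict[str, list[str]]:
    """Map each plugin folder under plugins/java/1 (e.g. HttpScanner) to its .vck files."""
    return {jar.parent.name: list_vck_files(jar)
            for jar in sorted(plugins_root.rglob("checks.jar"))}

def grep_checks(plugins_root: Path, needle: str) -> list[tuple[str, str]]:
    """Return (plugin, vck name) pairs whose check text contains `needle` (case-insensitive)."""
    hits = []
    for jar in sorted(plugins_root.rglob("checks.jar")):
        with zipfile.ZipFile(jar) as zf:
            for name in sorted(zf.namelist()):
                if not name.lower().endswith(".vck"):
                    continue
                text = zf.read(name).decode("utf-8", errors="replace")
                if needle.lower() in text.lower():
                    hits.append((jar.parent.name, name))
    return hits

def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for nexpose/plugins/java/1; the .vck bodies are placeholders, not real checks."""
    plugins = root / "nexpose" / "plugins" / "java" / "1"
    samples = {
        "HttpScanner": {"http-sample-a.vck": "placeholder: http banner check",
                        "http-sample-b.vck": "placeholder: default password check"},
        "SshScanner": {"ssh-sample.vck": "placeholder: ssh default password check"},
    }
    for plugin, files in samples.items():
        (plugins / plugin).mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(plugins / plugin / "checks.jar", "w") as jar:
            for name, body in files.items():
                jar.writestr(name, body)
    return plugins

def demo(needle: str = "default password"):
    """Build the sample tree in a temp dir, then index it and search it for `needle`."""
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    return index_plugins(root), grep_checks(root, needle)

if __name__ == "__main__":
    index, hits = demo()
    print(index, hits, sep="\n")
```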

A big thanks to @BrianWGray and his work on this subject. Here is a link to his GitHub page.

Thanks for reading.

Questions? Comments? Contact me via twitter @nas_bench
