2016-03-02 15:09:00
The past few weeks I've spent at $CLIENT, working on their Nexpose virtual appliances. Nexpose is Rapid7's automated vulnerability scanning tool, which may also be used in unison with Rapid7's more famous product: Metasploit. It's a pretty nice tool, but it certainly needs some work to get it all up and running in a large, corporate environment.
One of the more practical aspects of our setup is the creation of user accounts in Nexpose's web interface. Usually, you'd have to click a few times and fill in a bunch of text fields for each user. This gets boring for larger groups of users, especially if you have more than one Security Console host. To make our lives just a little easier, we have at least set up the hosts to authenticate against AD.
I've fiddled around with Nexpose's API this afternoon, and after a lot of learning and trying ("Van proberen ga je het leren!", meaning "you learn by trying", as I always tell my daughter) I've gotten things to work very nicely! I now have a basic Linux shell script (bash, but it should also work in ksh) that creates user accounts in the Nexpose GUI for you!
Below is a small PoC, which should be easy to adjust to suit your own needs. Enjoy!
=====================================
#!/bin/bash

# In order to make API calls to Nexpose, we need to set up a session.
# A successful login returns the following:
# <LoginResponse success="1" session-id="F7377393AEC8877942E321FBDD9782C872BA8AE3"/>
NexposeLogin() {
    NXUSER=""
    NXPASS=""
    NXSERVER="127.0.0.1"
    NXPORT="3780"
    API="1.1"
    URI="https://${NXSERVER}:${NXPORT}/api/${API}/xml"
    NXSESSION=""

    echo -e "\n===================================="
    echo -e " LOGGING IN TO NEXPOSE, FOR API CALLS."
    echo -e "\n===================================="
    echo -e "Admin username: \c"; read NXUSER
    # read -s keeps the password off the terminal and out of the scrollback.
    echo -e "Admin password: \c"; read -s NXPASS; echo

    LOGIN="<LoginRequest synch-id='0' password='${NXPASS}' user-id='${NXUSER}'></LoginRequest>"
    # -k skips certificate validation (the console ships with a self-signed cert);
    # use --cacert with the console's CA instead once you have one.
    # The first line of the response holds the session-id as the 4th quoted field.
    export NXSESSION=$(echo "${LOGIN}" | curl -s -k -H "Content-Type:text/xml" -d @- ${URI} | head -1 | awk -F\" '{print $4}')
}

# Now that we have a session, we can make new users.
# You will need to know the ID number for the desired authenticator.
# You can get this with: <UserAuthenticatorListingRequest session-id='...'/>
# A user request takes the following shape, based on the API v1.1 docu.
# <UserSaveRequest session-id='...'>
#   <UserConfig id="-1" role-name="user" authsrcid="9" authModule="LDAP" name="apitest2"
#     fullname="Test van de API" administrator="0" enabled="1">
#   </UserConfig>
# </UserSaveRequest>
# On success, this returns:
# <UserSaveResponse success="1" id="41">
# </UserSaveResponse>
NexposeCreateUser() {
    NEWUSER="${1}"
    SUCCESS="0"
    NXAUTHENTICATOR="9"    # You must figure this out from Nexpose, see above
    NXROLE="user"
    # mktemp gives a private, unpredictable file instead of a fixed name in /tmp.
    SCRATCHFILE="$(mktemp /tmp/$(basename ${0}).XXXXXX)" || return 1

    echo "<UserSaveRequest session-id='${NXSESSION}'>" > ${SCRATCHFILE}
    echo "<UserConfig id='-1' role-name='${NXROLE}' authsrcid='${NXAUTHENTICATOR}' authModule='LDAP' name='${NEWUSER}' fullname='${NEWUSER}' administrator='0' enabled='1'>" >> ${SCRATCHFILE}
    echo "</UserConfig>" >> ${SCRATCHFILE}
    echo "</UserSaveRequest>" >> ${SCRATCHFILE}

    # The success flag is the 2nd quoted field of the first response line.
    SUCCESS=$(cat ${SCRATCHFILE} | curl -s -k -H "Content-Type:text/xml" -d @- ${URI} | head -1 | awk -F\" '{print $2}')
    # Anything other than success="1" (including an empty reply) counts as a failure.
    [[ "${SUCCESS}" != "1" ]] && logger ERROR "Failed to create Nexpose user ${NEWUSER}."
    rm ${SCRATCHFILE}
}

NexposeLogin
NexposeCreateUser apitest1
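As an added example (not the blog's script), here are the same two API 1.1 exchanges in Python: the requests are built with ElementTree so that a user name containing quotes, '<' or '&' cannot break out of the attribute, and each response is checked on its success attribute instead of being split on quote characters. The URI, the CA bundle path and the authenticator id are assumptions; the message functions are pure and can be tried offline on the constructed responses in the comments.

```python
"""Build and parse Nexpose API 1.1 XML messages without string splicing.
Added example, not the blog's or Rapid7's code. Transport is a thin helper;
message construction and parsing are pure functions."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_login_request(user, password):
    # ElementTree escapes '"', '<' and '&' in attribute values for us.
    el = ET.Element("LoginRequest", {"synch-id": "0", "user-id": user, "password": password})
    return ET.tostring(el)


def parse_login_response(body):
    # e.g. b'<LoginResponse success="1" session-id="F737...8AE3"/>' (constructed)
    root = ET.fromstring(body)
    if root.tag != "LoginResponse" or root.get("success") != "1":
        raise RuntimeError("login failed: %r" % body)
    return root.get("session-id")


def build_user_save_request(session_id, name, authsrcid, role="user", fullname=None):
    # Mirrors the UserSaveRequest/UserConfig shape from the API v1.1 docs.
    req = ET.Element("UserSaveRequest", {"session-id": session_id})
    ET.SubElement(req, "UserConfig", {
        "id": "-1", "role-name": role, "authsrcid": str(authsrcid),
        "authModule": "LDAP", "name": name, "fullname": fullname or name,
        "administrator": "0", "enabled": "1"})
    return ET.tostring(req)


def parse_user_save_response(body):
    # e.g. b'<UserSaveResponse success="1" id="41"></UserSaveResponse>' (constructed)
    root = ET.fromstring(body)
    if root.tag != "UserSaveResponse" or root.get("success") != "1":
        raise RuntimeError("user save failed: %r" % body)
    return int(root.get("id"))


def post_xml(uri, body, cafile=None):
    """POST one request and return the raw reply. cafile is the console's CA
    bundle (assumed to exist); with None the system trust store is used, so a
    self-signed console certificate is rejected rather than silently accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(uri, data=body, headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()
```

A full run is `sid = parse_login_response(post_xml(URI, build_login_request(u, p), cafile))` followed by `parse_user_save_response(post_xml(URI, build_user_save_request(sid, "apitest1", 9), cafile))`, with URI pointing at the console's /api/1.1/xml endpoint.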
kilala.nl tags: work, sysadmin
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.