Metasploit Exploit CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.22.0 |
| Support Tier | ThreatQ Supported |
Introduction
Metasploit is a very popular exploitation framework for building and executing exploits against known vulnerabilities. This feed consumes data from the public Metasploit code repository on Github about exploits published and available in the framework. The feed identifies the CVEs (where referenced) and can therefore be used for vulnerability prioritization. It is updated frequently and the recommended poll period for the source is daily.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter Description Verify Host SSL If checked, validates the server's certificate and checks whether the server's hostname matches. This parameter is enabled by default. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Metasploit Exploits
Sample Response:
{
"auxiliary_admin/2wire/xslt_password_reset": {
"name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
"fullname": "auxiliary/admin/2wire/xslt_password_reset",
"aliases": [],
"rank": 300,
"disclosure_date": "2007-08-15",
"type": "auxiliary",
"author": ["hkm <hkm@hakim.ws>", "Travis Phillips"],
"description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.",
"references": [
"CVE-2007-4387",
"OSVDB-37667",
"BID-36075",
"URL-https://seclists.org/bugtraq/2007/Aug/225"
],
"platform": "",
"arch": "",
"rport": 80,
"autofilter_ports": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443],
"autofilter_services": ["http", "https"],
"targets": null,
"mod_time": "2018-09-15 18:54:45 +0000",
"path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
"is_install_path": true,
"ref_name": "admin/2wire/xslt_password_reset",
"check": false,
"post_auth": false,
"default_credential": false,
"notes": {}
}
}ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| .name | malware.value | N/A | .mod_time | 2Wire Cross-Site Request Forgery Password Reset Vulnerability | |
| .description | malware.description | N/A | .mod_time | This module will reset the admin password on a 2Wire... | Mapped after some processing |
| N/A | malware.attribute | Type | .mod_time | Exploit | Hard coded |
| .references | malware.attribute | Reference URL | .mod_time | https://seclists.org/bugtraq/2007/Aug/225 | Only if value starts with URL- |
| .references | malware.attribute | Reference | .mod_time | BID-36075 | Excludes URL, CVE, and CWE refs |
| .references | malware.attribute | Disclosure Date | .mod_time | 2007-08-15 | |
| .author | malware.attribute | Author | .mod_time | Travis Phillips | |
| .references | vulnerability.value | N/A | .mod_time | CVE-2007-4387 | Only if value starts with CVE- |
| .references | vulnerability.value | N/A | .mod_time | CWE-12345 | Only if value starts with CWE- |
| N/A | vulnerability.attribute | Exploit Exists | .mod_time | True | Hard coded |
| N/A | vulnerability.attribute | Exploit in Metasploit | .mod_time | True | Hard coded |
| .references | indicator.value | CVE | .mod_time | CVE-2007-4387 | Only if value starts with CVE- |
| N/A | indicator.attribute | Exploit Exists | .mod_time | True | Hard coded |
| N/A | indicator.attribute | Exploit in Metasploit | .mod_time | True | Hard coded |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Metasploit Exploits CDF Guide v1.0.0 | 4.22.0 or Greater |