dap 0.0.8 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f74b17e0330d6261df8774f00b69b6e80375a2b1
-  data.tar.gz: d6a82f589b94862ebfbf50f06632e8f694cf51ac
+  metadata.gz: 487ec0ed128ac49a84730159ed2561cc0abe5a0b
+  data.tar.gz: 4709517322ef8b40ea7527ff852b7f664a256d19
 SHA512:
-  metadata.gz: 70aa78c8471a4fc77d72bc00024cbbe8450233aae4e2cfdbf873c008b9d1ea564fb92479ca0868e9272b6d1241e91132403db27f4800c127fd4954e95ef73bc4
-  data.tar.gz: b716811bb124e3b2a3c37947972d4db4bf1317bdd64c261d4576b87df8b65d144a11ef37e46d222ec6776c443415c57a5dbbbe0e555cae409437d2944910bb83
+  metadata.gz: 102e072962fc919016d7261e26c1b05c85c3017006810216761202dc0109b4d40ac72db361325058fa1e76798d27c2f38bd474aff386760621aebac5e306693e
+  data.tar.gz: d7667a595feeb261c0109f94d304097f1bcad3b47e70d7dd655cdbf3efa829d806c209f5b4807f92a5f69bd762b41115c07b021321dc26830506d498e0998518

data/.rspec

@@ -1,2 +1,3 @@
 --colour
 --format d
+--require spec_helper

data/lib/dap/filter.rb

@@ -9,3 +9,4 @@ require 'dap/filter/recog'
 require 'dap/filter/vulnmatch'
 require 'dap/filter/ssh_keyscan'
 require 'dap/filter/smbclient'
+require 'dap/filter/ldap'

data/lib/dap/filter/ldap.rb

@@ -0,0 +1,55 @@
+module Dap
+module Filter
+
+require 'openssl'
+
+require 'dap/proto/ldap'
+
+#
+# Decode an LDAP SearchRequest probe response
+#
+class FilterDecodeLdapSearchResult
+  include BaseDecoder
+
+  #
+  # Decode an LDAP SearchRequest probe response
+  #
+  # @param data [String] Binary string containing raw response from server
+  # @return [Hash] Hash containing all LDAP responses
+  #
+  def decode(data)
+    info = {}
+
+    # RFC 4511 - 4.5.2 SearchResult contains zero or more SearchResultEntry or
+    # SearchResultReference messages followed by a single SearchResultDone
+    # message.  OpenSSL::ASN1.decode doesn't handle the back to back Sequences
+    # well, so identify the lengths and split them into individual ASN1 elements
+    messages = Dap::Proto::LDAP.split_messages(data)
+
+    if messages.empty?
+      err_msg = 'FilterDecodeLdapSearchResult - Unable to parse response'
+      info['Error'] = { 'errorMessage' => err_msg }
+    end
+
+
+    messages.each do |element|
+      begin
+        elem_decoded = OpenSSL::ASN1.decode(element)
+      rescue Exception => e
+        err_msg = 'FilterDecodeLdapSearchResult - Unable to decode ANS1 element'
+        $stderr.puts "#{err_msg}: #{e}"
+        $stderr.puts e.backtrace
+        info['Error'] = { 'errorMessage' => err_msg }
+        next
+      end
+      parsed_type, parsed_data = Dap::Proto::LDAP.parse_message(elem_decoded)
+      info[parsed_type] = parsed_data if parsed_type && parsed_data
+    end
+
+    info
+  end
+
+end
+
+end
+end

data/lib/dap/proto/ldap.rb

@@ -0,0 +1,127 @@
+module Dap
+module Proto
+class LDAP
+
+
+  #
+  # Parse ASN1 element and extract the length.
+  # See The BER length section here:
+  #    https://blogs.oracle.com/directorymanager/entry/a_quick_introduction_to_asn
+  #
+  # @param data [String] Binary string containing ASN1 element(s)
+  # @return [Fixnum, nil] Total length of of the ASN1 element, nil on error
+  #
+  def self.decode_elem_length(data)
+    return unless data.length > 2
+
+    # Length of element starts counting after the length
+    elem_start = 2
+
+    # Unpack the second byte as an integer
+    length = data.byteslice(1).unpack('C')[0]
+
+    if length > 127
+      # Length will take more than one byte to store
+      len_bytes = length - 128
+      return unless data.length > len_bytes + 2
+
+      if len_bytes == 2
+        length = data.byteslice(2, len_bytes).unpack('S>')[0]
+      else
+        length = data.byteslice(2, len_bytes).unpack('L>')[0]
+      end
+      elem_start += len_bytes
+    end
+
+    elem_start + length
+  end
+
+  #
+  # Split binary string into ASN1 elements.
+  #
+  # @param data [String] Binary string containing raw response from LDAP server
+  # @return [Array] Array of binary strings containing ASN1 elements
+  #
+  def self.split_messages(data)
+    messages = []
+    return messages unless data.length > 2
+    pos = 0
+    while pos < data.length
+      break unless data.byteslice(pos) == '0'
+      elem_len = Dap::Proto::LDAP.decode_elem_length(data.byteslice(pos..data.length - 1))
+      break unless elem_len
+
+      # Sanity check and then carve out the current element
+      if data.length >= elem_len + pos
+        current_elem = data.byteslice(pos, elem_len)
+        messages.push(current_elem)
+      end
+      pos += elem_len
+    end
+    messages
+  end
+
+  #
+  # Parse an LDAP SearchResult entry.
+  #
+  # @param data [OpenSSL::ASN1::Sequence] LDAP message to parse
+  # @return [Array] Array containing
+  #   result_type - Message type (SearchResultEntry, SearchResultDone, etc.)
+  #   results     - Hash containing nested decoded LDAP response
+  #
+  def self.parse_message(data)
+    # RFC 4511 - Section 4.5.2
+
+    result_type = ''
+    results = {}
+
+    unless data.class == OpenSSL::ASN1::Sequence
+      result_type = 'Error'
+      results['errorMessage'] = 'parse_message: Message is not of type OpenSSL::ASN1::Sequence'
+      return [result_type, results]
+    end
+
+    if data.value[1].tag == 4
+      # SearchResultEntry found..
+      result_type = 'SearchResultEntry'
+      if data.value[1].value[0].tag == 4
+        results['objectName'] = data.value[1].value[0].value
+      end
+
+      attrib_hash = {}
+
+      # Handle PartialAttributeValues
+      data.value[1].value[1].each do |partial_attrib|
+
+        value_array = []
+        attrib_type = partial_attrib.value[0].value
+
+        partial_attrib.value[1].each do |part_attrib_value|
+          value_array.push(part_attrib_value.value)
+        end
+
+        attrib_hash[attrib_type] = value_array
+      end
+
+      results['PartialAttributes'] = attrib_hash
+
+    elsif data.value[1].tag == 5
+      # SearchResultDone found..
+      result_type = 'SearchResultDone'
+      results['resultCode'] = data.value[1].value[0].value.to_i if data.value[1].value[0].value
+      results['resultMatchedDN'] = data.value[1].value[1].value if data.value[1].value[1].value
+      results['resultdiagMessage'] = data.value[1].value[2].value if data.value[1].value[2].value
+    else
+      # Unhandled tag
+      result_type = 'UnhandledTag'
+      results['tagNumber'] = data.value[1].tag.to_i if data.value[1].tag
+    end
+
+    [result_type, results]
+  end
+
+
+end
+
+end
+end

data/lib/dap/version.rb

@@ -1,3 +1,3 @@
 module Dap
-  VERSION = "0.0.8"
+  VERSION = "0.0.9"
 end

data/spec/dap/filter/ldap_filter_spec.rb

@@ -0,0 +1,45 @@
+describe Dap::Filter::FilterDecodeLdapSearchResult do
+  describe '.decode' do
+
+    original = ['3030020107642b040030273025040b6f626a656374436c61'\
+                '737331160403746f70040f4f70656e4c444150726f6f7444'\
+                '5345300c02010765070a010004000400']
+
+    data = original.pack('H*')
+
+    let(:filter) { described_class.new(['data']) }
+
+    context 'testing full ldap response message' do
+      let(:decode) { filter.decode(data) }
+      it 'returns Hash as expected' do
+        expect(decode.class).to eq(::Hash)
+      end
+
+      it 'returns expected value' do
+        test_val = { 'SearchResultDone' => {
+                       'resultCode' => 0,
+                       'resultMatchedDN' => '',
+                       'resultdiagMessage' => ''
+                   },
+                     'SearchResultEntry' => {
+                       'objectName' => '',
+                       'PartialAttributes' => {
+                         'objectClass' => ['top', 'OpenLDAProotDSE']
+                       }
+        } }
+
+        expect(decode).to eq(test_val)
+      end
+    end
+
+    context 'testing invalid ldap response message' do
+      let(:decode) { filter.decode('303030303030') }
+      it 'returns error message as expected' do
+        test_val = { 'Error' => {
+                       'errorMessage' =>
+                       'FilterDecodeLdapSearchResult - Unable to parse response' } }
+        expect(decode).to eq(test_val)
+      end
+    end
+  end
+end

data/spec/dap/proto/ipmi_spec.rb

@@ -1,19 +1,20 @@
-require 'bit-struct'
-require_relative '../../../lib/dap/proto/ipmi'
+describe Dap::Proto::IPMI::Channel_Auth_Reply do
+  describe '.valid?' do
 
-module Dap
-module Proto
-module IPMI
+    context 'testing with valid rmcp version and message length' do
+      it 'returns true as expected' do
+        expect(described_class.new(rmcp_version: 6).valid?).to be false
+        expect(described_class.new(message_length: 16).valid?).to be false
+        expect(described_class.new(rmcp_version: 6, message_length: 16).valid?).to be true
+      end
+    end
 
-describe Channel_Auth_Reply do
-  it "valid with the proper rmcp version and message length" do
-    expect(subject.valid?).to be false
-    expect(Channel_Auth_Reply.new(rmcp_version: 6).valid?).to be false
-    expect(Channel_Auth_Reply.new(message_length: 16).valid?).to be false
-    expect(Channel_Auth_Reply.new(rmcp_version: 6, message_length: 16).valid?).to be true
-  end
-end
+    context 'testing with invalid data' do
+      let(:reply) { described_class.new }
 
-end
-end
+      it 'returns false as expected' do
+        expect(reply.valid?).to be false
+      end
+    end
+  end
 end

data/spec/dap/proto/ldap_proto_spec.rb

@@ -0,0 +1,142 @@
+describe Dap::Proto::LDAP do
+  subject { described_class }
+
+  describe '.decode_elem_length' do
+    context 'testing lengths shorter than 128 bits' do
+      data = ['301402'].pack('H*')
+      let(:decode_len) { subject.decode_elem_length(data) }
+      it 'returns a Fixnum' do
+        expect(decode_len.class).to eq(::Fixnum)
+      end
+      it 'returns value correctly' do
+        expect(decode_len).to eq(22)
+      end
+    end
+
+    context 'testing lengths greater than 128 bits' do
+      data = ['308400000bc102010'].pack('H*')
+      let(:decode_len) { subject.decode_elem_length(data) }
+      it 'returns a Fixnum' do
+        expect(decode_len.class).to eq(::Fixnum)
+      end
+      it 'returns value correctly' do
+        expect(decode_len).to eq(3015)
+      end
+    end
+
+    context 'testing invalid length' do
+      data = ['308400000bc1'].pack('H*')
+      let(:decode_len) { subject.decode_elem_length(data) }
+      it 'returns nil as expected' do
+        expect(decode_len).to eq(nil)
+      end
+
+    end
+  end
+
+  describe '.split_messages' do
+
+    original = ['3030020107642b040030273025040b6f626a656374436c61'\
+                '737331160403746f70040f4f70656e4c444150726f6f7444'\
+                '5345300c02010765070a010004000400']
+
+    data = original.pack('H*')
+
+    entry = ['3030020107642b040030273025040b6f626a656374436c6173'\
+             '7331160403746f70040f4f70656e4c444150726f6f74445345']
+
+    done = ['300c02010765070a010004000400']
+
+    context 'testing full message' do
+      let(:split_messages) { subject.split_messages(data) }
+      it 'returns Array as expected' do
+        expect(split_messages.class).to eq(::Array)
+      end
+
+      it 'returns SearchResultEntry value as expected' do
+        expect(split_messages[0].unpack('H*')).to eq(entry)
+      end
+
+      it 'returns SearchResultDone value as expected' do
+        expect(split_messages[1].unpack('H*')).to eq(done)
+      end
+    end
+
+    context 'testing invalid message' do
+      let(:split_messages) { subject.split_messages('FF') }
+      it 'returns Array as expected' do
+        expect(split_messages.class).to eq(::Array)
+      end
+    end
+
+    context 'testing short message' do
+      let(:split_messages) { subject.split_messages('00') }
+      it 'returns Array as expected' do
+        expect(split_messages.class).to eq(::Array)
+      end
+    end
+  end
+
+  describe '.parse_messages' do
+
+    context 'testing SearchResultEntry' do
+      hex = ['3030020107642b040030273025040b6f626a656374436c6173'\
+             '7331160403746f70040f4f70656e4c444150726f6f74445345']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_message) { subject.parse_message(data) }
+      it 'returns Array as expected' do
+        expect(parse_message.class).to eq(::Array)
+      end
+
+      it 'returns SearchResultEntry value as expected' do
+        test_val = ['SearchResultEntry', {
+                      'objectName' => '',
+                      'PartialAttributes' => {
+                          'objectClass' => [
+                            'top',
+                            'OpenLDAProotDSE'
+                            ]
+                      }
+        }]
+        expect(parse_message).to eq(test_val)
+      end
+    end
+
+    context 'testing SearchResultDone' do
+      hex = ['300c02010765070a010004000400']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_message) { subject.parse_message(data) }
+      it 'returns Array as expected' do
+        expect(parse_message.class).to eq(::Array)
+      end
+
+      it 'returns SearchResultDone value as expected' do
+        test_val = ['SearchResultDone', {
+                      'resultCode' => 0,
+                      'resultMatchedDN' => '',
+                      'resultdiagMessage' => ''
+        }]
+        expect(parse_message).to eq(test_val)
+      end
+    end
+
+    context 'testing UnhandledTag' do
+      hex = ['300c02010767070a010004000400']
+      data = OpenSSL::ASN1.decode(hex.pack('H*'))
+
+      let(:parse_message) { subject.parse_message(data) }
+      it 'returns Array as expected' do
+        expect(parse_message.class).to eq(::Array)
+      end
+
+      it 'returns UnhandledTag value as expected' do
+        test_val = ['UnhandledTag', { 'tagNumber' => 7 }]
+        expect(parse_message).to eq(test_val)
+      end
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,91 @@
+require 'dap'
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    # be_bigger_than(2).and_smaller_than(4).description
+    #   # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #   # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is recommended.
+  # For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dap
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9
 platform: ruby
 authors:
 - Rapid7 Research
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-28 00:00:00.000000000 Z
+date: 2016-07-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -181,6 +181,7 @@ files:
 - lib/dap/filter/base.rb
 - lib/dap/filter/geoip.rb
 - lib/dap/filter/http.rb
+- lib/dap/filter/ldap.rb
 - lib/dap/filter/names.rb
 - lib/dap/filter/openssl.rb
 - lib/dap/filter/recog.rb
@@ -196,6 +197,7 @@ files:
 - lib/dap/proto/addp.rb
 - lib/dap/proto/dtls.rb
 - lib/dap/proto/ipmi.rb
+- lib/dap/proto/ldap.rb
 - lib/dap/proto/mssql.rb
 - lib/dap/proto/natpmp.rb
 - lib/dap/proto/wdbrpc.rb
@@ -217,7 +219,10 @@ files:
 - samples/ssl_certs_org.sh
 - samples/udp-netbios.csv.bz2
 - samples/udp-netbios.sh
+- spec/dap/filter/ldap_filter_spec.rb
 - spec/dap/proto/ipmi_spec.rb
+- spec/dap/proto/ldap_proto_spec.rb
+- spec/spec_helper.rb
 - tools/geo-ip-summary.rb
 - tools/ipmi-vulns.rb
 - tools/json-summarize.rb
@@ -243,9 +248,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: 'DAP: The Data Analysis Pipeline'
-test_files: []
-has_rdoc: 
+test_files:
+- spec/dap/filter/ldap_filter_spec.rb
+- spec/dap/proto/ipmi_spec.rb
+- spec/dap/proto/ldap_proto_spec.rb
+- spec/spec_helper.rb