dradis-nexpose 3.6.0

data/lib/dradis-nexpose.rb

@@ -0,0 +1,12 @@
+# Hook into the framework
+require 'dradis-plugins'
+
+# Load this engine
+require 'dradis/plugins/nexpose'
+
+# Non-dradis related files
+require 'nexpose/endpoint'
+require 'nexpose/node'
+require 'nexpose/scan'
+require 'nexpose/service'
+require 'nexpose/vulnerability'

data/lib/dradis/plugins/nexpose.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module Nexpose
+    end
+  end
+end
+
+require 'dradis/plugins/nexpose/engine'
+require 'dradis/plugins/nexpose/field_processor'
+require 'dradis/plugins/nexpose/importer'
+require 'dradis/plugins/nexpose/version'

data/lib/dradis/plugins/nexpose/engine.rb

@@ -0,0 +1,9 @@
+module Dradis::Plugins::Nexpose
+  class Engine < ::Rails::Engine
+    isolate_namespace Dradis::Plugins::Nexpose
+
+    include ::Dradis::Plugins::Base
+    description 'Processes Nexpose XML format'
+    provides :upload
+  end
+end

data/lib/dradis/plugins/nexpose/field_processor.rb

@@ -0,0 +1,89 @@
+module Dradis::Plugins::Nexpose
+
+  # This processor defers to ::Acunetix::Scan for the scan template and to
+  # ::Acunetix::ReportItem for the report_item and evidence templates.
+  class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+    def post_initialize(args={})
+      if data.kind_of?(Hash) ||
+          data.kind_of?(Nexpose::Scan) ||
+          data.kind_of?(Nexpose::Node) ||
+          data.kind_of?(Nexpose::Service) ||
+          data.kind_of?(Nexpose::Vulnerability)
+        @nexpose_object = data
+      else
+        # XML from Plugin Manager
+        if (data.name == 'scan')
+          @nexpose_object = Nexpose::Scan.new(data)
+        elsif (data.name == 'node')
+          # Full - node
+          @nexpose_object = Nexpose::Node.new(data)
+        elsif (data.name == 'service')
+          # Full - service
+          @nexpose_object = Nexpose::Service.new(data)
+        else
+          if data['added']
+            # Full - vulnerability
+            @nexpose_object = Nexpose::Vulnerability.new(data)
+          else
+            # Simple - port
+            @nexpose_object = {
+              id: data['id'],
+              finding: data.xpath('//id').collect{ |id_node| "#{id_node['type']} : #{id_node.text}" }.join("\n")
+            }
+          end
+        end
+      end
+    end
+
+    def value(args={})
+      field = args[:field]
+
+      # fields in the template are of the form <foo>.<field>, where <foo>
+      # is common across all fields for a given template (and meaningless).
+      _, name = field.split('.')
+
+      # Simple - port
+      if @nexpose_object.kind_of?(Hash)
+        @nexpose_object[name.to_sym]
+      else
+        # Full - scan / node / service vulnerability
+        result = @nexpose_object.try(name, nil)
+        if result.kind_of?(Array)
+          result << 'n/a' if result.empty?
+          if result.first.is_a?(String)
+            result.join("\n")
+          else
+            # we have an array of hashes
+            format_array_as_table(result)
+          end
+        else
+          result || 'n/a'
+        end
+      end
+    end
+
+    private
+    # Return an array as a table:
+    #
+    #   [
+    #     {:a => 1, :b => 2},
+    #     {:a => 3, :b => 4}
+    #   ]
+    #
+    # becomes
+    #
+    #  |_. a |_. b |
+    #  | 1 | 2 |
+    #  | 3 | 4 |
+    #
+    def format_array_as_table(array)
+      rows = []
+      rows << "|_. #{array.first.keys.join(' |_. ')} |"
+      array.each do |hash|
+        rows << "| #{hash.collect{|_,v| v}.join(" | ")} |"
+      end
+      rows.join("\n")
+    end
+  end
+end

data/lib/dradis/plugins/nexpose/formats/full.rb

@@ -0,0 +1,152 @@
+module Dradis::Plugins::Nexpose::Formats
+
+  # This module knows how to parse Nexpose Ful XML format.
+  module Full
+    private
+
+    def process_full(doc)
+      note_text = nil
+
+      @vuln_list = []
+      evidence = Hash.new { |h, k| h[k] = {} }
+      hosts = Array.new
+
+      # First, extract scans
+      scan_node = content_service.create_node(label: 'Nexpose Scan Summary')
+      logger.info{ "\tProcessing scan summary" }
+
+      doc.xpath('//scans/scan').each do |xml_scan|
+        note_text = template_service.process_template(template: 'full_scan', data: xml_scan)
+        content_service.create_note(node: scan_node, text: note_text)
+      end
+
+
+      # Second, we parse the nodes
+      doc.xpath('//nodes/node').each do |xml_node|
+        nexpose_node = Nexpose::Node.new(xml_node)
+
+        host_node = content_service.create_node(label: nexpose_node.address, type: :host)
+        logger.info{ "\tProcessing host: #{nexpose_node.address}" }
+
+        # add the summary note for this host
+        note_text = template_service.process_template(template: 'full_node', data: nexpose_node)
+        content_service.create_note(node: host_node, text: note_text)
+
+        if host_node.respond_to?(:properties)
+          logger.info{ "\tAdding host properties: :ip and :hostnames"}
+          host_node.set_property(:ip, nexpose_node.address)
+          host_node.set_property(:hostnames, nexpose_node.names)
+        end
+
+        # inject this node's address into any vulnerabilities identified
+        #
+        # TODO: There is room for improvement here, we could have a hash that
+        # linked vulns with test/service and host to create proper content for
+        # Evidence.
+        nexpose_node.tests.each do |node_test|
+          test_id = node_test[:id].to_s.downcase
+
+          # We can't use the straightforward version below because Nexpose uses
+          # mixed-case some times (!)
+          #   xml_vuln = doc.xpath("//VulnerabilityDefinitions/vulnerability[@id='#{node_test[:id]}']").first
+          # See:
+          #   http://stackoverflow.com/questions/1625446/problem-with-upper-case-and-lower-case-xpath-functions-in-selenium-ide/1625859#1625859
+          xml_vuln = doc.xpath("//VulnerabilityDefinitions/vulnerability[translate(@id,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='#{test_id}']").first
+          xml_vuln.add_child("<hosts/>") unless xml_vuln.last_element_child.name == "hosts"
+
+          if xml_vuln.xpath("./hosts/host[text()='#{nexpose_node.address}']").empty?
+            xml_vuln.last_element_child.add_child( "<host>#{nexpose_node.address}</host>")
+          end
+        end
+
+        nexpose_node.endpoints.each do |endpoint|
+          # endpoint_node = content_service.create_node(label: endpoint.label, parent: host_node)
+          logger.info{ "\t\tEndpoint: #{endpoint.label}" }
+
+          if host_node.respond_to?(:properties)
+            logger.info{ "\t\tAdding to Services table" }
+            host_node.set_property(:services, {
+              port: endpoint.port.to_i,
+              protocol: endpoint.protocol,
+              state: endpoint.status,
+              name: endpoint.services.map(&:name).join(', ')
+              # reason: port.reason,
+              # product: port.try('service').try('product'),
+              # version: port.try('service').try('version')
+            })
+          end
+
+          endpoint.services.each do |service|
+
+            # add the summary note for this service
+            note_text = template_service.process_template(template: 'full_service', data: service)
+            # content_service.create_note(node: endpoint_node, text: note_text)
+            content_service.create_note(node: host_node, text: note_text)
+
+            # inject this node's address into any vulnerabilities identified
+            service.tests.each do |service_test|
+              test_id = service_test[:id].to_s.downcase
+
+              # For some reason Nexpose fails to include the 'http-iis-0011' vulnerability definition
+              next if test_id == 'http-iis-0011'
+
+              # We can't use the straightforward version below because Nexpose uses
+              # mixed-case some times (!)
+              #   xml_vuln = doc.xpath("//VulnerabilityDefinitions/vulnerability[@id='#{service_test[:id]}']").first
+              # See:
+              #   http://stackoverflow.com/questions/1625446/problem-with-upper-case-and-lower-case-xpath-functions-in-selenium-ide/1625859#1625859
+              #
+              xml_vuln = doc.xpath("//VulnerabilityDefinitions/vulnerability[translate(@id,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='#{test_id}']").first
+              xml_vuln.add_child("<hosts/>") unless xml_vuln.last_element_child.name == "hosts"
+
+              if xml_vuln.xpath("./hosts/host[text()='#{nexpose_node.address}']").empty?
+                xml_vuln.last_element_child.add_child( "<host>#{nexpose_node.address}</host>")
+              end
+
+              evidence[test_id][nexpose_node.address] = service_test[:content]
+            end
+          end
+        end
+
+        # add note under this node for each vulnerable ./node/test/
+        host_node.save
+      end
+
+      # Third, parse vulnerability definitions
+      definitions_node = content_service.create_node(label: 'Definitions')
+      logger.info{ "\tProcessing issue definitions:" }
+
+      doc.xpath('//VulnerabilityDefinitions/vulnerability').each do |xml_vulnerability|
+        id = xml_vulnerability['id'].downcase
+        # if @vuln_list.include?(id)
+          issue_text = template_service.process_template(template: 'full_vulnerability', data: xml_vulnerability)
+
+          # retrieve hosts affected by this issue (injected in step 2)
+          #
+          # There is no need for the below as Issues are linked to hosts via the
+          # corresponding Evidence instance
+          #
+          # note_text << "\n\n#[host]#\n"
+          # note_text << xml_vulnerability.xpath('./hosts/host').collect(&:text).join("\n")
+          # note_text << "\n\n"
+
+          # 3.1 create the Issue
+          issue = content_service.create_issue(text: issue_text, id: id)
+          logger.info{ "\tIssue: #{issue.fields ? issue.fields['Title'] : id}" }
+
+
+          # 3.2 associate with the nodes via Evidence.
+          #   TODO: there is room for improvement here by providing proper Evidence content
+          xml_vulnerability.xpath('./hosts/host').collect(&:text).each do |host_name|
+            # if the node exists, this just returns it
+            host_node = content_service.create_node(label: host_name, type: :host)
+
+            evidence_content = evidence[id][host_name]
+            content_service.create_evidence(content: evidence_content, issue: issue, node: host_node)
+          end
+
+        # end
+      end
+    end # /parse_nexpose_full_xml
+  end
+end

data/lib/dradis/plugins/nexpose/formats/simple.rb

@@ -0,0 +1,76 @@
+module Dradis::Plugins::Nexpose::Formats
+
+  # This module knows how to parse Nexpose Simple XML format.
+  module Simple
+    private
+
+    def process_simple(doc)
+      hosts = process_nexpose_simple_xml(doc)
+      notes_simple(hosts)
+    end
+
+    def notes_simple(hosts)
+      return if hosts.nil?
+
+      hosts.each do |host|
+        host_node = content_service.create_node(label: host['address'], type: :host)
+        content_service.create_note node: host_node, text: "Host Description : #{host['description']} \nScanner Fingerprint certainty : #{host['fingerprint']}"
+
+        generic_findings_node = content_service.create_node(label: 'Generic Findings', parent: host_node)
+        host['generic_vulns'].each do |id, finding|
+          content_service.create_note node: generic_findings_node, text: "Finding ID : #{id} \n \n Finding Refs :\n-------\n #{finding}"
+        end
+
+        port_text = nil
+        host['ports'].each do |port_label, findings|
+          port_node = content_service.create_node(label: port_label, parent: host_node)
+
+          findings.each do |id, finding|
+            port_text = template_service.process_template(template: 'simple_port', data: {id: id, finding: finding})
+            port_text << "\n#[host]#\n#{host['address']}\n\n"
+            content_service.create_note node: port_node, text: port_text
+          end
+        end
+      end
+    end
+
+    def process_nexpose_simple_xml(doc)
+      results = doc.search('device')
+      hosts = Array.new
+      results.each do |host|
+        current_host = Hash.new
+        current_host['address'] = host['address']
+        current_host['fingerprint'] = host.search('fingerprint')[0].nil? ? "N/A" : host.search('fingerprint')[0]['certainty']
+        current_host['description'] = host.search('description')[0].nil? ? "N/A" : host.search('description')[0].text
+        #So there's two sets of vulns in a NeXpose simple XML report for each host
+        #Theres some generic ones at the top of the report
+        #And some service specific ones further down the report.
+        #So we need to get the generic ones before moving on
+        current_host['generic_vulns'] = Hash.new
+        host.xpath('vulnerabilities/vulnerability').each do |vuln|
+          current_host['generic_vulns'][vuln['id']] = ''
+          vuln.xpath('id').each do |id|
+            current_host['generic_vulns'][vuln['id']] << id['type'] + " : " + id.text + "\n"
+          end
+        end
+
+        current_host['ports'] = Hash.new
+        host.xpath('services/service').each do |service|
+          protocol = service['protocol']
+          portid = service['port']
+          port_label = protocol + '-' + portid
+          current_host['ports'][port_label] = Hash.new
+          service.xpath('vulnerabilities/vulnerability').each do |vuln|
+            current_host['ports'][port_label][vuln['id']] = ''
+            vuln.xpath('id').each do |id|
+              current_host['ports'][port_label][vuln['id']] << id['type'] + " : " + id.text + "\n"
+            end
+          end
+        end
+
+        hosts << current_host
+      end
+      return hosts
+    end
+  end
+end

data/lib/dradis/plugins/nexpose/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Nexpose
+      # Returns the version of the currently loaded Nexpose as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 6
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/nexpose/importer.rb

@@ -0,0 +1,34 @@
+require 'dradis/plugins/nexpose/formats/full'
+require 'dradis/plugins/nexpose/formats/simple'
+
+module Dradis::Plugins::Nexpose
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    include Formats::Full
+    include Formats::Simple
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+      file_content = File.read( params[:file] )
+
+      logger.info { 'Parsing NeXpose output file...' }
+      doc = Nokogiri::XML(file_content)
+      logger.info { 'Done.' }
+
+      if doc.root.name == 'NeXposeSimpleXML'
+        logger.info { 'NeXpose-Simple format detected' }
+        process_simple(doc)
+      elsif doc.root.name == 'NexposeReport'
+        logger.info { 'NeXpose-Full format detected' }
+        process_full(doc)
+      else
+        error = "The document doesn't seem to be in either NeXpose-Simple or NeXpose-Full XML format. Ensure you uploaded a Nexpose XML report."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+    end
+  end
+end

data/lib/dradis/plugins/nexpose/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Nexpose
+      # Returns the version of the currently loaded Nexpose as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/nexpose/endpoint.rb

@@ -0,0 +1,81 @@
+module Nexpose
+  # This class represents each of the /NexposeReport[@version='1.0']/nodes/node/endpoints/endpoint
+  # elements in the Nexpose Full XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Endpoint
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # meta
+        :label,
+
+        # attributes
+        :protocol, :port, :status,
+
+        # simple tags
+
+        # multiple tags
+        :services
+      ]
+    end
+
+    # Save some time with a meta attribute, e.g. 80/tcp (open)
+    def label
+      "#{self.port}/#{self.protocol} (#{self.status})"
+    end
+
+    # Each of the services associated with this endpoint. Returns an array of
+    # Nexpose::Service objects
+    def services
+      @xml.xpath('./services/service').collect { |xml_service| Service.new(xml_service) }
+    end
+
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      return nil
+    end
+  end
+end