dradis-nexpose 3.6.0

data/spec/fixtures/files/simple.xml

@@ -0,0 +1,53 @@
+<NeXposeSimpleXML version="1.0">
+  <generated>20111128T142609232</generated>
+  <devices>
+    <device address="1.1.1.1">
+      <fingerprint certainty="0.80">
+        <description>Linux 2.6.9-89.ELsmp</description>
+        <vendor>Linux</vendor>
+        <family>Linux</family>
+        <product>Linux</product>
+        <version>0.0.0</version>
+        <device-class></device-class>
+        <architecture>i686</architecture>
+      </fingerprint>
+      <vulnerabilities>
+      </vulnerabilities>
+      <services>
+        <service name="NTP" port="000" protocol="udp">
+        <fingerprint certainty="0.20">
+          <description>NTP 4.2</description>
+          <vendor></vendor>
+          <family>NTP</family>
+          <product>NTP</product>
+          <version>4.2</version>
+        </fingerprint>
+        <vulnerabilities>
+          <vulnerability id="ntpd-crypto" resultCode="VV">
+            <id type="cve">CVE-2009-1252</id>
+            <id type="bid">35017</id>
+            <id type="secunia">35137</id>
+            <id type="secunia">35138</id>
+            <id type="secunia">35166</id>
+            <id type="secunia">35169</id>
+            <id type="secunia">35243</id>
+            <id type="secunia">35253</id>
+            <id type="secunia">35308</id>
+            <id type="secunia">35336</id>
+            <id type="secunia">35388</id>
+            <id type="secunia">35416</id>
+            <id type="secunia">35630</id>
+            <id type="secunia">37470</id>
+            <id type="secunia">37471</id>
+            <id type="url">http://bugs.ntp.org/1151</id>
+            <id type="url">http://www.kb.cert.org/vuls/id/853097</id>
+            <id type="url">https://lists.ntp.org/pipermail/announce/2009-May/000062.html</id>
+          </vulnerability>
+          <vulnerability id="ntp-clock-radio, he cannot afford, wah wah wee wah" resultCode="VE">
+          </vulnerability>
+        </vulnerabilities>
+        </service>
+      </services>
+    </device>
+  </devices>
+  </NeXposeSimpleXML>

data/spec/nexpose_upload_spec.rb

@@ -0,0 +1,154 @@
+require 'spec_helper'
+require 'ostruct'
+
+describe 'Nexpose upload plugin' do
+  before(:each) do
+    # Stub template service
+    templates_dir = File.expand_path('../../templates', __FILE__)
+    expect_any_instance_of(Dradis::Plugins::TemplateService)
+    .to receive(:default_templates_dir).and_return(templates_dir)
+
+    # Init services
+    plugin = Dradis::Plugins::Nexpose
+
+    @content_service = Dradis::Plugins::ContentService.new(plugin: plugin)
+    template_service = Dradis::Plugins::TemplateService.new(plugin: plugin)
+
+    @importer = plugin::Importer.new(
+      content_service: @content_service,
+      template_service: template_service
+    )
+
+    # Stub dradis-plugins methods
+    #
+    # They return their argument hashes as objects mimicking
+    # Nodes, Issues, etc
+    allow(@content_service).to receive(:create_node) do |args|
+      OpenStruct.new(args)
+    end
+    allow(@content_service).to receive(:create_note) do |args|
+      OpenStruct.new(args)
+    end
+    allow(@content_service).to receive(:create_issue) do |args|
+      OpenStruct.new(args)
+    end
+    allow(@content_service).to receive(:create_evidence) do |args|
+      OpenStruct.new(args)
+    end
+  end
+
+  describe "Importer: Simple" do
+    it "creates nodes, issues, notes and an evidences as needed" do
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: '1.1.1.1', type: :host).once
+
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("Host Description : Linux 2.6.9-89.ELsmp")
+        expect(args[:text]).to include("Scanner Fingerprint certainty : 0.80")
+        expect(args[:node].label).to eq("1.1.1.1")
+      end.once
+
+      expect(@content_service).to receive(:create_node) do |args|
+        expect(args[:label]).to eq('Generic Findings')
+        expect(args[:parent].label).to eq("1.1.1.1")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_node) do |args|
+        expect(args[:label]).to eq('udp-000')
+        expect(args[:parent].label).to eq("1.1.1.1")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Id]#\nntpd-crypto")
+        expect(args[:text]).to include("#[host]#\n1.1.1.1")
+        expect(args[:node].label).to eq("udp-000")
+      end.once
+
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Id]#\nntp-clock-radio")
+        expect(args[:text]).to include("#[host]#\n1.1.1.1")
+        expect(args[:node].label).to eq("udp-000")
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/simple.xml')
+    end
+  end
+
+  describe "Importer: Full" do
+    it "creates nodes, issues, notes and an evidences as needed" do
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: "Nexpose Scan Summary").once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Title]#\nUSDA_Internal (4)")
+        expect(args[:node].label).to eq("Nexpose Scan Summary")
+      end.once
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: "1.1.1.1", type: :host).once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Host]#\n1.1.1.1")
+        expect(args[:node].label).to eq("1.1.1.1")
+      end.once
+
+      expect(@content_service).to receive(:create_node) do |args|
+        expect(args[:label]).to eq("123/udp (open)")
+        expect(args[:parent].label).to eq("1.1.1.1")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Title]#\nService name: NTP")
+        expect(args[:node].label).to eq("123/udp (open)")
+      end.once
+
+      expect(@content_service).to receive(:create_node) do |args|
+        expect(args[:label]).to eq("161/udp (open)")
+        expect(args[:parent].label).to eq("1.1.1.1")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[Title]#\nService name: SNMP")
+        expect(args[:node].label).to eq("161/udp (open)")
+      end.once
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: "Definitions").once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nApache HTTPD: error responses can expose cookies (CVE-2012-0053)")
+        expect(args[:id]).to eq("ntp-clock-variables-disclosure")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nApache HTTPD: ETag Inode Information Leakage (CVE-2003-1418)")
+        expect(args[:id]).to eq("ntp-clock-variables-disclosure")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_node).with(hash_including label: "1.1.1.1", type: :host).once
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("n/a")
+        expect(args[:issue].id).to eq("ntp-clock-variables-disclosure")
+        expect(args[:node].label).to eq("1.1.1.1")
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/full.xml')
+    end
+
+    # Regression test for github.com/dradis/dradis-nexpose/issues/1
+    it "populates solutions regardless they are wrapped in paragraphs or lists" do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Solution]#\nApache HTTPD >= 2.0 and < 2.0.65")
+        OpenStruct.new(args)
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Solution]#\nYou can remove inode information from the ETag header")
+        OpenStruct.new(args)
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/full.xml')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,13 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'nokogiri'
+
+require 'combustion'
+
+Combustion.initialize!
+
+RSpec.configure do |config|
+  # Filter which specs to run
+  config.filter_run :focus => true
+  config.run_all_when_everything_filtered = true
+end

data/templates/full_node.fields

@@ -0,0 +1,8 @@
+node.address
+node.device_id
+node.fingerprints
+node.hardware_address
+node.names
+node.tests
+node.status
+node.software

data/templates/full_node.sample

@@ -0,0 +1,65 @@
+<node
+  address="10.0.0.1"
+  status="alive"
+  device-id="211"
+  hardware-address="00:de:ad:be:ef:00">
+
+  <names>
+      <name>iPad.local</name>
+      <name>Ted's iPad</name>
+  </names>
+
+  <fingerprints>
+    <os
+      certainty="1.00"
+      device-class="Server"
+      vendor="Microsoft"
+      family="Windows"
+      product="Windows Server 2003, Standard Edition"
+      version="SP2"
+      arch="x86_64"/>
+
+    <os
+      certainty="0.85"
+      device-class="General"
+      vendor="Microsoft"
+      family="Windows"
+      product="Windows Server 2003"
+      version="SP2"/>
+  </fingerprints>
+
+  <software>
+    <fingerprint
+      certainty="1.00"
+      software-class="General"
+      vendor="Sun"
+      family="Java"
+      product="JRE"
+      version="1.6.0.22"/>
+
+    <fingerprint
+      certainty="1.00"
+      software-class="General"
+      vendor="Sun"
+      family="Java"
+      product="JRE"
+      version="1.6.0.24"/>
+  </software>
+
+  <tests>
+    <test status="not-vulnerable" id="cifs-generic-0001">
+      <Paragraph>
+        <Paragraph>Running vulnerable CIFS service.</Paragraph>
+        Was not able to authenticate to the CIFS service with no credentials.
+      </Paragraph>
+    </test>
+
+    <test status="vulnerable" id="cifs-generic-0001">
+      <Paragraph>
+        <Paragraph>Something vulnerable or bad.</Paragraph>
+        Stuff
+      </Paragraph>
+    </test>
+  </tests>
+  <endpoints/>
+</node>

data/templates/full_node.template

@@ -0,0 +1,13 @@
+#[Host]#
+%node.address%
+
+#[Details]#
+Status: %node.status%
+Device id: %node.device_id%
+HW address: %node.hardware_address%
+
+#[Names]#
+%node.names%
+
+#[Software]#
+%node.software%

data/templates/full_scan.fields

@@ -0,0 +1,5 @@
+scan.end_time
+scan.name
+scan.scan_id
+scan.start_time
+scan.status

data/templates/full_scan.sample

@@ -0,0 +1,6 @@
+<scan
+  id="287"
+  name="Localnet2"
+  startTime="20120104T100557571"
+  endTime="20120104T100629244"
+  status="finished"/>

data/templates/full_scan.template

@@ -0,0 +1,9 @@
+#[Title]#
+%scan.name% (%scan.scan_id%)
+
+#[Timing]#
+Start time: %scan.start_time%
+End time: %scan.end_time%
+
+#[Status]#
+%scan.status%

data/templates/full_service.fields

@@ -0,0 +1,4 @@
+service.configurations
+service.fingerprints
+service.name
+service.tests

data/templates/full_service.sample

@@ -0,0 +1,17 @@
+<service name="CIFS Name Service">
+  <fingerprints>
+    <fingerprint certainty="1.00" product="Windows Server 2003 R2 5.2"/>
+  </fingerprints>
+
+  <configuration>
+    <config name="advertised-name-1">DC1 (Computer Name)</config>
+    <config name="advertised-name-2">localdomain (Domain Name)</config>
+    <config name="advertised-name-3">xxxxx (File Server Service)</config>
+    <config name="advertised-name-4">TOR (Browser Service Elections)</config>
+    <config name="advertised-name-count">4</config>
+    <config name="mac-address">00:de:ad:be:ef:00</config>
+  </configuration>
+
+  <tests>
+  </tests>
+</service>

data/templates/full_service.template

@@ -0,0 +1,11 @@
+#[Title]#
+Service name: %service.name%
+
+#[Fingerprinting]#
+%service.fingerprints%
+
+#[Configuration]#
+%service.configurations%
+
+#[Tests]#
+%service.tests%

data/templates/full_vulnerability.fields

@@ -0,0 +1,13 @@
+vulnerability.added
+vulnerability.cvss_score
+vulnerability.cvss_vector
+vulnerability.description
+vulnerability.modified
+vulnerability.nexpose_id
+vulnerability.pci_severity
+vulnerability.published
+vulnerability.references
+vulnerability.severity
+vulnerability.solution
+vulnerability.tags
+vulnerability.title

data/templates/full_vulnerability.sample

@@ -0,0 +1,59 @@
+<vulnerability
+  id="CIFS-GENERIC-0001"
+  title="No password on CIFS Administrator account"
+  severity="8"
+  pciSeverity="5"
+  cvssScore="7.5"
+  cvssVector="(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
+  published="19970101T000000000"
+  added="20041101T000000000"
+  modified="20111117T000000000">
+
+  <description>
+    <ContainerBlockElement>
+      <Paragraph>
+        Windows systems come with an administration account, "Administrator" in the default
+        installation. Furthermore, a Unix system administrator may choose the username "Administrator"
+        when configuring SAMBA.  A common password used for this account is "" (no password). It is best
+        practice to remove default accounts, if possible. For accounts required by the system,
+        the default password should be changed.
+      </Paragraph>
+
+      <Paragraph>
+      This account grants full access to the system, making it most critical to secure.
+      </Paragraph>
+    </ContainerBlockElement>
+  </description>
+
+  <references>
+    <reference source="CVE">CVE-1999-0504</reference>
+    <reference source="CVE">CVE-1999-0506</reference>
+    <reference source="SANS-04">W5</reference>
+  </references>
+
+  <tags>
+    <tag>CIFS/SMB/NetBIOS</tag>
+    <tag>Default Account</tag>
+    <tag>Samba</tag>
+    <tag>UNIX</tag>
+    <tag>Windows</tag>
+  </tags>
+
+  <solution>
+    <ContainerBlockElement>
+      <Paragraph>
+        Choose a better password for the administrator account.  A good
+        password should consist of a mix of lower- and upper-case characters,
+        numbers, and punctuation and should be at least 8 characters long.
+      </Paragraph>
+
+      <Paragraph>
+        In addition, the default account name of "Administrator" should be
+        changed to something less obvious. This will make simple brute force attempts
+        harder, as the malicious user must use other means to find the account name.
+        In all cases, the password should be changed to a well thought out (hard
+        to crack) value.
+      </Paragraph>
+    </ContainerBlockElement>
+  </solution>
+</vulnerability>