fidius-evasiondb 0.0.1

data/lib/evasion-db/knowledge.rb

@@ -0,0 +1,128 @@
+module FIDIUS
+  module EvasionDB
+    # This module provides active-record classes for the knowledge database.
+    # Some handy query methods are also available.
+    module Knowledge
+      # used in find_events_for_exploit
+      # to indicate that the exploit with minimal events should be searched
+      MIN_EVENTS = 1
+      # used in find_events_for_exploit
+      # to indicate that the exploit with maximal events should be searched
+      MAX_EVENTS = 2
+
+      autoload :AttackModule,  'evasion-db/knowledge/attack_module'
+      autoload :AttackOption,  'evasion-db/knowledge/attack_option'
+      autoload :AttackPayload, 'evasion-db/knowledge/attack_payload'
+      autoload :Connection,    'evasion-db/knowledge/connection'
+      autoload :IdmefEvent,    'evasion-db/knowledge/idmef_event'
+      autoload :Packet,        'evasion-db/knowledge/packet'
+
+      # returns all modules(exploits) in knowledge database
+      def self.get_exploits
+        AttackModule.all
+      end
+
+      def self.get_exploit(id)
+        AttackModule.find(id)
+      end
+
+      # finds a packet within an id
+      #
+      #@param [integer] packet id
+      def self.get_packet(id)
+        Packet.find(id)
+      end
+
+      # returns all idmef-events
+      def self.get_events
+        IdmefEvent.all
+      end
+
+      # return an certain event
+      #
+      #@param [integer] event id
+      def self.get_event(event_id)
+        IdmefEvent.find(event_id)
+      end
+
+      # returns a certain packet
+      #
+      #@param [integer] packet id
+      def self.get_packet(pid)
+        Packet.find(pid)
+      end
+
+      # returns all exploits for the given service
+      #
+      #@param [integer] port
+      def self.find_exploits_for_service(port)
+        option_set = AttackOption.where(:option_key => "RPORT",
+                                        :option_value => port)
+        exploits = []
+        option_set.each { |opt| exploits << opt.attack_module }
+        exploits
+      end
+
+      # returns the packets which might be responsible for the given event
+      #
+      # @param [integer] event id
+      def self.get_packet_for_event(event_id)
+        event = IdmefEvent.find(event_id)
+        FIDIUS::EvasionDB::LogMatchesHelper.find_packets_for_event(event,Packet.all)
+      end
+
+      # find out the events raised by the given payload
+      #
+      #@param [string] payload
+      def self.get_events_for_payload(payload)
+        #TODO: Search all packets which belong to this event
+        events = []
+        search_payload = FIDIUS::EvasionDB::LogMatchesHelper.to_hex(payload)
+        IdmefEvent.find_each do |event|
+          event_payload = FIDIUS::EvasionDB::LogMatchesHelper.to_hex(event.payload)
+          events << event if event_payload.include?(search_payload)
+        end
+
+        events
+      end
+
+      # find events for an module(exploit). you can restrict your results by setting options
+      # which sould be used by the exploit. You can even determine if minimal or maximal size of
+      # events should be returned
+      #
+      #@param [string] exploit/module name
+      #@param [hash] options which should be used
+      #@param [integer] MIN_EVENTS||MAX_EVENTS
+      def self.find_events_for_exploit(name,options={},result = MIN_EVENTS)
+        attacks = AttackModule.find_all_by_name(name).delete_if do |attack|
+          !attack.has_options(options)
+        end
+
+        if attacks.size > 0
+          res = nil
+          if result == MIN_EVENTS
+            min_cnt = 1073741823 #max value
+            attacks.each do |attack|
+              events_cnt = attack.idmef_events.size
+              if events_cnt < min_cnt
+                min_cnt = events_cnt
+                res = attack
+              end
+            end
+          elsif result == MAX_EVENTS
+            min_cnt = 0 #min value
+            attacks.each do |attack|
+              events_cnt = attack.idmef_events.size
+              if events_cnt > min_cnt
+                min_cnt = events_cnt
+                res = attack
+              end
+            end
+          end
+          return res.idmef_events if result
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/evasion-db/log_matches_helper.rb

@@ -0,0 +1,43 @@
+module FIDIUS
+  module EvasionDB
+    # This helper is indented to find matches between logged packets and idmef-events
+    # by comparing their payload.
+    module LogMatchesHelper
+
+      # this method is from Rex::Text of metasploit
+	    def self.to_hex(str, prefix = "\\x", count = 1)
+		    raise ::RuntimeError, "unable to chunk into #{count} byte chunks" if ((str.length % count) > 0)
+
+		    # XXX: Regexp.new is used here since using /.{#{count}}/o would compile
+		    # the regex the first time it is used and never check again.  Since we
+		    # want to know how many to capture on every instance, we do it this
+		    # way.
+		    return str.unpack('H*')[0].gsub(Regexp.new(".{#{count * 2}}", nil, 'n')) { |s| prefix + s }
+	    end
+
+      # tries to find the packet which generated the given event
+      #
+      #@param [IdmefEvent] a certain idmef event
+      #@param [Array] Array of Packet
+      #@return [hash] {:packet=>:index,:length} index and length are indicating where the match between both payloads is.
+      def self.find_packets_for_event(event,packets)
+        event_payload = nil
+        return unless event.payload
+        if event.payload.size > 0
+          event_payload = self.to_hex(event.payload).gsub("\\x","")
+        end
+        return unless event_payload
+
+        packets.each do |packet|
+          str = nil
+          # lets find the payload of the prelude event
+          # in one of the logged payloads
+          packet_payload = self.to_hex(packet.payload).gsub("\\x","")
+          str = packet_payload[event_payload]
+          return {:packet=>packet,:index=>packet.payload.index(event.payload),:length=>event.payload.size} if str != nil
+        end
+        nil
+      end
+    end#module LogMatchesHelper
+  end#module EvasionDB
+end#module FIDIUS

data/lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb

@@ -0,0 +1,78 @@
+module FIDIUS
+  module EvasionDB
+    # This recorder provides an interface for the metasploit console
+    # it is used to have callbacks when modules are executed. 
+    # 
+    # @see {file:msf-plugins/evasiondb.rb}
+    module MsfRecorder
+      def module_started(module_instance)
+        @@current_exploit = FIDIUS::EvasionDB::Knowledge::AttackModule.find_or_create_by_name_and_options(module_instance.fullname,module_instance.datastore)
+        FIDIUS::EvasionDB.current_fetcher.begin_record
+      end
+
+      def module_completed(module_instance)
+        begin
+        # TODO: refactor this
+        if module_instance.datastore["RHOST"]
+          FIDIUS::EvasionDB.current_fetcher.local_ip = FIDIUS::Common.get_my_ip(module_instance.datastore["RHOST"])
+        end
+        if module_instance.datastore["RHOSTS"]
+          FIDIUS::EvasionDB.current_fetcher.local_ip = FIDIUS::Common.get_my_ip(module_instance.datastore["RHOSTS"])
+        end
+        unless @@current_exploit.finished
+          $logger.debug("module #{module_instance} finished")
+          idmef_events = FIDIUS::EvasionDB.current_fetcher.fetch_events(module_instance)
+          $logger.debug("found #{idmef_events.size} events")
+          idmef_events.each do |idmef_event|
+            if module_instance && module_instance.respond_to?("fullname")
+              $logger.debug "idmef_events << #{idmef_event}"
+              @@current_exploit.idmef_events << idmef_event
+              # meterpreter is not a module and does not respond to fullname 
+              # we handle this seperatly
+            elsif module_instance == "Meterpreter"
+              $logger.debug "attack_payload.idmef_events << #{idmef_event}"
+              @@current_exploit.attack_payload.idmef_events << idmef_event
+            end
+          end
+          @@current_exploit.finished = true
+          @@current_exploit.save
+        end
+        rescue
+          $logger.error $!.message+":"+$!.backtrace.to_s
+        end
+      end
+
+      def module_error(module_instance,exception)
+        module_completed(module_instance)
+      end
+
+      def log_packet(module_instance,data,socket)
+        begin
+          # set local ip, if there is no
+          #FIDIUS::EvasionDB.current_fetcher.local_ip = FIDIUS::Common.get_my_ip(socket.peerhost)
+          $logger.debug "logged module_instance: #{module_instance} with #{data.size} bytes payload"
+          # TODO: what shall we do with meterpreter? 
+          # it has not options and no fullname, logger assigns only the string "meterpreter"
+          if module_instance.respond_to?("fullname")
+            unless @@current_exploit.finished
+              @@current_exploit.packets << FIDIUS::EvasionDB::Knowledge::Packet.create(:payload=>data,:src_addr=>socket.localhost,:src_port=>socket.localport,:dest_addr=>socket.peerhost,:dest_port=>socket.peerport)
+              @@current_exploit.save
+            end
+          # meterpreter is not a module and does not respond to fullname 
+          # we handle this seperatly
+          elsif module_instance == "Meterpreter"
+            $logger.debug "module_instance is meterpreter"
+            $logger.debug "putting package to attack_payload"
+            @@current_exploit.attack_payload.packets << FIDIUS::EvasionDB::Knowledge::Packet.create(:payload=>data,:src_addr=>socket.localhost,:src_port=>socket.localport,:dest_addr=>socket.peerhost,:dest_port=>socket.peerport)
+            @@current_exploit.save
+          end
+          $logger.debug "LOG: #{module_instance} #{data.size} Bytes on #{socket}"
+        rescue ActiveRecord::StatementInvalid
+          $logger.error "StatementInvalid"
+        rescue 
+          $logger.error "error:" # "#{$!.message}" ##{$!.inspect}:#{$!.backtrace}"
+        end
+      end
+    end
+  end
+end

data/lib/evasion-db/recorders/msf-recorder/recorder.rb

@@ -0,0 +1,6 @@
+FIDIUS::EvasionDB.recorder "Msf-Recorder" do
+  install do
+    require (File.join File.dirname(__FILE__), 'lib', 'msf-recorder.rb')
+    self.extend FIDIUS::EvasionDB::MsfRecorder
+  end
+end

data/lib/evasion-db/recorders/recorders.rb

@@ -0,0 +1,61 @@
+module FIDIUS
+  module EvasionDB
+    def self.recorder(name,&block)
+      FIDIUS::EvasionDB::Recorder.new(name,&block)
+    end
+
+    def self.install_recorders
+      $logger.debug "installing recoders"
+      FIDIUS::EvasionDB::Recorder.all.each do |recorder|
+        recorder.run_install
+      end
+    end
+
+    # A Recorder us used to log packets for an executed attack
+    class Recorder
+      @@recorders = []
+      attr_accessor :name
+
+      def initialize(name,&block)
+        self.instance_eval(&block)
+        @name = name
+        @@recorders << self
+      end
+
+      def install(&block)
+        $logger.debug "setting installblock"
+        @install = block
+      end
+
+      def run_install
+        raise "no install block given" unless @install
+        $logger.debug "run install of #{@name}"
+        @install.call
+      end
+
+      def self.all
+        @@recorders
+      end
+
+      def self.by_name(name)
+        self.all.each do |recorder|
+          return recorder if recorder.name == name
+        end
+        nil
+      end
+
+      def start
+        raise "overwrite this"
+      end
+
+      def log_packet
+        raise "overwrite this"
+      end
+    end
+  end
+end
+
+Dir[File.join(File.dirname(__FILE__), "*/recorder.rb")].each{|fetch_require|
+  $logger.debug "load #{fetch_require}"
+  require fetch_require
+} 

data/lib/evasion-db/version.rb

@@ -0,0 +1,5 @@
+module FIDIUS
+  module EvasionDB
+    VERSION = "0.0.1"
+  end
+end

data/lib/fidius-evasiondb.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+
+require 'logger'
+require 'fidius-common'
+require 'active_record'
+require 'evasion-db/base'
+
+module FIDIUS
+  module EvasionDB
+    $logger       = Logger.new(STDOUT)
+    $logger.level = Logger::ERROR
+    GEM_BASE      = File.expand_path('..', __FILE__)
+    $logger.debug "GEM_BASE ist: #{GEM_BASE}"
+    
+    autoload :VERSION,          'evasion-db/version'
+    autoload :LogMatchesHelper, 'evasion-db/log_matches_helper'
+    autoload :Knowledge,        'evasion-db/knowledge'
+
+    # install fetchers
+    require File.join(GEM_BASE, 'evasion-db', 'idmef-fetchers', 'fetchers.rb')
+    FIDIUS::EvasionDB.install_fetchers
+
+    # install recorders
+    require File.join(GEM_BASE, 'evasion-db', 'recorders', 'recorders.rb')
+    FIDIUS::EvasionDB.install_recorders
+  end
+end

data/lib/msf-plugins/database.yml.example

@@ -0,0 +1,24 @@
+ids_db:
+  adapter: postgresql
+  host: 10.10.10.253
+  port: 5432
+  encoding: utf8
+  database: preludemanager
+  username: preludemanager
+  password: fidius09
+  read_timeout: 1
+  write_timeout: 1
+  wait_timeout: 1
+  timeout: 1
+  pool: 1
+  retry: 3
+
+evasion_db:
+  adapter: mysql2
+  host: localhost
+  port: 3306
+  encoding: utf8
+  database: evasion_db
+  username: root
+  password:
+  socket: /opt/lampp/var/mysql/mysql.sock