intrigue-ident 0.4 → 0.6

data/lib/checks/automattic.rb

@@ -0,0 +1,189 @@
+module Intrigue
+module Ident
+module Check
+  class Automattic < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor =>"Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"wordpress generator tag in content",
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /<meta name="generator" content="WordPress/i,
+          :dynamic_version => lambda { |x|  _first_body_capture x, /<meta name=\"generator\" content=\"WordPress\ (.*)\" \/>/i },
+          :hide => false,
+          :examples => [
+            "http://www.jewelosco.com:80",
+            "http://blog.nolimitvpn.com:80"
+          ],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor =>"Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"common link",
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /<link rel='https:\/\/api.w.org\/'/,
+          :examples => ["https://staging.blogs.nordstrom.com:443"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor =>"Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress (Hosted)",
+          :match_details =>"unique header",
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /x-hacker: If you're reading this, you should visit automattic.com/,
+          :examples => ["http://192.0.78.12:80"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress WP-JSON endpoint",
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /gmt_offset/,
+          :paths => ["#{url}/wp-json"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.0",
+          :match_type => :checksum_body,
+          :checksum => "a306a72ce0f250e5f67132dc6bcb2ccb",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.1",
+          :match_type => :checksum_body,
+          :checksum => "4f04728cb4631a553c4266c14b9846aa",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.2",
+          :match_type => :checksum_body,
+          :checksum => "25e1e78d5b0c221e98e14c6e8c62084f",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.3",
+          :match_type => :checksum_body,
+          :checksum => "83c83d0f0a71bd57c320d93e59991c53",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.5",
+          :match_type => :checksum_body,
+          :checksum => "7293453cf0ff5a9a4cfe8cebd5b5a71a",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.6",
+          :match_type => :checksum_body,
+          :checksum => "61740709537bd19fb6e03b7e11eb8812",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.7",
+          :match_type => :checksum_body,
+          :checksum => "e6bbc53a727f3af003af272fd229b0b2",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.7.1",
+          :match =>:checksum_body,
+          :checksum => "e6bbc53a727f3af003af272fd229b0b2",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        },
+        {
+          :type => "application",
+          :vendor => "Automattic",
+          :tags => ["CMS"],
+          :product =>"Wordpress",
+          :match_details =>"Wordpress TinyMCE Editor",
+          :references => ["https://dcid.me/texts/fingerprinting-web-apps.html"],
+          :version => "2.9.1",
+          :match_type => :checksum_body,
+          :checksum => "128e75ed19d49a94a771586bf83265ec",
+          :paths => ["#{url}/wp-includes/js/tinymce/tiny_mce.js"]
+        }
+      ]
+    end
+
+=begin
+all_checks = [{
+  :url => "#{url}",
+  :checklist => [
+  {
+    :product =>"Yoast Wordpress SEO Plugin", # won't be used if we have
+    :match_details =>"Yoast Wordpress SEO Plugin",
+    :match_type => "content",
+    :match_content =>  /<!-- \/ Yoast WordPress SEO plugin. -->/,
+    :test_site => "https://ip-50-62-231-56.ip.secureserver.net",
+    :dynamic_name => lambda{|x| x.scan(/the Yoast WordPress SEO plugin v.* - h/)[0].gsub("the ","").gsub(" - h","") }
+  }
+]},
+=end
+
+  end
+end
+end
+end

data/lib/checks/axis.rb

@@ -0,0 +1,24 @@
+module Intrigue
+module Ident
+module Check
+class Axis < Intrigue::Ident::Check::Base
+
+  def generate_checks(url)
+    [
+      {
+        :type => "application",
+        :vendor => "Axis",
+        :tags => ["tech:webcam"],
+        :product => "Webcam",
+        :match_details =>"default redirect uri",
+        :version => nil,
+        :match_type => :content_body,
+        :match_content =>  /<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=\/view\/viewer_index.shtml?id=/,
+        :paths => ["#{url}"]
+      }
+    ]
+  end
+end
+end
+end
+end

data/lib/checks/banu.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+  class Banu < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Banu",
+          :tags => [],
+          :product =>"Tinyproxy",
+          :match_details =>"server header",
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /server: tinyproxy/i,
+          :dynamic_version => lambda { |x|
+            _first_header_capture(x,/server: tinyproxy\/(.*)/i,)
+          },
+          :examples => ["http://208.46.69.59:8080"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/base.rb

@@ -7,6 +7,64 @@ class Base
     CheckFactory.register(base)
   end
 
+  private
+
+    def _body(content)
+      content["details"]["hidden_response_data"] || ""
+    end
+
+    # matching helpers
+    def _first_body_match(content, regex)
+      return nil unless content["details"]["hidden_response_data"]
+      content["details"]["hidden_response_data"].match(regex)
+    end
+
+    def _first_body_capture(content, regex, filter=[])
+      return nil unless content["details"]["hidden_response_data"]
+      x = content["details"]["hidden_response_data"].match(regex)
+      if x
+        x = x.captures.first.strip
+        filter.each{|f| x.gsub!(f,"") }
+        x = x.strip
+        return x if x.length > 0
+      end
+    nil
+    end
+
+    def _first_header_match(content, regex)
+      return nil unless content["details"]["headers"]
+      content["details"]["headers"].match(regex).first
+    end
+
+    def _first_header_capture(content,regex, filter=[])
+      return nil unless content["details"]["headers"]
+      x = content["details"]["headers"].join("\n").match(regex)
+      if x
+        x = x.captures.first
+        filter.each{|f| x.gsub!(f,"") }
+        x = x.strip
+        return x if x.length > 0
+      end
+    nil
+    end
+
+    def _first_cookie_match(content, regex)
+      return nil unless content["details"]["cookies"]
+      content["details"]["cookies"].match(regex).first
+    end
+
+    def _first_cookie_capture(content, regex, filter=[])
+      return nil unless content["details"]["headers"]
+      x = content["details"]["cookies"].match(regex)
+      if x
+        x = x.captures.first.strip
+        filter.each{|f| x.gsub!(f,"") }
+        x = x.strip
+        return x if x.length > 0
+      end
+    nil
+  end
+
 end
 end
 end

data/lib/checks/checkpoint.rb

@@ -0,0 +1,55 @@
+module Intrigue
+module Ident
+module Check
+  class Checkpoint < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Checkpoint",
+          :tags => ["tech:vpn"],
+          :product =>"GO",
+          :match_details =>"page title",
+          :references => ["https://en.wikipedia.org/wiki/Check_Point_GO"],
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /<title>Check Point Mobile GO/i,
+          :examples => ["http://192.234.138.61:80"],
+          :verify => ["eGNlbGVuZXJneSNJbnRyaWd1ZTo6RW50aXR5OjpVcmkjaHR0cDovLzE5Mi4yMzQuMTM4LjYxOjgw"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "Checkpoint",
+          :tags => ["tech:vpn"],
+          :product =>"GO",
+          :match_details =>"server header",
+          :references => ["https://en.wikipedia.org/wiki/Check_Point_GO"],
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /server: CPWS/i,
+          :examples => ["http://200.142.200.1:80"],
+          :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vMjAwLjE0Mi4yMDAuMTo4MA=="],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "Checkpoint",
+          :tags => ["tech:vpn"],
+          :product =>"SSL Network Extender",
+          :match_details =>"server header",
+          :references => [],
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /server: Check Point SVN foundation/i,
+          :examples => ["https://www.cora.ro:8443"],
+          :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwczovL3d3dy5jb3JhLnJvOjg0NDM="],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/chef.rb

@@ -3,24 +3,28 @@ module Ident
 module Check
     class Chef < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Chef Server",
-            :description => "Chef Server",
+            :type => "application",
+            :vendor => "Chef",
+            :product =>"Server",
+            :match_details =>"Chef Server",
             :version => nil,
-            :type => :content_body,
-            :content => /<title>Chef Server<\/title>/,
-            :dynamic_version => lambda{|x| x.body.scan(/Version\ (.*)\ &mdash;/)[0].first },
-            :paths => ["#{uri}"]
+            :match_type => :content_body,
+            :match_content =>  /<title>Chef Server<\/title>/,
+            :dynamic_version => lambda{|x| _first_body_capture(/Version\ (.*)\ &mdash;/) },
+            :paths => ["#{url}"]
           },
           {
-            :name => "Chef Server",
-            :description => "Chef Server",
+            :type => "application",
+            :vendor => "Chef",
+            :product =>"Server",
+            :match_details =>"Chef Server",
             :version => nil,
-            :type => :content_cookies,
-            :content => /chef-manage/i,
-            :paths => ["#{uri}"]
+            :match_type => :content_cookies,
+            :match_content =>  /chef-manage/i,
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/cisco.rb

@@ -3,27 +3,100 @@ module Ident
 module Check
     class Cisco < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Cisco SSL VPN",
-            :description => "Cisco SSL VPN",
+            :type => "application",
+            :vendor => "Cisco",
+            :product => "Adaptive Security Device Manager",
+            :match_details => "page title",
+            :version => nil,
+            :dynamic_version => lambda {|x| _first_body_capture(x,/<title>Cisco ASDM (.*?)<\/title>/)},
+            :match_type => :content_body,
+            :match_content =>  /<title>Cisco ASDM/,
+            :hide => false,
+            :examples => ["https://194.107.112.4:443"],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwczovLzE5NC4xMDcuMTEyLjQ6NDQz"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "hardware",
+            :vendor => "Cisco",
+            :product => "Email Security Appliance",
+            :match_details => "page title",
+            :version => nil,
+            :dynamic_version => lambda {|x| _first_body_capture(x,/Email Security Appliance   (.*?) \(/)},
+            :match_type => :content_body,
+            :match_content =>  /<title>        Cisco         Email Security Appliance/,
+            :hide => false,
+            :examples => ["https://200.142.198.180:443"],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwczovLzIwMC4xNDIuMTk4LjE4MDo0NDM="],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "hardware",
+            :vendor => "Cisco",
+            :product => "Meraki",
+            :match_details => "Meraki logo on an on-prem box",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /<img id="header_logo" src="images\/meraki-logo.png"/,
+            :hide => false,
+            :examples => [],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Cisco",
+            :product =>"SSL VPN",
+            :match_details =>"Cisco SSL VPN",
+            :tags => ["tech:vpn"],
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /webvpn/,
+            :hide => false,
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Cisco",
+            :product =>"SSL VPN",
+            :match_details =>"Cisco SSL VPN",
             :tags => ["tech:vpn"],
             :version => nil,
-            :type => :content_cookies,
-            :content => /webvpn/,
+            :match_type => :content_body,
+            :match_content => /document.location.replace\(\"\/\+CSCOE\+\/logon.html\"\)/,
+            :examples => [
+              "https://12.237.144.250:443",
+              "http://12.150.243.178:80"],
             :hide => false,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           },
           {
-            :name => "Cisco Router",
-            :description => "Cisco Router",
+            :type => "application",
+            :vendor => "Cisco",
+            :product => "Router",
+            :match_details => "Cisco Router",
             :version => nil,
-            :type => :content_headers,
-            :content => /server: cisco-IOS/,
+            :match_type => :content_headers,
+            :match_content =>  /server: cisco-IOS/,
             :hide => false,
-            :paths => ["#{uri}"]
-          }
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Cisco",
+            :product =>"vManage",
+            :match_details => "page title",
+            :tags => [],
+            :version => nil,
+            :match_type => :content_body,
+            :match_content => /<title>Cisco vManage/,
+            :examples => ["http://129.41.171.244:80"],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vMTI5LjQxLjE3MS4yNDQ6ODA="],
+            :hide => false,
+            :paths => ["#{url}"]
+          },
         ]
       end