intrigue-ident 0.4 → 0.6

data/lib/checks/citrix.rb

@@ -3,17 +3,92 @@ module Ident
 module Check
     class Citrix < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Citrix Netscaler Gateway",
-            :description => "Citrix Netscaler Gateway",
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "Netscaler Gateway",
+            :match_details => "Citrix Netscaler Gateway",
             :tags => ["tech:vpn"],
             :version => nil,
-            :type => :content_body,
-            :content => /<title>Netscaler Gateway/,
+            :match_type => :content_body,
+            :match_content =>  /<title>Netscaler Gateway/,
             :hide => false,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "Netscaler Gateway",
+            :match_details => "(often) customized logon page - netscaler gateway",
+            :tags => ["tech:vpn"],
+            :version => nil,
+            :match_type => :content_body,
+            :match_content => /CTXMSAM_LogonFont/,
+            :hide => false,
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "Netscaler Gateway",
+            :match_details => "misspelled content-length header",
+            :tags => ["tech:vpn"],
+            :references => ["https://support.citrix.com/article/CTX211605"],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content => /^cteonnt-length:.*$/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :examples => ["http://204.29.196.116:80"]
+          },
+          {
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "Netscaler Gateway",
+            :match_details => "cookie",
+            :tags => ["tech:vpn"],
+            :references => ["https://support.citrix.com/article/CTX131488"],
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content => /citrix_ns_id=/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :verify => ["dW5kZXJhcm1vdXIjSW50cmlndWU6OkVudGl0eTo6VXJpI2h0dHA6Ly8yMDQuMjkuMTk2LjEwMjo4MA=="],
+            :examples => ["http://204.29.196.102:80"]
+          },
+          {
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "XenServer",
+            :match_details => "page title",
+            :tags => ["tech:hypervisor"],
+            :references => [""],
+            :version => nil,
+            :dynamic_version => lambda { |x| _first_body_capture(x,/<title>XenServer (.*?)<\/title>/) },
+            :match_type => :content_body,
+            :match_content => /<title>XenServer/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vMTU4Ljg1LjE3My4zNzo4MA=="],
+            :examples => ["http://158.85.173.37:80"]
+          },
+          {
+            :type => "application",
+            :vendor => "Citrix",
+            :product => "XenServer",
+            :match_details => "page title",
+            :tags => ["tech:hypervisor"],
+            :references => [""],
+            :version => nil,
+            :dynamic_version => lambda { |x| _first_body_capture(x,/<title>Welcome to Citrix XenServer (.*?)<\/title>/) },
+            :match_type => :content_body,
+            :match_content => /<title>Welcome to Citrix XenServer/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwczovLzIzLmRjLjU1OWUuaXA0LnN0YXRpYy5zbC1yZXZlcnNlLmNvbTo0NDM="],
+            :examples => ["https://23.dc.559e.ip4.static.sl-reverse.com:443"]
           }
         ]
       end

data/lib/checks/cloudflare.rb

@@ -3,52 +3,62 @@ module Ident
 module Check
     class Cloudflare < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Cloudflare",
-            :description => "Cloudflare Accelerated Page",
-            :version => "",
-            :type => :content_cookies,
-            :content => /__cfduid/i,
-            :paths => ["#{uri}"]
+            :type => "service",
+            :vendor => "Cloudflare",
+            :product => "CDN",
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /__cfduid/i,
+            :match_details =>"Cloudflare Accelerated Page",
+            :paths => ["#{url}"]
           },
           {
-            :name => "Cloudflare",
-            :description => "Cloudflare Server",
-            :version => "",
-            :type => :content_headers,
-            :content => /cloudflare-nginx/i,
-            :paths => ["#{uri}"]
+            :type => "service",
+            :vendor => "Cloudflare",
+            :product => "CDN",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /cloudflare-nginx/i,
+            :match_details =>"Cloudflare Server",
+            :paths => ["#{url}"]
           },
           {
-            :name => "Cloudflare",
-            :description => "Cloudflare - Direct IP Access",
+            :type => "service",
+            :vendor => "Cloudflare",
+            :product => "CDN",
             :tags => ["error_page"],
-            :version => "",
-            :type => :content_body,
-            :content => /<title>Direct IP access not allowed \| Cloudflare/,
+            :version => nil,
+            :match_type => :content_body,
+            :match_content => /<title>Direct IP access not allowed \| Cloudflare/,
+            :match_details =>"Cloudflare - Direct IP Access",
             :hide => true,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           },
           {
-            :name => "Cloudflare",
-            :description => "Cloudflare Error",
+            :type => "service",
+            :vendor => "Cloudflare",
+            :product => "CDN",
+            :match_details =>"Cloudflare Error",
             :tags => ["error_page"],
             :version => "",
-            :type => :content_body,
-            :content => /cferror_details/,
+            :match_type => :content_body,
+            :match_content =>  /cferror_details/,
             :hide => true,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           },
           {
-            :name => "Cloudflare",
-            :description => "Cloudfront Error - Direct IP Access",
-            :version => "",
-            :type => :content_body,
-            :content => /403\ Forbidden<\/h1><\/center>\n<hr><center>cloudflare<\/center>/,
+            :type => "service",
+            :vendor => "Cloudflare",
+            :product => "CDN",
+            :match_details =>"Cloudfront Error - Direct IP Access",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /403\ Forbidden<\/h1><\/center>\n<hr><center>cloudflare<\/center>/im,
             :hide => true,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/cpanel.rb

@@ -3,16 +3,18 @@ module Ident
 module Check
     class Cpanel < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "cPanel Hosted - Missing Page",
-            :description => "cPanel Hosted, but either misconfigured, or accessed via ip vs hostname?",
+            :vendor => "cPanel",
+            :type => "application",
+            :product =>"cPanel Hosted - Missing Page",
+            :match_details =>"cPanel Hosted, but either misconfigured, or accessed via ip vs hostname?",
             :version => nil,
-            :type => :content_body,
-            :content => /URL=\/cgi-sys\/defaultwebpage.cgi/,
+            :match_type => :content_body,
+            :match_content =>  /URL=\/cgi-sys\/defaultwebpage.cgi/,
             :hide => true,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/craft.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class Craft < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :vendor => "Craft",
+            :type => "application",
+            :product =>"CMS",
+            :match_details =>"csrf protection cookie",
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /CRAFT_CSRF_TOKEN/,
+            :hide => true,
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/django.rb

@@ -3,15 +3,17 @@ module Ident
 module Check
     class Django < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Django",
-            :description => "Django Admin Page",
+            :type => "application",
+            :vendor => "Django",
+            :product =>"Django",
             :version => nil,
-            :type => :content_body,
-            :content => /<title>Log in \| Django site admin<\/title>/,
-            :paths => ["#{uri}/admin"]
+            :match_details =>"Django Admin Page",
+            :match_type => :content_body,
+            :match_content =>  /<title>Log in \| Django site admin<\/title>/,
+            :paths => ["#{url}/admin"]
           }
         ]
       end

data/lib/checks/docuwiki.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+class Docuwiki < Intrigue::Ident::Check::Base
+
+  def generate_checks(url)
+    [
+      {
+        :type => "application",
+        :vendor => "Docuwiki",
+        :product => "Docuwiki",
+        :version => nil,
+        :match_type => :content_headers,
+        :match_content =>  /DokuWiki=/,
+        :match_details =>"Cookie match",
+        :references => ["https://www.dokuwiki.org/dokuwiki"],
+        :examples => ["https://docs.foxycart.com:443"],
+        :paths => ["#{url}"]
+      }
+    ]
+  end
+end
+end
+end
+end

data/lib/checks/drupal.rb

@@ -3,20 +3,37 @@ module Ident
 module Check
     class Drupal < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Drupal",
-            :description => "Drupal CMS",
+            :type => "application",
+            :vendor => "Drupal",
+            :product => "Drupal",
+            :tags => ["CMS"],
+            :match_details => "Drupal version in page content",
             :version => nil,
-            :type => :content_body,
-            :content => /Drupal/,
+            :match_type => :content_body,
+            :match_content => /^Drupal [0-9]+\.[0-9]+/,
             :dynamic_version => lambda { |x|
-              version = x.body.scan(/^(Drupal.*)[ ,<\.].*$/)[0]
-              return version.first.gsub("Drupal ","").gsub(",","").chomp if version
+              _first_body_capture(x,/^Drupal ([0-9\.]*?)[ ,<\.].*$/)
             },
-            :paths => ["#{uri}/CHANGELOG.txt"]
+            :paths => ["#{url}/CHANGELOG.txt"]
+          },
+          {
+            :type => "application",
+            :vendor => "Drupal",
+            :product => "Drupal",
+            :tags => ["CMS"],
+            :match_details => "Drupal headers",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /x-generator: Drupal/,
+            :dynamic_version => lambda { |x|
+              _first_header_capture(x,/x-generator: Drupal\ ([0-9]+)\ \(/i,)
+            },
+            :paths => ["#{url}"]
           }
+
         ]
       end
 

data/lib/checks/f5.rb

@@ -3,17 +3,45 @@ module Ident
 module Check
     class F5 < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "F5 BIG-IP APM",
-            :description => "F5 BIG-IP APM",
-            :tags => ["tech:vpn"],
+            :type => "application",
+            :vendor => "F5",
+            :product =>"BIG-IP APM",
+            :match_details =>"F5 BIG-IP APM default cookie",
+            :tags => ["tech:load_balancer"],
             :version => nil,
-            :type => :content_cookies,
-            :content => /MRHSession/,
+            :match_type => :content_cookies,
+            :match_content => /MRHSession/,
             :hide => false,
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "F5",
+            :product =>"BIG-IP APM",
+            :match_details =>"F5 BIG-IP APM default logo",
+            :tags => ["tech:load_balancer"],
+            :version => nil,
+            :references => ["https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-customization-11-6-0/3.html"],
+            :match_type => :content_body,
+            :match_content => /<img src="\/public\/images\/my\/tr.gif\//,
+            :hide => false,
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "hardware",
+            :vendor => "F5",
+            :product =>"BIG-IP",
+            :match_details =>"F5 BIG-IP Load balancer cookie",
+            :tags => ["tech:load_balancer"],
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /BIGipServer/,
+            :examples => ["https://reset.oxy.com:443"],
+            :hide => false,
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/fastly.rb

@@ -3,15 +3,30 @@ module Ident
 module Check
     class Fastly < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Fastly",
-            :description => "",
-            :version => "",
-            :type => :content_headers,
-            :content => /x-fastly-backend-reqs/i,
-            :paths => ["#{uri}"]
+            :type => "service",
+            :vendor =>"Fastly",
+            :product =>"Fastly",
+            :match_details =>"header",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /x-fastly-backend-reqs/i,
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "service",
+            :vendor =>"Fastly",
+            :product =>"Fastly",
+            :match_details =>"error content in page",
+            :version => nil,
+            :hide => true,
+            :match_type => :content_body,
+            :match_content =>  /<title>Fastly error: unknown domain/i,
+            :examples => ["http://151.101.1.224:80"],
+            :verify => ["ZXRzeSNJbnRyaWd1ZTo6RW50aXR5OjpVcmkjaHR0cDovLzE1MS4xMDEuMS4yMjQ6ODA="],
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/generic.rb

@@ -3,16 +3,44 @@ module Ident
 module Check
     class Generic < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Content Missing (404)",
-            :description => "Content Missing (404) - Could be an API, or just serving something at another location. TODO ... is this ECS-specific? (check header)",
+            :type => "none",
+            :vendor => nil,
+            :product =>"Authentication Required",
+            :match_details =>"www-authenticate header",
+            :tags => [],
+            :version => nil,
+            :hide => true,
+            :match_type => :content_headers,
+            :match_content =>  /^www-authenticate:.*$/,
+            :paths => ["#{url}"],
+            :examples => ["https://160.69.1.115:443"]
+          },
+          {
+            :type => "none",
+            :vendor => nil,
+            :product => "Generic Unauthorized",
+            :match_details =>"Generic Unauthorized",
+            :tags => ["error_page"],
+            :version => nil,
+            :hide => true,
+            :match_type => :content_body,
+            :match_content =>  /<STRONG>401 Unauthorized/,
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "none",
+            :vendor => nil,
+            :product => "Content Missing (404)",
+            :match_details =>"Content Missing (404) - Could be an API, or just serving something at another location. TODO ... is this ECS-specific? (check header)",
             :tags => ["error_page"],
             :version => nil,
-            :type => :content_body,
-            :content => /<title>404 - Not Found<\/title>/,
-            :paths => ["#{uri}"]
+            :hide => true,
+            :match_type => :content_body,
+            :match_content =>  /<title>404 - Not Found<\/title>/,
+            :paths => ["#{url}"]
           }
         ]
       end