intrigue-ident 0.4 → 0.6

data/lib/checks/microtik.rb

@@ -0,0 +1,27 @@
+module Intrigue
+module Ident
+module Check
+  class Microtik < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor =>"Microtik",
+          :product =>"RouterOS",
+          :match_details => "page title",
+          :match_type => :content_body,
+          :match_content =>  /<title>RouterOS router configuration page/,
+          :version => nil,
+          :dynamic_version => lambda { |x| _first_body_capture(x,/<h1>RouterOS v(.*?)<\/h1>/) },
+          :examples => ["http://91.211.58.34:80"],
+          :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vOTEuMjExLjU4LjM0Ojgw"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+
+  end
+end
+end
+end

data/lib/checks/nagios.rb

@@ -3,15 +3,17 @@ module Ident
 module Check
     class Nagios < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Nagios",
-            :description => "Nagios",
+            :type => "application",
+            :vendor => "Nagios",
+            :product =>"Nagios",
+            :match_details =>"Nagios",
             :version => nil,
-            :type => :content_headers,
-            :content => /nagios/i,
-            :paths => ["#{uri}"]
+            :match_type => :content_headers,
+            :match_content =>  /nagios/i,
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/new_relic.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class NewRelic < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor => "NewRelic",
+            :product =>"NewRelic",
+            :references => ["https://discuss.newrelic.com/t/relic-solution-what-is-bam-nr-data-net-new-relic-browser-monitoring/42055"],
+            :match_details =>"NewRelic tracking code",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /bam.nr-data.net/i,
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/nginx.rb

@@ -0,0 +1,40 @@
+module Intrigue
+module Ident
+module Check
+    class Nginx < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "application",
+            :vendor => "Nginx",
+            :product =>"Nginx",
+            :match_details =>"Nginx",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /server: nginx/i,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/server:(.*)/,["nginx","/"]) },
+            :examples => [
+              "https://api.appfire.com:443"
+            ],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Nginx",
+            :product =>"Nginx",
+            :match_details =>"nginx default 404 page - TODO needs multiline",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content => /<hr><center>nginx<\/center>/i,
+            :examples => [ "http://202.1.239.132:80" ],
+            :hide => true,
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/okta.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class Okta < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor =>"Okta",
+            :product =>"Okta",
+            :match_details =>"okta auth",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /x-okta-backend/i,
+            :examples => ["http://autodiscover.westrsc.com:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/ookla.rb

@@ -0,0 +1,27 @@
+module Intrigue
+module Ident
+module Check
+  class Ookla < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor =>"Ookla",
+          :product =>"Speedtest Server",
+          :match_details => "page title",
+          :match_type => :content_body,
+          :references => ["https://support.ookla.com/hc/en-us/articles/234578568-How-To-Install-Submit-Server"],
+          :match_content => /<title>OoklaServer/,
+          :version => nil,
+          :examples => ["http://91.211.56.179:8081"],
+          :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vOTEuMjExLjU2LjE3OTo4MDgx"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+
+  end
+end
+end
+end

data/lib/checks/openresty.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class OpenResty < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor =>"OpenResty",
+            :product =>"OpenResty",
+            :match_details =>"server header for OpenResty",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /server: openresty/i,
+            :examples => ["http://54.164.224.102:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/oracle.rb

@@ -3,31 +3,222 @@ module Ident
 module Check
     class Oracle < Intrigue::Ident::Check::Base
 
-      def generate_checks(uri)
+      def generate_checks(url)
         [
           {
-            :name => "Oracle Glassfish",
-            :description => "Oracle / Sun GlassFish Enterprise Server",
-            :url => "",
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Application Server",
+            :match_details =>"server header",
+            :references => [],
             :version => nil,
-            :type => :content_headers,
-            :content => /Sun GlassFish Enterprise Server/,
-            :hide => true,
-            :dynamic_version => lambda { |x| x["details"]["headers"].join("\n").match(/Sun GlassFish Enterprise Server v([\d\.])/).captures[0] },
+            :match_type => :content_headers,
+            :match_content =>  /Oracle-Application-Server/,
+            :hide => false,
+            :dynamic_version => lambda { |x|
+                _first_header_capture(x,/Oracle-Application-Server-[0-9]+[a-z]?\/(.*?)\ /) },
+            :examples => [
+              "https://63.85.74.53:443",
+              "https://rss.tomthumb.com:443",
+              "https://qas.huntsmanservice.com:443"
+            ],
+            :verify => ["YWxiZXJ0c29ucyNJbnRyaWd1ZTo6RW50aXR5OjpVcmkjaHR0cHM6Ly9yc3MudG9tdGh1bWIuY29tOjQ0Mw=="],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Fusion Middleware",
+            :match_details =>"page title & docs link... should give us a version",
+            :version => nil,
+            :dynamic_version => lambda { |x|
+              doc_version = _first_body_capture(x,/download.oracle.com\/docs\/cd\/(.*?)\/index.htm/)
+              case doc_version
+                when "E15217_01"
+                  fmw_version = "10.1.4.3"
+                when "E15051_01"
+                  fmw_version = "11.1.1.0"
+                when "E12839_01"
+                  fmw_version = "11.1.1.1"
+                when "E15523_01"
+                  fmw_version = "11.1.1.2"
+                when "E14571_01"
+                  fmw_version = "11.1.1.3"
+                when "E17904_01"
+                  fmw_version = "11.1.1.4"
+                when "E21764_01"
+                  fmw_version = "11.1.1.5"
+                else
+                  fmw_version = nil
+              end
+            fmw_version
+            },
+            :match_type => :content_body,
+            :references => [
+              "https://en.wikipedia.org/wiki/Oracle_Fusion_Middleware",
+              "https://docs.oracle.com/cd/E21764_01/index.htm"
+            ],
+            :match_content =>  /<title>Welcome to Oracle Fusion Middleware/,
+            :hide => false,
+            :examples => [
+              "http://200.142.198.113:80"
+            ],
+            :verify => ["aWJtI0ludHJpZ3VlOjpFbnRpdHk6OlVyaSNodHRwOi8vMjAwLjE0Mi4xOTguMTEzOjgw"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Glassfish",
+            :match_details =>"Oracle / Sun GlassFish Enterprise Server",
+            :references => [],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /Sun GlassFish Enterprise Server/,
+            :hide => false,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/Sun GlassFish Enterprise Server\sv([\d\.]+)/) },
             :examples => ["http://52.4.12.185/"],
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
           },
           {
-            :name => "Oracle Glassfish",
-            :description => "Oracle / Sun GlassFish Enterprise Server",
-            :url => "",
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Glassfish",
+            :match_details =>"Oracle / Sun GlassFish Enterprise Server",
+            :references => [],
             :version => nil,
-            :type => :content_headers,
-            :content => /GlassFish Server Open Source Edition/,
-            :hide => true,
-            :dynamic_version => lambda { |x| x["details"]["headers"].join("\n").match(/GlassFish Server Open Source Edition\s+([\d\.]+)$/).captures[0] },
+            :match_type => :content_headers,
+            :match_content =>  /GlassFish Server Open Source Edition/,
+            :hide => false,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/GlassFish Server Open Source Edition\s+([\d\.]+)$/) },
             :examples => ["http://52.2.97.57:80"],
-            :paths => ["#{uri}"]
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"HTTP Server",
+            :match_details =>"server header",
+            :references => [],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /Oracle-HTTP-Server/,
+            :hide => false,
+            :dynamic_version => lambda { |x|
+                _first_header_capture(x,/Oracle-HTTP-Server\/(.*?)\ /)
+            },
+            :examples => [
+              "https://qas.huntsmanservice.com:443"
+            ],
+            :verify => ["aHVudHNtYW4jSW50cmlndWU6OkVudGl0eTo6VXJpI2h0dHBzOi8vcWFzLmh1bnRzbWFuc2VydmljZS5jb206NDQz"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Java",
+            :match_details =>"JSESSIONID cookie",
+            :references => ["https://javarevisited.blogspot.com/2012/08/what-is-jsessionid-in-j2ee-web.html"],
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /JSESSIONID=/,
+            :hide => false,
+            :examples => ["https://birdcam.xcelenergy.com:443"],
+            :paths => ["#{url}"]
+          },
+          { # TODO - this will tell us J2EE versions, see references!!!
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Java Application Server",
+            :match_details =>"x-header",
+            :references => ["http://www.ntu.edu.sg/home/ehchua/programming/java/javaservlets.html"],
+            :version => nil,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/^x-powered-by: Servlet\/(.*)JSP.*$/) },
+            :match_type => :content_headers,
+            :match_content =>  /x-powered-by: Servlet/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :examples => ["http://165.160.15.20/"]
+          },
+          { # TODO - this will tell us J2EE versions, see references!!!
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Java Server Pages",
+            :match_details =>"x-header",
+            :references => ["http://www.ntu.edu.sg/home/ehchua/programming/java/javaservlets.html"],
+            :version => nil,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/^x-powered-by: Servlet\/.*JSP\/(.*)$/) },
+            :match_type => :content_headers,
+            :match_content =>  /x-powered-by: Servlet\/.*JSP.*/,
+            :hide => false,
+            :paths => ["#{url}"],
+            :examples => ["http://165.160.15.20/"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"JavaServer Faces",
+            :match_details =>"viewstate inclusion of javaserver faces",
+            :references => [
+              "http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html",
+              "http://www.oracle.com/technetwork/topics/index-090910.html",
+              "https://www.owasp.org/index.php/Java_Server_Faces",
+              "https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html"
+            ],
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /javax.faces.ViewState/,
+            :hide => false,
+            :examples => ["https://reset.oxy.com:443"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Web Cache Server",
+            :match_details =>"server header",
+            :references => [],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /Oracle-Web-Cache/,
+            :hide => false,
+            :dynamic_version => lambda { |x|
+                _first_header_capture(x,/Oracle-Web-Cache-[0-9]+[a-z]?\/(.*?)\ /) },
+            :examples => [
+              "https://qas.huntsmanservice.com:443"
+            ],
+            :verify => ["aHVudHNtYW4jSW50cmlndWU6OkVudGl0eTo6VXJpI2h0dHBzOi8vcWFzLmh1bnRzbWFuc2VydmljZS5jb206NDQz"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Weblogic",
+            :match_details =>"weblogic fault / fail",
+            :references => ["https://coderanch.com/t/603067/application-servers/Calling-weblogic-webservice-error"],
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /<faultcode>env:WebServiceFault/,
+            :hide => false,
+            :examples => ["https://css-ewebsvcs.freddiemac.com:443"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Weblogic",
+            :match_details =>"weblogic header",
+            :references => [
+              "https://support.oracle.com/knowledge/Middleware/2100514_1.html",
+              "https://www.qualogy.com/techblog/oracle/how-to-harden-weblogic-and-fusion-middleware-against-worm-attacks"
+            ],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /^x-oracle-dms-ecid:/,
+            :hide => false,
+            :examples => ["https://tmsstg-eem-db.ros.com:443"],
+            :verify => ["cm9zc3N0b3JlcyNJbnRyaWd1ZTo6RW50aXR5OjpVcmkjaHR0cHM6Ly90bXNzdGctZWVtLWRiLnJvcy5jb206NDQz"],
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/palo_alto.rb

@@ -6,12 +6,14 @@ module Check
       def generate_checks(uri)
         [
           {
-            :name => "Palo Alto Networks GlobalProtect Portal",
+            :type => "application",
+            :vendor => "Palo Alto Networks",
+            :product =>"GlobalProtect Portal",
             :tags => ["tech:vpn"],
-            :description => "Pardot",
+            :match_details =>"Pardot",
             :version => nil,
-            :type => :content_body,
-            :content => /global-protect\/login.esp/i,
+            :match_type => :content_body,
+            :match_content =>  /global-protect\/login.esp/i,
             :paths => ["#{uri}"]
           }
         ]