intrigue-ident 0.48 → 0.49

data/lib/checks/nginx.rb

@@ -13,8 +13,22 @@ module Check
             :version => nil,
             :match_type => :content_headers,
             :match_content =>  /server: nginx/i,
-            :dynamic_version => lambda { |x| x["details"]["headers"].select{|h| h=~/nginx/}.first.split("/").last },
-            :examples => ["https://api.appfire.com:443"],
+            :dynamic_version => lambda { |x| _first_header_capture(x,/server:(.*)/,["nginx","/"]) },
+            :examples => [
+              "https://api.appfire.com:443"
+            ],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Nginx",
+            :product =>"Nginx",
+            :match_details =>"nginx default 404 page - TODO needs multiline",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content => /<hr><center>nginx<\/center>/i,
+            :examples => [ "http://202.1.239.132:80" ],
+            :hide => true,
             :paths => ["#{url}"]
           }
         ]

data/lib/checks/okta.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class Okta < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor =>"Okta",
+            :product =>"Okta",
+            :match_details =>"okta auth",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /x-okta-backend/i,
+            :examples => ["http://autodiscover.westrsc.com:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/oracle.rb

@@ -5,17 +5,31 @@ module Check
 
       def generate_checks(url)
         [
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"Application Server",
+            :match_details =>"Oracle app server listed in server header",
+            :references => [],
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /server: Oracle-Application-Server/,
+            :hide => false,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/server:.*\/(.*) Oracle-HTTP-Server,/) },
+            :examples => ["https://63.85.74.53:443"],
+            :paths => ["#{url}"]
+          },
           {
             :type => "application",
             :vendor => "Oracle",
             :product =>"Glassfish",
             :match_details =>"Oracle / Sun GlassFish Enterprise Server",
-            :url => "",
+            :references => [],
             :version => nil,
             :match_type => :content_headers,
             :match_content =>  /Sun GlassFish Enterprise Server/,
-            :hide => true,
-            :dynamic_version => lambda { |x| x["details"]["headers"].join("\n").match(/Sun GlassFish Enterprise Server v([\d\.])/).captures[0] },
+            :hide => false,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/Sun GlassFish Enterprise Server\sv([\d\.]+)/) },
             :examples => ["http://52.4.12.185/"],
             :paths => ["#{url}"]
           },
@@ -24,14 +38,32 @@ module Check
             :vendor => "Oracle",
             :product =>"Glassfish",
             :match_details =>"Oracle / Sun GlassFish Enterprise Server",
-            :url => "",
+            :references => [],
             :version => nil,
             :match_type => :content_headers,
             :match_content =>  /GlassFish Server Open Source Edition/,
-            :hide => true,
-            :dynamic_version => lambda { |x| x["details"]["headers"].join("\n").match(/GlassFish Server Open Source Edition\s+([\d\.]+)$/).captures[0] },
+            :hide => false,
+            :dynamic_version => lambda { |x| _first_header_capture(x,/GlassFish Server Open Source Edition\s+([\d\.]+)$/) },
             :examples => ["http://52.2.97.57:80"],
             :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Oracle",
+            :product =>"JavaServer Faces",
+            :match_details =>"viewstate inclusion of javaserver faces",
+            :references => [
+              "http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html",
+              "http://www.oracle.com/technetwork/topics/index-090910.html",
+              "https://www.owasp.org/index.php/Java_Server_Faces",
+              "https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html"
+            ],
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /javax.faces.ViewState/,
+            :hide => false,
+            :examples => ["https://reset.oxy.com:443"],
+            :paths => ["#{url}"]
           }
         ]
       end

data/lib/checks/php.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+    class Php < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "application",
+            :vendor =>"PHP",
+            :product =>"PHP",
+            :match_details =>"",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /x-powered-by: PHP/i,
+            :dynamic_version => lambda { |x|
+              _first_header_capture(x,/x-powered-by: PHP\/(.*)/i,)
+            },
+            :examples => ["http://78.40.183.96:8081"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/restlet.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+    class Zscaler < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "application",
+            :vendor =>"Restlet",
+            :product =>"Restlet",
+            :match_details =>"server header for Restlet",
+            :references => ["http://restlet.com/company/blog/2016/02/03/api-testing-testing-web-apis-using-dhc-by-restlet/"],
+            :match_type => :content_headers,
+            :match_content =>  /server: Restlet-Framework/i,
+            :dynamic_version => lambda { |x|
+              _first_header_capture(x,/server: Restlet-Framework\/(.*)/i)
+            },
+            :examples => ["http://128.109.13.60:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/sailpoint.rb

@@ -0,0 +1,27 @@
+module Intrigue
+module Ident
+module Check
+    class Sailpoint < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "application",
+            :vendor => "Sailpoint",
+            :product => "IdentityQ",
+            :references => [
+              "https://www.sailpoint.com/identity-management-software-identityiq/"
+            ],
+            :match_details => "Main page of a sailpoint identityq instance",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /<title>SailPoint IdentityIQ/i,
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/telerik.rb

@@ -8,14 +8,27 @@ module Check
           {
             :type => "application",
             :vendor => "Telerik",
-            :product =>"Sitefinity",
-            :match_details =>"Telerik Sitefinity is an ASP.NET 2.0-based Content Management System (CMS)",
+            :product => "Sitefinity",
+            :match_details => "Telerik Sitefinity is an ASP.NET 2.0-based Content Management System (CMS)",
             :url => "https://www.sitefinity.com/",
             :version => nil,
             :match_type => :content_body,
             :match_content =>  /Telerik.Sitefinity.Resources/,
-            :dynamic_version => lambda { |x|  x["details"]["hidden_response_data"].match(/Version=([\d\.]+),/).captures[0] },
-            :verify_sites => [],
+            :dynamic_version => lambda { |x|  _first_body_capture x, /Version=([\d\.]+),/ },
+            :examples => [],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Telerik",
+            :product => "Sitefinity",
+            :match_details => "Detect Telerik via a meta generator tag",
+            :url => "https://www.sitefinity.com/",
+            :version => nil,
+            :match_type => :content_body,
+            :match_content =>  /<meta\ name=\"Generator\"\ content=\"Sitefinity/,
+            :dynamic_version => lambda { |x| _first_body_capture x, /<meta name=\"Generator\" content=\"Sitefinity (.*)\ \/><link/ },
+            :examples => [],
             :paths => ["#{url}"]
           }
         ]

data/lib/checks/wp_engine.rb

@@ -6,7 +6,7 @@ module Check
       def generate_checks(url)
         [
           {
-            :type => "application",
+            :type => "service",
             :vendor =>"WPEngine",
             :tags => ["hosting_provider"],
             :product =>"WPEngine",
@@ -14,6 +14,7 @@ module Check
             :version => nil,
             :match_type => :content_body,
             :match_content =>  /This domain is successfully pointed at WP Engine, but is not configured for an account on our platform./,
+            :hide => true,
             :paths => ["#{url}"]
           }
         ]

data/lib/checks/zscaler.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+    class Restlet < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor =>"Zscaler",
+            :product =>"Zscaler",
+            :match_details =>"server header for Zscaler",
+            :references => ["https://help.zscaler.com/zia/about-private-zens"],
+            :match_type => :content_headers,
+            :match_content =>  /server: Zscaler/i,
+            :dynamic_version => lambda { |x|
+              _first_header_capture(x,/server: Zscaler\/(.*)/i)
+            },
+            :examples => ["http://152.26.176.12:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/intrigue-ident.rb

@@ -11,7 +11,7 @@ Dir["#{check_folder}/*.rb"].each { |file| require_relative file }
 module Intrigue
   module Ident
 
-    VERSION=0.48
+    VERSION=0.49
 
     def generate_requests_and_check(url)
 
@@ -81,27 +81,33 @@ module Intrigue
 
     private
 
-    def _match_to_cpe(m)
-      out = "cpe:/#{m[:type]}:#{m[:vendor]}:#{m[:product]}"
-      out << ":#{m[:version]}" if m[:version]
-    out
-    end
-
     def _construct_match_response(check, data)
-      {
-        :type => check[:type],
-        :vendor => check[:vendor],
-        :product => check[:product],
-        :version => (check[:dynamic_version].call(data) if check[:dynamic_version]) || check[:version],
-        :tags => check[:tags],
-        :matched_content => check[:match_content],
-        :match_type => check[:match_type],
-        :match_details => check[:match_details],
-        :hide => check[:hide]
-      }
+      calculated_version = (check[:dynamic_version].call(data) if check[:dynamic_version]) || check[:version]
+
+      calculated_type = "a" if check[:type] == "application"
+      calculated_type = "h" if check[:type] == "hardware"
+      calculated_type = "o" if check[:type] == "operating_system"
+      calculated_type = "s" if check[:type] == "service" # literally made up
+
+      cpe_string = "cpe:/#{calculated_type}:#{check[:vendor]}:#{check[:product]}".downcase
+      cpe_string << ":#{calculated_version}".downcase if calculated_version
+
+    {
+      :type => check[:type],
+      :vendor => check[:vendor],
+      :product => check[:product],
+      :version => calculated_version,
+      :tags => check[:tags],
+      :matched_content => check[:match_content],
+      :match_type => check[:match_type],
+      :match_details => check[:match_details],
+      :hide => check[:hide],
+      :cpe => cpe_string
+    }
     end
 
     def _match_uri(check,data)
+      return nil unless check && data
 
       #puts "Trying to match #{check[:vendor]} #{check[:product]}: #{data["details"]["cookies"][0..10]}"
 
@@ -112,20 +118,20 @@ module Intrigue
       # if type "content", do the content check
 
       if check[:match_type] == :content_body
-        if data["details"]["hidden_response_data"]
+        if data["details"] && data["details"]["hidden_response_data"]
           match = _construct_match_response(check,data) if data["details"]["hidden_response_data"] =~ check[:match_content]
         end
       elsif check[:match_type] == :content_headers
-        if data["details"]["headers"]
+        if data["details"] && data["details"]["headers"]
           match = _construct_match_response(check,data) if data["details"]["headers"].join("\n") =~ check[:match_content]
         end
       elsif check[:match_type] == :content_cookies
         # Check only the set-cookie header
-        if data["details"]["cookies"]
+        if data["details"] && data["details"]["cookies"]
           match = _construct_match_response(check,data) if data["details"]["cookies"] =~ check[:match_content]
         end
       elsif check[:match_type] == :checksum_body
-        if data["details"]["response_data_hash"]
+        if data["details"] && data["details"]["response_data_hash"]
           match = _construct_match_response(check,data) if Digest::MD5.hexdigest(data["details"]["response_data_hash"]) == check[:checksum]
         end
       end
@@ -160,6 +166,7 @@ module Intrigue
       		"host_id": 1571,
       		"scripts": [],
       		"products": [],
+          "cookies": "",
       		"protocol": "tcp",
       		"ip_address": "69.112.37.69",
       		"javascript": [],

data/util/check.rb

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+require_relative "../lib/intrigue-ident"
+include Intrigue::Ident
+url = ARGV[0]
+debug = ARGV[1] || nil
+puts "Checking... #{url}"
+matches = generate_requests_and_check(url)
+
+if debug
+  puts "Debug: #{url}"
+  response = _http_request :get, "#{url}"
+  puts "Headers:"
+  response.each_header {|x| puts " - #{x}: #{response[x]}" }
+  puts "Body:"
+  puts response.body
+end
+
+puts "Results: "
+matches.each{|x| puts " - #{x[:cpe]}" } if matches
+puts "Done! #{matches.count} matches"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: intrigue-ident
 version: !ruby/object:Gem::Version
-  version: '0.48'
+  version: '0.49'
 platform: ruby
 authors:
 - jcran
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-07-06 00:00:00.000000000 Z
+date: 2018-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -63,6 +63,7 @@ files:
 - Gemfile.lock
 - intrigue-ident.gemspec
 - lib/check_factory.rb
+- lib/checks/acquia.rb
 - lib/checks/adobe.rb
 - lib/checks/akamai.rb
 - lib/checks/amazon.rb
@@ -84,9 +85,11 @@ files:
 - lib/checks/gitlab.rb
 - lib/checks/google.rb
 - lib/checks/grafana.rb
+- lib/checks/groovy.rb
 - lib/checks/heroku.rb
 - lib/checks/hp.rb
 - lib/checks/jenkins.rb
+- lib/checks/jobvite.rb
 - lib/checks/joomla.rb
 - lib/checks/limesuvey.rb
 - lib/checks/lithium.rb
@@ -96,20 +99,27 @@ files:
 - lib/checks/mediawiki.rb
 - lib/checks/microsoft.rb
 - lib/checks/nagios.rb
+- lib/checks/new_relic.rb
 - lib/checks/nginx.rb
+- lib/checks/okta.rb
 - lib/checks/oracle.rb
 - lib/checks/palo_alto.rb
 - lib/checks/pardot.rb
 - lib/checks/pfsense.rb
+- lib/checks/php.rb
 - lib/checks/phpmyadmin.rb
 - lib/checks/pivotal.rb
 - lib/checks/rabbitmq.rb
+- lib/checks/restlet.rb
+- lib/checks/sailpoint.rb
 - lib/checks/team_city.rb
 - lib/checks/telerik.rb
 - lib/checks/varnish.rb
 - lib/checks/vmware.rb
 - lib/checks/wp_engine.rb
+- lib/checks/zscaler.rb
 - lib/intrigue-ident.rb
+- util/check.rb
 homepage: https://intrigue.io
 licenses:
 - BSD