intrigue-ident 0.49 → 0.51

data/lib/checks/docuwiki.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+class Docuwiki < Intrigue::Ident::Check::Base
+
+  def generate_checks(url)
+    [
+      {
+        :type => "application",
+        :vendor => "Docuwiki",
+        :product => "Docuwiki",
+        :version => nil,
+        :match_type => :content_headers,
+        :match_content =>  /DokuWiki=/,
+        :match_details =>"Cookie match",
+        :references => ["https://www.dokuwiki.org/dokuwiki"],
+        :examples => ["https://docs.foxycart.com:443"],
+        :paths => ["#{url}"]
+      }
+    ]
+  end
+end
+end
+end
+end

data/lib/checks/drupal.rb

@@ -9,6 +9,7 @@ module Check
             :type => "application",
             :vendor => "Drupal",
             :product => "Drupal",
+            :tags => ["CMS"],
             :match_details => "Drupal CMS",
             :version => nil,
             :match_type => :content_body,
@@ -22,12 +23,13 @@ module Check
             :type => "application",
             :vendor => "Drupal",
             :product => "Drupal",
+            :tags => ["CMS"],
             :match_details => "Drupal headers",
             :version => nil,
             :match_type => :content_headers,
-            :match_content =>  /x-drupal-cache:/,
+            :match_content =>  /x-generator: Drupal/,
             :dynamic_version => lambda { |x|
-              _first_header_capture(x,/x-generator: Drupal\ ([0-9]+)\ \(https:\/\/www.drupal.org\)/i,)
+              _first_header_capture(x,/x-generator: Drupal\ ([0-9]+)\ \(/i,)
             },
             :paths => ["#{url}"]
           }

data/lib/checks/f5.rb

@@ -9,7 +9,7 @@ module Check
             :type => "application",
             :vendor => "F5",
             :product =>"BIG-IP APM",
-            :match_details =>"F5 BIG-IP APM",
+            :match_details =>"F5 BIG-IP APM default cookie",
             :tags => ["tech:load_balancer"],
             :version => nil,
             :match_type => :content_cookies,
@@ -17,6 +17,19 @@ module Check
             :hide => false,
             :paths => ["#{url}"]
           },
+          {
+            :type => "application",
+            :vendor => "F5",
+            :product =>"BIG-IP APM",
+            :match_details =>"F5 BIG-IP APM default logo",
+            :tags => ["tech:load_balancer"],
+            :version => nil,
+            :references => ["https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-customization-11-6-0/3.html"],
+            :match_type => :content_body,
+            :match_content => /<img src="\/public\/images\/my\/tr.gif\//,
+            :hide => false,
+            :paths => ["#{url}"]
+          },
           {
             :type => "hardware",
             :vendor => "F5",

data/lib/checks/generic.rb

@@ -6,8 +6,22 @@ module Check
       def generate_checks(url)
         [
           {
-            :type => "application",
-            :product =>"Unauthorized (401)",
+            :type => "none",
+            :vendor => nil,
+            :product =>"Authentication Required",
+            :match_details =>"www-authenticate header",
+            :tags => [],
+            :version => nil,
+            :hide => true,
+            :match_type => :content_headers,
+            :match_content =>  /^www-authenticate:.*$/,
+            :paths => ["#{url}"],
+            :examples => ["https://160.69.1.115:443"]
+          },
+          {
+            :type => "none",
+            :vendor => nil,
+            :product => "Generic Unauthorized",
             :match_details =>"Generic Unauthorized",
             :tags => ["error_page"],
             :version => nil,
@@ -17,8 +31,9 @@ module Check
             :paths => ["#{url}"]
           },
           {
-            :type => "application",
-            :product =>"Content Missing (404)",
+            :type => "none",
+            :vendor => nil,
+            :product => "Content Missing (404)",
             :match_details =>"Content Missing (404) - Could be an API, or just serving something at another location. TODO ... is this ECS-specific? (check header)",
             :tags => ["error_page"],
             :version => nil,

data/lib/checks/gitlab.rb

@@ -13,6 +13,10 @@ module Check
             :version => nil,
             :match_type => :content_cookies,
             :match_content =>  /_gitlab_session/i,
+            :dynamic_version => lambda{ |x|
+                _first_body_capture(x,/window.gon={};gon.api_version=\"v([0-9\.])\"/i)
+            },
+            :examples => [ ],
             :paths => ["#{url}"]
           }
         ]

data/lib/checks/google.rb

@@ -6,7 +6,7 @@ module Check
       def generate_checks(url)
         [
           {
-            :type => "application",
+            :type => "service",
             :vendor => "Google",
             :product => "Hosted",
             :match_details => "Google Missing Page",
@@ -15,6 +15,17 @@ module Check
             :match_content =>  /The requested URL <code>\/<\/code> was not found on this server\./,
             :hide => true,
             :paths => ["#{url}"]
+          },
+          {
+            :type => "application",
+            :vendor => "Google",
+            :product =>"Search Appliance",
+            :match_details =>"server header reports google search appliance",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /server: Google Search Appliance/i,
+            :paths => ["#{url}"],
+            :examples => ["http://161.107.1.43:80"]
           }
         ]
       end

data/lib/checks/ibm.rb

@@ -0,0 +1,63 @@
+module Intrigue
+module Ident
+module Check
+  class Ibm < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "IBM",
+          :product =>"Datapower",
+          :references => ["https://www.ibm.com/developerworks/community/blogs/HermannSW/entry/datapower_x_backside_transport_transfer_encoding_and_connection_header_fields9?lang=en"],
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /X-Backside-Transport:/i,
+          :match_details =>"header thrown by ibm datapower (on error?)",
+          :examples => ["https://css-ewebsvcs.freddiemac.com:443"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "IBM",
+          :product =>"IBM Security Access Manager for Web",
+          :references => ["https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2.1/com.ibm.isam.doc/wrp_config/concept/con_sam_intro.html"],
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /www-authenticate: Basic realm=\"IBM Security Access Manager for Web\"/i,
+          :match_details =>"IBM security access manager login prompt",
+          :examples => ["https://161.107.22.69:443"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "IBM",
+          :product =>"Tivoli Access Manager for e-business",
+          :references => ["https://www.ibm.com/support/knowledgecenter/en/SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_qsg_en.htm"],
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /<title>Access Manager for e-Business Login/i,
+          :match_details =>"Generic Ibm tivoli copyright",
+          :examples => ["https://161.107.1.22:443"],
+          :paths => ["#{url}"]
+        },
+        {
+          :type => "application",
+          :vendor => "IBM",
+          :product =>"WebSEAL",
+          :references => ["https://www.ibm.com/support/knowledgecenter/en/SSPREK_8.0.1.2/com.ibm.isamw.doc_8.0.1.2/wrp_config/task/tsk_submt_form_data_ws.html"],
+          :version => nil,
+          :match_type => :content_body,
+          :match_content =>  /<form method=\"POST\" action=\"\/pkmslogin.form\">/i,
+          :match_details =>"form action to submit to webseal (on ourselves)",
+          :examples => ["https://pseuat.fmrei.com:443"],
+          :paths => ["#{url}"]
+        }
+
+      ]
+    end
+
+  end
+end
+end
+end

data/lib/checks/ivanti.rb

@@ -0,0 +1,27 @@
+module Intrigue
+module Ident
+module Check
+  class Ivanti < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Ivanti",
+          :tags => [],
+          :product =>"LANDESK Appliance",
+          :match_details =>"matched title",
+          :match_type => :content_body,
+          :version => nil,
+          :references => ["https://community.ivanti.com/community/all-products/systems/cloudservices"],
+          :match_content =>  /<title>LANDESK\(R\) Cloud Services Appliance/i,
+          :examples => ["https://techcentral.hormel.com/"],
+          :verify => ["aG9ybWVsZm9vZHMjSW50cmlndWU6OkVudGl0eTo6VXJpI2h0dHBzOi8vdGVjaGNlbnRyYWwuaG9ybWVsLmNvbTo0NDM="],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/jamf.rb

@@ -0,0 +1,26 @@
+module Intrigue
+module Ident
+module Check
+  class Jamf < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Jamf",
+          :tags => [],
+          :product =>"Pro",
+          :match_details =>"jamf pro login page",
+          :match_type => :content_body,
+          :version => nil,
+          :dynamic_version => lambda { |x| _first_body_capture(x,/<title>Jamf Pro Login - Jamf Pro v(.*)</) },
+          :match_content =>  /<title>Jamf Pro Login - Jamf Pro v/i,
+          :examples => ["https://98.99.248.54:8443"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/jekyll.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+    class Jekyll < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "service",
+            :vendor =>"Jekyll",
+            :product =>"Jekyll",
+            :match_details =>"server header for Jekyll",
+            :references => ["https://jekyllrb.com/"],
+            :match_type => :content_body,
+            :match_content =>  /<meta name="generator" content="Jekyll v3.7.3"/i,
+            :dynamic_version => lambda { |x|
+              _first_body_capture(x,/<meta name="generator" content="Jekyll v(.*)"/i)
+            },
+            :examples => ["http://github.io:80"],
+            :paths => ["#{url}"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/jive.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+  class Jive < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "service",
+          :vendor => "Jive",
+          :tags => [],
+          :product =>"Platform",
+          :match_details =>"jive login page",
+          :match_type => :content_cookies,
+          :version => nil,
+          :match_content =>  /jive.login.ts=/i,
+          :examples => ["https://www.gsd.ouroath.com:443"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/joomla.rb

@@ -8,6 +8,7 @@ module Check
           {
             :type => "application",
             :vendor => "Joomla!",
+            :tags => ["CMS"],
             :product =>"Joomla!",
             :match_details =>"Known Joomla Admin Page",
             :match_type => :content_body,

data/lib/checks/jupyter.rb

@@ -0,0 +1,26 @@
+module Intrigue
+module Ident
+module Check
+  class Jupyter < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Jupyter",
+          :tags => [],
+          :product =>"Notebook",
+          :match_details =>"matched jupyterhub header",
+          :match_type => :content_headers,
+          :version => nil,
+          :dynamic_version => lambda { |x| _first_header_capture(x,/^x-jupyterhub-version: (.*)$/) },
+          :match_content =>  /x-jupyterhub-version:/i,
+          :examples => ["https://18.18.154.11:443"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/lighttpd.rb

@@ -0,0 +1,28 @@
+module Intrigue
+module Ident
+module Check
+  class Lighttpd < Intrigue::Ident::Check::Base
+
+    def generate_checks(url)
+      [
+        {
+          :type => "application",
+          :vendor => "Lighttpd",
+          :tags => [],
+          :product =>"Lighttpd",
+          :match_details =>"server header",
+          :version => nil,
+          :match_type => :content_headers,
+          :match_content =>  /server: lighttpd/i,
+          :dynamic_version => lambda { |x|
+            _first_header_capture(x,/server: lighttpd\/(.*)/i,)
+          },
+          :examples => ["http://98.99.246.234:80"],
+          :paths => ["#{url}"]
+        }
+      ]
+    end
+  end
+end
+end
+end

data/lib/checks/mailchimp.rb

@@ -0,0 +1,25 @@
+module Intrigue
+module Ident
+module Check
+    class Mailchimp < Intrigue::Ident::Check::Base
+
+      def generate_checks(url)
+        [
+          {
+            :type => "application",
+            :vendor => "Mailchimp",
+            :product =>"Mandrill",
+            :match_details =>"login page",
+            :match_type => :content_body,
+            :version => nil,
+            :match_content =>  /<title>Log in to Mandrill/i,
+            :paths => ["#{url}"],
+            :examples => ["http://107.20.49.246:80"]
+          }
+        ]
+      end
+
+    end
+  end
+  end
+  end

data/lib/checks/microsoft.rb

@@ -10,7 +10,7 @@ module Check
             :vendor => "Microsoft",
             :product =>"ASP.NET",
             :version => nil,
-            :dynamic_version => lambda{|x| x["details"]["hidden_response_data"].scan(/ASP.NET Version:(.*)$/)[0].first.chomp },
+            :dynamic_version => lambda{|x| _body(x).scan(/ASP.NET Version:(.*)$/)[0].first.chomp },
             :tags => ["error_page"],
             :match_type => :content_body,
             :match_content =>  /^.*ASP.NET is configured.*$/i,
@@ -22,7 +22,7 @@ module Check
             :vendor => "Microsoft",
             :product =>"ASP.NET",
             :version => nil,
-            :dynamic_version => lambda{|x| x["details"]["hidden_response_data"].scan(/ASP.NET Version:(.*)$/i)[0].first.chomp if x["details"]["hidden_response_data"].scan(/ASP.NET Version:(.*)$/i)[0] },
+            :dynamic_version => lambda{|x| _body(x).scan(/ASP.NET Version:(.*)$/i)[0].first.chomp if x["details"]["hidden_response_data"].scan(/ASP.NET Version:(.*)$/i)[0] },
             :match_type => :content_headers,
             :match_content =>  /^x-aspnet-version:.*$/i,
             :match_details =>"X-AspNet Header",
@@ -48,6 +48,18 @@ module Check
             :match_content =>  /ASP.NET_SessionId.*$/i,
             :paths => ["#{url}"]
           },
+          {
+            :type => "application",
+            :vendor => "Microsoft",
+            :product =>"ASP.NET",
+            :match_details =>"ASPXAUTH cookie",
+            :version => nil,
+            :references => ["https://www.sitefinity.com/developer-network/forums/developing-with-sitefinity-/claims-auth---aspxauth-cookie-remains"],
+            :match_type => :content_cookies,
+            :match_content =>  /ASPXAUTH=/i,
+            :examples => ["https://marketplace.overdrive.com/Account/Login"],
+            :paths => ["#{url}"]
+          },
           {
             :type => "application",
             :vendor => "Microsoft",
@@ -186,6 +198,29 @@ module Check
             :match_content =>  /HTTP Error 503. The service is unavailable./,
             :paths => ["#{url}"]
           },
+          {
+            :type => "application",
+            :vendor =>"Microsoft",
+            :product =>"Kestrel",
+            :references => ["https://stackify.com/what-is-kestrel-web-server/"],
+            :match_details =>"kestrel in server header",
+            :version => nil,
+            :match_type => :content_headers,
+            :match_content =>  /server: Kestrel/i,
+            :examples => ["http://partner-staging.jet.com:80"],
+            :paths => ["#{url}"]
+          },
+          {
+            :type => "service",
+            :vendor =>"Microsoft",
+            :product =>"Office 365 API",
+            :match_details =>"office 365 api auth cookie",
+            :version => nil,
+            :match_type => :content_cookies,
+            :match_content =>  /x-ms-gateway-slice/i,
+            :examples => ["http://autodiscover.jet.com:80"],
+            :paths => ["#{url}"]
+          },
           {
             :type => "service",
             :vendor =>"Microsoft",
@@ -197,7 +232,6 @@ module Check
             :examples => ["http://outlook.newscorp.com:80"],
             :paths => ["#{url}"]
           },
-
           {
             :type => "application",
             :vendor => "Microsoft",
@@ -206,7 +240,7 @@ module Check
             :version => nil,
             :match_type => :content_headers,
             :match_content =>  /x-owa-version/,
-            :dynamic_version => lambda { |x| _first_header_capture(/x-owa-version:(.*)/) },
+            :dynamic_version => lambda { |x| _first_header_capture(x, /x-owa-version:(.*)/) },
             :paths => ["#{url}"]
           },
           {
@@ -217,9 +251,7 @@ module Check
             :version => nil,
             :match_type => :content_body,
             :match_content =>  /OwaPage\ =\ ASP.auth_logon_aspx/,
-            :dynamic_version => lambda { |x|
-              _first_body_capture x, /href=\"\/owa\/auth\/(.*)\/themes\/resources\/favicon.ico/
-            },
+            :dynamic_version => lambda { |x| _first_body_capture x, /href=\"\/owa\/auth\/(.*)\/themes\/resources\/favicon.ico/ },
             :paths => ["#{url}"]
           },
           {