nexpose_pxgrid 0.1.2-java

data/lib/pxnx_jruby.rb

@@ -0,0 +1,70 @@
+#
+# The Nexpose pxGrid Node implementation.
+#
+=begin
+
+Copyright (C) 2015, Rapid7 LLC
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+      may be used to endorse or promote products derived from this software
+      without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+=end
+
+#
+# WARNING! This code makes an SSL connection to the Nexpose server, but does NOT
+#          verify the certificate at this time. This can be a security issue if
+#          an attacker is able to man-in-the-middle the connection between the
+#          Metasploit console and the Nexpose server. In the common case of
+#          running Nexpose and Metasploit on the same host, this is a low risk.
+#
+
+#
+# WARNING! This code is still rough and going through substantive changes. While
+#          you can build tools using this library today, keep in mind that
+#          method names and parameters may change in the future.
+#
+require 'java'
+Dir[File.dirname(__FILE__) + '/java_libs/*.jar'].each { |jar| require jar }
+require 'pxnx_jruby/version'
+require 'pxnx_jruby/connection'
+require 'pxnx_jruby/session_directory_notification'
+require 'pxnx_jruby/nexpose_connection'
+require 'pxnx_jruby/eps_broker'
+require 'pxnx_jruby/connection_manager'
+
+# Implements Cisco pxGrid Node to scan IPs connecting to the network.
+module PxnxJruby
+  # Create a connection to the pxGrid Controller.
+  def self.create_connection(connection_parameters = {})
+    Connection.new(connection_parameters)
+  end
+
+  # Generates a random 10.x.x.x IP Address for simulation/testing.
+  def self.random_ip
+    ip = IPAddr.new(10 * 2**24 + rand(2**24), Socket::AF_INET)
+    ip.to_s
+  end
+end

data/lib/pxnx_jruby/config/pxnx.config

@@ -0,0 +1,40 @@
+---
+# This configuration file defines all the particular options necessary to support the Cisco pxGrid Nexpose Integration.
+# Fields marked (M) are mandatory.
+#
+# (M) Batch mode delay.
+# Timeframe in seconds for which to wait before scanning connected devices with the 's' for seconds. Default 60s is considered "Realtime".
+:batch_mode_delay: 60s
+# (M) Enables logging to the log directory.
+:logging_enabled: true
+# (M) Sets the log level threshold for output.
+:log_level: info
+# (M) Number of connections. The number of simultaneous connections we can maintain to Nexpose for scanning.
+:nexpose_connection_max: 3
+# Nexpose options.
+:nexpose_data:
+  # (M) Nexpose console hostname.
+  :nxconsole: 127.0.0.1
+  # (M) Nexpose username.
+  :nxuser: nxadmin
+  # (M) Scan engine to use. A value of '-1' indicates use of the default engine.
+  :engine: -1
+  # (M) Risk score threshold used to quarantine an asset. If an asset has a risk score equal to or larger than this value it will be quarantined.
+  :riskscore: 20
+  # (M) Time to wait before cancelling a scan and continuing.
+  :scan_timeout: 3600
+# Cisco pxGrid options. Note all of these options can be set through environment variables of the same capitalised name e.g. ISE_URL instead of :ise_url
+:pxg_data:
+  # Cisco Identity Services Engine hostname/ip.
+#  :ise_url: 127.0.0.7
+  # Secondary Cisco Identity Services Engine hostname/ip.
+#  :secondary_ise_url: 127.0.0.8
+  # Cisco Identity Services Engine username.
+#  :ise_username: admin
+  # Cisco Identity Services Engine password.
+#  :ise_password: Nxadmin1!
+  # Keystore passphrase (Keystore located at pxnx/keystore.jks)
+#  :keystore_password: nxadmin
+  # Truststore passphrase (Truststore located at pxnx/truststore.jks)
+#  :truststore_password: nxadmin
+

data/lib/pxnx_jruby/connection.rb

@@ -0,0 +1,84 @@
+module PxnxJruby
+  # This class handles to the pxGrid Controller.
+  class Connection
+    require 'java'
+    require 'jruby/core_ext'
+    java_import org.slf4j.Logger
+    java_import org.slf4j.LoggerFactory
+    attr_accessor :config, :recon, :grid
+
+    # Initializes all the needed variables for connecting to Cisco.
+    #
+    # === Arguments
+    # * +Options+ - A Hash with information about the Cisco connection.
+    #
+    # === Options
+    # * +:ise_url+ - The URL for ISE. If several it also takes an Array of IPs
+    # * +:ise_username+ - The username for ISE.
+    # * +:ise_password+ - The password for ISE. We highly recommend setting this as an environment variable.
+    # * +:keystore_password+ - The password for your keystore. We highly recommend setting this as an environment variable.
+    # * +:truststore_password+ - The password for your truststore. We highly recommend setting this as an environment variable.
+    #
+    # * *Returns* :
+    #   - @config: A TLSConfiguration type object with all the configurations.
+    # ---
+    # TODO: This method ABC is too high (http://c2.com/cgi/wiki?AbcMetric)
+    # ---
+    def initialize(options = {})
+      @log = LoggerFactory.getLogger(Connection.become_java!)
+      @config = Java::com.cisco.pxgrid.TLSConfiguration.new
+
+      @options = options
+      file_path = File.expand_path(File.dirname(__FILE__))
+      hosts = [get_option(:ise_url), get_option(:secondary_ise_url)]
+
+      @config.setHosts(hosts.select { |h| !h.nil? })
+      @config.setUserName(get_option(:ise_username))
+      @config.setPassword(get_option(:ise_password))
+      @config.setKeystorePath("#{file_path}/../../keystore.jks")
+      @config.setKeystorePassphrase(get_option(:keystore_password))
+      @config.setTruststorePath("#{file_path}/../../truststore.jks")
+      @config.setTruststorePassphrase(get_option(:truststore_password))
+      @log.info("Listening for events, using username <#{@config.getUserName}>")
+      @config
+    end
+
+    # Returns a configuration option, prioritising environment variables.
+    # * *Returns* :
+    #   - the configuration option value
+    def get_option(option)
+      value = ENV[option.to_s.upcase]
+      value ||= (@options[:pxg_data] || {})[option] unless @options.nil?
+      @log.info('No configuration value found for #{option}') if value.nil?
+      value
+    end
+
+    # Connects to Cisco ISE.
+    # * *Returns* :
+    #   - true if connection succeeds, false if there was a failure.
+    # ---
+    # TODO: This method ABC is too high (http://c2.com/cgi/wiki?AbcMetric)
+    # ---
+    def connect
+      @grid = Java.com.cisco.pxgrid.GridConnection.new(@config)
+      @recon = Java.com.cisco.pxgrid.ReconnectionManager.new(@grid)
+      @recon.setRetryMillisecond(2000)
+      @log.info('Connecting...')
+      begin
+        @recon.start
+      rescue => e
+        @log.error("Could not connect: #{e.backtrace}")
+        return false
+      end
+      @log.info('Connection complete!')
+      true
+    end
+
+    # Disconnects from Cisco ISE.
+    def disconnect
+      @log.info('Disconnecting...')
+      @recon.stop unless @recon.nil?
+      @log.info('Disconnection complete!')
+    end
+  end
+end

data/lib/pxnx_jruby/connection_manager.rb

@@ -0,0 +1,44 @@
+module PxnxJruby
+  # This class managers the concurrency calls for pxGrid and Nexpose.
+  class ConnectionManager
+    require 'singleton'
+    include Singleton
+    require 'rufus-scheduler'
+    require 'thread_safe'
+    require 'java'
+    require 'jruby/core_ext'
+    java_import org.slf4j.Logger
+    java_import org.slf4j.LoggerFactory
+    java_import java.util.concurrent.Executors
+
+    def initialize
+      @log = LoggerFactory.getLogger(ConnectionManager.become_java!)
+      @join_list = ThreadSafe::Array.new
+      @connection_pool = nil
+      @scheduler = nil
+    end
+
+    # TODO: This method ABC is too high (http://c2.com/cgi/wiki?AbcMetric)
+    def setup(config_options = {})
+      # We can only have a certain number of connections to Nexpose. Generate a pool of connections for realtime or batched scans.
+      @connection_pool = Executors.newFixedThreadPool(config_options[:nexpose_connection_max])
+      # Schedule our "realtime" or batched tasks
+      @scheduler = Rufus::Scheduler.new
+      @scheduler.every config_options[:batch_mode_delay] do
+        begin
+          @log.debug("Scheduler executed. Number of queued connections for scanning is <#{@join_list.size}>.")
+          @connection_pool.submit(PxnxJruby::NexposeConnection.new(@join_list.clone, config_options)) unless @join_list.empty?
+          @join_list.clear
+        rescue Exception => e
+          @log.error("Error when executing the scheduler! The error was <#{e.message}> and backtrace was <#{e.backtrace.join("\n")}>.")
+        end
+      end
+    end
+
+    # Adds a new IP to the list.
+    def new_connection(ip)
+      fail 'The IP address for a new connection cannot be empty!' if ip.nil? || ip.empty?
+      @join_list << ip
+    end
+  end
+end

data/lib/pxnx_jruby/eps_broker.rb

@@ -0,0 +1,49 @@
+module PxnxJruby
+  class EpsBroker
+    require 'java'
+    require 'jruby/core_ext'
+    java_import org.slf4j.Logger
+    java_import org.slf4j.LoggerFactory
+
+   attr_accessor :grid_connection, :eps, :ip
+
+    # Takes a GridConnection object.
+    def initialize(grid)
+      @grid = grid
+      # Doc says this is an instance method, but it isn't.
+      @eps_factory = Java::com.cisco.pxgrid.stub.eps.EPSClientStub.new
+      @eps = @eps_factory.createEPSQuery(@grid)
+      @log = LoggerFactory.getLogger(EpsBroker.become_java!)
+    end
+
+    # Sends an IP or an Array of IPs (Strings) to quarantine.
+    def quarantine_ip(ip)
+      @ip = ip.is_a?(Array) ? ip : Array.new(1, ip)
+      @ip.each do |single_ip|
+        @log.info("Quarantine on <#{single_ip}>")
+        begin
+          @eps.quarantineByIP(single_ip)
+          return true
+        rescue Java::com.cisco.pxgrid.TimeoutException => e
+          @log.error("Could not quarantine <#{single_ip}> the error was <#{e.message}>.")
+          return false
+        end
+      end
+    end
+
+    # Unquarantines an IP or an Array of IPs (Strings)
+    def unquarantine_ip(ip)
+      @ip = ip.is_a?(Array) ? ip : Array.new(1, ip)
+      @ip.each do |single_ip|
+        @log.info("Removing quarantine on <#{single_ip}>.")
+        begin
+          @eps.unquarantineByIP(single_ip)
+            true
+        rescue Java::com.cisco.pxgrid.TimeoutException => e
+          @log.error("Could not unquarantine <#{single_ip}> the error was <#{e.message}>.")
+          return false
+        end
+      end
+    end
+  end
+end

data/lib/pxnx_jruby/nexpose_connection.rb

@@ -0,0 +1,62 @@
+module PxnxJruby
+  class NexposeConnection
+    require_relative 'nx_logger'
+    require 'nexpose'
+    require 'waitutil'
+    require 'java'
+    require 'jruby/core_ext'
+    java_import org.slf4j.Logger
+    java_import org.slf4j.LoggerFactory
+    java_import 'java.util.concurrent.Callable'
+    include Callable
+    attr_accessor :ip, :nsc, :site, :scan_info, :devices_to_quarantine
+
+    def initialize(ips, options = {})
+      @log = LoggerFactory.getLogger(NexposeConnection.become_java!)
+      @nsc = Nexpose::Connection.new(options[:nexpose_data][:nxconsole],options[:nexpose_data][:nxuser], ENV['NEXPOSE_PASSWORD'])
+      @log.info("Connecting to nexpose console: #{options[:nexpose_data][:nxconsole]}.")
+      @nsc.login
+      PxnxJruby::NxLogger.instance.on_connect(options[:nexpose_data][:nxconsole], 3780, @nsc.session_id, "{}")
+      @ip_list = ips
+      @options = options
+    end
+
+    # TODO Allow scan options.
+    def call
+        begin
+          @ip = @ip_list.is_a?(Array) ? @ip_list : Array.new(1, @ip_list)
+          @site = Nexpose::Site.new("pxGrid-Nexpose-#{DateTime.now.strftime('%Y%jT%H%M%SZ')}", 'full-audit')
+          @site.description = "Rapid7 Nexpose - Cisco pxGrid Integration scan job saved at #{DateTime.now.strftime('%Y%jT%H%M%SZ')}"
+          @log.info("Scanning IPs <#{@ip.each{|ip| ip}}> on site <#{@site.name}>.")
+          @ip.each { |ip| @site.add_ip(ip) }
+          @site.engine = @options[:nexpose_data][:engine] unless @options.empty?
+          @site.save(@nsc)
+          @scan_info = @site.scan(@nsc)
+
+          # Hold this thread until the scan has finished
+          # Add ', :verbose => true' to get more info.
+          WaitUtil.wait_for_condition('waiting_for_scan_to_finish', :timeout_sec => @options[:nexpose_data][:scan_timeout], :delay_sec => 30) do
+            @completed = true
+            if %w(unknown dispatched running).include? (@nsc.scan_status(@scan_info.id))
+              @completed = false
+              @log.debug("Scan still running for site <#{@site.name}>")
+            end
+            @completed
+          end
+          @log.info("Scan completed for site #{@site.name}>")
+          devices = @nsc.devices(@site.id)
+          @devices_to_quarantine = devices.select { |d| d.risk_score >= @options[:nexpose_data][:riskscore]}
+          Thread.new do
+            eps_broker = PxnxJruby::EpsBroker.new(@options[:grid_connection].grid)
+            @log.info("Quarantining device <#{@devices_to_quarantine}> for site <#{@site.name}>.")
+            eps_broker.quarantine_ip(@devices_to_quarantine) unless @devices_to_quarantine.empty?
+          end unless @options[:debug] == true
+          @log.debug("Deleting temporary site <#{@site.name}>, logging out and exiting.")
+          @site.delete(@nsc) unless @options[:debug] == true
+          @nsc.logout unless @options[:debug] == true
+        rescue Exception => e
+          @log.error("Exception while running a Nexpose connection thread! Message is <#{e.message}> and stacktrace is <#{e.backtrace.join("\n")}>.")
+      end
+    end
+   end
+end