recog-intrigue 2.3.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.github/ISSUE_TEMPLATE/bug_report.md +37 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +17 -0
- data/.github/ISSUE_TEMPLATE/fingerprint_request.md +27 -0
- data/.github/PULL_REQUEST_TEMPLATE +24 -0
- data/.gitignore +14 -0
- data/.rbenv-gemset +1 -0
- data/.rspec +3 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +25 -0
- data/.yardopts +1 -0
- data/CONTRIBUTING.md +171 -0
- data/COPYING +23 -0
- data/Gemfile +10 -0
- data/LICENSE +7 -0
- data/README.md +85 -0
- data/Rakefile +22 -0
- data/bin/recog_export +81 -0
- data/bin/recog_match +55 -0
- data/bin/recog_standardize +118 -0
- data/bin/recog_verify +64 -0
- data/cpe-remap.yaml +134 -0
- data/features/data/failing_banners_fingerprints.xml +20 -0
- data/features/data/matching_banners_fingerprints.xml +23 -0
- data/features/data/multiple_banners_fingerprints.xml +32 -0
- data/features/data/no_tests.xml +3 -0
- data/features/data/sample_banner.txt +2 -0
- data/features/data/successful_tests.xml +18 -0
- data/features/data/tests_with_failures.xml +20 -0
- data/features/data/tests_with_warnings.xml +17 -0
- data/features/match.feature +36 -0
- data/features/support/aruba.rb +3 -0
- data/features/support/env.rb +6 -0
- data/features/verify.feature +48 -0
- data/identifiers/README.md +47 -0
- data/identifiers/os_architecture.txt +20 -0
- data/identifiers/os_device.txt +52 -0
- data/identifiers/os_family.txt +160 -0
- data/identifiers/os_product.txt +199 -0
- data/identifiers/service_family.txt +185 -0
- data/identifiers/service_product.txt +255 -0
- data/identifiers/software_class.txt +26 -0
- data/identifiers/software_family.txt +91 -0
- data/identifiers/software_product.txt +333 -0
- data/identifiers/vendor.txt +405 -0
- data/lib/recog.rb +4 -0
- data/lib/recog/db.rb +78 -0
- data/lib/recog/db_manager.rb +31 -0
- data/lib/recog/fingerprint.rb +280 -0
- data/lib/recog/fingerprint/regexp_factory.rb +56 -0
- data/lib/recog/fingerprint/test.rb +18 -0
- data/lib/recog/formatter.rb +51 -0
- data/lib/recog/match_reporter.rb +77 -0
- data/lib/recog/matcher.rb +94 -0
- data/lib/recog/matcher_factory.rb +14 -0
- data/lib/recog/nizer.rb +347 -0
- data/lib/recog/verifier.rb +39 -0
- data/lib/recog/verifier_factory.rb +13 -0
- data/lib/recog/verify_reporter.rb +86 -0
- data/lib/recog/version.rb +3 -0
- data/misc/convert_mysql_err +61 -0
- data/misc/order.xsl +17 -0
- data/recog-intrigue.gemspec +45 -0
- data/requirements.txt +2 -0
- data/spec/data/best_os_match_1.yml +17 -0
- data/spec/data/best_os_match_2.yml +17 -0
- data/spec/data/best_service_match_1.yml +17 -0
- data/spec/data/smb_native_os.txt +25 -0
- data/spec/data/test_fingerprints.xml +36 -0
- data/spec/data/verification_fingerprints.xml +86 -0
- data/spec/data/whitespaced_fingerprint.xml +5 -0
- data/spec/lib/fingerprint_self_test_spec.rb +174 -0
- data/spec/lib/recog/db_spec.rb +98 -0
- data/spec/lib/recog/fingerprint/regexp_factory_spec.rb +73 -0
- data/spec/lib/recog/fingerprint_spec.rb +112 -0
- data/spec/lib/recog/formatter_spec.rb +69 -0
- data/spec/lib/recog/match_reporter_spec.rb +91 -0
- data/spec/lib/recog/nizer_spec.rb +330 -0
- data/spec/lib/recog/verify_reporter_spec.rb +113 -0
- data/spec/spec_helper.rb +82 -0
- data/update_cpes.py +186 -0
- data/xml/apache_modules.xml +1911 -0
- data/xml/apache_os.xml +273 -0
- data/xml/architecture.xml +36 -0
- data/xml/dns_versionbind.xml +761 -0
- data/xml/fingerprints.xsd +128 -0
- data/xml/ftp_banners.xml +1553 -0
- data/xml/h323_callresp.xml +603 -0
- data/xml/hp_pjl_id.xml +358 -0
- data/xml/html_title.xml +1630 -0
- data/xml/http_cookies.xml +411 -0
- data/xml/http_servers.xml +3195 -0
- data/xml/http_wwwauth.xml +595 -0
- data/xml/imap_banners.xml +245 -0
- data/xml/ldap_searchresult.xml +711 -0
- data/xml/mdns_device-info_txt.xml +1796 -0
- data/xml/mdns_workstation_txt.xml +15 -0
- data/xml/mysql_banners.xml +1649 -0
- data/xml/mysql_error.xml +871 -0
- data/xml/nntp_banners.xml +82 -0
- data/xml/ntp_banners.xml +1223 -0
- data/xml/operating_system.xml +629 -0
- data/xml/pop_banners.xml +499 -0
- data/xml/rsh_resp.xml +76 -0
- data/xml/rtsp_servers.xml +76 -0
- data/xml/sip_banners.xml +359 -0
- data/xml/sip_user_agents.xml +221 -0
- data/xml/smb_native_lm.xml +62 -0
- data/xml/smb_native_os.xml +662 -0
- data/xml/smtp_banners.xml +1690 -0
- data/xml/smtp_debug.xml +39 -0
- data/xml/smtp_ehlo.xml +49 -0
- data/xml/smtp_expn.xml +82 -0
- data/xml/smtp_help.xml +157 -0
- data/xml/smtp_mailfrom.xml +20 -0
- data/xml/smtp_noop.xml +44 -0
- data/xml/smtp_quit.xml +29 -0
- data/xml/smtp_rcptto.xml +25 -0
- data/xml/smtp_rset.xml +26 -0
- data/xml/smtp_turn.xml +26 -0
- data/xml/smtp_vrfy.xml +89 -0
- data/xml/snmp_sysdescr.xml +6507 -0
- data/xml/snmp_sysobjid.xml +430 -0
- data/xml/ssh_banners.xml +1968 -0
- data/xml/telnet_banners.xml +1595 -0
- data/xml/x11_banners.xml +232 -0
- data/xml/x509_issuers.xml +134 -0
- data/xml/x509_subjects.xml +1268 -0
- metadata +304 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 8ce6e9357161c0d9ccd4a78a1b29c32ad316d5ebdbc36d1c14c83e7642a4ee87
|
4
|
+
data.tar.gz: 55a033985a85110154d9eb1fda16a4a860ee6f4490cb162ed8e5ed5bdb8d8c8f
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 625729df058c4a85767187b2244edc45a6b7f038f5cd620d7f986adb62744479cf9a4592b827dae962158b32dab3cd97463d237b25425016d87263e596dad304
|
7
|
+
data.tar.gz: ccfdfed40b6691f9477f29d311a1e41273a85cbb481693f4377ab0547ba0fed8ddf765d00c5a6348b9bef673205bf4afbdbc8a27b32fd25b01e82b11ff5a412c
|
@@ -0,0 +1,37 @@
|
|
1
|
+
---
|
2
|
+
name: Bug report
|
3
|
+
about: Create a report to help us improve
|
4
|
+
|
5
|
+
---
|
6
|
+
|
7
|
+
**Describe the bug**
|
8
|
+
A clear and concise description of what the bug is.
|
9
|
+
|
10
|
+
**To Reproduce**
|
11
|
+
Steps to reproduce the behavior:
|
12
|
+
|
13
|
+
1. Do this...
|
14
|
+
2. Do that...
|
15
|
+
3. Then something happens...
|
16
|
+
|
17
|
+
Code that reproduces the behavior: <!-- This is optional -->
|
18
|
+
```ruby
|
19
|
+
# paste code here, or create a gist, or link to public code snippet
|
20
|
+
```
|
21
|
+
|
22
|
+
Matcher that reproduces the behavior: <!-- This is optional -->
|
23
|
+
```xml
|
24
|
+
<!-- paste matcher xml here, or create a gist, or link to public code snippet -->
|
25
|
+
```
|
26
|
+
|
27
|
+
**Expected behavior**
|
28
|
+
A clear and concise description of what you expected to happen.
|
29
|
+
|
30
|
+
|
31
|
+
**Environment (please complete the following information):**
|
32
|
+
- Operating System:
|
33
|
+
- Ruby Version:
|
34
|
+
- Recog Version:
|
35
|
+
|
36
|
+
**Additional context**
|
37
|
+
Add any other context about the problem here.
|
@@ -0,0 +1,17 @@
|
|
1
|
+
---
|
2
|
+
name: Feature request
|
3
|
+
about: Suggest an idea for this project
|
4
|
+
|
5
|
+
---
|
6
|
+
|
7
|
+
**Is your feature request related to a problem? Please describe.**
|
8
|
+
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
9
|
+
|
10
|
+
**Describe the solution you'd like**
|
11
|
+
A clear and concise description of what you want to happen.
|
12
|
+
|
13
|
+
**Describe alternatives you've considered**
|
14
|
+
A clear and concise description of any alternative solutions or features you've considered.
|
15
|
+
|
16
|
+
**Additional context**
|
17
|
+
Add any other context or screenshots about the feature request here.
|
@@ -0,0 +1,27 @@
|
|
1
|
+
---
|
2
|
+
name: Fingerprint request
|
3
|
+
about: Request new fingerprint coverage
|
4
|
+
|
5
|
+
---
|
6
|
+
|
7
|
+
**Request for new fingerprint(s) for a product**
|
8
|
+
Briefly describe the product to be fingerprinted, including vendor and version information.
|
9
|
+
<!-- Include links to relevant public documentation from the vendor or other sources, if available -->
|
10
|
+
|
11
|
+
**Provide details about the product**
|
12
|
+
What protocol(s) can be used to retrieve identifiable information about the product?
|
13
|
+
<!-- Examples: Telnet, SSH, SNMP, SMTP, HTTP(S), Vendor Proprietary Protocol -->
|
14
|
+
|
15
|
+
What information can be collected on each protocol?
|
16
|
+
<!-- Example: HTTP Server banner: nginx/0.8.53 -->
|
17
|
+
|
18
|
+
What request, command, and/or payload can be used to retrieve information on each protocol?
|
19
|
+
<!-- Use code fences like the below example to preserve formatting -->
|
20
|
+
```
|
21
|
+
HTTP HEAD /
|
22
|
+
|
23
|
+
HTTP GET /info.php
|
24
|
+
```
|
25
|
+
|
26
|
+
**Example banner(s) with specific version info**
|
27
|
+
<!-- Paste raw text here, using code fences to preserve formatting if needed-->
|
@@ -0,0 +1,24 @@
|
|
1
|
+
## Description
|
2
|
+
A detailed description of your changes.
|
3
|
+
|
4
|
+
|
5
|
+
## Motivation and Context
|
6
|
+
Explanation of why these changes are being proposed, including any links to other relevant issues or pull requests.
|
7
|
+
|
8
|
+
|
9
|
+
## How Has This Been Tested?
|
10
|
+
A clear and concise description of your changes were tested.
|
11
|
+
|
12
|
+
|
13
|
+
## Types of changes
|
14
|
+
<!--- What types of changes does your code introduce? Remove any that do not apply: -->
|
15
|
+
- Bug fix (non-breaking change which fixes an issue)
|
16
|
+
- New feature (non-breaking change which adds functionality)
|
17
|
+
- Breaking change (fix or feature that would cause existing functionality to change)
|
18
|
+
|
19
|
+
|
20
|
+
## Checklist:
|
21
|
+
<!--- After submitting the PR, check all of the boxes that apply. -->
|
22
|
+
- [ ] I have updated the documentation accordingly (or changes are not required).
|
23
|
+
- [ ] I have added tests to cover my changes (or new tests are not required).
|
24
|
+
- [ ] All new and existing tests passed.
|
data/.gitignore
ADDED
data/.rbenv-gemset
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
recog
|
data/.rspec
ADDED
data/.ruby-gemset
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
recog
|
data/.ruby-version
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
2.6.6
|
data/.travis.yml
ADDED
@@ -0,0 +1,25 @@
|
|
1
|
+
language: ruby
|
2
|
+
sudo: false
|
3
|
+
cache: bundler
|
4
|
+
rvm:
|
5
|
+
- '2.5.8'
|
6
|
+
- '2.6.6'
|
7
|
+
- 'jruby-9.1.9.0'
|
8
|
+
jdk:
|
9
|
+
- openjdk8
|
10
|
+
matrix:
|
11
|
+
allow_failures:
|
12
|
+
- rvm: 'jruby-9.1.9.0'
|
13
|
+
before_install:
|
14
|
+
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
15
|
+
- rake --version
|
16
|
+
before_script:
|
17
|
+
- bundle exec rake --version
|
18
|
+
script: bundle exec rake tests
|
19
|
+
env:
|
20
|
+
global:
|
21
|
+
- CI="travis"
|
22
|
+
- JRUBY_OPTS="--server -J-Xms512m -J-Xmx2G"
|
23
|
+
branches:
|
24
|
+
only:
|
25
|
+
- master
|
data/.yardopts
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--markup markdown
|
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,171 @@
|
|
1
|
+
# Contributing to Recog
|
2
|
+
|
3
|
+
The users and maintainers of Recog would greatly appreciate any contributions
|
4
|
+
you can make to the project. These contributions typically come in the form of
|
5
|
+
filed bugs/issues or pull requests (PRs). These contributions routinely result
|
6
|
+
in new versions of the [recog gem](https://rubygems.org/gems/recog) to be
|
7
|
+
released. The process for everything is described below.
|
8
|
+
|
9
|
+
## Contributing Issues / Bug Reports
|
10
|
+
|
11
|
+
If you encounter any bugs or problems with Recog, please file them
|
12
|
+
[here](https://github.com/rapid7/recog/issues/new), providing as much detail as
|
13
|
+
possible. If the bug is straight-forward enough and you understand the fix for
|
14
|
+
the bug well enough, you may take the simpler, less-paperwork route and simply
|
15
|
+
fill a PR with the fix and the necessary details.
|
16
|
+
|
17
|
+
## Contributing Code
|
18
|
+
|
19
|
+
Recog uses a model nearly identical to that of
|
20
|
+
[Metasploit](https://github.com/rapid7/metasploit-framework) as outlined
|
21
|
+
[here](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment),
|
22
|
+
at least from a ```git``` perspective. If you've been through that process
|
23
|
+
(or, even better, you've been through it many times with many people), you can
|
24
|
+
do exactly what you did for Metasploit but with Recog and ignore the rest of
|
25
|
+
this document.
|
26
|
+
|
27
|
+
On the other hand, if you haven't, read on!
|
28
|
+
|
29
|
+
### Fork and Clone
|
30
|
+
|
31
|
+
Generally, this should only need to be done once, or if you need to start over.
|
32
|
+
|
33
|
+
1. Fork Recog: Visit https://github.com/rapid7/recog and click Fork,
|
34
|
+
selecting your github account if prompted
|
35
|
+
2. Clone ```git@github.com:<your-github-username>/recog.git```, replacing
|
36
|
+
```<your-github-username>``` with, you guessed it, your Github username.
|
37
|
+
3. Add the master Recog repository as your upstream:
|
38
|
+
|
39
|
+
```
|
40
|
+
git remote add upstream git://github.com/rapid7/recog.git
|
41
|
+
```
|
42
|
+
4. Update your `.git/config` to ensure that the `remote ["upstream"]` section is configured to pull both branches and PRs from upstream. It should look something like the following, in particular the second `fetch` option:
|
43
|
+
|
44
|
+
```
|
45
|
+
[remote "upstream"]
|
46
|
+
url = git@github.com:rapid7/recog.git
|
47
|
+
fetch = +refs/heads/*:refs/remotes/upstream/*
|
48
|
+
fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
|
49
|
+
```
|
50
|
+
5. Fetch the latest revisions, including PRs:
|
51
|
+
|
52
|
+
```
|
53
|
+
git fetch --all
|
54
|
+
```
|
55
|
+
|
56
|
+
### Branch and Improve
|
57
|
+
|
58
|
+
If you have a contribution to make, first create a branch to contain your
|
59
|
+
work. The name is yours to choose, however generally it should roughly
|
60
|
+
describe what you are doing. In this example, and from here on out, the
|
61
|
+
branch will be FOO, but you should obviously change this:
|
62
|
+
|
63
|
+
```
|
64
|
+
git fetch --all
|
65
|
+
git checkout master
|
66
|
+
git rebase upstream/master
|
67
|
+
git checkout -b FOO
|
68
|
+
```
|
69
|
+
|
70
|
+
Now, make your changes, commit as necessary with useful commit messages.
|
71
|
+
|
72
|
+
Please note that changes to [lib/recog/version.rb](https://github.com/rapid7/recog/blob/master/lib/recog/version.rb) in PRs are almost never necessary.
|
73
|
+
|
74
|
+
Now push your changes to your fork:
|
75
|
+
|
76
|
+
```
|
77
|
+
git push origin FOO
|
78
|
+
```
|
79
|
+
|
80
|
+
Finally, submit the PR. Navigate to ```https://github.com/<your-github-username>/recog/compare/FOO```, fill in the details and submit.
|
81
|
+
|
82
|
+
### Testing
|
83
|
+
|
84
|
+
When your PR is submitted, it will be automatically subjected to the full run of tests in [Travis](https://travis-ci.org/rapid7/recog/), however you are encourage to perform testing _before_ submitting the PR. To do this, simply run `rake tests`.
|
85
|
+
|
86
|
+
## Updating CPEs
|
87
|
+
|
88
|
+
There exists some automation to update the CPEs that might be asserted with
|
89
|
+
some recog fingerprints. This should be run periodically to ensure that all
|
90
|
+
fingerprints that could have CPEs do, etc.
|
91
|
+
|
92
|
+
First, setup a python3 venv:
|
93
|
+
|
94
|
+
```
|
95
|
+
python3 -m venv venv
|
96
|
+
source venv/bin/activate
|
97
|
+
pip install -r requirements.txt
|
98
|
+
```
|
99
|
+
|
100
|
+
Download the latest CPE 2.3 dictionary:
|
101
|
+
|
102
|
+
```
|
103
|
+
wget https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
|
104
|
+
````
|
105
|
+
|
106
|
+
Run the CPE automation against every XML file, using GNU `parallel` to speed things up:
|
107
|
+
|
108
|
+
```
|
109
|
+
ls xml/*.xml | parallel --gnu "./update_cpes.py {} official-cpe-dictionary_v2.3.xml cpe-remap.yaml && xmllint --format --noblanks {} > {}.bak && mv {}.bak {} || echo {}" 2> errors.txt
|
110
|
+
```
|
111
|
+
|
112
|
+
Any mismatched fingerprints will be listed in `errors.txt` for eventual
|
113
|
+
maintenance. The `cpe-remap.yaml` file can be used to map between
|
114
|
+
vendor/product/etc differences between Recog and CPE, or to work around bugs in
|
115
|
+
either.
|
116
|
+
|
117
|
+
## Landing PRs
|
118
|
+
|
119
|
+
(Note: this portion is a work-in-progress. Please update it as things change)
|
120
|
+
|
121
|
+
Much like with the process of submitting PRs, Recog's process for landing PRs
|
122
|
+
is very similar to [Metasploit's process for landing
|
123
|
+
PRs](https://github.com/rapid7/metasploit-framework/wiki/Landing-Pull-Requests).
|
124
|
+
In short:
|
125
|
+
|
126
|
+
1. Follow the "Fork and Clone" steps from above
|
127
|
+
2. Update your `.git/config` to ensure that the `remote ["upstream"]` section is configured to pull both branches and PRs from upstream. It should look something like the following, in particular the second `fetch` option:
|
128
|
+
|
129
|
+
```
|
130
|
+
[remote "upstream"]
|
131
|
+
url = git@github.com:rapid7/recog.git
|
132
|
+
fetch = +refs/heads/*:refs/remotes/upstream/*
|
133
|
+
fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
|
134
|
+
```
|
135
|
+
3. Fetch the latest revisions, including PRs:
|
136
|
+
|
137
|
+
```
|
138
|
+
git fetch --all
|
139
|
+
```
|
140
|
+
4. Checkout and branch the PR for testing. Replace ```PR``` below with the actual PR # in question:
|
141
|
+
|
142
|
+
```
|
143
|
+
git checkout -b landing-PR upstream/pr/PR
|
144
|
+
```
|
145
|
+
5. Test the PR (see the Testing section above)
|
146
|
+
6. Merge with master, re-test, validate and push:
|
147
|
+
|
148
|
+
```
|
149
|
+
git checkout -b upstream-master --track upstream/master
|
150
|
+
git merge -S --no-ff --edit landing-PR # merge the PR into upstream-master
|
151
|
+
# re-test if/as necessary
|
152
|
+
git push upstream upstream-master:master --dry-run # confirm you are pushing what you expect
|
153
|
+
git push upstream upstream-master:master # push upstream-master to upstream:master
|
154
|
+
```
|
155
|
+
7. If applicable, release a new version (see next section)
|
156
|
+
|
157
|
+
## Releasing New Versions
|
158
|
+
|
159
|
+
When Recog's critical parts are modified, for example its fingerprints or underlying supporting code, a new version _must_ eventually be released. These new releases can then be optionally included in projects such as Metasploit or products such as Rapid7's Nexpose in a controlled manner. Releases for non-functional updates such as updates to documentation are not necessary.
|
160
|
+
|
161
|
+
When a new version of Recog is to be released, you _must_ follow the instructions below.
|
162
|
+
|
163
|
+
1. If are not already a Recog project contributor for the Recog gem (you'd be listed [here under OWNERS](https://rubygems.org/gems/recog)), become one:
|
164
|
+
1. Get an account on [Rubygems](https://rubygems.org)
|
165
|
+
2. Contact one of the Recog project contributors (listed [here under OWNERS](https://rubygems.org/gems/recog) and have them add you to the Recog gem. They'll need to run:
|
166
|
+
```
|
167
|
+
gem owner recog -a EMAIL
|
168
|
+
```
|
169
|
+
2. Edit [lib/recog/version.rb](https://github.com/rapid7/recog/blob/master/lib/recog/version.rb) and increment ```VERSION```. Commit and push to rapid7/recog master.
|
170
|
+
3. Run `rake release`. Among other things, this creates the new gem, uploads it to Rubygems and tags the release with a tag like `v<VERSION>`, where `<VERSION>` is replaced with the version from `version.rb`. For example, if you release version 1.2.3 of the gem, the tag will be `v1.2.3`.
|
171
|
+
4. If your default remote repository is not `rapid7/recog`, you must ensure that the tags created in the previous step are also pushed to the right location(s). For example, if `origin` is your fork of recog and `upstream` is `rapid7/master`, you should run `git push --tags --dry-run upstream` to confirm what tags will be pushed and then `git push --tags upstream` to push the tags.
|
data/COPYING
ADDED
@@ -0,0 +1,23 @@
|
|
1
|
+
Copyright (c) 2014-2015, Rapid7
|
2
|
+
All rights reserved.
|
3
|
+
|
4
|
+
Redistribution and use in source and binary forms, with or without modification,
|
5
|
+
are permitted provided that the following conditions are met:
|
6
|
+
|
7
|
+
* Redistributions of source code must retain the above copyright notice, this
|
8
|
+
list of conditions and the following disclaimer.
|
9
|
+
|
10
|
+
* Redistributions in binary form must reproduce the above copyright notice, this
|
11
|
+
list of conditions and the following disclaimer in the documentation and/or
|
12
|
+
other materials provided with the distribution.
|
13
|
+
|
14
|
+
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
15
|
+
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
16
|
+
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
17
|
+
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
|
18
|
+
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
19
|
+
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
20
|
+
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
21
|
+
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
22
|
+
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
23
|
+
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
data/Gemfile
ADDED
data/LICENSE
ADDED
data/README.md
ADDED
@@ -0,0 +1,85 @@
|
|
1
|
+
# Recog: A Recognition Framework
|
2
|
+
[![Gem Version](https://badge.fury.io/rb/recog.svg)](http://badge.fury.io/rb/recog)
|
3
|
+
[![Build Status](https://travis-ci.org/rapid7/recog.svg?branch=master)](https://travis-ci.org/rapid7/recog)
|
4
|
+
|
5
|
+
|
6
|
+
Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes. Recog makes it simple to extract useful information from web server banners, snmp system description fields, and a whole lot more.
|
7
|
+
|
8
|
+
Recog is open source, please see the [LICENSE](https://raw.githubusercontent.com/rapid7/recog/master/LICENSE) file for more information.
|
9
|
+
|
10
|
+
## Installation
|
11
|
+
|
12
|
+
Recog consists of both XML fingerprint files and an assortment of code, mostly in Ruby, that makes it easy to develop, test, and use the contained fingerprints. In order to use the included ruby code, a recent version of Ruby (2.31+) is required, along with Rubygems and the `bundler` gem. Once these dependencies are in place, use the following commands to grab the latest source code and install any additional dependencies.
|
13
|
+
|
14
|
+
```shell
|
15
|
+
$ git clone git@github.com:rapid7/recog.git
|
16
|
+
$ cd recog
|
17
|
+
$ bundle install
|
18
|
+
```
|
19
|
+
|
20
|
+
## Maturity
|
21
|
+
|
22
|
+
Please note that while the XML fingerprints themselves are quite stable and well-tested, the Ruby codebase in Recog is still fairly new and subject to change quickly. Please contact us (research[at]rapid7.com) before leveraging the Recog code within any production projects.
|
23
|
+
|
24
|
+
## Fingerprints
|
25
|
+
|
26
|
+
The fingerprints within Recog are stored in XML files, each of which is designed to match a specific protocol response string or field. For example, the file [ssh_banners.xml](https://github.com/rapid7/recog/blob/master/xml/ssh_banners.xml) can determine the os, vendor, and sometimes hardware product by matching the initial SSH daemon banner string.
|
27
|
+
|
28
|
+
A fingerprint file consists of an XML document like the following:
|
29
|
+
|
30
|
+
```xml
|
31
|
+
<fingerprints matches="ssh.banner">
|
32
|
+
<fingerprint pattern="^RomSShell_([\d\.]+)$">
|
33
|
+
<description>Allegro RomSShell SSH</description>
|
34
|
+
<example service.version="4.62">RomSShell_4.62</example>
|
35
|
+
<param pos="0" name="service.vendor" value="Allegro"/>
|
36
|
+
<param pos="0" name="service.product" value="RomSShell"/>
|
37
|
+
<param pos="1" name="service.version"/>
|
38
|
+
</fingerprint>
|
39
|
+
</fingerprints>
|
40
|
+
```
|
41
|
+
|
42
|
+
The first line should always consist of the XML version declaration. The first element should always be a `fingerprints` block with a `matches` attribute indicating what data this fingerprint file is supposed to match. The `matches` attribute is normally in the form of `protocol.field`.
|
43
|
+
|
44
|
+
Inside of the `fingerprints` element there should be one or more `fingerprint` elements. Every `fingerprint` must contain a `pattern` attribute, which contains the regular expression to be used to match against the data. An optional `flags` attribute can be specified to control how the regular expression is to be interpreted. See [the Recog documentation for `FLAG_MAP`](http://www.rubydoc.info/gems/recog/Recog/Fingerprint/RegexpFactory#FLAG_MAP-constant) for more information.
|
45
|
+
|
46
|
+
Inside of the fingerprint, a `description` element should contain a human-readable string describing this fingerprint.
|
47
|
+
|
48
|
+
At least one `example` element should be present, however multiple `example` elements are preferred. These elements are used as part of the test coverage present in `rspec` which validates that the provided data matches the specified regular expression. Additionally, if the fingerprint is using the `param` elements to extract field values from the data (described next), you can add these expected extractions as attributes for the `example` elements. In the example above, this:
|
49
|
+
|
50
|
+
```xml
|
51
|
+
<example service.version="4.62">RomSShell_4.62</example>
|
52
|
+
```
|
53
|
+
|
54
|
+
tests that `RomSShell_4.62` matches the provided regular expression and that the value of `service.version` is 4.62.
|
55
|
+
|
56
|
+
The `param` elements contain a `pos` attribute, which indicates what capture field from the `pattern` should be extracted, or `0` for a static string. The `name` attribute is the key that will be reported in the case of a successful match and the `value` will either be a static string for `pos` values of `0` or missing and taken from the captured field.
|
57
|
+
|
58
|
+
The `example` string can be base64 encoded to permit the use of unprintable characters. To signal this to Recog an `_encoding` attribute with the value of `base64` is added to the `example` element. Based64 encoded text that is longer than 80 characters may be wrapped with newlines as shown below to aid in readability.
|
59
|
+
|
60
|
+
````xml
|
61
|
+
<example _encoding="base64">
|
62
|
+
dGllczGEAAAAlQQWMS4yLjg0MC4xMTM1NTYuMS40LjgwMAQuZGF0YS5yZW1vdmVkLjCEAAAAK
|
63
|
+
AQdZG9tYWluQ29udHJvbGxlckZ1bmN0aW9uYWxpdHkxhAAAAAMEATc=
|
64
|
+
</example>
|
65
|
+
````
|
66
|
+
|
67
|
+
### Testing
|
68
|
+
|
69
|
+
Once a fingerprint has been added, the `example` entries can be tested by executing `bin/recog_verify` against the fingerprint file:
|
70
|
+
|
71
|
+
```shell
|
72
|
+
$ bin/recog_verify xml/ssh_banners.xml
|
73
|
+
```
|
74
|
+
|
75
|
+
Matches can be tested on the command-line in a similar fashion:
|
76
|
+
|
77
|
+
```shell
|
78
|
+
$ echo 'OpenSSH_6.6p1 Ubuntu-2ubuntu1' | bin/recog_match xml/ssh_banners.xml -
|
79
|
+
MATCH: {"matched"=>"OpenSSH running on Ubuntu 14.04", "service.version"=>"6.6p1", "openssh.comment"=>"Ubuntu-2ubuntu1", "service.vendor"=>"OpenBSD", "service.family"=>"OpenSSH", "service.product"=>"OpenSSH", "os.vendor"=>"Ubuntu", "os.device"=>"General", "os.family"=>"Linux", "os.product"=>"Linux", "os.version"=>"14.04", "service.protocol"=>"ssh", "fingerprint_db"=>"ssh.banner", "data"=>"OpenSSH_6.6p1 Ubuntu-2ubuntu1"}
|
80
|
+
```
|
81
|
+
|
82
|
+
### Best Practices
|
83
|
+
|
84
|
+
* Create a single fingerprint for each product as long as the pattern remains clear and readable. If that is not possible, the pattern should be logically decomposed into additional fingerprints.
|
85
|
+
* Create regular expressions that allow for flexible version number matching. This ensures greater probability of matching a product. For example, all known public releases of a product report either `major.minor` or `major.minor.build` format version numbers. If the fingerprint strictly matches this version number format, it would fail to match a modified build of the product that reports only a `major` version number format.
|