risu 1.7.6 → 1.7.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: afeb7452a6387818f031b7eb9be509fb7b8b1f91
-  data.tar.gz: d0c0482d6673456aaa3eb7ffd32f928df5ba4d03
+  metadata.gz: 7bfaa5045c80e643b40cc2c4aa2dda7bd51df8ea
+  data.tar.gz: 702efcb8879156cd8fbdea75ff5eef32e6f41011
 SHA512:
-  metadata.gz: c009a3228e6fb7a9b84b256610fcd61381c223520e8f9ff9a3412c577fd4690f0adceeea0dfde312d3f78519c5337ce8560af3b5100cb79eeabd0f9533cf043e
-  data.tar.gz: abf5109f7c5ebc5f1931c1cebaa4290ae740140364ca0d9503f3901ab09f04a38b69179fdb1031663bb489ac393b3b470c76fd21567bb47ba84f9923eef6cac5
+  metadata.gz: 37662a0fa9723012859b123ef993dc25aa150019d61c90dfecc9692133ffad2c3e3df3a4a2a8832027608ebcaacc9f07e9d7314537b5a37fea68c4db21027c30
+  data.tar.gz: 0fa39c976bcf35de2405cb3f08309df5ebbb1e1117cf2d0a6700bdc15c1838a02ae3f9fcb3438105649fe5cb6c5f3faf85a01f9422dcce2587c2b9f9f26c21c4

data/Gemfile

@@ -1,18 +1,2 @@
 source "https://rubygems.org"
 gemspec
-
-#
-# gem 'simplecov', '~> 0.11.0'
-# gem 'yard', '~> 0.8.0'
-# gem 'minitest', '~> 5.0'
-# gem 'test-unit'
-#
-# gem 'rails', "~> 4.2.5"
-# gem 'libxml-ruby', "~> 2.8.0"
-# gem 'prawn', "~> 2.0.2"
-# gem 'prawn-table', "~> 0.2.2"
-# gem 'gruff', "~> 0.6.0"
-# gem 'mysql2', "~> 0.4.1"
-# gem 'rmagick', "~> 2.15.4"
-# gem 'sqlite3', "~> 1.3.11"
-# gem 'nokogiri', "~> 1.6.7"

data/README.markdown

@@ -12,7 +12,7 @@ Risu is [Nessus](http://www.nessus.org) parser, that converts Nessus .nessus xml
 ## Requirements
 
 ### Ruby
-Risu has been tested with ruby-2.0.0, ruby-2.1.0 and ruby-2.2.3. Please try to use one of these versions if possible. I recommend using RVM to setup your ruby environment you can get it [here](https://rvm.beginrescueend.com/).
+Risu has been tested with ruby-2.0.0, ruby-2.1.0 and ruby-2.2.3. Please use the latest version if possible. I recommend using [chruby](https://github.com/postmodern/chruby) or [RVM](https://rvm.io/) to setup your ruby environment.
 
 ### RubyGems
 Risu relies heavily on [RubyGems](http://rubygems.org/) to install other dependencies I highly recommend using it. RubyGems is included by default in the 1.9.x versions of [Ruby](http://ruby-lang.org/).

data/Rakefile

@@ -42,9 +42,16 @@ task :tag_and_bag do
 	system "git push"
 end
 
-task :release => [:tag_and_bag, :build] do
- 	system "gem push #{Risu::APP_NAME}-#{Risu::VERSION}.gem"
-	puts "Just released #{Risu::APP_NAME} v#{Risu::VERSION}. #{Risu::APP_NAME} is an Nessus XML parser/database/report generator. More information at #{HOME_PAGE}"
+task :push do
+	system "gem push #{Risu::APP_NAME}-#{Risu::VERSION}.gem"
+end
+
+task :tweet do
+	puts "Just released #{Risu::APP_NAME} v#{Risu::VERSION}. #{Risu::APP_NAME} is an Nessus XML parser/database/report generator. More information at #{Risu::HOME_PAGE}"
+end
+
+task :release => [:tag_and_bag, :build, :push, :tweet] do
+
 end
 
 task :clean do

data/{NEWS.markdown → docs/NEWS.markdown}

@@ -1,5 +1,15 @@
 # News
 
+# 1.7.7 (June 24, 2016)
+- **NOTICE** Only ruby-2.2.1 and above are supported now. Please upgrade.
+- Merge pull request #90 to add a new Banner for the console from [abenson]
+- Updated Java, Windows, ESXi post-processing plugin-ids
+- Templates
+	- Added a count of hosts on the host listings on the notable_detailed and technical_findings templates.
+	- Added more fields to the host_findings_csv template.
+- Loads of updates to the PostProcessing Plugins
+- Some changes based on code climate reports
+
 # 1.7.6 (December 02, 2015)
 - **NOTICE** Upon next major release, "1.8.0" ruby-2.2.1+ will only be supported. This is due to rails5 dropping support for all previous versions. Risu 1.8.0 will be release shortly after rails5 with this change.
 - **API CHANGES** Several APIs have been marked deprecated they will be moved in 1.8.0. Stubs will be left behind with warnings until 1.9.0. These changes are mostly to clean up the Models. Right now the models are very fat and interdependent on things they shouldn't. Some of the notable changes will be:

data/lib/risu/base.rb

@@ -36,6 +36,7 @@ require 'risu/base/host_template_helper'
 require 'risu/base/malware_template_helper'
 require 'risu/base/graph_template_helper'
 require 'risu/base/shares_template_helper'
+require 'risu/base/scan_helper'
 require 'risu/base/template_helper'
 
 require 'risu/base/post_process_base'

data/lib/risu/base/graph_template_helper.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2014 Arxopia LLC.
+# Copyright (c) 2012-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/base/host_template_helper.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2014 Arxopia LLC.
+# Copyright (c) 2012-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/base/malware_template_helper.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2014 Arxopia LLC.
+# Copyright (c) 2012-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@ module Risu
 			#
 			def conficker_count
 				begin
-					return Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").count
+					return Item.where(:plugin_id => Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first.id).count
 				rescue => e
 					return 0
 				end
@@ -78,18 +78,76 @@ module Risu
 
 				conficker_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first.id).count
 				heading2 "Conficker Worm Infection"
-				@output.text "Conficker Worm infections were found on #{conficker_count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."
-				@output.text "\n"
+
+				text "Conficker Worm infections were found on #{conficker_count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."
+
+				text "\n"
+			end
+
+			#
+			def known_malicious_process_count
+				begin
+					return Item.where(:plugin_id => 59275).count
+				rescue => e
+					return 0
+				end
+			end
+
+			#
+			def known_malicious_process_section
+				count = known_malicious_process_count()
+
+				if count <= 0
+					return
+				end
+
+				heading1 "Known Malicious Process Detected" if count == 1
+				heading1 "Known Malicious Processes Detected" if count > 1
+
+				text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."
+
+				text "\n"
+			end
+
+			#
+			def known_malicious_process_appendix_section
+				count = known_malicious_process_count()
+
+				if count <= 0
+					return
+				end
+
+				heading2 "Known Malicious Process" if count == 1
+				heading2 "Known Malicious Processes" if count > 1
+
+				findings = Item.where(:plugin_id => 59275)
+				plugin = Plugin.find_by_id(59275)
+
+				findings.each do |finding|
+					host = Host.find_by_id(finding.host_id)
+
+					text "Host", :style => :bold
+					host_string = "#{host.name}"
+					host_string << " (#{host.fqdn})" if host.fqdn != nil
+					text host_string
+
+					definition "Description", plugin.description.gsub(/[ ]{2,}/, " ") if plugin.description != nil
+					definition "Plugin output", finding.plugin_output.gsub(/Any detected files 5 MB or less are available as attachments./, "")
+				end
+
+				text "\n"
 			end
 
 			#
 			def malware_section
 				conficker_section
+				known_malicious_process_section
 			end
 
 			#
 			def malware_appendix_section
 				conficker_appendix_section
+				known_malicious_process_appendix_section
 			end
 		end
 	end

data/lib/risu/base/post_process_manager.rb

@@ -43,7 +43,7 @@ module Risu
 
 				load_postprocesses(base_dir + path)
 				load_postprocesses(Dir.pwd, false)
-				load_postprocesses(File.expand_path(USER_TEMPLATES_DIR)) if File.exists?(File.expand_path(USER_TEMPLATES_DIR)) && File.directory?(File.expand_path(USER_TEMPLATES_DIR))
+				load_postprocesses(File.expand_path(USER_TEMPLATES_DIR)) if File.exist?(File.expand_path(USER_TEMPLATES_DIR)) && File.directory?(File.expand_path(USER_TEMPLATES_DIR))
 
 				sort
 			end

data/lib/risu/base/scan_helper.rb

@@ -0,0 +1,77 @@
+# Copyright (c) 2012-2016 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Templates
+		module ScanHelper
+
+			#
+			# TODO doc
+			def scan_info_to_hash(plugin_output)
+				scan_info = {}
+
+				plugin_output.split("\n").each do |line|
+					a = line.split(":")
+
+					if a.size != 2
+						next
+					end
+
+					key = a[0].strip.downcase
+					value = a[1].strip.downcase
+
+					key = key.gsub(" ", "_")
+
+					scan_info[key] = value
+				end
+
+				return scan_info
+			end
+
+			# TODO doc
+			#
+			def authenticated_count
+				count = {}
+				count["auth"] = 0
+				count["unauth"] = 0
+
+				Item.where(:plugin_id => 19506).each do |item|
+					scan_info = scan_info_to_hash (item.plugin_output)
+
+					auth = scan_info["credentialed_checks"]
+
+					if auth =~ /yes/
+						count["auth"] = count["auth"] + 1
+					else
+						count["unauth"] = count["unauth"] + 1
+					end
+				end
+
+				return count
+			end
+		end
+	end
+end

data/lib/risu/base/schema.rb

@@ -106,11 +106,9 @@ module Risu
 					t.text :cm_compliance_check_name, limit: 4294967295
 					t.text :cm_compliance_result, limit: 4294967295
 					t.text :cm_compliance_output, limit: 4294967295
-
 					t.text :cm_compliance_reference, limit: 4294967295
 					t.text :cm_compliance_see_also, limit: 4294967295
 					t.text :cm_compliance_solution, limit: 4294967295
-
 					t.integer :real_severity
 					t.integer :risk_score
 				end
@@ -133,7 +131,7 @@ module Risu
 					t.string :metasploit_name
 					t.string :exploit_framework_canvas
 					t.string :canvas_package
-					t.string :exploit_available
+					t.boolean :exploit_available
 					t.string :risk_factor
 					t.text :solution, limit: 4294967295
 					t.text :synopsis, limit: 4294967295

data/lib/risu/base/shares_template_helper.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2014 Arxopia LLC.
+# Copyright (c) 2012-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -66,29 +66,54 @@ module Risu
 				end
 			end
 
+			#
+			def anon_smb_query
+				return Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id)
+			end
+
 			#
 			def anon_smb_count
+				count = 0
 				begin
-					return Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id).count
+					anon_smb_query().each do |finding|
+						host = Host.find_by_id(finding.host_id)
+
+						login = host.host_properties.where(:name => 'smb-login-used').first.value
+						login = login.split("\\")[1] if login.include?("\\")
+
+						if finding.plugin_output.include?("The following shares can be accessed as #{login}")
+							# If the output was collect via the username that is authenitcated skip it.
+							next
+						end
+
+						count = count + 1
+					end
 				rescue => e
 					return 0
 				end
+
+				return count
 			end
 
 			#
 			def anon_smb_section
-
 				if anon_smb_count() <= 0
 					return
 				end
 
 				heading2 "Anonymous SMB Share Detection"
 
-				findings =  Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id)
-
-				findings.each do |finding|
+				anon_smb_query().each do |finding|
 					host = Host.find_by_id(finding.host_id)
 
+					login = host.host_properties.where(:name => 'smb-login-used').first.value
+					login = login.split("\\")[1] if login.include?("\\")
+
+					if finding.plugin_output.include?("The following shares can be accessed as #{login}")
+						# If the output was collect via the username that is authenitcated skip it.
+						next
+					end
+
 					host_string = "#{host.name}"
 					host_string << " (#{host.fqdn})" if host.fqdn != nil
 
@@ -110,31 +135,31 @@ module Risu
 				anon_ftp_text = ""
 				anon_smb_text = ""
 
-				anon_smb_count = 0
-				anon_ftp_count = 0
+				v_anon_smb_count = 0
+				v_anon_ftp_count = 0
 
 				begin
-					anon_ftp_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Anonymous FTP Enabled").first.id).count
+					v_anon_ftp_count = anon_ftp_count()
 				rescue Exception => e
 				end
 
 				begin
-					anon_smb_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id).count
+					v_anon_smb_count = anon_smb_count()
 				rescue Exception => e
 				end
 
-				if anon_ftp_count > 1
+				if v_anon_ftp_count > 1
 					anon_ftp_text = "Anonymous FTP was detected as being enabled on #{anon_ftp_count} network nodes. Anonymous FTP allows anyone to access files stored on the FTP server, depending on the server's configuration also write files. "
 					poor_count = poor_count + 1
-				elsif anon_ftp_count == 1
+				elsif v_anon_ftp_count == 1
 					anon_ftp_text = "Anonymous FTP was detected as being enabled on #{anon_ftp_count} network node. Anonymous FTP allows anyone to access files stored on the FTP server, depending on the server's configuration also write files. "
 					poor_count = poor_count + 1
 				end
 
-				if anon_smb_count > 1
+				if v_anon_smb_count > 1
 					anon_smb_text = "Anonymous SMB shares were detected on #{anon_smb_count} network nodes. These shares also were found to have read and write access enabled. "
 					poor_count = poor_count + 1
-				elsif anon_smb_count == 1
+				elsif v_anon_smb_count == 1
 					anon_smb_text = "Anonymous SMB shares were detected on #{anon_smb_count} network node. These shares also were found to have read and write access enabled. "
 					poor_count = poor_count + 1
 				end
@@ -144,7 +169,7 @@ module Risu
 				heading1 "Other Findings of Interest" if poor_count > 0
 
 				#Anon ftp/smb + clear text
-				@output.text anon_ftp_text + anon_smb_text + anonymous_access_text if anon_ftp_count > 0 || anon_smb_count > 0
+				@output.text anon_ftp_text + anon_smb_text + anonymous_access_text if v_anon_ftp_count > 0 || v_anon_smb_count > 0
 				@output.text "\n"
 				@output.text "\n"
 			end
@@ -154,30 +179,31 @@ module Risu
 				anon_smb_section
 			end
 
+			#
 			def shares_section_has_findings?
 				poor_count = 0
 
 				anon_ftp_text = ""
 				anon_smb_text = ""
 
-				anon_smb_count = 0
-				anon_ftp_count = 0
+				v_anon_smb_count = 0
+				v_anon_ftp_count = 0
 
 				begin
-					anon_ftp_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Anonymous FTP Enabled").first.id).count
+					v_anon_ftp_count = anon_ftp_count()
 				rescue Exception => e
 				end
 
 				begin
-					anon_smb_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id).count
+					v_anon_smb_count = anon_smb_count()
 				rescue Exception => e
 				end
 
-				if anon_ftp_count >= 1
+				if v_anon_ftp_count >= 1
 					poor_count = poor_count + 1
 				end
 
-				if anon_smb_count >= 1
+				if v_anon_smb_count >= 1
 					poor_count = poor_count + 1
 				end