rogue_one 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6f56c7358aca2eaaacd1e5d93d88793cd60dbc7cfa2b4b1d21e3a4a2ba68b44b
+  data.tar.gz: a0b87b0b0084a95a4285b2781c657beb5a88f191ff392dcc35fc1f25a6e62955
+SHA512:
+  metadata.gz: c22cf1c4878be88a3fa3098f7132334a1c998b4dbcc91aff77595b78932708d1b15c2c1735cea742689c19099ce49fe2e0ceddedf0e2e8baeb9f850bcd43b5e2
+  data.tar.gz: f71648b22084e42702e681930ffa5b7f0da42c00b444634eca93a4b347dfb201dea9f008becc85b6105ec2c47a9c6cfa8ccbed43792587e64ba07a9bcdbe7898

data/.gitignore

@@ -0,0 +1,52 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+.env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6
+before_install: gem install bundler -v 2.0.1

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in rogue_one.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Manabu Niseki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,41 @@
+# Rogue one: a rogue DNS detector
+
+[![Build Status](https://travis-ci.org/ninoseki/rogue_one.svg?branch=master)](https://travis-ci.org/ninoseki/rogue_one)
+[![Coverage Status](https://coveralls.io/repos/github/ninoseki/rogue_one/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/rogue_one?branch=master)
+
+## Installation
+
+```bash
+gem install rogue_one
+```
+
+## Usage
+
+```bash
+$ rogue_one
+Commands:
+  rogue_one help [COMMAND]       # Describe available commands or one specific command
+  rogue_one report [DNS_SERVER]  # Show a report of a given DNS server
+
+$ rogue_one report 1.1.1.1
+{
+  "verdict": "rogue one",
+  "landing_pages": [
+
+  ]
+}
+
+$ rogue_one reprot 1.53.252.215
+{
+  "verdict": "rogue one",
+  "landing_pages": [
+    "1.171.170.228",
+    "1.171.168.19",
+    "61.230.102.66"
+  ]
+}
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rogue_one"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/rogue_one

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "rogue_one"
+
+RogueOne::CLI.start

data/lib/rogue_one/cli.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "thor"
+require "json"
+
+module RogueOne
+  class CLI < Thor
+    desc "report [DNS_SERVER]", "Show a report of a given DNS server"
+    def report(dns_server)
+      with_error_handling do
+        detector = Detector.new(target: dns_server)
+        puts JSON.pretty_generate(detector.report)
+      end
+    end
+
+    no_commands do
+      def with_error_handling
+        yield
+      rescue StandardError => e
+        puts "Warning: #{e}"
+      end
+    end
+  end
+end

data/lib/rogue_one/data/top_100.yml

@@ -0,0 +1,101 @@
+---
+- google.com
+- facebook.com
+- youtube.com
+- yahoo.com
+- baidu.com
+- wikipedia.org
+- qq.com
+- taobao.com
+- twitter.com
+- amazon.com
+- linkedin.com
+- live.com
+- google.co.in
+- sina.com.cn
+- hao123.com
+- blogspot.com
+- weibo.com
+- tmall.com
+- vk.com
+- wordpress.com
+- yahoo.co.jp
+- sohu.com
+- yandex.ru
+- ebay.com
+- google.de
+- bing.com
+- pinterest.com
+- google.co.uk
+- 163.com
+- 360.cn
+- google.fr
+- ask.com
+- instagram.com
+- google.co.jp
+- tumblr.com
+- msn.com
+- google.com.br
+- mail.ru
+- microsoft.com
+- xvideos.com
+- paypal.com
+- google.ru
+- soso.com
+- adcash.com
+- google.es
+- google.it
+- imdb.com
+- apple.com
+- imgur.com
+- neobux.com
+- craigslist.org
+- amazon.co.jp
+- t.co
+- xhamster.com
+- stackoverflow.com
+- reddit.com
+- google.com.mx
+- google.com.hk
+- cnn.com
+- google.ca
+- fc2.com
+- go.com
+- ifeng.com
+- bbc.co.uk
+- vube.com
+- people.com.cn
+- blogger.com
+- aliexpress.com
+- odnoklassniki.ru
+- wordpress.org
+- alibaba.com
+- gmw.cn
+- adobe.com
+- huffingtonpost.com
+- google.com.tr
+- xinhuanet.com
+- googleusercontent.com
+- youku.com
+- godaddy.com
+- pornhub.com
+- akamaihd.net
+- thepiratebay.se
+- kickass.to
+- google.com.au
+- amazon.de
+- clkmon.com
+- ebay.de
+- alipay.com
+- google.pl
+- espn.go.com
+- dailymotion.com
+- about.com
+- bp.blogspot.com
+- blogspot.in
+- netflix.com
+- vimeo.com
+- dailymail.co.uk
+- redtube.com
+- rakuten.co.jp
+- conduit.com

data/lib/rogue_one/detector.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module RogueOne
+  class Detector
+    attr_reader :target
+
+    GOOGLE_PUBLIC_DNS = "8.8.8.8"
+
+    def initialize(target:)
+      @target = target
+      @memo = Hash.new(0)
+      @mismatched_domains = []
+    end
+
+    def report
+      inspect
+
+      {
+        verdict: verdict,
+        landing_pages: landing_pages
+      }
+    end
+
+    private
+
+    def verdict
+      rogue_one? ? "rogue one" : "benign one"
+    end
+
+    def rogue_one?
+      @mismatched_domains.length > 50
+    end
+
+    def landing_pages
+      return [] unless rogue_one?
+
+      @memo.map do |ip, count|
+        count > 10 ? ip : nil
+      end.compact
+    end
+
+    def inspect
+      top_100_domains.each do |domain|
+        normal_result = normal_resolver.dig(domain, "A")
+        target_result = target_resolver.dig(domain, "A")
+
+        if normal_result != target_result
+          @mismatched_domains << domain
+          @memo[target_result] += 1 if target_result
+        end
+      end
+    end
+
+    def top_100_domains
+      @top_100_domains ||= YAML.safe_load(File.read(File.expand_path("./data/top_100.yml", __dir__)))
+    end
+
+    def normal_resolver
+      @normal_resolver ||= Resolver.new(nameserver: GOOGLE_PUBLIC_DNS)
+    end
+
+    def target_resolver
+      @target_resolver ||= Resolver.new(nameserver: target)
+    end
+  end
+end

data/lib/rogue_one/resolver.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "resolv"
+
+module RogueOne
+  class Resolver
+    attr_reader :nameserver
+
+    def initialize(nameserver:)
+      @nameserver = nameserver
+    end
+
+    def dig(domain, type)
+      _resolver.getresource(domain, resource_by_type(type)).address.to_s
+    rescue Resolv::ResolvError => e
+      nil
+    end
+
+    private
+
+    def _resolver
+      @_resolver ||= Resolv::DNS.new(nameserver: [nameserver])
+    end
+
+    def resource_by_type(type)
+      resources.dig(type.upcase.to_sym)
+    end
+
+    def resources
+      {
+        ANY: Resolv::DNS::Resource::IN::ANY,
+        NS: Resolv::DNS::Resource::IN::NS,
+        CNAME: Resolv::DNS::Resource::IN::CNAME,
+        SOA: Resolv::DNS::Resource::IN::SOA,
+        HINFO: Resolv::DNS::Resource::IN::HINFO,
+        MINFO: Resolv::DNS::Resource::IN::MINFO,
+        MX: Resolv::DNS::Resource::IN::MX,
+        TXT: Resolv::DNS::Resource::IN::TXT,
+        A: Resolv::DNS::Resource::IN::A,
+        WKS: Resolv::DNS::Resource::IN::WKS,
+        PTR: Resolv::DNS::Resource::IN::PTR,
+        AAAA: Resolv::DNS::Resource::IN::AAAA,
+        SRV: Resolv::DNS::Resource::IN::SRV,
+      }
+    end
+  end
+end

data/lib/rogue_one/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RogueOne
+  VERSION = "0.1.0"
+end

data/lib/rogue_one.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "rogue_one/version"
+
+require "rogue_one/resolver"
+require "rogue_one/detector"
+require "rogue_one/cli"
+
+module RogueOne
+  class Error < StandardError; end
+end

data/rogue_one.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "rogue_one/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "rogue_one"
+  spec.version       = RogueOne::VERSION
+  spec.authors       = ["Manabu Niseki"]
+  spec.email         = ["manabu.niseki@gmail.com"]
+
+  spec.summary       = "Rogue one: a rogue DNS detector"
+  spec.description   = 'Rogue one: a rogue DNS detector'
+  spec.homepage      = "https://github.com/ninoseki/rogue_one"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "coveralls", "~> 0.8"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.8"
+
+  spec.add_dependency "thor", "~> 0.19"
+end

metadata

@@ -0,0 +1,131 @@
+--- !ruby/object:Gem::Specification
+name: rogue_one
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Manabu Niseki
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-04-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: 'Rogue one: a rogue DNS detector'
+email:
+- manabu.niseki@gmail.com
+executables:
+- rogue_one
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/rogue_one
+- lib/rogue_one.rb
+- lib/rogue_one/cli.rb
+- lib/rogue_one/data/top_100.yml
+- lib/rogue_one/detector.rb
+- lib/rogue_one/resolver.rb
+- lib/rogue_one/version.rb
+- rogue_one.gemspec
+homepage: https://github.com/ninoseki/rogue_one
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: 'Rogue one: a rogue DNS detector'
+test_files: []