rogue_one 0.1.4 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +39 -5
- data/images/eyecatch.png +0 -0
- data/lib/rogue_one.rb +2 -0
- data/lib/rogue_one/cli.rb +5 -1
- data/lib/rogue_one/detector.rb +36 -8
- data/lib/rogue_one/domain_list.rb +31 -0
- data/lib/rogue_one/version.rb +1 -1
- data/rogue_one.gemspec +4 -4
- metadata +13 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: da6511f3f76c39a222c7b41458dd08675358923709006f56452e966369f166c9
|
|
4
|
+
data.tar.gz: 99ecea46070225babfb4c2b5f9d51da679a026afb22a443cadb6939e7507b697
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7436a460f227a78b52d6bf57d85ac6e1f1b929f3b675aa02423f8cc5dc89a071cf01dc639e9ae20b688cb350bd99ec3cfef54332a07c56007b1364d82f96daab
|
|
7
|
+
data.tar.gz: 053b1f8f9a5c6eb5bf8b10654899bf7a41e106fa7fe412ce4e1fd27ad1917efd822a121464ba873ec698ea7d424d553cde8e85cd2f0ca53d26dd6cf11ac26b63
|
data/README.md
CHANGED
|
@@ -1,9 +1,22 @@
|
|
|
1
|
-
# Rogue one
|
|
1
|
+
# Rogue one
|
|
2
2
|
|
|
3
3
|
[](https://badge.fury.io/rb/rogue_one)
|
|
4
4
|
[](https://travis-ci.org/ninoseki/rogue_one)
|
|
5
|
+
[](https://www.codefactor.io/repository/github/ninoseki/rogue_one)
|
|
5
6
|
[](https://coveralls.io/github/ninoseki/rogue_one?branch=master)
|
|
6
7
|
|
|
8
|
+
A tiny tool for detecting a rogue DNS server and extracting landing pages from the rogue DNS server.
|
|
9
|
+
|
|
10
|
+
## How it works
|
|
11
|
+
|
|
12
|
+
|
|
13
|
+
|
|
14
|
+
IPv4 space is vast. But an attacker could secure a few numbers of IP addresses for landing pages.
|
|
15
|
+
It means you can (probably) find malicious landing pages by using the following methods.
|
|
16
|
+
|
|
17
|
+
- Resolving a bunch of domains by using a rogue DNS.
|
|
18
|
+
- Finding frequent IPv4s from the resolutions. They might be landing pages.
|
|
19
|
+
|
|
7
20
|
## Installation
|
|
8
21
|
|
|
9
22
|
```bash
|
|
@@ -18,6 +31,16 @@ Commands:
|
|
|
18
31
|
rogue_one help [COMMAND] # Describe available commands or one specific command
|
|
19
32
|
rogue_one report [DNS_SERVER] # Show a report of a given DNS server
|
|
20
33
|
|
|
34
|
+
$ rogue_one help report
|
|
35
|
+
Usage:
|
|
36
|
+
rogue_one report [DNS_SERVER]
|
|
37
|
+
|
|
38
|
+
Options:
|
|
39
|
+
[--custom-list=CUSTOM_LIST] # A path to a custom list of domains
|
|
40
|
+
[--verbose], [--no-verbose]
|
|
41
|
+
|
|
42
|
+
Show a report of a given DNS server
|
|
43
|
+
|
|
21
44
|
$ rogue_one report 1.1.1.1
|
|
22
45
|
{
|
|
23
46
|
"verdict": "benign one",
|
|
@@ -35,12 +58,23 @@ $ rogue_one report 1.53.252.215
|
|
|
35
58
|
"61.230.102.66"
|
|
36
59
|
]
|
|
37
60
|
}
|
|
61
|
+
|
|
62
|
+
$ rogue_one report 171.244.3.111 --custom-list tmp/roaming.yml
|
|
63
|
+
{
|
|
64
|
+
"verdict": "rogue one",
|
|
65
|
+
"landing_pages": [
|
|
66
|
+
"154.223.53.53",
|
|
67
|
+
"58.82.243.9"
|
|
68
|
+
]
|
|
69
|
+
}
|
|
70
|
+
# Note: a custom list should be an array of domains in YAML format.
|
|
38
71
|
```
|
|
39
72
|
|
|
40
|
-
| Key | Desc.
|
|
41
|
-
|
|
42
|
-
| verdict | A detection result (`rogue one` or `benign one`)
|
|
43
|
-
| landing_pages | An array of IP of landing pages
|
|
73
|
+
| Key | Desc. |
|
|
74
|
+
|---------------|--------------------------------------------------------------------------|
|
|
75
|
+
| verdict | A detection result (`rogue one` or `benign one`) |
|
|
76
|
+
| landing_pages | An array of IP of landing pages |
|
|
77
|
+
| results | DNS resolution results (only available if --verbose option is specified) |
|
|
44
78
|
|
|
45
79
|
## Notes
|
|
46
80
|
|
data/images/eyecatch.png
ADDED
|
Binary file
|
data/lib/rogue_one.rb
CHANGED
data/lib/rogue_one/cli.rb
CHANGED
|
@@ -6,11 +6,15 @@ require "json"
|
|
|
6
6
|
module RogueOne
|
|
7
7
|
class CLI < Thor
|
|
8
8
|
desc "report [DNS_SERVER]", "Show a report of a given DNS server"
|
|
9
|
+
method_option :custom_list, type: :string, desc: "A path to a custom list of domains"
|
|
10
|
+
method_option :verbose, type: :boolean
|
|
9
11
|
def report(dns_server)
|
|
10
12
|
with_error_handling do
|
|
11
13
|
Ping.pong? dns_server
|
|
12
14
|
|
|
13
|
-
|
|
15
|
+
custom_list = options["custom_list"]
|
|
16
|
+
verbose = options["verbose"]
|
|
17
|
+
detector = Detector.new(target: dns_server, custom_list: custom_list, verbose: verbose)
|
|
14
18
|
puts JSON.pretty_generate(detector.report)
|
|
15
19
|
end
|
|
16
20
|
end
|
data/lib/rogue_one/detector.rb
CHANGED
|
@@ -6,18 +6,24 @@ require "parallel"
|
|
|
6
6
|
module RogueOne
|
|
7
7
|
class Detector
|
|
8
8
|
attr_reader :target
|
|
9
|
+
attr_reader :custom_list
|
|
10
|
+
attr_reader :verbose
|
|
9
11
|
|
|
10
12
|
GOOGLE_PUBLIC_DNS = "8.8.8.8"
|
|
11
13
|
|
|
12
|
-
def initialize(target:)
|
|
14
|
+
def initialize(target:, custom_list: nil, verbose: false)
|
|
13
15
|
@target = target
|
|
16
|
+
@custom_list = custom_list
|
|
17
|
+
@verbose = verbose
|
|
18
|
+
|
|
14
19
|
@memo = {}
|
|
20
|
+
@verbose_memo = nil
|
|
15
21
|
end
|
|
16
22
|
|
|
17
23
|
def report
|
|
18
24
|
inspect
|
|
19
25
|
|
|
20
|
-
{ verdict: verdict, landing_pages: landing_pages }
|
|
26
|
+
{ verdict: verdict, landing_pages: landing_pages, results: results }.compact
|
|
21
27
|
end
|
|
22
28
|
|
|
23
29
|
private
|
|
@@ -30,27 +36,49 @@ module RogueOne
|
|
|
30
36
|
!landing_pages.empty?
|
|
31
37
|
end
|
|
32
38
|
|
|
39
|
+
def threshold
|
|
40
|
+
@threshold ||= (domains.length.to_f / 10.0).ceil
|
|
41
|
+
end
|
|
42
|
+
|
|
33
43
|
def landing_pages
|
|
34
44
|
@memo.map do |ip, count|
|
|
35
|
-
count >
|
|
45
|
+
count > threshold ? ip : nil
|
|
36
46
|
end.compact.sort
|
|
37
47
|
end
|
|
38
48
|
|
|
49
|
+
def results
|
|
50
|
+
@verbose_memo
|
|
51
|
+
end
|
|
52
|
+
|
|
39
53
|
def inspect
|
|
40
54
|
return unless @memo.empty?
|
|
41
55
|
|
|
42
|
-
results = Parallel.map(
|
|
56
|
+
results = Parallel.map(domains) do |domain|
|
|
43
57
|
normal_result = normal_resolver.dig(domain, "A")
|
|
44
58
|
target_result = target_resolver.dig(domain, "A")
|
|
45
59
|
|
|
46
|
-
target_result if target_result && normal_result != target_result
|
|
47
|
-
end.compact
|
|
60
|
+
[domain, target_result] if target_result && normal_result != target_result
|
|
61
|
+
end.compact.to_h
|
|
48
62
|
|
|
49
|
-
@memo = results.group_by(&:itself).map { |k, v| [k, v.length] }.to_h
|
|
63
|
+
@memo = results.values.group_by(&:itself).map { |k, v| [k, v.length] }.to_h
|
|
64
|
+
@verbose_memo = results if verbose
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def domains
|
|
68
|
+
@domains ||= custom_domains || top_100_domains
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
def custom_domains
|
|
72
|
+
read_domains custom_list
|
|
50
73
|
end
|
|
51
74
|
|
|
52
75
|
def top_100_domains
|
|
53
|
-
|
|
76
|
+
read_domains File.expand_path("./data/top_100.yml", __dir__)
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def read_domains(path)
|
|
80
|
+
list = DomainList.new(path)
|
|
81
|
+
list.valid? ? list.domains : nil
|
|
54
82
|
end
|
|
55
83
|
|
|
56
84
|
def normal_resolver
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "yaml"
|
|
4
|
+
|
|
5
|
+
module RogueOne
|
|
6
|
+
class DomainList
|
|
7
|
+
attr_reader :path
|
|
8
|
+
|
|
9
|
+
def initialize(path)
|
|
10
|
+
@path = path.to_s
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def valid?
|
|
14
|
+
exists? && valid_format?
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def domains
|
|
18
|
+
@domains ||= exists? ? YAML.safe_load(File.read(path)) : nil
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
private
|
|
22
|
+
|
|
23
|
+
def exists?
|
|
24
|
+
File.exist?(path)
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def valid_format?
|
|
28
|
+
domains.is_a? Array
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
data/lib/rogue_one/version.rb
CHANGED
data/rogue_one.gemspec
CHANGED
|
@@ -26,9 +26,9 @@ Gem::Specification.new do |spec|
|
|
|
26
26
|
|
|
27
27
|
spec.add_development_dependency "bundler", "~> 2.0"
|
|
28
28
|
spec.add_development_dependency "coveralls", "~> 0.8"
|
|
29
|
-
spec.add_development_dependency "rake", "~>
|
|
30
|
-
spec.add_development_dependency "rspec", "~> 3.
|
|
29
|
+
spec.add_development_dependency "rake", "~> 13.0"
|
|
30
|
+
spec.add_development_dependency "rspec", "~> 3.9"
|
|
31
31
|
|
|
32
|
-
spec.add_dependency "parallel", "~> 1.
|
|
33
|
-
spec.add_dependency "thor", "~> 0.
|
|
32
|
+
spec.add_dependency "parallel", "~> 1.18"
|
|
33
|
+
spec.add_dependency "thor", "~> 0.20"
|
|
34
34
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rogue_one
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-10-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -44,56 +44,56 @@ dependencies:
|
|
|
44
44
|
requirements:
|
|
45
45
|
- - "~>"
|
|
46
46
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: '
|
|
47
|
+
version: '13.0'
|
|
48
48
|
type: :development
|
|
49
49
|
prerelease: false
|
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
51
|
requirements:
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: '
|
|
54
|
+
version: '13.0'
|
|
55
55
|
- !ruby/object:Gem::Dependency
|
|
56
56
|
name: rspec
|
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
|
58
58
|
requirements:
|
|
59
59
|
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: '3.
|
|
61
|
+
version: '3.9'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: '3.
|
|
68
|
+
version: '3.9'
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: parallel
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
72
72
|
requirements:
|
|
73
73
|
- - "~>"
|
|
74
74
|
- !ruby/object:Gem::Version
|
|
75
|
-
version: '1.
|
|
75
|
+
version: '1.18'
|
|
76
76
|
type: :runtime
|
|
77
77
|
prerelease: false
|
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
|
79
79
|
requirements:
|
|
80
80
|
- - "~>"
|
|
81
81
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: '1.
|
|
82
|
+
version: '1.18'
|
|
83
83
|
- !ruby/object:Gem::Dependency
|
|
84
84
|
name: thor
|
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '0.
|
|
89
|
+
version: '0.20'
|
|
90
90
|
type: :runtime
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '0.
|
|
96
|
+
version: '0.20'
|
|
97
97
|
description: 'Rogue one: a rogue DNS detector'
|
|
98
98
|
email:
|
|
99
99
|
- manabu.niseki@gmail.com
|
|
@@ -112,10 +112,12 @@ files:
|
|
|
112
112
|
- bin/console
|
|
113
113
|
- bin/setup
|
|
114
114
|
- exe/rogue_one
|
|
115
|
+
- images/eyecatch.png
|
|
115
116
|
- lib/rogue_one.rb
|
|
116
117
|
- lib/rogue_one/cli.rb
|
|
117
118
|
- lib/rogue_one/data/top_100.yml
|
|
118
119
|
- lib/rogue_one/detector.rb
|
|
120
|
+
- lib/rogue_one/domain_list.rb
|
|
119
121
|
- lib/rogue_one/ping.rb
|
|
120
122
|
- lib/rogue_one/resolver.rb
|
|
121
123
|
- lib/rogue_one/version.rb
|
|
@@ -139,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
139
141
|
- !ruby/object:Gem::Version
|
|
140
142
|
version: '0'
|
|
141
143
|
requirements: []
|
|
142
|
-
rubygems_version: 3.0.
|
|
144
|
+
rubygems_version: 3.0.3
|
|
143
145
|
signing_key:
|
|
144
146
|
specification_version: 4
|
|
145
147
|
summary: 'Rogue one: a rogue DNS detector'
|