seeker-junos 0.0.5

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+gems

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/README.md

@@ -0,0 +1,34 @@
+# Seeker JunOS
+Finds hidden commands from JunOS devices by brute-forcing commands over SSH
+
+## Install
+```
+ % gem install seeker-junos
+ % cat >> ~/.netrc
+   machine Seeker
+     login <username>
+     password <passwrod>
+  ^d
+```
+
+## Run
+```
+% seeker-junos --level routing-options 193.88.239.31
+I, [2014-03-22T13:15:09.320710 #66906]  INFO -- : starting
+I, [2014-03-22T13:25:09.544325 #66906]  INFO -- : now at 'inhed', found 0 so far
+I, [2014-03-22T13:29:00.236750 #66906]  INFO -- : Found: 'kernel-options'
+I, [2014-03-22T13:31:59.445597 #66906]  INFO -- : Found: 'maximum-routes'
+I, [2014-03-22T13:34:41.146006 #66906]  INFO -- : Found: 'max-interface-supported'
+I, [2014-03-22T13:35:10.340298 #66906]  INFO -- : now at 'max-interface-supps', found 3 so far
+I, [2014-03-22T13:39:07.812630 #66906]  INFO -- : Found: 'nsr-phantom-holdtime'
+I, [2014-03-22T13:43:15.168970 #66906]  INFO -- : Found: 'rpd-server'
+I, [2014-03-22T13:45:09.499291 #66906]  INFO -- : now at 'task-accounc', found 5 so far
+I, [2014-03-22T13:45:31.663623 #66906]  INFO -- : Found: 'task-accounting'
+I, [2014-03-22T13:47:18.411653 #66906]  INFO -- : Found: 'task-scheduling'
+I, [2014-03-22T13:49:00.204509 #66906]  INFO -- : finishing, took 33.84805928741667 minutes
+["kernel-options", "maximum-routes", "max-interface-supported", "nsr-phantom-holdtime", "rpd-server", "task-accounting", "task-scheduling"]
+```
+Reports progress every 10min, outputs list of found commands when finished
+
+## Todo
+ * Full recurse, not just single level. Not sure if sane, as it already takes very fscking long to run

data/Rakefile

@@ -0,0 +1,47 @@
+begin
+  require 'rake/testtask'
+  require 'bundler'
+  Bundler.setup
+rescue LoadError
+  warn 'bunler missing'
+  exit 42
+end
+
+gemspec = eval(File.read(Dir['*.gemspec'].first))
+file    = [gemspec.name, gemspec.version].join('-') + '.gem'
+
+desc 'Validate gemspec'
+task :gemspec do
+  gemspec.validate
+end
+
+desc 'Run minitest'
+task :test do
+  Rake::TestTask.new do |t|
+    t.libs.push "lib"
+    t.test_files = FileList['spec/*_spec.rb']
+    t.verbose = true
+  end
+end
+
+desc 'Build gem'
+task :build do
+  system "gem build #{gemspec.name}.gemspec"
+  FileUtils.mkdir_p 'gems'
+  FileUtils.mv file, 'gems'
+end
+
+desc 'Install gem'
+task :install => :build do
+  system "sudo -E sh -c \'umask 022; gem install gems/#{file}\'"
+end
+
+desc 'Remove gems'
+task :clean do
+  FileUtils.rm_rf 'gems'
+end
+
+desc 'Push to rubygems'
+task :push do
+  system "gem push gems/#{file}"
+end

data/bin/seeker-junos

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby20
+
+$: << '/home/fisakytt/tmp/seeker/lib'
+
+begin
+  require 'seeker/junos/cli'
+  p Seeker::JunosCLI.new.result
+rescue => error
+  warn "#{error}"
+  raise if Seeker.debug > 0
+end

data/lib/seeker.rb

@@ -0,0 +1,15 @@
+require 'logger'
+
+module Seeker
+  class SeekerError < StandardError; end
+  class << self
+    def debug
+      @debug
+    end
+    def debug= arg
+      @debug=arg
+    end
+  end
+  Log = Logger.new STDOUT
+  Log.level = Logger::INFO
+end

data/lib/seeker/cli.rb

@@ -0,0 +1,35 @@
+require_relative '../seeker'
+require 'slop'
+require 'net/netrc'
+
+module Seeker
+  class CLI
+    NETRC_MACHINE = 'Seeker'
+    attr_reader :result
+    class NoAuthFound < SeekerError; end
+    class MissingHost < SeekerError; end
+
+    private
+    def initialize
+      @opts = opts_parse
+      if not @opts.present? :debug
+        Seeker.debug = 0
+      elsif @opts[:debug]
+        Seeker.debug = @opts[:debug].to_i
+      else
+        Seeker.debug = 1
+      end
+      Log.level = Logger::DEBUG if Seeker.debug > 0
+      args = @opts.parse
+      @host = args.first
+      raise MissingHost, 'no host given as argument' unless @host
+      @user, @password = netrc_get
+      @result = seek
+    end
+
+    def netrc_get machine=NETRC_MACHINE
+      auth = Net::Netrc.locate machine
+      [auth.login, auth.password] rescue raise NoAuthFound, "could not find authentication for #{machine} in .netrc"
+    end
+  end
+end

data/lib/seeker/junos.rb

@@ -0,0 +1,109 @@
+require_relative '../seeker'
+require_relative 'ssh'
+
+module Seeker
+  class Junos
+    KNOWN = %w( apply-flags apply-macro inherit )
+    CHARS = ('a'..'z').to_a + ('0'..'9').to_a + %w( - )
+    REPORT_INTERVAL = 10*60
+    INVALID_INTERFACES = [
+      /^error: invalid interface type/,
+      /^error: missing or invalid (?:device|fpc) number/,
+    ]
+
+    def seek
+      @ssh = ssh_connect
+      @ssh.cmd 'configure'
+      start = Time.now
+      @report = start+REPORT_INTERVAL
+      Log.info "starting"
+      seek_level @opts[:level]
+      Log.info "finishing, took #{(Time.now - start)/60} minutes"
+      @ssh.cmd 'rollback'
+      @ssh.cmd 'exit'
+      @ssh.close
+      @found
+    end
+
+    def seek_level level
+      @ssh.cmd 'edit ' + level if level
+      @known = known_get
+      find_hidden
+      @ssh.cmd 'top'
+    end
+
+    private
+
+    def find_hidden
+      CHARS.each do |c|
+        cmd = @cmd.join + c
+        if Time.now > @report
+          Log.info "now at '#{cmd}', found #{@found.size} so far"
+          @report += REPORT_INTERVAL
+        end
+        next if @known.include? cmd
+        o = @ssh.cmd 'set ' + cmd
+        if complete? o
+          Log.info "Found: '#{cmd}'"
+          @report += REPORT_INTERVAL
+          @found << cmd
+        elsif valid? o
+          @cmd << c
+          find_hidden
+          @cmd.pop
+        end
+      end
+    end
+
+    def valid? output
+      valid = true
+      output = output.split "\n"
+      output = output[1..-1]
+      if output[1].match(/^syntax error\./)
+        output = output.first.sub(/^(\s+).*/, '\1')
+        valid = false if output.size < @min_space
+      end
+      valid = false if INVALID_INTERFACES.any? {|re| output[0].match re}
+      valid
+    end
+
+    def complete? output
+      output = output.split "\n"
+      output = output[1..-1]
+      complete = true
+      complete = false if output[1].match(/^syntax error\./)
+      complete = false if output[1].match(/ is ambiguous\./)
+      complete = false if output[0].match(/^error: syntax error:/)
+      complete = false if INVALID_INTERFACES.any? {|re| output[0].match re}
+      complete
+    end
+
+    def known_get
+      o = @ssh.cmd 'set ?'
+      o = o.each_line.map do |line|
+        re = line.match(/^[\s>+] (\S+).*/)
+        re[1] if re
+      end
+      o.compact + KNOWN
+    end
+
+    def initialize host, user, password, opts
+      @host, @user, @password, @opts = host, user, password, opts
+      @ssh       = nil
+      @known     = nil
+      @min_space = nil
+      @report    = nil
+      @cmd       = []
+      @found     = []
+    end
+
+    def ssh_connect
+      ssh = SSH.new @host, @user, @password
+      ssh.cmd 'set cli complete-on-space off'
+      ssh.cmd 'set cli screen-length 0'
+      @min_space = ssh.prompt_seen.size + 5
+      ssh
+    end
+
+  end
+end

data/lib/seeker/junos/cli.rb

@@ -0,0 +1,17 @@
+require_relative '../cli'
+require_relative '../junos'
+module Seeker
+  class JunosCLI < CLI
+    def opts_parse
+      opts = Slop.parse(:help=>true) do
+        banner 'Usage: junos-seeker [options] hostname'
+        on 'l=', 'level', 'Level to start from, e.g. chassis, system, routing-options'
+        on 'd',  'debug', 'Debug (optionally with level)', :optional_argument=>true
+      end
+    end
+
+    def seek
+      Junos.new(@host, @user, @password, @opts).seek
+    end
+  end
+end

data/lib/seeker/ssh.rb

@@ -0,0 +1,64 @@
+require 'net/ssh'
+
+module Seeker
+  class SSH
+    TIMEOUT = 5
+    PROMPT  = /^[^\s>#]+[>#] /
+    SLEEP   = 0.001
+    attr_reader :prompt_seen
+    class NoSshShell < SeekerError; end
+
+    def cmd command
+      Log.debug "SSH: #{command}"
+      @output = ''
+      @session.send_data command + "\n"
+      @session.process
+      expect @prompt
+      @output
+    end
+
+    def close command='exit'
+      @session.send_data command +"\n"
+    end
+
+    private
+
+    def initialize host, user, password, prompt=PROMPT
+      @output      = ''
+      @prompt      = prompt
+      @prompt_seen = nil
+      @session     = nil
+      @ssh = Net::SSH.start host, user, :password=>password, :timeout=>TIMEOUT
+      shell_open
+      expect @prompt
+    end
+
+    def shell_open
+      @session = @ssh.open_channel do |channel|
+        channel.on_data do |channel, data|
+          $stderr.print data  if Seeker.debug > 1
+          @output << data
+        end
+        channel.request_pty do |channel, success|
+          raise NoSshShell, "Can't get PTY" unless success
+          channel.send_channel_request 'shell' do |channel, success|
+            raise NoSshShell, "Can't get shell" unless success
+          end
+        end
+      end
+    end
+
+    def expect regexp
+      Timeout::timeout(TIMEOUT) do
+        @ssh.loop(SLEEP) do
+          sleep SLEEP
+          re = @output.match regexp
+          @prompt_seen = re[0] if re
+          not re
+        end
+      end
+    end
+
+
+  end
+end

data/seeker-junos.gemspec

@@ -0,0 +1,18 @@
+Gem::Specification.new do |s|
+  s.name              = 'seeker-junos'
+  s.version           = '0.0.5'
+  s.platform          = Gem::Platform::RUBY
+  s.authors           = [ 'Saku Ytti' ]
+  s.email             = %w( saku@ytti.fi )
+  s.homepage          = 'http://github.com/ytti/seeker-junos'
+  s.summary           = 'find hidden commands in junos'
+  s.description       = 'logs via ssh to junos devices and brute forces hidden passwords out'
+  s.rubyforge_project = s.name
+  s.files             = `git ls-files`.split("\n")
+  s.executables       = %w( seeker-junos )
+  s.require_path      = 'lib'
+
+  s.add_dependency 'net-ssh'
+  s.add_dependency 'net-netrc'
+  s.add_dependency 'slop'
+end

metadata

@@ -0,0 +1,111 @@
+--- !ruby/object:Gem::Specification
+name: seeker-junos
+version: !ruby/object:Gem::Version
+  version: 0.0.5
+  prerelease: 
+platform: ruby
+authors:
+- Saku Ytti
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-netrc
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: slop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: logs via ssh to junos devices and brute forces hidden passwords out
+email:
+- saku@ytti.fi
+executables:
+- seeker-junos
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- bin/seeker-junos
+- lib/seeker.rb
+- lib/seeker/cli.rb
+- lib/seeker/junos.rb
+- lib/seeker/junos/cli.rb
+- lib/seeker/ssh.rb
+- seeker-junos.gemspec
+homepage: http://github.com/ytti/seeker-junos
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 526249442777840062
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 526249442777840062
+requirements: []
+rubyforge_project: seeker-junos
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: find hidden commands in junos
+test_files: []