yawast 0.5.0.beta1 → 0.5.0.beta2

data/lib/scanner/apache.rb

@@ -1,3 +1,5 @@
+require "base64"
+
 module Yawast
   module Scanner
     class Apache
@@ -36,37 +38,109 @@ module Yawast
       end
 
       def self.check_all(uri)
-        #this check for @apache may yield false negatives.. meh.
-        if @apache
-          #run all the defined checks
-          check_server_status(uri.copy)
-          check_server_info(uri.copy)
-        end
+        #run all the defined checks
+        check_server_status(uri.copy)
+        check_server_info(uri.copy)
+        check_tomcat_manager(uri.copy)
+        check_tomcat_version(uri.copy)
       end
 
       def self.check_server_status(uri)
-        uri.path = '/server-status'
+        check_page_for_string uri, '/server-status', 'Apache Server Status'
+      end
+
+      def self.check_server_info(uri)
+        check_page_for_string uri, '/server-info', 'Apache Server Information'
+      end
+
+      def self.check_tomcat_version(uri)
+        begin
+          req = Yawast::Shared::Http.get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          headers = Yawast::Shared::Http.get_headers
+          res = req.request(Xyz.new('/', headers))
+
+          if res.body != nil && res.body.include?('Apache Tomcat') && res.code == '501'
+            #check to see if there's a version number
+            version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body
+
+            if version != nil && version[0] != nil
+              Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}"
+              puts "\t\t\"curl -X XYZ #{uri}\""
+
+              puts ''
+            end
+          end
+        end
+      end
+
+      def self.check_tomcat_manager(uri)
+        check_tomcat_manager_paths uri, 'manager', 'Manager'
+        check_tomcat_manager_paths uri, 'host-manager', 'Host Manager'
+      end
+
+      def self.check_tomcat_manager_paths(uri, base_path, manager)
+        uri.path = "/#{base_path}/html"
         uri.query = '' if uri.query != nil
 
         ret = Yawast::Shared::Http.get(uri)
 
-        if ret.include? 'Apache Server Status'
-          Yawast::Utilities.puts_vuln "Apache Server Status page found: #{uri}"
+        if ret.include? '<tt>conf/tomcat-users.xml</tt>'
+          #this will get Tomcat 7+
+          Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+          check_tomcat_manager_passwords uri, manager
+
           puts ''
+        else
+          #check for Tomcat 6 and below
+          uri.path = "/#{base_path}"
+          ret = Yawast::Shared::Http.get(uri)
+
+          if ret.include? '<tt>conf/tomcat-users.xml</tt>'
+            Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+            check_tomcat_manager_passwords uri, manager
+
+            puts ''
+          end
         end
       end
 
-      def self.check_server_info(uri)
-        uri.path = '/server-info'
+      def self.check_tomcat_manager_passwords(uri, manager)
+        #check for known passwords
+        check_tomcat_manager_pwd_check uri, manager, 'tomcat:tomcat'
+        check_tomcat_manager_pwd_check uri, manager, 'tomcat:password'
+        check_tomcat_manager_pwd_check uri, manager, 'tomcat:'
+        check_tomcat_manager_pwd_check uri, manager, 'admin:admin'
+        check_tomcat_manager_pwd_check uri, manager, 'admin:password'
+        check_tomcat_manager_pwd_check uri, manager, 'admin:'
+      end
+
+      def self.check_tomcat_manager_pwd_check(uri, manager, credentials)
+        ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"})
+        if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') ||
+            ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>')
+          Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}"
+        end
+      end
+
+      def self.check_page_for_string(uri, path, search)
+        uri.path = path
         uri.query = '' if uri.query != nil
 
         ret = Yawast::Shared::Http.get(uri)
 
-        if ret.include? 'Apache Server Information'
-          Yawast::Utilities.puts_vuln "Apache Server Info page found: #{uri}"
+        if ret.include? search
+          Yawast::Utilities.puts_vuln "#{search} page found: #{uri}"
           puts ''
         end
       end
     end
+
+    #Custom class to allow using the XYZ verb
+    class Xyz < Net::HTTPRequest
+      METHOD = 'XYZ'
+      REQUEST_HAS_BODY = false
+      RESPONSE_HAS_BODY = true
+    end
   end
 end

data/lib/scanner/cert.rb

@@ -66,7 +66,7 @@ module Yawast
         return if domain == ''
 
         begin
-          socket = Socket.tcp(domain, 443, opts={connect_timeout: 8})
+          socket = Socket.tcp(domain, 443, {connect_timeout: 8})
 
           ctx = OpenSSL::SSL::SSLContext.new
           ctx.ciphers = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]

data/lib/scanner/core.rb

@@ -4,7 +4,7 @@ module Yawast
       def self.print_header
         Yawast.header
 
-        puts "Scanning: #{@uri.to_s}"
+        puts "Scanning: #{@uri}"
         puts
       end
 
@@ -17,7 +17,7 @@ module Yawast
           ssl_redirect = check_for_ssl_redirect
           if ssl_redirect
             @uri = ssl_redirect
-            puts "Server redirects to TLS: Scanning: #{@uri.to_s}"
+            puts "Server redirects to TLS: Scanning: #{@uri}"
           end
 
           Yawast.set_openssl_options
@@ -48,7 +48,7 @@ module Yawast
             Yawast::Scanner::Apache.check_all(@uri)
             Yawast::Scanner::Iis.check_all(@uri, head)
 
-            Yawast::Scanner::Plugins::Http::FilePresence.check_all @uri
+            Yawast::Scanner::Plugins::Http::FilePresence.check_all @uri, options.files
 
             Yawast::Scanner::Generic.check_propfind(@uri)
             Yawast::Scanner::Generic.check_options(@uri)
@@ -110,6 +110,7 @@ module Yawast
           end
 
           Yawast::Scanner::Ssl.check_hsts(head)
+          Yawast::Scanner::Ssl.check_hsts_preload @uri
         elsif @uri.scheme == 'http'
           puts 'Skipping TLS checks; URL is not HTTPS'
         end

data/lib/scanner/generic.rb

@@ -1,4 +1,5 @@
 require 'ipaddr_extensions'
+require 'json'
 
 module Yawast
   module Scanner
@@ -24,8 +25,12 @@ module Yawast
                 if IPAddr.new(ip.address.to_s, Socket::AF_INET).private?
                   options.internalssl = true
                 else
-                  puts "\t\t\t\thttps://www.shodan.io/host/#{ip.address}"
-                  puts "\t\t\t\thttps://censys.io/ipv4/#{ip.address}"
+                  #show network info
+                  get_network_info ip
+                  get_network_location_info ip
+
+                  puts "\t\t\thttps://www.shodan.io/host/#{ip.address}"
+                  puts "\t\t\thttps://censys.io/ipv4/#{ip.address}"
                 end
               end
             end
@@ -45,7 +50,11 @@ module Yawast
                 if IPAddr.new(ip.address.to_s, Socket::AF_INET6).private?
                   options.internalssl = true
                 else
-                  puts "\t\t\t\thttps://www.shodan.io/host/#{ip.address.to_s.downcase}"
+                  #show network info
+                  get_network_info ip
+                  get_network_location_info ip
+
+                  puts "\t\t\thttps://www.shodan.io/host/#{ip.address.to_s.downcase}"
                 end
               end
             end
@@ -79,6 +88,29 @@ module Yawast
         end
       end
 
+      def self.get_network_info(ip)
+        begin
+          network_info = JSON.parse(Net::HTTP.get(URI("https://api.iptoasn.com/v1/as/ip/#{ip.address}")))
+
+          Yawast::Utilities.puts_info "\t\t\t#{network_info['as_country_code']} - #{network_info['as_description']}"
+        rescue => e
+          Yawast::Utilities.puts_error "Error getting network information: #{e.message}"
+        end
+      end
+
+      def self.get_network_location_info(ip)
+        begin
+          info = JSON.parse(Net::HTTP.get(URI("https://freegeoip.net/json/#{ip.address}")))
+          location = [info['city'], info['region_name'], info['country_code']].reject { |c| c.empty? }.join(', ')
+
+          if location != nil && !location.empty?
+            Yawast::Utilities.puts_info "\t\t\t#{location}"
+          end
+        rescue => e
+          Yawast::Utilities.puts_error "Error getting location information: #{e.message}"
+        end
+      end
+
       def self.head_info(head, uri)
         begin
           server = ''

data/lib/scanner/iis.rb

@@ -11,8 +11,6 @@ module Yawast
       end
 
       def self.check_all(uri, head)
-        return unless @iis
-
         #run all the defined checks
         check_asp_banner(head)
         check_mvc_version(head)
@@ -20,18 +18,17 @@ module Yawast
       end
 
       def self.check_asp_banner(head)
-        head.each do |k, v|
-          if k.downcase == 'x-aspnet-version'
-            Yawast::Utilities.puts_warn "ASP.NET Version: #{v}"
-            puts ''
-          end
-        end
+        check_header_value head, 'x-aspnet-version', 'ASP.NET'
       end
 
       def self.check_mvc_version(head)
+        check_header_value head, 'x-aspnetmvc-version', 'ASP.NET MVC'
+      end
+
+      def self.check_header_value(head, search, message)
         head.each do |k, v|
-          if k.downcase == 'x-aspnetmvc-version'
-            Yawast::Utilities.puts_warn "ASP.NET MVC Version: #{v}"
+          if k.downcase == search
+            Yawast::Utilities.puts_warn "#{message} Version: #{v}"
             puts ''
           end
         end

data/lib/scanner/plugins/http/directory_search.rb

@@ -16,7 +16,7 @@ module Yawast
             if search_list == nil
               @search_list = []
 
-              File.open(File.dirname(__FILE__) + '/../../../resources/common.txt', 'r') do |f|
+              File.open(File.dirname(__FILE__) + '/../../../resources/common_dir.txt', 'r') do |f|
                 f.each_line do |line|
                   @search_list.push line.strip
                 end
@@ -72,10 +72,15 @@ module Yawast
           def self.load_queue(uri)
             @search_list.each do |line|
               check = uri.copy
-              check.path = check.path + "#{line}/"
 
-              #add the job to the queue
-              @jobs.push check
+              begin
+                check.path = check.path + "#{line}/"
+
+                #add the job to the queue
+                @jobs.push check
+              rescue
+                #who cares
+              end
             end
           end
 
@@ -84,11 +89,11 @@ module Yawast
               res = Yawast::Shared::Http.head uri
 
               if res.code == '200'
-                @results.push "\tFound: '#{uri.to_s}'"
+                @results.push "\tFound: '#{uri}'"
 
                 load_queue uri if @recursive
               elsif res.code == '301' && @list_redirects
-                @results.push "\tFound Redirect: '#{uri.to_s} -> '#{res['Location']}'"
+                @results.push "\tFound Redirect: '#{uri} -> '#{res['Location']}'"
               end
             rescue => e
               Yawast::Utilities.puts_error "Error searching for directories (#{e.message})"

data/lib/scanner/plugins/http/file_presence.rb

@@ -25,7 +25,7 @@ module Yawast
             end
           end
 
-          def self.check_all(uri)
+          def self.check_all(uri, common_files)
             #first, we need to see if the site responds to 404 in a reasonable way
             fake_uri = uri.copy
             fake_uri.path = "/#{SecureRandom.hex}/"
@@ -44,6 +44,14 @@ module Yawast
             check_elmah_axd uri
             check_readme_html uri
             check_release_notes_txt uri
+
+            if common_files
+              puts ''
+              puts 'Checking for common files (this will take a few minutes)...'
+              check_common uri
+            end
+
+            puts ''
           end
 
           def self.check_source_control(uri)
@@ -51,6 +59,7 @@ module Yawast
             check_path(uri, '/.hg/', true)
             check_path(uri, '/.svn/', true)
             check_path(uri, '/.bzr/', true)
+            check_path(uri, '/.csv/', true)
           end
 
           def self.check_cross_domain(uri)
@@ -82,6 +91,85 @@ module Yawast
 
           def self.check_release_notes_txt(uri)
             check_path(uri, '/RELEASE-NOTES.txt', false)
+            check_path(uri, '/docs/RELEASE-NOTES.txt', false)
+          end
+
+          def self.check_common(uri)
+            begin
+              @search_list = []
+
+              File.open(File.dirname(__FILE__) + '/../../../resources/common_file.txt', 'r') do |f|
+                f.each_line do |line|
+                  @search_list.push line.strip
+                end
+              end
+
+              pool_size = 16
+              @jobs = Queue.new
+              @results = Queue.new
+
+              #load the queue, starting at /
+              base = uri.copy
+              base.path = '/'
+              load_queue base
+
+              workers = (pool_size).times.map do
+                Thread.new do
+                  begin
+                    while (check = @jobs.pop(true))
+                      process check
+                    end
+                  rescue ThreadError
+                    #do nothing
+                  end
+                end
+              end
+
+              results = Thread.new do
+                begin
+                  while true
+                    if @results.length > 0
+                      out = @results.pop(true)
+                      Yawast::Utilities.puts_info out
+                    end
+                  end
+                rescue ThreadError
+                  #do nothing
+                end
+              end
+
+              workers.map(&:join)
+              results.terminate
+            rescue => e
+              Yawast::Utilities.puts_error "Error searching for files (#{e.message})"
+            end
+          end
+
+          def self.load_queue(uri)
+            @search_list.each do |line|
+              check = uri.copy
+
+              begin
+                check.path = "/#{line}"
+
+                #add the job to the queue
+                @jobs.push check
+              rescue
+                #who cares
+              end
+            end
+          end
+
+          def self.process(uri)
+            begin
+              res = Yawast::Shared::Http.head uri
+
+              if res.code == '200'
+                @results.push "'#{uri.path}' found: #{uri}"
+              end
+            rescue => e
+              Yawast::Utilities.puts_error "Error searching for file '#{uri.path}' (#{e.message})"
+            end
           end
         end
       end