yawast 0.6.0.beta2 → 0.6.0.beta3

data/lib/scanner/plugins/dns/caa.rb

@@ -8,36 +8,37 @@ module Yawast
         class CAA
           def self.caa_info(uri)
             # force DNS resolver to something that works
-            res = Resolver.new({:nameserver => ['8.8.8.8']})
+            # this is done to ensure that ISP resolvers don't get in the way
+            # at some point, should probably do something else, but works for now
+            @res = Resolver.new({:nameserver => ['8.8.8.8']})
+
+            # setup a list of domains already checked, so we can skip them
+            @checked = Array.new
 
             domain = uri.host.to_s
 
-            #BUG: this is a basic implementation that ignores CNAMEs/etc
+            chase_domain domain
+          end
+
+          def self.chase_domain(domain)
             while domain != '' do
               begin
-                ans = res.query(domain, 'CAA')
-
-                # check if we have any response
-                if ans.answer.count > 0
-                  ans.answer.each do |rec|
-                    # check for CNAME first
-                    if rec.type == 'CNAME'
-                      Yawast::Utilities.puts_info "\t\tCAA (#{domain}): CNAME Found: -> #{rec.rdata}"
+                # check to see if we've already ran into this one
+                if @checked.include? domain
+                  return
+                end
+                @checked.push domain
 
-                      follow_cname res,rec
-                    else
-                      # check for RDATA
-                      if rec.rdata != nil
-                        Yawast::Utilities.puts_info "\t\tCAA (#{domain}): #{rec.rdata}"
-                      else
-                        Yawast::Utilities.puts_error "\t\tCAA (#{domain}): Invalid Response: #{ans.answer}"
-                      end
-                    end
-                  end
+                # first, see if this is a CNAME. we do this explicitly because
+                # some resolvers flatten in an odd way that prevents just checking
+                # for the CAA record directly
+                cname = get_cname_record(domain)
+                if cname != nil
+                  Yawast::Utilities.puts_info "\t\tCAA (#{domain}): CNAME Found: -> #{cname}"
+                  chase_domain cname.to_s
                 else
-                  Yawast::Utilities.puts_info "\t\tCAA (#{domain}): No Records Found"
+                  print_caa_record domain
                 end
-
               rescue => e
                 Yawast::Utilities.puts_error "\t\tCAA (#{domain}): #{e.message}"
               end
@@ -47,33 +48,31 @@ module Yawast
             end
           end
 
-          def self.follow_cname(res, rec)
-            # we have a CNAME, so we should check the target, and see if it has anything
-            #  then, we'll continue searching the chain.
-            cname = rec.rdata
-            while cname != ''
-              cname_ans = res.query(cname, 'CAA')
+          def self.get_cname_record(domain)
+            ans = @res.query(domain, 'CNAME')
 
-              if cname_ans.answer.count > 0
-                ans.answer.each do |record|
-                  if record.type == 'CNAME'
-                    # another CNAME
-                    Yawast::Utilities.puts_info "\t\tCAA (#{domain}): CNAME Found: -> #{rec.rdata}"
-                    cname = rec.rdata
-                  else
-                    if record.rdata != nil
-                      Yawast::Utilities.puts_info "\t\tCAA (#{domain}): #{record.rdata}"
-                    else
-                      Yawast::Utilities.puts_error "\t\tCAA (#{domain}): Invalid Response: #{record.answer}"
-                    end
+            if ans.answer[0] != nil
+              return ans.answer[0].rdata
+            else
+              return nil
+            end
+          end
 
-                    cname = ''
-                  end
+          def self.print_caa_record(domain)
+            ans = @res.query(domain, 'CAA')
+
+            if ans.answer.count > 0
+              ans.answer.each do |rec|
+                # check for RDATA
+                if rec.rdata != nil
+                  Yawast::Utilities.puts_info "\t\tCAA (#{domain}): #{rec.rdata}"
+                else
+                  Yawast::Utilities.puts_error "\t\tCAA (#{domain}): Invalid Response: #{ans.answer}"
                 end
-              else
-                Yawast::Utilities.puts_info "\t\tCAA (#{cname}): No Records Found"
-                cname = ''
               end
+            else
+              # no answer, so no records
+              Yawast::Utilities.puts_info "\t\tCAA (#{domain}): No Records Found"
             end
           end
         end

data/lib/scanner/plugins/servers/apache.rb

@@ -0,0 +1,171 @@
+require 'base64'
+require 'securerandom'
+
+module Yawast
+  module Scanner
+    module Plugins
+      module Servers
+        class Apache
+          def self.check_banner(banner)
+            #don't bother if this doesn't look like Apache
+            return unless banner.include? 'Apache'
+            @apache = true
+
+            modules = banner.split(' ')
+            server = modules[0]
+
+            #fix '(distro)' issue, such as with 'Apache/2.2.22 (Ubuntu)'
+            # if we don't do this, it triggers a false positive on the module check
+            if /\(\w*\)/.match modules[1]
+              server += " #{modules[1]}"
+              modules.delete_at 1
+            end
+
+            #print the server info no matter what we do next
+            Yawast::Utilities.puts_info "Apache Server: #{server}"
+            modules.delete_at 0
+
+            if modules.count > 0
+              Yawast::Utilities.puts_warn 'Apache Server: Module listing enabled'
+              modules.each { |mod| Yawast::Utilities.puts_warn "\t\t#{mod}" }
+              puts ''
+
+              #check for special items
+              modules.each do |mod|
+                if mod.include? 'OpenSSL'
+                  Yawast::Utilities.puts_warn "OpenSSL Version Disclosure: #{mod}"
+                  puts ''
+                end
+              end
+            end
+          end
+
+          def self.check_all(uri)
+            #run all the defined checks
+            check_server_status(uri.copy)
+            check_server_info(uri.copy)
+            check_tomcat_manager(uri.copy)
+            check_tomcat_version(uri.copy)
+            check_tomcat_put_rce(uri.copy)
+          end
+
+          def self.check_server_status(uri)
+            check_page_for_string uri, '/server-status', 'Apache Server Status'
+          end
+
+          def self.check_server_info(uri)
+            check_page_for_string uri, '/server-info', 'Apache Server Information'
+          end
+
+          def self.check_tomcat_version(uri)
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              headers = Yawast::Shared::Http.get_headers
+              res = req.request(Xyz.new('/', headers))
+
+              if res.body != nil && res.body.include?('Apache Tomcat') && res.code == '501'
+                #check to see if there's a version number
+                version = /Apache Tomcat\/\d*.\d*.\d*\b/.match res.body
+
+                if version != nil && version[0] != nil
+                  Yawast::Utilities.puts_warn "Apache Tomcat Version Found: #{version[0]}"
+                  puts "\t\t\"curl -X XYZ #{uri}\""
+
+                  puts ''
+                end
+              end
+            end
+          end
+
+          def self.check_tomcat_manager(uri)
+            check_tomcat_manager_paths uri, 'manager', 'Manager'
+            check_tomcat_manager_paths uri, 'host-manager', 'Host Manager'
+          end
+
+          def self.check_tomcat_manager_paths(uri, base_path, manager)
+            uri.path = "/#{base_path}/html"
+            uri.query = '' if uri.query != nil
+
+            ret = Yawast::Shared::Http.get(uri)
+
+            if ret.include? '<tt>conf/tomcat-users.xml</tt>'
+              #this will get Tomcat 7+
+              Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+              check_tomcat_manager_passwords uri, manager
+
+              puts ''
+            else
+              #check for Tomcat 6 and below
+              uri.path = "/#{base_path}"
+              ret = Yawast::Shared::Http.get(uri)
+
+              if ret.include? '<tt>conf/tomcat-users.xml</tt>'
+                Yawast::Utilities.puts_warn "Apache Tomcat #{manager} page found: #{uri}"
+                check_tomcat_manager_passwords uri, manager
+
+                puts ''
+              end
+            end
+          end
+
+          def self.check_tomcat_manager_passwords(uri, manager)
+            #check for known passwords
+            check_tomcat_manager_pwd_check uri, manager, 'tomcat:tomcat'
+            check_tomcat_manager_pwd_check uri, manager, 'tomcat:password'
+            check_tomcat_manager_pwd_check uri, manager, 'tomcat:'
+            check_tomcat_manager_pwd_check uri, manager, 'admin:admin'
+            check_tomcat_manager_pwd_check uri, manager, 'admin:password'
+            check_tomcat_manager_pwd_check uri, manager, 'admin:'
+          end
+
+          def self.check_tomcat_manager_pwd_check(uri, manager, credentials)
+            ret = Yawast::Shared::Http.get(uri, {'Authorization' => "Basic #{Base64.encode64(credentials)}"})
+            if ret.include?('<font size="+2">Tomcat Web Application Manager</font>') ||
+                ret.include?('<font size="+2">Tomcat Virtual Host Manager</font>')
+              Yawast::Utilities.puts_vuln "Apache Tomcat #{manager} weak password: #{credentials}"
+            end
+          end
+
+          def self.check_tomcat_put_rce(uri)
+            # CVE-2017-12615
+            uri.path = "/#{SecureRandom.hex}.jsp/"
+            uri.query = '' if uri.query != nil
+
+            # we'll use this to verify that it actually worked
+            check_value = SecureRandom.hex
+
+            # upload the JSP file
+            req_data = "<% out.println(\"#{check_value}\");%>"
+            Yawast::Shared::Http.put(uri, req_data)
+
+            # check to see of we get check_value back
+            res = Yawast::Shared::Http.get(uri)
+            if res.include? check_value
+              Yawast::Utilities.puts_vuln "Apache Tomcat PUT RCE (CVE-2017-12615): #{uri}"
+            end
+          end
+
+          def self.check_page_for_string(uri, path, search)
+            uri.path = path
+            uri.query = '' if uri.query != nil
+
+            ret = Yawast::Shared::Http.get(uri)
+
+            if ret.include? search
+              Yawast::Utilities.puts_vuln "#{search} page found: #{uri}"
+              puts ''
+            end
+          end
+        end
+
+        #Custom class to allow using the XYZ verb
+        class Xyz < Net::HTTPRequest
+          METHOD = 'XYZ'
+          REQUEST_HAS_BODY = false
+          RESPONSE_HAS_BODY = true
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/servers/iis.rb

@@ -0,0 +1,64 @@
+module Yawast
+  module Scanner
+    module Plugins
+      module Servers
+        class Iis
+          def self.check_banner(banner)
+            #don't bother if this doesn't include IIS
+            return unless banner.include? 'Microsoft-IIS/'
+            @iis = true
+
+            Yawast::Utilities.puts_warn "IIS Version: #{banner}"
+            puts ''
+          end
+
+          def self.check_all(uri, head)
+            #run all the defined checks
+            check_asp_banner(head)
+            check_mvc_version(head)
+            check_asp_net_debug(uri)
+          end
+
+          def self.check_asp_banner(head)
+            check_header_value head, 'x-aspnet-version', 'ASP.NET'
+          end
+
+          def self.check_mvc_version(head)
+            check_header_value head, 'x-aspnetmvc-version', 'ASP.NET MVC'
+          end
+
+          def self.check_header_value(head, search, message)
+            head.each do |k, v|
+              if k.downcase == search
+                Yawast::Utilities.puts_warn "#{message} Version: #{v}"
+                puts ''
+              end
+            end
+          end
+
+          def self.check_asp_net_debug(uri)
+            begin
+              req = Yawast::Shared::Http.get_http(uri)
+              req.use_ssl = uri.scheme == 'https'
+              headers = Yawast::Shared::Http.get_headers
+              headers['Command'] = 'stop-debug'
+              headers['Accept'] = '*/*'
+              res = req.request(Debug.new('/', headers))
+
+              if res.code == 200
+                Yawast::Utilities.puts_vuln 'ASP.NET Debugging Enabled'
+              end
+            end
+          end
+        end
+
+        #Custom class to allow using the DEBUG verb
+        class Debug < Net::HTTPRequest
+          METHOD = 'DEBUG'
+          REQUEST_HAS_BODY = false
+          RESPONSE_HAS_BODY = true
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/servers/nginx.rb

@@ -0,0 +1,17 @@
+module Yawast
+  module Scanner
+    module Plugins
+      module Servers
+        class Nginx
+          def self.check_banner(banner)
+            #don't bother if this doesn't include nginx
+            return unless banner.include? 'nginx/'
+
+            Yawast::Utilities.puts_warn "nginx Version: #{banner}"
+            puts ''
+          end
+        end
+      end
+    end
+  end
+end

data/lib/scanner/plugins/servers/python.rb

@@ -0,0 +1,17 @@
+module Yawast
+  module Scanner
+    module Plugins
+      module Servers
+        class Python
+          def self.check_banner(banner)
+            #don't bother if this doesn't include Python
+            return unless banner.include? 'Python/'
+
+            Yawast::Utilities.puts_warn "Python Version: #{banner}"
+            puts ''
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shared/http.rb

@@ -47,6 +47,18 @@ module Yawast
         body
       end
 
+      def self.put(uri, body, headers = nil)
+        begin
+          req = get_http(uri)
+          req.use_ssl = uri.scheme == 'https'
+          res = req.request_put(uri.path, body, get_headers(headers))
+        rescue
+          #do nothing for now
+        end
+
+        res.read_body
+      end
+
       def self.get_status_code(uri)
         req = get_http(uri)
         req.use_ssl = uri.scheme == 'https'

data/lib/version.rb

@@ -1,3 +1,3 @@
 module Yawast
-  VERSION = '0.6.0.beta2'
+  VERSION = '0.6.0.beta3'
 end

data/test/test_scan_apache_banner.rb

@@ -7,7 +7,7 @@ class TestScannerApacheBanner < Minitest::Test
   def test_apache_banner_no_version
     server = 'Apache'
     override_stdout
-    Yawast::Scanner::Apache.check_banner server
+    Yawast::Scanner::Plugins::Servers::Apache.check_banner server
 
     assert stdout_value.include?("Apache Server: #{server}"), "Unexpected banner: #{stdout_value}"
 
@@ -17,7 +17,7 @@ class TestScannerApacheBanner < Minitest::Test
   def test_apache_basic_banner
     server = 'Apache/2.4.7'
     override_stdout
-    Yawast::Scanner::Apache.check_banner server
+    Yawast::Scanner::Plugins::Servers::Apache.check_banner server
 
     assert stdout_value.include?("Apache Server: #{server}"), "Unexpected banner: #{stdout_value}"
 
@@ -27,7 +27,7 @@ class TestScannerApacheBanner < Minitest::Test
   def test_apache_banner_distro
     server = 'Apache/2.4.7 (Ubuntu)'
     override_stdout
-    Yawast::Scanner::Apache.check_banner server
+    Yawast::Scanner::Plugins::Servers::Apache.check_banner server
 
     assert stdout_value.include?("Apache Server: #{server}"), "Unexpected banner: #{stdout_value}"
 
@@ -37,7 +37,7 @@ class TestScannerApacheBanner < Minitest::Test
   def test_apache_one_module
     server = 'Apache/2.4.6 (FreeBSD) PHP/5.4.23'
     override_stdout
-    Yawast::Scanner::Apache.check_banner server
+    Yawast::Scanner::Plugins::Servers::Apache.check_banner server
 
     assert stdout_value.include?('Apache Server: Module listing enabled'), 'Module listing missing'
 
@@ -47,7 +47,7 @@ class TestScannerApacheBanner < Minitest::Test
   def test_apache_openssl_module
     server = 'Apache/2.4.6 (FreeBSD) PHP/5.4.23 OpenSSL/0.9.8n'
     override_stdout
-    Yawast::Scanner::Apache.check_banner server
+    Yawast::Scanner::Plugins::Servers::Apache.check_banner server
 
     assert stdout_value.include?('Apache Server: Module listing enabled'), 'Module listing missing'
     assert stdout_value.include?('OpenSSL Version Disclosure'), 'OpenSSL version warning missing'

data/test/test_scan_apache_server_info.rb

@@ -13,7 +13,7 @@ class TestScannerApacheServerInfo < Minitest::Test
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
 
     Yawast::Shared::Http.setup nil, nil
-    Yawast::Scanner::Apache.check_server_info uri
+    Yawast::Scanner::Plugins::Servers::Apache.check_server_info uri
 
     assert stdout_value.include?('Apache Server Information page found'), 'Apache Server Info page warning not found'
 

data/test/test_scan_apache_server_status.rb

@@ -13,7 +13,7 @@ class TestScannerApacheServerStatus < Minitest::Test
     uri = Yawast::Commands::Utils.extract_uri(["http://localhost:#{port}"])
 
     Yawast::Shared::Http.setup nil, nil
-    Yawast::Scanner::Apache.check_server_status uri
+    Yawast::Scanner::Plugins::Servers::Apache.check_server_status uri
 
     assert stdout_value.include?('Apache Server Status page found'), 'Apache Server Status page warning not found'
 

data/test/test_scan_iis_headers.rb

@@ -8,7 +8,7 @@ class TestScannerIisHeaders < Minitest::Test
     server = 'Microsoft-IIS/8.5'
 
     override_stdout
-    Yawast::Scanner::Iis.check_banner server
+    Yawast::Scanner::Plugins::Servers::Iis.check_banner server
 
     assert stdout_value.include?("IIS Version: #{server}"), "Unexpected banner: #{stdout_value}"
 
@@ -19,7 +19,7 @@ class TestScannerIisHeaders < Minitest::Test
     headers = parse_headers_from_file File.dirname(__FILE__) + '/data/iis_server_header.txt'
 
     override_stdout
-    Yawast::Scanner::Iis.check_asp_banner headers
+    Yawast::Scanner::Plugins::Servers::Iis.check_asp_banner headers
 
     assert stdout_value.include?('ASP.NET Version'), 'ASP.NET Version warning not found.'
 
@@ -30,7 +30,7 @@ class TestScannerIisHeaders < Minitest::Test
     headers = parse_headers_from_file File.dirname(__FILE__) + '/data/iis_server_header.txt'
 
     override_stdout
-    Yawast::Scanner::Iis.check_mvc_version headers
+    Yawast::Scanner::Plugins::Servers::Iis.check_mvc_version headers
 
     assert stdout_value.include?('ASP.NET MVC Version'), 'ASP.NET MVC Version warning not found.'
 

data/test/test_scan_nginx_banner.rb

@@ -8,7 +8,7 @@ class TestScannerNginxHeaders < Minitest::Test
     server = 'nginx/1.8.1'
 
     override_stdout
-    Yawast::Scanner::Nginx.check_banner server
+    Yawast::Scanner::Plugins::Servers::Nginx.check_banner server
 
     assert stdout_value.include?("nginx Version: #{server}"), "Unexpected banner: #{stdout_value}"
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yawast
 version: !ruby/object:Gem::Version
-  version: 0.6.0.beta2
+  version: 0.6.0.beta3
 platform: ruby
 authors:
 - Adam Caudill
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-26 00:00:00.000000000 Z
+date: 2017-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ssllabs
@@ -164,6 +164,7 @@ files:
 - ".ruby-version"
 - ".travis.yml"
 - CHANGELOG.md
+- Dockerfile
 - Gemfile
 - LICENSE
 - README.md
@@ -171,6 +172,7 @@ files:
 - bin/yawast
 - lib/commands/cert.rb
 - lib/commands/cms.rb
+- lib/commands/dns.rb
 - lib/commands/head.rb
 - lib/commands/scan.rb
 - lib/commands/ssl.rb
@@ -179,18 +181,19 @@ files:
 - lib/resources/common_file.txt
 - lib/resources/srv_list.txt
 - lib/resources/subdomain_list.txt
-- lib/scanner/apache.rb
 - lib/scanner/cert.rb
 - lib/scanner/cms.rb
 - lib/scanner/core.rb
 - lib/scanner/generic.rb
-- lib/scanner/iis.rb
-- lib/scanner/nginx.rb
 - lib/scanner/php.rb
 - lib/scanner/plugins/dns/caa.rb
 - lib/scanner/plugins/dns/generic.rb
 - lib/scanner/plugins/http/directory_search.rb
 - lib/scanner/plugins/http/file_presence.rb
+- lib/scanner/plugins/servers/apache.rb
+- lib/scanner/plugins/servers/iis.rb
+- lib/scanner/plugins/servers/nginx.rb
+- lib/scanner/plugins/servers/python.rb
 - lib/scanner/plugins/ssl/sweet32.rb
 - lib/scanner/ssl.rb
 - lib/scanner/ssl_labs.rb