nsauditor-ai 0.1.0

package/plugins/sunrpc_scanner.mjs

@@ -0,0 +1,339 @@
+// plugins/sunrpc_scanner.mjs
+import net from 'node:net';
+import dgram from 'node:dgram';
+
+/* ----------------------------- Helpers ----------------------------- */
+
+function xdrEncodeInt(buffer, value, offset) {
+    buffer.writeUInt32BE(value >>> 0, offset);
+    return offset + 4;
+}
+
+function xdrDecodeInt(buffer, offset) {
+  const value = buffer.readInt32BE(offset);
+  return { value, newOffset: offset + 4 };
+}
+
+// Robust parser that handles both simplified replies (no accept_stat) and proper RPC replies (with accept_stat).
+function parseRpcPortFromReply(msg) {
+  // msg is expected to start at XID (no TCP record marker)
+  // Minimum valid RPC reply is 24 bytes
+  if (msg.length < 24) {
+    return null;
+  }
+
+  try {
+    // Layout:
+    //  0: xid
+    //  4: msg_type (should be 1 for REPLY)
+    //  8: reply_stat (should be 0 for ACCEPTED)
+    // 12: verifier_flavor
+    // 16: verifier_length
+    // 20: verifier_body (padded to 4) -> accept_stat -> result (port)
+    const msgType = msg.readUInt32BE(4);
+    const replyState = msg.readUInt32BE(8);
+    if (msgType !== 1 || replyState !== 0) return null;
+
+    // Compute offset after opaque_auth verifier (flavor,len,body[padded])
+    if (msg.length >= 20) {
+      const verflen = msg.readUInt32BE(16) >>> 0;
+      const pad = (4 - (verflen % 4)) % 4;
+      const acceptOff = 20 + verflen + pad;
+
+      // Proper RPC reply with accept_stat followed by result (port) on success
+      if (msg.length >= acceptOff + 8) {
+        const acceptStat = msg.readUInt32BE(acceptOff);
+        if (acceptStat === 0 /* SUCCESS */) {
+          const port = msg.readUInt32BE(acceptOff + 4);
+          return port > 0 && port <= 65535 ? port : null;
+        }
+      }
+    }
+
+    // Fallback: treat offset 20 as port directly (simplified responders)
+    if (msg.length >= 24) {
+      const port = msg.readUInt32BE(20);
+      return port > 0 && port <= 65535 ? port : null;
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
+
+async function getRpcPortTcp(host, program, version, timeout = 1000, rpcPort = 111) {
+  return new Promise((resolve, reject) => {
+    const socket = new net.Socket();
+    socket.setTimeout(timeout);
+    let receivedData = Buffer.alloc(0);
+    let expectedLength = null;
+    let done = false;
+
+    const finalize = (val) => {
+      if (done) return;
+      done = true;
+      clearTimeout(timeoutId);
+      socket.removeAllListeners();
+      try { 
+        socket.end();
+        socket.destroy(); 
+      } catch {}
+      resolve(val);
+    };
+
+    let timeoutId = setTimeout(() => {
+      finalize(null);
+    }, timeout);
+
+    socket.on('error', () => {
+      finalize(null);
+    });
+
+    socket.on('timeout', () => {
+      finalize(null);
+    });
+
+    socket.on('close', () => {
+      // Connection closed. Try to parse any data we might have received.
+      if (expectedLength !== null && receivedData.length >= expectedLength + 4) {
+        const rpcMessage = receivedData.slice(4, expectedLength + 4);
+        const port = parseRpcPortFromReply(rpcMessage);
+        return finalize(port);
+      }
+      finalize(null);
+    });
+
+    socket.on('data', (data) => {
+      if (done) return;
+      receivedData = Buffer.concat([receivedData, data]);
+
+      // Parse TCP record marker
+      if (expectedLength === null && receivedData.length >= 4) {
+        const header = receivedData.readUInt32BE(0);
+        const lastFragment = (header & 0x80000000) !== 0;
+        expectedLength = header & 0x7FFFFFFF;
+
+        // Sanity checks
+        if (!lastFragment || expectedLength === 0 || expectedLength > 8192) {
+          return finalize(null);
+        }
+      }
+
+      // Check if we have complete message
+      if (expectedLength !== null && receivedData.length >= expectedLength + 4) {
+        const rpcMessage = receivedData.slice(4, expectedLength + 4);
+        const port = parseRpcPortFromReply(rpcMessage);
+        return finalize(port);
+      }
+    });
+
+    socket.connect(rpcPort, host, () => {
+      if (done) return;
+      
+      const transactionId = Math.floor(Math.random() * 0xFFFFFFFF);
+      // Proper RPC CALL with cred/verifier (AUTH_NULL) + PMAP GETPORT args
+      const rpcMessage = Buffer.alloc(56); // 14 * 4-byte integers
+      let offset = 0;
+
+      // RPC call header
+      offset = xdrEncodeInt(rpcMessage, transactionId, offset); // xid
+      offset = xdrEncodeInt(rpcMessage, 0, offset); // CALL
+      offset = xdrEncodeInt(rpcMessage, 2, offset); // RPC version
+
+      const rpcbindProgram = 100000;
+      const rpcbindVersion = 2;
+      const getPortProcedure = 3;
+
+      offset = xdrEncodeInt(rpcMessage, rpcbindProgram, offset);
+      offset = xdrEncodeInt(rpcMessage, rpcbindVersion, offset);
+      offset = xdrEncodeInt(rpcMessage, getPortProcedure, offset);
+
+      // AUTH credentials (AUTH_NULL)
+      offset = xdrEncodeInt(rpcMessage, 0, offset); // cred flavor
+      offset = xdrEncodeInt(rpcMessage, 0, offset); // cred length
+
+      // AUTH verifier (AUTH_NULL)
+      offset = xdrEncodeInt(rpcMessage, 0, offset); // verf flavor
+      offset = xdrEncodeInt(rpcMessage, 0, offset); // verf length
+
+      // PMAP_GETPORT args: program, version, protocol, port(0)
+      offset = xdrEncodeInt(rpcMessage, program, offset);
+      offset = xdrEncodeInt(rpcMessage, version, offset);
+      offset = xdrEncodeInt(rpcMessage, 6, offset); // TCP
+      offset = xdrEncodeInt(rpcMessage, 0, offset);
+
+      const frameHeader = Buffer.alloc(4);
+      frameHeader.writeUInt32BE((rpcMessage.length | 0x80000000) >>> 0, 0);
+      const packet = Buffer.concat([frameHeader, rpcMessage]);
+      
+      socket.write(packet, (err) => {
+        if (err && !done) {
+          finalize(null);
+        }
+      });
+    });
+  });
+}
+
+async function getRpcPortUdp(host, program, version, timeout = 1000, rpcPort = 111) {
+  return new Promise((resolve, reject) => {
+    const client = dgram.createSocket('udp4');
+    let done = false;
+    const finalize = (val) => {
+      if (done) return;
+      done = true;
+      clearTimeout(timeoutId);
+      client.removeAllListeners();
+      try { client.close(); } catch {}
+      resolve(val);
+    };
+
+    let timeoutId = setTimeout(() => {
+      finalize(null); // Timeout treated as normal failure case
+    }, timeout);
+
+    client.on('error', () => {
+      finalize(null); // Network errors treated as normal failure case
+    });
+
+    client.on('message', (msg) => {
+      if (done) return;
+      // UDP reply starts at XID (no record marker)
+      const port = parseRpcPortFromReply(msg);
+      finalize(port);
+    });
+
+    // Construct the rpcbind GETPORT packet with AUTH_NULL cred/verifier
+    const transactionId = Math.floor(Math.random() * 0xFFFFFFFF);
+    const packet = Buffer.alloc(56); // 14 * 4-byte integers
+    let offset = 0;
+
+    // RPC call header
+    offset = xdrEncodeInt(packet, transactionId, offset); // xid
+    offset = xdrEncodeInt(packet, 0, offset); // CALL
+    offset = xdrEncodeInt(packet, 2, offset); // RPC version
+
+    const rpcbindProgram = 100000;
+    const rpcbindVersion = 2;
+    const getPortProcedure = 3;
+
+    offset = xdrEncodeInt(packet, rpcbindProgram, offset);
+    offset = xdrEncodeInt(packet, rpcbindVersion, offset);
+    offset = xdrEncodeInt(packet, getPortProcedure, offset);
+
+    // AUTH credentials (AUTH_NULL)
+    offset = xdrEncodeInt(packet, 0, offset); // cred flavor
+    offset = xdrEncodeInt(packet, 0, offset); // cred length
+
+    // AUTH verifier (AUTH_NULL)
+    offset = xdrEncodeInt(packet, 0, offset); // verf flavor
+    offset = xdrEncodeInt(packet, 0, offset); // verf length
+
+    // PMAP_GETPORT args: program, version, protocol, port(0)
+    offset = xdrEncodeInt(packet, program, offset);
+    offset = xdrEncodeInt(packet, version, offset);
+    offset = xdrEncodeInt(packet, 17, offset); // UDP
+    offset = xdrEncodeInt(packet, 0, offset);
+
+    client.send(packet, rpcPort, host, (err) => {
+      if (err) {
+        finalize(null);
+      }
+    });
+  });
+}
+
+/* ----------------------------- Scanner Plugin ----------------------------- */
+
+// Reduced set for faster scanning
+const RPC_PROGRAMS = [
+  { num: 100000, name: 'PORTMAPPER', versions: [2] },
+  { num: 100003, name: 'NFS', versions: [3] },
+  { num: 100005, name: 'MOUNTD', versions: [1] }
+];
+
+export default {
+  id: "015", 
+  name: "SUN RPC Scanner",
+  description: "Scans for RPC services via portmapper on TCP/UDP 111 including NFS, mountd and others",
+  priority: 350,
+  requirements: {},
+  protocols: ["tcp", "udp"],
+  ports: [111],
+
+  async run(host, port=111, opts={}) {
+    const data = [];
+    let up = false;
+    let program = "Unknown";
+    let version = "Unknown";
+    
+    // Determine which protocols to scan based on opts or default to both
+    const protocols = opts.protocol ? [opts.protocol] : ['tcp', 'udp'];
+    const timeout = opts.timeout || 1000;
+
+    // Scan each RPC program using provided port and protocols
+    for (const protocol of protocols) {
+      for (const prog of RPC_PROGRAMS) {
+        for (const ver of prog.versions) {
+          try {
+            const getRpcPort = protocol === 'tcp' ? getRpcPortTcp : getRpcPortUdp;
+            const detectedPort = await getRpcPort(host, prog.num, ver, timeout, port);
+            
+            if (detectedPort) {
+              up = true;
+              program = "SUN RPC";
+              
+              data.push({
+                // normalized evidence fields (preferred by reports)
+                from: 'sunrpc',
+                protocol,
+                port: detectedPort,
+                info: `RPC ${prog.name} v${ver} (${protocol.toUpperCase()})`,
+                banner: `Program ${prog.num} Version ${ver} on port ${detectedPort} via ${protocol.toUpperCase()}`,
+                status: 'open',
+                service: prog.name.toLowerCase(),
+
+                // keep legacy probe_* fields for compatibility
+                probe_protocol: protocol,
+                probe_port: detectedPort,
+                probe_info: `RPC ${prog.name} v${ver} (${protocol.toUpperCase()})`,
+                response_banner: `Program ${prog.num} Version ${ver} on port ${detectedPort} via ${protocol.toUpperCase()}`
+              });
+              
+              // Exit early after finding first service to speed up testing
+              if (opts.protocol) return { up, program, version, type: 'sunrpc', data };
+            }
+          } catch {
+            // Individual program/version failures are ignored
+          }
+        }
+      }
+    }
+
+    if (!up) {
+      data.push({
+        from: 'sunrpc',
+        protocol: protocols[0],
+        port,
+        info: 'No RPC services found',
+        banner: null,
+        status: 'filtered',
+        service: 'sunrpc',
+
+        // legacy fields
+        probe_protocol: protocols[0],
+        probe_port: port,
+        probe_info: 'No RPC services found',
+        response_banner: null
+      });
+    }
+
+    return {
+      up,
+      program,
+      version,
+      type: 'sunrpc',
+      data
+    };
+  }
+};

package/plugins/syn_scanner.mjs

@@ -0,0 +1,314 @@
+// plugins/syn_scanner.mjs
+// TCP SYN Scanner — optional Nmap wrapper for SYN (-sS) scanning.
+// Gated by ENABLE_SYN_SCAN env var (default: false).
+// Requires nmap to be installed; falls back gracefully when missing.
+
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+const execFileP = promisify(execFile);
+
+/* ------------------------------ helpers ------------------------------ */
+
+const HOST_RE = /^[a-zA-Z0-9._:-]+$/;
+
+function isValidHost(host) {
+  if (!host || typeof host !== "string") return false;
+  if (host.length > 253) return false;
+  return HOST_RE.test(host);
+}
+
+/**
+ * Parse Nmap XML output (from -oX -) using regex.
+ * Returns { hosts: [{ ip, status, ports: [{ port, protocol, state, service, version }], os }] }
+ */
+export function parseNmapXml(xml) {
+  const result = { hosts: [] };
+  if (!xml || typeof xml !== "string") return result;
+
+  // Match each <host>...</host> block
+  const hostBlocks = xml.match(/<host[\s>][\s\S]*?<\/host>/gi);
+  if (!hostBlocks) return result;
+
+  for (const block of hostBlocks) {
+    const host = { ip: null, status: null, ports: [], os: null };
+
+    // Extract address
+    const addrMatch = block.match(/<address\s+addr="([^"]+)"/i);
+    if (addrMatch) host.ip = addrMatch[1];
+
+    // Extract status
+    const statusMatch = block.match(/<status\s+state="([^"]+)"/i);
+    if (statusMatch) host.status = statusMatch[1];
+
+    // Extract ports
+    const portMatches = block.match(/<port[\s>][\s\S]*?<\/port>/gi);
+    if (portMatches) {
+      for (const portBlock of portMatches) {
+        const portInfo = {};
+
+        const protoMatch = portBlock.match(/protocol="([^"]+)"/i);
+        portInfo.protocol = protoMatch ? protoMatch[1] : "tcp";
+
+        const portIdMatch = portBlock.match(/portid="([^"]+)"/i);
+        portInfo.port = portIdMatch ? Number(portIdMatch[1]) : 0;
+
+        const stateMatch = portBlock.match(/<state\s+state="([^"]+)"/i);
+        portInfo.state = stateMatch ? stateMatch[1] : "unknown";
+
+        const svcNameMatch = portBlock.match(/<service\s+name="([^"]+)"/i);
+        portInfo.service = svcNameMatch ? svcNameMatch[1] : null;
+
+        // Extract product and version from service tag attributes
+        const productMatch = portBlock.match(/product="([^"]+)"/i);
+        const versionMatch = portBlock.match(/version="([^"]+)"/i);
+        portInfo.version = null;
+        if (productMatch && versionMatch) {
+          portInfo.version = `${productMatch[1]} ${versionMatch[1]}`;
+        } else if (productMatch) {
+          portInfo.version = productMatch[1];
+        } else if (versionMatch) {
+          portInfo.version = versionMatch[1];
+        }
+
+        host.ports.push(portInfo);
+      }
+    }
+
+    // Extract OS match
+    const osMatch = block.match(/<osmatch\s+name="([^"]+)"/i);
+    if (osMatch) host.os = osMatch[1];
+
+    result.hosts.push(host);
+  }
+
+  return result;
+}
+
+/**
+ * Build the nmap argument list.
+ */
+function buildNmapArgs(host) {
+  const args = ["-sS", "-Pn", "-T4", "--min-rate", "100", "-oX", "-"];
+
+  const portRange = process.env.SYN_SCAN_PORTS;
+  const PORT_RANGE_RE = /^[\dT:U:,\-\s]+$/;
+  if (portRange && typeof portRange === "string" && portRange.trim() && PORT_RANGE_RE.test(portRange.trim())) {
+    args.push("-p", portRange.trim());
+  }
+
+  args.push(host);
+  return args;
+}
+
+/**
+ * Check if nmap is available on the system.
+ */
+async function isNmapAvailable() {
+  try {
+    // Use 'command -v' on Unix-like, 'where' on Windows
+    const cmd = process.platform === "win32" ? "where" : "command";
+    const cmdArgs = process.platform === "win32" ? ["nmap"] : ["-v", "nmap"];
+    await execFileP(cmd, cmdArgs, { timeout: 5000 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if SYN scanning is enabled via env var.
+ */
+function isSynScanEnabled() {
+  const v = String(process.env.ENABLE_SYN_SCAN || "").toLowerCase();
+  return v === "1" || v === "true" || v === "yes" || v === "on";
+}
+
+/* ------------------------------ plugin ------------------------------ */
+
+export default {
+  id: "024",
+  name: "TCP SYN Scanner (Nmap)",
+  description:
+    "SYN scan via Nmap wrapper. Requires nmap installed and ENABLE_SYN_SCAN=1. Falls back gracefully when unavailable.",
+  priority: 12,
+  protocols: ["tcp"],
+  ports: [],
+  requirements: {},
+
+  async run(host, _port = 0, opts = {}) {
+    // Gate: must be explicitly enabled
+    if (!isSynScanEnabled()) {
+      return {
+        up: false,
+        program: "Unknown",
+        version: "Unknown",
+        os: null,
+        type: "syn-scan",
+        tcpOpen: [],
+        data: [{ probe_info: "SYN scan disabled (set ENABLE_SYN_SCAN=1 to enable)" }],
+      };
+    }
+
+    // Validate host to prevent command injection
+    if (!isValidHost(host)) {
+      return {
+        up: false,
+        program: "Unknown",
+        version: "Unknown",
+        os: null,
+        type: "syn-scan",
+        tcpOpen: [],
+        data: [{ probe_info: `Invalid host: ${String(host).slice(0, 50)}` }],
+      };
+    }
+
+    // Check nmap availability
+    const nmapFound = await isNmapAvailable();
+    if (!nmapFound) {
+      return {
+        up: false,
+        program: "Unknown",
+        version: "Unknown",
+        os: null,
+        type: "syn-scan",
+        tcpOpen: [],
+        data: [{ probe_info: "nmap not found, falling back to TCP connect scan" }],
+      };
+    }
+
+    // Run nmap SYN scan
+    const timeoutMs = Number(process.env.SYN_SCAN_TIMEOUT) || 30000;
+    const args = buildNmapArgs(host);
+
+    let stdout, stderr;
+    try {
+      const result = await execFileP("nmap", args, {
+        timeout: timeoutMs,
+        maxBuffer: 10 * 1024 * 1024,
+      });
+      stdout = result.stdout || "";
+      stderr = result.stderr || "";
+    } catch (err) {
+      const msg = String(err?.stderr || err?.message || err);
+
+      // Detect permission issues (SYN scan requires root/sudo)
+      if (/permission|operation not permitted|requires root|raw socket|not authorized/i.test(msg)) {
+        return {
+          up: false,
+          program: "Unknown",
+          version: "Unknown",
+          os: null,
+          type: "syn-scan",
+          tcpOpen: [],
+          data: [
+            {
+              probe_info:
+                "SYN scan requires root/sudo privileges. Run with sudo or use the TCP connect scanner instead.",
+            },
+          ],
+        };
+      }
+
+      return {
+        up: false,
+        program: "Unknown",
+        version: "Unknown",
+        os: null,
+        type: "syn-scan",
+        tcpOpen: [],
+        data: [{ probe_info: `nmap error: ${msg.slice(0, 200)}` }],
+      };
+    }
+
+    // Parse XML output
+    const parsed = parseNmapXml(stdout);
+
+    const data = [];
+    const tcpOpen = [];
+    let hostUp = false;
+    let detectedOs = null;
+
+    for (const h of parsed.hosts) {
+      if (h.status === "up") hostUp = true;
+      if (h.os) detectedOs = h.os;
+
+      for (const p of h.ports) {
+        const row = {
+          probe_protocol: p.protocol || "tcp",
+          probe_port: p.port,
+          status: p.state,
+          probe_info: `SYN scan: ${p.state}${p.service ? ` (${p.service})` : ""}`,
+          response_banner: p.version || null,
+          service: p.service || null,
+        };
+        data.push(row);
+
+        if (p.state === "open" && (p.protocol || "tcp") === "tcp") {
+          tcpOpen.push(p.port);
+        }
+      }
+    }
+
+    // Update context if provided
+    const ctx = opts?.context;
+    if (ctx) {
+      if (hostUp) ctx.hostUp = true;
+      if (ctx.tcpOpen && typeof ctx.tcpOpen.add === "function") {
+        for (const p of tcpOpen) ctx.tcpOpen.add(p);
+      }
+      if (detectedOs && !ctx.os) {
+        ctx.os = detectedOs;
+        ctx.guessedOs = detectedOs;
+      }
+    }
+
+    return {
+      up: hostUp || tcpOpen.length > 0,
+      program: "nmap",
+      version: "Unknown",
+      os: detectedOs,
+      type: "syn-scan",
+      tcpOpen,
+      data,
+    };
+  },
+};
+
+/* ------------------------------ conclude adapter ------------------------------ */
+
+import { statusFrom } from "../utils/conclusion_utils.mjs";
+
+export async function conclude({ host, result }) {
+  const rows = Array.isArray(result?.data) ? result.data : [];
+  const items = [];
+
+  for (const r of rows) {
+    const proto = r?.probe_protocol || "tcp";
+    const port = Number(r?.probe_port ?? 0);
+    if (!port) continue;
+
+    const state = r?.status || "unknown";
+    let status;
+    if (state === "open") status = "open";
+    else if (state === "closed") status = "closed";
+    else if (state === "filtered") status = "filtered";
+    else status = statusFrom({ info: r?.probe_info, banner: r?.response_banner, fallbackUp: result?.up });
+
+    items.push({
+      port,
+      protocol: proto,
+      service: r?.service || "unknown",
+      program: result?.program || "nmap",
+      version: r?.response_banner || "Unknown",
+      status,
+      info: r?.probe_info || null,
+      banner: r?.response_banner || null,
+      source: "syn_scanner",
+      evidence: rows,
+      authoritative: false,
+    });
+  }
+
+  return items;
+}