nsauditor-ai 0.1.0

package/plugins/webapp_detector.mjs

@@ -0,0 +1,246 @@
+// plugins/webapp_detector.mjs
+// New plugin: Webapp Detector
+// Uses `simple-wappalyzer` to fingerprint web applications present on a host.
+// Tries HTTPS first (port 443), then HTTP (port 80), and can also try custom ports via opts.ports.
+// NOTE: Unlike http_probe, undici/fetch cannot ignore TLS easily per-request, so self-signed
+// HTTPS will usually fail and the plugin will fall back to HTTP.
+//
+// Add to package.json (dependencies):
+//   "simple-wappalyzer": "^1.14.0"   // or latest
+//
+// Example use (plugin manager):
+//   webappDetector.run("192.168.1.1")
+//
+// Result shape example:
+// {
+//   up: true,
+//   program: "WordPress + Nginx",
+//   version: "Unknown",
+//   os: null,
+//   type: "webapp",
+//   data: [
+//     {
+//       probe_protocol: "https",
+//       probe_port: 443,
+//       probe_info: "Detected web apps: WordPress, Nginx",
+//       response_banner: "200 OK\r\nserver: nginx\r\nx-powered-by: PHP/8.2"
+//     }
+//   ],
+//   apps: [ { name, categories, confidence, version?, slug, ... }, ... ]
+// }
+
+import wappalyzer from 'simple-wappalyzer';
+
+const DEBUG =
+  String(process.env.DEBUG_MODE || '').toLowerCase() === '1' ||
+  String(process.env.DEBUG_MODE || '').toLowerCase() === 'true';
+
+function log(...args) {
+  if (DEBUG) console.log('[webapp-detector]', ...args);
+}
+
+function parseExtraHeaders() {
+  try {
+    if (!process.env.HTTP_EXTRA_HEADERS) return {};
+    const h = JSON.parse(process.env.HTTP_EXTRA_HEADERS);
+    return h && typeof h === 'object' ? h : {};
+  } catch {
+    return {};
+  }
+}
+
+function buildBanner(statusCode, headers) {
+  const lines = [];
+  const statusLine = `${statusCode || 0}`;
+  lines.push(statusLine + (headers['status-message'] ? ' ' + headers['status-message'] : ''));
+  const pick = ['server', 'x-powered-by', 'www-authenticate', 'content-type', 'location', 'set-cookie'];
+  for (const k of pick) {
+    const v = headers[k];
+    if (!v) continue;
+    if (Array.isArray(v)) {
+      for (const vv of v) lines.push(`${k}: ${vv}`);
+    } else {
+      lines.push(`${k}: ${v}`);
+    }
+  }
+  return lines.join('\\r\\n');
+}
+
+function normalizeTarget(target) {
+  if (!target) return null;
+  if (typeof target === 'string') return target.replace(/^https?:\/\//i, '').split('/')[0];
+  return (target.host || target.hostname || target.name || '').replace(/^https?:\/\//i, '').split('/')[0];
+}
+
+async function fetchOnce(url, signal) {
+  const extra = parseExtraHeaders();
+  const headers = {
+    'User-Agent': 'Mozilla/5.0 (compatible; NetworkSecurityAuditor/1.18.0; +https://example.invalid)',
+    DNT: '1',
+    ...extra,
+  };
+  // global fetch (undici) is available in Node >=18
+  const res = await fetch(url, { redirect: 'follow', headers, signal });
+  const finalUrl = res.url || url;
+  const statusCode = res.status;
+  const rawHeaders = {};
+  res.headers.forEach((v, k) => (rawHeaders[k.toLowerCase()] = v));
+  const html = await res.text();
+  return { url: finalUrl, statusCode, headers: rawHeaders, html };
+}
+
+async function tryDetectAt(url) {
+  const ctrl = new AbortController();
+  const timeoutMs = Number(process.env.WAPPALYZER_TIMEOUT_MS || 15000);
+  const t = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    log('fetch start —', url);
+    const { url: finalUrl, html, statusCode, headers } = await fetchOnce(url, ctrl.signal);
+    log('fetch end —', finalUrl, statusCode, `html=${html?.length ?? 0}`);
+    const apps = await detectFromHtml(finalUrl, html, statusCode, headers);
+    return { ok: true, finalUrl, statusCode, headers, apps };
+  } catch (e) {
+    log('fetch error —', url, e?.message || e);
+    return { ok: false, error: e };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/** Run wappalyzer on provided HTML/headers. */
+async function detectFromHtml(url, html, statusCode, headers) {
+  try {
+    const result = await wappalyzer({ url, html, statusCode, headers });
+    if (Array.isArray(result) && result.length) {
+      log('wappalyzer apps=', result.map(a => a.name).join(', '));
+    } else {
+      log('wappalyzer apps=∅');
+    }
+    return result || [];
+  } catch (e) {
+    log('wappalyzer error:', e?.message || e);
+    return [];
+  }
+}
+
+function summarizeApps(apps) {
+  if (!Array.isArray(apps) || !apps.length) return { program: null, version: 'Unknown', list: [] };
+  // Sort by confidence descending then name
+  const sorted = [...apps].sort((a, b) => (Number(b.confidence||0) - Number(a.confidence||0)) || String(a.name).localeCompare(String(b.name)));
+  const names = sorted.map(a => a.name).filter(Boolean);
+  const program = names.slice(0, 3).join(' + ') || null;
+  // If exactly 1 app and it has a version, expose it
+  const version = (sorted.length === 1 && sorted[0]?.version) ? String(sorted[0].version) : 'Unknown';
+  return { program, version, list: names };
+}
+
+export default {
+  id: '010',
+  name: 'Webapp Detector',
+  description: 'Identifies web applications and frameworks using simple-wappalyzer (tries HTTPS then HTTP).',
+  priority: 55, // run near HTTP probe
+  requirements: { host: 'up', tcp_open: [80, 443] }, // heuristic gate; still attempts both
+  protocols: ['tcp'],
+  ports: [80, 443],
+
+  /**
+   * @param {string} host - target hostname or IP
+   * @param {number} port - optional hint (ignored; detection tries 443 then 80 unless opts.ports provided)
+   * @param {object} opts - options: { ports?: number[] }
+   */
+  async run(host, port = 0, opts = {}) {
+    const result = {
+      up: false,
+      program: null,
+      version: 'Unknown',
+      os: null,
+      type: 'webapp',
+      data: [],
+      apps: [], // raw simple-wappalyzer results
+    };
+
+    let target = normalizeTarget(host);
+    if (!target) return result;
+
+    // Build candidate URLs
+    const set = new Set();
+    const addUrl = (proto, p) => {
+      const defaultPort = (proto === 'https' ? 443 : 80);
+      const portPart = (p && p !== defaultPort) ? `:${p}` : '';
+      set.add(`${proto}://${target}${portPart}/`);
+    };
+
+    // If specific ports given, try both schemes for each; else default to 443 then 80
+    const ports = Array.isArray(opts.ports) && opts.ports.length ? opts.ports : [443, 80];
+    for (const p of ports) {
+      if (p === 443) addUrl('https', 443);
+      else if (p === 80) addUrl('http', 80);
+      else { addUrl('https', p); addUrl('http', p); }
+    }
+
+    // Try in order added (prefers https:443, then http:80, then customs)
+    for (const url of set) {
+      const r = await tryDetectAt(url);
+      if (r.ok) {
+        result.up = true;
+        result.apps = r.apps || [];
+        const { program, version, list } = summarizeApps(result.apps);
+        if (program) result.program = program;
+        if (version) result.version = version;
+
+        // Prepare a concise banner
+        const proto = url.startsWith('https:') ? 'https' : 'http';
+        const portFromUrl = (() => {
+          try {
+            const u = new URL(url);
+            return Number(u.port || (u.protocol === 'https:' ? 443 : 80));
+          } catch { return proto === 'https' ? 443 : 80; }
+        })();
+
+        result.data.push({
+          probe_protocol: proto,
+          probe_port: portFromUrl,
+          probe_info: list.length ? `Detected web apps: ${list.join(', ')}` : `HTTP service detected (status ${r.statusCode})`,
+          response_banner: buildBanner(r.statusCode, r.headers),
+        });
+
+        // Stop after first successful detection
+        break;
+      } else {
+        // Log error row for visibility
+        const proto = url.startsWith('https:') ? 'https' : 'http';
+        const portFromUrl = (() => {
+          try { const u = new URL(url); return Number(u.port || (u.protocol === 'https:' ? 443 : 80)); } catch { return proto === 'https' ? 443 : 80; }
+        })();
+        result.data.push({
+          probe_protocol: proto,
+          probe_port: portFromUrl,
+          probe_info: `Webapp detect error: ${r.error?.message || String(r.error || 'unknown error')}`,
+          response_banner: null,
+        });
+      }
+    }
+
+    return result;
+  },
+};
+
+// Concluder adapter: emits detected apps as service records for result fusion.
+export async function conclude({ host, result }) {
+  if (!result?.up || !Array.isArray(result.apps) || result.apps.length === 0) return [];
+
+  // Extract port from the first successful probe record
+  const probeRecord = result.data?.find(d => d.probe_port && d.probe_port > 0);
+  const port = probeRecord?.probe_port ?? 80;
+  const protocol = probeRecord?.probe_protocol ?? 'tcp';
+
+  // Emit one service record per detected app
+  return result.apps.map(app => ({
+    protocol,
+    port,
+    service: app.name ?? 'webapp',
+    version: app.version ?? null,
+    info: Array.isArray(app.categories) ? app.categories.join(', ') : 'webapp',
+    authoritative: false,
+  }));
+}

package/plugins/wsd_scanner.mjs

@@ -0,0 +1,290 @@
+// plugins/wsd_scanner.mjs
+// Enhanced WS-Discovery Scanner — discovers WS-Discovery devices in the subnet with comprehensive analysis
+// Filters results to include only devices matching the target host IP by default.
+// Set WSD_INCLUDE_NON_MATCHED=1 to keep all discovered devices.
+
+import dgram from 'dgram';
+import { parseString } from 'xml2js';
+import { v4 as uuidv4 } from 'uuid';
+import { isPrivateLike } from '../utils/net_validation.mjs';
+
+const DEBUG = /^(1|true|yes|on)$/i.test(String(process.env.DEBUG_MODE || process.env.WSD_DEBUG || ""));
+function dlog(...a) { if (DEBUG) console.log("[wsd-scanner]", ...a); }
+
+function ipMatches(target, address) {
+  const t = String(target || "").trim();
+  const a = String(address || "").trim();
+  return t === a;
+}
+
+/**
+ * Discovers WS-Discovery devices by sending a multicast Probe message.
+ * @param {string} targetHost The target host IP to filter for
+ * @param {number} timeout The time in milliseconds to wait for responses.
+ * @returns {Promise<Array<Object>>} A promise that resolves with an array of discovered devices.
+ */
+function discoverWsDiscoveryDevices(targetHost, timeout = 5000) {
+  return new Promise((resolve, reject) => {
+    const client = dgram.createSocket('udp4');
+    const devices = [];
+    const knownAddresses = new Set();
+    const probeMessageId = `urn:uuid:${uuidv4()}`;
+    const includeNonMatched = /^(1|true|yes|on)$/i.test(String(process.env.WSD_INCLUDE_NON_MATCHED || ""));
+
+    // The multicast address and port for WS-Discovery
+    const multicastAddress = '239.255.255.250';
+    const multicastPort = 3702;
+
+    // XML-based WS-Discovery Probe message
+    const probeMessage = `
+      <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
+        xmlns:a="http://www.w3.org/2005/08/addressing"
+        xmlns:d="http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01">
+        <s:Header>
+          <a:Action>http://docs.oasis-open.org/ws-dd/ns/discovery/2009/01/Probe</a:Action>
+          <a:MessageID>${probeMessageId}</a:MessageID>
+          <a:To>${multicastAddress}:${multicastPort}</a:To>
+        </s:Header>
+        <s:Body>
+          <d:Probe/>
+        </s:Body>
+      </s:Envelope>
+    `;
+
+    client.on('message', (msg, rinfo) => {
+      // Ignore messages that are not responses to our Probe
+      if (rinfo.address === client.address().address) return;
+      if (knownAddresses.has(rinfo.address)) return;
+
+      // Filter by target host unless includeNonMatched is set
+      const ipHit = ipMatches(targetHost, rinfo.address);
+      if (!ipHit && !includeNonMatched) {
+        dlog(`Filtering out non-matching device: ${rinfo.address} (target: ${targetHost})`);
+        return;
+      }
+
+      // Parse the XML response from the device
+      parseString(msg.toString(), (err, result) => {
+        if (err) {
+          dlog(`XML parse error from ${rinfo.address}:`, err.message);
+          return; // Silently ignore parsing errors
+        }
+        
+        // Ensure this is a valid ProbeMatch message
+        try {
+          if (result && result['s:Envelope'] && result['s:Envelope']['s:Body'] && 
+              result['s:Envelope']['s:Body'][0]['d:ProbeMatches']) {
+            const probeMatch = result['s:Envelope']['s:Body'][0]['d:ProbeMatches'][0]['d:ProbeMatch'][0];
+            const xaddrs = probeMatch['d:XAddrs'] ? probeMatch['d:XAddrs'][0].split(' ') : [];
+            
+            const endpointRef = probeMatch['a:EndpointReference'] && probeMatch['a:EndpointReference'][0]['a:Address'] 
+              ? probeMatch['a:EndpointReference'][0]['a:Address'][0] : 'Unknown';
+            
+            const types = probeMatch['d:Types'] ? probeMatch['d:Types'][0] : 'Unknown';
+            const scopes = probeMatch['d:Scopes'] ? probeMatch['d:Scopes'][0] : null;
+            const metadataVersion = probeMatch['d:MetadataVersion'] ? probeMatch['d:MetadataVersion'][0] : null;
+            
+            devices.push({
+              address: rinfo.address,
+              port: rinfo.port,
+              xaddrs: xaddrs,
+              endpointUuid: endpointRef,
+              types: types,
+              scopes: scopes,
+              metadataVersion: metadataVersion,
+              isMatched: ipHit,
+              timestamp: new Date().toISOString()
+            });
+            knownAddresses.add(rinfo.address);
+            
+            dlog(`Discovered WS-Discovery device: ${rinfo.address} (matched: ${ipHit}), types: ${types}`);
+          }
+        } catch (parseErr) {
+          dlog(`Parse error processing response from ${rinfo.address}:`, parseErr.message);
+        }
+      });
+    });
+
+    client.on('error', (err) => {
+      dlog("WS-Discovery client error:", err.message);
+      client.close();
+      reject(err);
+    });
+
+    client.bind(() => {
+      try {
+        client.setBroadcast(true);
+        client.setMulticastTTL(128);
+        
+        dlog(`Sending WS-Discovery probe to ${multicastAddress}:${multicastPort}`);
+        const buffer = Buffer.from(probeMessage);
+        client.send(buffer, multicastPort, multicastAddress, (err) => {
+          if (err) {
+            dlog("Failed to send WS-Discovery probe:", err.message);
+            client.close();
+            reject(err);
+          }
+        });
+      } catch (err) {
+        dlog("Error setting up WS-Discovery client:", err.message);
+        client.close();
+        reject(err);
+      }
+    });
+
+    setTimeout(() => {
+      dlog(`WS-Discovery timeout reached, found ${devices.length} devices`);
+      client.close();
+      resolve(devices);
+    }, timeout);
+  });
+}
+
+export default {
+  id: "016",
+  name: "Enhanced WS-Discovery Scanner",
+  description: "Discovers WS-Discovery enabled devices using multicast probe messages. Returns only devices matching the target host IP by default.",
+  priority: 400,
+  requirements: {},
+  protocols: ["udp"],
+  ports: [3702],
+  runStrategy: "single",
+
+  async run(host, port = 3702, opts = {}) {
+    const data = [];
+    let up = false;
+    let program = "WS-Discovery"; // Always set to WS-Discovery
+    let version = "1.1"; // Always set to 1.1
+    
+    const timeout = opts.timeout || 5000;
+
+    if (!isPrivateLike(host)) {
+      data.push({
+        probe_protocol: "udp",
+        probe_port: port,
+        probe_info: "Non-local target — WS-Discovery not attempted (requires local network)",
+        response_banner: null
+      });
+      return {
+        up: false,
+        program: "WS-Discovery",
+        version: "1.1",
+        type: "wsdiscovery",
+        data
+      };
+    }
+
+    try {
+      dlog(`Starting WS-Discovery scan for host: ${host}`);
+      const devices = await discoverWsDiscoveryDevices(host, timeout);
+      
+      const matchedDevices = devices.filter(d => d.isMatched);
+      const matched = matchedDevices.length > 0;
+      
+      dlog(`Discovery complete: total=${devices.length}, matched=${matchedDevices.length}`);
+      
+      if (devices.length > 0) {
+        up = matched;
+        // program and version already set above
+        
+        // Sort devices - matched first
+        devices.sort((a, b) => {
+          if (a.isMatched && !b.isMatched) return -1;
+          if (!a.isMatched && b.isMatched) return 1;
+          return 0;
+        });
+        
+        devices.forEach((device) => {
+          const xaddrsInfo = device.xaddrs.length > 0 ? device.xaddrs.join(', ') : 'No XAddrs';
+          
+          // Build comprehensive info string
+          const infoParts = [];
+          if (device.isMatched) {
+            infoParts.push("Matched host —");
+          } else {
+            infoParts.push("Discovered —");
+          }
+          infoParts.push(`types="${device.types}"`);
+          infoParts.push(`address=${device.address}`);
+          if (device.scopes) {
+            infoParts.push(`scopes="${device.scopes}"`);
+          }
+          if (device.metadataVersion) {
+            infoParts.push(`metadataVersion=${device.metadataVersion}`);
+          }
+
+          const bannerObj = {
+            address: device.address,
+            endpointUuid: device.endpointUuid,
+            types: device.types,
+            xaddrs: device.xaddrs,
+            scopes: device.scopes,
+            metadataVersion: device.metadataVersion,
+            discoveredAt: device.timestamp,
+            isMatched: device.isMatched
+          };
+          
+          data.push({
+            probe_protocol: 'udp',
+            probe_port: device.port,
+            probe_info: infoParts.join(' '),
+            response_banner: JSON.stringify(bannerObj),
+            device_address: device.address,
+            device_types: device.types,
+            endpoint_uuid: device.endpointUuid,
+            xaddrs: device.xaddrs,
+            scopes: device.scopes,
+            isMatched: device.isMatched
+          });
+        });
+
+        // Add summary row for matched devices
+        if (matched) {
+          const uniqueTypes = [...new Set(matchedDevices.map(d => d.types))];
+          const summaryRow = {
+            probe_protocol: 'udp',
+            probe_port: port,
+            probe_info: `Host ${host} confirmed via WS-Discovery - ${matchedDevices.length} device(s) found: ${uniqueTypes.join(', ')}`,
+            response_banner: JSON.stringify({
+              summary: true,
+              matchedDevices: matchedDevices.length,
+              deviceTypes: uniqueTypes,
+              discoveredAt: new Date().toISOString()
+            })
+          };
+          data.unshift(summaryRow);
+        }
+      } else {
+        data.push({
+          probe_protocol: 'udp',
+          probe_port: port,
+          probe_info: 'No WS-Discovery devices relevant to target IP discovered within timeout window',
+          response_banner: JSON.stringify({
+            timeout: timeout,
+            reason: "No responses received"
+          })
+        });
+      }
+    } catch (error) {
+      dlog("WS-Discovery scan error:", error.message);
+      data.push({
+        probe_protocol: 'udp',
+        probe_port: port,
+        probe_info: 'WS-Discovery scan failed',
+        response_banner: JSON.stringify({
+          error: error.message,
+          timestamp: new Date().toISOString()
+        })
+      });
+    }
+
+    return {
+      up,
+      program,
+      version,
+      type: 'wsdiscovery',
+      deviceCount: data.length - (up ? 1 : 0), // Exclude summary row from count
+      data
+    };
+  }
+};