npm - nsauditor-ai - Versions diffs - 0.1.0 - Mend

nsauditor-ai 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/CONTRIBUTING.md +24 -0
package/LICENSE +21 -0
package/README.md +584 -0
package/bin/nsauditor-ai-mcp.mjs +2 -0
package/bin/nsauditor-ai.mjs +2 -0
package/cli.mjs +939 -0
package/config/services.json +304 -0
package/docs/EULA-nsauditor-ai.md +324 -0
package/index.mjs +15 -0
package/mcp_server.mjs +382 -0
package/package.json +44 -0
package/plugin_manager.mjs +829 -0
package/plugins/arp_scanner.mjs +162 -0
package/plugins/db_scanner.mjs +248 -0
package/plugins/dns_scanner.mjs +369 -0
package/plugins/dnssd-scanner.mjs +245 -0
package/plugins/ftp_banner_check.mjs +247 -0
package/plugins/host_up_check.mjs +337 -0
package/plugins/http_probe.mjs +290 -0
package/plugins/llmnr_scanner.mjs +130 -0
package/plugins/mdns_scanner.mjs +522 -0
package/plugins/netbios_scanner.mjs +737 -0
package/plugins/opensearch_scanner.mjs +276 -0
package/plugins/os_detector.mjs +436 -0
package/plugins/ping_checker.mjs +271 -0
package/plugins/port_scanner.mjs +250 -0
package/plugins/result_concluder.mjs +274 -0
package/plugins/snmp_scanner.mjs +278 -0
package/plugins/ssh_scanner.mjs +421 -0
package/plugins/sunrpc_scanner.mjs +339 -0
package/plugins/syn_scanner.mjs +314 -0
package/plugins/tls_scanner.mjs +225 -0
package/plugins/upnp_scanner.mjs +441 -0
package/plugins/webapp_detector.mjs +246 -0
package/plugins/wsd_scanner.mjs +290 -0
package/utils/attack_map.mjs +180 -0
package/utils/capabilities.mjs +53 -0
package/utils/conclusion_utils.mjs +70 -0
package/utils/cpe.mjs +74 -0
package/utils/cve_validator.mjs +64 -0
package/utils/cvss.mjs +129 -0
package/utils/delta_reporter.mjs +110 -0
package/utils/export_csv.mjs +82 -0
package/utils/finding_queue.mjs +64 -0
package/utils/finding_schema.mjs +36 -0
package/utils/host_iterator.mjs +166 -0
package/utils/license.mjs +29 -0
package/utils/net_validation.mjs +66 -0
package/utils/nvd_cache.mjs +77 -0
package/utils/nvd_client.mjs +130 -0
package/utils/oui.mjs +107 -0
package/utils/plugin_discovery.mjs +89 -0
package/utils/prompts.mjs +143 -0
package/utils/raw_report_html.mjs +170 -0
package/utils/redact.mjs +79 -0
package/utils/report_html.mjs +236 -0
package/utils/sarif.mjs +225 -0
package/utils/scan_history.mjs +248 -0
package/utils/scheduler.mjs +157 -0
package/utils/webhook.mjs +177 -0

package/plugins/arp_scanner.mjs ADDED Viewed

@@ -0,0 +1,162 @@
+// plugins/arp_scanner.mjs
+// ARP Scanner — infers vendor/OS hints from ARP (local targets only) via ctx helpers.
+// Short-circuits if a prior plugin already inferred OS (e.g., Ping Checker or others).
+import { promisify } from "node:util";
+import { execFile } from "node:child_process";
+import { isPrivateLike } from '../utils/net_validation.mjs';
+const execFileP = promisify(execFile);
+const DEBUG = /^(1|true|yes|on)$/i.test(String(process.env.DEBUG_MODE || process.env.ARP_DEBUG || ""));
+const ONLY_IF_OS_UNKNOWN = !/^(0|false|no|off)$/i.test(String(process.env.ARP_RUN_ONLY_IF_OS_UNKNOWN ?? "1"));
+function dlog(...a) { if (DEBUG) console.log("[arp-scanner]", ...a); }
+// --- Exported: tests expect a STRING MAC (or null) ---
+export function parseArpOutput(out, ip) {
+  if (!out) return null;
+  // Normalize MAC patterns (colon or dash, 1 or 2 hex digits per octet)
+  const macRe = /([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})/i;
+  // Log raw output for debugging
+  dlog("Raw ARP output:", out);
+  // Prefer a line with the specific IP if provided (macOS/Linux: IP in parentheses or first column; Windows: "Internet Address")
+  if (ip) {
+    const ipLine = out
+      .split(/\r?\n/)
+      .find((l) => l.includes(ip) || l.includes(`(${ip})`));
+    if (ipLine) {
+      const m = ipLine.match(macRe);
+      if (m) {
+        let mac = m[1].replace(/-/g, ":").toUpperCase();
+        // Normalize to two digits per octet
+        mac = mac.split(":").map(part => part.padStart(2, "0")).join(":");
+        dlog(`Parsed MAC for IP ${ip}: ${mac}`);
+        return mac;
+      }
+    }
+  }
+  // Fallback: first MAC in the whole output
+  const m2 = out.match(macRe);
+  if (m2) {
+    let mac = m2[1].replace(/-/g, ":").toUpperCase();
+    mac = mac.split(":").map(part => part.padStart(2, "0")).join(":");
+    dlog(`Parsed fallback MAC: ${mac}`);
+    return mac;
+  }
+  dlog("No MAC found in output");
+  return null;
+}
+async function getMacViaArp(ip, iface = null) {
+  const cmd = "arp";
+  const args = process.platform === "win32" ? ["-a", ip] : ["-n", ip];
+  // Add interface specification for macOS/Linux if provided
+  if (iface && process.platform !== "win32") {
+    args.push("-i", iface);
+  }
+  try {
+    const { stdout } = await execFileP(cmd, args, { windowsHide: true, timeout: 5000 });
+    return parseArpOutput(stdout, ip);
+  } catch (e) {
+    dlog("arp exec failed:", e?.message || e);
+    return null;
+  }
+}
+export default {
+  id: "026",
+  name: "ARP Scanner",
+  description: "Infers vendor/OS hints from ARP (local targets only) via ctx helpers.",
+  priority: 25,
+  requirements: {},
+  protocols: ["arp"],
+  ports: [],
+  async run(host, _port, opts = {}) {
+    const data = [];
+    let up = false;
+    let os = null;
+    // ----- Short-circuit logic (no manager changes required) -----
+    const ctx = opts?.context || {};
+    const osKnown = !!ctx.os || !!ctx.arpOs || !!ctx.pingOs;
+    if (ONLY_IF_OS_UNKNOWN && osKnown) {
+      dlog("Skipping ARP scan — OS already known by prior probe");
+      data.push({
+        probe_protocol: "arp",
+        probe_port: 0,
+        probe_info: "Skipped: OS already known from prior plugin",
+        response_banner: null
+      });
+      return { up: false, os: null, data };
+    }
+    // -------------------------------------------------------------
+    // Only meaningful on local subnets
+    if (!isPrivateLike(host)) {
+      dlog("Target not in private/local range; ARP not attempted.");
+      data.push({
+        probe_protocol: "arp",
+        probe_port: 0,
+        probe_info: "Non-local target — ARP not attempted",
+        response_banner: null
+      });
+      return { up: false, os: null, data };
+    }
+    // Try with interface 'en0' for macOS, fallback to no interface
+    const interfaces = process.platform === "win32" ? [null] : [null, "en0"];
+    let mac = null;
+    for (const iface of interfaces) {
+      mac = await getMacViaArp(host, iface);
+      if (mac) break;
+    }
+    if (!mac) {
+      data.push({
+        probe_protocol: "arp",
+        probe_port: 0,
+        probe_info: "No ARP entry",
+        response_banner: null,
+        mac: null
+      });
+      return { up: false, os: null, data };
+    }
+    up = true; // ARP implies L2 presence
+    // Use ctx helpers only (no internal OUI loading)
+    const vendorRaw = typeof ctx.lookupVendor === "function" ? (ctx.lookupVendor(mac) || null) : null;
+    const vendor = vendorRaw ? vendorRaw.replace(/[\r\n]+/g, ' ').trim() : null;
+    const info = vendor ? `ARP entry found — vendor: ${vendor}` : "ARP entry found";
+    data.push({
+      probe_protocol: "arp",
+      probe_port: 0,
+      probe_info: info,
+      response_banner: mac,
+      mac
+    });
+    // Vendor → OS heuristic via ctx helper (conservative)
+    if (typeof ctx.probableOsFromVendor === "function") {
+      const vendorOs = ctx.probableOsFromVendor(vendor);
+      if (vendorOs && vendorOs !== "Unknown") os = vendorOs;
+    }
+    return {
+      up,
+      program: "ARP",
+      version: "Unknown",
+      os,
+      type: "arp",
+      data
+    };
+  }
+};

package/plugins/db_scanner.mjs ADDED Viewed

@@ -0,0 +1,248 @@
+// plugins/db_scanner.mjs
+// Lightweight DB product/version probes (no external deps). Best-effort banner grabs.
+//
+// Detects: MySQL/MariaDB (3306), Microsoft SQL Server (1433), PostgreSQL (5432),
+// Oracle TNS (1521), MongoDB (27017)
+import net from 'node:net';
+const TIMEOUT = 2500;
+const DB_PORTS = [3306, 1433, 5432, 1521, 27017];
+function connect(host, port, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const s = new net.Socket();
+    let done = false;
+    const finish = (err, sock) => { if (done) return; done = true; err ? reject(err) : resolve(sock); };
+    s.setNoDelay(true);
+    s.setTimeout(timeoutMs, () => { try{s.destroy()}catch{}; finish(new Error('timeout')); });
+    s.once('error', (e)=>{ try{s.destroy()}catch{}; finish(e); });
+    s.connect(port, host, ()=>finish(null, s));
+  });
+}
+const readAll = (sock, ms) => new Promise(res => {
+  const chunks = []; let len = 0; const t = setTimeout(() => end(), ms);
+  const end = () => { clearTimeout(t); try{sock.destroy()}catch{}; res(Buffer.concat(chunks, len)); };
+  sock.on('data', b => { chunks.push(b); len += b.length; if (len > 65536) end(); });
+  sock.on('end', end); sock.on('close', end); sock.on('error', end);
+});
+// --- MySQL / MariaDB (3306) ---
+async function probeMySQL(host, port, timeoutMs) {
+  const s = await connect(host, port, timeoutMs);
+  const buf = await readAll(s, timeoutMs); // server greets first
+  if (buf.length >= 6 && buf[4] === 0x0a) {
+    let i = 5;
+    while (i < buf.length && buf[i] !== 0x00) i++;
+    const verStr = buf.slice(5, i).toString('utf8');
+    const lower = verStr.toLowerCase();
+    const product = lower.includes('mariadb') ? 'MariaDB' : 'MySQL';
+    const m = verStr.match(/\d+\.\d+(?:\.\d+)?/);
+    return { type: 'mysql', product, version: m ? m[0] : '', banner: `MySQL greeting: ${verStr}` };
+  }
+  return { type: 'mysql', product: 'MySQL', version: '', banner: 'MySQL (no greeting parsed)' };
+}
+// --- Microsoft SQL Server / TDS (1433) ---
+async function probeMSSQL(host, port, timeoutMs) {
+  const s = await connect(host, port, timeoutMs);
+  // Minimal PRELOGIN request (TDS 7.x)
+  const prelogin = Buffer.from([
+    0x12,0x01,0x00,0x14,0x00,0x00,0x00,0x00, // TDS header
+    0x00,0x00,0x06,0x00,0x06,               // VERSION token, offset 0x0006, len 6
+    0xFF,                                   // terminator
+    0x08,0x00,0x01,0x55,0x00,0x00           // arbitrary client version payload
+  ]);
+  s.write(prelogin);
+  const buf = await readAll(s, timeoutMs);
+  const hdrLen = 8;
+  if (buf.length <= hdrLen) {
+    return { type: 'mssql', product: 'Microsoft SQL Server', version: '', banner: 'TDS (no response)' };
+  }
+  const payload = buf.slice(hdrLen);
+  let i = 0, version = '';
+  while (i + 4 < payload.length && payload[i] !== 0xFF) {
+    const token   = payload[i];
+    const offset  = payload.readUInt16BE(i+1);
+    const length  = payload.readUInt16BE(i+3);
+    if (token === 0x00 && offset + length <= payload.length && length === 6) {
+      const v = payload.slice(offset, offset + length);
+      const major = v[0], minor = v[1], build = v.readUInt16BE(2), sub = v.readUInt16BE(4);
+      version = `${major}.${minor}.${build}.${sub}`;
+      break;
+    }
+    i += 5;
+  }
+  const map = { 16: 'SQL Server 2022', 15: 'SQL Server 2019', 14: 'SQL Server 2017', 13: 'SQL Server 2016', 12: 'SQL Server 2014', 11: 'SQL Server 2012', 10: 'SQL Server 2008/R2', 9: 'SQL Server 2005', 8: 'SQL Server 2000' };
+  const edition = version ? map[Number(version.split('.')[0])] || '' : '';
+  return {
+    type: 'mssql',
+    product: 'Microsoft SQL Server',
+    version,
+    banner: version ? `MSSQL PRELOGIN: ${version}${edition ? ' ('+edition+')' : ''}` : 'MSSQL (no version parsed)'
+  };
+}
+// --- PostgreSQL (5432) ---
+async function probePostgres(host, port, timeoutMs) {
+  const s = await connect(host, port, timeoutMs);
+  // StartupMessage: len(4) + protocol 3.0 (4) + params (key\0val\0... \0)
+  const params = Buffer.from('user\0pgscan\0database\0postgres\0application_name\0audit-scan\0\0','utf8');
+  const startup = Buffer.alloc(8 + params.length);
+  startup.writeUInt32BE(startup.length, 0);
+  startup.writeUInt32BE(196608, 4); // 3.0
+  params.copy(startup, 8);
+  s.write(startup);
+  const buf = await readAll(s, timeoutMs);
+  const text = buf.toString('utf8');
+  const m = text.match(/PostgreSQL\s+(\d+\.\d+(?:\.\d+)?)/i);
+  const version = m ? m[1] : '';
+  return { type: 'postgresql', product: 'PostgreSQL', version, banner: version ? `PostgreSQL ${version}` : 'PostgreSQL (version not disclosed)' };
+}
+// --- Oracle TNS (1521) — heuristic ---
+async function probeOracleTNS(host, port, timeoutMs) {
+  const s = await connect(host, port, timeoutMs);
+  const buf = await readAll(s, timeoutMs);
+  const b = buf.toString('utf8');
+  const m = b.match(/version\s*=?\s*([\d.]+)/i);
+  return { type: 'oracle', product: 'Oracle Database', version: m ? m[1] : '', banner: b || 'TNS (no banner)' };
+}
+// --- MongoDB (27017) ---
+async function probeMongoDB(host, port, timeoutMs) {
+  const s = await connect(host, port, timeoutMs);
+  // Build OP_QUERY for { buildInfo: 1 } on admin.$cmd
+  const coll = Buffer.from('admin.$cmd\0', 'utf8');
+  const doc = buildBsonInt32('buildInfo', 1);
+  const headerLen = 16, bodyLen = 4 + coll.length + 4 + 4 + doc.length;
+  const buf = Buffer.alloc(headerLen + bodyLen);
+  let o = 0;
+  buf.writeInt32LE(headerLen + bodyLen, o); o+=4;
+  buf.writeInt32LE(1, o); o+=4;     // requestID
+  buf.writeInt32LE(0, o); o+=4;     // responseTo
+  buf.writeInt32LE(2004, o); o+=4;  // OP_QUERY
+  buf.writeInt32LE(0, o); o+=4;     // flags
+  coll.copy(buf, o); o += coll.length;
+  buf.writeInt32LE(0, o); o+=4;     // numberToSkip
+  buf.writeInt32LE(-1, o); o+=4;    // numberToReturn
+  doc.copy(buf, o); o += doc.length;
+  s.write(buf);
+  const rsp = await readAll(s, timeoutMs);
+  const txt = rsp.toString('utf8');
+  const m = txt.match(/"version"\s*:\s*"([^"]+)"/i);
+  const version = m ? m[1] : '';
+  return { type: 'mongodb', product: 'MongoDB', version, banner: version ? `MongoDB buildInfo: ${version}` : 'MongoDB (version not disclosed)' };
+}
+function buildBsonInt32(key, value) {
+  const k = Buffer.from(key + '\0', 'utf8');
+  const len = 4 + 1 + k.length + 4 + 1; // size + type + key + int32 + terminator
+  const b = Buffer.alloc(len);
+  let o = 0;
+  b[o++] = 0; // filled after
+  b[o++] = 0;
+  b[o++] = 0;
+  b[o++] = 0;
+  b[o++] = 0x10; // int32
+  k.copy(b, o); o += k.length;
+  b.writeInt32LE(value, o); o+=4;
+  b[o++] = 0x00;
+  b.writeInt32LE(len, 0);
+  return b;
+}
+async function probeDb(host, port, timeoutMs) {
+  switch (Number(port)) {
+    case 3306:  return await probeMySQL(host, port, timeoutMs);
+    case 1433:  return await probeMSSQL(host, port, timeoutMs);
+    case 5432:  return await probePostgres(host, port, timeoutMs);
+    case 1521:  return await probeOracleTNS(host, port, timeoutMs);
+    case 27017: return await probeMongoDB(host, port, timeoutMs);
+    default:    return null;
+  }
+}
+export default {
+  id: '025',
+  name: 'DB Scanner',
+  description: 'Identifies common databases on well-known ports and extracts product/version banners.',
+  priority: 62,
+  requirements: { host: 'up', tcp_open: DB_PORTS },
+  protocols: ['tcp'],
+  ports: DB_PORTS,
+  dependencies: [],
+  async run(host, port = 0, opts = {}) {
+    const timeoutMs = Number(opts.timeoutMs || process.env.DB_SCAN_TIMEOUT_MS || TIMEOUT);
+    const result = {
+      up: false,
+      program: 'Unknown',
+      version: 'Unknown',
+      os: null,
+      type: 'database',
+      data: [],
+    };
+    try {
+      const r = await probeDb(host, Number(port), timeoutMs);
+      if (!r) {
+        result.data.push({
+          probe_protocol: 'tcp',
+          probe_port: Number(port),
+          probe_info: 'Unsupported DB port',
+          response_banner: null
+        });
+        return result;
+      }
+      const program =
+        r.product || (r.type ? String(r.type).toUpperCase() : 'Unknown');
+      result.up = true; // a TCP conversation succeeded
+      result.program = program;
+      result.version = r.version || 'Unknown';
+      result.data.push({
+        probe_protocol: 'tcp',
+        probe_port: Number(port),
+        probe_info: `${program}${r.version ? ' ' + r.version : ''}`.trim(),
+        response_banner: r.banner || null
+      });
+      return result;
+    } catch (e) {
+      result.data.push({
+        probe_protocol: 'tcp',
+        probe_port: Number(port),
+        probe_info: `TCP error: ${e?.message || e}`,
+        response_banner: null
+      });
+      return result;
+    }
+  }
+};
+import { statusFrom } from '../utils/conclusion_utils.mjs';
+export async function conclude({ host, result }) {
+  const rows = Array.isArray(result?.data) ? result.data : [];
+  const svcByPort = { 3306:'mysql', 5432:'postgresql', 1433:'mssql', 1521:'oracle', 27017:'mongodb' };
+  const items = [];
+  for (const r of rows) {
+    if (typeof r?.probe_port !== 'number') continue;
+    const port = Number(r.probe_port);
+    const proto = String(r?.probe_protocol || 'tcp');
+    const service = svcByPort[port] || (proto === 'udp' ? `udp-${port}` : `tcp-${port}`);
+    const info = r?.probe_info || null;
+    const banner = r?.response_banner || null;
+    items.push({
+      port, protocol: proto, service,
+      program: result?.program || 'Unknown', version: result?.version || 'Unknown',
+      status: result?.up ? 'open' : statusFrom({ info, banner }),
+      info, banner, source: 'db-scanner', evidence: rows, authoritative: true
+    });
+  }
+  return items;
+}