Module: Msf::DBManager::Import::Nexpose::Raw
- Included in:
- Msf::DBManager::Import::Nexpose
- Defined in:
- lib/msf/core/db_manager/import/nexpose/raw.rb
Instance Method Summary collapse
- #import_nexpose_raw_noko_stream(args, &block) ⇒ Object
- #import_nexpose_rawxml(args = {}, &block) ⇒ Object
-
#import_nexpose_rawxml_file(args = {}) ⇒ Object
Nexpose Raw XML.
-
#nexpose_host_from_rawxml(h, vstructs, wspace, task = nil) ⇒ Object
Takes a Host object, an array of vuln structs (generated by nexpose_refs_to_struct()), and a workspace, and reports the vulns on that host.
-
#nexpose_refs_to_struct(vulns) ⇒ Object
Takes an array of vuln hashes, as returned by the NeXpose rawxml stream parser, like: [ “id”=>“winreg-notes-protocol-handler”, severity=“8”, “refs”=>[“source”=>“BID”, “value”=>“10600”, …] “id”=>“windows-zotob-c”, severity=“8”, “refs”=>[“source”=>“BID”, “value”=>“14513”, …] ] and transforms it into a struct, containing :id, :refs, :title, and :severity.
Instance Method Details
#import_nexpose_raw_noko_stream(args, &block) ⇒ Object
3 4 5 6 7 8 9 10 11 |
# File 'lib/msf/core/db_manager/import/nexpose/raw.rb', line 3 def import_nexpose_raw_noko_stream(args, &block) if block doc = Rex::Parser::NexposeRawDocument.new(args,framework.db) {|type, data| yield type,data } else doc = Rex::Parser::NexposeRawDocument.new(args,self) end parser = ::Nokogiri::XML::SAX::Parser.new(doc) parser.parse(args[:data]) end |
#import_nexpose_rawxml(args = {}, &block) ⇒ Object
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
# File 'lib/msf/core/db_manager/import/nexpose/raw.rb', line 13 def import_nexpose_rawxml(args={}, &block) bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] wspace = Msf::Util::DBManager.process_opts_workspace(args, framework).name if Rex::Parser.nokogiri_loaded parser = "Nokogiri v#{::Nokogiri::VERSION}" noko_args = args.dup noko_args[:blacklist] = bl noko_args[:workspace] = wspace if block yield(:parser, parser) import_nexpose_raw_noko_stream(noko_args) {|type, data| yield type,data} else import_nexpose_raw_noko_stream(noko_args) end return true end data = args[:data] # Use a stream parser instead of a tree parser so we can deal with # huge results files without running out of memory. parser = Rex::Parser::NexposeXMLStreamParser.new # Since all the Refs have to be in the database before we can use them # in a Vuln, we store all the hosts until we finish parsing and only # then put everything in the database. This is memory-intensive for # large files, but should be much less so than a tree parser. # # This method is also considerably faster than parsing through the tree # looking for references every time we hit a vuln. hosts = [] vulns = [] # The callback merely populates our in-memory table of hosts and vulns parser.callback = Proc.new { |type, value| case type when :host # XXX: Blacklist should be checked here instead of saving a # host we're just going to throw away later hosts.push(value) when :vuln value["id"] = value["id"].downcase if value["id"] vulns.push(value) end } REXML::Document.parse_stream(data, parser) vuln_refs = nexpose_refs_to_struct(vulns) hosts.each do |host| if bl.include? host["addr"] next else yield(:address,host["addr"]) if block end nexpose_host_from_rawxml(host, vuln_refs, wspace) end end |
#import_nexpose_rawxml_file(args = {}) ⇒ Object
Nexpose Raw XML
74 75 76 77 78 79 80 81 82 |
# File 'lib/msf/core/db_manager/import/nexpose/raw.rb', line 74 def import_nexpose_rawxml_file(args={}) filename = args[:filename] data = "" ::File.open(filename, 'rb') do |f| data = f.read(f.stat.size) end import_nexpose_rawxml(args.merge(:data => data)) end |
#nexpose_host_from_rawxml(h, vstructs, wspace, task = nil) ⇒ Object
Takes a Host object, an array of vuln structs (generated by nexpose_refs_to_struct()), and a workspace, and reports the vulns on that host.
86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
# File 'lib/msf/core/db_manager/import/nexpose/raw.rb', line 86 def nexpose_host_from_rawxml(h, vstructs, wspace,task=nil) hobj = nil data = {:workspace => wspace} if h["addr"] addr = h["addr"] else # Can't report it if it doesn't have an IP return end data[:host] = addr if (h["hardware-address"]) # Put colons between each octet of the MAC address data[:mac] = h["hardware-address"].gsub(':', '').scan(/../).join(':') end data[:state] = (h["status"] == "alive") ? Msf::HostState::Alive : Msf::HostState::Dead # Since we only have one name field per host in the database, just # take the first one. if (h["names"] and h["names"].first) data[:name] = h["names"].first end if (data[:state] != Msf::HostState::Dead) hobj = report_host(data) report_import_note(wspace, hobj) end if h["notes"] note = { :workspace => wspace, :host => (hobj || addr), :type => "host.vuln.nexpose_keys", :data => {}, :mode => :unique_data, :task => task } h["notes"].each do |v,k| note[:data][v] ||= [] next if note[:data][v].include? k note[:data][v] << k end report_note(note) end if h["os_family"] note = { :workspace => wspace, :host => hobj || addr, :type => 'host.os.nexpose_fingerprint', :task => task, :data => { :family => h["os_family"], :certainty => h["os_certainty"] } } note[:data][:vendor] = h["os_vendor"] if h["os_vendor"] note[:data][:product] = h["os_product"] if h["os_product"] note[:data][:version] = h["os_version"] if h["os_version"] note[:data][:arch] = h["arch"] if h["arch"] report_note(note) end h["endpoints"].each { |p| extra = "" extra << p["product"] + " " if p["product"] extra << p["version"] + " " if p["version"] # Skip port-0 endpoints next if p["port"].to_i == 0 # XXX This should probably be handled in a more standard way # extra << "(" + p["certainty"] + " certainty) " if p["certainty"] data = {} data[:workspace] = wspace data[:proto] = p["protocol"].downcase data[:port] = p["port"].to_i data[:state] = p["status"] data[:host] = hobj || addr data[:info] = extra if not extra.empty? data[:task] = task if p["name"] != "<unknown>" data[:name] = p["name"] end report_service(data) } h["vulns"].each_pair { |k,v| next if v["status"] !~ /^vulnerable/ vstruct = vstructs.select {|vs| vs.id.to_s.downcase == v["id"].to_s.downcase}.first next unless vstruct data = {} data[:workspace] = wspace data[:host] = hobj || addr data[:proto] = v["protocol"].downcase if v["protocol"] data[:port] = v["port"].to_i if v["port"] data[:name] = "NEXPOSE-" + v["id"] data[:info] = vstruct.title data[:refs] = vstruct.refs data[:task] = task report_vuln(data) } end |
#nexpose_refs_to_struct(vulns) ⇒ Object
Takes an array of vuln hashes, as returned by the NeXpose rawxml stream parser, like:
[
"id"=>"winreg-notes-protocol-handler", severity="8", "refs"=>["source"=>"BID", "value"=>"10600", ...]
"id"=>"windows-zotob-c", severity="8", "refs"=>["source"=>"BID", "value"=>"14513", ...]
]
and transforms it into a struct, containing :id, :refs, :title, and :severity
Other attributes can be added later, as needed.
202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 |
# File 'lib/msf/core/db_manager/import/nexpose/raw.rb', line 202 def nexpose_refs_to_struct(vulns) ret = [] vulns.each do |vuln| next if ret.map {|v| v.id}.include? vuln["id"] vstruct = Struct.new(:id, :refs, :title, :severity).new vstruct.id = vuln["id"] vstruct.title = vuln["title"] vstruct.severity = vuln["severity"] vstruct.refs = [] vuln["refs"].each do |ref| if ref['source'] == 'BID' vstruct.refs.push('BID-' + ref["value"]) elsif ref['source'] == 'CVE' # value is CVE-$ID vstruct.refs.push(ref["value"]) elsif ref['source'] == 'MS' vstruct.refs.push('MSB-' + ref["value"]) elsif ref['source'] == 'URL' vstruct.refs.push('URL-' + ref["value"]) end end ret.push vstruct end return ret end |