2009-12-14 22:52:34 +00:00
|
|
|
module Msf
|
|
|
|
class DBManager
|
|
|
|
|
|
|
|
class Host < ActiveRecord::Base
|
|
|
|
include DBSave
|
|
|
|
|
|
|
|
belongs_to :workspace
|
2011-02-08 18:53:55 +00:00
|
|
|
has_and_belongs_to_many :tags, :join_table => :hosts_tags
|
2009-12-14 22:52:34 +00:00
|
|
|
has_many :services, :dependent => :destroy
|
|
|
|
has_many :clients, :dependent => :destroy
|
|
|
|
has_many :vulns, :dependent => :destroy
|
|
|
|
has_many :notes, :dependent => :destroy
|
2010-05-07 06:37:00 +00:00
|
|
|
has_many :loots, :dependent => :destroy, :order => "loots.created_at desc"
|
2011-04-15 18:54:27 +00:00
|
|
|
has_many :sessions, :dependent => :destroy, :order => "sessions.opened_at"
|
2009-12-14 22:52:34 +00:00
|
|
|
|
2009-12-29 23:48:45 +00:00
|
|
|
has_many :service_notes, :through => :services
|
2010-10-02 18:48:29 +00:00
|
|
|
has_many :web_sites, :through => :services
|
2010-08-18 00:58:20 +00:00
|
|
|
has_many :creds, :through => :services
|
2010-08-24 21:57:04 +00:00
|
|
|
has_many :exploited_hosts, :dependent => :destroy
|
2009-12-29 23:48:45 +00:00
|
|
|
|
2010-03-20 14:38:50 +00:00
|
|
|
validates_exclusion_of :address, :in => ['127.0.0.1']
|
2009-12-14 22:52:34 +00:00
|
|
|
validates_uniqueness_of :address, :scope => :workspace_id
|
2011-01-20 23:10:27 +00:00
|
|
|
|
|
|
|
def attribute_locked?(attr)
|
|
|
|
n = notes.find_by_ntype("host.updated.#{attr}")
|
|
|
|
n && n.data[:locked]
|
|
|
|
end
|
|
|
|
|
2011-04-07 21:59:32 +00:00
|
|
|
# Determine if the fingerprint data is readable. If not, it nearly always
|
|
|
|
# means that there was a problem with the YAML or the Marshal'ed data,
|
|
|
|
# so let's log that for later investigation.
|
|
|
|
def validate_fingerprint_data(fp)
|
|
|
|
if fp.data.kind_of?(Hash) and !fp.data.empty?
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
dlog("Could not validate fingerprint data: #{fp.inspect}")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def normalize_os
|
|
|
|
host = self
|
|
|
|
|
|
|
|
wname = {} # os_name == Linux, Windows, Mac OS X, VxWorks
|
|
|
|
wtype = {} # purpose == server, client, device
|
|
|
|
wflav = {} # os_flavor == Ubuntu, Debian, 2003, 10.5, JetDirect
|
|
|
|
wvers = {} # os_sp == 9.10, SP2, 10.5.3, 3.05
|
|
|
|
warch = {} # arch == x86, PPC, SPARC, MIPS, ''
|
|
|
|
wlang = {} # os_lang == English, ''
|
|
|
|
whost = {} # hostname
|
|
|
|
|
|
|
|
# Normalize the operating system fingerprints provided by various
|
|
|
|
# scanners (nmap, nexpose, retina, nessus, etc). These are stored as
|
|
|
|
# notes (instead of directly in the os_* fields) specifically for this
|
|
|
|
# purpose. Note that we're already restricting to this host by using
|
|
|
|
# host.notes instead of Note, so don't need a host_id in the conditions.
|
|
|
|
fingers = host.notes.find(:all,
|
|
|
|
:conditions => [ "ntype like '%%fingerprint'" ]
|
|
|
|
)
|
|
|
|
fingers.each do |fp|
|
|
|
|
next if not validate_fingerprint_data(fp)
|
|
|
|
norm = normalize_scanner_fp(fp)
|
|
|
|
wvers[norm[:os_sp]] = wvers[norm[:os_sp]].to_i + (100 * norm[:certainty])
|
|
|
|
wname[norm[:os_name]] = wname[norm[:os_name]].to_i + (100 * norm[:certainty])
|
|
|
|
wflav[norm[:os_flavor]] = wflav[norm[:os_flavor]].to_i + (100 * norm[:certainty])
|
|
|
|
warch[norm[:arch]] = warch[norm[:arch]].to_i + (100 * norm[:certainty])
|
2011-04-11 22:29:53 +00:00
|
|
|
whost[norm[:name]] = whost[norm[:name]].to_i + (100 * norm[:certainty])
|
2011-04-07 21:59:32 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Grab service information and assign scores. Some services are
|
|
|
|
# more trustworthy than others. If more services agree than not,
|
|
|
|
# than that should be considered as well.
|
|
|
|
# Each service has a starting number of points. Services that
|
|
|
|
# are more difficult to fake are awarded more points. The points
|
|
|
|
# represent a running total, not a fixed score.
|
|
|
|
# XXX: This needs to be refactored in a big way. Tie-breaking is
|
|
|
|
# pretty arbitrary, it would be nice to explicitly believe some
|
|
|
|
# services over others, but that means recording which service
|
|
|
|
# has an opinion and which doesn't. It would also be nice to
|
|
|
|
# identify "impossible" combinations of services and alert that
|
|
|
|
# something funny is going on.
|
|
|
|
host.services.find(:all).each do |s|
|
|
|
|
next if not s.info
|
|
|
|
points = 0
|
|
|
|
case s.name
|
|
|
|
when 'smb'
|
|
|
|
points = 210
|
|
|
|
case s.info
|
|
|
|
when /(ubuntu|debian|fedora|red ?hat|rhel)/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav[$1.capitalize] = wflav[$1.capitalize].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /^Windows/
|
|
|
|
win_sp = nil
|
|
|
|
win_flav = nil
|
|
|
|
win_lang = nil
|
|
|
|
|
|
|
|
ninfo = s.info
|
|
|
|
ninfo.gsub!('(R)', '')
|
|
|
|
ninfo.gsub!('(TM)', '')
|
|
|
|
ninfo.gsub!(/\s+/, ' ')
|
|
|
|
|
|
|
|
# Windows (R) Web Server 2008 6001 Service Pack 1 (language: Unknown) (name:PG-WIN2008WEB) (domain:WORKGROUP)
|
|
|
|
# Windows XP Service Pack 3 (language: English) (name:EGYPT-B3E55BF3C) (domain:EGYPT-B3E55BF3C)
|
|
|
|
# Windows 7 Ultimate (Build 7600) (language: Unknown) (name:WIN7) (domain:WORKGROUP)
|
|
|
|
|
|
|
|
#if ninfo =~ /^Windows ([^\s]+)(.*)(Service Pack |\(Build )([^\(]+)\(/
|
|
|
|
if ninfo =~ /^Windows (.*)(Service Pack [^\s]+|\(Build [^\)]+\))/
|
|
|
|
win_flav = $1.strip
|
|
|
|
win_sp = ($2).strip
|
|
|
|
win_sp.gsub!(/with.*/, '')
|
|
|
|
win_sp.gsub!('Service Pack', 'SP')
|
|
|
|
win_sp.gsub!('Build', 'b')
|
|
|
|
win_sp.gsub!(/\s+/, '')
|
|
|
|
win_sp.tr!("()", '')
|
|
|
|
else
|
|
|
|
if ninfo =~ /^Windows ([^\s+]+)([^\(]+)\(/
|
|
|
|
win_flav = $2.strip
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
if ninfo =~ /name: ([^\)]+)\)/
|
|
|
|
hostname = $1.strip
|
|
|
|
end
|
|
|
|
|
|
|
|
if ninfo =~ /language: ([^\)]+)\)/
|
|
|
|
win_lang = $1.strip
|
|
|
|
end
|
|
|
|
|
|
|
|
win_lang = nil if win_lang =~ /unknown/i
|
|
|
|
win_vers = win_sp
|
|
|
|
|
|
|
|
wname['Microsoft Windows'] = wname['Microsoft Windows'].to_i + points
|
|
|
|
wlang[win_lang] = wlang[win_lang].to_i + points if win_lang
|
|
|
|
wflav[win_flav] = wflav[win_flav].to_i + points if win_flav
|
|
|
|
wvers[win_vers] = wvers[win_vers].to_i + points if win_vers
|
|
|
|
whost[hostname] = whost[hostname].to_i + points if hostname
|
|
|
|
|
|
|
|
case win_flav
|
|
|
|
when /NT|2003|2008/
|
|
|
|
win_type = 'server'
|
|
|
|
else
|
|
|
|
win_type = 'client'
|
|
|
|
end
|
|
|
|
wtype[win_type] = wtype[win_type].to_i + points
|
|
|
|
end
|
|
|
|
|
|
|
|
when 'ssh'
|
|
|
|
points = 104
|
|
|
|
case s.info
|
|
|
|
when /honeypot/i # Never trust this
|
|
|
|
nil
|
|
|
|
when /ubuntu/i
|
|
|
|
# This needs to be above /debian/ becuase the ubuntu banner contains both, e.g.:
|
|
|
|
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Ubuntu'] = wflav['Ubuntu'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /debian/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Debian'] = wflav['Debian'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /FreeBSD/
|
|
|
|
wname['FreeBSD'] = wname['FreeBSD'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /sun_ssh/i
|
|
|
|
wname['Sun Solaris'] = wname['Sun Solaris'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /vshell|remotelyanywhere|freessh/i
|
|
|
|
wname['Microsoft Windows'] = wname['Microsoft Windows'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /radware/i
|
|
|
|
wname['RadWare'] = wname['RadWare'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /dropbear/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /netscreen/i
|
|
|
|
wname['NetScreen'] = wname['NetScreen'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /vpn3/
|
|
|
|
wname['Cisco VPN 3000'] = wname['Cisco VPN 3000'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /cisco/i
|
|
|
|
wname['Cisco IOS'] = wname['Cisco IOS'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /mpSSH/
|
|
|
|
wname['HP iLO'] = wname['HP iLO'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
end
|
|
|
|
when 'http'
|
|
|
|
points = 99
|
|
|
|
case s.info
|
|
|
|
when /iSeries/
|
|
|
|
wname['IBM iSeries'] = wname['IBM iSeries'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Mandrake/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Mandrake'] = wflav['Mandrake'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Mandriva/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Mandrake'] = wflav['Mandrake'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Ubuntu/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Ubuntu'] = wflav['Ubuntu'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Debian/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Debian'] = wflav['Debian'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Fedora/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Fedora'] = wflav['Fedora'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /CentOS/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['CentOS'] = wflav['CentOS'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /RHEL/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['RHEL'] = wflav['RHEL'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Red.?Hat/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Red Hat'] = wflav['Red Hat'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /SuSE/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['SUSE'] = wflav['SUSE'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /TurboLinux/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['TurboLinux'] = wflav['TurboLinux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Gentoo/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Gentoo'] = wflav['Gentoo'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Conectiva/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Conectiva'] = wflav['Conectiva'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Asianux/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Asianux'] = wflav['Asianux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Trustix/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Trustix'] = wflav['Trustix'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /White Box/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['White Box'] = wflav['White Box'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /UnitedLinux/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['UnitedLinux'] = wflav['UnitedLinux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /PLD\/Linux/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['PLD/Linux'] = wflav['PLD/Linux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Vine\/Linux/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Vine/Linux'] = wflav['Vine/Linux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /rPath/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['rPath'] = wflav['rPath'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /StartCom/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['StartCom'] = wflav['StartCom'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /linux/i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /PalmOS/
|
|
|
|
wname['PalmOS'] = wname['PalmOS'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /Microsoft[\x20\x2d]IIS\/[234]\.0/
|
|
|
|
wname['Microsoft Windows NT 4.0'] = wname['Microsoft Windows NT 4.0'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Microsoft[\x20\x2d]IIS\/5\.0/
|
|
|
|
wname['Microsoft Windows 2000'] = wname['Microsoft Windows 2000'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Microsoft[\x20\x2d]IIS\/5\.1/
|
|
|
|
wname['Microsoft Windows XP'] = wname['Microsoft Windows XP'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Microsoft[\x20\x2d]IIS\/6\.0/
|
|
|
|
wname['Microsoft Windows 2003'] = wname['Microsoft Windows 2003'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Microsoft[\x20\x2d]IIS\/7\.0/
|
|
|
|
wname['Microsoft Windows 2008'] = wname['Microsoft Windows 2008'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Win32/i
|
|
|
|
wname['Microsoft Windows'] = wname['Microsoft Windows'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /DD\-WRT ([^\s]+) /i
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['DD-WRT'] = wflav['DD-WRT'].to_i + points
|
|
|
|
wvers[$1.strip] = wvers[$1.strip].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /Darwin/
|
|
|
|
wname['Apple Mac OS X'] = wname['Apple Mac OS X'].to_i + points
|
|
|
|
|
|
|
|
when /FreeBSD/i
|
|
|
|
wname['FreeBSD'] = wname['FreeBSD'].to_i + points
|
|
|
|
|
|
|
|
when /OpenBSD/i
|
|
|
|
wname['OpenBSD'] = wname['OpenBSD'].to_i + points
|
|
|
|
|
|
|
|
when /NetBSD/i
|
|
|
|
wname['NetBSD'] = wname['NetBSD'].to_i + points
|
|
|
|
|
|
|
|
when /NetWare/i
|
|
|
|
wname['Novell NetWare'] = wname['Novell NetWare'].to_i + points
|
|
|
|
|
|
|
|
when /OpenVMS/i
|
|
|
|
wname['OpenVMS'] = wname['OpenVMS'].to_i + points
|
|
|
|
|
|
|
|
when /SunOS|Solaris/i
|
|
|
|
wname['Sun Solaris'] = wname['Sun Solaris'].to_i + points
|
|
|
|
|
|
|
|
when /HP.?UX/i
|
|
|
|
wname['HP-UX'] = wname['HP-UX'].to_i + points
|
|
|
|
end
|
|
|
|
when 'snmp'
|
|
|
|
points = 103
|
|
|
|
case s.info
|
|
|
|
when /^Sun SNMP Agent/
|
|
|
|
wname['Sun Solaris'] = wname['Sun Solaris'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^SunOS ([^\s]+) ([^\s]+) /
|
|
|
|
# XXX 1/2 XXX what does this comment mean i wonder
|
|
|
|
wname['Sun Solaris'] = wname['Sun Solaris'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Linux ([^\s]+) ([^\s]+) /
|
|
|
|
whost[$1] = whost[$1].to_i + points
|
|
|
|
wname['Linux ' + $2] = wname['Linux ' + $2].to_i + points
|
|
|
|
wvers[$2] = wvers[$2].to_i + points
|
|
|
|
arch = get_arch_from_string(s.info)
|
|
|
|
warch[arch] = warch[arch].to_i + points if arch
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Novell NetWare ([^\s]+)/
|
|
|
|
wname['Novell NetWare ' + $1] = wname['Novell NetWare ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
arch = "x86"
|
|
|
|
warch[arch] = warch[arch].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Novell UnixWare ([^\s]+)/
|
|
|
|
wname['Novell UnixWare ' + $1] = wname['Novell UnixWare ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
arch = "x86"
|
|
|
|
warch[arch] = warch[arch].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^HP-UX ([^\s]+) ([^\s]+) /
|
|
|
|
# XXX
|
|
|
|
wname['HP-UX ' + $2] = wname['HP-UX ' + $2].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^IBM PowerPC.*Base Operating System Runtime AIX version: (\d+\.\d+)/
|
|
|
|
wname['IBM AIX ' + $1] = wname['IBM AIX ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^SCO TCP\/IP Runtime Release ([^\s]+)/
|
|
|
|
wname['SCO UnixWare ' + $1] = wname['SCO UnixWare ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /.* IRIX version ([^\s]+)/
|
|
|
|
wname['SGI IRIX ' + $1] = wname['SGI IRIX ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Unisys ([^\s]+) version ([^\s]+) kernel/
|
|
|
|
wname['Unisys ' + $2] = wname['Unisys ' + $2].to_i + points
|
|
|
|
wvers[$2] = wvers[$2].to_i + points
|
|
|
|
whost[$1] = whost[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /.*OpenVMS V([^\s]+) /
|
|
|
|
# XXX
|
|
|
|
wname['OpenVMS ' + $1] = wname['OpenVMS ' + $1].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Hardware:.*Software: Windows NT Version ([^\s]+) /
|
|
|
|
wname['Microsoft Windows NT ' + $1] = wname['Microsoft Windows NT ' + $1].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Hardware:.*Software: Windows 2000 Version 5\.0/
|
|
|
|
wname['Microsoft Windows 2000'] = wname['Microsoft Windows 2000'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Hardware:.*Software: Windows 2000 Version 5\.1/
|
|
|
|
wname['Microsoft Windows XP'] = wname['Microsoft Windows XP'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when /^Hardware:.*Software: Windows Version 5\.2/
|
|
|
|
wname['Microsoft Windows 2003'] = wname['Microsoft Windows 2003'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
# XXX: TODO 2008, Vista, Windows 7
|
|
|
|
|
|
|
|
when /^Microsoft Windows CE Version ([^\s]+)+/
|
|
|
|
wname['Microsoft Windows CE ' + $1] = wname['Microsoft Windows CE ' + $1].to_i + points
|
|
|
|
wtype['client'] = wtype['client'].to_i + points
|
|
|
|
|
|
|
|
when /^IPSO ([^\s]+) ([^\s]+) /
|
|
|
|
whost[$1] = whost[$1].to_i + points
|
|
|
|
wname['Nokia IPSO ' + $2] = wname['Nokia IPSO ' + $2].to_i + points
|
|
|
|
wvers[$2] = wvers[$2].to_i + points
|
|
|
|
arch = get_arch_from_string(s.info)
|
|
|
|
warch[arch] = warch[arch].to_s + points if arch
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /^Sun StorEdge/
|
|
|
|
wname['Sun StorEdge'] = wname['Sun StorEdge'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /^HP StorageWorks/
|
|
|
|
wname['HP StorageWorks'] = wname['HP StorageWorks'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /^Network Storage/
|
|
|
|
# XXX
|
|
|
|
wname['Network Storage Router'] = wname['Network Storage Router'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /Cisco Internetwork Operating System.*Version ([^\s]+)/
|
|
|
|
vers = $1.split(/[,^\s]/)[0]
|
|
|
|
wname['Cisco IOS ' + vers] = wname['Cisco IOS ' + vers].to_i + points
|
|
|
|
wvers[vers] = wvers[vers].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /Cisco Catalyst.*Version ([^\s]+)/
|
|
|
|
vers = $1.split(/[,^\s]/)[0]
|
|
|
|
wname['Cisco CatOS ' + vers] = wname['Cisco CatOS ' + vers].to_i + points
|
|
|
|
wvers[vers] = wvers[vers].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /Cisco 761.*Version ([^\s]+)/
|
|
|
|
vers = $1.split(/[,^\s]/)[0]
|
|
|
|
wname['Cisco 761 ' + vers] = wname['Cisco 761 ' + vers].to_i + points
|
|
|
|
wvers[vers] = wvers[vers].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /Network Analysis Module.*Version ([^\s]+)/
|
|
|
|
vers = $1.split(/[,^\s]/)[0]
|
|
|
|
wname['Cisco NAM ' + vers] = wname['Cisco NAM ' + vers].to_i + points
|
|
|
|
wvers[vers] = wvers[vers].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /VPN 3000 Concentrator Series Version ([^\s]+)/
|
|
|
|
vers = $1.split(/[,^\s]/)[0]
|
|
|
|
wname['Cisco VPN 3000 ' + vers] = wname['Cisco VPN 3000 ' + vers].to_i + points
|
|
|
|
wvers[vers] = wvers[vers].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /ProCurve.*Switch/
|
|
|
|
wname['3Com ProCurve Switch'] = wname['3Com ProCurve Switch'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /ProCurve.*Access Point/
|
|
|
|
wname['3Com Access Point'] = wname['3Com Access Point'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /3Com.*Access Point/i
|
|
|
|
wname['3Com Access Point'] = wname['3Com Access Point'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /ShoreGear/
|
|
|
|
wname['ShoreTel Appliance'] = wname['ShoreTel Appliance'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /firewall/i
|
|
|
|
wname['Unknown Firewall'] = wname['Unknown Firewall'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /phone/i
|
|
|
|
wname['Unknown Phone'] = wname['Unknown Phone'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /router/i
|
|
|
|
wname['Unknown Router'] = wname['Unknown Router'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
|
|
|
|
when /switch/i
|
|
|
|
wname['Unknown Switch'] = wname['Unknown Switch'].to_i + points
|
|
|
|
wtype['device'] = wtype['device'].to_i + points
|
|
|
|
#
|
|
|
|
# Printer Signatures
|
|
|
|
#
|
|
|
|
when /^HP ETHERNET MULTI-ENVIRONMENT/
|
|
|
|
wname['HP Printer'] = wname['HP Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Canon/i
|
|
|
|
wname['Canon Printer'] = wname['Canon Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Epson/i
|
|
|
|
wname['Epson Printer'] = wname['Epson Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /ExtendNet/i
|
|
|
|
wname['ExtendNet Printer'] = wname['ExtendNet Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Fiery/i
|
|
|
|
wname['Fiery Printer'] = wname['Fiery Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Konica/i
|
|
|
|
wname['Konica Printer'] = wname['Konica Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Lanier/i
|
|
|
|
wname['Lanier Printer'] = wname['Lanier Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Lantronix/i
|
|
|
|
wname['Lantronix Printer'] = wname['Lantronix Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Lexmark/i
|
|
|
|
wname['Lexmark Printer'] = wname['Lexmark Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Magicolor/i
|
|
|
|
wname['Magicolor Printer'] = wname['Magicolor Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Minolta/i
|
|
|
|
wname['Minolta Printer'] = wname['Minolta Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /NetJET/i
|
|
|
|
wname['NetJET Printer'] = wname['NetJET Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /OKILAN/i
|
|
|
|
wname['OKILAN Printer'] = wname['OKILAN Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Phaser/i
|
|
|
|
wname['Phaser Printer'] = wname['Phaser Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /PocketPro/i
|
|
|
|
wname['PocketPro Printer'] = wname['PocketPro Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Ricoh/i
|
|
|
|
wname['Ricoh Printer'] = wname['Ricoh Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Savin/i
|
|
|
|
wname['Savin Printer'] = wname['Savin Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /SHARP AR/i
|
|
|
|
wname['SHARP Printer'] = wname['SHARP Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Star Micronix/i
|
|
|
|
wname['Star Micronix Printer'] = wname['Star Micronix Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Source Tech/i
|
|
|
|
wname['Source Tech Printer'] = wname['Source Tech Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Xerox/i
|
|
|
|
wname['Xerox Printer'] = wname['Xerox Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /^Brother/i
|
|
|
|
wname['Brother Printer'] = wname['Brother Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /^Axis.*Network Print/i
|
|
|
|
wname['Axis Printer'] = wname['Axis Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /^Prestige/i
|
|
|
|
wname['Prestige Printer'] = wname['Prestige Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /^ZebraNet/i
|
|
|
|
wname['ZebraNet Printer'] = wname['ZebraNet Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /e\-STUDIO/i
|
|
|
|
wname['eStudio Printer'] = wname['eStudio Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /^Gestetner/i
|
|
|
|
wname['Gestetner Printer'] = wname['Gestetner Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /IBM.*Print/i
|
|
|
|
wname['IBM Printer'] = wname['IBM Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /HP (Color|LaserJet|InkJet)/i
|
|
|
|
wname['HP Printer'] = wname['HP Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Dell (Color|Laser|Ink)/i
|
|
|
|
wname['Dell Printer'] = wname['Dell Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
when /Print/i
|
|
|
|
wname['Unknown Printer'] = wname['Unknown Printer'].to_i + points
|
|
|
|
wtype['printer'] = wtype['printer'].to_i + points
|
|
|
|
end # End of s.info for SNMP
|
|
|
|
|
|
|
|
when 'telnet'
|
|
|
|
points = 105
|
|
|
|
case s.info
|
|
|
|
when /IRIX/
|
|
|
|
wname['SGI IRIX'] = wname['SGI IRIX'].to_i + points
|
|
|
|
when /AIX/
|
|
|
|
wname['IBM AIX'] = wname['IBM AIX'].to_i + points
|
|
|
|
when /(FreeBSD|OpenBSD|NetBSD)\/(.*) /
|
|
|
|
wname[$1] = wname[$1].to_i + points
|
|
|
|
arch = get_arch_from_string($2)
|
|
|
|
warch[arch] = warch[arch].to_i + points
|
|
|
|
when /Ubuntu (\d+(\.\d+)+)/
|
|
|
|
wname['Linux'] = wname['Linux'].to_i + points
|
|
|
|
wflav['Ubuntu'] = wflav['Ubuntu'].to_i + points
|
|
|
|
wvers[$1] = wvers[$1].to_i + points
|
|
|
|
when /User Access Verification/
|
|
|
|
wname['Cisco IOS'] = wname['Cisco IOS'].to_i + points
|
|
|
|
when /Microsoft/
|
|
|
|
wname['Microsoft Windows'] = wname['Microsoft Windows'].to_i + points
|
|
|
|
end # End of s.info for TELNET
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
|
|
|
|
when 'smtp'
|
|
|
|
points = 103
|
|
|
|
case s.info
|
|
|
|
when /ESMTP.*SGI\.8/
|
|
|
|
wname['SGI IRIX'] = wname['SGI IRIX'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
end # End of s.info for SMTP
|
|
|
|
|
|
|
|
when 'netbios'
|
|
|
|
points = 201
|
|
|
|
case s.info
|
|
|
|
when /W2K3/i
|
|
|
|
wname['Microsoft Windows 2003'] = wname['Microsoft Windows 2003'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
when /W2K8/i
|
|
|
|
wname['Microsoft Windows 2008'] = wname['Microsoft Windows 2008'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
end # End of s.info for NETBIOS
|
|
|
|
|
|
|
|
when 'dns'
|
|
|
|
points = 101
|
|
|
|
case s.info
|
|
|
|
when 'Microsoft DNS'
|
|
|
|
wname['Microsoft Windows'] = wname['Microsoft Windows'].to_i + points
|
|
|
|
wtype['server'] = wtype['server'].to_i + points
|
|
|
|
end # End of s.info for DNS
|
|
|
|
end # End of s.name case
|
|
|
|
# End of Services
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Report the best match here
|
|
|
|
#
|
|
|
|
best_match = {}
|
|
|
|
best_match[:os_name] = wname.keys.sort{|a,b| wname[b] <=> wname[a]}[0]
|
|
|
|
best_match[:purpose] = wtype.keys.sort{|a,b| wtype[b] <=> wtype[a]}[0]
|
|
|
|
best_match[:os_flavor] = wflav.keys.sort{|a,b| wflav[b] <=> wflav[a]}[0]
|
|
|
|
best_match[:os_sp] = wvers.keys.sort{|a,b| wvers[b] <=> wvers[a]}[0]
|
|
|
|
best_match[:arch] = warch.keys.sort{|a,b| warch[b] <=> warch[a]}[0]
|
|
|
|
best_match[:name] = whost.keys.sort{|a,b| whost[b] <=> whost[a]}[0]
|
|
|
|
best_match[:os_lang] = wlang.keys.sort{|a,b| wlang[b] <=> wlang[a]}[0]
|
|
|
|
|
|
|
|
best_match[:os_flavor] ||= ""
|
|
|
|
if best_match[:os_name]
|
|
|
|
# Handle cases where the flavor contains the base name
|
2011-04-13 01:48:37 +00:00
|
|
|
# Don't use gsub!() here because the string was a hash key in a
|
|
|
|
# previously life and gets frozen on 1.9.1, see #4128
|
|
|
|
best_match[:os_flavor] = best_match[:os_flavor].gsub(best_match[:os_name], '')
|
2011-04-07 21:59:32 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
best_match[:os_name] ||= 'Unknown'
|
|
|
|
best_match[:purpose] ||= 'device'
|
|
|
|
|
|
|
|
[:os_name, :purpose, :os_flavor, :os_sp, :arch, :name, :os_lang].each do |host_attr|
|
|
|
|
next if host.attribute_locked? host_attr
|
|
|
|
if best_match[host_attr]
|
|
|
|
host[host_attr] = Rex::Text.ascii_safe_hex(best_match[host_attr])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
host.save!
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
|
|
|
#
|
|
|
|
# Convert a host.os.*_fingerprint Note into a hash containing the standard os_* fields
|
|
|
|
#
|
|
|
|
# Also includes a :certainty which is a float from 0 - 1.00 indicating the
|
|
|
|
# scanner's confidence in its fingerprint. If the particular scanner does
|
|
|
|
# not provide such information, defaults to 0.80.
|
|
|
|
#
|
|
|
|
def normalize_scanner_fp(fp)
|
|
|
|
return {} if not validate_fingerprint_data(fp)
|
|
|
|
ret = {}
|
|
|
|
data = fp.data
|
|
|
|
case fp.ntype
|
|
|
|
when 'host.os.session_fingerprint'
|
|
|
|
# These come from meterpreter sessions' client.sys.config.sysinfo
|
2011-04-11 23:15:05 +00:00
|
|
|
case data[:os]
|
|
|
|
when /Windows/
|
2011-04-07 21:59:32 +00:00
|
|
|
ret.update(parse_windows_os_str(data[:os]))
|
2011-04-11 23:15:05 +00:00
|
|
|
when /Linux ([^[:space:]]*) ([^[:space:]]*) .* (\(.*\))/
|
|
|
|
ret[:os_name] = "Linux"
|
|
|
|
ret[:name] = $1
|
|
|
|
ret[:os_sp] = $2
|
|
|
|
ret[:arch] = get_arch_from_string($3)
|
2011-04-07 21:59:32 +00:00
|
|
|
else
|
|
|
|
ret[:os_name] = data[:os]
|
|
|
|
end
|
|
|
|
ret[:arch] = data[:arch] if data[:arch]
|
|
|
|
|
|
|
|
when 'host.os.nmap_fingerprint'
|
|
|
|
# :os_vendor=>"Microsoft" :os_family=>"Windows" :os_version=>"2000" :os_accuracy=>"94"
|
|
|
|
#
|
|
|
|
# :os_match=>"Microsoft Windows Vista SP0 or SP1, Server 2008, or Windows 7 Ultimate (build 7000)"
|
|
|
|
# :os_vendor=>"Microsoft" :os_family=>"Windows" :os_version=>"7" :os_accuracy=>"100"
|
|
|
|
ret[:certainty] = data[:os_accuracy].to_f / 100.0
|
|
|
|
if (data[:os_vendor] == data[:os_family])
|
|
|
|
ret[:os_name] = data[:os_family]
|
|
|
|
else
|
|
|
|
ret[:os_name] = data[:os_vendor] + " " + data[:os_family]
|
|
|
|
end
|
2011-04-11 22:29:53 +00:00
|
|
|
ret[:os_flavor] = data[:os_version]
|
|
|
|
ret[:name] = data[:hostname] if data[:hostname]
|
2011-04-07 21:59:32 +00:00
|
|
|
|
|
|
|
when 'host.os.nexpose_fingerprint'
|
|
|
|
# :family=>"Windows" :certainty=>"0.85" :vendor=>"Microsoft" :product=>"Windows 7 Ultimate Edition"
|
|
|
|
# :family=>"Linux" :certainty=>"0.64" :vendor=>"Linux" :product=>"Linux"
|
|
|
|
# :family=>"Linux" :certainty=>"0.80" :vendor=>"Ubuntu" :product=>"Linux"
|
|
|
|
# :family=>"IOS" :certainty=>"0.80" :vendor=>"Cisco" :product=>"IOS"
|
|
|
|
# :family=>"embedded" :certainty=>"0.61" :vendor=>"Linksys" :product=>"embedded"
|
|
|
|
ret[:certainty] = data[:certainty].to_f
|
|
|
|
case data[:family]
|
|
|
|
when /AIX|ESX|Mac OS X|OpenSolaris|Solaris|IOS|Linux/
|
|
|
|
if data[:vendor] == data[:family]
|
|
|
|
ret[:os_name] = data[:vendor]
|
|
|
|
else
|
|
|
|
# family often contains the vendor string, so rip it out to
|
|
|
|
# avoid useless duplication
|
|
|
|
ret[:os_name] = data[:vendor] + " " + data[:family].gsub(data[:vendor], '').strip
|
|
|
|
end
|
|
|
|
when "Windows"
|
|
|
|
ret[:os_name] = "Microsoft Windows"
|
|
|
|
ret[:os_flavor] = data[:product].gsub("Windows", '').strip if data[:product]
|
2011-04-11 22:29:53 +00:00
|
|
|
ret[:os_sp] = data[:version] if data[:version]
|
2011-04-07 21:59:32 +00:00
|
|
|
when "embedded"
|
|
|
|
ret[:os_name] = data[:vendor]
|
|
|
|
else
|
|
|
|
ret[:os_name] = data[:vendor]
|
|
|
|
end
|
|
|
|
ret[:arch] = get_arch_from_string(data[:arch]) if data[:arch]
|
|
|
|
ret[:arch] ||= get_arch_from_string(data[:desc]) if data[:desc]
|
|
|
|
|
|
|
|
when 'host.os.retina_fingerprint'
|
|
|
|
# :os=>"Windows Server 2003 (X64), Service Pack 2"
|
|
|
|
case data[:os]
|
|
|
|
when /Windows/
|
|
|
|
ret.merge(parse_windows_os_str(data[:os]))
|
|
|
|
else
|
|
|
|
# No idea what this looks like if it isn't windows. Just store
|
|
|
|
# the whole thing and hope for the best. XXX: Ghetto. =/
|
|
|
|
ret[:os_name] = data[:os]
|
|
|
|
end
|
|
|
|
when 'host.os.nessus_fingerprint'
|
|
|
|
# :os=>"Microsoft Windows 2000 Advanced Server (English)"
|
|
|
|
# :os=>"Microsoft Windows 2000\nMicrosoft Windows XP"
|
|
|
|
# :os=>"Linux Kernel 2.6"
|
|
|
|
# :os=>"Sun Solaris 8"
|
|
|
|
# :os=>"IRIX 6.5"
|
|
|
|
|
|
|
|
# Nessus sometimes jams multiple OS names together with a newline.
|
|
|
|
oses = data[:os].split(/\n/)
|
|
|
|
if oses.length > 1
|
|
|
|
# Multiple fingerprints means Nessus wasn't really sure, reduce
|
|
|
|
# the certainty accordingly
|
|
|
|
ret[:certainty] = 0.5
|
|
|
|
else
|
|
|
|
ret[:certainty] = 0.8
|
|
|
|
end
|
|
|
|
|
|
|
|
# Since there is no confidence associated with them, the best we
|
|
|
|
# can do is just take the first one.
|
|
|
|
case oses.first
|
|
|
|
when /Windows/
|
2011-04-22 19:07:41 +00:00
|
|
|
ret.merge(parse_windows_os_str(data[:os]))
|
2011-04-11 22:29:53 +00:00
|
|
|
|
|
|
|
when /(2\.[46]\.\d+[-a-zA-Z0-9]+)/
|
|
|
|
# Linux kernel version
|
|
|
|
ret[:os_name] = "Linux"
|
|
|
|
ret[:os_sp] = $1
|
2011-04-07 21:59:32 +00:00
|
|
|
when /(.*)?((\d+\.)+\d+)$/
|
2011-04-11 22:29:53 +00:00
|
|
|
# Then we don't necessarily know what the os is, but this
|
|
|
|
# fingerprint has some version information at the end, pull it
|
|
|
|
# off.
|
|
|
|
# When Nessus doesn't know what kind of linux it has, it gives an os like
|
|
|
|
# "Linux Kernel 2.6"
|
|
|
|
# The "Kernel" string is useless, so cut it off.
|
2011-04-07 21:59:32 +00:00
|
|
|
ret[:os_name] = $1.gsub("Kernel", '').strip
|
|
|
|
ret[:os_sp] = $2
|
|
|
|
else
|
|
|
|
ret[:os_name] = oses.first
|
|
|
|
end
|
|
|
|
|
2011-04-11 22:29:53 +00:00
|
|
|
ret[:name] = data[:hname]
|
2011-04-07 21:59:32 +00:00
|
|
|
when 'host.os.qualys_fingerprint'
|
|
|
|
# :os=>"Microsoft Windows 2000"
|
|
|
|
# :os=>"Windows 2003"
|
|
|
|
# :os=>"Microsoft Windows XP Professional SP3"
|
|
|
|
# :os=>"Ubuntu Linux"
|
|
|
|
# :os=>"Cisco IOS 12.0(3)T3"
|
|
|
|
case data[:os]
|
|
|
|
when /Windows/
|
|
|
|
ret.merge(parse_windows_os_str(data[:os]))
|
|
|
|
else
|
|
|
|
parts = data[:os].split(/\s+/, 3)
|
|
|
|
ret[:os_name] = parts[0] + " " + parts[1]
|
|
|
|
ret[:os_sp] = parts[2] if parts[2]
|
|
|
|
end
|
|
|
|
# XXX: We should really be using smb_version's stored fingerprints
|
|
|
|
# instead of parsing the service info manually. Disable for now so we
|
|
|
|
# don't count smb twice.
|
|
|
|
#when 'smb.fingerprint'
|
|
|
|
# # smb_version is kind enough to store everything we need directly
|
|
|
|
# ret.merge(fp.data)
|
|
|
|
# # If it's windows, this should be a pretty high-confidence
|
|
|
|
# # fingerprint. Otherwise, it's samba which doesn't give us much of
|
|
|
|
# # anything in most cases.
|
|
|
|
# ret[:certainty] = 1.0 if fp.data[:os_name] =~ /Windows/
|
|
|
|
end
|
|
|
|
ret[:certainty] ||= 0.8
|
|
|
|
|
|
|
|
ret
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_windows_os_str(str)
|
|
|
|
ret = {}
|
|
|
|
|
|
|
|
ret[:os_name] = "Microsoft Windows"
|
|
|
|
ret[:arch] = get_arch_from_string(str)
|
|
|
|
if str =~ /(Service Pack|SP) ?(\d+)/
|
|
|
|
ret[:os_sp] = "SP#{$2}"
|
|
|
|
end
|
|
|
|
|
|
|
|
# Flavor
|
|
|
|
case str
|
|
|
|
when /(XP|2000|2003|Vista|7 .* Edition|7)/
|
|
|
|
ret[:os_flavor] = $1
|
|
|
|
else
|
|
|
|
# If we couldn't pull out anything specific for the flavor, just cut
|
|
|
|
# off the stuff we know for sure isn't it and hope for the best
|
|
|
|
ret[:os_flavor] ||= str.gsub(/(Microsoft )?Windows|(Service Pack|SP) ?(\d+)/, '').strip
|
|
|
|
end
|
|
|
|
|
|
|
|
if str =~ /NT|2003|2008|SBS|Server/
|
|
|
|
ret[:type] = 'server'
|
|
|
|
else
|
|
|
|
ret[:type] = 'client'
|
|
|
|
end
|
|
|
|
|
|
|
|
ret
|
|
|
|
end
|
|
|
|
|
|
|
|
# A case switch to return a normalized arch based on a given string.
|
|
|
|
def get_arch_from_string(str)
|
|
|
|
case str
|
|
|
|
when /x64|amd64|x86_64/i
|
|
|
|
"x64"
|
|
|
|
when /x86|i[3456]86/i
|
|
|
|
"x86"
|
|
|
|
when /PowerPC|PPC|POWER|ppc/
|
|
|
|
"ppc"
|
|
|
|
when /SPARC/i
|
|
|
|
"sparc"
|
|
|
|
when /MIPS/i
|
|
|
|
"mips"
|
|
|
|
when /ARM/i
|
|
|
|
"arm"
|
|
|
|
else
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2009-12-14 22:52:34 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
2009-12-29 23:48:45 +00:00
|
|
|
end
|