From d5b710b9c7ad6ab5aa0629a66bfeabbff48d8f8f Mon Sep 17 00:00:00 2001
From: Aaron Manaloto
Date: Wed, 1 Sep 2021 15:19:26 +0800
Subject: [PATCH 1/3] Add report_host fields to evidence
---
 CHANGELOG.md | 4 +
 lib/dradis/plugins/nessus/importer.rb | 2 +-
 templates/evidence.fields | 10 ++-
 templates/evidence.sample | 109 ++++++++++++++------
 templates/evidence.template | 16 +++-
 5 files changed, 88 insertions(+), 53 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3252af..5829d4e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Dradis Framework 4.0.1 (XXX, 2021) ##
+
+* Add report_host fields to evidence
+
 ## Dradis Framework 4.0.0 (July, 2021) ##
 * Add age_of_vuln, exploit_code_maturity, threat_intensity_last_28
diff --git a/lib/dradis/plugins/nessus/importer.rb b/lib/dradis/plugins/nessus/importer.rb
index c51734f..e6e00c1 100644
--- a/lib/dradis/plugins/nessus/importer.rb
+++ b/lib/dradis/plugins/nessus/importer.rb
@@ -130,7 +130,7 @@ def process_report_item(xml_host, host_node, xml_report_item)
 port_info += xml_report_item.attributes['port'].value
 logger.info{ "\t\t\t => Adding reference to this host" }
- evidence_content = template_service.process_template(template: 'evidence', data: xml_report_item)
+ evidence_content = template_service.process_template(template: 'evidence', data: xml_host)
 content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
diff --git a/templates/evidence.fields b/templates/evidence.fields
index 05e9755..201c28a 100644
--- a/templates/evidence.fields
+++ b/templates/evidence.fields
@@ -14,4 +14,12 @@ evidence.port
 evidence.protocol
 evidence.svc_name
 evidence.severity
-report_item.plugin_name
+evidence.plugin_name
+evidence.name
+evidence.ip
+evidence.fqdn
+evidence.operating_system
+evidence.mac_address
+evidence.netbios_name
+evidence.scan_start_time
+evidence.scan_stop_time
diff --git a/templates/evidence.sample b/templates/evidence.sample
index fa2eae2..12959f6 100644
--- a/templates/evidence.sample
+++ b/templates/evidence.sample
@@ -1,53 +1,64 @@ - + + + 10.0.0.1 + dc1.localdomain + Windows Server 2008 + 00:01:02:03:04:05 + DC1 + Tue Aug 9 09:59:24 2011 + Tue Aug 9 09:50:18 2011 + + - Exploits are available - 2002/06/19 - true - true - CVSS2#E:F/RL:OF/RC:C - true - Upgrade to Apache web server version 1.3.26 or 2.0.39 or newer. - 6.2 - High - The remote Apache web server is affected by the Apache web server chunk handling vulnerability. + Exploits are available + 2002/06/19 + true + true + CVSS2#E:F/RL:OF/RC:C + true + Upgrade to Apache web server version 1.3.26 or 2.0.39 or newer. + 6.2 + High + The remote Apache web server is affected by the Apache web server chunk handling vulnerability. -If safe checks are enabled, this may be a false positive since it is based on the version of Apache. Although unpatched Apache versions -1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36 are affected, the remote server may be running a patched version of Apache. + If safe checks are enabled, this may be a false positive since it is based on the version of Apache. Although unpatched Apache versions + 1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36 are affected, the remote server may be running a patched version of Apache. - 2002/06/17 - Apache Win32 Chunked Encoding - CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P - The remote web server is vulnerable to a remote code execution attack. - remote - http://httpd.apache.org/info/security_bulletin_20020617.txt - http://httpd.apache.org/info/security_bulletin_20020620.txt - true - 2011/03/08 - 7.5 - CANVAS - CVE-2002-0392 - 5033 - IAVA:2002-a-0003 - OSVDB:838 - $Revision: 1.45 $ - Fake output (for Plugin Manager testing purposes) + 2002/06/17 + Apache Win32 Chunked Encoding + CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P + The remote web server is vulnerable to a remote code execution attack. 
+ remote + http://httpd.apache.org/info/security_bulletin_20020617.txt + http://httpd.apache.org/info/security_bulletin_20020620.txt + true + 2011/03/08 + 7.5 + CANVAS + CVE-2002-0392 + 5033 + IAVA:2002-a-0003 + OSVDB:838 + $Revision: 1.45 $ + Fake output (for Plugin Manager testing purposes) - 0 - CIS_MS_Windows_8_Level_1_v1.0.0.audit - 1aca1416734d72f4352467605412ee96 - 1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)' - This policy setting determines the number of failed logon attempts before a lock occurs. - 5 - PCI|8.5.13,CCE|CCE-21671-3,Level|1S,800-53|AC-1 - FAILED - https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf - Make sure 'Account lockout threshold' is set to 5 invalid attempts. - + 0 + CIS_MS_Windows_8_Level_1_v1.0.0.audit + 1aca1416734d72f4352467605412ee96 + 1.1.1.1 Set 'Account lockout threshold' to '5 invalid logon attempt(s)' + This policy setting determines the number of failed logon attempts before a lock occurs. + 5 + PCI|8.5.13,CCE|CCE-21671-3,Level|1S,800-53|AC-1 + FAILED + https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf + Make sure 'Account lockout threshold' is set to 5 invalid attempts. + + diff --git a/templates/evidence.template b/templates/evidence.template index d158e88..846048b 100644 --- a/templates/evidence.template +++ b/templates/evidence.template @@ -1,5 +1,17 @@ -#[Location]# +#[Port]# %evidence.protocol%/%evidence.port% +#[IP]# +%evidence.ip% + +#[FQDN]# +%evidence.fqdn% + +#[RDNS]# +%evidence.rdns% + +#[Netbios]# +%evidence.netbios% + #[Output]# -bc.. %evidence.plugin_output% \ No newline at end of file +bc.. %evidence.plugin_output% From a582f28ef5ab06917434ae3dec21ed15c1b7b01a Mon Sep 17 00:00:00 2001 
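Review bot: Renaming the `#[Location]#` field to `#[Port]#` changes the name of an evidence field that existing projects already store, so report templates and exports that look up `Location` will stop finding it after an upgrade, while the CHANGELOG entry (`* Add report_host fields to evidence`) only describes the additions. Either keep `#[Location]#` as the heading for `%evidence.protocol%/%evidence.port%` or add a changelog line such as `* Rename the evidence Location field to Port (update report templates that reference Location)`. The same consideration applies to anything downstream that reads `report_item.plugin_name`, which evidence.fields now lists as `evidence.plugin_name`.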
From: Aaron Manaloto
Date: Wed, 1 Sep 2021 16:13:37 +0800
Subject: [PATCH 2/3] Use ReportItem inside the Host to access the fields
---
 lib/dradis/plugins/nessus/importer.rb | 7 ++++++-
 lib/nessus/host.rb | 7 +++++--
 lib/nessus/report_item.rb | 14 +++++++-------
 templates/evidence.template | 5 +----
 4 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/lib/dradis/plugins/nessus/importer.rb b/lib/dradis/plugins/nessus/importer.rb
index e6e00c1..8557396 100644
--- a/lib/dradis/plugins/nessus/importer.rb
+++ b/lib/dradis/plugins/nessus/importer.rb
@@ -130,7 +130,12 @@ def process_report_item(xml_host, host_node, xml_report_item)
 port_info += xml_report_item.attributes['port'].value
 logger.info{ "\t\t\t => Adding reference to this host" }
- evidence_content = template_service.process_template(template: 'evidence', data: xml_host)
+
+ # Remove all ReportItems in the XML but only add the relevant item
+ xml_host_dup = xml_host.dup
+ xml_host_dup.xpath('./ReportItem').remove
+ xml_host_dup.xpath('./HostProperties').after(xml_report_item)
+ evidence_content = template_service.process_template(template: 'evidence', data: xml_host_dup)
 content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
diff --git a/lib/nessus/host.rb b/lib/nessus/host.rb
index 6a937a0..b0ea29b 100644
--- a/lib/nessus/host.rb
+++ b/lib/nessus/host.rb
@@ -11,6 +11,7 @@ class Host
 # Accepts an XML node from Nokogiri::XML.
 def initialize(xml_node)
 @xml = xml_node
+ @report_item = report_items.first
 end
 # List of supported tags. They are all desdendents of the ./HostProperties
@@ -35,7 +36,7 @@ def report_items
 # This allows external callers (and specs) to check for implemented
 # properties
 def respond_to?(method, include_private=false)
- return true if supported_tags.include?(method.to_sym)
+ return true if supported_tags.include?(method.to_sym) || @report_item.respond_to?(method)
 super
 end
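Review bot: `xml_host_dup.xpath('./HostProperties').after(xml_report_item)` moves the ReportItem instead of copying it: Nokogiri's `after`/`add_next_sibling` reparents an existing node, so from this line on `xml_report_item` is detached from the original `xml_host`, and any later code that walks the real host's `ReportItem` children (the rest of `process_report_item` and its caller are outside the hunk) will no longer see it. Inserting a copy keeps the parsed document intact: `xml_host_dup.xpath('./HostProperties').after(xml_report_item.dup)`. Two smaller points: `NodeSet#after` delegates to `last`, so a `ReportHost` without a `HostProperties` element would raise `NoMethodError` on `nil` here, which `xml_host_dup.add_child(xml_report_item.dup)` avoids if `Host#report_items` selects by `./ReportItem` regardless of position; and `xml_host.dup` deep-copies every ReportItem of the host only to unlink them on the next line, so a host with many findings pays a full copy per finding, where a shallow copy (`xml_host.dup(0)`) plus a copy of the `HostProperties` child would be cheaper, assuming `Host` reads nothing else from the node.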
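Review bot: `@report_item = report_items.first` in `initialize` makes every `Host` answer ReportItem queries with whichever `ReportItem` happens to come first in the XML, which is only meaningful for the single-item copy the importer builds; a `Host` wrapped around an unmodified `ReportHost` returns the first finding's `plugin_output` with no hint that a choice was made, and a host with no `ReportItem` leaves it `nil`, for which `nil.respond_to?` still answers true for `NilClass` methods (`to_a`, `to_s`), so the `respond_to?` override in this hunk and the `method_missing` guard in the next file hunk would then delegate those to `nil`. A comment on the assignment would make the intent explicit, e.g. `# The first ReportItem's fields are reachable through the Host; meaningful only when the caller has reduced the host to a single ReportItem`. Guarding the delegation on presence is a one-line change: `return true if supported_tags.include?(method.to_sym) || (@report_item && @report_item.respond_to?(method))`, with the same `@report_item &&` added to the two checks in `method_missing`.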
@@ -49,7 +50,7 @@ def method_missing(method, *args)
 # The problem would be that it would make tricky to debug problems with
 # typos. For instance: <>.potr would return nil instead of raising an
 # exception
- unless supported_tags.include?(method)
+ unless supported_tags.include?(method) || @report_item.respond_to?(method)
 super
 return
 end
@@ -59,6 +60,8 @@ def method_missing(method, *args)
 method_name = translations_table.fetch(method, method.to_s)
 return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+ # return the report_item field if it's a report_item method
+ return @report_item.send(method_name) if @report_item.respond_to?(method_name)
 # translation of Host properties
 translations_table = {
diff --git a/lib/nessus/report_item.rb b/lib/nessus/report_item.rb
index 83ffd9d..058739a 100644
--- a/lib/nessus/report_item.rb
+++ b/lib/nessus/report_item.rb
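Review bot: The new `return @report_item.send(method_name) if @report_item.respond_to?(method_name)` sits before the `HostProperties` lookup, so a tag name present in both `Host#supported_tags` and `ReportItem#supported_tags` would resolve to the ReportItem silently; the visible lists do not overlap today, but the precedence deserves a comment such as `# ReportItem fields are resolved before HostProperties tags; a name in both lists yields the ReportItem value`. It also delegates with `method_name`, which has already passed through `translations_table.fetch`, whereas the guard in the previous hunk tests the untranslated `method`, so a Host-side translation that happens to map onto a ReportItem name would be accepted by the guard but delegated under a different string; testing the same value in both places (`@report_item.respond_to?(method)` and `@report_item.public_send(method)`) avoids the mismatch, and `public_send` also keeps the proxy from reaching `ReportItem`'s private methods. `method_missing` continues beyond the hunk.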
@@ -19,15 +19,15 @@ def initialize(xml_node) def supported_tags [ # attributes - :plugin_family, :plugin_id, :plugin_name, :port, :protocol, :svc_name, :severity, + :plugin_family, :plugin_id, :plugin_name, :port, :protocol, :svc_name, :severity, # simple tags - :age_of_vuln, :cvss3_base_score, :cvss3_temporal_score, :cvss3_temporal_vector, + :age_of_vuln, :cvss3_base_score, :cvss3_temporal_score, :cvss3_temporal_vector, :cvss3_vector, :cvss_base_score, :cvss_temporal_score, :cvss_temporal_vector, :cvss_vector, - :description, :exploit_available, :exploit_code_maturity, :exploit_framework_canvas, + :description, :exploit_available, :exploit_code_maturity, :exploit_framework_canvas, :exploit_framework_core, :exploitability_ease, :exploit_framework_metasploit, :metasploit_name, :patch_publication_date, :plugin_modification_date, :plugin_output, - :plugin_publication_date, :plugin_version, :risk_factor, :solution, :synopsis, - :threat_intensity_last_28, :threat_recency, :threat_sources_last_28, :vpr_score, + :plugin_publication_date, :plugin_version, :risk_factor, :solution, :synopsis, + :threat_intensity_last_28, :threat_recency, :threat_sources_last_28, :vpr_score, :vuln_publication_date, # multiple tags :bid_entries, :cve_entries, :see_also_entries, :xref_entries, @@ -52,7 +52,7 @@ def respond_to?(method, include_private=false) # attribute, simple descendent or collection that it maps to in the XML # tree. def method_missing(method, *args) - + # We could remove this check and return nil for any non-recognized tag. # The problem would be that it would make tricky to debug problems with # typos. For instance: <>.potr would return nil instead of raising an @@ -116,4 +116,4 @@ def method_missing(method, *args) end end end -end \ No newline at end of file +end diff --git a/templates/evidence.template b/templates/evidence.template index 846048b..c31da48 100644 --- a/templates/evidence.template +++ b/templates/evidence.template 
@@ -7,11 +7,8 @@
 #[FQDN]#
 %evidence.fqdn%
-#[RDNS]#
-%evidence.rdns%
-
 #[Netbios]#
-%evidence.netbios%
+%evidence.netbios_name%
 #[Output]#
 bc.. %evidence.plugin_output%
From b0b510c576c4f17c26fe3dd8cc42669a0b505675 Mon Sep 17 00:00:00 2001
From: Aaron Manaloto
Date: Fri, 3 Sep 2021 17:21:26 +0800
Subject: [PATCH 3/3] Bump minor version
---
 CHANGELOG.md | 2 +-
 lib/dradis/plugins/nessus/gem_version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5829d4e..0be4930 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Dradis Framework 4.0.1 (XXX, 2021) ##
+## Dradis Framework 4.1.0 (XXX, 2021) ##
 * Add report_host fields to evidence
diff --git a/lib/dradis/plugins/nessus/gem_version.rb b/lib/dradis/plugins/nessus/gem_version.rb
index dc316c5..d0a322e 100644
--- a/lib/dradis/plugins/nessus/gem_version.rb
+++ b/lib/dradis/plugins/nessus/gem_version.rb
@@ -8,7 +8,7 @@ def self.gem_version
 module VERSION
 MAJOR = 4
- MINOR = 0
+ MINOR = 1
 TINY = 0
 PRE = nil