149 lines
4.4 KiB
Ruby
149 lines
4.4 KiB
Ruby
# -*- coding: binary -*-
|
|
|
|
module Rex
|
|
module Parser
|
|
# XXX - Retina XML does not include ANY service/port information export
|
|
class RetinaXMLStreamParser
|
|
attr_accessor :on_found_host
|
|
|
|
def initialize(on_found_host = nil)
|
|
reset_state
|
|
self.on_found_host = on_found_host if on_found_host
|
|
end
|
|
|
|
def reset_state
|
|
@state = :generic_state
|
|
@host = { 'vulns' => [] }
|
|
reset_audit_state
|
|
end
|
|
|
|
def reset_audit_state
|
|
@audit = { 'refs' => [] }
|
|
end
|
|
|
|
def tag_start(name, attributes)
|
|
@state = "in_#{name.downcase}".intern
|
|
end
|
|
|
|
def text(str)
|
|
return if str.to_s.strip.empty?
|
|
|
|
case @state
|
|
when :in_ip
|
|
@host["address"] = str
|
|
when :in_dnsname
|
|
@host["hostname"] = str.split(/\s+/).first
|
|
when :in_netbiosname
|
|
@host["netbios"] = str
|
|
when :in_mac
|
|
@host["mac"] = str.split(/\s+/).first
|
|
when :in_os
|
|
@host["os"] = str
|
|
when :in_rthid
|
|
@audit['refs'].push(['RETINA', str])
|
|
when :in_cve
|
|
str.split(",").each do |cve|
|
|
cve = cve.to_s.strip
|
|
next if cve.empty?
|
|
pre,val = cve.split('-', 2)
|
|
next if not val
|
|
next if pre != "CVE"
|
|
@audit['refs'].push( ['CVE', val] )
|
|
end
|
|
when :in_name
|
|
@audit['name'] = str
|
|
when :in_description
|
|
@audit['description'] = str
|
|
when :in_risk
|
|
@audit['risk'] = str
|
|
when :in_cce
|
|
@audit['cce'] = str
|
|
when :in_date
|
|
@audit['data'] = str
|
|
when :in_context
|
|
@audit['proto'], @audit['port'] = str.split(/\s+/).first.split(':')
|
|
end
|
|
end
|
|
|
|
def tag_end(name)
|
|
case name
|
|
when "host"
|
|
on_found_host.call(@host) if on_found_host
|
|
reset_state
|
|
when "audit"
|
|
@host['vulns'].push @audit
|
|
reset_audit_state
|
|
end
|
|
end
|
|
|
|
# We don't need these methods, but they're necessary to keep REXML happy
|
|
def xmldecl(version, encoding, standalone); end
|
|
def cdata; end
|
|
def comment(str); end
|
|
def instruction(name, instruction); end
|
|
def attlist; end
|
|
end
|
|
end
|
|
end
|
|
|
|
=begin Old XML format
|
|
<scanJob>
|
|
<hosts>
|
|
<host>
|
|
<ip>10.2.79.98</ip>
|
|
<netBIOSName>bsmith-10156B07C</netBIOSName>
|
|
<dnsName>bsmith-10156b07c.core.testcorp.com random.testcorp.com</dnsName>
|
|
<mac>00:02:29:0E:38:2B</mac>
|
|
<os>Windows Server 2003 (X64), Service Pack 2</os>
|
|
<audit>
|
|
<rthID>7851</rthID>
|
|
<cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>
|
|
<cce>N/A</cce>
|
|
<name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>
|
|
<description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>
|
|
<date>09/15/2010</date>
|
|
<risk>Low</risk>
|
|
<pciLevel>5 (Urgent)</pciLevel>
|
|
<cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>
|
|
<fixInformation>....</fixInformation>
|
|
</audit>
|
|
</host>
|
|
</hosts>
|
|
</scanJob>
|
|
=end Old XML format
|
|
|
|
=begin New XML format
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
<scanJob>
|
|
<hosts>
|
|
<host>
|
|
<ip>[redacted]</ip>
|
|
<netBIOSName>[redacted]</netBIOSName>
|
|
<dnsName>[redacted]</dnsName>
|
|
<mac></mac>
|
|
<os>[redacted]</os>
|
|
<cpe>[redacted]</cpe>
|
|
<audit>
|
|
<cve>[redacted]</cve>
|
|
<cce>N/A</cce>
|
|
<name>TLS/SSL Weak Protocol Version Supported</name>
|
|
<description>A targeted service that accepts connections for cryptographically weak SSL protocol versions (eg SSLv2, SSLv3, TLSv1.0) has been detected. Such protocols are known to have cryptographic weaknesses as well as other exploitable vulnerabilities.</description>
|
|
<date>[redacted]</date>
|
|
<risk>Medium</risk>
|
|
<pciLevel>Medium</pciLevel>
|
|
<pciReason>PCI DSS 4.1 - SSL Weakness</pciReason>
|
|
<pciPassFail>Fail</pciPassFail>
|
|
<cvssScore>4.3 [AV:N/AC:M/Au:N/C:P/I:N/A:N]</cvssScore>
|
|
<cvssScoreV3>6.8 [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N]</cvssScoreV3>
|
|
<fixInformation>Ensure that applications or services are configured to reject SSLv3, SSLv2 and TLSv1.0 communications. Disabling weak protocols is a defense-in-depth measure against vulnerabilities that could allow SSL version downgrade attacks (e.g. CVE-2014-3566).</fixInformation>
|
|
<exploit>No</exploit>
|
|
<context>TCP:443 ([redacted]), SHA256[=][redacted], Serial[=][redacted]</context>
|
|
<testedValue>Accepted SSL Method: (SSLv[23]|TLSv1(\.0)?)$</testedValue>
|
|
<foundValue>[redacted]</foundValue>
|
|
<cwe>CWE-310</cwe>
|
|
</audit>
|
|
</host>
|
|
</hosts>
|
|
</scanJob>
|
|
=end New XML format
|