CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/lib/rex/parser/retina_xml.rb
Views: 1904
1
# -*- coding: binary -*-

2


3
module Rex

4
module Parser

5
# XXX - Retina XML does not include ANY service/port information export

6
class RetinaXMLStreamParser

7
  attr_accessor :on_found_host

8


9
  def initialize(on_found_host = nil)

10
    reset_state

11
    self.on_found_host = on_found_host if on_found_host

12
  end

13


14
  def reset_state

15
    @state = :generic_state

16
    @host  = { 'vulns' => [] }

17
    reset_audit_state

18
  end

19


20
  def reset_audit_state

21
    @audit = { 'refs' => [] }

22
  end

23


24
  def tag_start(name, attributes)

25
    @state = "in_#{name.downcase}".intern

26
  end

27


28
  def text(str)

29
    return if str.to_s.strip.empty?

30


31
    case @state

32
    when :in_ip

33
      @host["address"] = str

34
    when :in_dnsname

35
      @host["hostname"] = str.split(/\s+/).first

36
    when :in_netbiosname

37
      @host["netbios"] = str

38
    when :in_mac

39
      @host["mac"] = str.split(/\s+/).first

40
    when :in_os

41
      @host["os"] = str

42
    when :in_rthid

43
      @audit['refs'].push(['RETINA', str])

44
    when :in_cve

45
      str.split(",").each do |cve|

46
        cve = cve.to_s.strip

47
        next if cve.empty?

48
        pre,val = cve.split('-', 2)

49
        next if not val

50
        next if pre != "CVE"

51
        @audit['refs'].push( ['CVE', val] )

52
      end

53
    when :in_name

54
      @audit['name'] = str

55
    when :in_description

56
      @audit['description'] = str

57
    when :in_risk

58
      @audit['risk'] = str

59
    when :in_cce

60
      @audit['cce'] = str

61
    when :in_date

62
      @audit['data'] = str

63
    when :in_context

64
      @audit['proto'], @audit['port'] = str.split(/\s+/).first.split(':')

65
    end

66
  end

67


68
  def tag_end(name)

69
    case name

70
    when "host"

71
      on_found_host.call(@host) if on_found_host

72
      reset_state

73
    when "audit"

74
      @host['vulns'].push @audit

75
      reset_audit_state

76
    end

77
  end

78


79
  # We don't need these methods, but they're necessary to keep REXML happy

80
  def xmldecl(version, encoding, standalone); end

81
  def cdata; end

82
  def comment(str); end

83
  def instruction(name, instruction); end

84
  def attlist; end

85
end

86
end

87
end

88


89
=begin Old XML format

90
<scanJob>

91
  <hosts>

92
    <host>

93
      <ip>10.2.79.98</ip>

94
      <netBIOSName>bsmith-10156B07C</netBIOSName>

95
      <dnsName>bsmith-10156b07c.core.testcorp.com  random.testcorp.com</dnsName>

96
      <mac>00:02:29:0E:38:2B</mac>

97
      <os>Windows Server 2003 (X64), Service Pack 2</os>

98
      <audit>

99
        <rthID>7851</rthID>

100
        <cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>

101
        <cce>N/A</cce>

102
        <name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>

103
        <description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>

104
        <date>09/15/2010</date>

105
        <risk>Low</risk>

106
        <pciLevel>5 (Urgent)</pciLevel>

107
        <cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>

108
        <fixInformation>....</fixInformation>

109
      </audit>

110
    </host>

111
  </hosts>

112
</scanJob>

113
=end Old XML format

114


115
=begin New XML format

116
<?xml version="1.0" encoding="utf-8"?>

117
<scanJob>

118
  <hosts>

119
    <host>

120
      <ip>[redacted]</ip>

121
      <netBIOSName>[redacted]</netBIOSName>

122
      <dnsName>[redacted]</dnsName>

123
      <mac></mac>

124
      <os>[redacted]</os>

125
      <cpe>[redacted]</cpe>

126
      <audit>

127
        <cve>[redacted]</cve>

128
        <cce>N/A</cce>

129
        <name>TLS/SSL Weak Protocol Version Supported</name>

130
        <description>A targeted service that accepts connections for cryptographically weak SSL protocol versions (eg SSLv2, SSLv3, TLSv1.0) has been detected. Such protocols are known to have cryptographic weaknesses as well as other exploitable vulnerabilities.</description>

131
        <date>[redacted]</date>

132
        <risk>Medium</risk>

133
        <pciLevel>Medium</pciLevel>

134
        <pciReason>PCI DSS 4.1 - SSL Weakness</pciReason>

135
        <pciPassFail>Fail</pciPassFail>

136
        <cvssScore>4.3 [AV:N/AC:M/Au:N/C:P/I:N/A:N]</cvssScore>

137
        <cvssScoreV3>6.8 [AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N]</cvssScoreV3>

138
        <fixInformation>Ensure that applications or services are configured to reject SSLv3, SSLv2 and TLSv1.0 communications. Disabling weak protocols is a defense-in-depth measure against vulnerabilities that could allow SSL version downgrade attacks (e.g. CVE-2014-3566).</fixInformation>

139
        <exploit>No</exploit>

140
        <context>TCP:443 ([redacted]), SHA256[=][redacted], Serial[=][redacted]</context>

141
        <testedValue>Accepted SSL Method: (SSLv[23]|TLSv1(\.0)?)$</testedValue>

142
        <foundValue>[redacted]</foundValue>

143
        <cwe>CWE-310</cwe>

144
      </audit>

145
    </host>

146
  </hosts>

147
</scanJob>

148
=end New XML format

149


150