intrigueio / intrigue-ident

Application and Service Fingerprinting
https://core.intrigue.io

Integrate Recog for additional fingerprints #39

Closed jcran closed 4 years ago

jcran commented 4 years ago

Integrates and runs Rapid7's pattern-matching lib "Recog" (https://github.com/rapid7/recog) as part of the normal Ident run. Only HTTP Cookies and Server Headers are currently supported, but this lays the groundwork to support other network services - which is where the true benefit is.

An example, requesting a page and returning the fingerprints. I considered keeping the results separate, but having them under the returned 'fingerprint' attribute can give us vulnerability version-based inference with no additional work - provided the checks are specific enough and handle backporting (which is a tall order). We shall see.

puts JSON.pretty_generate(generate_http_requests_and_check("https://www.test.com")["fingerprint"])
[
  {
    "method": "ident",
    "type": "fingerprint",
    "vendor": "Nginx",
    "product": "Nginx",
    "version": "",
    "update": "",
    "tags": [
      "Web Server"
    ],
    "match_type": "content_headers",
    "match_details": "Nginx (no version)",
    "hide": false,
    "cpe": "cpe:2.3:a:nginx:nginx::",
    "issue": null,
    "task": null,
    "inference": false
  },
  {
    "method": "ident",
    "type": "fingerprint",
    "vendor": "Google",
    "product": "Tag Manager",
    "version": "",
    "update": "",
    "tags": [
      "Marketing",
      "Javascript"
    ],
    "match_type": "content_body",
    "match_details": "js load string",
    "hide": false,
    "cpe": "cpe:2.3:a:google:tag_manager::",
    "issue": null,
    "task": null,
    "inference": false
  },
  {
    "method": "ident",
    "type": "fingerprint",
    "vendor": "Bootstrap",
    "product": "Bootstrap",
    "version": "",
    "update": "",
    "tags": [
      "Web Framework"
    ],
    "match_type": "content_body",
    "match_details": "boostrap css",
    "hide": false,
    "cpe": "cpe:2.3:a:bootstrap:bootstrap::",
    "issue": null,
    "task": null,
    "inference": false
  },
  {
    "method": "recog",
    "vendor": "nginx",
    "product": "nginx",
    "version": null,
    "cpe": "cpe:/a:nginx:nginx:-",
    "match_details": "nginx without version info (Recog: http_header.server)",
    "inference": false,
    "hide": false,
    "issue": null
  },
  {
    "method": "recog",
    "vendor": "nginx",
    "product": "nginx",
    "version": null,
    "cpe": "cpe:/a:nginx:nginx:-",
    "match_details": "nginx with version info and/or mods (Recog: http_header.server)",
    "inference": false,
    "hide": false,
    "issue": null
  }
]
=> nil
jcran commented 4 years ago

Note that this is integrated by default and there may need to be some additional normalization of fingerprints in the future. See below for an example - Recog checks are called out in the match details:

Fingerprint:
 - Cloudflare Cloudflare   - cloudflare cookie (CPE: cpe:2.3:s:cloudflare:cloudflare::) (Tags: ["CDN", "WAF"]) (Hide: false)
 - Cloudflare Cloudflare   - header (CPE: cpe:2.3:s:cloudflare:cloudflare::) (Tags: ["CDN", "WAF"]) (Hide: false)
 - Cloudflare Cloudflare   - server header (CPE: cpe:2.3:s:cloudflare:cloudflare::) (Tags: ["CDN", "WAF"]) (Hide: false)
 - Cloudflare Cloudflare   - ct header pointed to cloudflare (CPE: cpe:2.3:s:cloudflare:cloudflare::) (Tags: ["CDN", "WAF"]) (Hide: false)
 - Webflow Webflow   - body string (CPE: cpe:2.3:s:webflow:webflow::) (Tags: ["CMS", "SaaS"]) (Hide: false)
 - CloudFlare CloudFlare Load Balancer   - CloudFlare web load balancer endpoint (Recog: http_header.server) (CPE: ) (Tags: ) (Hide: false)
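An added example, not code from intrigue-ident or from Recog, sketching in self-contained Ruby what the integration described in the two comments above does. It loads fingerprints written in Recog's XML format (the two small databases below are constructed for this example; the real ones live in the xml/ directory of rapid7/recog), matches an HTTP Server header and Set-Cookie values against them, emits hashes shaped like the `"method": "recog"` entries in the first comment, and converts Recog's CPE 2.2 URI (`cpe:/a:nginx:nginx:-`) into the `cpe:2.3:` string that Ident's own checks emit, which is the kind of normalization the second comment says may be needed. The function names, the sample headers and the `dedupe_fingerprints` helper are all assumptions made for this example.

```ruby
require 'rexml/document'
require 'json'

Fingerprint = Struct.new(:regex, :description, :params)

# Parse a Recog-format XML database into [match_key, [Fingerprint, ...]].
# pos="0" params carry a fixed value; pos>0 params take that capture group.
def load_recog_db(xml)
  doc = REXML::Document.new(xml)
  match_key = doc.root.attributes['matches']
  fps = doc.root.elements.to_a('fingerprint').map do |el|
    flags = el.attributes['flags'].to_s.include?('REG_ICASE') ? Regexp::IGNORECASE : 0
    params = el.elements.to_a('param').map do |p|
      { pos: p.attributes['pos'].to_i, name: p.attributes['name'], value: p.attributes['value'] }
    end
    Fingerprint.new(Regexp.new(el.attributes['pattern'], flags),
                    el.elements['description'].text.strip, params)
  end
  [match_key, fps]
end

# Constructed fingerprint DBs in Recog's XML format (not the real rapid7/recog entries).
SERVER_XML = <<~'XML'
  <fingerprints matches="http_header.server" protocol="http" database_type="service">
    <fingerprint pattern="^nginx(?:/(\S+))?">
      <description>nginx with version info and/or mods</description>
      <param pos="0" name="service.vendor" value="nginx"/>
      <param pos="0" name="service.product" value="nginx"/>
      <param pos="1" name="service.version"/>
      <param pos="0" name="service.cpe23" value="cpe:/a:nginx:nginx:{service.version}"/>
    </fingerprint>
    <fingerprint pattern="^nginx$">
      <description>nginx without version info</description>
      <param pos="0" name="service.vendor" value="nginx"/>
      <param pos="0" name="service.product" value="nginx"/>
      <param pos="0" name="service.cpe23" value="cpe:/a:nginx:nginx:-"/>
    </fingerprint>
    <fingerprint pattern="^cloudflare$">
      <description>CloudFlare web load balancer endpoint</description>
      <param pos="0" name="service.vendor" value="CloudFlare"/>
      <param pos="0" name="service.product" value="Load Balancer"/>
    </fingerprint>
  </fingerprints>
XML

COOKIE_XML = <<~'XML'
  <fingerprints matches="http_cookie" protocol="http" database_type="service">
    <fingerprint pattern="^__cfduid=">
      <description>Cloudflare CDN cookie</description>
      <param pos="0" name="service.vendor" value="Cloudflare"/>
      <param pos="0" name="service.product" value="CDN"/>
    </fingerprint>
  </fingerprints>
XML

DBS = [SERVER_XML, COOKIE_XML].map { |xml| load_recog_db(xml) }

# Match one fingerprint; returns a Recog-style hash or nil. Fixed values may
# reference captured params with {name}, which Recog fills in (or '-' if absent).
def recog_match(fp, text)
  m = fp.regex.match(text)
  return nil unless m
  result = { 'matched' => fp.description }
  fp.params.each { |p| result[p[:name]] = p[:pos].zero? ? p[:value] : m[p[:pos]] }
  result.keys.each do |k|
    v = result[k]
    next unless v.is_a?(String) && v.include?('{')
    result[k] = v.gsub(/\{([^}]+)\}/) { result[Regexp.last_match(1)] || '-' }
  end
  result
end

# Recog emits CPE 2.2 URIs (cpe:/a:vendor:product:version); Ident's own checks
# emit cpe:2.3:part:vendor:product:version:update with lowercased, underscored
# names and empty fields instead of '-'. Strings already in that form pass through.
def normalize_cpe(cpe)
  return cpe unless cpe.start_with?('cpe:/')
  part, vendor, product, version, update = cpe.sub('cpe:/', '').split(':', -1)
  norm = ->(s) { s.nil? || s == '-' ? '' : s.downcase.tr(' ', '_') }
  "cpe:2.3:#{part}:#{norm.call(vendor)}:#{norm.call(product)}:#{norm.call(version)}:#{norm.call(update)}"
end

# Shape a Recog match like the "method": "recog" entries Ident returns.
def ident_fingerprint(match, match_key)
  { 'method' => 'recog', 'vendor' => match['service.vendor'],
    'product' => match['service.product'], 'version' => match['service.version'],
    'cpe' => match['service.cpe23'] && normalize_cpe(match['service.cpe23']),
    'match_details' => "#{match['matched']} (Recog: #{match_key})",
    'inference' => false, 'hide' => false, 'issue' => nil }
end

# Run every DB over the headers it applies to; like the output above, every
# matching fingerprint is returned, so one Server value can yield several entries.
def recog_fingerprints(headers)
  DBS.flat_map do |match_key, fps|
    texts = case match_key
            when 'http_header.server' then [headers['server']].compact
            when 'http_cookie' then Array(headers['set-cookie'])
            else []
            end
    texts.flat_map { |t| fps.filter_map { |fp| (m = recog_match(fp, t)) && ident_fingerprint(m, match_key) } }
  end
end

# Collapse entries that differ only in which check fired (case-insensitive vendor/product).
def dedupe_fingerprints(fps)
  fps.uniq { |f| [f['vendor'].to_s.downcase, f['product'].to_s.downcase, f['version']] }
end

if __FILE__ == $0
  # Constructed response headers for a version-less nginx behind Cloudflare cookies.
  puts JSON.pretty_generate(recog_fingerprints('server' => 'nginx', 'set-cookie' => ['__cfduid=d3a1; Path=/']))
end
```

`recog_fingerprints` deliberately keeps every hit, which reproduces the duplicate nginx entries in the first comment's output; `dedupe_fingerprints` is one possible normalization step on top of that, keyed on vendor, product and version rather than on the check description.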