From 4058159391a96ceb2763481863b6b41615ac624d Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sun, 2 Apr 2023 16:10:49 +0200
Subject: [PATCH 1/4] L20 snmp checks

---
 config/trickest_blacklist.txt | 5 +++
 modules/L20_snmp_checks.sh | 84 +++++++++++++++++++++++++++--------
 2 files changed, 70 insertions(+), 19 deletions(-)

diff --git a/config/trickest_blacklist.txt b/config/trickest_blacklist.txt
index de2f76af2..344265055 100644
--- a/config/trickest_blacklist.txt
+++ b/config/trickest_blacklist.txt
@@ -59,3 +59,8 @@ RxXwx3x/Redteam
 CVEDB/PoC-List
 vmmaltsev/13.1
 Zhivarev/13-01-hw
+7hang/cyber-security-interview
+Eduardmihai1997/VulnerabilityManagement
+PotterXma/linux-deployment-standard
+paramint/AD-Attack-Defense
+BSG9432/Districts-2023
diff --git a/modules/L20_snmp_checks.sh b/modules/L20_snmp_checks.sh
index e364ec7e5..7d3a8a6af 100755
--- a/modules/L20_snmp_checks.sh
+++ b/modules/L20_snmp_checks.sh
@@ -38,7 +38,8 @@ L20_snmp_checks() {
 return
 fi
 fi
- check_live_snmp "$IP_ADDRESS_"
+ check_basic_snmp "$IP_ADDRESS_"
+ check_snmp_vulns "$IP_ADDRESS_"
 else
 print_output "[!] No IP address found"
 fi
@@ -49,36 +50,41 @@ L20_snmp_checks() { fi } -check_live_snmp() { +check_basic_snmp() { local IP_ADDRESS_="${1:-}" sub_module_title "SNMP enumeration for emulated system with IP $ORANGE$IP_ADDRESS_$NC" if command -v snmp-check > /dev/null; then print_output "[*] SNMP scan with community name ${ORANGE}public$NC" - snmp-check -w "$IP_ADDRESS_"| tee "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt + snmp-check -w "$IP_ADDRESS_" >> "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt ]]; then - cat "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt >> "$LOG_FILE" + write_link "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt + cat "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt fi print_ln print_output "[*] SNMP scan with community name ${ORANGE}private$NC" - snmp-check -c private -w "$IP_ADDRESS_"| tee "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt + snmp-check -c private -w "$IP_ADDRESS_" >> "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt ]]; then - cat "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt >> "$LOG_FILE" - fi - else - print_output "[*] SNMP scan with community name ${ORANGE}public$NC" - snmpwalk -v2c -c public "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt || true - if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt ]]; then - cat "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt >> "$LOG_FILE" - fi - print_ln - print_output "[*] SNMP scan with community name ${ORANGE}private$NC" - snmpwalk -v2c -c private "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmapwalk-private-"$IP_ADDRESS_".txt || true - if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt ]]; then - cat "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt >> "$LOG_FILE" + write_link "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt + cat 
"$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt fi fi + + print_output "[*] SNMP walk with community name ${ORANGE}public$NC" + snmpwalk -v2c -c public "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt || true + if [[ -f "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt ]]; then + write_link "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt + cat "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt + fi + print_ln + print_output "[*] SNMP walk with community name ${ORANGE}private$NC" + snmpwalk -v2c -c private "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmapwalk-private-"$IP_ADDRESS_".txt || true + if [[ -f "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt ]]; then + write_link "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt + cat "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt + fi + SNMP_UP=$(wc -l "$LOG_PATH_MODULE"/snmp* | tail -1 | awk '{print $1}') if [[ "$SNMP_UP" -gt 20 ]]; then 
@@ -88,6 +94,46 @@ check_live_snmp() { fi print_ln - print_output "[*] SNMP tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished" + print_output "[*] SNMP basic tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished" } +check_snmp_vulns() { + local IP_ADDRESS_="${1:-}" + local SNMP_UP_tmp=0 + + sub_module_title "SNMP firmadyne disclosure checks" + + print_output "[*] This module tests multiple information disclosure vulnerabilities (${ORANGE}CVE-2016-1557 / CVE-2016-1559${NC})" + + OIDs=( "iso.3.6.1.4.1.171.10.37.35.2.1.3.3.2.1.1.4" "iso.3.6.1.4.1.171.10.37.38.2.1.3.3.2.1.1.4" \ + "iso.3.6.1.4.1.171.10.37.35.4.1.1.1" "iso.3.6.1.4.1.171.10.37.37.4.1.1.1" "iso.3.6.1.4.1.171.10.37.38.4.1.1.1" \ + "iso.3.6.1.4.1.4526.100.7.8.1.5" "iso.3.6.1.4.1.4526.100.7.9.1.5" "iso.3.6.1.4.1.4526.100.7.9.1.7" \ + "iso.3.6.1.4.1.4526.100.7.10.1.7" ) + + for OID in "${OIDs[@]}"; do + print_output "[*] Testing OID ${ORANGE}${OID}${NC} on IP address $ORANGE$IP_ADDRESS_$NC ..." + snmpwalk -v 2c -c public "${IP_ADDRESS_}" "${OID}" >> "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true + snmpwalk -v 1 -c public "${IP_ADDRESS_}" "${OID}" >> "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true + # remove "No Such Object" entries from the counting results: + if [[ $(grep -v "No Such Object" "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt | wc -l) -gt 0 ]]; then + print_ln + print_output "[+] Possible credential disclosure detected (${ORANGE}CVE-2016-1557 / CVE-2016-1559${GREEN}):${NC}" + tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt + print_ln + else + rm "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true + fi + done + + SNMP_UP_tmp=$(wc -l "$LOG_PATH_MODULE"/snmp* | tail -1 | awk '{print $1}') + + if [[ "$SNMP_UP_tmp" -gt 20 ]]; then + SNMP_UP=1 + fi + + # TODO: check output for vulnerability 
and integrate it into f20/f50 + + print_ln + print_output "[*] SNMP vulnerability tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished" + +} From 930622768897fb428b19bb0489bc454f89850e45 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 2 Apr 2023 17:01:35 +0200 Subject: [PATCH 2/4] update readme --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 35dfdb4bf..d3cfd8bb4 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@
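Review bot: The detection condition in check_snmp_vulns, `grep -v "No Such Object" ... | wc -l` compared with `-gt 0`, treats every line that is not a `No Such Object` response as a disclosure, and if I remember net-snmp correctly an SNMPv1 walk of an absent OID prints `End of MIB` instead, so the second snmpwalk would likely flag CVE-2016-1557 / CVE-2016-1559 on every SNMP-responsive target regardless of vendor. I would filter the other known empty-walk responses as well and let grep decide instead of counting: `if grep -qvE "No Such Object|End of MIB|No more variables left" "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt; then`. `OIDs` and `OID` are not declared `local` the way `IP_ADDRESS_` and `SNMP_UP_tmp` are, so they leak into the caller's scope. The `SNMP_UP_tmp` recount over `snmp*` includes the files check_basic_snmp already measured, so it appears to re-derive what `SNMP_UP` already holds, and it assigns `SNMP_UP=1` where check_basic_snmp stores a line count; worth confirming against the `-gt 20` branch above line 94 that lies outside this hunk.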