SNMP module improvements #565

Merged
merged 4 commits into from
Apr 3, 2023
12 changes: 9 additions & 3 deletions README.md
@@ -1,8 +1,8 @@
<!--
EMBA - EMBEDDED LINUX ANALYZER

Copyright 2020-2022 Siemens AG
Copyright 2020-2022 Siemens Energy AG
Copyright 2020-2023 Siemens AG
Copyright 2020-2023 Siemens Energy AG

EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
Expand Down Expand Up @@ -60,7 +60,13 @@ sudo ./installer.sh -d

## Quick start with default scan profile:
```console
sudo ./emba -l ./log -f /firmware -p ./scan-profiles/default-scan.emba
sudo ./emba -l ~/log -f ~firmware -p ./scan-profiles/default-scan.emba

```
## Quick start with system-emulation scan profile:
For further details on EMBA's system-emulation engine check the [wiki](https://github.com/e-m-b-a/emba/wiki/System-emulation).
```console
sudo ./emba -l ~/log -f ~/firmware -p ./scan-profiles/default-scan-emulation.emba

```
---
5 changes: 5 additions & 0 deletions config/trickest_blacklist.txt
Expand Up @@ -59,3 +59,8 @@ RxXwx3x/Redteam
CVEDB/PoC-List
vmmaltsev/13.1
Zhivarev/13-01-hw
7hang/cyber-security-interview
Eduardmihai1997/VulnerabilityManagement
PotterXma/linux-deployment-standard
paramint/AD-Attack-Defense
BSG9432/Districts-2023
84 changes: 65 additions & 19 deletions modules/L20_snmp_checks.sh
Expand Up @@ -38,7 +38,8 @@ L20_snmp_checks() {
return
fi
fi
check_live_snmp "$IP_ADDRESS_"
check_basic_snmp "$IP_ADDRESS_"
check_snmp_vulns "$IP_ADDRESS_"
else
print_output "[!] No IP address found"
fi
Expand All @@ -49,36 +50,41 @@ L20_snmp_checks() {
fi
}

check_live_snmp() {
check_basic_snmp() {
local IP_ADDRESS_="${1:-}"

sub_module_title "SNMP enumeration for emulated system with IP $ORANGE$IP_ADDRESS_$NC"

if command -v snmp-check > /dev/null; then
print_output "[*] SNMP scan with community name ${ORANGE}public$NC"
snmp-check -w "$IP_ADDRESS_"| tee "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt
snmp-check -w "$IP_ADDRESS_" >> "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt
if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt ]]; then
cat "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt >> "$LOG_FILE"
write_link "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt
cat "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt
fi
print_ln
print_output "[*] SNMP scan with community name ${ORANGE}private$NC"
snmp-check -c private -w "$IP_ADDRESS_"| tee "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt
snmp-check -c private -w "$IP_ADDRESS_" >> "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt
if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt ]]; then
cat "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt >> "$LOG_FILE"
fi
else
print_output "[*] SNMP scan with community name ${ORANGE}public$NC"
snmpwalk -v2c -c public "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt || true
if [[ -f "$LOG_PATH_MODULE"/snmp-check-public-"$IP_ADDRESS_".txt ]]; then
cat "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt >> "$LOG_FILE"
fi
print_ln
print_output "[*] SNMP scan with community name ${ORANGE}private$NC"
snmpwalk -v2c -c private "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmapwalk-private-"$IP_ADDRESS_".txt || true
if [[ -f "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt ]]; then
cat "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt >> "$LOG_FILE"
write_link "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt
cat "$LOG_PATH_MODULE"/snmp-check-private-"$IP_ADDRESS_".txt
fi
fi

print_output "[*] SNMP walk with community name ${ORANGE}public$NC"
snmpwalk -v2c -c public "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt || true
if [[ -f "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt ]]; then
write_link "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt
cat "$LOG_PATH_MODULE"/snmpwalk-public-"$IP_ADDRESS_".txt
fi
print_ln
print_output "[*] SNMP walk with community name ${ORANGE}private$NC"
snmpwalk -v2c -c private "$IP_ADDRESS_" .iso | tee "$LOG_PATH_MODULE"/snmapwalk-private-"$IP_ADDRESS_".txt || true
if [[ -f "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt ]]; then
write_link "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt
cat "$LOG_PATH_MODULE"/snmpwalk-private-"$IP_ADDRESS_".txt
fi

SNMP_UP=$(wc -l "$LOG_PATH_MODULE"/snmp* | tail -1 | awk '{print $1}')

if [[ "$SNMP_UP" -gt 20 ]]; then
Expand All @@ -88,6 +94,46 @@ check_live_snmp() {
fi

print_ln
print_output "[*] SNMP tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished"
print_output "[*] SNMP basic tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished"
}

check_snmp_vulns() {
local IP_ADDRESS_="${1:-}"
local SNMP_UP_tmp=0

sub_module_title "SNMP firmadyne disclosure checks"

print_output "[*] This module tests multiple information disclosure vulnerabilities (${ORANGE}CVE-2016-1557 / CVE-2016-1559${NC})"

OIDs=( "iso.3.6.1.4.1.171.10.37.35.2.1.3.3.2.1.1.4" "iso.3.6.1.4.1.171.10.37.38.2.1.3.3.2.1.1.4" \
"iso.3.6.1.4.1.171.10.37.35.4.1.1.1" "iso.3.6.1.4.1.171.10.37.37.4.1.1.1" "iso.3.6.1.4.1.171.10.37.38.4.1.1.1" \
"iso.3.6.1.4.1.4526.100.7.8.1.5" "iso.3.6.1.4.1.4526.100.7.9.1.5" "iso.3.6.1.4.1.4526.100.7.9.1.7" \
"iso.3.6.1.4.1.4526.100.7.10.1.7" )

for OID in "${OIDs[@]}"; do
print_output "[*] Testing OID ${ORANGE}${OID}${NC} on IP address $ORANGE$IP_ADDRESS_$NC ..."
snmpwalk -v 2c -c public "${IP_ADDRESS_}" "${OID}" >> "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true
snmpwalk -v 1 -c public "${IP_ADDRESS_}" "${OID}" >> "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true
# remove "No Such Object" entries from the counting results:
if [[ $(grep -v -c "No Such Object" "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt) -gt 0 ]]; then
print_ln
print_output "[+] Possible credential disclosure detected (${ORANGE}CVE-2016-1557 / CVE-2016-1559${GREEN}):${NC}"
tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt
print_ln
else
rm "$LOG_PATH_MODULE"/snmpwalk-firmadyne_disclosure-"$IP_ADDRESS_"-"${OID}".txt || true
fi
done

SNMP_UP_tmp=$(wc -l "$LOG_PATH_MODULE"/snmp* | tail -1 | awk '{print $1}')

if [[ "$SNMP_UP_tmp" -gt 20 ]]; then
SNMP_UP=1
fi

# TODO: check output for vulnerability and integrate it into f20/f50

print_ln
print_output "[*] SNMP vulnerability tests for emulated system with IP $ORANGE$IP_ADDRESS_$NC finished"

}
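Review bot: The hit test on the `grep -v -c "No Such Object"` line in check_snmp_vulns counts every other line of the per-OID file as a disclosure, so other snmpwalk non-result messages (for example `No Such Instance currently exists at this OID` or `No more variables left in this MIB View`) would raise the `[+] Possible credential disclosure` finding and keep the file; I'd widen the filter on that line to `grep -v -c -e "No Such Object" -e "No Such Instance" -e "No more variables" …`. `OIDs=( … )` and the loop variable `OID` are not declared `local`, unlike `IP_ADDRESS_` and `SNMP_UP_tmp` in the same function, so they leak into the global scope; `local OIDs=( … )` and `local OID` keep the function self-contained. In check_basic_snmp the new `snmp-check … >> …` lines carry no `|| true` while the neighbouring `snmpwalk … || true` lines do, so if this module ever runs under `set -e` an unreachable agent would abort it at the first snmp-check call; the error handling should be consistent either way. The `SNMP_UP_tmp=$(wc -l "$LOG_PATH_MODULE"/snmp* …)` count also includes the files written by check_basic_snmp through the same `snmp*` glob, so the `-gt 20` test mostly reflects the earlier basic scan rather than the disclosure checks; the continuation of check_basic_snmp after the `-gt 20` test lies outside the hunk.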
12 changes: 7 additions & 5 deletions modules/L25_web_checks.sh
Expand Up @@ -214,9 +214,11 @@ web_access_crawler() {
local WEB_DIR_L1=""
local WEB_DIR_L2=""
local WEB_DIR_L3=""
local CURL_OPTS=( -sS -D )

if [[ "$SSL_" -eq 1 ]]; then
PROTO="-k https"
PROTO="https"
CURL_OPTS+=( -k )
else
PROTO="http"
fi
Expand All @@ -235,21 +237,21 @@ web_access_crawler() {
print_dot
WEB_FILE="$(basename "$WEB_PATH")"
echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/$WEB_FILE$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
timeout --preserve-status --signal SIGINT 2 curl -sS -D - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
WEB_DIR_L1="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1 | rev)"
if [[ -n "${WEB_DIR_L1}" ]]; then
echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L1}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
timeout --preserve-status --signal SIGINT 2 curl -sS -D - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L1}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L1}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
fi
WEB_DIR_L2="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-2 | rev)"
if [[ -n "${WEB_DIR_L2}" ]]; then
echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L2}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
timeout --preserve-status --signal SIGINT 2 curl -sS -D - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L2}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L2}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
fi
WEB_DIR_L3="$(dirname "$WEB_PATH" | rev | cut -d'/' -f1-3 | rev)"
if [[ -n "${WEB_DIR_L3}" ]]; then
echo -e "\\n[*] Testing $ORANGE$PROTO://$IP_:$PORT_/${WEB_DIR_L3}/${WEB_FILE}$NC" >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
timeout --preserve-status --signal SIGINT 2 curl -sS -D - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L3}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
timeout --preserve-status --signal SIGINT 2 curl "${CURL_OPTS[@]}" - "$PROTO""://""$IP_":"$PORT_""/""${WEB_DIR_L3}""/""$WEB_FILE" -o /dev/null >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" 2>/dev/null || true
fi
done

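Review bot: In the SSL branch of web_access_crawler, `CURL_OPTS+=( -k )` appends `-k` after the `-D` already in `CURL_OPTS=( -sS -D )`, so the expanded command becomes `curl -sS -D -k - https://…`: curl takes `-k` as the header-dump filename for `-D`, the bare `-` is parsed as a stray URL argument, and certificate verification is never disabled, so HTTPS targets with untrusted certificates fail silently behind the `2>/dev/null || true` (and a file literally named `-k` is likely left in the working directory). Keep `-D` adjacent to its `-` argument, e.g. change that line to `CURL_OPTS=( -k "${CURL_OPTS[@]}" )`, or move `-D -` into the array and drop the bare `-` at the four `timeout … curl "${CURL_OPTS[@]}" -` call sites in the second hunk. web_access_crawler starts before the first hunk and continues past the second.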