def testStatsHuntFilterLocalhost(self):
statshunt = aff4.FACTORY.Create("aff4:/temp", "StatsHunt")
self.assertTrue(
statshunt.ProcessInterface(
rdf_client.Interface(mac_address="123")))
self.assertFalse(
statshunt.ProcessInterface(rdf_client.Interface(ifname="lo")))
def Run(self, unused_args):
"""Enumerate all MAC addresses."""
libc = ctypes.cdll.LoadLibrary(ctypes.util.find_library("c"))
ifa = Ifaddrs()
p_ifa = ctypes.pointer(ifa)
libc.getifaddrs(ctypes.pointer(p_ifa))
addresses = {}
macs = {}
ifs = set()
m = p_ifa
while m:
ifname = ctypes.string_at(m.contents.ifa_name)
ifs.add(ifname)
try:
iffamily = ord(m.contents.ifa_addr[1])
if iffamily == 0x2: # AF_INET
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrin))
ip4 = "".join(map(chr, data.contents.sin_addr))
address_type = rdf_client.NetworkAddress.Family.INET
address = rdf_client.NetworkAddress(
address_type=address_type, packed_bytes=ip4)
addresses.setdefault(ifname, []).append(address)
if iffamily == 0x12: # AF_LINK
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrdl))
iflen = data.contents.sdl_nlen
addlen = data.contents.sdl_alen
macs[ifname] = "".join(
map(chr, data.contents.sdl_data[iflen:iflen + addlen]))
if iffamily == 0x1E: # AF_INET6
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrin6))
ip6 = "".join(map(chr, data.contents.sin6_addr))
address_type = rdf_client.NetworkAddress.Family.INET6
address = rdf_client.NetworkAddress(
address_type=address_type, packed_bytes=ip6)
addresses.setdefault(ifname, []).append(address)
except ValueError:
# Some interfaces don't have a iffamily and will raise a null pointer
# exception. We still want to send back the name.
pass
m = m.contents.ifa_next
libc.freeifaddrs(p_ifa)
for interface in ifs:
mac = macs.setdefault(interface, "")
address_list = addresses.setdefault(interface, "")
args = {"ifname": interface}
if mac:
args["mac_address"] = mac
if address_list:
args["addresses"] = address_list
self.SendReply(rdf_client.Interface(**args))
def Parse(self, query, result, knowledge_base):
"""Parse the wmi packages output."""
_ = query, knowledge_base
args = {"ifname": result["Description"]}
args["mac_address"] = binascii.unhexlify(result["MACAddress"].replace(
":", ""))
self._ConvertIPs([("IPAddress", "addresses"),
("DefaultIPGateway", "ip_gateway_list"),
("DHCPServer", "dhcp_server_list")], result, args)
if "DHCPLeaseExpires" in result:
args["dhcp_lease_expires"] = self.WMITimeStrToRDFDatetime(
result["DHCPLeaseExpires"])
if "DHCPLeaseObtained" in result:
args["dhcp_lease_obtained"] = self.WMITimeStrToRDFDatetime(
result["DHCPLeaseObtained"])
yield rdf_client.Interface(**args)
yield rdf_client.DNSClientConfiguration(
dns_server=result["DNSServerSearchOrder"],
dns_suffix=result["DNSDomainSuffixSearchOrder"])
def testNoApplicableTests(self):
"""Try to run linux tests on windows."""
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", mode="rw",
token=self.token, age=aff4.ALL_TIMES)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.SYSTEM("Windows"))
self.client.Set(self.client.Schema.OS_RELEASE("7"))
self.client.Set(self.client.Schema.OS_VERSION("6.1.7601SP1"))
self.client.Set(self.client.Schema.KERNEL("6.1.7601"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.ARCH("AMD64"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.USER([userobj]))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.LAST_INTERFACES([interface]))
self.client.Flush()
args = endtoend.EndToEndTestFlowArgs(
test_names=["TestListDirectoryOSLinuxDarwin",
"MockEndToEndTest",
"TestListDirectoryOSLinuxDarwin"])
self.assertRaises(flow.FlowError, list, test_lib.TestFlowHelper(
"EndToEndTestFlow", self.client_mock, client_id=self.client_id,
token=self.token, args=args))
def setUp(self):
super(TestEndToEndTestFlow, self).setUp()
self.SetupClients(1, system="Linux", os_version="14.04", arch="x86_64")
install_time = rdfvalue.RDFDatetime.Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(self.client_id,
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token,
age=aff4.ALL_TIMES)
kb = self.client.Get(self.client.Schema.KNOWLEDGE_BASE)
kb.users.Append(userobj)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.OS_RELEASE("debian"))
self.client.Set(self.client.Schema.KERNEL("3.15-rc2"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.KNOWLEDGE_BASE(kb))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.INTERFACES([interface]))
self.client.Flush()
self.client_mock = action_mocks.ListDirectoryClientMock()
def _SetupClients(self, n):
res = {}
for i in range(1, n + 1):
client_id = "C.100000000000000%d" % i
client = objects.Client()
client.system = "Windows"
client.hostname = "host-%d" % i
client.fqdn = "host-%d.example.com" % i
client.interfaces = [
rdf_client.Interface(addresses=[
rdf_client.NetworkAddress(
address_type=rdf_client.NetworkAddress.Family.INET,
packed_bytes=ipv6_utils.InetPtoN(
socket.AF_INET, "192.168.0.%d" % i)),
rdf_client.NetworkAddress(
address_type=rdf_client.NetworkAddress.Family.INET6,
packed_bytes=ipv6_utils.InetPtoN(
socket.AF_INET6, "2001:abcd::%d" % i))
],
mac_address=("aabbccddee0%d" %
i).decode("hex"))
]
res[client_id] = client
return res
def testGetClientSummary(self):
hostname = "test"
system = "Linux"
os_release = "12.02"
kernel = "3.15-rc2"
fqdn = "test.test.com"
arch = "amd64"
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
timestamp = 1
with utils.Stubber(time, "time", lambda: timestamp):
with aff4.FACTORY.Create("C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
kb = rdf_client.KnowledgeBase()
kb.users.Append(userobj)
empty_summary = fd.GetSummary()
self.assertEqual(empty_summary.client_id, "C.0000000000000000")
self.assertFalse(empty_summary.system_info.version)
self.assertEqual(empty_summary.timestamp.AsSecondsFromEpoch(),
1)
# This will cause TYPE to be written with current time = 101 when the
# object is closed
timestamp += 100
fd.Set(fd.Schema.HOSTNAME(hostname))
fd.Set(fd.Schema.SYSTEM(system))
fd.Set(fd.Schema.OS_RELEASE(os_release))
fd.Set(fd.Schema.KERNEL(kernel))
fd.Set(fd.Schema.FQDN(fqdn))
fd.Set(fd.Schema.ARCH(arch))
fd.Set(fd.Schema.INSTALL_DATE(install_time))
fd.Set(fd.Schema.KNOWLEDGE_BASE(kb))
fd.Set(fd.Schema.USERNAMES([user]))
fd.Set(fd.Schema.INTERFACES([interface]))
with aff4.FACTORY.Open("C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
summary = fd.GetSummary()
self.assertEqual(summary.system_info.node, hostname)
self.assertEqual(summary.system_info.system, system)
self.assertEqual(summary.system_info.release, os_release)
self.assertEqual(summary.system_info.kernel, kernel)
self.assertEqual(summary.system_info.fqdn, fqdn)
self.assertEqual(summary.system_info.machine, arch)
self.assertEqual(summary.system_info.install_date,
install_time)
self.assertItemsEqual(summary.users, [userobj])
self.assertItemsEqual(summary.interfaces, [interface])
self.assertFalse(summary.client_info)
self.assertEqual(summary.timestamp.AsSecondsFromEpoch(), 101)
def _TestInterfaces(self, client_nr):
ip1 = rdf_client.NetworkAddress()
ip1.human_readable_address = "192.168.0.%d" % client_nr
ip2 = rdf_client.NetworkAddress()
ip2.human_readable_address = "2001:abcd::%x" % client_nr
mac1 = rdf_client.MacAddress()
mac1.human_readable_address = "aabbccddee%02x" % client_nr
mac2 = rdf_client.MacAddress()
mac2.human_readable_address = "bbccddeeff%02x" % client_nr
return [
rdf_client.Interface(addresses=[ip1, ip2]),
rdf_client.Interface(mac_address=mac1),
rdf_client.Interface(mac_address=mac2),
]
def EnumerateInterfaces(self, _):
self.response_count += 1
return [rdf_client.Interface(
mac_address="123456",
addresses=[
rdf_client.NetworkAddress(
address_type=rdf_client.NetworkAddress.Family.INET,
human_readable="100.100.100.1",
packed_bytes=socket.inet_pton(socket.AF_INET, "100.100.100.1"),)
])]
def testRdfFormatter(self):
"""Hints format RDF values with arbitrary values and attributes."""
# Create a complex RDF value
rdf = rdf_client.ClientSummary()
rdf.system_info.system = "Linux"
rdf.system_info.node = "coreai.skynet.com"
# Users (repeated)
rdf.users = [rdf_client.User(username=u) for u in ("root", "jconnor")]
# Interface (nested, repeated)
addresses = [
rdf_client.NetworkAddress(human_readable=a)
for a in ("1.1.1.1", "2.2.2.2", "3.3.3.3")
]
eth0 = rdf_client.Interface(ifname="eth0", addresses=addresses[:2])
ppp0 = rdf_client.Interface(ifname="ppp0", addresses=addresses[2])
rdf.interfaces = [eth0, ppp0]
template = ("{system_info.system} {users.username} {interfaces.ifname} "
"{interfaces.addresses.human_readable}\n")
hinter = hints.Hinter(template=template)
expected = "Linux root,jconnor eth0,ppp0 1.1.1.1,2.2.2.2,3.3.3.3"
result = hinter.Render(rdf)
self.assertEqual(expected, result)
def testRepeatedFields(self):
"""Test handling of protobuf repeated fields."""
sample = rdf_client.Interface()
# Add a simple string.
sample.ip4_addresses.Append("127.0.0.1")
self.assertEqual(sample.ip4_addresses[0], "127.0.0.1")
# Add an invalid type.
self.assertRaises(type_info.TypeValueError, sample.addresses.Append, 2)
# Add a protobuf
sample.addresses.Append(human_readable="127.0.0.1")
self.assertEqual(sample.addresses[0].human_readable, "127.0.0.1")
self.assertEqual(len(sample.addresses), 1)
def Run(self, args):
del args # Unused.
pythoncom.CoInitialize()
for interface in wmi.WMI().Win32_NetworkAdapterConfiguration():
addresses = []
for ip_address in interface.IPAddress:
addresses.append(
rdf_client.NetworkAddress(human_readable_address=ip_address))
response = rdf_client.Interface(ifname=interface.Description)
if interface.MACAddress:
response.mac_address = binascii.unhexlify(
interface.MACAddress.replace(":", ""))
if addresses:
response.addresses = addresses
self.SendReply(response)
def testNoApplicableTests(self):
"""Try to run linux tests on windows."""
self.SetupClients(
1, system="Windows", os_version="6.1.7601SP1", arch="AMD64")
install_time = rdfvalue.RDFDatetime.Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(
self.client_id,
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token,
age=aff4.ALL_TIMES)
kb = self.client.Get(self.client.Schema.KNOWLEDGE_BASE)
kb.users.Append(userobj)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.OS_RELEASE("7"))
self.client.Set(self.client.Schema.KERNEL("6.1.7601"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.KNOWLEDGE_BASE(kb))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.INTERFACES([interface]))
self.client.Flush()
args = endtoend.EndToEndTestFlowArgs(test_names=[
"TestListDirectoryOSLinuxDarwin", "MockEndToEndTest",
"TestListDirectoryOSLinuxDarwin"
])
self.assertRaises(
flow.FlowError,
list,
test_lib.TestFlowHelper(
"EndToEndTestFlow",
self.client_mock,
client_id=self.client_id,
token=self.token,
args=args))
def setUp(self):
super(TestEndToEndTestFlow, self).setUp()
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", mode="rw",
token=self.token, age=aff4.ALL_TIMES)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.SYSTEM("Linux"))
self.client.Set(self.client.Schema.OS_RELEASE("debian"))
self.client.Set(self.client.Schema.OS_VERSION("14.04"))
self.client.Set(self.client.Schema.KERNEL("3.15-rc2"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.ARCH("x86_64"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.USER([userobj]))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.LAST_INTERFACES([interface]))
self.client.Flush()
self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")
def Run(self, unused_args):
"""Enumerate all MAC addresses."""
for interface_dict in self.RunNetAdapterWMIQuery():
self.SendReply(rdf_client.Interface(**interface_dict))
def testGetClientSummary(self):
hostname = "test"
system = "Linux"
os_release = "12.02"
kernel = "3.15-rc2"
fqdn = "test.test.com"
arch = "amd64"
install_time = rdfvalue.RDFDatetime.Now()
user = "******"
userobj = rdf_client.User(username=user)
interface = rdf_client.Interface(ifname="eth0")
google_cloud_instance = cloud.GoogleCloudInstance(
instance_id="1771384456894610289",
zone="projects/123456789733/zones/us-central1-a",
project_id="myproject",
unique_id="us-central1-a/myproject/1771384456894610289")
cloud_instance = cloud.CloudInstance(
cloud_type="GOOGLE", google=google_cloud_instance)
serial_number = "DSD33679FZ"
system_manufacturer = "Foobar Inc."
system_uuid = "C31292AD-6Z4F-55D8-28AC-EC1100E42222"
hwinfo = rdf_client.HardwareInfo(
serial_number=serial_number,
system_manufacturer=system_manufacturer,
system_uuid=system_uuid)
timestamp = 1
with utils.Stubber(time, "time", lambda: timestamp):
with aff4.FACTORY.Create(
"C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
kb = rdf_client.KnowledgeBase()
kb.users.Append(userobj)
empty_summary = fd.GetSummary()
self.assertEqual(empty_summary.client_id, "C.0000000000000000")
self.assertFalse(empty_summary.system_info.version)
self.assertEqual(empty_summary.timestamp.AsSecondsSinceEpoch(), 1)
# This will cause TYPE to be written with current time = 101 when the
# object is closed
timestamp += 100
fd.Set(fd.Schema.HOSTNAME(hostname))
fd.Set(fd.Schema.SYSTEM(system))
fd.Set(fd.Schema.OS_RELEASE(os_release))
fd.Set(fd.Schema.KERNEL(kernel))
fd.Set(fd.Schema.FQDN(fqdn))
fd.Set(fd.Schema.ARCH(arch))
fd.Set(fd.Schema.INSTALL_DATE(install_time))
fd.Set(fd.Schema.KNOWLEDGE_BASE(kb))
fd.Set(fd.Schema.USERNAMES([user]))
fd.Set(fd.Schema.HARDWARE_INFO(hwinfo))
fd.Set(fd.Schema.INTERFACES([interface]))
fd.Set(fd.Schema.CLOUD_INSTANCE(cloud_instance))
with aff4.FACTORY.Open(
"C.0000000000000000",
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token) as fd:
summary = fd.GetSummary()
self.assertEqual(summary.system_info.system, system)
self.assertEqual(summary.system_info.release, os_release)
self.assertEqual(summary.system_info.kernel, kernel)
self.assertEqual(summary.system_info.fqdn, fqdn)
self.assertEqual(summary.system_info.machine, arch)
self.assertEqual(summary.system_info.install_date, install_time)
self.assertItemsEqual(summary.users, [userobj])
self.assertItemsEqual(summary.interfaces, [interface])
self.assertFalse(summary.client_info)
self.assertEqual(summary.timestamp.AsSecondsSinceEpoch(), 101)
self.assertEqual(summary.cloud_type, "GOOGLE")
self.assertEqual(summary.cloud_instance_id,
"us-central1-a/myproject/1771384456894610289")
self.assertEqual(summary.serial_number, serial_number)
self.assertEqual(summary.system_manufacturer, system_manufacturer)
self.assertEqual(summary.system_uuid, system_uuid)
