def Parse(self, query, result, knowledge_base):
"""Parse the wmi packages output."""
_ = query, knowledge_base
args = {"ifname": result["Description"]}
args["mac_address"] = binascii.unhexlify(result["MACAddress"].replace(
":", ""))
self._ConvertIPs([("IPAddress", "addresses"),
("DefaultIPGateway", "ip_gateway_list"),
("DHCPServer", "dhcp_server_list")], result, args)
if "DHCPLeaseExpires" in result:
args["dhcp_lease_expires"] = self.WMITimeStrToRDFDatetime(
result["DHCPLeaseExpires"])
if "DHCPLeaseObtained" in result:
args["dhcp_lease_obtained"] = self.WMITimeStrToRDFDatetime(
result["DHCPLeaseObtained"])
yield rdfvalue.Interface(**args)
yield rdfvalue.DNSClientConfiguration(
dns_server=result["DNSServerSearchOrder"],
dns_suffix=result["DNSDomainSuffixSearchOrder"])
def testClientSummaryToExportedNetworkInterfaceConverter(self):
client_summary = rdfvalue.ClientSummary(
interfaces=[rdfvalue.Interface(
mac_address="123456",
ifname="eth0",
addresses=[
rdfvalue.NetworkAddress(
address_type=rdfvalue.NetworkAddress.Family.INET,
packed_bytes=socket.inet_aton("127.0.0.1"),
),
rdfvalue.NetworkAddress(
address_type=rdfvalue.NetworkAddress.Family.INET,
packed_bytes=socket.inet_aton("10.0.0.1"),
),
rdfvalue.NetworkAddress(
address_type=rdfvalue.NetworkAddress.Family.INET6,
packed_bytes=socket.inet_pton(socket.AF_INET6,
"2001:720:1500:1::a100"),
)
]
)]
)
converter = export.ClientSummaryToExportedNetworkInterfaceConverter()
results = list(converter.Convert(rdfvalue.ExportedMetadata(),
client_summary,
token=self.token))
self.assertEqual(len(results), 1)
self.assertEqual(results[0].mac_address, "123456".encode("hex"))
self.assertEqual(results[0].ifname, "eth0")
self.assertEqual(results[0].ip4_addresses, "127.0.0.1 10.0.0.1")
self.assertEqual(results[0].ip6_addresses, "2001:720:1500:1::a100")
def setUp(self):
super(TestEndToEndTestFlow, self).setUp()
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdfvalue.User(username=user)
interface = rdfvalue.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(self.client_id,
"VFSGRRClient",
mode="rw",
token=self.token,
age=aff4.ALL_TIMES)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.SYSTEM("Linux"))
self.client.Set(self.client.Schema.OS_RELEASE("debian"))
self.client.Set(self.client.Schema.OS_VERSION("14.04"))
self.client.Set(self.client.Schema.KERNEL("3.15-rc2"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.ARCH("x86_64"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.USER([userobj]))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.LAST_INTERFACES([interface]))
self.client.Flush()
self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")
def Run(self, unused_args):
"""Enumerate all interfaces and collect their MAC addresses."""
libc = ctypes.cdll.LoadLibrary(ctypes.util.find_library("c"))
ifa = Ifaddrs()
p_ifa = ctypes.pointer(ifa)
libc.getifaddrs(ctypes.pointer(p_ifa))
addresses = {}
macs = {}
ifs = set()
m = p_ifa
while m:
ifname = ctypes.string_at(m.contents.ifa_name)
ifs.add(ifname)
try:
iffamily = ord(m.contents.ifa_addr[0])
if iffamily == 0x2: # AF_INET
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrin))
ip4 = "".join(map(chr, data.contents.sin_addr))
address_type = rdfvalue.NetworkAddress.Family.INET
address = rdfvalue.NetworkAddress(
address_type=address_type, packed_bytes=ip4)
addresses.setdefault(ifname, []).append(address)
if iffamily == 0x11: # AF_PACKET
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrll))
addlen = data.contents.sll_halen
macs[ifname] = "".join(
map(chr, data.contents.sll_addr[:addlen]))
if iffamily == 0xA: # AF_INET6
data = ctypes.cast(m.contents.ifa_addr,
ctypes.POINTER(Sockaddrin6))
ip6 = "".join(map(chr, data.contents.sin6_addr))
address_type = rdfvalue.NetworkAddress.Family.INET6
address = rdfvalue.NetworkAddress(
address_type=address_type, packed_bytes=ip6)
addresses.setdefault(ifname, []).append(address)
except ValueError:
# Some interfaces don't have a iffamily and will raise a null pointer
# exception. We still want to send back the name.
pass
m = m.contents.ifa_next
libc.freeifaddrs(p_ifa)
for interface in ifs:
mac = macs.setdefault(interface, "")
address_list = addresses.setdefault(interface, "")
args = {"ifname": interface}
if mac:
args["mac_address"] = mac
if addresses:
args["addresses"] = address_list
self.SendReply(rdfvalue.Interface(**args))
def testGetClientSummary(self):
hostname = "test"
system = "Linux"
os_release = "12.02"
kernel = "3.15-rc2"
fqdn = "test.test.com"
arch = "amd64"
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdfvalue.User(username=user)
interface = rdfvalue.Interface(ifname="eth0")
timestamp = 1
with utils.Stubber(time, "time", lambda: timestamp):
with aff4.FACTORY.Create("C.0000000000000000",
"VFSGRRClient",
mode="rw",
token=self.token) as fd:
empty_summary = fd.GetSummary()
self.assertEqual(empty_summary.client_id, "C.0000000000000000")
self.assertFalse(empty_summary.system_info.version)
self.assertEqual(empty_summary.timestamp.AsSecondsFromEpoch(),
1)
# This will cause TYPE to be written with current time = 101 when the
# object is closed
timestamp += 100
fd.Set(fd.Schema.HOSTNAME(hostname))
fd.Set(fd.Schema.SYSTEM(system))
fd.Set(fd.Schema.OS_RELEASE(os_release))
fd.Set(fd.Schema.KERNEL(kernel))
fd.Set(fd.Schema.FQDN(fqdn))
fd.Set(fd.Schema.ARCH(arch))
fd.Set(fd.Schema.INSTALL_DATE(install_time))
fd.Set(fd.Schema.USER([userobj]))
fd.Set(fd.Schema.USERNAMES([user]))
fd.Set(fd.Schema.LAST_INTERFACES([interface]))
with aff4.FACTORY.Open("C.0000000000000000",
"VFSGRRClient",
mode="rw",
token=self.token) as fd:
summary = fd.GetSummary()
self.assertEqual(summary.system_info.node, hostname)
self.assertEqual(summary.system_info.system, system)
self.assertEqual(summary.system_info.release, os_release)
self.assertEqual(summary.system_info.kernel, kernel)
self.assertEqual(summary.system_info.fqdn, fqdn)
self.assertEqual(summary.system_info.machine, arch)
self.assertEqual(summary.system_info.install_date,
install_time)
self.assertItemsEqual(summary.users, [userobj])
self.assertItemsEqual(summary.interfaces, [interface])
self.assertFalse(summary.client_info)
self.assertEqual(summary.timestamp.AsSecondsFromEpoch(), 101)
def EnumerateInterfaces(self, _):
return [
rdfvalue.Interface(
mac_address="123456",
addresses=[
rdfvalue.NetworkAddress(
address_type=rdfvalue.NetworkAddress.Family.INET,
human_readable="127.0.0.1",
packed_bytes=socket.inet_aton("127.0.0.1"),
)
])
]
def testRdfFormatter(self):
"""Hints format RDF values with arbitrary values and attributes."""
# Create a complex RDF value
rdf = rdfvalue.ClientSummary()
rdf.system_info.system = "Linux"
rdf.system_info.node = "coreai.skynet.com"
# Users (repeated)
rdf.users = [rdfvalue.User(username=u) for u in ("root", "jconnor")]
# Interface (nested, repeated)
addresses = [
rdfvalue.NetworkAddress(human_readable=a)
for a in ("1.1.1.1", "2.2.2.2", "3.3.3.3")
]
eth0 = rdfvalue.Interface(ifname="eth0", addresses=addresses[:2])
ppp0 = rdfvalue.Interface(ifname="ppp0", addresses=addresses[2])
rdf.interfaces = [eth0, ppp0]
template = (
"{system_info.system} {users.username} {interfaces.ifname} "
"{interfaces.addresses.human_readable}")
hinter = hints.Hinter(template=template)
expected = "Linux root,jconnor eth0,ppp0 1.1.1.1,2.2.2.2,3.3.3.3"
result = hinter.Render(rdf)
self.assertEqual(expected, result)
def testRepeatedFields(self):
"""Test handling of protobuf repeated fields."""
sample = rdfvalue.Interface()
# Add a simple string.
sample.ip4_addresses.Append("127.0.0.1")
self.assertEqual(sample.ip4_addresses[0], "127.0.0.1")
# Add an invalid type.
self.assertRaises(type_info.TypeValueError, sample.addresses.Append, 2)
# Add a protobuf
sample.addresses.Append(human_readable="127.0.0.1")
self.assertEqual(sample.addresses[0].human_readable, "127.0.0.1")
self.assertEqual(len(sample.addresses), 1)
def testNoApplicableTests(self):
"""Try to run linux tests on windows."""
install_time = rdfvalue.RDFDatetime().Now()
user = "******"
userobj = rdfvalue.User(username=user)
interface = rdfvalue.Interface(ifname="eth0")
self.client = aff4.FACTORY.Create(self.client_id,
"VFSGRRClient",
mode="rw",
token=self.token,
age=aff4.ALL_TIMES)
self.client.Set(self.client.Schema.HOSTNAME("hostname"))
self.client.Set(self.client.Schema.SYSTEM("Windows"))
self.client.Set(self.client.Schema.OS_RELEASE("7"))
self.client.Set(self.client.Schema.OS_VERSION("6.1.7601SP1"))
self.client.Set(self.client.Schema.KERNEL("6.1.7601"))
self.client.Set(self.client.Schema.FQDN("hostname.example.com"))
self.client.Set(self.client.Schema.ARCH("AMD64"))
self.client.Set(self.client.Schema.INSTALL_DATE(install_time))
self.client.Set(self.client.Schema.USER([userobj]))
self.client.Set(self.client.Schema.USERNAMES([user]))
self.client.Set(self.client.Schema.LAST_INTERFACES([interface]))
self.client.Flush()
args = rdfvalue.EndToEndTestFlowArgs(test_names=[
"TestListDirectoryOSLinuxDarwin", "MockEndToEndTest",
"TestListDirectoryOSLinuxDarwin"
])
self.assertRaises(
flow.FlowError, list,
test_lib.TestFlowHelper("EndToEndTestFlow",
self.client_mock,
client_id=self.client_id,
token=self.token,
args=args))
def testStatsHuntFilterLocalhost(self):
statshunt = aff4.FACTORY.Create("aff4:/temp", "StatsHunt")
self.assertTrue(
statshunt.ProcessInterface(rdfvalue.Interface(mac_address="123")))
self.assertFalse(
statshunt.ProcessInterface(rdfvalue.Interface(ifname="lo")))
