def Parse(self, query, result, knowledge_base): """Parse the wmi packages output.""" _ = query, knowledge_base args = {"ifname": result["Description"]} args["mac_address"] = binascii.unhexlify(result["MACAddress"].replace( ":", "")) self._ConvertIPs([("IPAddress", "addresses"), ("DefaultIPGateway", "ip_gateway_list"), ("DHCPServer", "dhcp_server_list")], result, args) if "DHCPLeaseExpires" in result: args["dhcp_lease_expires"] = self.WMITimeStrToRDFDatetime( result["DHCPLeaseExpires"]) if "DHCPLeaseObtained" in result: args["dhcp_lease_obtained"] = self.WMITimeStrToRDFDatetime( result["DHCPLeaseObtained"]) yield rdfvalue.Interface(**args) yield rdfvalue.DNSClientConfiguration( dns_server=result["DNSServerSearchOrder"], dns_suffix=result["DNSDomainSuffixSearchOrder"])
def testClientSummaryToExportedNetworkInterfaceConverter(self): client_summary = rdfvalue.ClientSummary( interfaces=[rdfvalue.Interface( mac_address="123456", ifname="eth0", addresses=[ rdfvalue.NetworkAddress( address_type=rdfvalue.NetworkAddress.Family.INET, packed_bytes=socket.inet_aton("127.0.0.1"), ), rdfvalue.NetworkAddress( address_type=rdfvalue.NetworkAddress.Family.INET, packed_bytes=socket.inet_aton("10.0.0.1"), ), rdfvalue.NetworkAddress( address_type=rdfvalue.NetworkAddress.Family.INET6, packed_bytes=socket.inet_pton(socket.AF_INET6, "2001:720:1500:1::a100"), ) ] )] ) converter = export.ClientSummaryToExportedNetworkInterfaceConverter() results = list(converter.Convert(rdfvalue.ExportedMetadata(), client_summary, token=self.token)) self.assertEqual(len(results), 1) self.assertEqual(results[0].mac_address, "123456".encode("hex")) self.assertEqual(results[0].ifname, "eth0") self.assertEqual(results[0].ip4_addresses, "127.0.0.1 10.0.0.1") self.assertEqual(results[0].ip6_addresses, "2001:720:1500:1::a100")
def setUp(self): super(TestEndToEndTestFlow, self).setUp() install_time = rdfvalue.RDFDatetime().Now() user = "******" userobj = rdfvalue.User(username=user) interface = rdfvalue.Interface(ifname="eth0") self.client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", mode="rw", token=self.token, age=aff4.ALL_TIMES) self.client.Set(self.client.Schema.HOSTNAME("hostname")) self.client.Set(self.client.Schema.SYSTEM("Linux")) self.client.Set(self.client.Schema.OS_RELEASE("debian")) self.client.Set(self.client.Schema.OS_VERSION("14.04")) self.client.Set(self.client.Schema.KERNEL("3.15-rc2")) self.client.Set(self.client.Schema.FQDN("hostname.example.com")) self.client.Set(self.client.Schema.ARCH("x86_64")) self.client.Set(self.client.Schema.INSTALL_DATE(install_time)) self.client.Set(self.client.Schema.USER([userobj])) self.client.Set(self.client.Schema.USERNAMES([user])) self.client.Set(self.client.Schema.LAST_INTERFACES([interface])) self.client.Flush() self.client_mock = action_mocks.ActionMock("ListDirectory", "StatFile")
def Run(self, unused_args): """Enumerate all interfaces and collect their MAC addresses.""" libc = ctypes.cdll.LoadLibrary(ctypes.util.find_library("c")) ifa = Ifaddrs() p_ifa = ctypes.pointer(ifa) libc.getifaddrs(ctypes.pointer(p_ifa)) addresses = {} macs = {} ifs = set() m = p_ifa while m: ifname = ctypes.string_at(m.contents.ifa_name) ifs.add(ifname) try: iffamily = ord(m.contents.ifa_addr[0]) if iffamily == 0x2: # AF_INET data = ctypes.cast(m.contents.ifa_addr, ctypes.POINTER(Sockaddrin)) ip4 = "".join(map(chr, data.contents.sin_addr)) address_type = rdfvalue.NetworkAddress.Family.INET address = rdfvalue.NetworkAddress( address_type=address_type, packed_bytes=ip4) addresses.setdefault(ifname, []).append(address) if iffamily == 0x11: # AF_PACKET data = ctypes.cast(m.contents.ifa_addr, ctypes.POINTER(Sockaddrll)) addlen = data.contents.sll_halen macs[ifname] = "".join( map(chr, data.contents.sll_addr[:addlen])) if iffamily == 0xA: # AF_INET6 data = ctypes.cast(m.contents.ifa_addr, ctypes.POINTER(Sockaddrin6)) ip6 = "".join(map(chr, data.contents.sin6_addr)) address_type = rdfvalue.NetworkAddress.Family.INET6 address = rdfvalue.NetworkAddress( address_type=address_type, packed_bytes=ip6) addresses.setdefault(ifname, []).append(address) except ValueError: # Some interfaces don't have a iffamily and will raise a null pointer # exception. We still want to send back the name. pass m = m.contents.ifa_next libc.freeifaddrs(p_ifa) for interface in ifs: mac = macs.setdefault(interface, "") address_list = addresses.setdefault(interface, "") args = {"ifname": interface} if mac: args["mac_address"] = mac if addresses: args["addresses"] = address_list self.SendReply(rdfvalue.Interface(**args))
def testGetClientSummary(self): hostname = "test" system = "Linux" os_release = "12.02" kernel = "3.15-rc2" fqdn = "test.test.com" arch = "amd64" install_time = rdfvalue.RDFDatetime().Now() user = "******" userobj = rdfvalue.User(username=user) interface = rdfvalue.Interface(ifname="eth0") timestamp = 1 with utils.Stubber(time, "time", lambda: timestamp): with aff4.FACTORY.Create("C.0000000000000000", "VFSGRRClient", mode="rw", token=self.token) as fd: empty_summary = fd.GetSummary() self.assertEqual(empty_summary.client_id, "C.0000000000000000") self.assertFalse(empty_summary.system_info.version) self.assertEqual(empty_summary.timestamp.AsSecondsFromEpoch(), 1) # This will cause TYPE to be written with current time = 101 when the # object is closed timestamp += 100 fd.Set(fd.Schema.HOSTNAME(hostname)) fd.Set(fd.Schema.SYSTEM(system)) fd.Set(fd.Schema.OS_RELEASE(os_release)) fd.Set(fd.Schema.KERNEL(kernel)) fd.Set(fd.Schema.FQDN(fqdn)) fd.Set(fd.Schema.ARCH(arch)) fd.Set(fd.Schema.INSTALL_DATE(install_time)) fd.Set(fd.Schema.USER([userobj])) fd.Set(fd.Schema.USERNAMES([user])) fd.Set(fd.Schema.LAST_INTERFACES([interface])) with aff4.FACTORY.Open("C.0000000000000000", "VFSGRRClient", mode="rw", token=self.token) as fd: summary = fd.GetSummary() self.assertEqual(summary.system_info.node, hostname) self.assertEqual(summary.system_info.system, system) self.assertEqual(summary.system_info.release, os_release) self.assertEqual(summary.system_info.kernel, kernel) self.assertEqual(summary.system_info.fqdn, fqdn) self.assertEqual(summary.system_info.machine, arch) self.assertEqual(summary.system_info.install_date, install_time) self.assertItemsEqual(summary.users, [userobj]) self.assertItemsEqual(summary.interfaces, [interface]) self.assertFalse(summary.client_info) self.assertEqual(summary.timestamp.AsSecondsFromEpoch(), 101)
def EnumerateInterfaces(self, _): return [ rdfvalue.Interface( mac_address="123456", addresses=[ rdfvalue.NetworkAddress( address_type=rdfvalue.NetworkAddress.Family.INET, human_readable="127.0.0.1", packed_bytes=socket.inet_aton("127.0.0.1"), ) ]) ]
def testRdfFormatter(self): """Hints format RDF values with arbitrary values and attributes.""" # Create a complex RDF value rdf = rdfvalue.ClientSummary() rdf.system_info.system = "Linux" rdf.system_info.node = "coreai.skynet.com" # Users (repeated) rdf.users = [rdfvalue.User(username=u) for u in ("root", "jconnor")] # Interface (nested, repeated) addresses = [ rdfvalue.NetworkAddress(human_readable=a) for a in ("1.1.1.1", "2.2.2.2", "3.3.3.3") ] eth0 = rdfvalue.Interface(ifname="eth0", addresses=addresses[:2]) ppp0 = rdfvalue.Interface(ifname="ppp0", addresses=addresses[2]) rdf.interfaces = [eth0, ppp0] template = ( "{system_info.system} {users.username} {interfaces.ifname} " "{interfaces.addresses.human_readable}") hinter = hints.Hinter(template=template) expected = "Linux root,jconnor eth0,ppp0 1.1.1.1,2.2.2.2,3.3.3.3" result = hinter.Render(rdf) self.assertEqual(expected, result)
def testRepeatedFields(self): """Test handling of protobuf repeated fields.""" sample = rdfvalue.Interface() # Add a simple string. sample.ip4_addresses.Append("127.0.0.1") self.assertEqual(sample.ip4_addresses[0], "127.0.0.1") # Add an invalid type. self.assertRaises(type_info.TypeValueError, sample.addresses.Append, 2) # Add a protobuf sample.addresses.Append(human_readable="127.0.0.1") self.assertEqual(sample.addresses[0].human_readable, "127.0.0.1") self.assertEqual(len(sample.addresses), 1)
def testNoApplicableTests(self): """Try to run linux tests on windows.""" install_time = rdfvalue.RDFDatetime().Now() user = "******" userobj = rdfvalue.User(username=user) interface = rdfvalue.Interface(ifname="eth0") self.client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", mode="rw", token=self.token, age=aff4.ALL_TIMES) self.client.Set(self.client.Schema.HOSTNAME("hostname")) self.client.Set(self.client.Schema.SYSTEM("Windows")) self.client.Set(self.client.Schema.OS_RELEASE("7")) self.client.Set(self.client.Schema.OS_VERSION("6.1.7601SP1")) self.client.Set(self.client.Schema.KERNEL("6.1.7601")) self.client.Set(self.client.Schema.FQDN("hostname.example.com")) self.client.Set(self.client.Schema.ARCH("AMD64")) self.client.Set(self.client.Schema.INSTALL_DATE(install_time)) self.client.Set(self.client.Schema.USER([userobj])) self.client.Set(self.client.Schema.USERNAMES([user])) self.client.Set(self.client.Schema.LAST_INTERFACES([interface])) self.client.Flush() args = rdfvalue.EndToEndTestFlowArgs(test_names=[ "TestListDirectoryOSLinuxDarwin", "MockEndToEndTest", "TestListDirectoryOSLinuxDarwin" ]) self.assertRaises( flow.FlowError, list, test_lib.TestFlowHelper("EndToEndTestFlow", self.client_mock, client_id=self.client_id, token=self.token, args=args))
def testStatsHuntFilterLocalhost(self): statshunt = aff4.FACTORY.Create("aff4:/temp", "StatsHunt") self.assertTrue( statshunt.ProcessInterface(rdfvalue.Interface(mac_address="123"))) self.assertFalse( statshunt.ProcessInterface(rdfvalue.Interface(ifname="lo")))