def _AnalyzeHadoopAppRoot(self, collected_artifacts, output_dir): """Runs a naive AppRoot files parsing method. This extracts strings from the saved task file, and searches for usual post-compromise suspicious patterns. TODO: properly parse the Proto. Some documentation can be found over there: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23.7/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto Args: collected_artifacts(list(str)): a list of paths to extracted files output_dir(str): The base directory the artfacts are in. Returns: Tuple( list(str): The report data as a list of lines report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] evil_commands = [] strings_count = 0 priority = Priority.MEDIUM summary = '' for filepath in collected_artifacts: relpath = os.path.relpath(filepath, output_dir) command = 'strings -a "{0:s}"'.format(filepath) log.debug('Running command [{0:s}]'.format(command)) proc = subprocess.Popen( command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) strings_output, _ = proc.communicate() strings_output = codecs.decode(strings_output, 'utf-8') for line in strings_output.splitlines(): strings_count += 1 if (line.find('curl') >= 0) or (line.find('wget') >= 0): evil_commands.append((relpath, line)) if evil_commands: msg = 'Found suspicious commands!' report.append(fmt.heading4(fmt.bold(msg))) summary = msg priority = Priority.CRITICAL else: msg = 'Did not find any suspicious commands.' report.append(fmt.heading4(msg)) summary = msg for filepath, command in evil_commands: report.append(fmt.bullet(fmt.bold('Command:'))) report.append(fmt.code(command)) report.append('Found in file:') report.append(fmt.code(filepath)) msg = 'Extracted {0:d} strings from {1:d} file(s)'.format( strings_count, len(collected_artifacts)) report.append(fmt.bullet(msg)) return (report, priority, summary)
def analyze_jenkins(version, credentials, timeout=300): """Analyses a Jenkins configuration. Args: version (str): Version of Jenkins. credentials (list): of tuples with username and password hash. timeout (int): Time in seconds to run password bruteforcing. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] summary = '' priority = Priority.LOW credentials_registry = { hash: username for username, hash in credentials } # '3200' is "bcrypt $2*$, Blowfish (Unix)" weak_passwords = bruteforce_password_hashes( credentials_registry.keys(), tmp_dir=None, timeout=timeout, extra_args='-m 3200') if not version: version = 'Unknown' report.append(fmt.bullet('Jenkins version: {0:s}'.format(version))) if weak_passwords: priority = Priority.CRITICAL summary = 'Jenkins analysis found potential issues' report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} weak password(s) found:'.format(len(weak_passwords)) report.append(fmt.bullet(fmt.bold(line))) for password_hash, plaintext in weak_passwords: line = 'User "{0:s}" with password "{1:s}"'.format( credentials_registry.get(password_hash), plaintext) report.append(fmt.bullet(line, level=2)) elif credentials_registry or version != 'Unknown': summary = ( 'Jenkins version {0:s} found with {1:d} credentials, but no issues ' 'detected'.format(version, len(credentials_registry))) report.insert(0, fmt.heading4(summary)) priority = Priority.MEDIUM else: summary = 'No Jenkins instance found' report.insert(0, fmt.heading4(summary)) report = '\n'.join(report) return (report, priority, summary)
def analyze_jenkins(version, credentials): """Analyses a Jenkins configuration. Args: version (str): Version of Jenkins. credentials (list): of tuples with username and password hash. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] summary = '' priority = Priority.LOW credentials_registry = { hash: username for username, hash in credentials } # TODO: Add timeout parameter when dynamic configuration is ready. # Ref: https://github.com/google/turbinia/issues/244 weak_passwords = bruteforce_password_hashes( credentials_registry.keys()) if not version: version = 'Unknown' report.append(fmt.bullet('Jenkins version: {0:s}'.format(version))) if weak_passwords: priority = Priority.CRITICAL summary = 'Jenkins analysis found potential issues' report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} weak password(s) found:'.format(len(weak_passwords)) report.append(fmt.bullet(fmt.bold(line))) for password_hash, plaintext in weak_passwords: line = 'User "{0:s}" with password "{1:s}"'.format( credentials_registry.get(password_hash), plaintext) report.append(fmt.bullet(line, level=2)) elif credentials_registry or version != 'Unknown': summary = ( 'Jenkins version {0:s} found with {1:d} credentials, but no issues ' 'detected'.format(version, len(credentials_registry))) report.insert(0, fmt.heading4(summary)) priority = Priority.MEDIUM else: summary = 'No Jenkins instance found' report.insert(0, fmt.heading4(summary)) report = '\n'.join(report) return (report, priority, summary)
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ # TODO(dfjxs): Use evidence name instead of evidence_description (#718) evidence_description = None if hasattr(evidence, 'embedded_path'): evidence_description = ':'.join( (evidence.disk_name, evidence.embedded_path)) elif hasattr(evidence, 'disk_name'): evidence_description = evidence.disk_name else: evidence_description = evidence.source_path result.log( 'Scanning [{0:s}] for partitions'.format(evidence_description)) success = False dfvfs_definitions.PREFERRED_GPT_BACK_END = ( dfvfs_definitions.TYPE_INDICATOR_GPT) mediator = dfvfs_classes.UnattendedVolumeScannerMediator() path_specs = [] try: scanner = volume_scanner.VolumeScanner(mediator=mediator) path_specs = scanner.GetBasePathSpecs(evidence.local_path) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence_description) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log( 'Scanning of [{0:s}] is complete'.format(evidence_description)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result
def analyse_crontab(self, crontab): """Analyses a Cron file. Args: crontab (str): file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ findings = [] wget_or_curl = re.compile(r'(wget|curl)', re.IGNORECASE | re.MULTILINE) pipe_to_sh = re.compile(r'\|(.*)sh ', re.IGNORECASE | re.MULTILINE) get_piped_to_sh = re.compile(r'((wget|curl).*\|)+(.*sh)', re.IGNORECASE | re.MULTILINE) if re.search(get_piped_to_sh, crontab): findings.append( fmt.bullet('Remote file retrieval piped to a shell.')) elif re.search(wget_or_curl, crontab): findings.append(fmt.bullet('Remote file retrieval')) elif re.search(pipe_to_sh, crontab): findings.append(fmt.bullet('File piped to shell')) if findings: summary = 'Potentially backdoored crontab found.' findings.insert(0, fmt.heading4(fmt.bold(summary))) report = '\n'.join(findings) return (report, Priority.HIGH, summary) report = 'No issues found in crontabs' return (report, Priority.LOW, report)
def _is_traversal_in_logs(self, result, basedir, logfiles): """Checks to see if there is evidence of directory traversal in the logs. Args: result (TurbiniaTaskResult): The object to place task results into. basedir (str): the root of the evidence. logfiles (str): The file(s) to check Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ check = " ".join(glob.glob(os.path.join(basedir, logfiles))) if not len(check): return ('', Priority.LOW, '') cmd = ['zgrep', '"%2F..%2F..%2F..%2F"', check] ret, result = self.execute(cmd, result, success_codes=[0, 1]) if ret == 0: summary = 'directory traversal exploit detected in {}'.format( logfiles) report = fmt.heading4(fmt.bold(summary)) return (report, Priority.HIGH, summary) return ('', Priority.LOW, '')
def analyse_shadow_file(self, shadow, hashes): """Analyses a Linux shadow file. Args: shadow (list): shadow file content (list of str). hashes (dict): dict of hashes to usernames Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] summary = 'No weak passwords found' priority = Priority.LOW weak_passwords = bruteforce_password_hashes(shadow) if weak_passwords: priority = Priority.CRITICAL summary = 'Shadow file analysis found {0:n} weak password(s)'.format( len(weak_passwords)) report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} weak password(s) found:'.format(len(weak_passwords)) report.append(fmt.bullet(fmt.bold(line))) for password_hash, plaintext in weak_passwords: line = """User '{0:s}' with password '{1:s}'""".format( hashes[password_hash], plaintext) report.append(fmt.bullet(line, level=2)) report = '\n'.join(report) return (report, priority, summary)
def analyse_redis_config(self, config): """Analyses a Redis configuration. Args: config (str): configuration file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ findings = [] bind_everywhere_re = re.compile( r'^\s*bind[\s"]*0\.0\.0\.0', re.IGNORECASE | re.MULTILINE) if re.search(bind_everywhere_re, config): findings.append(fmt.bullet('Redis listening on every IP')) if findings: summary = 'Insecure Redis configuration found.' findings.insert(0, fmt.heading4(fmt.bold(summary))) report = '\n'.join(findings) return (report, Priority.HIGH, summary) report = 'No issues found in Redis configuration' return (report, Priority.LOW, report)
def testPartitionEnumerationRunAPFS(self, mock_getbasepathspecs, _): """Test PartitionEnumeration task run on APFS.""" self.result.setup(self.task) filedir = os.path.dirname(os.path.realpath(__file__)) test_data = os.path.join(filedir, '..', '..', 'test_data', 'apfs.raw') test_os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_data) test_raw_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec) test_apfs_container_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_APFS_CONTAINER, location='/apfs1', volume_index=0, parent=test_raw_path_spec) mock_getbasepathspecs.return_value = [test_apfs_container_path_spec] result = self.task.run(self.evidence, self.result) # Ensure run method returns a TurbiniaTaskResult instance. expected_report = [] expected_report.append( fmt.heading4('Found 1 partition(s) in [{0:s}]:'.format( self.evidence.local_path))) expected_report.append(fmt.heading5('/apfs1:')) expected_report.append(fmt.bullet('Volume index: 0')) expected_report = '\n'.join(expected_report) self.assertEqual(result.report_data, expected_report)
def testPartitionEnumerationRunLVM(self, mock_getbasepathspecs, _): """Test PartitionEnumeration task run on LVM.""" self.result.setup(self.task) filedir = os.path.dirname(os.path.realpath(__file__)) test_data = os.path.join(filedir, '..', '..', 'test_data', 'lvm.raw') test_os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_data) test_raw_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_RAW, parent=test_os_path_spec) test_lvm_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_LVM, location='/lvm1', parent=test_raw_path_spec) test_xfs_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_XFS, location='/', parent=test_lvm_path_spec) mock_getbasepathspecs.return_value = [test_xfs_path_spec] result = self.task.run(self.evidence, self.result) # Ensure run method returns a TurbiniaTaskResult instance. expected_report = [] expected_report.append( fmt.heading4('Found 1 partition(s) in [{0:s}]:'.format( self.evidence.local_path))) expected_report.append(fmt.heading5('/lvm1:')) expected_report.append(fmt.bullet('Source evidence is a volume image')) expected_report = '\n'.join(expected_report) self.assertEqual(result.report_data, expected_report)
def analyse_config(self, jupyter_config): """Extract security related configs from Jupyter configuration files. Args: config (str): configuration file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ findings = [] num_misconfigs = 0 for line in jupyter_config.split('\n'): if all(x in line for x in ['disable_check_xsrf', 'True']): findings.append(fmt.bullet('XSRF protection is disabled.')) num_misconfigs += 1 continue if all(x in line for x in ['allow_root', 'True']): findings.append( fmt.bullet('Juypter Notebook allowed to run as root.')) num_misconfigs += 1 continue if 'NotebookApp.password' in line: if all(x in line for x in ['required', 'False']): findings.append( fmt.bullet( 'Password is not required to access this Jupyter Notebook.' )) num_misconfigs += 1 continue if 'required' not in line: password_hash = line.split('=') if len(password_hash) > 1: if password_hash[1].strip() == "''": findings.append( fmt.bullet( 'There is no password set for this Jupyter Notebook.' )) num_misconfigs += 1 if all(x in line for x in ['allow_remote_access', 'True']): findings.append( fmt.bullet( 'Remote access is enabled on this Jupyter Notebook.')) num_misconfigs += 1 continue if findings: summary = 'Insecure Jupyter Notebook configuration found. Total misconfigs: {}'.format( num_misconfigs) findings.insert(0, fmt.heading4(fmt.bold(summary))) report = '\n'.join(findings) return (report, Priority.HIGH, summary) report = 'No issues found in Jupyter Notebook configuration.' return (report, Priority.LOW, report)
def analyze_wp_access_logs(self, config): """Analyses access logs containing Wordpress traffic. Args: config (str): access log file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] findings_summary = set() for log_line in config.split('\n'): if self.install_step_regex.search(log_line): line = '{0:s}: Wordpress installation successful'.format( self._get_timestamp(log_line)) report.append(fmt.bullet(line)) findings_summary.add('install') match = self.theme_editor_regex.search(log_line) if match: line = '{0:s}: Wordpress theme editor edited file ({1:s})'.format( self._get_timestamp(log_line), match.group('edited_file')) report.append(fmt.bullet(line)) findings_summary.add('theme_edit') if report: findings_summary = ', '.join(sorted(list(findings_summary))) summary = 'Wordpress access logs found ({0:s})'.format( findings_summary) report.insert(0, fmt.heading4(fmt.bold(summary))) report_text = '\n'.join(report) return (report_text, Priority.HIGH, summary) report_text = 'No Wordpress install or theme editing found in access logs' return (fmt.heading4(report_text), Priority.LOW, report_text)
def testFormatting(self): """Test text formatting.""" self.assertEqual('**testing**', fmt.bold(self.test_string)) self.assertEqual('# testing', fmt.heading1(self.test_string)) self.assertEqual('## testing', fmt.heading2(self.test_string)) self.assertEqual('### testing', fmt.heading3(self.test_string)) self.assertEqual('#### testing', fmt.heading4(self.test_string)) self.assertEqual('##### testing', fmt.heading5(self.test_string)) self.assertEqual('* testing', fmt.bullet(self.test_string)) self.assertEqual(' * testing', fmt.bullet(self.test_string, level=3)) self.assertEqual('`testing`', fmt.code(self.test_string))
def analyse_tomcat_file(self, tomcat_file): """Analyse a Tomcat file. - Search for clear text password entries in user configuration file - Search for .war deployment - Search for management control panel activity Args: tomcat_file (str): Tomcat file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ findings = [] tomcat_user_passwords_re = re.compile('(^.*password.*)', re.MULTILINE) tomcat_deploy_re = re.compile( '(^.*Deploying web application archive.*)', re.MULTILINE) tomcat_manager_activity_re = re.compile( '(^.*POST /manager/html/upload.*)', re.MULTILINE) count = 0 for password_entry in re.findall(tomcat_user_passwords_re, tomcat_file): findings.append( fmt.bullet('Tomcat user: '******'Tomcat App Deployed: ' + deployment_entry.strip())) count += 1 for mgmt_entry in re.findall(tomcat_manager_activity_re, tomcat_file): findings.append( fmt.bullet('Tomcat Management: ' + mgmt_entry.strip())) count += 1 if findings: msg = 'Tomcat analysis found {0:d} results'.format(count) findings.insert(0, fmt.heading4(fmt.bold(msg))) report = '\n'.join(findings) return (report, Priority.HIGH, msg) report = 'No Tomcat findings to report' return (report, Priority.LOW, report)
def testPartitionEnumerationRun(self, mock_getbasepathspecs): """Test PartitionEnumeration task run.""" os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location='test.dd') raw_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_RAW, parent=os_path_spec) tsk_p1_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, parent=raw_path_spec, location='/p1', part_index=2, start_offset=1048576) ntfs_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_NTFS, parent=tsk_p1_spec, location='\\') tsk_p2_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, parent=raw_path_spec, location='/p2', part_index=6, start_offset=11534336) tsk_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_NTFS, parent=tsk_p2_spec, location='/') mock_getbasepathspecs.return_value = [ntfs_spec, tsk_spec] result = self.task.run(self.evidence, self.result) # Ensure run method returns a TurbiniaTaskResult instance. self.assertIsInstance(result, TurbiniaTaskResult) self.assertEqual(result.task_name, 'PartitionEnumerationTask') self.assertEqual(len(result.evidence), 2) expected_report = [] expected_report.append( fmt.heading4('Found 2 partition(s) in [{0:s}]:'.format( self.evidence.local_path))) expected_report.append(fmt.heading5('/p1:')) expected_report.append(fmt.bullet('Partition index: 2')) expected_report.append(fmt.bullet('Partition offset: 1048576')) expected_report.append(fmt.heading5('/p2:')) expected_report.append(fmt.bullet('Partition index: 6')) expected_report.append(fmt.bullet('Partition offset: 11534336')) expected_report = '\n'.join(expected_report) self.assertEqual(result.report_data, expected_report)
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ result.log('Scanning [{0:s}] for partitions'.format( evidence.local_path)) success = False mediator = dfvfs_classes.UnattendedVolumeScannerMediator() try: scanner = volume_scanner.VolumeScanner(mediator=mediator) path_specs = scanner.GetBasePathSpecs(evidence.local_path) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence.local_path) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( evidence.local_path, path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log('Scanning of [{0:s}] is complete'.format( evidence.local_path)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result
def runLoki(self, result, evidence): log_file = os.path.join(self.output_dir, 'loki.log') stdout_file = os.path.join(self.output_dir, 'loki_stdout.log') stderr_file = os.path.join(self.output_dir, 'loki_stderr.log') cmd = [ 'python', '/opt/loki/loki.py', '-w', '0', '--csv', '--intense', '--noprocscan', '--dontwait', '--noindicator', '-l', log_file, '-p', evidence.local_path ] (ret, result) = self.execute( cmd, result, log_files=[log_file], stdout_file=stdout_file, stderr_file=stderr_file, cwd='/opt/loki/') if ret != 0: raise TurbiniaException('Return code: {0:d}'.format(ret)) report = [] summary = 'No Loki threats found' priority = Priority.LOW report_lines = [] with open(stdout_file, 'r') as loki_report_csv: lokireader = csv.DictReader( loki_report_csv, fieldnames=['Time', 'Hostname', 'Level', 'Log']) for row in lokireader: if row['Level'] == 'ALERT': report_lines.append(row['Log']) if report_lines: priority = Priority.HIGH summary = 'Loki analysis found {0:d} alert(s)'.format(len(report_lines)) report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} alerts(s) found:'.format(len(report_lines)) report.append(fmt.bullet(fmt.bold(line))) for line in report_lines: report.append(fmt.bullet(line, level=2)) report = '\n'.join(report) return (report, priority, summary)
def _analyse_wordpress_creds(self, creds, hashnames, timeout=300): """Attempt to brute force extracted Wordpress credentials. Args: creds (list): List of strings containing raw extracted credentials hashnames (dict): Dict mapping hash back to username for convenience. timeout (int): How long to spend cracking. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] summary = 'No weak passwords found' priority = Priority.LOW # 1000 is "phpass" weak_passwords = bruteforce_password_hashes( creds, tmp_dir=self.tmp_dir, timeout=timeout, extra_args='--username -m 400') if weak_passwords: priority = Priority.CRITICAL summary = 'Wordpress analysis found {0:d} weak password(s)'.format( len(weak_passwords)) report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} weak password(s) found:'.format(len(weak_passwords)) report.append(fmt.bullet(fmt.bold(line))) for password_hash, plaintext in weak_passwords: if password_hash in hashnames: line = """User '{0:s}' with password '{1:s}'""".format( hashnames[password_hash], plaintext) report.append(fmt.bullet(line, level=2)) report = '\n'.join(report) return (report, priority, summary)
def testPartitionEnumerationRun(self, mock_getbasepathspecs, _): """Test PartitionEnumeration task run.""" self.result.setup(self.task) filedir = os.path.dirname(os.path.realpath(__file__)) test_data = os.path.join(filedir, '..', '..', 'test_data', 'tsk_volume_system.raw') os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_data) raw_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_RAW, parent=os_path_spec) tsk_p2_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, parent=raw_path_spec, location='/p2', part_index=6, start_offset=180224) tsk_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_NTFS, parent=tsk_p2_spec, location='/') mock_getbasepathspecs.return_value = [tsk_spec] result = self.task.run(self.evidence, self.result) # Ensure run method returns a TurbiniaTaskResult instance. self.assertIsInstance(result, TurbiniaTaskResult) self.assertEqual(result.task_name, 'PartitionEnumerationTask') self.assertEqual(len(result.evidence), 1) expected_report = [] expected_report.append( fmt.heading4('Found 1 partition(s) in [{0:s}]:'.format( self.evidence.local_path))) expected_report.append(fmt.heading5('/p2:')) expected_report.append(fmt.bullet('Partition index: 6')) expected_report.append(fmt.bullet('Partition offset: 180224')) expected_report.append(fmt.bullet('Partition size: 1294336')) expected_report = '\n'.join(expected_report) self.assertEqual(result.report_data, expected_report)
def analyse_sshd_config(self, config): """Analyses an SSH configuration. Args: config (str): configuration file content. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ findings = [] permit_root_login_re = re.compile( r'^\s*PermitRootLogin\s*(yes|prohibit-password|without-password)', re.IGNORECASE | re.MULTILINE) password_authentication_re = re.compile( r'^\s*PasswordAuthentication[\s"]*No', re.IGNORECASE | re.MULTILINE) permit_empty_passwords_re = re.compile( r'^\s*PermitEmptyPasswords[\s"]*Yes', re.IGNORECASE | re.MULTILINE) if re.search(permit_root_login_re, config): findings.append(fmt.bullet('Root login enabled.')) if not re.search(password_authentication_re, config): findings.append(fmt.bullet('Password authentication enabled.')) if re.search(permit_empty_passwords_re, config): findings.append(fmt.bullet('Empty passwords permitted.')) if findings: summary = 'Insecure SSH configuration found.' findings.insert(0, fmt.heading4(fmt.bold(summary))) report = '\n'.join(findings) return (report, 20, summary) report = 'No issues found in SSH configuration' return (report, 60, report)
def analyse_shadow_file(self, shadow, hashes, timeout=300): """Analyses a Linux shadow file. Args: shadow (list): shadow file content (list of str). hashes (dict): dict of hashes to usernames timeout (int): Time in seconds to run password bruteforcing. Returns: Tuple( report_text(str): The report data report_priority(int): The priority of the report (0 - 100) summary(str): A summary of the report (used for task status) ) """ report = [] summary = 'No weak passwords found' priority = Priority.LOW # 1800 is "sha512crypt $6$, SHA512 (Unix)" weak_passwords = bruteforce_password_hashes(shadow, tmp_dir=self.tmp_dir, timeout=timeout, extra_args='-m 1800') if weak_passwords: priority = Priority.CRITICAL summary = 'Shadow file analysis found {0:n} weak password(s)'.format( len(weak_passwords)) report.insert(0, fmt.heading4(fmt.bold(summary))) line = '{0:n} weak password(s) found:'.format(len(weak_passwords)) report.append(fmt.bullet(fmt.bold(line))) for password_hash, plaintext in weak_passwords: line = """User '{0:s}' with password '{1:s}'""".format( hashes[password_hash], plaintext) report.append(fmt.bullet(line, level=2)) report = '\n'.join(report) return (report, priority, summary)
def generate_summary_report(self, output_file_path): """Generate a summary report from the resulting bulk extractor run. Args: output_file_path(str): the path to the bulk extractor output. Returns: tuple: containing: report_test(str): The report data summary(str): A summary of the report (used for task status) """ findings = [] features_count = 0 report_path = os.path.join(output_file_path, 'report.xml') # Check if report.xml was not generated by bulk extractor. if not os.path.exists(report_path): report = 'Execution successful, but the report is not available.' return (report, report) # Parse existing XML file. self.xml = xml_tree.parse(report_path) # Place in try/except statement to continue execution when # an attribute is not found and NoneType is returned. try: # Retrieve summary related results. findings.append(fmt.heading4('Bulk Extractor Results')) findings.append(fmt.heading5('Run Summary')) findings.append( fmt.bullet( 'Program: {0} - {1}'.format( self.check_xml_attrib('creator/program'), self.check_xml_attrib('creator/version')))) findings.append( fmt.bullet( 'Command Line: {0}'.format( self.check_xml_attrib( 'creator/execution_environment/command_line')))) findings.append( fmt.bullet( 'Start Time: {0}'.format( self.check_xml_attrib( 'creator/execution_environment/start_time')))) findings.append( fmt.bullet( 'Elapsed Time: {0}'.format( self.check_xml_attrib('report/elapsed_seconds')))) # Retrieve results from each of the scanner runs feature_files = self.xml.find('feature_files') if feature_files is not None: feature_iter = feature_files.iter() findings.append(fmt.heading5('Scanner Results')) for f in feature_iter: if f.tag == 'feature_file': name = next(feature_iter) count = next(feature_iter) findings.append(fmt.bullet('{0}:{1}'.format(name.text, count.text))) features_count += int(count.text) else: findings.append(fmt.heading5("There are no findings to report.")) except AttributeError as exception: log.warning( 'Error parsing feature from Bulk Extractor report: {0!s}'.format( exception)) summary = '{0} artifacts have been extracted.'.format(features_count) report = '\n'.join(findings) return (report, summary)
def run(self, evidence, result): """Scan a raw disk for partitions. Args: evidence (Evidence object): The evidence we will process. result (TurbiniaTaskResult): The object to place task results into. Returns: TurbiniaTaskResult object. """ # TODO(dfjxs): Use evidence name instead of evidence_description (#718) evidence_description = None if hasattr(evidence, 'embedded_path'): evidence_description = ':'.join( (evidence.disk_name, evidence.embedded_path)) elif hasattr(evidence, 'disk_name'): evidence_description = evidence.disk_name else: evidence_description = evidence.source_path result.log( 'Scanning [{0:s}] for partitions'.format(evidence_description)) path_specs = [] success = False try: path_specs = partitions.Enumerate(evidence) status_summary = 'Found {0:d} partition(s) in [{1:s}]:'.format( len(path_specs), evidence_description) # Debug output path_spec_debug = ['Base path specs:'] for path_spec in path_specs: path_spec_types = [path_spec.type_indicator] child_path_spec = path_spec while child_path_spec.HasParent(): path_spec_types.insert( 0, child_path_spec.parent.type_indicator) child_path_spec = child_path_spec.parent path_spec_debug.append(' | '.join( ('{0!s}'.format(path_spec.CopyToDict()), ' -> '.join(path_spec_types)))) log.debug('\n'.join(path_spec_debug)) except dfvfs_errors.ScannerError as e: status_summary = 'Error scanning for partitions: {0!s}'.format(e) status_report = [fmt.heading4(status_summary)] try: for path_spec in path_specs: partition_evidence, partition_status = self._ProcessPartition( path_spec) status_report.extend(partition_status) result.add_evidence(partition_evidence, evidence.config) status_report = '\n'.join(status_report) success = True except TurbiniaException as e: status_summary = 'Error enumerating partitions: {0!s}'.format(e) status_report = status_summary result.log( 'Scanning of [{0:s}] is complete'.format(evidence_description)) result.report_priority = Priority.LOW result.report_data = status_report result.close(self, success=success, status=status_summary) return result