minvws · Souf149 · Jul 31, 2024 · Aug 7, 2024 · Aug 13, 2024 · Aug 19, 2024
@@ -40,7 +40,7 @@ images:  # Build the images for the containerized boefjes
 	# docker build -f images/base.Dockerfile -t ghcr.io/minvws/openkat/dns-records --build-arg BOEFJE_PATH=./boefjes/plugins/kat_dns .
 	docker build -f ./boefjes/plugins/kat_dnssec/boefje.Dockerfile -t ghcr.io/minvws/openkat/dns-sec:latest .
 	docker build -f ./boefjes/plugins/kat_nmap_tcp/boefje.Dockerfile -t ghcr.io/minvws/openkat/nmap:latest  .
-
+	docker build -f ./boefjes/plugins/kat_nikto/boefje.Dockerfile -t openkat/nikto .
 
 ##
 ##|------------------------------------------------------------------------|

@@ -486,5 +486,11 @@
     "source": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers",
     "impact": "Nonstandard headers may not be supported by all browsers and may not provide the security that is expected.",
     "recommendation": "Remove the nonstandard headers from the response."
+  },
+  "KAT-OUTDATED-SOFTWARE": {
+    "description": "A newer version of existing software has been found.",
+    "risk": "recommendation",
+    "impact": "Depending on what software is outdated this can be critical.",
+    "recommendation": "Inspect the software version, determine if additional measures need to be taken and install updates to reduce the attack surface."
   }
 }
@@ -0,0 +1,14 @@
+FROM node:19-bullseye
+
+WORKDIR /app
+RUN apt update
+RUN apt install -y git
+
+RUN git clone https://github.com/sullo/nikto
+
+ARG BOEFJE_PATH=./boefjes/plugins/kat_nikto
+COPY $BOEFJE_PATH ./
+
+RUN npm ci
+
+ENTRYPOINT [ "node", "./" ]
@@ -0,0 +1,14 @@
+{
+  "id": "nikto",
+  "name": "Nikto",
+  "description": "Uses Nikto",
+  "consumes": [
+    "IPAddressV4",
+    "IPAddressV6",
+    "Hostname"
+  ],
+  "environment_keys": [],
+  "scan_level": 3,
+  "oci_image": "openkat/nikto",
+  "oci_arguments": []
+}
@@ -0,0 +1,15 @@
+# Nikto
+
+Nikto 2.5 is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
+
+(taken from [CIRT.net](https://cirt.net/Nikto2))
+
+### Input OOIs
+
+Nikto expects an IpAddress or a Hostname OOI.
+
+### Output OOIs
+
+Nikto outputs the following the found outdated software and a finding explaining that the software is outdated.
+
+**Cat name**: Kitty
@@ -0,0 +1,54 @@
+import fs from "node:fs";
+import { execSync } from "node:child_process";
+
+/**
+ * @param {{}} boefje_meta The string input to base64 encode
+ * @returns {(string | string[])[][]}
+ */
+export default function (boefje_meta) {
+  // Depending on what OOI triggered this task, the hostname / address will be in a different location
+  const object_type = boefje_meta.arguments.input.object_type;
+  let ooi = "";
+  if (["IPAddressV4", "IPAddressV6"].includes(object_type))
+    ooi = boefje_meta.arguments.input.address;
+  else if (object_type == "Hostname") ooi = boefje_meta.arguments.input.name;
+  else throw new Error("Unexpected boefje_meta");
+
+  // Running nikto and outputting to a file
+  try {
+    execSync(`./nikto/program/nikto.pl -h ${ooi} -o ./output.json`, {
+      stdio: "inherit",
+    });
+  } catch (e) {
+    console.error(e);
+    throw new Error(
+      "Something went wrong running the nikto command.\n" + e.message,
+    );
+  }
+
+  const raws = [];
+
+  // Reading the file created by nikto
+  try {
+    var file_contents = fs.readFileSync("./output.json").toString();
+    raws.push([["boefje/nikto-output"], file_contents]);
+  } catch (e) {
+    console.error(e.message);
+    throw new Error(
+      "Something went wrong reading the file from the nikto command.\n" +
+        e.message,
+    );
+  }
+
+  // Looking if outdated software has been found
+  try {
+    const data = JSON.parse(file_contents);
+    for (const vulnerability of data["vulnerabilities"])
+      if (vulnerability["id"].startsWith("6"))
+        raws.push([["openkat/finding"], "KAT-OUTDATED-SOFTWARE"]);
+  } catch (e) {
+    console.error(e.message);
+  }
+
+  return raws;
+}
@@ -0,0 +1,38 @@
+import json
+from collections.abc import Iterable
+
+from boefjes.job_models import NormalizerOutput
+from octopoes.models import Reference
+from octopoes.models.ooi.findings import Finding, KATFindingType
+from octopoes.models.ooi.software import Software, SoftwareInstance
+
+
+def scan_outdated_software(data: dict, ooi_ref: Reference) -> Iterable[NormalizerOutput]:
+    for scan in data:
+        for vulnerability in scan["vulnerabilities"]:
+            # If the scanned vulnerability has to do with outdated software
+            if vulnerability["id"].startswith("6"):
+                # Example of `vulnerability["msg"]`
+                # @SOFTWARE/@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER)
+                software_name, found_version = vulnerability["msg"].split()[0].split("/")
+
+                software = Software(name=software_name, version=found_version)
+                software_instance = SoftwareInstance(ooi=ooi_ref, software=software.reference)
+                yield software
+                yield software_instance
+
+                finding_type = KATFindingType(id="KAT-OUTDATED-SOFTWARE")
+                yield finding_type
+                yield Finding(
+                    finding_type=finding_type.reference,
+                    ooi=software_instance.reference,
+                    description=vulnerability["msg"],
+                )
+
+
+def run(input_ooi: dict, raw: bytes) -> Iterable[NormalizerOutput]:
+    data = json.loads(raw)
+
+    ooi_ref = Reference.from_str(input_ooi["primary_key"])
+
+    yield from scan_outdated_software(data, ooi_ref)
@@ -0,0 +1,10 @@
+{
+  "id": "kat_nikto_normalize",
+  "consumes": [
+    "boefje/nikto-output"
+  ],
+  "produces": [
+    "Software",
+    "SoftwareInstance"
+  ]
+}
@@ -0,0 +1,62 @@
+import { execSync } from "node:child_process";
+import run from "./main.js";
+
+/**
+ * @param {string} inp The string input to base64
+ * @returns {string}
+ */
+function b64encode(inp) {
+  return Buffer.from(inp).toString("base64");
+}
+
+function main() {
+  const input_url = process.argv[process.argv.length - 1];
+
+  // Getting the boefje input
+  try {
+    var boefje_input = JSON.parse(
+      execSync(`curl --request GET --url ${input_url} -s`).toString(),
+    );
+  } catch (error) {
+    console.error(`Getting boefje input went wrong with URL: ${input_url}`);
+    throw new Error(error.message);
+  }
+
+  let out = undefined;
+  let output_url = boefje_input.output_url;
+  try {
+    // Getting the raw files
+    const raws = run(boefje_input.boefje_meta);
+    out = {
+      status: "COMPLETED",
+      files: raws.map((x) => ({
+        content: b64encode(x[1]),
+        tags: x[0],
+      })),
+    };
+  } catch (error) {
+    out = {
+      status: "FAILED",
+      files: [
+        {
+          content: b64encode("Boefje caught an error: " + error.message),
+          tags: ["error/boefje"],
+        },
+      ],
+    };
+  }
+
+  // Example command
+  /*
+    curl --request POST \
+      --url http://boefje:8000/api/v0/tasks/7342e8dd-b945-4185-aaec-787205b7b664 \
+      --header 'Content-Type: application/json' \
+      --data '{"status":"COMPLETED","files":[{"content":"BASE_64_ENCODED_CONTENT","tags":[]}]}'
+  */
+  const out_json = JSON.stringify(out);
+  const cmd = `curl --request POST --url ${output_url} --header "Content-Type: application/json" --data '${out_json}'`;
+
+  execSync(cmd);
+}
+
+main();
@@ -0,0 +1,10 @@
+{
+  "name": "kat-nikto",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "oci_adapter.js",
+  "author": "cynalytics",
+  "dependencies": {
+    "@types/node": "^22.1.0"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "title": "Arguments",
+  "type": "object",
+  "properties": {},
+  "required": []
+}
@@ -0,0 +1,23 @@
+[
+  {
+    "host": "example.com",
+    "ip": "178.128.108.228",
+    "port": "80",
+    "banner": "",
+    "vulnerabilities": [
+      {
+        "id": "600575",
+        "method": "HEAD",
+        "url": "/",
+        "msg": "nginx/1.18.0 appears to be outdated (current is at least 1.25.3)."
+      },
+      {
+        "id": "999103",
+        "references": "https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/",
+        "method": "GET",
+        "url": "/",
+        "msg": "The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type."
+      }
+    ]
+  }
+]
@@ -0,0 +1,16 @@
+[
+  {
+    "host": "non-existing.com",
+    "ip": "2.1.3.5",
+    "port": "6667",
+    "banner": "",
+    "vulnerabilities": [
+      {
+        "id": "0",
+        "method": "GET",
+        "url": "/",
+        "msg": "Unable to connect to non-existing.com."
+      }
+    ]
+  }
+]
@@ -0,0 +1,41 @@
+from unittest import TestCase
+
+from boefjes.plugins.kat_nikto.normalize import run
+from octopoes.models import Reference
+from octopoes.models.ooi.findings import KATFindingType
+from octopoes.models.ooi.software import Software, SoftwareInstance
+from octopoes.models.types import Finding
+from tests.loading import get_dummy_data
+
+
+class CVETest(TestCase):
+    def test_outdated_found(self):
+        input_ooi = {"primary_key": "Hostname|internet|example.com"}
+        ooi_ref = Reference.from_str(input_ooi["primary_key"])
+
+        oois = list(run(input_ooi, get_dummy_data("raw/nikto-example.com.json")))
+
+        software = Software(name="nginx", version="1.18.0")
+        finding_type = KATFindingType(id="KAT-OUTDATED-SOFTWARE")
+        software_instance = SoftwareInstance(ooi=ooi_ref, software=software.reference)
+        finding = Finding(
+            finding_type=finding_type.reference,
+            ooi=software_instance.reference,
+            description="nginx/1.18.0 appears to be outdated (current is at least 1.25.3).",
+        )
+
+        expected = [
+            software,
+            software_instance,
+            finding_type,
+            finding,
+        ]
+
+        self.assertEqual(expected, oois)
+
+    def test_nothing_found(self):
+        input_ooi = {"primary_key": "Hostname|internet|non-existing.com"}
+
+        oois = list(run(input_ooi, get_dummy_data("raw/nikto-non-existing.com.json")))
+
+        self.assertEqual([], oois)