Merge pull request #660 from m-1-k-3/restart_emulation

JNAP unauth check

modules/L10_system_emulation.sh

@@ -1503,9 +1503,9 @@ iterate_vlans() {
 
     # check this later
     # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth0" "$VLAN_ID" "$NETWORK_MODE"
-    # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth0" "NONE" "$NETWORK_MODE"
+    # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth0" "0" "$NETWORK_MODE"
     # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth1" "$VLAN_ID" "$NETWORK_MODE"
-    # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth1" "NONE" "$NETWORK_MODE"
+    # store_interface_details "$IP_ADDRESS_" "$NETWORK_DEVICE" "eth1" "0" "$NETWORK_MODE"
 
     # if we have entries without an interface name, we need to identify an interface name:
     # register_vlan_dev[PID: 212 (vconfig)]: dev:vlan1 vlan_id:1

modules/L22_upnp_hnap_checks.sh

@@ -41,6 +41,7 @@ L22_upnp_hnap_checks() {
       if [[ -v HOSTNETDEV_ARR ]]; then
         check_basic_upnp "${HOSTNETDEV_ARR[@]}"
         check_basic_hnap_jnap
+        [[ "$JNAP_UP" -gt 0 ]] && check_jnap_access
       else
         print_output "[!] No network interface found"
       fi
@@ -161,6 +162,56 @@ check_basic_hnap_jnap() {
   fi
 
   print_ln
-  print_output "[*] HNAP basic enumeration finished"
+  print_output "[*] HNAP/JNAP basic enumeration finished"
 }
 
+check_jnap_access() {
+  sub_module_title "JNAP enumeration for unauthenticated JNAP endpoints"
+  local JNAP_ENDPOINTS=()
+  local SYSINFO_CGI_ARR=()
+  local SYSINFO_CGI=""
+  local JNAP_EPT=""
+
+  mapfile -t JNAP_ENDPOINTS < <(find "$LOG_DIR"/firmware -type f -exec grep "\[.*/jnap/.*\]\ =" {} \; | cut -d\' -f2 | sort -u 2>/dev/null || true)
+
+  # Todo: PORT!!!
+  local PORT=80
+
+  # https://korelogic.com/Resources/Advisories/KL-001-2015-006.txt
+  mapfile -t SYSINFO_CGI_ARR < <(find "$LOG_DIR"/firmware -type f -name "sysinfo.cgi" -o -name "getstinfo.cgi"| sort -u 2>/dev/null || true)
+
+  for SYSINFO_CGI in "${SYSINFO_CGI_ARR[@]}"; do
+    print_output "[*] Testing for sysinfo.cgi" "no_log"
+    curl -v -L --max-redir 0 -f -m 5 -s -X GET http://"${IP_ADDRESS_}":"${PORT}"/"${SYSINFO_CGI}" > "${LOG_PATH_MODULE}"/JNAP_"${SYSINFO_CGI}".log || true
+
+    if grep -q "wl0_ssid=\|wl1_ssid=\|wl0_passphrase=\|wl1_passphrase=\|wps_pin=\|default_passphrase=" "${LOG_PATH_MODULE}"/JNAP_"${SYSINFO_CGI}".log; then
+      print_output "[+] Found sensitive information in sysinfo.cgi - see https://korelogic.com/Resources/Advisories/KL-001-2015-006.txt:"
+      grep "wl0_ssid=\|wl1_ssid=\|wl0_passphrase=\|wl1_passphrase=\|wps_pin=\|default_passphrase=" "${LOG_PATH_MODULE}"/JNAP_"${SYSINFO_CGI}".log | tee -a "$LOG_FILE"
+    fi
+  done
+
+  for JNAP_EPT in "${JNAP_ENDPOINTS[@]}"; do
+    print_output "[*] Testing JNAP action: ${ORANGE}${JNAP_EPT}${NC}" "no_log"
+    JNAP_EPT_NAME="$(echo "${JNAP_EPT}" | rev | cut -d '/' -f1 | rev)"
+    JNAP_ACTION="X-JNAP-Action: ${JNAP_EPT}"
+    DATA="{}"
+    curl -v -L --max-redir 0 -f -m 5 -s -X POST -H "${JNAP_ACTION}" -d "${DATA}" http://"${IP_ADDRESS_}":"${PORT}"/JNAP/ > "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log || true
+
+    if [[ -s "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log ]]; then
+      if grep -q "_ErrorUnauthorized" "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log; then
+        print_output "[-] Authentication needed for ${ORANGE}${JNAP_EPT}${NC}" "no_log"
+        [[ -f "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log ]] && rm "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log
+      fi
+      if [[ -f "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log ]] && grep -q "_ErrorInvalidInput" "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log; then
+        print_output "[-] Invalid request detected for ${ORANGE}${JNAP_EPT}${NC}" "no_log"
+        [[ -f "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log ]] && rm "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log
+      fi
+    else
+      rm "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log
+    fi
+
+    if [[ -f "${LOG_PATH_MODULE}"/JNAP_"${JNAP_EPT_NAME}".log ]]; then
+      print_output "[+] Unauthenticated JNAP endpoint detected - ${ORANGE}${JNAP_EPT_NAME}${NC}" "" "${LOG_PATH_MODULE}/JNAP_${JNAP_EPT_NAME}.log"
+    fi
+  done
+}

modules/L25_web_checks.sh

@@ -323,7 +323,9 @@ web_access_crawler() {
 
   if [[ -f "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" ]]; then
     grep -A1 Testing "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" | grep -i -B1 "200 OK" | grep Testing | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" | sed "s/.*$IP_:$PORT//" | sort -u >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_-200ok.log" || true
+    grep -A1 Testing "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log" | grep -i -B1 "401 Unauth" | grep Testing | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" | sed "s/.*$IP_:$PORT//" | sort -u >> "$LOG_PATH_MODULE/crawling_$IP_-$PORT_-401Unauth.log" || true
     CRAWL_RESP_200=$(wc -l "$LOG_PATH_MODULE/crawling_$IP_-$PORT_-200ok.log" | awk '{print $1}')
+    CRAWL_RESP_401=$(wc -l "$LOG_PATH_MODULE/crawling_$IP_-$PORT_-401Unauth.log" | awk '{print $1}')
 
     # Colorizing the log file:
     sed -i -r "s/.*HTTP\/.*\ 200\ .*/\x1b[32m&\x1b[0m/" "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
@@ -332,6 +334,9 @@ web_access_crawler() {
     if [[ "$CRAWL_RESP_200" -gt 0 ]]; then
       print_output "[+] Found $ORANGE$CRAWL_RESP_200$GREEN valid responses - please check the log for further details" "" "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
     fi
+    if [[ "$CRAWL_RESP_401" -gt 0 ]]; then
+      print_output "[+] Found $ORANGE$CRAWL_RESP_401$GREEN unauthorized responses - please check the log for further details" "" "$LOG_PATH_MODULE/crawling_$IP_-$PORT_.log"
+    fi
 
     if [[ -f "$LOG_PATH_MODULE/crawling_$IP_-$PORT_-200ok.log" ]] && [[ -f "$LOG_DIR"/s22_php_check/semgrep_php_results_xml.log ]]; then
       while read -r WEB_PATH; do