Added nmap with basic (-sV) configuration.

Squashed commit of the following:

commit 075aba1389b0afc9e117f40a930e0ee2b873983c
Author: Anže Žitnik <anze.zitnik@xlab.si>
Date:   Sat Mar 14 23:07:48 2020 +0100

    CI fix

commit 34a4087477d3d8b9d1b9cc7f2aaa3b08365303b1
Author: Anže Žitnik <anze.zitnik@xlab.si>
Date:   Sat Mar 14 23:01:52 2020 +0100

    CI fix

commit b61354066af06888e22c60f36fd1c2c384f3adff
Author: Anže Žitnik <anze.zitnik@xlab.si>
Date:   Sat Mar 14 22:55:01 2020 +0100

    Updated README

commit 69898a19399d762a8662b16bb9be74c0b421b11e
Author: Anže Žitnik <anze.zitnik@xlab.si>
Date:   Sat Mar 14 22:46:06 2020 +0100

    Adding nmap

.gitignore

 **.swp
 wiser-wcs-reports/.idea/*
 wiser-wcs-reports/env/*
-wiser-wcs-reports/example_nmap_output/*
 wiser-wcs-reports/__pycache__/*
+wiser-wcs-reports/example_output/*
 

.gitlab-ci.yml

@@ -18,15 +18,18 @@ test:
     script:
     - docker network create test-genscan
     - docker run --rm -d --network=test-genscan --name dvwa vulnerables/web-dvwa
-    - cp "${CI_PROJECT_DIR}/config-example.json" /tmp
-    - docker run --rm --network=test-genscan -e TARGET="http://dvwa/" -v /tmp/:/root/out registry-gitlab.xlab.si/cyberwiser/$SERVICE:$VERSION
-    - cat /tmp/cscan-log.txt
-    - grep -q "W3af" /tmp/genscan-out.json
-    - grep -q "OWASP ZAP" /tmp/genscan-out.json
+    - cp "${CI_PROJECT_DIR}/config-example.json" /tmp/
+    - mkdir /tmp/out
+    - docker run --rm --network=test-genscan -v /tmp/config-example.json:/root/config.json -v /tmp/out:/root/out registry-gitlab.xlab.si/cyberwiser/$SERVICE:$VERSION
+    - cat /tmp/out/cscan-log.txt
+    - grep -q "W3af" /tmp/out/genscan-out.json
+    - grep -q "OWASP ZAP" /tmp/out/genscan-out.json
+    - grep -q "nmap" /tmp/out/genscan-out.json
     after_script:
     - docker kill dvwa || docker network rm test-genscan
     - docker network rm test-genscan
-    - rm /tmp/genscan-out.json
+    - rm /tmp/genscan-out.json || true
+    - rm -rf /tmp/out
 
 push:
     stage: push

Dockerfile

@@ -18,6 +18,8 @@ COPY wiser-wcs-reports /service/wiser-wcs-reports/
 COPY install/wiser-wcs.sh /tmp/install/
 RUN chmod +x /tmp/install/wiser-wcs.sh && /tmp/install/wiser-wcs.sh
 
+RUN apt install -y nmap
+
 COPY install/cleanup.sh /tmp/install/
 RUN chmod +x /tmp/install/cleanup.sh && /tmp/install/cleanup.sh
 

MANIFEST

-VERSION=v1.3.4
+VERSION=v1.4.0
 SERVICE=vat-genscan
 

Makefile

@@ -21,6 +21,7 @@ test:
 	docker network rm test-genscan
 	grep -q "W3af" $(TEST_DIR)genscan-out.json
 	grep -q "OWASP ZAP" $(TEST_DIR)genscan-out.json
+	grep -q "nmap" $(TEST_DIR)genscan-out.json
 
 start:
 ifdef OUTPUT_DIR

README.md

@@ -20,6 +20,8 @@ Supported scanners and their profiles:
 	* `fast_scan`: no parameters
 * `zap`
 	* `basic`: no parameters
+* `nmap`
+	* `basic_discovery`: no parameters
 
 Example JSON config file:
 
@@ -35,6 +37,9 @@ Example JSON config file:
         },
         "zap": {
             "profile": "basic"
+        },
+        "nmap": {
+            "profile": "basic_discovery"
         }
     }
 }
@@ -42,8 +47,6 @@ Example JSON config file:
 
 ### TODOs and FIXMEs:
 
-* use latest w3af and zap (now fetching static, old commits)
-* use cscan from Faraday repo (newer?)
 * include some configuration options (at least authenticated scans for w3af)
 
 

config-example.json

 {
     "target": {
-        "url": "http://dvwa/"
+        "url": "http://dvwa/",
+        "ip": "dvwa"
     },
     "config": {
         "w3af": {
@@ -8,6 +9,9 @@
         },
         "zap": {
             "profile": "basic"
+        },
+        "nmap": {
+            "profile": "basic_discovery"
         }
     }
 }

configure.py

@@ -6,6 +6,7 @@ import configparser
 Supported scanners:
     - w3af
     - zap
+    - nmap
 '''
 
 
@@ -49,6 +50,13 @@ def configure():
             if profile != "basic":
                 raise UnsupportedProfileException()
             cs_scripts.append("zap.sh")
+        elif scanner == "nmap":
+            cscan_config["NMAP"] = {"CS_NMAP": "nmap"}
+            if profile == "basic_discovery":
+                cscan_config["NMAP"]["CS_NMAP_ARGS"] = "-sV"
+            else:
+                raise UnsupportedProfileException()
+            cs_scripts.append("nmap.sh")
         else:
             raise UnsupportedScannerException()
     

wiser-wcs-reports/main.py

@@ -6,6 +6,7 @@ import configparser
 import json
 import w3af
 import zap
+import nmap
 
 
 class Options(object):
@@ -55,6 +56,8 @@ def list_vulnerabilities(reports):
 			vulnerabilities.extend(zap.WiserZapReport(report_dict['OWASPZAPReport']).get_report())
 		if "w3af-run" in report_dict:
 			vulnerabilities.extend(w3af.WiserW3afReport(report_dict['w3af-run']).get_report())
+		if "nmaprun" in report_dict:
+			vulnerabilities.extend(nmap.WiserNmapReport(report_dict['nmaprun']).get_report())
 	return vulnerabilities
 
 if __name__ == "__main__":

wiser-wcs-reports/nmap.py

+from wiser import WiserReport, WiserVulnerability
+from collections import OrderedDict
+import re
+
+
+def _safe_get(ordered_dict, key):
+	try:
+		return ordered_dict[key]
+	except KeyError:
+		return ""
+
+
+class WiserNmapVulnerability(WiserVulnerability):
+
+	def __init__(self):
+		super().__init__()
+		self.risk_level = "Information"
+		self.source_pentest = "nmap"
+		self.w_risk_level = 1
+
+	@staticmethod
+	def from_port_report(report_port, address):
+		vuln = WiserNmapVulnerability()
+		vuln.short_desc = "Port %d on host %s is %s." % (report_port['@portid'],
+		                                                address,
+		                                                report_port['state']['@state'])
+		vuln.desc = ''
+		if 'service' in report_port:
+			vuln.desc = "Host %s is likely running the following service on port %d %s: " \
+			            "%s %s %s (%s) (%s) " \
+			            % (address, report_port['@portid'], report_port['@protocol'],
+			               _safe_get(report_port['service'], '@name'), _safe_get(report_port['service'], '@product'),
+			               _safe_get(report_port['service'], '@version'), _safe_get(report_port['service'], '@extrainfo'),
+			               _safe_get(report_port['service'], '@ostype'))
+		vuln.desc = re.sub('\\(\\)', '', vuln.desc).strip()
+		return vuln
+
+	@staticmethod
+	def from_host(address, state):
+		vuln = WiserNmapVulnerability()
+		vuln.short_desc = "Host %s appears to be %s." % (address, state)
+		return vuln
+
+
+class WiserNmapReport(WiserReport):
+
+	def __init__(self, report):
+		super().__init__()
+		self.parse_report(report)
+
+	def parse_report(self, report_dict):
+		if isinstance(report_dict['host'], OrderedDict):
+			self.parse_host(report_dict['host'])
+		else:
+			for i in report_dict['host']:
+				self.parse_host(i)
+
+	def parse_host(self, report_host):
+		address = ''
+		if isinstance(report_host['address'], OrderedDict):
+			address = report_host['address']['@addr']
+		else:
+			for i in report_host['address']:
+				if i['@addrtype'] == 'ipv4':
+					address = i['@addr']
+					break
+
+		if 'port' in report_host['ports']:
+			if isinstance(report_host['ports']['port'], OrderedDict):
+				self.report.append(WiserNmapVulnerability.from_port_report(report_host['ports']['port'], address))
+			else:
+				for i in report_host['ports']['port']:
+					self.report.append(WiserNmapVulnerability.from_port_report(i, address))
+		else:
+			self.report.append(WiserNmapVulnerability.from_host(address, report_host['status']['@state']))

wiser-wcs-reports/wiser.py

@@ -32,12 +32,6 @@ class WiserVulnerability(IterMixin):
 	def __init__(self):
 		pass
 
-	def parse_from_alert(self, alert_dict, type):
-		pass
-
-	def parse_report(self, report_dict):
-		pass
-
 	"""
 	Sets WISER risk level to the Vulnerability.
 	"""