minvws · Souf149 · Jul 31, 2024 · Aug 7, 2024 · Aug 13, 2024 · Aug 19, 2024
@@ -40,6 +40,7 @@ images:  # Build the images for the containerized boefjes
 	# docker build -f images/base.Dockerfile -t ghcr.io/minvws/openkat/dns-records --build-arg BOEFJE_PATH=./boefjes/plugins/kat_dns .
 	docker build -f ./boefjes/plugins/kat_dnssec/boefje.Dockerfile -t ghcr.io/minvws/openkat/dns-sec:latest .
 	docker build -f ./boefjes/plugins/kat_nmap_tcp/boefje.Dockerfile -t ghcr.io/minvws/openkat/nmap:latest  .
+	docker build -f ./boefjes/plugins/kat_nikto/boefje.Dockerfile -t openkat/nikto .
 	docker build -f ./boefjes/plugins/kat_export_http/boefje.Dockerfile -t ghcr.io/minvws/openkat/export-http:latest .
 
 

@@ -516,5 +516,11 @@
     "source": "Check the nameservers of the host or iprange manually.",
     "impact": "No resolving can be done for this IP or host. This might cause problems for mailservers or slow down connections.",
     "recommendation": "Verify that the listed nameservers are reachable and have valid hostnames."
+  },
+  "KAT-OUTDATED-SOFTWARE": {
+    "description": "A newer version of existing software has been found.",
+    "risk": "recommendation",
+    "impact": "Depending on what software is outdated this can be critical.",
+    "recommendation": "Inspect the software version, determine if additional measures need to be taken and install updates to reduce the attack surface."
   }
 }
@@ -0,0 +1,13 @@
+FROM perl:5.40
+
+WORKDIR /app
+RUN apt update
+RUN apt install -y git
+RUN apt install -y nodejs
+
+RUN git clone https://github.com/sullo/nikto
+
+ARG BOEFJE_PATH=./boefjes/plugins/kat_nikto
+COPY $BOEFJE_PATH ./
+
+ENTRYPOINT [ "node", "./" ]
@@ -0,0 +1,15 @@
+{
+  "id": "nikto",
+  "name": "Nikto",
+  "description": "Uses Nikto",
+  "consumes": [
+    "HostnameHTTPURL"
+  ],
+  "environment_keys": [
+    "HTTP_PROXY",
+    "USERAGENT"
+  ],
+  "scan_level": 3,
+  "oci_image": "openkat/nikto",
+  "oci_arguments": []
+}
@@ -0,0 +1,16 @@
+# Nikto
+
+Nikto 2.5 is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
+(taken from [CIRT.net](https://cirt.net/Nikto2))
+
+This boefje has been developed by Soufyan Abdellati from Cynalytics, with help from Edward Hasekamp from IP-Zorg. ♥
+
+### Input OOIs
+
+Nikto expects an HostnameHTTPURL OOI.
+
+### Output OOIs
+
+This boefje outputs found outdated software and findings about the HostnameHTTPURL.
+
+**Cat name**: Kitty
@@ -0,0 +1,99 @@
+import fs from "node:fs";
+import { execSync } from "node:child_process";
+
+/**
+ * @param {string} scheme
+ * @returns {string}
+ */
+function get_config_content(scheme) {
+  const IS_USING_PROXY = !!process.env.HTTP_PROXY;
+
+  // Setup config file
+  try {
+    let config_contents =
+      "PROMPTS=no\nUPDATES=no\nCLIOPTS=-404code=301,302,307,308 -o ./output.json";
+
+    if (scheme == "https") config_contents += " -ssl";
+    if (IS_USING_PROXY) config_contents += " -useproxy";
+    config_contents += "\n";
+
+    if (IS_USING_PROXY) {
+      const PROXY = new URL(process.env.HTTP_PROXY);
+      const PROXY_HOST = PROXY.hostname;
+      const PROXY_PORT = PROXY.port || "8080";
+      const PROXY_USER = PROXY.username || "";
+      const PROXY_PASS = PROXY.password || "";
+
+      config_contents += `PROXYHOST=${PROXY_HOST}\n`;
+      config_contents += `PROXYPORT=${PROXY_PORT}\n`;
+      config_contents += `PROXYUSER=${PROXY_USER}\n`;
+      config_contents += `PROXYPASS=${PROXY_PASS}\n`;
+    }
+
+    if (process.env.USERAGENT)
+      config_contents += `USERAGENT=${process.env.USERAGENT}\n`;
+
+    return config_contents;
+  } catch (e) {
+    throw new Error("Something went wrong writing to the config file.\n" + e);
+  }
+}
+
+/**
+ * @param {Object} boefje_meta Information about the task
+ * @param {Object} boefje_meta.arguments
+ * @param {Object} boefje_meta.arguments.input
+ * @param {string} boefje_meta.arguments.input.object_type
+ * @param {"http" | "https"} boefje_meta.arguments.input.scheme
+ * @param {number} boefje_meta.arguments.input.port
+ * @param {Object} boefje_meta.arguments.input.netloc
+ * @param {string} boefje_meta.arguments.input.netloc.name
+ * @returns {(string | string[])[][]}
+ */
+export default function (boefje_meta) {
+  // Depending on what OOI triggered this task, the hostname / address will be in a different location
+  const hostname = boefje_meta.arguments.input.netloc.name;
+
+  const config_contents = get_config_content(
+    boefje_meta.arguments.input.scheme,
+  );
+  fs.writeFileSync("./nikto.conf", config_contents);
+
+  // Running nikto and outputting to a file
+  try {
+    execSync(`./nikto/program/nikto.pl -h ${hostname} -config ./nikto.conf`, {
+      stdio: "inherit",
+    });
+  } catch (e) {
+    throw new Error(
+      "Something went wrong running the nikto command.\n" +
+        e +
+        "\n" +
+        config_contents,
+    );
+  }
+
+  const raws = [];
+
+  // Reading the file created by nikto
+  try {
+    var file_contents = fs.readFileSync("./output.json").toString();
+    raws.push([["boefje/nikto-output"], file_contents]);
+  } catch (e) {
+    throw new Error(
+      "Something went wrong reading the file from the nikto command.\n" + e,
+    );
+  }
+
+  // Looking if outdated software has been found
+  try {
+    const data = JSON.parse(file_contents);
+    for (const vulnerability of data["vulnerabilities"])
+      if (vulnerability["id"].startsWith("6"))
+        raws.push([["openkat/finding"], "KAT-OUTDATED-SOFTWARE"]);
+  } catch (e) {
+    console.error(e);
+  }
+
+  return raws;
+}
@@ -0,0 +1,64 @@
+import json
+from collections.abc import Iterable
+from typing import Any
+
+from boefjes.job_models import NormalizerOutput
+from octopoes.models import Reference
+from octopoes.models.ooi.findings import Finding, KATFindingType
+from octopoes.models.ooi.software import Software, SoftwareInstance
+
+MISSING_HEADER_TO_KAT_FINDING_TYPE = {
+    "strict-transport-security": "KAT-HSTS-VULNERABILITIES",
+    "x-content-type-options": "KAT-NO-X-CONTENT-TYPE-OPTIONS",
+    "content-security-policy": "KAT-CSP-VULNERABILITIES",
+    "referrer-policy": "KAT-NO-REFERRER-POLICY",
+    "permissions-policy": "KAT-NO-PERMISSIONS-POLICY",
+}
+
+
+def scan_nikto_output(data: list[dict[str, Any]], ooi_ref: Reference) -> Iterable[NormalizerOutput]:
+    for scan in data:
+        for vulnerability in scan["vulnerabilities"]:
+            vulnerability_id: str = vulnerability["id"]
+
+            # If the scanned vulnerability has to do with outdated software
+            if vulnerability_id.startswith("6"):
+                # Example of `vulnerability["msg"]`
+                # @SOFTWARE/@RUNNING_VER appears to be outdated (current is at least @CURRENT_VER)
+                software_name, found_version = vulnerability["msg"].split()[0].split("/")
+
+                software = Software(name=software_name, version=found_version)
+                software_instance = SoftwareInstance(ooi=ooi_ref, software=software.reference)
+                yield software
+                yield software_instance
+
+                finding_type = KATFindingType(id="KAT-OUTDATED-SOFTWARE")
+                yield finding_type
+                yield Finding(
+                    finding_type=finding_type.reference,
+                    ooi=software_instance.reference,
+                    description=vulnerability["msg"],
+                )
+
+            # If the scanned vulnerability has to do with security headers missing
+            elif vulnerability_id == "013587":
+                missing_header = vulnerability["msg"].split()[-1].strip(".")
+
+                kat_finding_type_id = MISSING_HEADER_TO_KAT_FINDING_TYPE.get(missing_header)
+                if kat_finding_type_id is None:
+                    kat_finding_type_id = "KAT-MISSING-HEADER"
+                finding_type = KATFindingType(id=kat_finding_type_id)
+                yield finding_type
+                yield Finding(finding_type=finding_type.reference, ooi=ooi_ref, description=vulnerability["msg"])
+            # if the site uses TLS and the Strict-Transport-Security HTTP header is not defined
+            elif vulnerability_id == "999970":
+                finding_type = KATFindingType(id="KAT-HSTS-VULNERABILITIES")
+                yield Finding(finding_type=finding_type.reference, ooi=ooi_ref, description=vulnerability["msg"])
+
+
+def run(input_ooi: dict, raw: bytes) -> Iterable[NormalizerOutput]:
+    data = json.loads(raw)
+
+    ooi_ref = Reference.from_str(input_ooi["primary_key"])
+
+    yield from scan_nikto_output(data, ooi_ref)
@@ -0,0 +1,13 @@
+{
+  "id": "kat_nikto_normalize",
+  "name": "Nikto",
+  "consumes": [
+    "boefje/nikto-output"
+  ],
+  "produces": [
+    "Software",
+    "SoftwareInstance",
+    "Finding",
+    "KATFindingType"
+  ]
+}
@@ -0,0 +1,64 @@
+import { execSync } from "node:child_process";
+import run from "./main.js";
+
+/**
+ * @param {string} inp The string input to base64
+ * @returns {string}
+ */
+function b64encode(inp) {
+  return Buffer.from(inp).toString("base64");
+}
+
+function main() {
+  const input_url = process.argv[process.argv.length - 1];
+
+  // Getting the boefje input
+  try {
+    var boefje_input = JSON.parse(
+      execSync(`curl --request GET --url ${input_url}`).toString(),
+    );
+  } catch (error) {
+    console.error(`Getting boefje input went wrong with URL: ${input_url}`);
+    throw new Error(error);
+  }
+
+  Object.assign(process.env, boefje_input["boefje_meta"]["environment"]);
+
+  let out = undefined;
+  let output_url = boefje_input.output_url;
+  try {
+    // Getting the raw files
+    const raws = run(boefje_input.boefje_meta);
+    out = {
+      status: "COMPLETED",
+      files: raws.map((x) => ({
+        content: b64encode(x[1]),
+        tags: x[0],
+      })),
+    };
+  } catch (error) {
+    out = {
+      status: "FAILED",
+      files: [
+        {
+          content: b64encode("Boefje caught an error: " + error.message),
+          tags: ["error/boefje"],
+        },
+      ],
+    };
+  }
+
+  // Example command
+  /*
+    curl --request POST \
+      --url http://boefje:8000/api/v0/tasks/7342e8dd-b945-4185-aaec-787205b7b664 \
+      --header 'Content-Type: application/json' \
+      --data '{"status":"COMPLETED","files":[{"content":"BASE_64_ENCODED_CONTENT","tags":[]}]}'
+  */
+  const out_json = JSON.stringify(out);
+  const cmd = `curl --request POST --url ${output_url} --header "Content-Type: application/json" --data '${out_json}'`;
+
+  execSync(cmd);
+}
+
+main();
@@ -0,0 +1,10 @@
+{
+  "name": "kat-nikto",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "oci_adapter.js",
+  "author": "cynalytics",
+  "dependencies": {
+    "@types/node": "^22.1.0"
+  }
+}
@@ -0,0 +1,18 @@
+{
+  "title": "Arguments",
+  "type": "object",
+  "properties": {
+    "HTTP_PROXY": {
+      "title": "HTTP_PROXY",
+      "maxLength": 512,
+      "type": "string",
+      "description": "The full URL for the proxy.\nE.g. \"http://user:[email protected]:8080/\""
+    },
+    "USERAGENT": {
+      "title": "USERAGENT",
+      "maxLength": 256,
+      "type": "string"
+    }
+  },
+  "required": []
+}