Merge branch 'master' into hp_printer_jarm

rapid7 · Jan 26, 2022 · aaf05ce · aaf05ce
2 parents a0be88a + 858b900
commit aaf05ce
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 2 deletions.
diff --git a/.vscode/bin/monitor-recog-fingerprints.sh b/.vscode/bin/monitor-recog-fingerprints.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]
+then
+    echo "Usage: $(basename $0) <xml fingerprint directory>"
+    exit 1
+fi
+
+if [ ! -d "$1" ]
+then
+    echo "The XML fingerprint file directory must be supplied."
+    exit 1
+fi
+
+bin/recog_verify "$1/*.xml"
+
+if ! type fswatch &>/dev/null;
+then 
+    echo "'fswatch' is required to monitor fingerprint files for changes and update the editor."
+    echo "See: https://emcrisostomo.github.io/fswatch/ or install with:"
+    echo " MacOS Homebrew: brew install fswatch"
+    echo " Ubuntu/Debian:  apt install fswatch"
+    echo
+    echo "Otherwise, you can re-run this task using the Visual Studio Code command palette"
+    exit 1
+fi
+
+echo "Waiting for changes..."
+fswatch -0 $1 | while read -d "" event; do {
+    echo "Changes detected, validating: ${event}"
+    # TODO: VSCode doesn't support individual/incremental updates to files yet.
+    bin/recog_verify "$1/*.xml"
+    echo "Waiting for changes..."
+}; done
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -0,0 +1,73 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Recog Verify - Background Monitor",
+            "command": ".vscode/bin/monitor-recog-fingerprints.sh",
+            "args": [
+                "${workspaceFolder}/xml"
+            ],
+            "windows": {
+                "command": ""
+            },
+            "type": "process",
+            "isBackground": true,
+            "problemMatcher": {
+                "owner": "recog",
+                "fileLocation": [
+                    "absolute"
+                ],
+                "pattern": {
+                    "regexp": "^(.*):(\\d+):\\s+(WARN|FAIL):\\s+(.*)$",
+                    "file": 1,
+                    "severity": 3,
+                    "message": 4,
+                    "location": 2
+                },
+                "background": {
+                    "activeOnStart": true,
+                    "beginsPattern": "^Changes detected",
+                    "endsPattern": "^Waiting for changes"
+                },
+            },
+            "presentation": {
+                "reveal": "always",
+                "revealProblems": "onProblem"
+            },
+            "runOptions": {
+                "runOn": "folderOpen"
+            }
+        },
+        {
+            "label": "Recog Verify",
+            "command": "bin/recog_verify",
+            "args": [
+                "${workspaceFolder}/xml/*.xml"
+            ],
+            "windows": {
+                "command": ""
+            },
+            "type": "process",
+            "problemMatcher": {
+                "owner": "recog",
+                "fileLocation": [
+                    "absolute"
+                ],
+                "pattern": {
+                    "regexp": "^(.*):(\\d+):\\s+(WARN|FAIL):\\s+(.*)$",
+                    "file": 1,
+                    "severity": 3,
+                    "message": 4,
+                    "location": 2
+                }
+            },
+            "presentation": {
+                "reveal": "always",
+                "revealProblems": "onProblem"
+            },
+            "runOptions": {
+                "runOn": "folderOpen"
+            }
+        }
+    ]
+}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -141,6 +141,8 @@ $ echo 'OpenSSH_6.6p1 Ubuntu-2ubuntu1' | bin/recog_match xml/ssh_banners.xml -
 MATCH: {"matched"=>"OpenSSH running on Ubuntu 14.04", "service.version"=>"6.6p1", "openssh.comment"=>"Ubuntu-2ubuntu1", "service.vendor"=>"OpenBSD", "service.family"=>"OpenSSH", "service.product"=>"OpenSSH", "os.vendor"=>"Ubuntu", "os.device"=>"General", "os.family"=>"Linux", "os.product"=>"Linux", "os.version"=>"14.04", "service.protocol"=>"ssh", "fingerprint_db"=>"ssh.banner", "data"=>"OpenSSH_6.6p1 Ubuntu-2ubuntu1"}
 ```
 
+Additionally, in Visual Studio Code, there is a task (.vscode/tasks.json) which will automatically run recog_verify in the background to watch all the XML fingerprint files (under the xml/ subdirectory of this repository). Additionally, if [fswatch](https://github.com/emcrisostomo/fswatch) is installed, whenever XML fingerprint files are added or modified this task will automatically update the Visual Studio Code user interface and highlight any errors or warnings discovered through recog_verify on the correct file/line. You can also manually run the task by bringing up the Visual Studio Code command menu (cmd + shift + P on mac, or ctrl + shift + P for linux/windows) -> Tasks: Run Task -> Recog Verify). Note that in order for the task to run successfully, you must have a valid ruby installed on your PATH with the gems from `bundle install` installed using bundler for that ruby engine. JRuby is not supported as it has issues related to line numbering due to a bug in Nokogiri.
+
 [^back to top](#contributing-to-recog)
 
 

diff --git a/xml/tls_jarm.xml b/xml/tls_jarm.xml
@@ -56,9 +56,10 @@
     <param pos="0" name="os.device" value="Router"/>
   </fingerprint>
 
-  <fingerprint pattern="^07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d$">
+  <fingerprint pattern="^07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d|07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823$">
     <description>Metasploit listener</description>
     <example>07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d</example>
+    <example>07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823</example>
     <param pos="0" name="service.vendor" value="Rapid7"/>
     <param pos="0" name="service.product" value="Metasploit"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:rapid7:metasploit:-"/>
@@ -67,9 +68,10 @@
   <!-- This fingerprint matches Java's TLS stack,
     see https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/ for details -->
 
-  <fingerprint pattern="^07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1$">
+  <fingerprint pattern="^07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1|07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2$">
     <description>Cobalt Strike listener</description>
     <example>07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1</example>
+    <example>07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2</example>
     <param pos="0" name="service.vendor" value="Strategic Cyber LLC"/>
     <param pos="0" name="service.product" value="Cobalt Strike Listener"/>
     <param pos="0" name="service.certainty" value="0.3"/>
-Original file line number
+Diff line change
@@ Expand Up @@
     MATCH: {"matched"=>"OpenSSH running on Ubuntu 14.04", "service.version"=>"6.6p1", "openssh.comment"=>"Ubuntu-2ubuntu1", "service.vendor"=>"OpenBSD", "service.family"=>"OpenSSH", "service.product"=>"OpenSSH", "os.vendor"=>"Ubuntu", "os.device"=>"General", "os.family"=>"Linux", "os.product"=>"Linux", "os.version"=>"14.04", "service.protocol"=>"ssh", "fingerprint_db"=>"ssh.banner", "data"=>"OpenSSH_6.6p1 Ubuntu-2ubuntu1"}
     ```
+    Additionally, in Visual Studio Code, there is a task (.vscode/tasks.json) which will automatically run recog_verify in the background to watch all the XML fingerprint files (under the xml/ subdirectory of this repository). Additionally, if [fswatch](https://github.com/emcrisostomo/fswatch) is installed, whenever XML fingerprint files are added or modified this task will automatically update the Visual Studio Code user interface and highlight any errors or warnings discovered through recog_verify on the correct file/line. You can also manually run the task by bringing up the Visual Studio Code command menu (cmd + shift + P on mac, or ctrl + shift + P for linux/windows) -> Tasks: Run Task -> Recog Verify). Note that in order for the task to run successfully, you must have a valid ruby installed on your PATH with the gems from `bundle install` installed using bundler for that ruby engine. JRuby is not supported as it has issues related to line numbering due to a bug in Nokogiri.
     [^back to top](#contributing-to-recog)
@@ Expand Down @@