Lair Drone for Bizsploit (rough hacky storage until I create a proper repo)
#!/usr/bin/env python
# Copyright (c) 2013 Glenn 'devalias' Grant
import os
import sys
##############
# /dev/alias Import path hack for ./drone-bizsploit
##############
import pprint
# Resolve the parent of this script's directory (following symlinks via
# realpath) and make it the *first* import search location, so the sibling
# ``lairdrone`` package is found. Because the entry sits at index 0 it is
# searched before the standard library: any module file dropped into that
# directory would shadow a stdlib module of the same name.
mypath = os.path.abspath(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..'))
sys.path.insert(0, mypath)
print("Mypath: %s" % mypath)

# The same parent directory, this time computed without resolving symlinks,
# is additionally appended to the end of the search path.
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from optparse import OptionParser
from lairdrone import api
from lairdrone import bizsploit
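def main():
    """
    Entry point: import a Bizsploit console output file into Lair.

    Accepts either ``<project_id> <file>`` or just ``<file>`` when the project
    id is supplied through the ``LAIR_PROJECT_ID`` (or legacy ``LAIR_PID``)
    environment variable. Exits with status 1 on a usage error and with 0
    after the parsed document has been printed.

    :return: never returns normally; terminates through ``sys.exit``
    """
    # Project id from the environment: LAIR_PROJECT_ID wins, LAIR_PID is the
    # older fallback name.
    env_lair_project_id = os.getenv('LAIR_PROJECT_ID')
    if env_lair_project_id is None:
        env_lair_project_id = os.getenv('LAIR_PID')

    usage = "usage: `%prog <project_id> <file>`\n or `%prog <file>` when LAIR_PROJECT_ID env var set"
    description = "%prog imports Bizsploit files into Lair [ALPHA]"
    parser = OptionParser(usage=usage, description=description,
                          version="%prog 0.0.1")
    (_options, args) = parser.parse_args()

    if len(args) == 2:
        lair_project_id = args[0]
        lair_file = args[1]
    elif len(args) == 1 and env_lair_project_id is not None:
        lair_project_id = env_lair_project_id
        lair_file = args[0]
        print("Using ProjectId from ENV: %s" % lair_project_id)
    else:
        # Usage error. This branch also catches zero or three-plus arguments
        # when the env var *is* set; previously that case fell through to an
        # unbound ``lair_project_id`` and crashed with a NameError.
        print(parser.get_usage())
        print("opt1")
        sys.exit(1)

    # Connect to the database (the connection is currently only a probe,
    # since saving is disabled below).
    db = api.db_connect()

    project = bizsploit.parse(lair_project_id, lair_file)

    # api.save(project, db, bizsploit.TOOL)
    # While saving is disabled the whole document -- which, judging by
    # bizsploit.parse, may include credential entries -- goes to stdout.
    print("Save to database currently disabled. Displaying details instead:")
    pp = pprint.PrettyPrinter(indent=4)
    pp.pprint(project)

    sys.exit(0)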
if __name__ == "__main__":
    # Script entry point; main() terminates the process via sys.exit.
    main()
#!/usr/bin/env python
# Copyright (c) 2013 Glenn 'devalias' Grant
import os
import copy
#import xml.etree.ElementTree as et
from lairdrone import drone_models as models
from lairdrone import helper
# Weight recorded on the OS fingerprint entries this drone emits.
OS_WEIGHT = 10

# Tool name written into the ``tool`` / ``last_modified_by`` fields.
TOOL = "bizsploit"

# Product label placeholder; not referenced anywhere in this file.
PRODUCT_SAP_etc = 'SAPetc'
# Output strings that may be of use
#root@netherdrake:~/pentest/bizsploit# ./bizploit -t ~/pentest/assessments/foo/bizsploit-foo_targets.stf
#Warning: It was not possible to load the RFC library, some connectors might not work.
#bizploit - Open Source ERP Penetration Testing Framework (v1.50)
#
#TCP-Pinging remote system 10.2.3.4 first. Available.
#The port scanning is being performed. Please wait, it could take a while.
#OPEN ports on target 10.2.3.4:
#Port Default Service
#---- ---------------
#1128/tcp SAPHostControl
#3200/tcp SAP Dispatcher
#3300/tcp SAP Gateway
#3600/tcp SAP Message Server
#8000/tcp SAP ICM HTTP
#8025/tcp SAP ICM HTTP
#8100/tcp SAP Message Server HTTP
#8101/tcp SAP Message Server HTTP
#40000/tcp SAP IGS - Multiplexer
#40001/tcp SAP IGS - Portwatcher
#40002/tcp SAP IGS - Portwatcher
#40080/tcp SAP IGS - HTTP Administration
#50013/tcp SAP Start Service
#50014/tcp SAP Start Service
#50113/tcp SAP Start Service
#59704/tcp SAP J2EE Dispatcher - P4
#59713/tcp SAP Start Service
#Added SAPICM connector to target 0.
#Added SAPICM connector to target 0.
#Added SAPMC connector to target 0.
#Added SAPMC connector to target 0.
#Added SAPMC connector to target 0.
#Added SAPMC connector to target 0.
#Connector discovery completed.
#
#TCP-Pinging remote system 10.2.3.5 first. Available.
#The port scanning is being performed. Please wait, it could take a while.
#No OPEN ports on target 10.2.3.5
#Connector discovery completed.
#
#Running 'icmInfo' against [10.2.3.4(0)-SAPICM(0)]
# Checking if the service is available...
# [VULN] The SAP ICM Info service is enabled at '/sap/public/info'
# Remote system information:
# RFC Log Version: 011
# Release Status of SAP System: 701
# Kernel Release: 720
# Operating System: MyOS
# Database Host: my-db-host
# Central Database System: ORACLE
# Integer Format: Big Endian
# Hostname: my-sap-host
# Float Type Format: IEEE
# IP Address: 10.2.3.4
# System ID: ABC
# RFC Destination: my-sap-host_ABC_00
# Timezone: 36000 (diff from UTC in seconds)
# Character Set: 4102
# Machine ID: 370
#Execution finished with result code: OK
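def _placeholder_host():
    """Return a fixed host document standing in for real Bizsploit results.

    Every value below is a hard-coded fixture: localhost, one TCP/80 port,
    one credential, one note and one OS fingerprint. Nothing is read from
    the Bizsploit output. The credential fields are dummy strings and must
    be replaced by parsed data before any database save is enabled.
    """
    host_dict = copy.deepcopy(models.host_model)
    host_dict['string_addr'] = 'localhost'
    host_dict['long_addr'] = helper.ip2long('127.0.0.1')
    # Fixture value; note it has only five octets.
    host_dict['mac_addr'] = '00:11:22:33:44'
    host_dict['last_modified_by'] = TOOL

    port_dict = copy.deepcopy(models.port_model)
    port_dict['port'] = 80
    port_dict['protocol'] = models.PROTOCOL_TCP
    port_dict['service'] = 'MyService'
    port_dict['product'] = 'MyProduct v0.1'
    port_dict['last_modified_by'] = TOOL

    # Placeholder credential fixture.
    credential_dict = copy.deepcopy(models.credential_model)
    credential_dict['username'] = 'MyUsername'
    credential_dict['password'] = 'MyPassword'
    credential_dict['hash'] = 'MyHash'
    port_dict['credentials'].append(credential_dict)

    note_dict = copy.deepcopy(models.note_model)
    note_dict['title'] = 'Note Title'
    note_dict['content'] = 'Note Contents'
    note_dict['last_modified_by'] = TOOL
    port_dict['notes'].append(note_dict)

    host_dict['ports'].append(port_dict)

    os_dict = copy.deepcopy(models.os_model)
    os_dict['tool'] = TOOL
    os_dict['weight'] = OS_WEIGHT
    os_dict['fingerprint'] = 'MyOsFingerprint'
    host_dict['os'].append(os_dict)

    return host_dict


def parse(project, resource):
    """Build a Lair project document for a Bizsploit console output file.

    The actual Bizsploit output parsing is still TODO: ``resource`` is only
    probed for readability, and the returned document carries one command
    entry plus a fixed placeholder host (see ``_placeholder_host``). The
    commented nmap-drone template at the end of this function shows the
    intended shape of the eventual parser.

    :param project: The project id, stored in ``project_dict['project_id']``
    :param resource: Path to the Bizsploit console output file. A value that
        is not an existing file is accepted silently (nothing is opened).
    :return: a deep copy of ``models.project_model`` with the command and
        placeholder host attached
    :raises IOError: if ``resource`` exists but cannot be opened for reading
    """
    # Readability probe only. The handle is released immediately; the
    # previous version opened the file and neither read nor closed it.
    if os.path.isfile(resource):
        with open(resource, 'r'):
            pass

    # Create the project dictionary which acts as foundation of document
    project_dict = copy.deepcopy(models.project_model)
    project_dict['project_id'] = project

    # Record the command. The real arguments are not yet reconstructed from
    # the output file, so this is a placeholder built from the file name.
    command_dict = copy.deepcopy(models.command_model)
    command_dict['tool'] = TOOL
    command_dict['command'] = './bizsploit TODO STUFF HERE > %s' % resource
    project_dict['commands'].append(command_dict)

    project_dict['hosts'].append(_placeholder_host())

    # --- Template retained from the nmap drone for reference; not executed ---
    # # Process each 'host' in the file
    # for host in root.findall('host'):
    #
    #     host_dict = copy.deepcopy(models.host_model)
    #
    #     # Find the host status
    #     status = host.find('status')
    #     if status is not None:
    #         if status.attrib['state'] != 'up':
    #             host_dict['alive'] = False
    #
    #     if status is None or not host_dict.get('alive', False):
    #         # Don't import dead hosts
    #         continue
    #
    #     # Find the IP address and/or MAC address
    #     for addr in host.findall('address'):
    #
    #         # Get IP address
    #         if addr.attrib['addrtype'] == 'ipv4':
    #             host_dict['string_addr'] = addr.attrib['addr']
    #             host_dict['long_addr'] = helper.ip2long(addr.attrib['addr'])
    #         elif addr.attrib['addrtype'] == 'mac':
    #             host_dict['mac_addr'] = addr.attrib['addr']
    #
    #     # Find the host names
    #     for hostname in host.iter('hostname'):
    #         host_dict['hostnames'].append(hostname.attrib['name'])
    #
    #     # Find the ports
    #     for port in host.iter('port'):
    #         port_dict = copy.deepcopy(models.port_model)
    #         port_dict['port'] = int(port.attrib['portid'])
    #         port_dict['protocol'] = port.attrib['protocol']
    #
    #         # Find port status
    #         status = port.find('state')
    #         if status is not None:
    #             if status.attrib['state'] != 'open':
    #                 continue
    #             port_dict['alive'] = True
    #
    #         # Find port service and product
    #         service = port.find('service')
    #         if service is not None:
    #             port_dict['service'] = service.attrib['name']
    #             if 'product' in service.attrib:
    #                 if 'version' in service.attrib:
    #                     port_dict['product'] = service.attrib['product'] + " " + service.attrib['version']
    #                 else:
    #                     port_dict['product'] = service.attrib['product']
    #             else:
    #                 port_dict['product'] = "unknown"
    #
    #         # Find NSE script output
    #         for script in port.findall('script'):
    #             note_dict = copy.deepcopy(models.note_model)
    #             note_dict['title'] = script.attrib['id']
    #             note_dict['content'] = script.attrib['output']
    #             note_dict['last_modified_by'] = TOOL
    #             port_dict['notes'].append(note_dict)
    #
    #         host_dict['ports'].append(port_dict)
    #
    #     # Find the Operating System
    #     os_dict = copy.deepcopy(models.os_model)
    #     os_dict['tool'] = TOOL
    #     os_list = list(host.iter('osmatch'))
    #     if os_list:
    #         os_dict['weight'] = OS_WEIGHT
    #         os_dict['fingerprint'] = os_list[0].attrib['name']
    #
    #     host_dict['os'].append(os_dict)
    #
    #     project_dict['hosts'].append(host_dict)
    # --- end of template ---

    return project_dict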