Added a new Hook "nmap-subsequent-scans" which implements an imperative scanner combination approach

Author: rfelber

.github/workflows/ci.yaml

@@ -214,6 +214,14 @@ jobs:
           repository: scbexperimental/generic-webhook
           path: ./hooks/generic-webhook/
           tag_with_ref: true
+      - uses: docker/build-push-action@v1
+        name: "Build & Push NmapSubsequentScans Hook Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/hook-nmap-subsequent-scans
+          path: ./hooks/nmap-subsequent-scans/
+          tag_with_ref: true
   scannerImages:
     # Note we only build images for scanner that don't provider official public container images
     name: "Build / Scanner"

README.md

@@ -22,6 +22,7 @@
   - [Prerequisites](#prerequisites)
   - [Deployment](#deployment)
   - [Examples](#examples)
+  - [Access Services](#access-services)
 - [How does it work?](#how-does-it-work)
 - [Architecture](#architecture)
 - [License](#license)
@@ -62,7 +63,7 @@ There is a german article about [Security DevOps – Angreifern (immer) einen Sc
 ```bash
 # Deploy secureCodeBox Operator
 kubectl create namespace securecodebox-system
-helm -n securecodebox-system install securecodebox-operator ./operator/
+helm -n securecodebox-system install securecodebox-operator ./operator/ --set image.tag=hooks
 
 # Deploy definitions for the integrated scanners
 helm install amass ./integrations/amass/
@@ -73,13 +74,15 @@ helm install ssh-scan ./integrations/ssh_scan/
 helm install sslyze ./integrations/sslyze/
 helm install trivy ./integrations/trivy/
 helm install zap ./integrations/zap/
+helm install wpscan ./integrations/wpscan/
 
 # Optional Deploy some Demo Apps for scanning
 helm install dummy-ssh ./demo-apps/dummy-ssh/
 
 # Deploy secureCodeBox Hooks 
 helm install add-attributes ./hooks/add-attributes/
 helm install generic-webhook ./hooks/generic-webhook/
+helm install nmap-subsequent-scans ./hooks/nmap-subsequent-scans/
 
 ## Persistence Provider: Elasticsearch
 helm install persistence-elastic ./hooks/persistence-elastic/
@@ -98,15 +101,30 @@ kubectl apply -f operator/config/samples/execution_v1_scan/trivy_mediawiki.yaml
 kubectl apply -f operator/config/samples/execution_v1_scan/trivy_juiceshop.yaml
 ## Public Scan Examples
 # E.g. www.securecodebox.io sslyze scan
+kubectl apply -f operator/config/samples/execution_v1_scan/nmap_securecodebox_io.yaml
 kubectl apply -f operator/config/samples/execution_v1_scan/amass_securecodebox_io.yaml
 kubectl apply -f operator/config/samples/execution_v1_scan/sslyze_securecodebox_io.yaml
 kubectl apply -f operator/config/samples/execution_v1_scan/nikto_securecodebox_io.yaml
 
 kubectl apply -f operator/config/samples/execution_v1_scan/ssh_iteratec_de.yaml
+kubectl apply -f operator/config/samples/execution_v1_scan/wpscan_nurdemteam_org.yaml
 # Then get the current State of the Scan by running:
 kubectl get scans
 ```
 
+### Access Services
+
+* Minio UI
+  * AccessKey: `kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.accesskey}' | base64 --decode; echo`
+  * SecretKey: `kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.secretkey}' | base64 --decode; echo`
+  * Port Forward Minio UI: `kubectl port-forward -n securecodebox-system service/securecodebox-operator-minio 9000:9000`
+* Elastic / Kibana UI
+ * User: `elastic`
+ * Password: `kubectl get secret scb-elasticsearch-es-elastic-user -n scb-analytics -o=jsonpath='{.data.elastic}' | base64 --decode; echo`
+ * Port Forward Kibana: `kubectl port-forward -n default service/persistence-elastic-kibana 5601:5601`
+ * Port Forward Elasticsearch: `kubectl port-forward -n default service/elasticsearch-master 9200:9200` 
+
+
 ## How does it work?
 
 ## Architecture

hooks/nmap-subsequent-scans/.dockerignore

@@ -0,0 +1 @@
+node_modules/

hooks/nmap-subsequent-scans/.gitignore

@@ -0,0 +1 @@
+node_modules

hooks/nmap-subsequent-scans/.helmignore

@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore

hooks/nmap-subsequent-scans/Chart.lock

@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2020-05-26T16:56:03.119255+02:00"

hooks/nmap-subsequent-scans/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: nmap-subsequent-scans
+description: Starts possible subsequent security scans based on nmap findings with open ports.
+
+type: application
+
+version: 0.1.0
+
+appVersion: latest
+
+dependencies: []

hooks/nmap-subsequent-scans/Dockerfile

@@ -0,0 +1,3 @@
+FROM scbexperimental/hook-sdk-nodejs:latest
+WORKDIR /home/app/hook-wrapper/hook/
+COPY --chown=app:app ./hook.js ./hook.js

hooks/nmap-subsequent-scans/hook.js

@@ -0,0 +1,244 @@
+const k8s = require('@kubernetes/client-node');
+
+// configure k8s client
+const kc = new k8s.KubeConfig();
+kc.loadFromDefault();
+
+const k8sApiCRD = kc.makeApiClient(k8s.CustomObjectsApi);
+
+async function handle({
+  getFindings,
+  attributeName = process.env["ATTRIBUTE_NAME"],
+  attributeValue = process.env["ATTRIBUTE_VALUE"],
+}) {
+  
+  const findings = await getFindings();
+
+  console.log(findings);
+
+  // const sslyzeYaml = k8s.dumpYaml(sslyzeJSONString);
+  // const sslyzeYaml = k8s.loadYaml(sslyzeScanDefinition);
+
+  console.log(`Found  #${findings.length} findings... trying to find possible subsequent security scans.`);
+
+  for (const finding of findings) {
+    if(finding.category == "Open Port") {
+      console.log("Found open port finding for service: " + finding.attributes.port);
+
+      if(finding.attributes.state = "open") {
+      
+        // search for HTTP ports and start subsequent Nikto Scan
+        if(finding.attributes.service == "http" ) {
+          console.log(" --> starting HTTP Service Scan: Nikto")
+
+          startNiktoScan(finding.attributes.hostname, finding.attributes.port);
+        }
+
+        // search for HTTPS ports and start subsequent SSLyze Scan
+        if(finding.attributes.service == "ssl" || finding.attributes.service == "https") {
+          console.log(" --> starting HTTP(S) Service Scan: SSLyze")
+          startSSLyzeScan(finding.attributes.hostname, finding.attributes.port);
+
+          console.log(" --> starting HTTP(S) Service Scan: ZAP Baseline Scan")
+          startZAPBaselineScan(finding.attributes.hostname, finding.attributes.port);
+        }
+        
+        // search for HTTPS ports and start subsequent SSH Scan
+        if(finding.attributes.service == "ssh" ) {
+          console.log(" --> starting SSH Service Scan: SSH")
+
+          startSSHScan(finding.attributes.hostname, finding.attributes.port);
+        }
+      }
+    }
+  }
+
+  // const k8sApi = kc.makeApiClient(k8s.CoreV1Api);
+
+  // console.log("list namespaced Pods")
+  // k8sApi.listNamespacedPod('default').then((res) => {
+	//   console.log(res.body);
+  // });
+
+  // const k8sApiCRD = kc.makeApiClient(k8s.CustomObjectsApi);
+
+  // // found at: https://github.com/kubernetes-client/javascript/issues/144
+  // console.log("list namespaced CRDs")
+  // k8sApiCRD.listNamespacedCustomObject(
+  //   'execution.experimental.securecodebox.io',
+  //   'v1',
+  //   'default',
+  //   'scans',
+  //   'false'
+  // ).then((res) => {
+	//   console.log(res.body);
+  // });
+}
+
+/**
+ * Creates a new subsequent SCB ZAP Scan for the given hostname.
+ * @param {*} hostname The hostname to start a new subsequent ZAP scan for.
+ * @param {*} port The port to start a new subsequent ZAP scan for.
+ */
+function startZAPBaselineScan(hostname, port) {
+  const zapScanDefinition = {
+    apiVersion: "execution.experimental.securecodebox.io/v1",
+    kind: "Scan",
+    metadata: {
+      "name": "zap-" + hostname.toLowerCase(),
+      "labels": {
+        "organization": "secureCodeBox"
+      }
+    },
+    spec: {
+      "scanType": "zap-baseline",
+      "parameters": [
+        "-t",
+        "https://" + hostname + ":" + port
+      ]
+    }
+  };
+
+  // Starting another subsequent sslyze scan based on the nmap results
+  // found at: https://github.com/kubernetes-client/javascript/blob/79736b9a608c18d818de61a6b44503a08ea3a78f/src/gen/api/customObjectsApi.ts#L209
+  k8sApiCRD.createNamespacedCustomObject(
+    'execution.experimental.securecodebox.io',
+    'v1',
+    'default',
+    'scans',
+    zapScanDefinition,
+    'false'
+  ).then((res) => {
+    console.log(res.body);
+  })
+  .catch((e) => {
+    console.log(e);
+  });
+}
+
+/**
+ * Creates a new subsequent SCB SSH Scan for the given hostname.
+ * @param {*} hostname The hostname to start a new subsequent SSH scan for.
+ * @param {*} port The port to start a new subsequent SSH scan for.
+ */
+function startSSHScan(hostname, port) {
+  const sshScanDefintion = {
+    "apiVersion": "execution.experimental.securecodebox.io/v1",
+    "kind": "Scan",
+    "metadata": {
+      "name": "ssh-" + hostname.toLowerCase(),
+      "labels": {
+        "organization": "secureCodeBox"
+      }
+    },
+    "spec": {
+      "scanType": "ssh-scan",
+      "parameters": [
+        "-t",
+        hostname
+      ]
+    }
+  };
+
+  // Starting another subsequent sslyze scan based on the nmap results
+  // found at: https://github.com/kubernetes-client/javascript/blob/79736b9a608c18d818de61a6b44503a08ea3a78f/src/gen/api/customObjectsApi.ts#L209
+  k8sApiCRD.createNamespacedCustomObject(
+    'execution.experimental.securecodebox.io',
+    'v1',
+    'default',
+    'scans',
+    sshScanDefintion,
+    'false'
+  ).then((res) => {
+    console.log(res.body);
+  })
+  .catch((e) => {
+    console.log(e);
+  });
+}
+
+/**
+ * Creates a new subsequent SCB Nikto Scan for the given hostname.
+ * @param {*} hostname The hostname to start a new subsequent Nikto scan for.
+ * @param {*} port The port to start a new subsequent Nikto scan for.
+ */
+function startNiktoScan(hostname, port) {
+  const niktoScanDefinition = {
+    "apiVersion": "execution.experimental.securecodebox.io/v1",
+    "kind": "Scan",
+    "metadata": {
+      "name": "nikto-" + hostname.toLowerCase(),
+      "labels": {
+        "organization": "secureCodeBox"
+      }
+    },
+    "spec": {
+      "scanType": "nikto",
+      "parameters": [
+        "-h",
+        "https://" + hostname,
+        "-Tuning",
+        "1,2,3,5,7,b"
+      ]
+    }
+  };
+
+  // Starting another subsequent sslyze scan based on the nmap results
+  // found at: https://github.com/kubernetes-client/javascript/blob/79736b9a608c18d818de61a6b44503a08ea3a78f/src/gen/api/customObjectsApi.ts#L209
+  k8sApiCRD.createNamespacedCustomObject(
+    'execution.experimental.securecodebox.io',
+    'v1',
+    'default',
+    'scans',
+    niktoScanDefinition,
+    'false'
+  ).then((res) => {
+    console.log(res.body);
+  })
+  .catch((e) => {
+    console.log(e);
+  });
+}
+
+/**
+ * Creates a new subsequent SCB SSLyze Scan for the given hostname.
+ * @param {*} hostname The hostname to start a new subsequent SSLyze scan for.
+ * @param {*} port The port to start a new subsequent SSLyze scan for.
+ */
+function startSSLyzeScan(hostname, port) {
+  const sslyzeScanDefinition = {
+    apiVersion: 'execution.experimental.securecodebox.io/v1',
+    kind: 'Scan',
+    metadata: {
+      "name": "sslyze-" + hostname.toLowerCase(),
+      "labels": {
+        "organization": "secureCodeBox"
+      }
+    },
+    "spec": {
+      "scanType": "sslyze",
+      "parameters": [
+        "--regular",
+        hostname
+      ]
+    }
+  };
+
+  // Starting another subsequent sslyze scan based on the nmap results
+  // found at: https://github.com/kubernetes-client/javascript/blob/79736b9a608c18d818de61a6b44503a08ea3a78f/src/gen/api/customObjectsApi.ts#L209
+  k8sApiCRD.createNamespacedCustomObject(
+    'execution.experimental.securecodebox.io',
+    'v1',
+    'default',
+    'scans',
+    sslyzeScanDefinition,
+    'false'
+    ).then((res) => {
+      console.log(res.body);
+    })
+    .catch((e) => {
+      console.log(e);
+    });
+}
+
+module.exports.handle = handle;

hooks/nmap-subsequent-scans/hook.test.js

@@ -0,0 +1,2 @@
+const { handle } = require("./hook");
+