Merge branch 'develop' of github.com:Patrowl/PatrowlEngines into 166-…
…apivoid-errors
sebastien-powl committed Apr 17, 2023
2 parents f501fc4 + ed5d7cb commit 7bdd2ac
Showing 5 changed files with 189 additions and 106 deletions.
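--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.5.11
+1.5.11-rc1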
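--- a/engines/owl_dns/Dockerfile
+++ b/engines/owl_dns/Dockerfile
@@ -1,5 +1,5 @@
 FROM ubuntu:20.04
-LABEL Name="Patrowl\ DNS\ \(Patrowl engine\)" Version="1.5.0"
+LABEL Name="Patrowl\ DNS\ \(Patrowl engine\)" Version="1.5.1-rc1"
 
 # Install dependencies
 RUN apt-get update && \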
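--- a/engines/owl_dns/VERSION
+++ b/engines/owl_dns/VERSION
@@ -1 +1 @@
-1.5.0
+1.5.1-rc1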
69 changes: 62 additions & 7 deletions engines/owl_dns/engine-owl_dns.py
Expand Up @@ -268,6 +268,12 @@ def start_scan():
if asset["datatype"] == "ip":
th = this.pool.submit(_cloud_check, scan_id, asset["value"], asset["datatype"])
this.scans[scan_id]['futures'].append(th)

if 'do_saas_check' in scan['options'].keys() and data['options']['do_saas_check']:
for asset in data["assets"]:
if asset["datatype"] == "ip":
th = this.pool.submit(_saas_check, scan_id, asset["value"], asset["datatype"])
this.scans[scan_id]['futures'].append(th)

res.update({
"status": "accepted",
Expand Down Expand Up @@ -426,6 +432,7 @@ def _reverse_whois(scan_id, asset, datatype):

return res


def is_ipaddr_in_subnet(ip: str, subnet: str) -> bool:
"""Check if the IP address is part of the subnet"""
try:
Expand All @@ -437,32 +444,34 @@ def is_ipaddr_in_subnet(ip: str, subnet: str) -> bool:


def _check_ip(ip: str, record_types: list = []) -> dict:
"""Check IP from CDN, WAF, Cloud providers public records."""
"""Check IP from CDN, WAF, Cloud, SaaS providers public records."""

with open(this.scanner['external_ip_ranges_path']) as all_data_file:
all_data = json.loads(all_data_file.read())

all_data_types = all_data.keys() # ["cdn", "waf", "cloud", "parking"]
all_data_types = all_data.keys() # ["cdn", "waf", "cloud", "parking", "saas"]
data_types = []
ip_provider = ""

if len(record_types) > 0:
for record_type in record_types:
if record_type not in all_data.keys():
all_data_types = [record_type]

for data_type in all_data_types:
if record_type in all_data.keys():
data_types.append(record_type)
else:
data_types = all_data_types

for data_type in data_types:
for provider in all_data[data_type].keys():
for subnet in all_data[data_type][provider]["ipv4"]:
if is_ipaddr_in_subnet(ip, subnet):
data_types.append(data_type)
ip_provider = provider
break

if ip_provider == "": # no results
return {}
return {"attributes": data_types, "provider": ip_provider}


def __get_ip_targets(asset : str, datatype: str) -> list:
targets = []
if datatype == "ip":
Expand Down Expand Up @@ -532,6 +541,26 @@ def _cloud_check(scan_id: str, asset: str, datatype: str) -> dict:

return res


def _saas_check(scan_id: str, asset: str, datatype: str) -> dict:
targets = __get_ip_targets(asset, datatype)

if len(targets) == 0:
return {}

for target in targets:
res = _check_ip(target, ["saas"])

scan_lock = threading.RLock()
with scan_lock:
if 'saas_check' not in this.scans[scan_id]['findings'].keys():
this.scans[scan_id]['findings']['saas_check'] = {}
if bool(res):
this.scans[scan_id]['findings']['saas_check'].update({asset: res})

return res


def _recursive_spf_lookups(spf_line):
spf_lookups = 0
for word in spf_line.split(" "):
Expand All @@ -545,6 +574,7 @@ def _recursive_spf_lookups(spf_line):
spf_lookups += _recursive_spf_lookups(value)
return spf_lookups


def _do_dmarc_check(scan_id,asset_value):
dmarc_dict = {"no_dmarc_record": "info"}
dns_records = __dns_resolve_asset(asset_value, "TXT")
Expand All @@ -566,6 +596,7 @@ def _do_dmarc_check(scan_id,asset_value):
this.scans[scan_id]["findings"]["dmarc_dict"] = {asset_value: dmarc_dict}
this.scans[scan_id]["findings"]["dmarc_dict_dns_records"] = {asset_value: dns_records}


def _do_dkim_check(scan_id, asset_value):
dkim_dict = {}
found_dkim = False
Expand All @@ -587,6 +618,7 @@ def _do_dkim_check(scan_id, asset_value):
this.scans[scan_id]["findings"]["dkim_dict"] = {asset_value: dkim_dict}
this.scans[scan_id]["findings"]["dkim_dict_dns_records"] = {asset_value: dns_records}


def _perform_spf_check(scan_id,asset_value):
dns_records = __dns_resolve_asset(asset_value, "TXT")
spf_dict = {
Expand Down Expand Up @@ -1286,6 +1318,29 @@ def _parse_results(scan_id):
"timestamp": ts
})

# is IP supported by a SaaS service ?
if 'saas_check' in scan['findings'].keys():
for asset in scan['findings']['saas_check'].keys():
nb_vulns['info'] += 1
provider = scan['findings']['saas_check'][asset]["provider"]
issues.append({
"issue_id": len(issues) + 1,
"severity": "info", "confidence": "certain",
"target": {
"addr": [asset],
"protocol": "domain"
},
"title": f"Behind SaaS Provider: '{provider}'",
"description": f"Behind SaaS Provider: '{provider}'",
"solution": "n/a",
"metadata": {
"tags": ["saas", provider]
},
"type": "saas_check",
"raw": scan['findings']['saas_check'][asset],
"timestamp": ts
})

# subdomain list

# bad messages replied by Sublist3r
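Review bot: In `_check_ip` the rendered page does not show whether `data_types.append(data_type)` inside the subnet loop survived the rewrite, and both readings are defective: if it stayed, the loop now appends to the very list it is iterating over (and when `record_types` is empty, `data_types = all_data_types` makes it a `dict_keys` view with no `append`), while if it was dropped the returned `"attributes"` lists every requested type instead of the ones that actually matched. I would accumulate matches separately — `matched = []` before the loop, `matched.append(data_type)` on a hit, and `return {"attributes": matched, "provider": ip_provider}` — so iteration and results never share a container. Separately, in `_saas_check` the `threading.RLock()` is created fresh on every call, so the `with scan_lock:` block provides no mutual exclusion between the pool threads that write to `this.scans[scan_id]['findings']`; the guard only means something if the lock is module-level and shared by `_cloud_check` and `_saas_check`. `start_scan` begins outside the first hunk, where `'do_saas_check' in scan['options']` is tested but `data['options']['do_saas_check']` is read — if those two dicts can diverge, the new branch should read the same one it tests.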
220 changes: 124 additions & 96 deletions engines/owl_dns/etc/ip-ranges.json
Expand Up @@ -710,6 +710,17 @@
"2a06:98c0::/29",
"2c0f:f248::/32"
]
},
"sucuri": {
"ipv4": [
"192.88.134.0/23",
"185.93.228.0/22",
"66.248.200.0/22",
"208.109.0.0/22"
],
"ipv6": [
"2a02:fe80::/29"
]
}
},
"cloud": {
Expand Down Expand Up @@ -5714,102 +5725,6 @@

]
},
"salesforce": {
"ipv4": [
"13.108.0.0/14",
"66.231.80.0/20",
"68.232.192.0/20",
"96.43.144.0/20",
"128.17.0.0/16",
"128.245.0.0/16",
"136.146.0.0/15",
"198.245.80.0/20",
"199.122.120.0/21",
"204.14.232.0/21",
"34.226.36.48/28",
"34.211.108.32/28",
"13.58.135.64/28",
"13.56.32.176/28",
"35.182.14.32/28",
"52.60.248.0/22",
"52.60.252.0/22",
"3.98.2.135/32",
"3.98.8.160/32",
"3.97.226.192/32",
"13.210.4.0/22",
"13.210.8.0/22",
"13.210.180.120/32",
"13.238.98.67/32",
"54.252.37.181/32",
"3.6.203.25/32",
"13.127.212.138/32",
"15.206.226.165/32",
"15.207.181.18/32",
"15.207.182.186/32",
"65.0.79.252/32",
"3.225.240.254/32",
"18.204.28.162/32",
"18.214.12.209/32",
"34.202.86.120/32",
"34.204.111.166/32",
"52.44.156.44/32",
"44.233.69.21/32",
"44.237.79.66/32",
"52.36.20.11/32",
"35.80.213.208/32",
"35.161.141.162/32",
"44.234.249.148/32",
"85.222.128.0/19",
"159.92.128.0/17",
"160.8.0.0/16",
"161.71.0.0/17",
"163.76.128.0/17",
"163.79.128.0/17",
"185.79.140.0/22",
"34.253.190.64/28",
"35.158.127.48/28",
"35.176.92.16/28",
"13.36.84.96/28",
"13.37.59.29/32",
"15.236.110.244/32",
"15.236.160.173/32",
"13.50.12.176/28",
"101.53.160.0/19",
"104.161.128.0/17",
"161.32.64.0/18",
"161.32.128.0/17",
"161.71.128.0/17",
"182.50.76.0/22",
"202.129.242.0/23",
"13.113.196.48/28",
"13.228.64.80/28",
"13.124.145.0/28",
"13.126.23.64/28",
"13.210.3.208/28",
"13.215.171.240/28",
"35.73.89.117/32",
"18.181.43.11/32",
"54.95.206.252/32",
"54.254.118.123/32",
"13.251.9.241/32",
"13.250.175.171/32",
"43.201.151.176/28",
"54.233.205.0/28",
"177.71.229.247/32",
"18.228.66.156/32",
"18.228.207.180/32",
"13.109.128.0/19",
"13.109.160.0/21",
"13.109.192.0/19",
"101.53.176.0/20",
"160.8.0.0/21",
"161.71.16.0/20",
"161.71.40.0/22",
"161.71.176.0/21",
"182.50.76.0/22"
],
"ipv6": []
},
"ibm": {
"ipv4": [
"12.96.160.0/21",
Expand Down Expand Up @@ -6216,5 +6131,118 @@
],
"ipv6": []
}
},
"saas": {
"salesforce": {
"ipv4": [
"13.108.0.0/14",
"66.231.80.0/20",
"68.232.192.0/20",
"96.43.144.0/20",
"128.17.0.0/16",
"128.245.0.0/16",
"136.146.0.0/15",
"198.245.80.0/20",
"199.122.120.0/21",
"204.14.232.0/21",
"34.226.36.48/28",
"34.211.108.32/28",
"13.58.135.64/28",
"13.56.32.176/28",
"35.182.14.32/28",
"52.60.248.0/22",
"52.60.252.0/22",
"3.98.2.135/32",
"3.98.8.160/32",
"3.97.226.192/32",
"13.210.4.0/22",
"13.210.8.0/22",
"13.210.180.120/32",
"13.238.98.67/32",
"54.252.37.181/32",
"3.6.203.25/32",
"13.127.212.138/32",
"15.206.226.165/32",
"15.207.181.18/32",
"15.207.182.186/32",
"65.0.79.252/32",
"3.225.240.254/32",
"18.204.28.162/32",
"18.214.12.209/32",
"34.202.86.120/32",
"34.204.111.166/32",
"52.44.156.44/32",
"44.233.69.21/32",
"44.237.79.66/32",
"52.36.20.11/32",
"35.80.213.208/32",
"35.161.141.162/32",
"44.234.249.148/32",
"85.222.128.0/19",
"159.92.128.0/17",
"160.8.0.0/16",
"161.71.0.0/17",
"163.76.128.0/17",
"163.79.128.0/17",
"185.79.140.0/22",
"34.253.190.64/28",
"35.158.127.48/28",
"35.176.92.16/28",
"13.36.84.96/28",
"13.37.59.29/32",
"15.236.110.244/32",
"15.236.160.173/32",
"13.50.12.176/28",
"101.53.160.0/19",
"104.161.128.0/17",
"161.32.64.0/18",
"161.32.128.0/17",
"161.71.128.0/17",
"182.50.76.0/22",
"202.129.242.0/23",
"13.113.196.48/28",
"13.228.64.80/28",
"13.124.145.0/28",
"13.126.23.64/28",
"13.210.3.208/28",
"13.215.171.240/28",
"35.73.89.117/32",
"18.181.43.11/32",
"54.95.206.252/32",
"54.254.118.123/32",
"13.251.9.241/32",
"13.250.175.171/32",
"43.201.151.176/28",
"54.233.205.0/28",
"177.71.229.247/32",
"18.228.66.156/32",
"18.228.207.180/32",
"13.109.128.0/19",
"13.109.160.0/21",
"13.109.192.0/19",
"101.53.176.0/20",
"160.8.0.0/21",
"161.71.16.0/20",
"161.71.40.0/22",
"161.71.176.0/21",
"182.50.76.0/22"
],
"ipv6": []
},
"wix": {
"ipv4": [
"3.104.90.0/24",
"18.228.249.0/24",
"3.122.181.0/24",
"3.112.80.0/24",
"3.1.77.0/24",
"54.244.51.0/24",
"185.230.60.0/22",
"199.15.160.0/24",
"199.15.163.0/24",
"204.2.207.0/24"
],
"ipv6": []
}
}
}
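Review bot: The new `sucuri` entry in the first hunk and the `wix` entry under `saas` both carry an `"ipv6"` list, but `_check_ip` in engine-owl_dns.py only iterates `all_data[data_type][provider]["ipv4"]`, so the `2a02:fe80::/29` range is never consulted and IPv6 assets silently report no match; either document the ipv6 lists as not yet used by the engine or extend the lookup to them. The `salesforce` ranges are moved verbatim from `cloud` to the new `saas` key, which changes the finding type those addresses produce from `cloud_check` to `saas_check` (now behind the `do_saas_check` option), so consumers relying on the old classification should be told in the changelog.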
