f49887290d
* remove unnecessary indirection on net.Conn * Ignore *.pyc * fix NPE on nil handshake * refactoring -- move status to status.go; add Open() methods for ScanTarget * cherry-pick .gitignore fix * pull in TLS fix * status.go comments * trim over-generalizations * use /usr/bin/env bash instead of absolute path * remove debug tcpwrap * add integration tests for postgres * hack for cleanup.sh to work on mingw -- use //var/lib instead of /var/lib * cleanup should actually stop the process though * comments / rearrange * Bump up timeout in postgres tests; only pass user if explicitly requested to do so * add schema stubs to new.sh * Integration test fixes -- use /usr/bin/env bash; log all validation failures * add postgres schemas * fill out zcrypto.client_hello schema * handle early get of TLSLog * postgres: return SCAN_SUCCESS on success * cleanup * fix new.sh * fix typo * postgres container cleanup * build.sh docs * standardize container/image names * add not to check for success * shift mysql's connection management to ScanTarget.Open(); wrap Read/Write methods returned by ScanTarget.Open() to enforce timeouts * catch schematically-valid but non-successful scans * postgres: clean up output format; more scanning * cleanup; better error handling; get detailed protocol version error * refactor modules * clean up dangling connections * split gigantic postgres.go * remove unused * ServerParams gets its own type * refactor integration tests: run zgrab2 in its own container, which is linked to the service containers, so that we don't need to keep track of unique ports on the host any more * rename entrypoint; remove duplicate postgres tests * comments for postgres schema * Use param expansion to check for env variable [minor] This is a *very* minor change to `docker-runner/docker-run.sh` checks to see if the environment variable required to run the script has been set to a non-empty string. If not, the script exits with a non-zero status code and displays a default message: ``` ❯ docker-runner/docker-run.sh docker-runner/docker-run.sh: line 7: CONTAINER_NAME: parameter null or not set ``` This was the behavior before, but just uses a one-liner declarative bash idiom. For further reading on parameter expansion, see https://stackoverflow.com/a/307735. @justinbastress can tell me if I did something wrong and broke the intent of the script :-) * Add integration_test targets to makefile; use makefile instead of directly calling go build everywhere; run postgres schema through PEP8 linter * use make in docker-runner entrypoint * add .integration_test_setup to .gitignore * more .gitignore items * Makefile updates: Windows support; add docker-runner target; better cleanup. * docker-runner Dockerfile: start from zgrab2_runner_base image * cleanup postgres setup * make travis use make * add .gitattributes, try to prevent it from overriding lfs with crlfs in shell scripts at least * fix folder name in Makefile * update go (one of our dependencies now works only with >= 1.9) * From travis: `I don't have any idea what to do with '1.9.0'.` * explicit clean make * fix dep order * fix build.sh location * popd * use make to ensure zgrab2_runner exists * Make docker-runner an order-dependency for integration-test-cleanup; don't do a cleanup after each integration test * use explicit tag name for zgrab2_runner * Add container-clean target to Makefile, to remove cyclic dependency on docker; use .id files to track docker images; add servce-base image; use Make to build / track images * use LF in Makefiles; update .gitignore; use zgrab_service_base image in ssh container; fix line endings (?) * remove overzealous cleanup * let setup continue even if some containers are already running * zgrab depends on *.go * docker-runner depends on zgrab2 binary * clean output before running integration tests
92 lines
3.6 KiB
Go
92 lines
3.6 KiB
Go
package zgrab2
|
|
|
|
import (
|
|
"io"
|
|
"net"
|
|
)
|
|
|
|
// ScanStatus is the enum value that states how the scan ended.
|
|
type ScanStatus string
|
|
|
|
// TODO: Conform to standard string const format (names, capitalization, hyphens/underscores, etc)
|
|
// TODO: Enumerate further status types
|
|
const (
|
|
SCAN_SUCCESS = "success" // The protocol in question was positively identified and the scan encountered no errors
|
|
SCAN_CONNECTION_REFUSED = "connection-refused" // TCP connection was actively rejected
|
|
SCAN_CONNECTION_TIMEOUT = "connection-timeout" // No response to TCP connection request
|
|
|
|
// TODO: lump connection closed / io timeout?
|
|
SCAN_CONNECTION_CLOSED = "connection-closed" // The TCP connection was unexpectedly closed
|
|
SCAN_IO_TIMEOUT = "io-timeout" // Timed out waiting on data
|
|
SCAN_PROTOCOL_ERROR = "protocol-error" // Received data incompatible with the target protocol
|
|
// TODO: Add SCAN_TLS_PROTOCOL_ERROR? For purely TLS-wrapped protocols, SCAN_PROTOCOL_ERROR is fine -- but for protocols that have a non-TLS bootstrap (e.g. a STARTTLS procedure), SCAN_PROTOCOL_ERROR is misleading, since it did get far-enough into the application protocol to start TLS handshaking -- but a garbled TLS handshake is certainly not a SCAN_APPLICATION_ERROR
|
|
SCAN_APPLICATION_ERROR = "application-error" // The application reported an error
|
|
SCAN_UNKNOWN_ERROR = "unknown-error" // Catch-all for unrecognized errors
|
|
)
|
|
|
|
// ScanError an error that also includes a ScanStatus.
|
|
type ScanError struct {
|
|
Status ScanStatus
|
|
Err error
|
|
}
|
|
|
|
// Error is an implementation of the builtin.error interface -- just forward the wrapped error's Error() method
|
|
func (err *ScanError) Error() string {
|
|
if err.Err == nil {
|
|
return "<nil>"
|
|
}
|
|
return err.Err.Error()
|
|
}
|
|
|
|
func (err *ScanError) Unpack(results interface{}) (ScanStatus, interface{}, error) {
|
|
return err.Status, results, err.Err
|
|
}
|
|
|
|
// NewScanError returns a ScanError with the given status and error.
|
|
func NewScanError(status ScanStatus, err error) *ScanError {
|
|
return &ScanError{Status: status, Err: err}
|
|
}
|
|
|
|
// DetectScanError returns a ScanError that attempts to detect the status from the given error.
|
|
func DetectScanError(err error) *ScanError {
|
|
return &ScanError{Status: TryGetScanStatus(err), Err: err}
|
|
}
|
|
|
|
// TryGetScanStatus attempts to get the ScanStatus enum value corresponding to the given error.
|
|
// Mostly supports network errors. A nil error is interpreted as SCAN_SUCCESS.
|
|
// An unrecognized error is interpreted as SCAN_UNKNOWN_ERROR.
|
|
func TryGetScanStatus(err error) ScanStatus {
|
|
if err == nil {
|
|
return SCAN_SUCCESS
|
|
}
|
|
if err == io.EOF {
|
|
// Presumably the caller did not call TryGetScanStatus if the EOF was expected
|
|
return SCAN_IO_TIMEOUT
|
|
}
|
|
switch e := err.(type) {
|
|
case *ScanError:
|
|
return e.Status
|
|
case *net.OpError:
|
|
switch e.Op {
|
|
case "dial":
|
|
// TODO: Distinguish connection timeout / connection refused
|
|
// Windows examples:
|
|
// "dial tcp 192.168.30.3:22: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
|
|
// "dial tcp 127.0.0.1:22: connectex: No connection could be made because the target machine actively refused it."
|
|
return SCAN_CONNECTION_TIMEOUT
|
|
case "read":
|
|
// TODO: Distinguish connection reset vs timeout
|
|
return SCAN_IO_TIMEOUT
|
|
case "write":
|
|
// TODO: Distinguish connection reset vs timeout
|
|
return SCAN_IO_TIMEOUT
|
|
default:
|
|
// TODO: Do we need a generic network error?
|
|
return SCAN_UNKNOWN_ERROR
|
|
}
|
|
// TODO: More error types
|
|
default:
|
|
return SCAN_UNKNOWN_ERROR
|
|
}
|
|
}
|