forked from muratozfidan/playbooks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
macos_ard_enumeration.py
88 lines (66 loc) · 3.26 KB
/
macos_ard_enumeration.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
"""
This helper playbook uses an nmap scan to build a custom list of endpoints running an open service on TCP port 5900. This custom list will be used to enumerate MacOS High Sierra endpoints to respond to the 2017-11-28 disclosure of root user access without a password.
"""
import phantom.rules as phantom
import json
from datetime import datetime, timedelta
def on_start(container):
phantom.debug('on_start() called')
# call 'scan_port_5900' block
scan_port_5900(container=container)
return
"""
Scan the given subnet with a TCP syn-ack on port 5900 to detect VNC or ARD services.
"""
def scan_port_5900(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('scan_port_5900() called')
# collect data for 'scan_port_5900' call
parameters = []
# build parameters list for 'scan_port_5900' call
parameters.append({
'portlist': 5900,
'script-args': "",
'script': "",
'ip_hostname': "198.51.100.*",
'udp_scan': "",
})
phantom.act("scan network", parameters=parameters, assets=['nmap'], callback=filter_1, name="scan_port_5900")
return
"""
Only pass on ip addresses that are found to have open ports.
"""
def filter_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('filter_1() called')
# collect filtered artifact ids for 'if' condition 1
matched_artifacts_1, matched_results_1 = phantom.condition(
container=container,
action_results=results,
conditions=[
["scan_port_5900:action_result.data.*.tcp.*.state", "==", "open"],
],
name="filter_1:condition_1")
# call connected blocks if filtered artifacts or results
if matched_artifacts_1 or matched_results_1:
add_addresses_to_list(action=action, success=success, container=container, results=results, handle=handle, filtered_artifacts=matched_artifacts_1, filtered_results=matched_results_1)
return
"""
Create a custom list with the given IP addresses or add to one if it exists.
"""
def add_addresses_to_list(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
phantom.debug('add_addresses_to_list() called')
filtered_results_data_1 = phantom.collect2(container=container, datapath=["filtered-data:filter_1:condition_1:scan_port_5900:action_result.data.*.addresses.ipv4.*.ip"])
filtered_results_item_1_0 = [item[0] for item in filtered_results_data_1]
phantom.add_list("macos_endpoints", filtered_results_item_1_0)
return
def on_finish(container, summary):
phantom.debug('on_finish() called')
# This function is called after all actions are completed.
# summary of all the action and/or all detals of actions
# can be collected here.
# summary_json = phantom.get_summary()
# if 'result' in summary_json:
# for action_result in summary_json['result']:
# if 'action_run_id' in action_result:
# action_results = phantom.get_action_results(action_run_id=action_result['action_run_id'], result_data=False, flatten=False)
# phantom.debug(action_results)
return