Air gap scans with the API in PowerShell
The Air gap scan scripts authenticate to the API by following this procedure.
If the Cyberwatch server's TLS certificate cannot be validated by the machine running these scripts, the following snippet must be executed earlier in the script. Note that it disables certificate validation for every HTTPS request made by the current Windows PowerShell session (it relies on ServicePointManager, i.e. .NET Framework / Windows PowerShell 5.1):
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
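As an added example (not part of the Cyberwatch page), a narrower alternative to TrustAllCertsPolicy: accept only the certificate whose thumbprint you have recorded for your Cyberwatch server, and keep every other host under the normal validation result. It uses the same ICertificatePolicy mechanism (Windows PowerShell 5.1 / .NET Framework); $API_URL is assumed to be already set as in the scripts below, and the thumbprint value is a placeholder to replace with the one of your own server certificate.

```powershell
# Added example: pin the Cyberwatch server certificate instead of trusting all certificates.
# $API_URL is assumed to be set (see the CONFIGURATION block of the scripts below).
$CyberwatchHost     = ([Uri]$API_URL).Host
$ExpectedThumbprint = "0000000000000000000000000000000000000000"   # PLACEHOLDER: SHA-1 thumbprint (40 hex chars) of your server certificate

Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustPinnedCertPolicy : ICertificatePolicy {
    private readonly string _host;
    private readonly string _thumbprint;
    public TrustPinnedCertPolicy(string host, string thumbprint) {
        _host = host;
        // Accept thumbprints copied from a certificate viewer ("AB:CD ..." or "AB CD ...")
        _thumbprint = thumbprint.Replace(" ", "").Replace(":", "");
    }
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        // Any host other than the Cyberwatch server keeps the standard result
        // (certificateProblem == 0 means the certificate chain validated normally).
        if (request == null ||
            !string.Equals(request.RequestUri.Host, _host, StringComparison.OrdinalIgnoreCase)) {
            return certificateProblem == 0;
        }
        if (certificate == null) { return false; }
        // GetCertHashString() returns the SHA-1 thumbprint as upper-case hex:
        // only the pinned certificate is accepted for the Cyberwatch host, even if its chain fails.
        return string.Equals(certificate.GetCertHashString(), _thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustPinnedCertPolicy -ArgumentList $CyberwatchHost, $ExpectedThumbprint
```

When the server certificate is renewed, the pinned thumbprint must be updated as well, otherwise the ping check in the scripts below fails with a trust error.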
Air gap scan scripts and how they work
1. Retrieve the Air gap scan download script and the upload script (both below), and fill in the $API_URL and $CREDENTIALS variables.
2. After running the download script, a scripts folder is created that contains the scripts used to generate the results.
3. To run the scripts, move the folder itself onto the asset you want to analyse and run the run script. To avoid any risk of running an unwanted script, take the folder as a whole, not just its contents.
   Linux: bash ./run.sh > result.txt
   PowerShell: .\run.ps1 | Out-File -Encoding ASCII -FilePath result.txt
   This creates a result.txt file with the output. Then move result.txt into an uploads folder on the system that holds the upload script.
4. Send the results of the scripts present in the uploads folder with the upload script.
Air gap scan download script
# -------------------------------------
# CONFIGURATION
# Please check and complete these items
# -------------------------------------
$API_URL = ""
$CREDENTIALS = "access_key:secret_key"

# -------------------------
# RUN
# -------------------------
Write-Output "-------------------------------------------"
Write-Output "Cyberwatch - Get Air gap scripts"
Write-Output "-------------------------------------------"

# HTTP Basic authentication value: base64("access_key:secret_key")
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($CREDENTIALS))

Function FetchImporterScripts
{
    <#
    .SYNOPSIS
    Example script to fetch Importer scanning scripts
    #>
    Write-Output "-------------------------------------------"
    Write-Output "Cyberwatch - Fetch scanning scripts for Importer"
    Write-Output "-------------------------------------------"
    Write-Output "Would you like to download scripts attachments like .cab file? (Default is Yes)"
    $ReadHost = Read-Host " ( y / n ) "
    # Switch compares case-insensitively, so 'y' and 'Y' both match
    Switch ($ReadHost)
    {
        Y {Write-Output "Yes, download attachments"; $DownloadAttachments=$true}
        N {Write-Output "No, skip attachments"; $DownloadAttachments=$false}
        Default {Write-Output "Default, download attachments"; $DownloadAttachments=$true}
    }

    # Test the client connection
    Write-Output "INFO: Checking API connection and credentials..."
    try {
        $response = Invoke-WebRequest -URI $API_URL/api/v3/ping -Method Get -Headers @{
            "Accept" = "application/json; charset=utf-8"
            Authorization = "Basic $encodedCreds"
        }
        $response.Content
    }
    catch {
        Write-Output "ERROR: Connection failed. Please check the following error message : '$_'"
        Return
    }

    # Clean old files
    Write-Output "INFO: Cleaning old files..."
    Remove-Item -LiteralPath ".\scripts" -Force -Recurse -ErrorAction Ignore
    Write-Output "INFO: Done."

    # Create the base folders
    New-Item -path ".\scripts" -Force -ItemType Directory | Out-Null
    New-Item -path ".\uploads" -Force -ItemType Directory | Out-Null

    # Fetch available scanning scripts from the API
    Write-Output "INFO: Fetching available scanning scripts..."
    $response = Invoke-RestMethod -URI "$API_URL/api/v2/cbw_scans/scripts" -Method Get -Headers @{
        "Accept" = "application/json; charset=utf-8"
        Authorization = "Basic $encodedCreds"
    }
    Write-Output $response

    # Fetch content of each script and its attachments
    $response | ForEach-Object{
        Write-Output "INFO: Fetching content for $($_.Type) ..."
        $id = ($_.id)
        $scanning_script = Invoke-RestMethod -URI "$API_URL/api/v2/cbw_scans/scripts/$id" -Method Get -Headers @{
            "Accept" = "application/json; charset=utf-8"
            Authorization = "Basic $encodedCreds"
        }
        Write-Output $scanning_script
        # The script type ("::"-separated namespace) becomes the folder layout .\scripts\<platform>\<name>
        $scanning_script_path = ".\"+$scanning_script.type.ToLower().replace("::", "\")
        if ($scanning_script.type -like '*Linux*') {
            $scanning_script_path = $scanning_script_path + '.sh'
        } elseif ($scanning_script.type -like '*Windows*') {
            $scanning_script_path = $scanning_script_path + '.ps1'
        }
        $scanning_script.contents | New-Item -path $scanning_script_path -Force -ItemType File | Out-Null
        # Optional attachment (e.g. a .cab file) is stored next to the script
        if($scanning_script.attachment -And $DownloadAttachments) {
            $attachment_name = ($scanning_script.attachment -split '/')[-1]
            $path = $scanning_script_path.SubString(0, $scanning_script_path.LastIndexOf('\')) + '\' + $attachment_name
            Invoke-WebRequest -Uri $scanning_script.attachment -OutFile $path
        }
        Write-Output "INFO: Script saved at $($(Resolve-Path -Path $scanning_script_path).Path)."
    }

    # Runner for Linux and Docker: executes the priority scripts, then every other .sh in the folder
    $SH_EXECUTE_SCRIPT = '#!/bin/bash
set -eu
readonly DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

# Define priority scripts
declare -a priority_scripts=("infoscript.sh" "dockerimagesscansscript.sh")

# Execute priority scripts first
for script in "${priority_scripts[@]}"; do
    script_path="$DIR/$script"
    if [[ -f "$script_path" ]]; then
        chmod +x "$script_path"
        >&2 printf "Executing %s..." "$script_path"
        ( "$script_path" || >&2 echo "Error" ; ) && >&2 echo "Done"
    fi
done

# Execute all other scripts (NUL-delimited so paths containing spaces are handled)
find "$DIR" -name "*.sh" -not -name "run.sh" -not -name "infoscript.sh" -not -name "dockerimagesscansscript.sh" -print0 |
while IFS= read -r -d "" script; do
    chmod +x "$script"
    >&2 printf "Executing %s..." "$script"
    ( "$script" || >&2 echo "Error" ; ) && >&2 echo "Done"
done
'
    $SH_EXECUTE_SCRIPT | New-Item -path ".\scripts\docker\run.sh" -Force -ItemType File | Out-Null
    $SH_EXECUTE_SCRIPT | New-Item -path ".\scripts\linux\run.sh" -Force -ItemType File | Out-Null

    # Runner for Windows: executes InfoScript.ps1 first, then every other .ps1 in the folder
    $PS1_EXECUTE_SCRIPT = '
$ScriptDir = Split-Path $MyInvocation.MyCommand.Path

# Execute priority script first
$priorityScript = "$ScriptDir\InfoScript.ps1"
if (Test-Path $priorityScript) {
    & $priorityScript
}

# Execute all other scripts (FullName is used so this works in both Windows PowerShell and PowerShell 7)
$scripts = Get-ChildItem -Path $ScriptDir -Filter "*.ps1" | Where-Object { $_.Name -ne "run.ps1" -and $_.Name -ne "InfoScript.ps1" }
foreach ($script in $scripts) {
    & $script.FullName
}
'
    $PS1_EXECUTE_SCRIPT | New-Item -path ".\scripts\windows\run.ps1" -Force -ItemType File | Out-Null

    Write-Output "---------------------------------------------------------------------"
    Write-Output "Script completed!"
    Write-Output "To continue, please now:"
    Write-Output "1) Run the fetched scripts on the targeted systems"
    Write-Output "2) Put the result.txt in the 'uploads' folder"
    Write-Output "3) Run the 'upload' script"
    Write-Output "---------------------------------------------------------------------"
}

FetchImporterScripts
Air gap scan upload script
# -------------------------------------
# CONFIGURATION
# Please check and complete these items
# -------------------------------------
$API_URL = ""
$CREDENTIALS = "access_key:secret_key"

# -------------------------
# RUN
# -------------------------
Write-Output "-------------------------------------------"
Write-Output "Cyberwatch - Send results for analysis"
Write-Output "-------------------------------------------"

# HTTP Basic authentication value: base64("access_key:secret_key")
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($CREDENTIALS))

Function SendResultsImporter
{
    <#
    .SYNOPSIS
    Script to send Importer scanning scripts results
    #>
    # Test the client connection
    try {
        $response = Invoke-WebRequest -URI $API_URL/api/v3/ping -Method Get -Headers @{
            "Accept" = "application/json; charset=utf-8"
            Authorization = "Basic $encodedCreds"
        }
        $response.Content
    }
    catch {
        Write-Output "ERROR: Connection failed. Please check the following error message : '$_'"
        Return
    }

    # Load results and send them to Cyberwatch
    Write-Output "INFO: Searching for available results..."
    $available_results = Get-ChildItem -Recurse -File -Path ".\uploads"
    Write-Output "INFO: Done. Found $($available_results.count) results to be processed and sent for analysis."
    $available_results | ForEach-Object {
        Write-Output "INFO: Reading $($_.FullName) content..."
        $content = [IO.File]::ReadAllText($_.FullName)
        Write-Output "INFO: Sending $($_.FullName) content to the API..."
        # The API expects a JSON object whose "output" field holds the raw script output
        $body_content = @{ output = $content } | ConvertTo-Json
        # Send the body as UTF-8 bytes so non-ASCII characters in the results are preserved
        $utf8Bytes = [System.Text.Encoding]::UTF8.GetBytes($body_content)
        Write-Output $body_content
        $response = Invoke-WebRequest -URI $API_URL/api/v2/cbw_scans/scripts -Method POST -Body $utf8Bytes -Headers @{
            "Accept" = "application/json; charset=utf-8"
            "Content-Type" = "application/json"
            Authorization = "Basic $encodedCreds"
        }
        Write-Output "INFO: Done."
    }

    Write-Output "---------------------------------------------------------------------"
    Write-Output "Script completed!"
    Write-Output "Your scans are now being processed by your Cyberwatch nodes."
    Write-Output "Please log on $API_URL to see the results."
    Write-Output "---------------------------------------------------------------------"
}

SendResultsImporter
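An added example, not part of the Cyberwatch upload script: a per-file variant of the send loop above that records the HTTP status of each result file and moves accepted files into an assumed .\uploads\sent sub-folder, so that a re-run of the upload does not resubmit them. It assumes $API_URL and $encodedCreds are already defined as in the CONFIGURATION and RUN blocks above.

```powershell
# Added example: send each result file separately, keep the outcome per file, and set
# accepted files aside. Assumes $API_URL and $encodedCreds exist (see the upload script).
Function Send-ResultFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    # Same body shape as the upload script: {"output": "<raw script output>"}
    $body = @{ output = [IO.File]::ReadAllText($File.FullName) } | ConvertTo-Json
    try {
        $response = Invoke-WebRequest -Uri "$API_URL/api/v2/cbw_scans/scripts" -Method POST `
            -Body ([System.Text.Encoding]::UTF8.GetBytes($body)) -Headers @{
                "Accept"       = "application/json; charset=utf-8"
                "Content-Type" = "application/json"
                Authorization  = "Basic $encodedCreds"
            }
        # Invoke-WebRequest throws on 4xx/5xx responses, so reaching this point means the API accepted the file
        return [pscustomobject]@{ File = $File.FullName; Status = [int]$response.StatusCode; Sent = $true; Error = $null }
    }
    catch {
        # Network errors and HTTP errors both land here; keep the message for the summary table
        return [pscustomobject]@{ File = $File.FullName; Status = $null; Sent = $false; Error = "$_" }
    }
}

# "sent" is an assumed sub-folder name; the listing is deliberately non-recursive so that
# files already moved there are not picked up again on the next run.
$sentDir = ".\uploads\sent"
New-Item -Path $sentDir -Force -ItemType Directory | Out-Null

$results = Get-ChildItem -Path ".\uploads" -File | ForEach-Object { Send-ResultFile -File $_ }
$results | Where-Object { $_.Sent } | ForEach-Object {
    Move-Item -LiteralPath $_.File -Destination $sentDir -Force
}

# Files with Sent = False stay in .\uploads and are retried on the next run
$results | Format-Table File, Status, Sent, Error -AutoSize
```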