started fixing the JARM implementation

Author: caffix

engine/plugins/jarm.go

@@ -0,0 +1,161 @@
+// Copyright © by Jeff Foley 2017-2024. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+// SPDX-License-Identifier: Apache-2.0
+
+package plugins
+
+import (
+	"errors"
+	"log/slog"
+
+	"github.com/owasp-amass/amass/v4/engine/plugins/support"
+	et "github.com/owasp-amass/amass/v4/engine/types"
+	dbt "github.com/owasp-amass/asset-db/types"
+	oam "github.com/owasp-amass/open-asset-model"
+	"github.com/owasp-amass/open-asset-model/domain"
+	"github.com/owasp-amass/open-asset-model/network"
+	"github.com/owasp-amass/open-asset-model/property"
+	"github.com/owasp-amass/open-asset-model/relation"
+	"github.com/owasp-amass/open-asset-model/service"
+)
+
+type jarmPlugin struct {
+	name   string
+	log    *slog.Logger
+	source *et.Source
+}
+
+func NewJARMFingerprints() et.Plugin {
+	return &jarmPlugin{
+		name: "JARM-Fingerprint",
+		source: &et.Source{
+			Name:       "JARM-Fingerprint",
+			Confidence: 90,
+		},
+	}
+}
+
+func (j *jarmPlugin) Name() string {
+	return j.name
+}
+
+func (j *jarmPlugin) Start(r et.Registry) error {
+	j.log = r.Log().WithGroup("plugin").With("name", j.name)
+
+	if err := r.RegisterHandler(&et.Handler{
+		Plugin:       j,
+		Name:         j.name + "-Handler",
+		MaxInstances: 25,
+		Transforms:   []string{string(oam.Service)},
+		EventType:    oam.Service,
+		Callback:     j.check,
+	}); err != nil {
+		return err
+	}
+
+	j.log.Info("Plugin started")
+	return nil
+}
+
+func (j *jarmPlugin) Stop() {
+	j.log.Info("Plugin stopped")
+}
+
+func (j *jarmPlugin) check(e *et.Event) error {
+	_, ok := e.Entity.Asset.(*service.Service)
+	if !ok {
+		return errors.New("failed to extract the Service asset")
+	}
+
+	if !j.hasCertificate(e) {
+		return nil
+	}
+
+	since, err := support.TTLStartTime(e.Session.Config(), string(oam.Service), string(oam.Service), j.name)
+	if err != nil {
+		return err
+	}
+
+	src := j.source
+	if !support.AssetMonitoredWithinTTL(e.Session, e.Entity, src, since) {
+		j.query(e)
+		support.MarkAssetMonitored(e.Session, e.Entity, src)
+	}
+	return nil
+}
+
+func (j *jarmPlugin) hasCertificate(e *et.Event) bool {
+	if edges, err := e.Session.Cache().OutgoingEdges(e.Entity, e.Session.Cache().StartTime(), "certificate"); err == nil && len(edges) > 0 {
+		for _, edge := range edges {
+			if a, err := e.Session.Cache().FindEntityById(edge.ToEntity.ID); err == nil && a != nil {
+				if a.Asset.AssetType() == oam.TLSCertificate {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+type fingerprint struct {
+	asset *dbt.Entity
+	port  *dbt.Edge
+	hash  string
+}
+
+func (j *jarmPlugin) query(e *et.Event) {
+	var targets []*fingerprint
+
+	if edges, err := e.Session.Cache().IncomingEdges(e.Entity, e.Session.Cache().StartTime(), "port"); err == nil && len(edges) > 0 {
+		for _, edge := range edges {
+			portrel, ok := edge.Relation.(*relation.PortRelation)
+			if !ok {
+				continue
+			}
+			if a, err := e.Session.Cache().FindEntityById(edge.FromEntity.ID); err == nil && a != nil {
+				switch a.Asset.(type) {
+				case *domain.FQDN:
+					if portrel.Protocol == "https" {
+						t := &fingerprint{
+							asset: e.Entity,
+							port:  edge,
+						}
+						targets = append([]*fingerprint{t}, targets...)
+					}
+				case *network.IPAddress:
+					if portrel.Protocol == "https" {
+						targets = append(targets, &fingerprint{
+							asset: e.Entity,
+							port:  edge,
+						})
+					}
+				}
+			}
+		}
+	}
+
+	var results []*fingerprint
+	for _, target := range targets {
+		portrel := target.port.Relation.(*relation.PortRelation)
+		if fp, err := support.JARMFingerprint(target.asset.Asset, portrel); err == nil && fp != "" {
+			results = append(results, &fingerprint{
+				asset: target.asset,
+				port:  target.port,
+				hash:  fp,
+			})
+		}
+	}
+
+	if len(results) > 0 {
+		j.store(e, results)
+	}
+}
+
+func (j *jarmPlugin) store(e *et.Event, fps []*fingerprint) {
+	for _, fp := range fps {
+		_, _ = e.Session.Cache().CreateEdgeProperty(fp.port, &property.SimpleProperty{
+			PropertyName:  "JARM",
+			PropertyValue: fp.hash,
+		})
+	}
+}

engine/plugins/load.go

@@ -54,7 +54,7 @@ var pluginNewFuncs = []func() et.Plugin{
 	scrape.NewSiteDossier,
 	whois.NewWHOIS,
 	NewIPNetblock,
-	//NewJARMFingerprint,
+	NewJARMFingerprints,
 	NewKnownFQDN,
 	NewVerifiedEmail,
 }

engine/plugins/service_discovery/http_probes/plugin.go

@@ -156,15 +156,17 @@ func (hp *httpProbing) store(e *et.Event, resp *http.Response, entity *dbt.Entit
 	serv.BannerLen = int(resp.Length)
 	serv.Headers = resp.Header
 
+	proto := "http"
 	var c *oamcert.TLSCertificate
 	if firstAsset != nil {
+		proto = "https"
 		c = firstAsset.Asset.(*oamcert.TLSCertificate)
 	}
 
 	portrel := &relation.PortRelation{
 		Name:       "port",
 		PortNumber: port,
-		Protocol:   "tcp",
+		Protocol:   proto,
 	}
 
 	s, err := support.CreateServiceAsset(e.Session, entity, portrel, serv, c)

engine/plugins/support/fingerprinting.go

@@ -14,21 +14,32 @@ import (
 	jarm "github.com/caffix/jarm-go"
 	"github.com/owasp-amass/amass/v4/utils/net"
 	oam "github.com/owasp-amass/open-asset-model"
+	"github.com/owasp-amass/open-asset-model/domain"
+	"github.com/owasp-amass/open-asset-model/network"
+	"github.com/owasp-amass/open-asset-model/relation"
 )
 
-func JARMFingerprint(target oam.Asset) (string, error) {
-	var port int
+func JARMFingerprint(target oam.Asset, portrel *relation.PortRelation) (string, error) {
 	var ipv6 bool
 	var host string
 
+	if fqdn, ok := target.(*domain.FQDN); ok {
+		host = fqdn.Name
+	} else if ip, ok := target.(*network.IPAddress); ok {
+		ipv6 = ip.Address.Is6()
+		host = ip.Address.String()
+	} else {
+		return "", errors.New("target must be a FQDN or IPAddress")
+	}
+
 	addr := host
 	if ipv6 {
 		addr = "[" + addr + "]"
 	}
-	addr += ":" + strconv.Itoa(port)
+	addr += ":" + strconv.Itoa(portrel.PortNumber)
 
 	var results []string
-	for _, probe := range jarm.GetProbes(host, port) {
+	for _, probe := range jarm.GetProbes(host, portrel.PortNumber) {
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()