New module using what-vpn

README.md

@@ -43,6 +43,9 @@ NASK is relieved of such liability to the fullest extent possible.
 The module is disabled by default - to enable it, rename `docker-compose.additional.wpscan.yml.disabled` to
 `docker-compose.additional.wpscan.yml` and re-run ``./scripts/start``.
 
+### what-vpn
+Uses https://github.com/dlenski/what-vpn under the hood. Identifies servers running various SSL VPNs and is licensed under GPL-3.0-or-later.
+
 ## Testing
 To run the tests, run:
 

docker-compose.yml

@@ -48,6 +48,16 @@ services:
     command: "python3 -m artemis.modules.karton_ssl_checks"
     profiles: [not-arm]
 
+  karton-whatvpn:
+    build:
+      context: Artemis-modules-extra
+      dockerfile: karton_whatvpn/Dockerfile
+    volumes: ["./docker/karton.ini:/etc/karton/karton.ini", "${DOCKER_COMPOSE_ADDITIONAL_SHARED_DIRECTORY:-./shared}:/shared/"]
+    depends_on: [karton-system]
+    env_file: .env
+    restart: always
+    command: "python3 -m artemis.modules.karton_whatvpn"
+
   autoreporter:
     volumes:
       - ./Artemis-modules-extra/extra_modules_config.py:/opt/extra_modules_config.py

extra_modules_config.py

@@ -54,5 +54,13 @@ class ExtraModulesConfig:
         ),
     )
 
+    # Timeout counted in seconds, after which the what-vpn module terminates a connection and starts using the next sniffer.
+    # Some of VPN gateways do not respond in any way to the HTTP(S) requests, so the timeout variable should be optimized in
+    # order to avoid false negatives while not blocking the task for too long.
+    WHATVPN_TIMEOUT_SECONDS = decouple.config(
+        "WHATVPN_TIMEOUT_SECONDS",
+        default="2",
+    )
+
     # WPScan API key
     WPSCAN_API_KEY = decouple.config("WPSCAN_API_KEY", default=None)

karton_whatvpn/Dockerfile

@@ -0,0 +1,9 @@
+FROM certpl/artemis:latest
+
+RUN apk add git
+RUN pip3 install https://github.com/dlenski/what-vpn/archive/607c351037acb1fae06ba98760f462a3aa61b359.zip
+# Last release v0.7 is from 2022, but current master branch contains significant improvements
+
+WORKDIR /opt/
+COPY karton_whatvpn/karton_whatvpn.py ./artemis/modules
+COPY extra_modules_config.py .

karton_whatvpn/karton_whatvpn.py

@@ -0,0 +1,62 @@
+import subprocess
+
+from artemis import load_risk_class, utils
+from artemis.binds import TaskStatus, TaskType
+from artemis.module_base import ArtemisBase
+from artemis.task_utils import get_target_host
+from karton.core import Task
+
+from extra_modules_config import ExtraModulesConfig
+
+logger = utils.build_logger(__name__)
+
+
+@load_risk_class.load_risk_class(load_risk_class.LoadRiskClass.LOW)
+class WhatVPN(ArtemisBase):  # type: ignore
+    """
+    Runs what-vpn -> SSL VPN identifier
+    """
+
+    identity = "what-vpn"
+    filters = [{"type": TaskType.IP.value}]
+
+    def _process(self, current_task: Task, host: str) -> None:
+        output = subprocess.run(
+            ["what-vpn", "--keep-going-after-exception", "--timeout", ExtraModulesConfig.WHATVPN_TIMEOUT_SECONDS, host],
+            capture_output=True,
+        )
+        output_str = output.stdout.decode("utf-8")
+        detected_vpn = None
+
+        error_messages = ["error", "timeout"]
+        if any(msg in output_str for msg in error_messages):
+            status = TaskStatus.ERROR
+            status_reason = "Error or timeout occurred"
+        elif "no match" in output_str:
+            status = TaskStatus.OK
+            status_reason = "Could not identify a VPN gateway"
+        else:
+            # Format of what-vpn output:
+            # scanned_host: identified_VPN [VPN_version]
+            detected_vpn = output_str.split(" ", 1)[1]
+            status = TaskStatus.INTERESTING
+            status_reason = f"Detected {detected_vpn}"
+
+        # Save the task result to the database
+        self.db.save_task_result(
+            task=current_task,
+            status=status,
+            status_reason=status_reason,
+            data=detected_vpn,
+        )
+
+    def run(self, current_task: Task) -> None:
+        target_host = get_target_host(current_task)
+
+        self.log.info("Requested to check if %s is a VPN gateway", target_host)
+
+        self._process(current_task, target_host)
+
+
+if __name__ == "__main__":
+    WhatVPN().loop()