v0.4

README.md

@@ -2,6 +2,15 @@
 
 用于被动式的嗅探相关高危指纹和蜜罐特征，并进行告警的谷歌插件
 
+![image-20220815004318147](README.assets/image-20220815004318147.png)
+
+![image-20220814220214770](README.assets/image-20220814220214770.png)
+
+
+## 安装
+
+Chrome-扩展设置-开发者模式-加载已解压的扩展程序
+
 ## 使用须知
 
 1、插件的识别对象基于【域名+端口】或【IP+端口】，对于同一web服务下通过路由分发的不同业务系统不做进一步区分
@@ -22,17 +31,15 @@
 
 1、对响应体检测前进行筛选【v0.2 已完成】
 
-2、插件级别的暂停功能
+2、插件级别的暂停功能【v0.4 已完成】
 
-3、主动扫描部分指纹
+3、主动扫描部分指纹【经过研判后取消此项Todo，考虑到谷歌插件自身语言和架构（JavaScript）对主动发包探测的效率和效果、已有主动识别指纹的开源项目的丰富程度，决定不追加该功能】
 
 4、UA、Cookie自定义
 
-4、机器码伪装
-
-6、联合规则检测
+5、机器码伪装
 
-7、嵌入Wappalyzer
+6、嵌入Wappalyzer
 
 ## 致谢
 

resource/data/data.db

@@ -88,6 +88,14 @@ var printerData = [
         rulecontent:{"name":"Set-Cookie","value":/rememberme/im },
         combinedrule: null
     },
+    {
+        rulename: "apache_shiro_responsecookie_4",
+        type: 1,
+        commandments:"Shiro: 响应头中包含shiro-deleteMe特征",
+        ruleposition: 4,
+        rulecontent:{"name":"Set-Cookie","value":/deleteMe/im },
+        combinedrule: null
+    },
     {
         rulename: "f5_bigip_requestcookie_1",
         type: 1,

resource/html/popup.html

@@ -23,14 +23,14 @@
 
                     <div style="display:inline-flex;align-items: center;justify-content: flex-end; flex-grow: 1;">
                         <el-tooltip class="box-item" effect="dark" content="暂停插件"  placement="bottom-end" v-if="pluginSwitch">
-                            <el-button type="default" circle @click="changePlugin" disabled>
+                            <el-button type="default" circle @click="changePlugin">
                                 <el-icon style="vertical-align: middle;">
                                     <svg viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg" data-v-78e17ca8=""><path fill="currentColor" d="M352 159.872V230.4a352 352 0 1 0 320 0v-70.528A416.128 416.128 0 0 1 512 960a416 416 0 0 1-160-800.128z"></path><path fill="currentColor" d="M512 64q32 0 32 32v320q0 32-32 32t-32-32V96q0-32 32-32z"></path></svg>
                                 </el-icon>
                             </el-button>
                         </el-tooltip>
                         <el-tooltip class="box-item" effect="dark" content="启用插件"  placement="bottom-end" v-else>
-                            <el-button type="default" circle  @click="changePlugin" disabled>
+                            <el-button type="default" circle  @click="changePlugin">
                                 <el-icon style="vertical-align: middle;">
                                     <svg viewBox="0 0 1024 1024" xmlns="http://www.w3.org/2000/svg" data-v-78e17ca8=""><path fill="currentColor" d="M384 192v640l384-320.064z"></path></svg>
                                 </el-icon>

resource/js/html/background.js

@@ -1,19 +1,13 @@
 'use strict'
 
-var HConfig = {"keyWordSniff" : true, "noPageCache" : true, "blockHoneypot" : false, "responseCheck" : false, "randomMachine" : false, "modifyUA": ""}
+var HConfig = {"keyWordSniff" : true, "noPageCache" : true, "blockHoneypot" : false, "responseCheck" : false, "randomMachine" : false, "pluginStart" : true, "modifyUA": ""}
 var HPrinter = {"position1" : [], "position2" : [], "position3" : [], "position4" : [], "position5" : []};
 var HSniffResult = {shost: "localhost", sresult:[]}
 var nowTabs = -999
 var responseBodyHost = {}
 
 // 清除配置缓存
-// chrome.storage.local.set({HConfig: null}, function() {});
-
-
-
-
-
-
+//chrome.storage.local.set({HConfig: null}, function() {});
 
 
 
@@ -28,8 +22,6 @@ var responseBodyHost = {}
 // }, {urls: ["<all_urls>"]}, ["responseHeaders","extraHeaders"]);
 
 
-
-
 // 删除 User-Agent 标头：
 
 // chrome.webRequest.onBeforeSendHeaders.addListener(
@@ -52,8 +44,6 @@ Init()
 
 
 
-
-
 function Init() {
   initConfig()
   //initPrinter()
@@ -63,7 +53,7 @@ function Init() {
 
 function initConfig(){
   chrome.browserAction.setBadgeBackgroundColor({color: "#107c10"})
-  HConfig = {"keyWordSniff" : true, "noPageCache" : true, "blockHoneypot" : false, "responseCheck" : false, "randomMachine" : false, "modifyUA": ""}
+  HConfig = {"keyWordSniff" : true, "noPageCache" : true, "blockHoneypot" : false, "responseCheck" : false, "randomMachine" : false,  "pluginStart" : true, "modifyUA": ""}
   chrome.storage.local.get(['HConfig'], function(webstorage) {
     if (webstorage.HConfig != null && webstorage.HConfig != {}){
         HConfig = webstorage.HConfig
@@ -77,7 +67,6 @@ function initConfig(){
 
 function initPrinter(){
   HPrinter = {"position1" : [], "position2" : [], "position3" : [], "position4" : [], "position5" : []};
-
   if (HConfig.keyWordSniff == false){
     for ( let i of printerData ) {
       if (i.type != 2){
@@ -117,7 +106,7 @@ function initData(){
 }
 
 function initMonitor(){
-  // 杂项
+  // 工具杂项
   initToolsMonitor()
   // tabs 变更逻辑
   initTabsMonitor()
@@ -146,15 +135,10 @@ function initToolsMonitor() {
       console.log("modify config",changes.HConfig.newValue);
     }
   });
-  // 右键菜单监听
-  chrome.contextMenus.create({
-    title: "发起主动扫描",
-    enabled: false,
-    onclick: function(){alert('功能暂不可用！');}
-  });
 }
 
 
+
 function checkRule(checkContent, checkRule){
   if (checkContent.search(checkRule) == -1){
     return false
@@ -163,12 +147,16 @@ function checkRule(checkContent, checkRule){
   }
 }
 
+
+
 function refreshResult(){
   chrome.storage.local.set({HSniffResult: HSniffResult}, function() {
     console.log('Result is ' + JSON.stringify(HSniffResult));
   });
 }
 
+
+
 function tabsOnActiveChangedListener(tabId, selectInfo) {
   chrome.tabs.query({currentWindow: true, active: true}, function(tabArray) {
     if (tabArray[0].id != null && tabArray[0].id == tabId){
@@ -190,7 +178,6 @@ function tabsOnActiveChangedListener(tabId, selectInfo) {
 function tabsOnUpdatedListener(tabId, changeInfo, tab) {
   if(changeInfo.status == "complete" && tab.url != null){
     chrome.tabs.query({currentWindow: true, active: true}, function(tabArray) {
-      console.log(tabArray);
       if (tabArray[0].id != null && tabArray[0].id == tab.id){
         let hhost = tab.url.split('/')[2]
         if (HSniffResult.shost != hhost){
@@ -212,12 +199,30 @@ function tabsOnUpdatedListener(tabId, changeInfo, tab) {
   }
 }
 
+
+
 function initCheckMonitor(){
   chrome.webRequest.onBeforeRequest.addListener(webRequestOnbeforeRequestListener, {urls: ["http://*/*","https://*/*"]}, ["requestBody","extraHeaders", "blocking"]);
   chrome.webRequest.onBeforeSendHeaders.addListener(webRequestOnBeforeSendHeadersListener, {urls: ["http://*/*","https://*/*"]}, ["requestHeaders","extraHeaders"]);
   chrome.webRequest.onResponseStarted.addListener(webRequestOnResponseStartedListener, {urls: ["<all_urls>"]}, ["responseHeaders","extraHeaders"]);
 }
 
+function deleteCheckMonitor(){
+  chrome.webRequest.onBeforeRequest.removeListener(webRequestOnbeforeRequestListener);
+  chrome.webRequest.onBeforeSendHeaders.removeListener(webRequestOnBeforeSendHeadersListener);
+  chrome.webRequest.onResponseStarted.removeListener(webRequestOnResponseStartedListener);
+  console.log("存在监听器",chrome.webRequest.onResponseStarted.hasListener(webRequestOnResponseStartedListener))
+  if (chrome.tabs.onActivated.hasListener(responseBodyCheckListener)){
+    chrome.tabs.onActivated.removeListener(responseBodyCheckListener)
+    if (nowTabs != -999) {
+      chrome.debugger.detach({tabId: nowTabs})
+    }
+  }
+  if (chrome.debugger.onEvent.hasListener(allNetworkEventHandler)) {
+    chrome.debugger.onEvent.removeListener(allNetworkEventHandler)
+  }
+}
+
 function setResponseCheckListener(){
   if (chrome.tabs.onActivated.hasListener(responseBodyCheckListener)){
     chrome.tabs.onActivated.removeListener(responseBodyCheckListener)
@@ -237,29 +242,20 @@ function setResponseCheckListener(){
 
 }
 
-
 function webRequestOnbeforeRequestListener(details) {
   if(details.type == 'main_frame' || details.type == 'sub_frame' || details.type == 'script' || details.type == 'xmlhttprequest' || details.type == 'other' || details.type == 'object'){
     // url check
     for ( let i of HPrinter.position1 ) {
       let checkResult = checkRule(details.url,i.rulecontent)
       if (checkResult == true){
-        if (i.type == 4 && HSniffResult.shost.search(i.rulecontent) != -1) {
-          // 匹配蜜罐规则，但是访问网站本身就是规则指向的网站，此时不做处理
-        } else {
-          let nowResult
-          if (details.initiator != null) {
-            nowResult = {sid: i.type, scontent: i.commandments, sshost: details.initiator.split('/')[2]}
-          } else if (details.type == "main_frame" && details.url != null){
-            nowResult = {sid: i.type, scontent: i.commandments, sshost: details.url.split('/')[2]}
-          }
-          if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
-            HSniffResult.sresult.push(nowResult)
-            refreshResult()
-          }
-          if (i.type == 4 && HConfig.blockHoneypot == true){
-            return {cancel: true}; 
-          }
+        let nowResult
+        nowResult = {sid: i.type, scontent: i.commandments, sshost: getRealHost(details)}
+        if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
+          HSniffResult.sresult.push(nowResult)
+          refreshResult()
+        }
+        if (i.type == 4 && HConfig.blockHoneypot == true){
+          return {cancel: true}; 
         }
       }
     }
@@ -275,7 +271,7 @@ function webRequestOnbeforeRequestListener(details) {
           requestBodyContent = decodeURIComponent(encodeURIComponent(String.fromCharCode.apply(null, new Uint8Array(details.requestBody.raw[0].bytes))))
         } else {
           //other
-          for ( let i of details.requestBody.raw ) {
+          for (let i of details.requestBody.raw) {
             if (i.bytes != null){
               requestBodyContent = requestBodyContent + decodeURIComponent(encodeURIComponent(String.fromCharCode.apply(null, new Uint8Array(details.requestBody.raw[0].bytes))))
             } else {
@@ -289,7 +285,7 @@ function webRequestOnbeforeRequestListener(details) {
       for ( let i of HPrinter.position3 ) {
         let checkResult = checkRule(requestBodyContent,i.rulecontent)
         if (checkResult == true){
-          let nowResult = {sid: i.type, scontent: i.commandments, sshost: details.initiator.split('/')[2]}
+          let nowResult = {sid: i.type, scontent: i.commandments, sshost: getRealHost(details)}
           if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
             HSniffResult.sresult.push(nowResult)
             refreshResult()
@@ -298,6 +294,7 @@ function webRequestOnbeforeRequestListener(details) {
       }
     }
   } else if (details.type == 'websocket' || details.type == 'stylesheet' || details.type == 'image' || details.type == 'media' || details.type == 'font'  || details.type == 'csp_report' || details.type == 'ping'){}
+    //其他类型的请求，暂不处理
 }
 
 function webRequestOnBeforeSendHeadersListener(details) {
@@ -308,17 +305,23 @@ function webRequestOnBeforeSendHeadersListener(details) {
     }
     for ( let i of HPrinter.position2 ) {
       if (nowlist.indexOf(i.rulecontent.name) != -1){
-        let checkResult = checkRule(details.requestHeaders[nowlist.indexOf(i.rulecontent.name)].value,i.rulecontent.value)
-        if (checkResult == true){
-          let nowResult = {sid: i.type, scontent: i.commandments, sshost: details.initiator.split('/')[2]}
-          if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
-            HSniffResult.sresult.push(nowResult)
-            refreshResult()
+        for (let j=0; j<nowlist.length; j++){
+          if (nowlist[j] == i.rulecontent.name){
+            let checkResult = checkRule(details.requestHeaders[j].value,i.rulecontent.value)
+            if (checkResult == true){
+              let nowResult = {sid: i.type, scontent: i.commandments, sshost: getRealHost(details)}
+              if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
+                HSniffResult.sresult.push(nowResult)
+                refreshResult()
+              }
+              break
+            }
           }
         }
       }
     } 
   } else if (details.type == 'websocket' || details.type == 'stylesheet' || details.type == 'image' || details.type == 'media' || details.type == 'font'  || details.type == 'csp_report' || details.type == 'ping'){}
+    //其他类型的请求，暂不处理
 }
 
 function webRequestOnResponseStartedListener(details) {
@@ -329,17 +332,23 @@ function webRequestOnResponseStartedListener(details) {
     }
     for ( let i of HPrinter.position4 ) {
       if (nowlist.indexOf(i.rulecontent.name) != -1){
-        let checkResult = checkRule(details.responseHeaders[nowlist.indexOf(i.rulecontent.name)].value,i.rulecontent.value)
-        if (checkResult == true){
-          let nowResult = {sid: i.type, scontent: i.commandments, sshost: details.initiator.split('/')[2]}
-          if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
-            HSniffResult.sresult.push(nowResult)
-            refreshResult()
+        for (let j=0; j<nowlist.length; j++){
+          if (nowlist[j] == i.rulecontent.name){
+            let checkResult = checkRule(details.responseHeaders[j].value,i.rulecontent.value)
+            if (checkResult == true){
+              let nowResult = {sid: i.type, scontent: i.commandments, sshost: getRealHost(details)}
+              if (!HSniffResult.sresult.some(item => { if (item.scontent == i.commandments) return true })){
+                HSniffResult.sresult.push(nowResult)
+                refreshResult()
+              }
+              break
+            }
           }
         }
       }
     } 
   } else if (details.type == 'websocket' || details.type == 'stylesheet' || details.type == 'image' || details.type == 'media' || details.type == 'font'  || details.type == 'csp_report' || details.type == 'ping'){}
+    //其他类型的请求，暂不处理 
 }
 
 
@@ -416,4 +425,13 @@ function allNetworkEventHandler(debuggerId, message, params) {
       }
     }
   }
+}
+
+
+function getRealHost(details){
+  if (details.initiator != null) {
+    return details.initiator.split('/')[2]
+  } else if (details.url != null) {
+    return details.url.split('/')[2]
+  }
 }

resource/js/html/popup.js

@@ -22,6 +22,8 @@ const App = {
     },
     methods: {
         initPopupConfig(nowConf){
+            this.pluginSwitch = nowConf.pluginStart
+
             this.responseCheckSwitch = nowConf.responseCheck
             this.blockHoneypotSwitch = nowConf.blockHoneypot
             this.keyWordSniffSwitch = nowConf.keyWordSniff
@@ -39,7 +41,15 @@ const App = {
               });
         },
         changePlugin(){
+            if (this.pluginSwitch == true){
+                chrome.extension.getBackgroundPage().deleteCheckMonitor()
+
+            } else if (this.pluginSwitch == false){
+                chrome.extension.getBackgroundPage().initMonitor()
+            }
             this.pluginSwitch =! this.pluginSwitch
+            chrome.extension.getBackgroundPage().HConfig.pluginStart = this.pluginSwitch
+            chrome.storage.local.set({HConfig: chrome.extension.getBackgroundPage().HConfig}, function() {})
         },
         removePopupResult(event){
             var _this = this;