puppet templates

cves/2020/CVE-2020-7943.yaml

@@ -0,0 +1,38 @@
+id: CVE-2020-7943
+
+info:
+  name: Puppet Server and PuppetDB sensitive information disclosure
+  severity: high
+  author: c-sh0
+  description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
+  reference:
+    - https://puppet.com/security/cve/CVE-2020-7943
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-7943
+    - https://tickets.puppetlabs.com/browse/PDB-4876
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.50
+    cve-id: CVE-2020-7943
+    cwe-id: CWE-276
+  tags: cve,cve2020,puppet,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/metrics/v1/mbeans"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: word
+        part: body
+        words:
+          - "trapperkeeper"

exposed-panels/puppetboard-panel.yaml

@@ -0,0 +1,22 @@
+id: puppetboard-panel
+
+info:
+  name: Puppetlabs Puppetboard
+  author: c-sh0
+  severity: info
+  metadata:
+    shodan-query: http.title:"Puppetboard"
+  tags: panel,puppet,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Puppetboard</title>"

technologies/puppetdb-detect.yaml

@@ -0,0 +1,34 @@
+id: puppetdb-detect
+
+info:
+  name: PuppetDB Detection
+  author: c-sh0
+  severity: info
+  reference: https://puppet.com/docs/puppetdb/7/api/meta/v1/version.html#pdbmetav1version
+  tags: puppet,tech,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pdb/meta/v1/version"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: word
+        part: body
+        words:
+          - '"version"'
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - '"version"\s:\s"([0-9.]+)"'

technologies/puppetserver-detect.yaml

@@ -0,0 +1,35 @@
+id: puppetserver-detect
+
+info:
+  name: Puppetserver Detection
+  author: c-sh0
+  severity: info
+  reference: https://insinuator.net/2020/09/puppet-assessment-techniques/
+  tags: tech,puppet,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/puppet-ca/v1/certificate_request/{{randstr}}"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 404
+
+      - type: word
+        part: header
+        words:
+          - "x-puppet-version"
+        case-insensitive: true
+
+      - type: word
+        part: body
+        words:
+          - "{{randstr}}"
+
+    extractors:
+      - type: kval
+        kval:
+          - x_puppet_version