Updates

Author: voltsparx

lib/asrfacet_rb/scanner/probe_db.rb

@@ -44,6 +44,23 @@ def to_h
       ROOT = File.expand_path("../../../temp/nmap", __dir__)
       SERVICES_PATH = File.join(ROOT, "nmap-services")
       PROBES_PATH = File.join(ROOT, "nmap-service-probes")
+      SERVICE_FAMILY_ALIASES = {
+        "null" => { probe_names: ["NULL"], services: [] },
+        "genericlines" => { probe_names: ["GenericLines"], services: [] },
+        "httpoptions" => { probe_names: ["HTTPOptions"], services: ["http"] },
+        "rtsprequest" => { probe_names: ["RTSPRequest"], services: ["rtsp"] },
+        "sslsessionreq" => { probe_names: ["SSLSessionReq"], services: ["ssl", "https"] },
+        "sshsessionreq" => { probe_names: [], services: ["ssh"] },
+        "smtprequest" => { probe_names: [], services: ["smtp"] },
+        "ftprequest" => { probe_names: [], services: ["ftp"] },
+        "mssqlquery" => { probe_names: ["Sqlping"], services: ["ms-sql-s"] },
+        "mysqlrequest" => { probe_names: [], services: ["mysql", "mysqlx"] },
+        "postgresrequest" => { probe_names: [], services: ["postgresql"] },
+        "redisrequest" => { probe_names: ["redis-server"], services: ["redis"] },
+        "mongodbrequest" => { probe_names: ["mongodb"], services: ["mongodb"] },
+        "dnsquery" => { probe_names: ["DNSVersionBindReq", "DNSVersionBindReqTCP", "DNSStatusRequest", "DNSStatusRequestTCP", "DNS-SD", "DNS-SD-TCP", "DNS_SD_QU"], services: ["domain", "mdns"] },
+        "sipoptions" => { probe_names: ["SIPOptions"], services: ["sip"] }
+      }.freeze
 
       class << self
         private
@@ -238,6 +255,31 @@ def service_for(port, proto)
       def top_ports(count)
         TOP_PORTS.first(count.to_i)
       end
+
+      def probes_for_service(service, proto: nil)
+        family = SERVICE_FAMILY_ALIASES.fetch(service.to_s.strip.downcase, {
+          probe_names: [service.to_s],
+          services: [service.to_s.downcase]
+        })
+        PROBES.select do |probe|
+          next false if proto && probe.proto != proto.to_sym
+
+          family[:probe_names].include?(probe.name) || service_match?(probe, family[:services])
+        end
+      end
+
+      def supports_service?(service, proto: nil)
+        !probes_for_service(service, proto: proto).empty?
+      end
+
+      private
+
+      def service_match?(probe, services)
+        return false if services.empty?
+
+        all_services = probe.matches.map { |entry| entry[:service] } + probe.softmatches.map { |entry| entry[:service] }
+        services.any? { |service| all_services.include?(service) }
+      end
     end
   end
 end

spec/scanner/probe_db_spec.rb

@@ -34,4 +34,17 @@
   it "looks up a service name for a known TCP port" do
     expect(probe_db.service_for(22, :tcp)).to eq("ssh")
   end
+
+  it "supports the requested source-derived service families" do
+    expect(probe_db.supports_service?("SSHSessionReq", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("SMTPRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("FTPRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("MSSQLQuery", proto: :udp)).to be(true)
+    expect(probe_db.supports_service?("MySQLRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("PostgresRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("RedisRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("MongoDBRequest", proto: :tcp)).to be(true)
+    expect(probe_db.supports_service?("DNSQuery")).to be(true)
+    expect(probe_db.supports_service?("SIPOptions")).to be(true)
+  end
 end

spec/scanner/scan_types/ack_scan_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::AckScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST reply to unfiltered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:unfiltered)
+  end
+
+  it "maps no reply to filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:filtered)
+  end
+end

spec/scanner/scan_types/fin_scan_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::FinScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST reply to closed" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+  end
+
+  it "maps no reply to open_filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:open_filtered)
+  end
+end

spec/scanner/scan_types/maimon_scan_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::MaimonScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST reply to closed" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+  end
+
+  it "maps no reply to open_filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:open_filtered)
+  end
+end

spec/scanner/scan_types/null_scan_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::NullScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST reply to closed" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+  end
+
+  it "maps no reply to open_filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:open_filtered)
+  end
+end

spec/scanner/scan_types/service_scan_spec.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::ServiceScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:version_detector) { instance_double(ASRFacet::Scanner::VersionDetector) }
+  let(:context) do
+    instance_double(
+      ASRFacet::Scanner::ScanContext,
+      timing: ASRFacet::Scanner::Timing.get(3),
+      probe_db: probe_db,
+      version_detector: version_detector
+    )
+  end
+
+  it "annotates an open TCP port with version metadata" do
+    socket = instance_double(TCPSocket, close: true)
+    socket_class = class_double(TCPSocket, new: socket)
+    allow(version_detector).to receive(:detect).and_return(service: "http", version: "Apache 2.4.57", extra: "server", cpe: "cpe:/a:apache:http_server:2.4.57", banner: "HTTP/1.1 200 OK")
+
+    result = described_class.new(context, socket_class: socket_class).probe("example.com", 80)
+
+    expect(result.state).to eq(:open)
+    expect(result.version).to eq("Apache 2.4.57")
+    expect(result.cpe).to eq("cpe:/a:apache:http_server:2.4.57")
+  end
+
+  it "does not attempt version detection for a closed port" do
+    socket_class = class_double(TCPSocket)
+    allow(socket_class).to receive(:new).and_raise(Errno::ECONNREFUSED)
+    allow(version_detector).to receive(:detect)
+
+    result = described_class.new(context, socket_class: socket_class).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+    expect(version_detector).not_to have_received(:detect)
+  end
+end

spec/scanner/scan_types/window_scan_spec.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::WindowScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST with a positive window to open" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 1024 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:open)
+  end
+
+  it "maps an RST with a zero window to closed" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+  end
+
+  it "maps no reply to filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:filtered)
+  end
+end

spec/scanner/scan_types/xmas_scan_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# For use only on systems you own or have explicit
+# written authorization to test.
+# SPDX-License-Identifier: Proprietary
+#
+# ASRFacet-Rb: Attack Surface Reconnaissance Framework
+# Copyright (c) 2026 voltsparx
+#
+# Author: voltsparx
+# Repository: https://github.com/voltsparx/ASRFacet-Rb
+# Contact: voltsparx@gmail.com
+# License: See LICENSE file in the project root
+#
+# This file is part of ASRFacet-Rb and is subject to the terms
+# and conditions defined in the LICENSE file.
+
+require "spec_helper"
+
+RSpec.describe ASRFacet::Scanner::ScanTypes::XmasScan do
+  let(:probe_db) { instance_double(ASRFacet::Scanner::ProbeDB, service_for: "http") }
+  let(:timing) { ASRFacet::Scanner::Timing.get(3) }
+
+  it "maps an RST reply to closed" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :rst, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:closed)
+  end
+
+  it "maps no reply to open_filtered" do
+    context = instance_double(ASRFacet::Scanner::ScanContext, timing: timing, probe_db: probe_db, tcp_prober: instance_double(ASRFacet::Scanner::Probes::TCPProber, send_probe: { reply: :timeout, window: 0 }))
+
+    result = described_class.new(context).probe("example.com", 80)
+
+    expect(result.state).to eq(:open_filtered)
+  end
+end