Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

Nessus NASL 阅读笔记 ping_host.nasl

wpadmin~August 12, 2018 /InfoSec

Nessus NASL 阅读笔记 ping_host.nasl

通用信息

1 nasl 使用 # 来注释
2 使用 形如 include("compat.inc"); 来添加 (疑似 C 代码) 的引用
3 在 if(description) 区域也有对其他 nasl 脚本的引用 script_dependencies("apache_http_version.nasl");
4 nasl-parser 是基于 ruby 的
5 D:\Program Files\Tenable\Nessus\nessus\nessus-services 是一个类似 Nmap 的 nmap-service 的文件

参考资料

NASL parser
https://github.com/tenable/nasl

NASL 的文档生成器
https://github.com/tenable/nasldoc

Ruby nasl 的文档
https://www.rubydoc.info/gems/nasl/0.0.8/Nasl/Grammar

Notepad++ 的 NASL 语法高亮插件
https://github.com/tenable/notepadpp-nasl

Atom NASL 语法高亮
https://github.com/paulewog/language-nasl

Sublime Text 语法高亮
https://github.com/tenable/sublimetext-nasl

另外有几本古老的书对 NASL 的语法有过简单介绍

Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits
Elsevier, Apr 26, 2005
by James C Foster
Chapter 2 NASL Scripting
https://books.google.com/books?id=ZNI5dvBSfZoC&printsec=frontcover#v=onepage&q&f=false

http://jack.akprind.ac.id/doc/materi/progjar/Syngress.Sockets.Shellcode.Porting.and.Coding.pdf

Nessus Network Auditing: Jay Beale Open Source Security Series
Syngress; 1 edition (October 14, 2004)
by Jay Beale
Chapter 11 NASL
https://books.google.com/books?id=gUKveBFIP6wC&printsec=frontcover&source=gbs_atb#v=onepage&q&f=false

https://epdf.tips/queue/nessus-network-auditing490f22813e96356008d9043c17c9f2173612.html

Nessus 的 ping

Nessus was able to determine if the remote host is alive using one or
more of the following ping types :

防火墙及其他网络设备检测代码片段

不过这些检测代码都有点年代久远,可能不太可靠。

Fortinet

#
# Fortinet Firewalls act as an AV gateway. They do that
# by acting as a man-in-the-middle between the connection
# and the recipient. If there is NO recipient, then sending
# data to one of the filtered ports will result in a timeout.
#
# By default, Fortinet listens on port 21,25,80,110 and 143.
#
#
function check_fortinet_av_gateway()
{
 local_var soc, now, r;

 if ( did_arp ) return FALSE;
 if ( fast_network_discovery == "yes" ) return FALSE;
 soc = open_sock_tcp(25, timeout:3);
 if ( !soc ) return 0;
 now = unixtime();
 r = recv_line(socket:soc, length:1024, timeout:5);
 if ( r || unixtime() - now < 4 ) return 0;
 close(soc);


 soc = open_sock_tcp(110, timeout:3);
 if ( ! soc ) return 0;
 now = unixtime();
 r = recv_line(socket:soc, length:1024, timeout:5);
 if ( r || unixtime() - now < 4 ) return 0;
 close(soc);

 soc = open_sock_tcp(143, timeout:3);
 if ( ! soc ) return 0;
 now = unixtime();
 r = recv_line(socket:soc, length:1024, timeout:5);
 if ( r || unixtime() - now < 4 ) return 0;
 close(soc);

 # ?
 soc = open_sock_tcp(80, timeout:3);
 if ( ! soc ) return 0;
 send(socket:soc, data:http_get(item:"/", port:80));
 now = unixtime();
 r = recv_line(socket:soc, length:1024, timeout:5);
 if ( r || unixtime() - now < 4 ) return 0;
 close(soc);


 return 1;
}

Riverhead

Riverhead Networks 于 2004 年已被 Cisco 收购。

function check_riverhead_and_consorts()
{
 local_var ip, tcpip, i, is, flags, j, r;

  if ( TARGET_IS_IPV6 ) return 0;
  if ( did_arp ) return 0;
  if ( fast_network_discovery == "yes") return 0;

   ip = forge_ip_packet(ip_v : 4,
                        ip_hl : 5,
                        ip_tos : 0,
                        ip_len : 40,
                        ip_id : rand() % 65535,
                        ip_p : IPPROTO_TCP,
                        ip_ttl : 175,
                        ip_off : 0,
            ip_src : this_host());



 is = make_list();
 for ( i = 0 ; i < 10 ; i ++ )
 {
   is = make_list(is, i);
 }
 for ( i = 1 ; i < 5 ; i++ )
 {
   is = make_list(is, (rand() % 1024) + 10);
 }

 foreach i (is)
 {
    tcpip = forge_tcp_packet(ip       : ip,
                             th_sport : 63000 + i,
                             th_dport : 60000 + i,
                             th_flags : TH_SYN,
                             th_seq   : rand(),
                             th_ack   : 0,
                             th_x2    : 0,
                             th_off   : 5,
                             th_win   : 512,
                 data:  tcp_opt);

    for ( j = 0 ; j < 3 ; j ++ )
    {
      r = send_packet(tcpip, pcap_active:TRUE, pcap_filter:"src host " + get_host_ip()+ " and dst host " + this_host() + " and src port " + int(60000 + i) + " and dst port " + int(63000 + i ), pcap_timeout:1);
      if ( r ) break;
    }
    if ( ! r ) return 0;
    flags = get_tcp_element(tcp:r, element:"th_flags");
    if( flags != (TH_SYN|TH_ACK) ) return 0;
 }

 security_note(extra:"
The remote host seems to be a RiverHead device, or some sort of decoy (it 
returns a SYN|ACK for any port), so Nessus will not scan it. If you want 
to force a scan of this host, disable the 'ping' plugin and restart a 
scan.", port:0);
 return 1;
}

Novell Netware

于 2009 年左右已经被淘汰的网络设备操作系统,基本上可以无视了。

function check_netware()
{
 local_var ports, then, port, soc, num_sockets, num_ready, ready;
 local_var report, banner;

 if ( NASL_LEVEL < 3000 ) return 0;
 if (  get_kb_item("Scan/Do_Scan_Novell") ) return 0;

 report = "
The remote host appears to be running Novell Netware.  This operating
system has a history of crashing or otherwise being adversely affected
by scans.  As a result, the scan has been disabled against this host. 

http://www.nessus.org/u?08f07636
http://www.nessus.org/u?87d03f4c

If you want to scan the remote host enable the option 'Scan Novell
Netware hosts' in the Nessus client and re-scan it. ";

  ports = make_list(80, 81, 8009);
  then = unixtime();
  foreach port ( ports )
     soc[port] = open_sock_tcp(port, nonblocking:TRUE);

  while ( TRUE )
  {
   num_sockets = 0;
   num_ready   = 0;
   foreach port ( ports )
   {
    if ( soc[port] )
    {
    num_sockets ++;
    if ( (ready = socket_ready(soc[port])) != 0 ) 
    {
     num_ready ++;
     if ( ready > 0 )
      {
          send(socket:soc[port], data:string("GET / HTTP/1.0\r\n\r\n"));
      banner = recv(socket:soc[port], length:4096);
      }
     else banner = NULL;
     close(soc[port]);
     soc[port] = 0;
     if ( banner && egrep(pattern:"Server: (NetWare HTTP Stack|Apache(/[^ ]*)? \(NETWARE\))", string:banner) )
        {
             security_note(port:0, extra:report);
             return 1;
        }
    }
    }
  }

  if ( num_sockets == 0 ) return 0;
  if ( num_ready   == 0 && (unixtime() - then) >= 3 ) return 0;
  usleep(50000);
 }
 return 0;
}

关于 Nmap 与 Nessus 的关系

https://www.tenable.com/blog/using-nmap-results-with-nessus-batch-scanning

Nmap and Nessus have different types of scanning philosophies and understanding how they work can help you achieve success with your network scanning efforts. The Nessus server includes its own portscanning, service fingerprinting and operating system identification techniques that are similar but independent from Nmap’s.

Leave a Reply

Your email address will not be published. Required fields are marked *