Nessus NASL reading notes: ping_host.nasl
General information
1 NASL uses # for comments.
2 Other files are pulled in with statements of the form include("compat.inc"); (the author took these for C code; they are NASL include libraries, the .inc files shipped with the plugin feed).
3 The if(description) block also refers to other NASL scripts, e.g. script_dependencies("apache_http_version.nasl");, which declares that this plugin depends on that script having run first.
4 Tenable's nasl parser (the nasl gem, see References) is written in Ruby.
5 D:\Program Files\Tenable\Nessus\nessus\nessus-services is a port/service-name table in the style of Nmap's nmap-services file.
References
NASL parser
https://github.com/tenable/nasl
NASL documentation generator
https://github.com/tenable/nasldoc
Documentation for the Ruby nasl gem
https://www.rubydoc.info/gems/nasl/0.0.8/Nasl/Grammar
NASL syntax highlighting plugin for Notepad++
https://github.com/tenable/notepadpp-nasl
NASL syntax highlighting for Atom
https://github.com/paulewog/language-nasl
NASL syntax highlighting for Sublime Text
https://github.com/tenable/sublimetext-nasl
A few older books also give a brief introduction to NASL syntax:
Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits
Elsevier, Apr 26, 2005
by James C. Foster
Chapter 2, NASL Scripting
https://books.google.com/books?id=ZNI5dvBSfZoC&printsec=frontcover#v=onepage&q&f=false
http://jack.akprind.ac.id/doc/materi/progjar/Syngress.Sockets.Shellcode.Porting.and.Coding.pdf
Nessus Network Auditing: Jay Beale Open Source Security Series
Syngress, 1st edition (October 14, 2004)
by Jay Beale
Chapter 11, NASL
https://books.google.com/books?id=gUKveBFIP6wC&printsec=frontcover&source=gbs_atb#v=onepage&q&f=false
https://epdf.tips/queue/nessus-network-auditing490f22813e96356008d9043c17c9f2173612.html
Nessus's ping
The plugin's own description of what it does:
Nessus was able to determine if the remote host is alive using one or more of the following ping types:
- An ARP ping, provided the host is on the local subnet and Nessus is running over Ethernet.
- An ICMP ping.
- A TCP ping, in which the plugin sends to the remote host a packet with the flag SYN, and the host will reply with a RST or a SYN/ACK.
- A UDP ping (e.g., DNS, RPC, and NTP).
Code snippets for detecting firewalls and other network devices
These detection routines are fairly old, however, and may no longer be reliable.
Fortinet
#
# Fortinet Firewalls act as an AV gateway. They do that
# by acting as a man-in-the-middle between the connection
# and the recipient. If there is NO recipient, then sending
# data to one of the filtered ports will result in a timeout.
#
# By default, Fortinet listens on port 21,25,80,110 and 143.
#
#
function check_fortinet_av_gateway()
{
  local_var soc, now, r;

  # An ARP reply or fast discovery has already settled the question.
  if ( did_arp ) return FALSE;
  if ( fast_network_discovery == "yes" ) return FALSE;

  # SMTP, POP3 and IMAP servers greet the client first. A connection that
  # is accepted but then stays silent for the full 5 s timeout is the
  # symptom of a proxy with no real server behind it; a banner, an
  # immediate EOF or a refused connection means a real host, so stop.
  soc = open_sock_tcp(25, timeout:3);
  if ( !soc ) return 0;
  now = unixtime();
  r = recv_line(socket:soc, length:1024, timeout:5);
  if ( r || unixtime() - now < 4 ) return 0;
  close(soc);

  soc = open_sock_tcp(110, timeout:3);
  if ( ! soc ) return 0;
  now = unixtime();
  r = recv_line(socket:soc, length:1024, timeout:5);
  if ( r || unixtime() - now < 4 ) return 0;
  close(soc);

  soc = open_sock_tcp(143, timeout:3);
  if ( ! soc ) return 0;
  now = unixtime();
  r = recv_line(socket:soc, length:1024, timeout:5);
  if ( r || unixtime() - now < 4 ) return 0;
  close(soc);

  # An HTTP server never speaks first, so port 80 gets a GET / before
  # the same wait for a reply.
  soc = open_sock_tcp(80, timeout:3);
  if ( ! soc ) return 0;
  send(socket:soc, data:http_get(item:"/", port:80));
  now = unixtime();
  r = recv_line(socket:soc, length:1024, timeout:5);
  if ( r || unixtime() - now < 4 ) return 0;
  close(soc);

  # All four ports accepted the connection and then said nothing.
  return 1;
}
Riverhead
Riverhead Networks was acquired by Cisco in 2004.
function check_riverhead_and_consorts()
{
  local_var ip, tcpip, i, is, flags, j, r;

  if ( TARGET_IS_IPV6 ) return 0;
  if ( did_arp ) return 0;
  if ( fast_network_discovery == "yes") return 0;

  # IPv4 header template reused for every probe.
  ip = forge_ip_packet(ip_v : 4,
                       ip_hl : 5,
                       ip_tos : 0,
                       ip_len : 40,
                       ip_id : rand() % 65535,
                       ip_p : IPPROTO_TCP,
                       ip_ttl : 175,
                       ip_off : 0,
                       ip_src : this_host());

  # Probe offsets: 0..9 plus four random values in 10..1033. The probes go
  # to destination ports 60000+i, which no ordinary host should be serving.
  is = make_list();
  for ( i = 0 ; i < 10 ; i ++ )
  {
    is = make_list(is, i);
  }
  for ( i = 1 ; i < 5 ; i++ )
  {
    is = make_list(is, (rand() % 1024) + 10);
  }

  foreach i (is)
  {
    # tcp_opt is a global defined elsewhere in ping_host.nasl (the TCP
    # options appended to the SYN); it is not part of this excerpt.
    tcpip = forge_tcp_packet(ip : ip,
                             th_sport : 63000 + i,
                             th_dport : 60000 + i,
                             th_flags : TH_SYN,
                             th_seq : rand(),
                             th_ack : 0,
                             th_x2 : 0,
                             th_off : 5,
                             th_win : 512,
                             data: tcp_opt);

    # Up to three sends, each waiting 1 s for a reply that matches the
    # reversed address/port tuple of this probe.
    for ( j = 0 ; j < 3 ; j ++ )
    {
      r = send_packet(tcpip, pcap_active:TRUE, pcap_filter:"src host " + get_host_ip()+ " and dst host " + this_host() + " and src port " + int(60000 + i) + " and dst port " + int(63000 + i ), pcap_timeout:1);
      if ( r ) break;
    }

    # Silence, or anything other than exactly SYN|ACK, on any one of these
    # ports means a normal host: stop here.
    if ( ! r ) return 0;
    flags = get_tcp_element(tcp:r, element:"th_flags");
    if( flags != (TH_SYN|TH_ACK) ) return 0;
  }

  # Every probe, the random ports included, was answered with SYN|ACK.
  security_note(extra:"
The remote host seems to be a RiverHead device, or some sort of decoy (it
returns a SYN|ACK for any port), so Nessus will not scan it. If you want
to force a scan of this host, disable the 'ping' plugin and restart a
scan.", port:0);
  return 1;
}
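The TCP ping rule quoted earlier (a RST or a SYN/ACK both prove the host is up) and check_riverhead_and_consorts() (SYN|ACK on every probe to a port nobody should serve means a decoy) both come down to forging a SYN and reading the flags of whatever comes back. The block below is an added example in Python rather than NASL and is not code from ping_host.nasl or from Tenable: forge_tcp(), checksums_ok(), classify_reply(), riverhead_probe_offsets() and looks_like_decoy() are my own names, the 192.0.2.x addresses and the replies in the demo are constructed, and nothing is put on the wire (doing so needs a raw socket and root, which is what send_packet() has inside Nessus).

```python
import random
import socket
import struct

# TCP flag bits, named as in NASL's forge_tcp_packet()/get_tcp_element().
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def forge_tcp(src_ip, dst_ip, sport, dport, seq, flags=TH_SYN, ack=0,
              ttl=175, win=512, ip_id=None) -> bytes:
    """40-byte IPv4+TCP segment with both checksums filled in: the equivalent
    of forge_ip_packet() followed by forge_tcp_packet() with th_off:5 and no
    options. Defaults mirror the NASL (ttl 175, window 512, random IP id)."""
    ip_id = random.randrange(65535) if ip_id is None else ip_id
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0,
                      ttl, socket.IPPROTO_TCP, 0, src, dst)
    iph = iph[:10] + struct.pack("!H", inet_checksum(iph)) + iph[12:]
    return iph + tcp


def checksums_ok(packet: bytes) -> bool:
    """Both checksums verify iff the sum over the filled-in headers is zero."""
    ihl = (packet[0] & 0x0F) * 4
    iph, tcp = packet[:ihl], packet[ihl:]
    pseudo = iph[12:16] + iph[16:20] + struct.pack("!BBH", 0, iph[9], len(tcp))
    return inet_checksum(iph) == 0 and inet_checksum(pseudo + tcp) == 0


def tcp_flags(packet: bytes) -> int:
    """The th_flags byte of the TCP header behind an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 13]


def classify_reply(reply):
    """TCP ping rule: a RST or a SYN/ACK each prove the host is alive."""
    if reply is None:
        return None
    f = tcp_flags(reply)
    if f & TH_RST:
        return "rst"
    if f & (TH_SYN | TH_ACK) == (TH_SYN | TH_ACK):
        return "synack"
    return None


def riverhead_probe_offsets(rng=random):
    """Offsets used by check_riverhead_and_consorts(): 0..9 plus four random
    values in 10..1033; each probe goes to dport 60000+i from sport 63000+i."""
    return list(range(10)) + [rng.randrange(1024) + 10 for _ in range(4)]


def looks_like_decoy(replies) -> bool:
    """replies: (dport, reply_packet_or_None) per probe. Decoy only if every
    probe, random ports included, came back exactly SYN|ACK (the NASL compares
    for equality); any silence or any other flag combination clears the host."""
    return bool(replies) and all(
        r is not None and tcp_flags(r) == (TH_SYN | TH_ACK) for _, r in replies)


if __name__ == "__main__":
    offsets = riverhead_probe_offsets()
    probes = [forge_tcp("192.0.2.10", "192.0.2.20", 63000 + i, 60000 + i, 1000 + i)
              for i in offsets]
    # Constructed replies: a decoy answers SYN|ACK to every probe.
    decoy = [(60000 + i, forge_tcp("192.0.2.20", "192.0.2.10", 60000 + i, 63000 + i, 7,
                                   flags=TH_SYN | TH_ACK, ack=1001 + i)) for i in offsets]
    print("all probes well-formed:", all(checksums_ok(p) for p in probes))
    print("decoy:", looks_like_decoy(decoy))
```

The equality test in looks_like_decoy() is deliberate: a real server with a listener on one of the probed ports also answers SYN|ACK, which is why the NASL spends four of its fourteen probes on random ports and bails out on the first port that stays quiet or sends RST.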
Novell Netware
A network operating system that was retired around 2009; today it can essentially be ignored.
function check_netware()
{
  local_var ports, then, port, soc, num_sockets, num_ready, ready;
  local_var report, banner;

  if ( NASL_LEVEL < 3000 ) return 0;
  # The user explicitly asked to scan NetWare hosts anyway.
  if ( get_kb_item("Scan/Do_Scan_Novell") ) return 0;

  report = "
The remote host appears to be running Novell Netware. This operating
system has a history of crashing or otherwise being adversely affected
by scans. As a result, the scan has been disabled against this host.
http://www.nessus.org/u?08f07636
http://www.nessus.org/u?87d03f4c
If you want to scan the remote host enable the option 'Scan Novell
Netware hosts' in the Nessus client and re-scan it. ";

  # Start non-blocking connects to all three HTTP ports at once and poll
  # them together, for at most about 3 s of inactivity.
  ports = make_list(80, 81, 8009);
  then = unixtime();
  foreach port ( ports )
    soc[port] = open_sock_tcp(port, nonblocking:TRUE);

  while ( TRUE )
  {
    num_sockets = 0;
    num_ready = 0;
    foreach port ( ports )
    {
      if ( soc[port] )
      {
        num_sockets ++;
        # socket_ready() is 0 while the connect is still pending; a positive
        # value means connected, anything else means the connect failed.
        if ( (ready = socket_ready(soc[port])) != 0 )
        {
          num_ready ++;
          if ( ready > 0 )
          {
            send(socket:soc[port], data:string("GET / HTTP/1.0\r\n\r\n"));
            banner = recv(socket:soc[port], length:4096);
          }
          else banner = NULL;
          close(soc[port]);
          soc[port] = 0;
          # NetWare's own HTTP stack, or an Apache built for NetWare
          if ( banner && egrep(pattern:"Server: (NetWare HTTP Stack|Apache(/[^ ]*)? \(NETWARE\))", string:banner) )
          {
            security_note(port:0, extra:report);
            return 1;
          }
        }
      }
    }
    # Done once every socket has been handled, or after ~3 s in which no
    # connect completed.
    if ( num_sockets == 0 ) return 0;
    if ( num_ready == 0 && (unixtime() - then) >= 3 ) return 0;
    usleep(50000);
  }
  return 0;
}
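check_fortinet_av_gateway() and check_netware() are both "connect and see who talks first" heuristics: the first treats a port that accepts the connection and then stays mute for the whole timeout as the mark of a transparent proxy with nobody behind it, the second fires a bare GET / at 80, 81 and 8009 in parallel and greps the Server header. The Python below is an added example, not code from ping_host.nasl or from Tenable. silent_after_connect(), looks_like_av_gateway(), looks_like_netware() and the fake_listener() fixture are my own names; fake_listener() stands in for the remote host on 127.0.0.1 so both checks can be exercised offline with short timeouts, and the banners it serves are constructed.

```python
import re
import selectors
import socket
import threading
import time

# Same pattern as the egrep() call in check_netware()
NETWARE_SERVER_RE = re.compile(rb"Server: (NetWare HTTP Stack|Apache(/[^ ]*)? \(NETWARE\))")
HTTP_GET = b"GET / HTTP/1.0\r\n\r\n"


def fake_listener(banner, hold=2.0):
    """Constructed fixture, not a real device: a localhost TCP service on an
    ephemeral port. With banner=None it accepts and then says nothing for
    `hold` seconds (what the NASL attributes to a Fortinet AV gateway with no
    recipient behind it); otherwise it sends `banner` at once. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(hold + 10)            # the thread gives up when unused

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    if banner is None:
                        time.sleep(hold)
                    else:
                        conn.sendall(banner)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def silent_after_connect(host, port, timeout, request=None) -> bool:
    """Connect, optionally send `request`, then wait `timeout` for any byte.
    True only when the connection was accepted and the full timeout passed in
    silence; a banner, an immediate EOF or a refused/filtered port all give
    False, the same outcomes that make check_fortinet_av_gateway() return 0."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    with sock:
        try:
            if request:
                sock.sendall(request)
            sock.recv(1024)
        except socket.timeout:
            return True
        except OSError:
            return False
    return False


def looks_like_av_gateway(host, probes, timeout=4.0) -> bool:
    """probes: [(port, request_or_None)], e.g. 25/110/143 with None (server
    greets first) and 80 with HTTP_GET (client speaks first). Only if every
    port accepts and then stays mute is the host written off as a gateway."""
    return bool(probes) and all(silent_after_connect(host, p, timeout, req)
                                for p, req in probes)


def looks_like_netware(host, ports=(80, 81, 8009), timeout=3.0) -> bool:
    """Non-blocking connect to every port at once, as check_netware() does;
    each socket that connects gets GET / and its Server header is grepped.
    Gives up once `timeout` seconds have passed."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        try:
            s.connect((host, port))
        except BlockingIOError:          # connect in progress (the normal case)
            pass
        except OSError:                  # refused outright
            s.close()
            continue
        sel.register(s, selectors.EVENT_WRITE)
    deadline = time.monotonic() + timeout
    found = False
    while sel.get_map() and not found and time.monotonic() < deadline:
        for key, _ in sel.select(timeout=0.05):
            s = key.fileobj
            sel.unregister(s)
            banner = b""
            if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                s.settimeout(timeout)    # back to blocking for the exchange
                try:
                    s.sendall(HTTP_GET)
                    banner = s.recv(4096)
                except OSError:
                    pass
            s.close()
            found = found or bool(NETWARE_SERVER_RE.search(banner))
    for key in list(sel.get_map().values()):
        key.fileobj.close()
    sel.close()
    return found


if __name__ == "__main__":
    silent = [(fake_listener(None), None) for _ in range(3)] + [(fake_listener(None), HTTP_GET)]
    print("av gateway:", looks_like_av_gateway("127.0.0.1", silent, timeout=0.5))
    nw = fake_listener(b"HTTP/1.0 200 OK\r\nServer: NetWare HTTP Stack\r\n\r\n")
    print("netware:", looks_like_netware("127.0.0.1", [nw], timeout=1.0))
```

Against a real target the timeouts matter: the plugin waits 5 s per port and requires at least 4 s of silence, because a slow but genuine SMTP server that greets after two seconds must not be mistaken for a gateway, while the 0.5 s used in the demo is only acceptable because the listener is on localhost.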
On the relationship between Nmap and Nessus
https://www.tenable.com/blog/using-nmap-results-with-nessus-batch-scanning
Nmap and Nessus have different types of scanning philosophies and understanding how they work can help you achieve success with your network scanning efforts. The Nessus server includes its own portscanning, service fingerprinting and operating system identification techniques that are similar but independent from Nmap’s.