[Openvas-commits] r1142 - trunk/openvas-compendium

scm-commit at wald.intevation.org
Mon Aug 18 10:50:49 CEST 2008


Author: mwiegand
Date: 2008-08-18 10:50:49 +0200 (Mon, 18 Aug 2008)
New Revision: 1142

Modified:
   trunk/openvas-compendium/ChangeLog
   trunk/openvas-compendium/openvas-compendium.tex
Log:
Started section about NASL structure, migrated
section about NASL testing and debugging.


Modified: trunk/openvas-compendium/ChangeLog
===================================================================
--- trunk/openvas-compendium/ChangeLog	2008-08-15 13:54:41 UTC (rev 1141)
+++ trunk/openvas-compendium/ChangeLog	2008-08-18 08:50:49 UTC (rev 1142)
@@ -1,42 +1,49 @@
+2008-08-18  Michael Wiegand <michael.wiegand at intevation.de>
+
+	* openvas-compendium.tex: Started section about NASL structure, migrated
+	section about NASL testing and debugging.
+
+	* ChangeLog: Fixed misspelling of "compendium" in the last entries. :)
+
 2008-08-15  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Reordered sections to bring them in the same
+	* openvas-compendium.tex: Reordered sections to bring them in the same
 	order as they are presented in the GUI; added KB configuration
 	screenshot.
 
 2008-08-15  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added section about client side KB saving
+	* openvas-compendium.tex: Added section about client side KB saving
 	configuration.
 
 2008-08-15  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added sections about source code management,
+	* openvas-compendium.tex: Added sections about source code management,
 	code quality and patch submission.
 
 2008-08-15  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added screenshots for WLSCs.
+	* openvas-compendium.tex: Added screenshots for WLSCs.
 
 2008-08-15  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added information about KB entries set by NES
+	* openvas-compendium.tex: Added information about KB entries set by NES
 	scripts.
 
 2008-08-14  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added first set of information about KB entries
+	* openvas-compendium.tex: Added first set of information about KB entries
 	obtained by a grep for set_kb_item in openvas-plugins/scripts.
 
 2008-08-14  Michael Wiegand <michael.wiegand at intevation.de>
 
-	* openvas-compedium.tex: Added information about NVT feeds from website,
+	* openvas-compendium.tex: Added information about NVT feeds from website,
 	added an introduction to NASL, collected and added built-in functions
 	for NASL1 and NASL2.
 
 2008-08-13  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
 
-	* openvas-compedium.tex: Various little improvements/cleanup
+	* openvas-compendium.tex: Various little improvements/cleanup
 	and some new section/chapter headers.
 
 2008-08-04  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
@@ -45,7 +52,7 @@
 
 	* VERSION: Set to 0.2.0.SVN.
 
-	* openvas-compedium.tex: Version set to 0.2.0.SVN.
+	* openvas-compendium.tex: Version set to 0.2.0.SVN.
 
 2008-08-04  Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
 

Modified: trunk/openvas-compendium/openvas-compendium.tex
===================================================================
--- trunk/openvas-compendium/openvas-compendium.tex	2008-08-15 13:54:41 UTC (rev 1141)
+++ trunk/openvas-compendium/openvas-compendium.tex	2008-08-18 08:50:49 UTC (rev 1142)
@@ -2165,8 +2165,58 @@
 
 \section{Basic Structure of NASL Scripts}
 
-\compendiumauthor{Tim Brown}
+All NASL scripts have to contain a set of information about themselves by which
+they can be distinguished from other plugins and referenced by other tools like
+the client. This information is contained in the \verb|description| or
+\verb|register| section which is mandatory for all NASL scripts and is usually
+right at the beginning of any NASL script.
 
+A basic NASL script might start like this:
+\begin{verbatim}
+#
+# This is an example NASL script.
+#
+
+if(description)
+{
+ script_oid("1.3.6.1.4.1.25623.1.0.12345")
+ script_version ("1.2");
+ name["english"] = "Foo Bar 2.5 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "
+   This plugin checks for the vulnerability in the Foo Bar 2.5 server component
+   as described in CVE 2009-4321.
+
+   Risk factor : None";
+
+ script_description(english:desc["english"]);
+
+ summary["english"] = "Check for vulnerability in Foo Bar 2.5";
+ script_summary(english:summary["english"]);
+
+ script_copyright(english:"This script is under GPLv2+");
+
+ ...
+
+ exit(0);
+}
+
+...
+\end{verbatim}
+
+The plugin description has to be contained in the \verb|if (description)| block
+so the OpenVAS server can retrieve it. The first time it the server encounters a
+new plugin, it will be called with the global variable \verb|description| set
+to \verb|TRUE|. The information provided by the plugin will be cached in
+the \verb|.desc| subdirectory in the plugins directory. When the script is
+called during a scan, it will be called with \verb|description| set
+to \verb|FALSE|.
+
+For a complete list of NASL commands that can be used in the script
+description, please refer to the section \ref{sec:NASL-desc} of the NASL API
+documentation.
+
 \section{NASL API Documentation}
 
 \subsection{Built-In Functions}
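Review bot: the example in the new `if(description)` block is missing the statement terminator on `script_oid("1.3.6.1.4.1.25623.1.0.12345")`; every other call in the block ends with `;`, and since the same commit later tells readers to run their scripts through `openvas-nasl -p`, the example should itself parse cleanly. Also, `\ref{sec:NASL-desc}` points at a label this commit does not add (the only new label in the patch is `sec:NASL-KB`, further down), so the cross-reference will render as `??` unless that label already exists elsewhere in the document. Smaller points in the surrounding prose: "The first time it the server encounters a new plugin" has a stray "it"; the placeholder `CVE 2009-4321` is dated a year after this 2008 commit and uses a space instead of the `CVE-YYYY-NNNN` form, so an obviously fictional placeholder such as `CVE-XXXX-YYYY` would avoid a reader mistaking it for a real entry; and "Risk factor : None" sits oddly in a description that says the plugin checks for a vulnerability.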
@@ -2337,6 +2387,8 @@
 
 \subsection{script\_oid()}
 
+\compendiumauthor{Tim Brown}
+
 This function is intended to replace \verb!script_id!, the current method of uniquely
 identifying NASL scripts. The logic behind this is that \verb!script_id! has only a single
 global namespace. With plans by several organisations to develop and contribute
@@ -2372,6 +2424,7 @@
 \end{verbatim} 
 
 \subsection{Knowledge Base}
+\label{sec:NASL-KB}
 
 In order to facilitate the exchange of information between different NVTs and to
 speed up the scanning process, information collected by plugins can be to stored
@@ -2699,7 +2752,250 @@
  \item[zonealarm/version] zone\_alarm\_local\_dos.nasl
 \end{description}
 
+\section{Test and debugging procedures}
 
+There are different approaches to test your OpenVAS NVTs; for example, the
+network TCP/IP tests differs from the local security tests.
+For the local security test, it is important to see the command line and what
+was queried on a local system using a shell.
+An excellent start is using the \verb|openvas-nasl| tool to execute your script
+on the target environment to see if any error messages come up.
+
+\subsection{Testing a local vulnerability}
+
+Here is an example of using the \verb|openvas-nasl| tool to perform a test:
+
+First test if your script written in NASL is syntactically correct. This could
+be done by using openvas-nasl with the -p option, e.g.:
+\begin{verbatim}
+# openvas-nasl -p broken-example.nasl
+syntax error, unexpected IDENT, expecting ')'
+Parse error at or near line 17
+\end{verbatim} 
+
+This is telling us that this script has a syntax error.
+Test the functionality of your script only after you made sure your script
+contains only syntactically correct NASL.
+
+Now you can test on your target host, if the LVT is correct, by writing
+debug-output into a debug file:
+
+\begin{verbatim}
+ openvas-nasl  -T /tmp/debug-lvt.txt -X  example-lvt.nasl
+\end{verbatim}
+
+The debug output will be written into the debug-lvt.txt file, which in this
+example will look like this:
+
+\begin{verbatim}
+[...]
+NASL:0196> make_list(...)
+[9831]() NASL> [080c9968] <- "qpkg"
+[9831]() NASL> [080c9a00] <- "-nc"
+[9831]() NASL> [080c9f38] <- "-I"
+[9831]() NASL> [080c9f98] <- "-v"
+[9831](example-lvt.nasl) NASL> Call make_list(1: "qpkg", 2: "-nc", 3: "-I", 4:
+"-v")
+[9831](example-lvt.nasl) NASL> Return make_list: ???? (DYN_ARRAY (64))
+[9831]() NASL> [080c9e88] <- (VAR2_ARRAY)
+[9831](example-lvt.nasl) NASL> Call pread(cmd: "qpkg", argv: ???? (DYN_ARRAY
+(64)))
+[9831](example-lvt.nasl) NASL> Return pread: "qpkg: invalid option -- n
+Usage: qpkg <opt..."
+[9831]() NASL> [080c95c0] <- "qpkg: invalid option -- n
+Usage: qpkg <opts> <misc args> : manipulate Gentoo binpkgs
+
+Options: -[cpP:vqChV]
+  -c, --clean          * clean pkgdir of unused binary files
+  -p, --pretend        * pretend only
+  -P, --pkgdir   <arg> * alternate package directory
+  -v, --verbose        * Make a lot of noise
+  -q, --quiet          * Tighter output; suppress warnings
+  -C, --nocolor        * Don't output color
+  -h, --help           * Print this help and exit
+  -V, --version        * Print version and exit
+"
+NASL:0199> if (! (qpkg_list)) { ... }
+[9831](example-lvt.nasl) NASL> [080c95c0] -> "qpkg: invalid option -- n
+Usage: qpkg <opts> <misc args> : manipulate Gentoo binpkgs
+
+Options: -[cpP:vqChV]
+  -c, --clean          * clean pkgdir of unused binary files
+  -p, --pretend        * pretend only
+  -P, --pkgdir   <arg> * alternate package directory
+  -v, --verbose        * Make a lot of noise
+  -q, --quiet          * Tighter output; suppress warnings
+  -C, --nocolor        * Don't output color
+  -h, --help           * Print this help and exit
+  -V, --version        * Print version and exit
+"
+NASL:0201> if (((arch) && (my_arch)) && (my_arch >!< arch)) { ... }
+[9831](example-lvt.nasl) NASL> [080c9948] -> undef
+NASL:0201> l=egrep(...);
+NASL:0201> egrep(...)
+[9831](example-lvt.nasl) NASL> [080c95c0] -> "qpkg: invalid option -- n
+Usage: qpkg <opts> <misc args> : manipulate Gentoo binpkgs
+
+Options: -[cpP:vqChV]
+  -c, --clean          * clean pkgdir of unused binary files
+  -p, --pretend        * pretend only
+  -P, --pkgdir   <arg> * alternate package directory
+  -v, --verbose        * Make a lot of noise
+  -q, --quiet          * Tighter output; suppress warnings
+  -C, --nocolor        * Don't output color
+  -h, --help           * Print this help and exit
+  -V, --version        * Print version and exit
+"
+[9831]() NASL> [080c9890] <- "qpkg: invalid option ? n
+[...]
+\end{verbatim}
+
+ The last line tells us that an incorrect syntax for the qpkg tool was given to
+the LVT.
+
+\subsection{Testing a network vulnerability}
+
+Here is an example using the openvas-nasl tool to perform a test:
+
+First test if your script written in NASL is syntactically correct. This could
+be done by using the openvas-nasl tool with the -p option, e.g.:
+\begin{verbatim}
+# openvas-nasl -p broken-example.nasl
+syntax error, unexpected IDENT, expecting ')'
+Parse error at or near line 17
+\end{verbatim} 
+
+This is telling us that this script has a syntax error. 
+Test the functionality of your script after making sure that your script
+contains only correct NASL.
+
+The test on the network is a bit more complicated. To test if the right packet
+was sent, you can use TCPDUMP to capture the communication between the host can
+the client, e.g.:
+
+\begin{verbatim}
+# tcpdump -i lo -w debug.pcap -s 1450
+tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1450 bytes
+10 packets captured
+20 packets received by filter
+0 packets dropped by kernel
+\end{verbatim}
+
+Now it is possible to decode the content of the network communication.
+
+\begin{verbatim}
+ # tcpdump -vvvv -n -r debug.pcap
+reading from file debug.pcap, link-type EN10MB (Ethernet)
+15:45:52.474613 IP (tos 0x0, ttl 64, id 60969, offset 0, flags [DF], proto TCP
+(6), length 60) 127.0.0.1.53655 > 127.0.0.1.24: S, cksum 0x80c9 (correct),
+1315997236:1315997236(0) win 32792 <mss 16396,sackOK,timestamp 5466141
+0,nop,wscale 6>
+15:45:52.474618 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
+length 60) 127.0.0.1.24 > 127.0.0.1.53655: S, cksum 0x64b5 (correct),
+1311860089:1311860089(0) ack 1315997237 win 32768 <mss 16396,sackOK,timestamp
+5466141 5466141,nop,wscale 6>
+15:45:52.474638 IP (tos 0x0, ttl 64, id 60970, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bd8 (correct),
+1:1(0) ack 1 win 513 <nop,nop,timestamp 5466141 5466141>
+15:45:52.474797 IP (tos 0x0, ttl 64, id 3431, offset 0, flags [DF], proto TCP
+(6), length 72) 127.0.0.1.24 > 127.0.0.1.53655: P, cksum 0xfe3c (incorrect (->
+0x941e), 1:21(20) ack 1 win 512 <nop,nop,timestamp 5466141 5466141>
+15:45:52.474829 IP (tos 0x0, ttl 64, id 60971, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bc3 (correct),
+1:1(0) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
+15:45:52.475572 IP (tos 0x0, ttl 64, id 60972, offset 0, flags [DF], proto TCP
+(6), length 68) 127.0.0.1.53655 > 127.0.0.1.24: P, cksum 0xfe38 (incorrect (->
+0xefa4), 1:17(16) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
+15:45:52.475586 IP (tos 0x0, ttl 64, id 3432, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.24 > 127.0.0.1.53655: ., cksum 0x4bb3 (correct),
+21:21(0) ack 17 win 512 <nop,nop,timestamp 5466142 5466142>
+15:45:57.479223 IP (tos 0x0, ttl 64, id 60973, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: F, cksum 0x46ce (correct),
+17:17(0) ack 21 win 513 <nop,nop,timestamp 5467393 5466142>
+15:45:57.479279 IP (tos 0x0, ttl 64, id 3433, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.24 > 127.0.0.1.53655: F, cksum 0x41eb (correct),
+21:21(0) ack 18 win 512 <nop,nop,timestamp 5467393 5467393>
+15:45:57.479296 IP (tos 0x0, ttl 64, id 60974, offset 0, flags [DF], proto TCP
+(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x41ea (correct),
+18:18(0) ack 22 win 513 <nop,nop,timestamp 5467393 5467393>
+\end{verbatim} 
+
+If a deeper packet analysis is needed, tools like \verb|wireshark| are able to
+read such files in \verb|pcap| format, and perform a close analysis of all type
+of network communication packets.
+
+The \verb|openvas-nasl| interpreter also provides us with a logfile at
+ \verb|/tmp/debug-nvt.txt|. This file helps us to debug NASL based NVTs:
+
+\begin{verbatim}
+[...]
+NASL:0277> register_int_in_kb(...)
+[9905](ssh_detect24.nasl) NASL> [0811e310] -> 0
+[9905]() NASL> [08120328] <- 0
+[9905]() NASL> [08120358] <- "Secret/SSH/bugged_sshd"
+[9905](ssh_detect24.nasl) NASL> Call register_int_in_kb(int: 0, name:
+"Secret/SSH/bugged_sshd")
+NASL:0055> if ((! (defined_func(...))) || (! (_reuse_connection))) { ... }
+NASL:0054> defined_func(...)
+[9905]() NASL> [081203a8] <- "replace_kb_item"
+[9905](ssh_detect24.nasl) NASL> Call defined_func(1: "replace_kb_item")
+[9905](ssh_detect24.nasl) NASL> Return defined_func: 1
+[9905](ssh_detect24.nasl) NASL> [0811e2d8] -> undef
+NASL:0054> return 0;
+[9905](ssh_detect24.nasl) NASL> Return register_int_in_kb: 0
+[9905](ssh_detect24.nasl) NASL> Return init: FAKE
+NASL:1771> server_version=ssh_exchange_identification(...);
+NASL:1771> ssh_exchange_identification(...)
+[9905](ssh_detect24.nasl) NASL> [0811fde0] -> 1000000
+[9905]() NASL> [08120688] <- 1000000
+[9905](ssh_detect24.nasl) NASL> Call ssh_exchange_identification(socket:
+1000000)
+NASL:0377> local_var ...
+NASL:0379> buf=recv_line(...);
+NASL:0379> recv_line(...)
+[9905](ssh_detect24.nasl) NASL> [08120688] -> 1000000
+[9905]() NASL> [081207b0] <- 1000000
+[9905]() NASL> [081207d0] <- 1024
+[9905](ssh_detect24.nasl) NASL> Call recv_line(socket: 1000000, length: 1024)
+[9905](ssh_detect24.nasl) NASL> Return recv_line: "SSH-2.0-FreeSSH_9.9
+"
+[9905]() NASL> [081202d0] <- "SSH-2.0-FreeSSH_9.9
+"
+NASL:0388> if (! (buf)) { ... }
+[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
+"
+NASL:0394> if (! (ereg(...))) { ... }
+NASL:0388> ereg(...)
+[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
+"
+[9905]() NASL> [081206a8] <- "SSH-2.0-FreeSSH_9.9
+"
+[9905]() NASL> [081207b0] <- "^SSH-*[0-9]\.*[0-9]-*[^\n]"
+[9905](ssh_detect24.nasl) NASL> Call ereg(string: "SSH-2.0-FreeSSH_9.9
+", pattern: "^SSH-*[0-9]\.*[0-9]-*[^\n]")
+[9905](ssh_detect24.nasl) NASL> Return ereg: 1
+NASL:0394> sshversion=split(...);
+NASL:0394> split(...)
+[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
+"
+[9905]() NASL> [08120638] <- "SSH-2.0-FreeSSH_9.9
+"
+[9905]() NASL> [081207b0] <- "-"
+[9905]() NASL> [0811fff8] <- 0
+[9905](ssh_detect24.nasl) NASL> Call split(1: "SSH-2.0-FreeSSH_9.9
+", sep: "-", keep: 0)
+[9905](ssh_detect24.nasl) NASL> Return split: ???? (DYN_ARRAY (64))
+[9905]() NASL> [081202f0] <- (VAR2_ARRAY)
+NASL:0395> num=split(...);
+NASL:0395> split(...)
+[...]
+\end{verbatim}
+
+This information should be sufficient to solve the problem. If not, it might be
+an OpenVAS bug in the script engine.
+To detect this, compile OpenVAS NASL with debug symbols and use GDB. More
+information on GBD can be found at: http://www.gnu.org/software/gdb/gdb.html.
+
 \section{Writing SMBclient-based WLSC NASL Scripts}
 
 \compendiumauthor{Carsten Koch Mauthe}
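Review bot: the syntax-check paragraph and its `openvas-nasl -p broken-example.nasl` listing appear twice, once under "Testing a local vulnerability" and again almost verbatim under "Testing a network vulnerability"; state it once at the top of "Test and debugging procedures" and let both subsections refer to it. The trace-file handling is also inconsistent: the command uses `-T /tmp/debug-lvt.txt`, the following paragraph calls it `debug-lvt.txt`, and the network subsection says the interpreter "also provides us with a logfile at /tmp/debug-nvt.txt", which reads as if the file were written automatically; it only exists when `-T` is passed, so show the `-T` invocation there as well and settle on one file name. The tcpdump example captures on `lo`, which only sees traffic when the NVT is run against the local host; for a remote target the capture has to be taken on the outgoing interface, ideally with a `host <target>` filter so the file stays readable. Typos to fix before this lands: "the network TCP/IP tests differs", "between the host can the client", "GBD" for GDB, and the stray leading space before "The last line tells us".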


