[Openvas-commits] r1614 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Oct 24 19:16:59 CEST 2008


Author: kost
Date: 2008-10-24 19:16:58 +0200 (Fri, 24 Oct 2008)
New Revision: 1614

Added:
   trunk/openvas-plugins/scripts/http_ids_evasion.nasl
   trunk/openvas-plugins/scripts/ids_evasion.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added GPL plugins from Nessus



Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-10-24 13:52:41 UTC (rev 1613)
+++ trunk/openvas-plugins/ChangeLog	2008-10-24 17:16:58 UTC (rev 1614)
@@ -1,3 +1,8 @@
+2008-10-20  Vlatko Kosturjak <kost at linux.hr>
+
+	* scripts/http_ids_evasion.nasl, scripts/ids_evasion.nasl:
+	Added GPL plugins from Nessus
+
 2008-10-24 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/gb_wireshark_mult_vuln_oct08_lin.nasl,
 	  scripts/gb_wireshark_mult_vuln_oct08_win.nasl,

Added: trunk/openvas-plugins/scripts/http_ids_evasion.nasl
===================================================================
--- trunk/openvas-plugins/scripts/http_ids_evasion.nasl	2008-10-24 13:52:41 UTC (rev 1613)
+++ trunk/openvas-plugins/scripts/http_ids_evasion.nasl	2008-10-24 17:16:58 UTC (rev 1614)
@@ -0,0 +1,275 @@
+#
+# This script was written by Michel Arboi <arboi at alussinan.org>
+#
+# The HTTP IDS evasion mode comes from Whisker, by RFP.
+# Read http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+#
+# GPL, blah blah blah
+# See the Nessus Scripts License for details
+#
+# kst-4check
+
+
+if ( NASL_LEVEL >= 3000 ) exit(0);
+
+if(description)
+{
+ script_id(80010);
+ script_version ("$Revision: 1.13 $");
+
+ name["english"] = "HTTP NIDS evasion";
+ name["francais"] = "Fonctions HTTP Anti NIDS (détecteur d'intrusions)";
+ 
+ script_name(english:name["english"],
+            francais:name["francais"]);
+ 
+ desc["english"] = "
+This plugin configures Nessus for NIDS evasion (see the 'Prefs' panel).
+NIDS evasion options are useful if you want to determine
+the quality of the expensive NIDS you just bought.
+
+HTTP evasion techniques :
+- HEAD: use HEAD method instead of GET
+- URL encoding:
+ - Hex: change characters to %XX
+ - MS UTF-16: change characters to %uXXXX. This works only with IIS.
+ - UTF-16: change characters to %00%XX. This should *not* work!
+ - Broken UTF-8: change characters to invalid multibyte UTF8 sequences.
+- Absolute URI: insert scheme://host/ in front of the relative URI.
+- Double slashes: change every / to //
+- Reverse traversal: change / into /dirname/../
+  'Basic' inserts 8 characters random directory names; 'Long' means 1000 
+  character directory name.
+- Self-reference: changes every / to /./
+- Premature request ending: just like 'reverse traversal', but the directory 
+  name contains %0d%0a (could be translated to CR LF)
+- CGI.pm: uses ';' instead of '&' in the query string.
+- Parameter hiding: another form of reverse traversal. The directory contains
+  %3F (could be translated to ?)
+- Dos/Windows: uses \ instead of /
+- Null method: insert %00 between the method and the URI
+- TAB: uses TAB instead of SPACE between the method, the URL and the HTTP 
+  version
+- HTTP/0.9: uses HTTP/0.9 requests (method & URI only, no HTTP version field)
+
+'Premature request ending' and 'Parameter hiding' target 'smart' IDS.
+
+Read http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+for more information.
+
+Warning: those features are experimental and some 
+options may result in false negatives!
+This plugin does not do any security check.
+
+Risk factor : None";
+
+
+ script_description(english:desc["english"]);
+ 
+ summary["english"] = "NIDS evasion options";
+ summary["francais"] = "Options anti NIDS";
+ script_summary(english:summary["english"],
+               francais:summary["francais"]);
+ 
+ script_category(ACT_SETTINGS);
+ 
+ script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi / Renaud Deraison");
+ family["english"] = "Settings";
+ family["francais"] = "Configuration";
+ script_family(english:family["english"], francais:family["francais"]);
+ 
+ script_add_preference(name:"HTTP User-Agent", type:"entry", value:"");
+ script_add_preference(name:"Use HTTP HEAD instead of GET", type:"checkbox", value:"no");
+ script_add_preference(name:"URL encoding", type:"radio", value:"none;Hex;UTF-16 (double byte); UTF-16 (MS %u);Incorrect UTF-8");
+ # Pavel kankovsky's suggestion
+ script_add_preference(name:"Absolute URI type", type:"radio", value:"none;file;gopher;http");
+ script_add_preference(name:"Absolute URI host", type:"radio", value:"none;host name;host IP;random name;random IP");
+
+ script_add_preference(name:"Double slashes", type:"checkbox", value:"no");
+ script_add_preference(name:"Reverse traversal", type:"radio", value:"none;Basic;Long URL");
+
+ script_add_preference(name:"Self-reference directories", type:"checkbox", value:"no");
+ script_add_preference(name:"Premature request ending", type:"checkbox", value:"no");
+# CGI.pm "anti NIDS" discovered by Securiteam
+ script_add_preference(name:"CGI.pm semicolon separator", type:"checkbox", value:"no");
+ script_add_preference(name:"Parameter hiding", type:"checkbox", value:"no");
+ script_add_preference(name:"Dos/Windows syntax", type:"checkbox", value:"no");
+ script_add_preference(name:"Null method", type:"checkbox", value:"no");
+ script_add_preference(name:"TAB separator", type:"checkbox", value:"no");
+ script_add_preference(name:"HTTP/0.9 requests", type:"checkbox", value:"no");
+
+ script_add_preference(name:"Force protocol string : ", type:"entry", value:"");
+ script_add_preference(name:"Random case sensitivity (Nikto only)", type:"checkbox", value:"no");
+ exit(0);
+}
+
+# TBD: Implement "Random case sensitivity" from Nikto
+
+whisker_nids = 'X';
+
+opt = script_get_preference("HTTP User-Agent");
+if (opt)
+  set_kb_item(name:"http/user-agent", value:opt);
+
+opt = script_get_preference("Use HTTP HEAD instead of GET");
+warn = 0;
+
+if(opt == "yes")
+{
+set_kb_item(name:"NIDS/HTTP/head", value:"yes");
+warn = 1;
+}
+
+opt = script_get_preference("URL encoding");
+if("none" >< opt)opt = 0;
+
+if(opt)
+{
+ set_kb_item(name:"NIDS/HTTP/URL_encoding", value:opt);
+ whisker_nids = '1';
+ warn = 1;
+}
+
+
+opt = script_get_preference("Double slashes");
+
+if(opt == "yes")
+{
+	set_kb_item(name:"NIDS/HTTP/double_slash", value:"yes");
+	warn = 1;
+}
+
+opt = script_get_preference("Reverse traversal");
+if("none" >< opt)opt = 0;
+
+if (opt)
+{
+ if (opt == "Basic") 
+ {
+ 	set_kb_item(name:"NIDS/HTTP/reverse_traversal", value:8);
+	warn = 1;
+ }
+ if (opt == "Long URL") 
+ {
+ 	set_kb_item(name:"NIDS/HTTP/reverse_traversal", value:1000);
+	warn = 1;
+	whisker_nids = '4';
+ }
+}
+
+
+opt = script_get_preference("Absolute URI type");
+
+
+if(opt && !("none" >< opt))
+{
+set_kb_item(name:"NIDS/HTTP/absolute_URI/type", value:opt);
+warn = 1;
+}
+
+
+
+opt = script_get_preference("Absolute URI host");
+
+
+if(opt && !("none" >< opt))
+{
+  set_kb_item(name:"NIDS/HTTP/absolute_URI/host", value:opt);
+  warn = 1;
+}
+
+
+opt = script_get_preference("Self-reference directories");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/self_ref_dir", value:"yes");
+ whisker_nids = '2';
+ warn = 1;
+}
+
+
+opt = script_get_preference("Dos/Windows syntax");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/dos_win_syntax", value:"yes");
+ warn = 1;
+ whisker_nids = '8';
+}
+
+
+opt = script_get_preference("Null method");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/null_method", value:"yes");
+ warn = 1;
+}
+
+
+
+opt = script_get_preference("TAB separator");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/tab_separator", value:"yes");
+ warn = 1;
+ whisker_nids = '6';
+}
+
+
+opt = script_get_preference("HTTP/0.9 requests");
+
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/http09", value:"yes");
+ warn = 1;
+}
+
+
+opt = script_get_preference("Premature request ending");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/premature_request_ending", value:"yes");
+ warn = 1;
+ whisker_nids = '3';
+}
+
+
+opt = script_get_preference("CGI.pm semicolon separator");
+
+if(opt == "yes")
+{
+set_kb_item(name:"NIDS/HTTP/CGIpm_param", value:"yes");
+warn = 1;
+}
+
+opt = script_get_preference("Parameter hiding");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/param_hiding", value:"yes");
+ warn = 1;
+ whisker_nids = 5;
+}
+
+
+p = script_get_preference("Force protocol string : ");
+if(p && (p != "no"))
+{
+ set_kb_item(name:"NIDS/HTTP/protocol_string", value:p);
+ warn = 1;
+}
+
+opt = script_get_preference("Random case sensitivity (Nikto only)");
+if(opt == "yes")
+{
+ set_kb_item(name:"NIDS/HTTP/random_case", value: "yes");
+ whisker_nids = 7;
+ #warn = 1;
+}
+
+set_kb_item(name:"/Settings/Whisker/NIDS", value:string(whisker_nids));
+
+if(warn)
+{
+w="HTTP NIDS evasion functions are enabled. 
+You may get some false negative results";
+ security_note(port:0, data:w);
+}
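Review bot: Every HTTP evasion branch overwrites `whisker_nids` with a single digit ('1' for URL encoding, '4' for long reverse traversal, '2', '8', '6', '3', then `5` and `7`), so when a user enables several options only the last branch evaluated — 'Random case sensitivity', otherwise 'Parameter hiding' — reaches the final `set_kb_item(name:"/Settings/Whisker/NIDS", ...)` and the other selected modes are silently dropped for whatever consumes that key. If the consumer accepts several mode digits in one string, as nikto's `-evasion` option appears to, accumulating them (start from an empty string, append each digit, and store `'X'` only when nothing was appended) would pass all of them; if it takes exactly one digit, a comment stating that and naming the branch that wins would at least make the behaviour explicit. The two integer assignments `whisker_nids = 5;` and `whisker_nids = 7;` also differ from the string literals used in every other branch; `string()` at the end hides this, but `'5'` and `'7'` would be consistent. Separately, enabling only 'Random case sensitivity' yields no false-negative warning because its `warn = 1` is commented out while the `TBD` comment says the mode is not implemented for this scanner's own HTTP requests, which is worth stating in the preference name or a comment.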

Added: trunk/openvas-plugins/scripts/ids_evasion.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ids_evasion.nasl	2008-10-24 13:52:41 UTC (rev 1613)
+++ trunk/openvas-plugins/scripts/ids_evasion.nasl	2008-10-24 17:16:58 UTC (rev 1614)
@@ -0,0 +1,145 @@
+#
+# This script was written by Michel Arboi <arboi at alussinan.org> 
+# and Renaud Deraison
+#
+# The HTTP IDS evasion mode comes from Whisker, by RFP.
+# It has been moved to http_ids_evasion.nasl
+#
+# The TCP IDS evasion techniques are largely inspired by
+# the work from Tom Ptacek and Tim Newsham.
+#
+# GPL, blah blah blah
+# See the Nessus Scripts License for details
+#
+# kst-4check
+
+if ( NASL_LEVEL >= 3000 ) exit(0);
+
+if(description)
+{
+ script_id(80011);
+ script_version ("$Revision: 1.23 $");
+
+ name["english"] = "NIDS evasion";
+ name["francais"] = "Anti NIDS (détecteur d'intrusions)";
+ 
+ script_name(english:name["english"],
+            francais:name["francais"]);
+ 
+ desc["english"] = "
+This plugin configures Nessus for NIDS evasion (see the 'Prefs' panel).
+NIDS evasion options are useful if you want to determine
+the quality of the expensive NIDS you just bought.
+
+TCP Evasion techniques :
+- Split : send data one byte at a time. This confuses
+  NIDSes which do not perform stream reassembly
+  
+- Injection : same as split, but malformed TCP packets
+  containing bogus data are sent between normal packets. 
+  Here, a 'malformed' tcp packet means a legitimate TCP packet 
+  with a bogus checksum.
+  This confuses NIDSes which perform stream reassembly but do
+  not accurately verify the checksum of the packets or
+  which do not determine if the remote host actually
+  receives the packets seen ;
+  
+- Short TTL : same as split, but a valid TCP packets
+  containing bogus data are sent between normal packets.
+  These packets have a short (N-1), meaning that if
+  the NIDS is on a gateway, it will see these packets
+  go through, but they will not reach the target
+  host.
+  This confuses NIDSes which perform stream reassembly
+  but do not accurately check if the packet can actually
+  reach the remote host or which do not determine if the 
+  remote host actually receives the packets seen ;
+
+- Fake RST : each time a connection is established, Nessus
+  will send a RST packet with a bogus tcp checksum or
+  a bogus ttl (depending on the options you chose above),
+  thus making the IDS believe the connection was closed
+  abruptly.
+  This confuses badly written NIDSes which believe
+  anything they see.
+  
+Warning: those features are experimental and some 
+options may result in false negatives!
+This plugin does not do any security check.
+
+Risk factor : None";
+
+
+ script_description(english:desc["english"]);
+ 
+ summary["english"] = "NIDS evasion options";
+ summary["francais"] = "Options anti NIDS";
+ script_summary(english:summary["english"],
+               francais:summary["francais"]);
+ 
+ script_category(ACT_SETTINGS);
+ 
+ script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi / Renaud Deraison");
+ family["english"] = "Settings";
+ family["francais"] = "Configuration";
+ script_family(english:family["english"], francais:family["francais"]);
+ 
+ script_add_preference(name:"TCP evasion technique", type:"radio", value:"none;split;injection;short ttl");
+
+ script_add_preference(name:"Send fake RST when establishing a TCP connection",
+ 	type:"checkbox", value:"no");
+ exit(0);
+}
+
+pref =  script_get_preference("TCP evasion technique");
+if(!pref)exit(0);
+
+if(pref == "none")exit(0);
+
+
+if(pref == "none;split;injection;short ttl")exit(0);
+
+if(pref == "split")
+{
+ set_kb_item(name:"NIDS/TCP/split", value:"yes");
+
+  if (! get_kb_item("/Settings/Whisker/NIDS"))
+    set_kb_item(name:"/Settings/Whisker/NIDS", value: "9");
+
+w="TCP split NIDS evasion function is enabled. Some tests might
+run slowly and you may get some false negative results";
+ security_note(port:0, protocol:"tcp", data:w);
+}
+
+if(pref == "injection")
+{
+ set_kb_item(name:"NIDS/TCP/inject", value:"yes");
+w="TCP inject NIDS evasion function is enabled. Some tests might
+run slowly and you may get some false negative results.";
+ security_note(port:0, protocol:"tcp", data:w);
+}
+
+
+if(pref == "short ttl")
+ {
+ set_kb_item(name:"NIDS/TCP/short_ttl", value:"yes");
+w="TCP short ttl NIDS evasion function is enabled. Some tests might
+run slowly and you may get some false negative results.";
+ security_note(port:0, protocol:"tcp", data:w);
+ }
+
+
+pref = script_get_preference("Send fake RST when establishing a TCP connection");
+if(!pref) exit(0);
+
+if(pref == "no")exit(0);
+
+
+
+if(pref == "yes") {
+ set_kb_item(name:"NIDS/TCP/fake_rst", value:"yes");
+w="TCP fake RST NIDS evasion function is enabled. Some tests might
+run slowly and you may get some false negative results.";
+ security_note(port:0, protocol:"tcp", data:w);
+}
+
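Review bot: The guard `if (! get_kb_item("/Settings/Whisker/NIDS"))` in the `split` branch depends on plugin scheduling: http_ids_evasion.nasl, added in this same commit, writes that key unconditionally at its end (storing `'X'` when no HTTP evasion is selected), and neither ACT_SETTINGS script declares a `script_dependencies()` on the other, so whether `"9"` is recorded for session splicing changes with which script happens to run first. Treating the sentinel as unset, `v = get_kb_item("/Settings/Whisker/NIDS"); if (!v || v == "X") set_kb_item(name:"/Settings/Whisker/NIDS", value: "9");`, together with `script_dependencies("http_ids_evasion.nasl");` in the description block, would make the outcome deterministic. The comparison `pref == "none;split;injection;short ttl"` is the only thing catching an unset radio preference and will silently stop working if the option list is ever edited; a comment such as `# unset radio prefs return the whole value list` or the `"none" >< pref` test used by the HTTP script would be more robust. The description text also drops a word in 'These packets have a short (N-1)' — presumably 'a short TTL (N-1)'.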


