From kost at linux.hr Fri Nov 14 13:47:45 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Fri, 14 Nov 2008 13:47:45 +0100
Subject: [Openvas-plugins] OpenVAS and backtrack
Message-ID: <491D7371.1030400@linux.hr>

As OpenVAS is not in Backtrack 3 by default (yet!), you can download the lzm module or download the remastered backtrack3 which includes the OpenVAS lzm (it still fits on a 700 Mb CD).

It's a good way of testing OpenVAS in case you want to try it out, and also if you want to write (and test) NASL checks but don't have a development environment ready.

Read more and download here:

http://www.openvas.org/openvas-bt.html

Hope it helps!

Kost

PS Christian Eric - this is for you ;)

From c_edjenguele at yahoo.it Sat Nov 15 14:45:38 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Sat, 15 Nov 2008 13:45:38 +0000 (GMT)
Subject: [Openvas-plugins] OpenVAS and backtrack
References:
Message-ID: <241466.92587.qm@web28603.mail.ukl.yahoo.com>

Oh excellent. Thanks.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
mobile: +39 3408580513

----- Original message -----
From: "openvas-plugins-request at wald.intevation.org"
To: openvas-plugins at wald.intevation.org
Sent: Saturday 15 November 2008, 12:00:07
Subject: Openvas-plugins Digest, Vol 12, Issue 2

Send Openvas-plugins mailing list submissions to
    openvas-plugins at wald.intevation.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
or, via email, send a message with subject or body 'help' to
    openvas-plugins-request at wald.intevation.org

You can reach the person managing the list at
    openvas-plugins-owner at wald.intevation.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Openvas-plugins digest..."

Today's Topics:

   1. OpenVAS and backtrack (Vlatko Kosturjak)

----------------------------------------------------------------------

Message: 1
Date: Fri, 14 Nov 2008 13:47:45 +0100
From: Vlatko Kosturjak
Subject: [Openvas-plugins] OpenVAS and backtrack
To: openvas-plugins ,
    openvas-devel ,
    openvas-discuss at wald.intevation.org
Message-ID: <491D7371.1030400 at linux.hr>
Content-Type: text/plain; charset=ISO-8859-1

As OpenVAS is not in Backtrack 3 by default (yet!), you can download the lzm module or download the remastered backtrack3 which includes the OpenVAS lzm (it still fits on a 700 Mb CD).

It's a good way of testing OpenVAS in case you want to try it out, and also if you want to write (and test) NASL checks but don't have a development environment ready.

Read more and download here:

http://www.openvas.org/openvas-bt.html

Hope it helps!

Kost

PS Christian Eric - this is for you ;)

------------------------------

_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

End of Openvas-plugins Digest, Vol 12, Issue 2
**********************************************

From lists at securityspace.com Mon Nov 17 18:46:08 2008
From: lists at securityspace.com (Thomas Reinke)
Date: Mon, 17 Nov 2008 12:46:08 -0500
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <20081117141250.GF21680@intevation.de>
References: <200810312236.55376.timb@nth-dimension.org.uk> <20081117141250.GF21680@intevation.de>
Message-ID: <4921ADE0.8030407@securityspace.com>

Michael Wiegand wrote:
> compare it to "SUSE"). I have commented out the SuSE test for now, it
> would be great if someone with access to a SuSE system could write a
> more reliable test.
>
SuSE has now been re-enabled in gather-package-list.nasl with updated detection logic properly working.

Thomas

From timb at nth-dimension.org.uk Mon Nov 17 23:21:53 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Mon, 17 Nov 2008 22:21:53 +0000
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <4921ADE0.8030407@securityspace.com>
References: <200810312236.55376.timb@nth-dimension.org.uk> <20081117141250.GF21680@intevation.de> <4921ADE0.8030407@securityspace.com>
Message-ID: <200811172221.54094.timb@nth-dimension.org.uk>

On Monday 17 November 2008 17:46:08 Thomas Reinke wrote:
> Michael Wiegand wrote:
> > compare it to "SUSE"). I have commented out the SuSE test for now, it
> > would be great if someone with access to a SuSE system could write a
> > more reliable test.
>
> SuSE has now been re-enabled in gather-package-list.nasl with
> updated detection logic properly working.

Cheers Michael and Thomas, but actually that's not the problem :(. I'd actually fixed the SuSE bug in my branch as follows:

< rls = toupper(ssh_cmd(socket:sock, cmd:"cat /etc/SuSE-release"));
< if("SUSE">

From michael.wiegand at intevation.de Tue Nov 18 08:00:56 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Tue, 18 Nov 2008 08:00:56 +0100
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <200811172221.54094.timb@nth-dimension.org.uk>
References: <200810312236.55376.timb@nth-dimension.org.uk> <20081117141250.GF21680@intevation.de> <4921ADE0.8030407@securityspace.com> <200811172221.54094.timb@nth-dimension.org.uk>
Message-ID: <20081118070056.GB15568@intevation.de>

* Tim Brown [17. Nov 2008]:
> Cheers Michael and Thomas, but actually that's not the problem :(.
>
> Obviously your check is an improvement on that ;). I may have the chance to
> run my scripts on a real world box this week, so I'll see if I can nail down
> where my problem lies.

That would have probably been too easy. :) Do you have any other hints as to what the problem might be? What goes wrong? I have access to a Solaris Box as well, so if there is anything you want me to test, just let me know.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From timb at nth-dimension.org.uk Wed Nov 19 01:09:03 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Wed, 19 Nov 2008 00:09:03 +0000
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <20081118070056.GB15568@intevation.de>
References: <200810312236.55376.timb@nth-dimension.org.uk> <200811172221.54094.timb@nth-dimension.org.uk> <20081118070056.GB15568@intevation.de>
Message-ID: <200811190009.04748.timb@nth-dimension.org.uk>

On Tuesday 18 November 2008 07:00:56 Michael Wiegand wrote:
> * Tim Brown [17. Nov 2008]:
> > Cheers Michael and Thomas, but actually that's not the problem :(.
> >
> > Obviously your check is an improvement on that ;). I may have the chance
> > to run my scripts on a real world box this week, so I'll see if I can
> > nail down where my problem lies.
>
> That would have probably been too easy. :) Do you have any other hints
> as to what the problem might be? What goes wrong? I have access to a
> Solaris Box as well, so if there is anything you want me to test, just
> let me know.

Okay, I got the chance to do a bit of debugging this evening. At the start of my copy of gather-package-list.nasl:

    uname = ssh_cmd(socket:sock, cmd:"uname -a");

is called. This successfully results in uname being set to "SunOS obfuscated 5.o Generic_oooooo-oo sun4u sparc SUNW,UltraSPARC-IIi-cEngine".

Then at the end of the script, if uname is detected as starting with "SunOS ", some more commands are run:

    security_note(port:port, data:uname);
    osversion = ssh_cmd(socket:sock, cmd:"uname -r");
    security_note(port:port, data:osversion);
    set_kb_item(name: "ssh/login/solosversion", value:osversion);
    hardwaretype = ssh_cmd(socket:sock, cmd:"uname -p");
    security_note(port:port, data:hardwaretype);
    set_kb_item(name: "ssh/login/solhardwaretype", value:hardwaretype);
    buf = ssh_cmd(socket:sock, cmd:"pkginfo");
    security_note(port:port, data:buf);
    set_kb_item(name: "ssh/login/solpackages", value:buf);
    buf = ssh_cmd(socket:sock, cmd:"showrev -p");
    security_note(port:port, data:buf);
    set_kb_item(name: "ssh/login/solpatches", value:buf);

However, it appears that osversion etc. never get populated. Each debug security_note results in a hole being noted which contains the following data:

"This script will, if given a userid/password or key to the remote system, login to that system, determine the OS it is running, and for supported systems, extract the list of installed packages/rpms."

This is the default value (description) which is used when (I believe) security_note is passed a null data parameter.

If I reorder the script so that the Solaris checks are carried out directly after the initial uname then it works.

In essence, the later ssh_cmd do not appear to run correctly.

I did try your patch to libopenvas Michael, but that didn't seem to resolve it.

Cheers,

Tim
-- 
Tim Brown

From michael.wiegand at intevation.de Wed Nov 19 08:44:01 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Wed, 19 Nov 2008 08:44:01 +0100
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <200811190009.04748.timb@nth-dimension.org.uk>
References: <200810312236.55376.timb@nth-dimension.org.uk> <200811172221.54094.timb@nth-dimension.org.uk> <20081118070056.GB15568@intevation.de> <200811190009.04748.timb@nth-dimension.org.uk>
Message-ID: <20081119074401.GA18497@intevation.de>

* Tim Brown [19. Nov 2008]:
> security_note(port:port, data:uname);
> osversion = ssh_cmd(socket:sock, cmd:"uname -r");
> ...
>
> However, it appears that osversion etc never get populated.

Odd. Just to clarify:

- Is osversion *never* populated or *not always*?
- Do uname -r etc. yield reasonable output on your target system?

> If I reorder the script so that the Solaris checks are carried out
> directly after the initial uname then it works.
>
> In essence, the later ssh_cmd do not appear to run correctly.

Yes, I'm suspecting this too. I think it has something to do with the way ssh_func.inc handles connections in ssh_reuse_connection(). There were some changes in there which seem to cause problems with ssh_cmd acquiring the shared ssh socket, but I haven't yet been able to pinpoint the exact issue. Could you try your tests with an older version of ssh_func.inc, prior to rev 1226?

I had the issue that gather-package-list.nasl would sometimes correctly report the remote OS, but on the next run wouldn't report anything at all. This is probably SSH-related as well; did you observe something similar?

> I did try your patch to libopenvas Michael, but that didn't seem to
> resolve it.

Well, it didn't resolve it either for me. ;) But since it was obviously broken, I decided to fix it before we forget the issue.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From lists at securityspace.com Wed Nov 19 19:41:01 2008
From: lists at securityspace.com (Thomas Reinke)
Date: Wed, 19 Nov 2008 13:41:01 -0500
Subject: [Openvas-plugins] Script family for windows local checks
Message-ID: <49245DBD.6010905@securityspace.com>

Hi,

We've been noting that tests that would be, for lack of a better name, classified as Windows local security checks are being categorized in the family "Misc.", "General", "Denial of Service", and so on.

These tests appear (unless we've missed a few) all the equivalent of local security checks for linux type systems, requiring registry access.

Shouldn't these be put into a family that reflects their nature? E.g. existing category "Windows"? Or if this is too generic, something like "Windows local security checks"?

For MS bulletins, the category currently being used is "Windows", but there is already a category specifically for these, i.e. "Windows : Microsoft Bulletins". I suspect the various *ms08*.nasl scripts should be using that family.

Thomas

From michael.wiegand at intevation.de Mon Nov 17 15:12:50 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 17 Nov 2008 15:12:50 +0100
Subject: [Openvas-plugins] [Openvas-devel] Solaris Local Security Checks
In-Reply-To: <200810312236.55376.timb@nth-dimension.org.uk>
References: <200810312236.55376.timb@nth-dimension.org.uk>
Message-ID: <20081117141250.GF21680@intevation.de>

* Tim Brown [ 3. Nov 2008]:
> Whilst the plugins themselves (and solaris.inc) are, I believe, correct, the
> limited testing I have done thus far indicates a problem with
> gather-package-list.nasl which is used to gather the information and set
> knowledge base entries on which these checks depend. I'm going to be very
> busy with work for the next 5 weeks and so I'd invite any of you that have
> access to Solaris boxes to have a play and see if the problems I experienced
> can be resolved.

Good news everyone, I found the bug in gather-package-list.nasl and was able to retrieve a package list from a Solaris box. The checks seem to have been executed as well, but they don't seem to return a message just yet if I'm not mistaken. I've attached a KB of the test run in case anyone is interested.

The cause of the bug was the SuSE detection in gather-package-list.nasl; it evaluated ("SUSE">

References: <49245DBD.6010905@securityspace.com>
Message-ID: <20081120093334.GB1575@intevation.de>

* Thomas Reinke [20. Nov 2008]:
> These tests appear (unless we've missed a few) all the equivalent
> of local security checks for linux type systems, requiring registry
> access.
>
> Shouldn't these be put into a family that reflects their nature?
> E.g. existing category "Windows"? Or if this is too generic, something
> like "Windows local security checks"?

I think this is a good idea. It would make the structure much more consistent with the other {Debian,FreeBSD,etc} Local Security Checks.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Fri Nov 21 10:38:23 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 21 Nov 2008 10:38:23 +0100
Subject: [Openvas-plugins] Script family for windows local checks
In-Reply-To: <49245DBD.6010905@securityspace.com>
References: <49245DBD.6010905@securityspace.com>
Message-ID: <200811211038.23644.jan-oliver.wagner@intevation.de>

On Wednesday 19 November 2008 19:41:01 Thomas Reinke wrote:
> We've been noting that tests that would be, for lack of a better name,
> classified as Windows local security checks are being categorized
> in the family "Misc.", "General", "Denial of Service", and so on.
>
> These tests appear (unless we've missed a few) all the equivalent
> of local security checks for linux type systems, requiring registry
> access.
>
> Shouldn't these be put into a family that reflects their nature?
> E.g. existing category "Windows"? Or if this is too generic, something
> like "Windows local security checks"?
>
> For MS bulletins, the category currently being used is "Windows",
> but there is already a category specifically for these,
> i.e. "Windows : Microsoft Bulletins". I suspect the various
> *ms08*.nasl scripts should be using that family.

It is a long-standing issue to me that we need to consolidate the families.

Perhaps the best approach is to write a CR that provides definitions (or some other sort of characterization) for the families we should maintain. This might be a challenging task and it might take some time to agree on the (potentially changed/extended) set of families.

This might also relate to the thoughts about the OID scheme, but I am not sure yet.

Best

Jan

From michael.wiegand at intevation.de Mon Nov 24 10:24:34 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 24 Nov 2008 10:24:34 +0100
Subject: [Openvas-plugins] Script family for windows local checks
In-Reply-To: <200811211038.23644.jan-oliver.wagner@intevation.de>
References: <49245DBD.6010905@securityspace.com> <200811211038.23644.jan-oliver.wagner@intevation.de>
Message-ID: <20081124092434.GB17969@intevation.de>

* Jan-Oliver Wagner [21. Nov 2008]:
> it is a long-standing issue to me that we need to consolidate the
> families.
>
> Perhaps the best approach is to write a CR that provides definitions
> (or some other sort of characterization) for the families we should
> maintain. This might be a challenging task and it might take some time
> to agree on the (potentially changed/extended) set of families.
>
> This might also relate to the thoughts about OID scheme, but I am not
> sure yet.

I agree. I've thought about integrating the family in the OID, but then again an NVT might belong to more than one family. I think a more flexible approach would be best instead of forcing an organisation along family lines. It might be more useful to some people to sort them by CVE, affected product, affected service or whatever.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bchandra at secpod.com Wed Nov 26 10:40:10 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Wed, 26 Nov 2008 15:10:10 +0530
Subject: [Openvas-plugins] Script family for windows local checks
In-Reply-To: <20081124092434.GB17969@intevation.de>
References: <49245DBD.6010905@securityspace.com> <200811211038.23644.jan-oliver.wagner@intevation.de> <20081124092434.GB17969@intevation.de>
Message-ID:

Families are decided in most cases based on the characteristics of the vulnerability. I can start with the documentation.

Thanks,
Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Michael Wiegand
Sent: Monday, November 24, 2008 2:55 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] Script family for windows local checks

* Jan-Oliver Wagner [21. Nov 2008]:
> it is a long-standing issue to me that we need to consolidate the
> families.
>
> Perhaps the best approach is to write a CR that provides definitions
> (or some other sort of characterization) for the families we should
> maintain. This might be a challenging task and it might take some time
> to agree on the (potentially changed/extended) set of families.
>
> This might also relate to the thoughts about OID scheme, but I am not
> sure yet.

I agree. I've thought about integrating the family in the OID, but then again an NVT might belong to more than one family. I think a more flexible approach would be best instead of forcing an organisation along family lines. It might be more useful to some people to sort them by CVE, affected product, affected service or whatever.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From meyer at strato-rz.de Wed Nov 26 12:16:22 2008
From: meyer at strato-rz.de (Michael Meyer)
Date: Wed, 26 Nov 2008 12:16:22 +0100
Subject: [Openvas-plugins] Unknown services banners
Message-ID: <20081126111622.GB5172@strato-rz.de>

Hello,

An unknown server is running on this port.
If you know what it is, please send this banner to the OpenVAS team:

0x00: 35 00 00 00 0A 34 2E 31 2E 31 30 61 00 9F 00 00    5....4.1.10a....
0x10: 00 4B 56 4D 60 7A 65 6B 6C 00 2C A2 08 02 00 00    .KVM`zekl.,.....
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 59 59 34 37    ............YY47
0x30: 58 36 44 34 74 6E 4A 66 00 16 00 00 01 FF 13 04    X6D4tnJf........
0x40: 23 30 38 53 30 31 42 61 64 20 68 61 6E 64 73 68    #08S01Bad handsh
0x50: 61 6B 65                                            ake

^ MySQL (3306)

Michael

From michael.wiegand at intevation.de Fri Nov 28 16:23:16 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Fri, 28 Nov 2008 16:23:16 +0100
Subject: [Openvas-plugins] CR #22: script_tag command - Call For Votes
Message-ID: <20081128152316.GF4017@intevation.de>

Hello,

I've just uploaded another change request. This one proposes adding a script_tag command to NASL which would help NVT writers to manage the properties of their scripts in a more flexible way.

The change request is available at:

http://www.openvas.org/openvas-cr-22.html

I'd like to ask all of you to take a look at it (especially the NASL developers) and to cast your vote. Let me know if you have any suggestions or questions.

Thank you and have a great weekend!

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
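The "Unknown services banners" message from Michael Meyer above identifies the dump by eye as MySQL. The following is an added example, not part of the thread and not OpenVAS code: it rebuilds the bytes from that hex dump (embedded below as constructed input), splits them into MySQL packets and parses the first as a protocol-version-10 server greeting and the second as an error packet, returning the fields a banner check would record. The field layout follows the public MySQL handshake-v10 wire format as I know it; the function names, the dict keys and the capability-flag table are this example's own.

```python
"""Fingerprint the MySQL banner from the mailing-list message (added example)."""

# The hex dump exactly as it appeared in the message (constructed input).
DUMP = """\
0x00: 35 00 00 00 0A 34 2E 31 2E 31 30 61 00 9F 00 00    5....4.1.10a....
0x10: 00 4B 56 4D 60 7A 65 6B 6C 00 2C A2 08 02 00 00    .KVM`zekl.,.....
0x20: 00 00 00 00 00 00 00 00 00 00 00 00 59 59 34 37    ............YY47
0x30: 58 36 44 34 74 6E 4A 66 00 16 00 00 01 FF 13 04    X6D4tnJf........
0x40: 23 30 38 53 30 31 42 61 64 20 68 61 6E 64 73 68    #08S01Bad handsh
0x50: 61 6B 65                                            ake
"""

# Lower 16 capability bits of the v10 greeting (names from the MySQL protocol docs).
CAPABILITY_FLAGS = {
    0x0001: "CLIENT_LONG_PASSWORD", 0x0002: "CLIENT_FOUND_ROWS",
    0x0004: "CLIENT_LONG_FLAG", 0x0008: "CLIENT_CONNECT_WITH_DB",
    0x0010: "CLIENT_NO_SCHEMA", 0x0020: "CLIENT_COMPRESS",
    0x0040: "CLIENT_ODBC", 0x0080: "CLIENT_LOCAL_FILES",
    0x0100: "CLIENT_IGNORE_SPACE", 0x0200: "CLIENT_PROTOCOL_41",
    0x0400: "CLIENT_INTERACTIVE", 0x0800: "CLIENT_SSL",
    0x1000: "CLIENT_IGNORE_SIGPIPE", 0x2000: "CLIENT_TRANSACTIONS",
    0x4000: "CLIENT_RESERVED", 0x8000: "CLIENT_SECURE_CONNECTION",
}


def hexdump_to_bytes(dump):
    """Turn 'offset: xx xx ... ascii' lines back into raw bytes.

    A line carries at most 16 byte tokens after the offset; the ASCII column
    is skipped by stopping at the first token that is not two hex digits."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[1:]  # drop the "0xNN:" offset
        for tok in tokens[:16]:
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def split_packets(buf):
    """Split a byte stream into (sequence_id, payload) MySQL packets.

    Header: 3-byte little-endian payload length, then a 1-byte sequence id."""
    packets, pos = [], 0
    while pos + 4 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "little")
        payload = buf[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((buf[pos + 3], payload))
        pos += 4 + length
    return packets


def parse_handshake_v10(payload):
    """Parse a protocol-version-10 server greeting into a dict."""
    if not payload or payload[0] != 0x0A:
        raise ValueError("not a v10 handshake")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii")
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little"); pos += 4
    scramble = payload[pos:pos + 8]; pos += 9      # 8 bytes scramble + 1 filler
    cap_lo = int.from_bytes(payload[pos:pos + 2], "little"); pos += 2
    charset = payload[pos]; pos += 1
    status = int.from_bytes(payload[pos:pos + 2], "little"); pos += 2
    cap_hi = int.from_bytes(payload[pos:pos + 2], "little"); pos += 2
    pos += 1 + 10                                   # auth-data length + reserved
    # 4.1-style servers append a second, NUL-terminated part of the scramble.
    scramble += payload[pos:payload.index(b"\x00", pos)]
    caps = cap_lo | (cap_hi << 16)
    return {
        "server_version": version,
        "connection_id": conn_id,
        "scramble_len": len(scramble),
        "capabilities": caps,
        "capability_names": sorted(n for b, n in CAPABILITY_FLAGS.items() if caps & b),
        "charset": charset,
        "status": status,
        "ssl_offered": bool(caps & 0x0800),         # worth recording in a scan
    }


def parse_error(payload):
    """Parse an ERR packet: 0xFF, 2-byte error code, '#' + SQLSTATE, message."""
    if not payload or payload[0] != 0xFF:
        raise ValueError("not an ERR packet")
    code = int.from_bytes(payload[1:3], "little")
    if payload[3:4] == b"#":
        return code, payload[4:9].decode("ascii"), payload[9:].decode("ascii")
    return code, None, payload[3:].decode("ascii")


def fingerprint(buf):
    """What a banner check would record for this port."""
    packets = split_packets(buf)
    result = {"service": "mysql", **parse_handshake_v10(packets[0][1])}
    if len(packets) > 1 and packets[1][1][:1] == b"\xff":
        result["error"] = parse_error(packets[1][1])
    return result


if __name__ == "__main__":
    for key, value in fingerprint(hexdump_to_bytes(DUMP)).items():
        print("%-18s %r" % (key, value))
```

Running it confirms the manual identification: the greeting announces server version 4.1.10a with the 4.1 (20-byte scramble) authentication scheme, and the trailing packet is the server's error 1043 / SQLSTATE 08S01 "Bad handshake", i.e. its reply to the scanner's non-MySQL probe. The capability bits also show that this instance did not advertise CLIENT_SSL, which is the kind of detail a detection script can report alongside the version.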