From kost at linux.hr Mon Sep 1 00:30:07 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Mon, 01 Sep 2008 00:30:07 +0200
Subject: [Openvas-plugins] [Fwd: [Openvas-commits] r1251 - in trunk/openvas-plugins: . scripts]
Message-ID: <48BB1B6F.8030506@linux.hr>

I need some OIDS/IDs to put in these scripts. Currently, I'm using some
placeholder values.

Thanks in advance!

-------- Original Message --------
Subject: [Openvas-commits] r1251 - in trunk/openvas-plugins: . scripts
Date: Sun, 31 Aug 2008 23:34:06 +0200 (CEST)
From: scm-commit at wald.intevation.org
Reply-To: openvas-devel at wald.intevation.org
To: openvas-commits at wald.intevation.org

Author: kost
Date: 2008-08-31 23:34:05 +0200 (Sun, 31 Aug 2008)
New Revision: 1251

Added:
   trunk/openvas-plugins/scripts/ike-scan.nasl
   trunk/openvas-plugins/scripts/pnscan.nasl
   trunk/openvas-plugins/scripts/portbunny.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
added support for two more TCP port scanners (as NASL wrappers) and one for IKE (VPN's).

From timb at nth-dimension.org.uk Tue Sep 2 14:01:08 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Tue, 2 Sep 2008 13:01:08 +0100
Subject: [Openvas-plugins] [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses)
In-Reply-To: <161802.88731.qm@web26008.mail.ukl.yahoo.com>
References: <161802.88731.qm@web26008.mail.ukl.yahoo.com>
Message-ID: <200809021301.08754.timb@nth-dimension.org.uk>

On Monday 01 September 2008 18:37:43 Christian Eric EDJENGUELE wrote:
> so, i made a HTTP GET REQUEST, does openvas has a function to lookup for
> specific string in the header ?
>
> for example if the response look like this:
>
> date: 12/30/2008
> server: apache 2.25 (Win32)
>
> can I get the header 'server' and lookup for the string Win32 ? or they are
> not function that do that, and I've to use alternate method (regular

Yes, there are several ways to do this. Either the >< operator or stridx can
be used for this purpose.
For example:

# the needle is the left operand of ><, the haystack the right one
if ("Win32" >< response)
{
    ...
}

or:

# stridx() returns the match offset, or -1 when there is no match
if (stridx(response, "Win32") >= 0)
{
    ...
}

Cheers,
Tim
-- 
Tim Brown

From c_edjenguele at yahoo.it Tue Sep 2 14:25:33 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 2 Sep 2008 12:25:33 +0000 (GMT)
Subject: [Openvas-plugins] [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses)
Message-ID: <570889.38196.qm@web26001.mail.ukl.yahoo.com>

yes, I have made exactly in that way.

===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com
---
Management, Developers, Security Professionals ... can only result in one thing ... better security.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008

From c_edjenguele at yahoo.it Tue Sep 2 14:59:05 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 2 Sep 2008 12:59:05 +0000 (GMT)
Subject: [Openvas-plugins] MS00-06 NVT
Message-ID: <822313.20262.qm@web26006.mail.ukl.yahoo.com>

Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and EMC Legato information gathering modules. Note that the script_id is missing.

# OpenVAS Vulnerability Test
# $Id$
# Description:
# This program test for the following vulnerabilities:
# Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006)
# Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006)
# Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006)
# Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006)
#
# Author:
# Christian Eric Edjenguele
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 and later,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#


if(description)
{
  script_id(00000);
  script_bugtraq_id(950);
  script_xref(name: "Microsoft", value: "MS00-006");
  script_cve_id("CVE-2000-0097");
  name["english"] = "Malformed Hit-Highlighting Argument Vulnerability ";
  script_name(english:name["english"]);

  desc["english"] = "
The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files,
aka the "Malformed Hit-Highlighting Argument" vulnerability.

Solution :
To Fix that, you must download the latest updates from microsoft security website:
http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp.
Risk factor : Medium";
  script_description(english:desc["english"]);

  summary["english"] = "A vulnerability on Microsoft index server allows unauthorized predictable file location";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is under GPL v2 +");
  family["english"] = "General";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes");
  script_require_ports("Services/www", 80);

  exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
port = get_http_port(default:80);
# Asp files the plugin will test
pages = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp')
# open http connection to the remote host
soc = http_open_soc(port);
if (!soc) return(1);
# Build the malicious request
foreach asp_files (pages)
{

  req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file + '%20&CiRestriction=none&CiHiliteType=Full'));
  send(socket:soc, data: req);

  # Get back the response
  reply_code = recv_line(socket:soc, length:1204);
  if(reply_code)
  {
    reply_header = recv_headers2(socket:soc);
    reply_headers = strcat(reply_code, reply_header);
    reply_body = http_recv_body(socket:soc, headers: reply_headers);
    reply_bodylowerized = reply_body.lower();
  }
  # close http connection
  http_close_socket(soc);
  # check the reply for vulnerability
  if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('') >< reply_bodylowerized)
    security_hole(port);

From kost at linux.hr Tue Sep 2 15:59:57 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Tue, 02 Sep 2008 15:59:57 +0200
Subject: [Openvas-plugins] MS00-06 NVT
In-Reply-To: <822313.20262.qm@web26006.mail.ukl.yahoo.com>
References: <822313.20262.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <48BD46DD.8090209@linux.hr>

Hello!

Thanks for the submission. But it seems your nasl script does not work
(it has syntax errors!). Have you tested the script?

I made a few fixes to your script, but I stopped fixing it because there
are a lot more errors. Here's the latest one:

openvas-nasl -X remote-ms00-06-kost.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[17659]() Unknown escape sequence \/
[17659]() Unknown escape sequence \/
syntax error, unexpected '.', expecting ';'
Parse error at or near line 84

Please, test your script at least with "openvas-nasl -X"

Christian Eric EDJENGUELE wrote:
> Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and EMC Legato information gathering modules. Note that the script_id is missing.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: remote-ms00-06-kost.nasl
Url: http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080902/252d9237/remote-ms00-06-kost.pot

From c_edjenguele at yahoo.it Tue Sep 2 16:35:44 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 2 Sep 2008 14:35:44 +0000 (GMT)
Subject: [Openvas-plugins] Filemaker Pro NVT
Message-ID: <82760.21662.qm@web26007.mail.ukl.yahoo.com>

# OpenVAS Vulnerability Test
# $Id$
# Description: This script ensures that the FileMaker database server is installed
#
# Author:
# Christian Eric Edjenguele
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 and later,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
  script_id(00000);
  name["english"] = "FileMaker service detection";
  script_name(english:name["english"]);

  desc["english"] = "
The remote host is running the Filemaker database server.

Solution :
You should Allow connection to this host only from trusted host or networks,
or disable the service if not used.
Risk factor : None";
  script_description(english:desc["english"]);

  summary["english"] = "FileMaker Pro is a cross-platform relational database application from FileMaker Inc. (a subsidiary of Apple Inc.), has compatible versions for both the Mac OS X and Microsoft Windows operating systems ";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is under GPL v2 +");
  family["english"] = "Service detection";
  script_family(english:family["english"]);
  exit(0);
}

# default port for Filemaker
port = 5003;

# GIOP "Connect" request sent as the probe
filemaker_auth_packet =  '\x47\x49\x4f\x50\x01\x02\x01\x00\x14\x01\x00\x00\x04\x00\x00\x00';
filemaker_auth_packet += '\x03\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\xff\x6f\x6d\x6e';
filemaker_auth_packet += '\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f\x41\x00\x46\x4d';
filemaker_auth_packet += '\x52\x50\x4f\x00\x08\x00\x00\x00\x43\x6f\x6e\x6e\x65\x63\x74\x00';
filemaker_auth_packet += '\x00\x00\x00\x00\x05\x00\x00\x00\x0c\x00\x00\x00\x49\x44\x4c\x3a';
filemaker_auth_packet += '\x52\x50\x4f\x3a\x31\x2e\x30\x00\x01\x00\x00\x00\x00\x00\x00\x00';
filemaker_auth_packet += '\x6c\x00\x00\x00\x01\x01\x02\x00\x0b\x00\x00\x00\x31\x30\x2e\x34';
filemaker_auth_packet += '\x2e\x31\x31\x2e\x39\x34\x00\x00\x8b\x13\x00\x00\x17\x00\x00\x00';
filemaker_auth_packet += '\xff\x6f\x6d\x6e\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f';
filemaker_auth_packet += '\x41\x00\x46\x4d\x52\x50\x4f\x00\x02\x00\x00\x00\x00\x00\x00\x00';
filemaker_auth_packet += '\x08\x00\x00\x00\x01\x00\x00\x00\x00\x54\x54\x41\x01\x00\x00\x00';
filemaker_auth_packet += '\x1c\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\x01\x00\x00\x00';
filemaker_auth_packet += '\x01\x00\x01\x05\x09\x01\x01\x00\x01\x00\x00\x00\x09\x01\x01\x00';
filemaker_auth_packet += '\x4c\x00\x00\x00\x01\x01\x08\x2d\x22\x2a\x3f\x34\x29\x2a\x68\x23';
filemaker_auth_packet += '\x69\x62\x0c\x6e\x6f\x0e\x17\x17\x63\x14\x14\x0e\x62\x6c\x6e\x63';
filemaker_auth_packet += '\x0c\x6d\x63\x6f\x69\x6f\x6d\x68\x0e\x10\x17\x0c\x17\x68\x02\x14';
filemaker_auth_packet += '\x11\x0e\x0e\x09\x0a\x28\x35\x7a\x62\x74\x6a\x2c\x6b\x11\x6a\x6a';
filemaker_auth_packet += '\x60\x6a\x39\x60\x68\x63\x60\x6f\x69\x60\x39\x6e\x60\x6c\x3b\x15';

# declare that Filemaker is not installed yet
is_filemaker = 0;

if(get_port_state(port))
{
  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc, data: filemaker_auth_packet);
    reply = recv(socket:soc, length:136);
    # Check that Filemaker is not tcpwrapped. And that it's really Filemaker.
    # stridx() returns the match offset (-1 on no match), so compare it:
    # the reply has to start with the GIOP magic at offset 0.
    if(reply && stridx(reply, "GIOP", 0) == 0) is_filemaker = 1;
    # close the socket only if it was actually opened
    close(soc);
  }
}

#
# Report Filemaker installed
#
if(is_filemaker == 1)
{
  report = "This host seems to be running the Filemaker database server";
  security_note(port:port, data:report);
}
Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it From c_edjenguele at yahoo.it Tue Sep 2 16:54:31 2008 From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE) Date: Tue, 2 Sep 2008 14:54:31 +0000 (GMT) Subject: [Openvas-plugins] NVT's Message-ID: <492728.13810.qm@web26005.mail.ukl.yahoo.com> Hello, the error in the?previous?script that?I've sent, was caused by the?encoding of my?mail client. ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 ----- Messaggio originale ----- Da: "openvas-plugins-request at wald.intevation.org" A: openvas-plugins at wald.intevation.org Inviato: Marted? 2 settembre 2008, 16:35:58 Oggetto: Openvas-plugins Digest, Vol 10, Issue 2 Send Openvas-plugins mailing list submissions to ??? openvas-plugins at wald.intevation.org To subscribe or unsubscribe via the World Wide Web, visit ??? http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins or, via email, send a message with subject or body 'help' to ??? openvas-plugins-request at wald.intevation.org You can reach the person managing the list at ??? openvas-plugins-owner at wald.intevation.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Openvas-plugins digest..." Today's Topics: ? 1. Re: [Openvas-devel] Plugins development (moved to??? -plugins, ? ? ? please do not cc -devel in further responses) (Tim Brown) ? 2. Re: [Openvas-devel] Plugins development (moved to??? -plugins, ? ? ? please do not cc -devel in further responses) ? ? ? (Christian Eric EDJENGUELE) ? 3. MS00-06 NVT (Christian Eric EDJENGUELE) ? 4. Re: MS00-06 NVT (Vlatko Kosturjak) ? 
5. Filemaker Pro NVT (Christian Eric EDJENGUELE) ---------------------------------------------------------------------- Message: 1 Date: Tue, 2 Sep 2008 13:01:08 +0100 From: Tim Brown Subject: Re: [Openvas-plugins] [Openvas-devel] Plugins development ??? (moved to??? -plugins, please do not cc -devel in further responses) To: openvas-plugins at wald.intevation.org Cc: Christian Eric EDJENGUELE , ??? openvas-devel at wald.intevation.org Message-ID: <200809021301.08754.timb at nth-dimension.org.uk> Content-Type: text/plain;? charset="utf-8" On Monday 01 September 2008 18:37:43 Christian Eric EDJENGUELE wrote: > so, i made a HTTP GET REQUEST,?does openvas has a function to?lookup for > specific string in the header ? > > for example if the response look like this: > > date: 12/30/2008 > server: apache 2.25 (Win32) > > can I get the header 'server' and lookup for the string Win32 ? or they are > not function that do that, and I've to use alternate method (regular Yes, there are several ways to do this.? Either the >< operator or stridx can be used for this purpose.? For example: if (response >< Win32) { ??? ... } or: if (stridx(response, "Win32)) >= 0) { ??? ... } Cheers, Tim -- Tim Brown ------------------------------ Message: 2 Date: Tue, 2 Sep 2008 12:25:33 +0000 (GMT) From: Christian Eric EDJENGUELE Subject: Re: [Openvas-plugins] [Openvas-devel] Plugins development ??? (moved to??? -plugins, please do not cc -devel in further responses) To: Tim Brown , ??? openvas-plugins at wald.intevation.org Cc: openvas-devel at wald.intevation.org Message-ID: <570889.38196.qm at web26001.mail.ukl.yahoo.com> Content-Type: text/plain; charset=utf-8 yes, I have made exactly in that way. ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? 
better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 ----- Messaggio originale ----- Da: Tim Brown A: openvas-plugins at wald.intevation.org Cc: Christian Eric EDJENGUELE ; openvas-devel at wald.intevation.org Inviato: Marted? 2 settembre 2008, 14:01:08 Oggetto: Re: [Openvas-devel] Plugins development (moved to -plugins, please do not cc -devel in further responses) On Monday 01 September 2008 18:37:43 Christian Eric EDJENGUELE wrote: > so, i made a HTTP GET REQUEST,?does openvas has a function to?lookup for > specific string in the header ? > > for example if the response look like this: > > date: 12/30/2008 > server: apache 2.25 (Win32) > > can I get the header 'server' and lookup for the string Win32 ? or they are > not function that do that, and I've to use alternate method (regular Yes, there are several ways to do this.? Either the >< operator or stridx can be used for this purpose.? For example: if (response >< Win32) { ??? ... } or: if (stridx(response, "Win32)) >= 0) { ??? ... } Cheers, Tim -- Tim Brown __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it ------------------------------ Message: 3 Date: Tue, 2 Sep 2008 12:59:05 +0000 (GMT) From: Christian Eric EDJENGUELE Subject: [Openvas-plugins] MS00-06 NVT To: openvas-plugins Message-ID: <822313.20262.qm at web26006.mail.ukl.yahoo.com> Content-Type: text/plain; charset=utf-8 Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and EMC Legato information gathering modules. Note that the script_id is missing. 
# OpenVAS Vulnerability Test # $Id$ # Description: # This program test for the following vulnerabilities: # Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006) # Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006) # Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006) # Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006) # # Author: # Christian Eric Edjenguele # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 and later, # as published by the Free Software Foundation # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # ? ?if(description) { script_id(00000); script_bugtraq_id(950); script_xref(name: "Microsoft", value: "MS00-006"); script_cve_id("CVE-2000-0097"); name["english"] = "Malformed Hit-Highlighting Argument Vulnerability "; script_name(english:name["english"]); ? ?desc["english"] = " The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability.? Solution : To Fix that, you must download the latest upodates from microsoft security website: http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp. Risk factor : Medium"; script_description(english:desc["english"]); ? summary["english"] = "A vulnerability on Microsoft index server allows unauthorized predictable file location"; script_summary(english:summary["english"]); ? script_category(ACT_GATHER_INFO); ? 
script_copyright(english:"This script is under GPL v2 +"); family["english"] = "General"; script_family(english:family["english"]); script_dependencie("find_service.nes"); script_require_ports("Services/www", 80); ?exit(0); } # # The script code starts here # include("http_func.inc"); port = get_http_port(default:80); # Asp files the plugin will test pages? = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp') # open http connection to the remote host soc = http_open_soc(port); if (!soc) return(1); # Build the malicious request ?foreach asp_files (pages) { ? ?req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file + '%20&CiRestriction=none&CiHiliteType=Full')); ?send(socket:soc, data: req); ? # Get back the response reply_code = recv_line(socket:soc, length:1204); if(reply_code) { reply_header = recv_headers2(socket:soc); reply_headers = strcat(reply_code, reply_header); reply_body = http_recv_body(socket:soc, headers: reply_headers); reply_bodylowerized = reply_body.lower(); } # clode http connection http_close_socket(soc); # check the reply for vulnerability if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('') >< reply_bodylowerized) security_hole(port); ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! 
Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it ------------------------------ Message: 4 Date: Tue, 02 Sep 2008 15:59:57 +0200 From: Vlatko Kosturjak Subject: Re: [Openvas-plugins] MS00-06 NVT To: openvas-plugins Message-ID: <48BD46DD.8090209 at linux.hr> Content-Type: text/plain; charset="utf-8" Hello! Thanks for the submission. But it seems your nasl script does not work (it has syntax errors!). Have you tested the script? I made few fixes to your script, but I stopped fixing it because there is lot more errors. here's the latest one: openvas-nasl -X remote-ms00-06-kost.nasl ** WARNING : packet forgery will not work ** as NASL is not running as root [17659]() Unknown escape sequence \/ [17659]() Unknown escape sequence \/ syntax error, unexpected '.', expecting ';' Parse error at or near line 84 Please, test your script at least with "openvas-nasl -X" Christian Eric EDJENGUELE wrote: > Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and EMC Legato information gathering modules. Note that the script_id is missing. 
> > # OpenVAS Vulnerability Test > # $Id$ > # Description: > # This program test for the following vulnerabilities: > # Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006) > # Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006) > # Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006) > # Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006) > # > # Author: > # Christian Eric Edjenguele > # > # This program is free software; you can redistribute it and/or modify > # it under the terms of the GNU General Public License version 2 and later, > # as published by the Free Software Foundation > # > # This program is distributed in the hope that it will be useful, > # but WITHOUT ANY WARRANTY; without even the implied warranty of > # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the > # GNU General Public License for more details. > # > # You should have received a copy of the GNU General Public License > # along with this program; if not, write to the Free Software > # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. > # > >? >? if(description) > { > script_id(00000); > script_bugtraq_id(950); > script_xref(name: "Microsoft", value: "MS00-006"); > script_cve_id("CVE-2000-0097"); > name["english"] = "Malformed Hit-Highlighting Argument Vulnerability "; > script_name(english:name["english"]); >? >? desc["english"] = " > The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, > aka the "Malformed Hit-Highlighting Argument" vulnerability.? > > Solution : > To Fix that, you must download the latest upodates from microsoft security website: > http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp. > Risk factor : Medium"; > script_description(english:desc["english"]); >? 
> summary["english"] = "A vulnerability on Microsoft index server allows unauthorized predictable file location"; > script_summary(english:summary["english"]); >? > script_category(ACT_GATHER_INFO); >? > script_copyright(english:"This script is under GPL v2 +"); > family["english"] = "General"; > script_family(english:family["english"]); > script_dependencie("find_service.nes"); > script_require_ports("Services/www", 80); > >? exit(0); > } > # > # The script code starts here > # > include("http_func.inc"); > port = get_http_port(default:80); > # Asp files the plugin will test > pages? = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp') > # open http connection to the remote host > soc = http_open_soc(port); > if (!soc) return(1); > # Build the malicious request >? foreach asp_files (pages) > { >? >? req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file + '%20&CiRestriction=none&CiHiliteType=Full')); >? send(socket:soc, data: req); >? > # Get back the response > reply_code = recv_line(socket:soc, length:1204); > if(reply_code) > { > reply_header = recv_headers2(socket:soc); > reply_headers = strcat(reply_code, reply_header); > reply_body = http_recv_body(socket:soc, headers: reply_headers); > reply_bodylowerized = reply_body.lower(); > } > # clode http connection > http_close_socket(soc); > # check the reply for vulnerability > if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('') >< reply_bodylowerized) > security_hole(port); >? === > Christian Eric Edjenguele > IT Security Software Developer & Researcher > tel. +39 3408580513 > View my linkedin profile: http://www.linkedin.com/in/edjenguele > My blog: http://www.edjenguele.blogspot.com > --- > Management, Developers, Security Professionals ? can only result in one thing?? better security. > http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 > > __________________________________________________ > Do You Yahoo!? 
> _______________________________________________
> Openvas-plugins mailing list
> Openvas-plugins at wald.intevation.org
> http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: remote-ms00-06-kost.nasl
Url: http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080902/252d9237/remote-ms00-06-kost.pot

------------------------------

Message: 5
Date: Tue, 2 Sep 2008 14:35:44 +0000 (GMT)
From: Christian Eric EDJENGUELE
Subject: [Openvas-plugins] Filemaker Pro NVT
To: openvas-plugins
Message-ID: <82760.21662.qm at web26007.mail.ukl.yahoo.com>
Content-Type: text/plain; charset=utf-8

# OpenVAS Vulnerability Test
# $Id$
# Description: This script ensure that the FileMaker database server is installed
#
# Author:
# Christian Eric Edjenguele
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 and later,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
  script_id(00000);
  name["english"] = "FileMaker service detection";
  script_name(english:name["english"]);

  desc["english"] = "
The remote host is running the Filemaker database server.

Solution :
You should Allow connection to this host only from trusted host or networks, or disable the service if not used.

Risk factor : None";
  script_description(english:desc["english"]);

  summary["english"] = "FileMaker Pro is a cross-platform relational database application from FileMaker Inc. (a subsidiary of Apple Inc.), has compatible versions for both the Mac OS X and Microsoft Windows operating systems ";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is under GPL v2 +");
  family["english"] = "Service detection";
  script_family(english:family["english"]);
  exit(0);
}

# default port for Filemaker
port = 5003;

filemaker_auth_packet =  '\x47\x49\x4f\x50\x01\x02\x01\x00\x14\x01\x00\x00\x04\x00\x00\x00';
filemaker_auth_packet += '\x03\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\xff\x6f\x6d\x6e';
filemaker_auth_packet += '\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f\x41\x00\x46\x4d';
filemaker_auth_packet += '\x52\x50\x4f\x00\x08\x00\x00\x00\x43\x6f\x6e\x6e\x65\x63\x74\x00';
filemaker_auth_packet += '\x00\x00\x00\x00\x05\x00\x00\x00\x0c\x00\x00\x00\x49\x44\x4c\x3a';
filemaker_auth_packet += '\x52\x50\x4f\x3a\x31\x2e\x30\x00\x01\x00\x00\x00\x00\x00\x00\x00';
filemaker_auth_packet += '\x6c\x00\x00\x00\x01\x01\x02\x00\x0b\x00\x00\x00\x31\x30\x2e\x34';
filemaker_auth_packet += '\x2e\x31\x31\x2e\x39\x34\x00\x00\x8b\x13\x00\x00\x17\x00\x00\x00';
filemaker_auth_packet += '\xff\x6f\x6d\x6e\x69\x49\x4e\x53\x50\x4f\x41\xff\x46\x4d\x50\x4f';
filemaker_auth_packet += '\x41\x00\x46\x4d\x52\x50\x4f\x00\x02\x00\x00\x00\x00\x00\x00\x00';
filemaker_auth_packet += '\x08\x00\x00\x00\x01\x00\x00\x00\x00\x54\x54\x41\x01\x00\x00\x00';
filemaker_auth_packet += '\x1c\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\x01\x00\x00\x00';
filemaker_auth_packet += '\x01\x00\x01\x05\x09\x01\x01\x00\x01\x00\x00\x00\x09\x01\x01\x00';
filemaker_auth_packet += '\x4c\x00\x00\x00\x01\x01\x08\x2d\x22\x2a\x3f\x34\x29\x2a\x68\x23';
filemaker_auth_packet += '\x69\x62\x0c\x6e\x6f\x0e\x17\x17\x63\x14\x14\x0e\x62\x6c\x6e\x63';
filemaker_auth_packet += '\x0c\x6d\x63\x6f\x69\x6f\x6d\x68\x0e\x10\x17\x0c\x17\x68\x02\x14';
filemaker_auth_packet += '\x11\x0e\x0e\x09\x0a\x28\x35\x7a\x62\x74\x6a\x2c\x6b\x11\x6a\x6a';
filemaker_auth_packet += '\x60\x6a\x39\x60\x68\x63\x60\x6f\x69\x60\x39\x6e\x60\x6c\x3b\x15';

# declare that Filemaker is not installed yet
is_filemaker = 0;

if(get_port_state(port))
{
  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc, data: filemaker_auth_packet);
    reply = recv(socket:soc, length:136);

    # Check that Filemaker is not tcpwrapped. And that it's really Filemaker
    # (stridx returns -1 when the substring is not found, so test for >= 0)
    if(reply && stridx(reply, "GIOP", 0) >= 0) is_filemaker = 1;

    # close the socket only if it was actually opened
    close(soc);
  }
}

#
# Report Filemaker installed
#
if(is_filemaker == 1)
{
  report = "This host seems to be running the Filemaker database server";
  security_note(port:port, data:report);
}

===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

------------------------------

End of Openvas-plugins Digest, Vol 10, Issue 2
**********************************************

From jan-oliver.wagner at intevation.de Tue Sep 2 17:19:38 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Tue, 2 Sep 2008 17:19:38 +0200
Subject: [Openvas-plugins] Defining IDs for NASL scripts
In-Reply-To: <48BB1B6F.8030506@linux.hr>
References: <48BB1B6F.8030506@linux.hr>
Message-ID: <200809021719.40585.jan-oliver.wagner@intevation.de>

On Monday, 1 September 2008, Vlatko Kosturjak wrote:
> I need some OIDS/IDs to put in these scripts. Currently, I'm using some
> placeholder values.

Here is a quick proposal for the time being until OID settled:
  • 1NNNN: Scripts inherited from Nessus
  • 2NNNN: Scripts inherited from Nessus
  • 3NNNN: Not assigned yet.
  • 4NNNN: Not assigned yet.
  • 5NNNN: Contributions by Security Space
  • 6NNNN: Contributions by Security Space
  • 7NNNN: Not assigned yet.
  • 8NNNN: Not assigned yet.
  • 9NNNN: Contributions by DN Systems
  • 10NNNN: Not assigned yet.
  • ...
  • 20NNNN: Contributions by Ferdy Riphagen
  • ...
  • 90NNNN: Contributions by SecPod
At least that's what I found so far.

I've seen you just recently using 9NNNN as well.
Perhaps reassign to one of the free groups?

Anyone: Please let me know if some slipped out of my attention.

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From lists at securityspace.com Tue Sep 2 17:23:23 2008
From: lists at securityspace.com (Thomas Reinke)
Date: Tue, 02 Sep 2008 11:23:23 -0400
Subject: [Openvas-plugins] MS00-06 NVT
In-Reply-To: <822313.20262.qm@web26006.mail.ukl.yahoo.com>
References: <822313.20262.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <48BD5A6B.6090304@securityspace.com>

> # Build the malicious request
> foreach asp_files (pages)
          ^^^^^^^^^
> {
>
> req = http_get(item:string('\/null.htw?CiWebHitsFile=\/'+asp_file+'%20&C ...
                                                           ^^^^^^^^

You sure this script worked?

Thomas

From kost at linux.hr Tue Sep 2 19:07:53 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Tue, 02 Sep 2008 19:07:53 +0200
Subject: [Openvas-plugins] Defining IDs for NASL scripts
In-Reply-To: <200809021719.40585.jan-oliver.wagner@intevation.de>
References: <48BB1B6F.8030506@linux.hr> <200809021719.40585.jan-oliver.wagner@intevation.de>
Message-ID: <48BD72E9.2010602@linux.hr>

We must be aware of AlienVault's ID's too. I took a few minutes to take
out their list of all script_id's and script_oid's, so you can look here:

http://kost.com.hr/dl/alienvault.txt
http://kost.com.hr/dl/alienvault-oid.txt

Hope there's good communication with AlienVault, so we can arrange
ID/OIDS together.

I would make a suggestion to reserve 8NNNN for OpenVAS contributors
(like me). I can manage 8NNNN tree and get random contributions for that
tree (there's no point in having whole tree if somebody submits few nasl
scripts, so I can manage that numbers inside 8NNNN tree).

Jan-Oliver Wagner wrote:
> On Monday, 1.
September 2008, Vlatko Kosturjak wrote: >> I need some OIDS/IDs to put in these scripts. Currently, I'm using some >> placeholder values. > > Here is a quick proposal for the time being until OID settled: > >
    >
  • 1NNNN: Scripts inherited from Nessus >
  • 2NNNN: Scripts inherited from Nessus >
  • 3NNNN: Not assigned yet. >
  • 4NNNN: Not assigned yet. >
  • 5NNNN: Contributions by Security Space >
  • 6NNNN: Contributions by Security Space >
  • 7NNNN: Not assigned yet. >
  • 8NNNN: Not assigned yet. >
  • 9NNNN: Contributions by DN Systems >
  • 10NNNN: Not assigned yet. >
  • ... >
  • 20NNNN: Contributions by Ferdy Riphagen >
  • ... >
  • 90NNNN: Contributions by SecPod >
> > At least thats what I found so far. > > I've seen you just recently using 9NNNN as well. > Perhaps reassign to on of the free groups? > > > Anyone: Please let me know if some slipped out of my attention. > > > Best > > Jan > From michael.wiegand at intevation.de Wed Sep 3 08:06:47 2008 From: michael.wiegand at intevation.de (Michael Wiegand) Date: Wed, 3 Sep 2008 08:06:47 +0200 Subject: [Openvas-plugins] Defining IDs for NASL scripts In-Reply-To: <48BD72E9.2010602@linux.hr> References: <48BB1B6F.8030506@linux.hr> <200809021719.40585.jan-oliver.wagner@intevation.de> <48BD72E9.2010602@linux.hr> Message-ID: <200809030806.47255.michael.wiegand@intevation.de> Am Dienstag, 2. September 2008 19:07:53 schrieb Vlatko Kosturjak: > > Here is a quick proposal for the time being until OID settled: > > > >
    > >
  • 1NNNN: Scripts inherited from Nessus > >
  • 2NNNN: Scripts inherited from Nessus > >
  • 3NNNN: Not assigned yet. > >
  • 4NNNN: Not assigned yet. > >
  • 5NNNN: Contributions by Security Space > >
  • 6NNNN: Contributions by Security Space > >
  • 7NNNN: Not assigned yet. > >
  • 8NNNN: Not assigned yet. > >
  • 9NNNN: Contributions by DN Systems > >
  • 10NNNN: Not assigned yet. > >
  • ... > >
  • 20NNNN: Contributions by Ferdy Riphagen > >
  • ... > >
  • 90NNNN: Contributions by SecPod > >
> >
> > Anyone: Please let me know if some slipped out of my attention.

According to openvas-libnasl/doc/nasl_guide.tex, the IDs between 90000 and
99000 are intended for private use:

"If you plan to distribute your nasl script, then the nessus.org folks will
attribute one for you. If you plan to keep your set of scripts private
(booo!), then you can use any ID number between 90000 and 99000."

Maybe we should continue this scheme and ask contributors without an assigned
block to use these numbers; Kost could assign them an 8XXXX number once they
are accepted into -plugins.

I myself will need a block for OVAL plugins as well; they all have working
OIDs as per CR #13, but until we switch OTP to OID-only, I need to have a
legacy ID block for them as well. I'll think of a scheme for the IDs and will
let you know how many I need.

Regards,

Michael

--
Michael Wiegand
OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück
http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Wed Sep 3 10:38:21 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Wed, 3 Sep 2008 10:38:21 +0200
Subject: [Openvas-plugins] Defining IDs for NASL scripts
In-Reply-To: <48BD72E9.2010602@linux.hr>
References: <48BB1B6F.8030506@linux.hr> <200809021719.40585.jan-oliver.wagner@intevation.de> <48BD72E9.2010602@linux.hr>
Message-ID: <200809031038.24316.jan-oliver.wagner@intevation.de>

On Tuesday, 2 September 2008, Vlatko Kosturjak wrote:
> We must be aware of AlienVault's ID's too. I took few minutes to take
> out their list of all script_id's and script_oid's, so you can look here:
> http://kost.com.hr/dl/alienvault.txt
> http://kost.com.hr/dl/alienvault-oid.txt
> Hope there's good communication with AlienVault, so we can arrange
> ID/OIDS together.

Their own scripts (I assume alien_*) would match 10NNNNN which is
currently not assigned, so no problem with that.

Not sure where the DSA and GLSA come from. They would match with the
above as well.

Then there are some scripts I do know out of the box where they belong to:

mailenable_imap_dos.nasl:script_id(1020008);
modicon_plc_ftp_server.nasl:script_id(1020001);
nctsoft_audiofileax.nasl:script_id(1020006);
realplayer_rmoc3260.nasl:script_id(1020005);
realvnc_client_dos.nasl:script_id(1020007);

The secpod_* are no problem again.

And then again some others we also need to judge individually:

siteserver_xss.nasl:script_id(90137);
smb_login.nasl:script_id(10394);
smb_registry_access.nasl:script_id(10400);
smb_registry_full_access.nasl:script_id(10428);
smb_reg_service_pack.nasl:script_id(10401);
ssh_get_info.nasl:script_id(50282);
surgemail_imap_dos.nasl:script_id(1020003);
vsftpd_memory_consumption.nasl:script_id(1020002);
webex_activex_atucfobj_overflow.nasl:script_id(1020025);
wingate_imap_buffer_overflow.nasl:script_id(1020007);

> I would make a suggestion to reserve 8NNNN for OpenVAS contributors
> (like me). I can manage 8NNNN tree and get random contributions for that
> tree (there's no point in having whole tree if somebody submits few nasl
> scripts, so I can manage that numbers inside 8NNNN tree).

We have enough of the big ranges, so why not use them?
It is only temporary anyway as the actual goal is OID.

Just my quick analysis. Takers for clarification of the remaining
issues as described above? Other problems?

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner From c_edjenguele at yahoo.it Thu Sep 4 16:41:30 2008 From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE) Date: Thu, 4 Sep 2008 14:41:30 +0000 (GMT) Subject: [Openvas-plugins] NVTs: Sybase information garthering modules Message-ID: <170964.9195.qm@web26007.mail.ukl.yahoo.com> Hi here two plugins for Sybase info gathering todo: modify the plugins in order to perform the request also?over ssl. # OpenVAS Vulnerability Test # $Id$ # Description: This script ensure that the FileMaker database server is installed # # Author: # Christian Eric Edjenguele # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 and later, # as published by the Free Software Foundation # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # if(description) { script_id(00000); name["english"] = "Sybase Enterprise Application Server service detection"; script_name(english:name["english"]); ? ?desc["english"] = " The remote host is running the Sybase Enterprise Application Server.? Solution : It's recommended to allow connection to this host only from trusted host or networks, or disable the service if not used. Risk factor : None"; script_description(english:desc["english"]); ? summary["english"] = "Sybase EAServer is the open application server from Sybase Inc an enterprise software and services company exclusively focused on managing and mobilizing information. "; script_summary(english:summary["english"]); ? script_category(ACT_GATHER_INFO); ? 
script_copyright(english:"This script is under GPL v2 +"); family["english"] = "Service detection"; script_family(english:family["english"]); ?exit(0); } # # The script code starts here # include("http_func.inc"); include("http_keepalive.inc"); port = get_http_port(default:80); if ( ! port ) exit(0); if(!get_port_state(port))exit(0); buf = http_get(item:"/", port:port); r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1); if( r == NULL )exit(0); if(("076Sybase EAServer<" >< r || egrep(pattern:"076Sybase EAServer", string:r))) security_note(port); ? # OpenVAS Vulnerability Test # $Id$ # Description: This script ensure that the FileMaker database server is installed # # Author: # Christian Eric Edjenguele <christian.edjenguele at owasp.org> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 and later, # as published by the Free Software Foundation # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.? See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # if(description) { script_id(00000); name["english"] = "Sybase Enterprise Application Server service detection"; script_name(english:name["english"]); ? ?desc["english"] = " The remote host is running the Sybase Enterprise Application Server JSP Administration Console.? Solution : It's recommended to allow connection to this host only from trusted host or networks, or disable the service if not used. Risk factor : None"; script_description(english:desc["english"]); ? 
summary["english"] = "Sybase EAServer is the open application server from Sybase Inc an enterprise software and services company exclusively focused on managing and mobilizing information. "; script_summary(english:summary["english"]); ? script_category(ACT_GATHER_INFO); ? script_copyright(english:"This script is under GPL v2 +"); family["english"] = "Service detection"; script_family(english:family["english"]); ?exit(0); } # # The script code starts here # include("http_func.inc"); include("http_keepalive.inc"); port = get_http_port(default:80); if ( ! port ) exit(0); if(!get_port_state(port))exit(0); buf = http_get(item:"/WebConsole/Login.jsp", port:port); r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1); if( r == NULL )exit(0); if(("<TITLE>076Sybase Management Console Login<" >< r || egrep(pattern:"076Sybase Management Console Login", string:r))) security_note(port); ? ?=== Christian Eric Edjenguele IT Security Software Developer & Researcher tel. +39 3408580513 View my linkedin profile: http://www.linkedin.com/in/edjenguele My blog: http://www.edjenguele.blogspot.com --- Management, Developers, Security Professionals ? can only result in one thing?? better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008 __________________________________________________ Do You Yahoo!? Poco spazio e tanto spam? Yahoo! Mail ti protegge dallo spam e ti da tanto spazio gratuito per i tuoi file e i messaggi http://mail.yahoo.it From lists at securityspace.com Thu Sep 4 16:52:35 2008 From: lists at securityspace.com (Thomas Reinke) Date: Thu, 04 Sep 2008 10:52:35 -0400 Subject: [Openvas-plugins] [Openvas-devel] HTTPS Request ! In-Reply-To: <841472.3927.qm@web26007.mail.ukl.yahoo.com> References: <841472.3927.qm@web26007.mail.ukl.yahoo.com> Message-ID: <48BFF633.6020206@securityspace.com> IIRC, you don't need to do anything - it's already done for you. 

Just issue your GET requests, and if the port was an SSL capable port,
the server will talk over SSL to it.

I believe (again, going on memory), that if there are cases where
both SSL and regular non-encrypted traffic are supported on the
same port, you may need to force the transport layer to be SSL.
An example of this usage appears to be in checkpoint_secureplatform.nasl
But, this is an exception, in most cases you shouldn't have to
do this.

Thomas

Christian Eric EDJENGUELE wrote:
> Hello all,
> how can I perform an HTTP GET Request over ssl with nasl api ?
> is there something like httplib.HTTPSConnection from httplib of python standard libraries ?
> if yes: what's the syntax ?
> thanks.
> ===
> Christian Eric Edjenguele
> IT Security Software Developer & Researcher
> tel. +39 3408580513
> View my linkedin profile: http://www.linkedin.com/in/edjenguele
> My blog: http://www.edjenguele.blogspot.com
>
> _______________________________________________
> Openvas-devel mailing list
> Openvas-devel at wald.intevation.org
> http://lists.wald.intevation.org/mailman/listinfo/openvas-devel

From kost at linux.hr Thu Sep 4 17:12:45 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 04 Sep 2008 17:12:45 +0200
Subject: [Openvas-plugins] [Openvas-devel] HTTPS Request !
In-Reply-To: <841472.3927.qm@web26007.mail.ukl.yahoo.com>
References: <841472.3927.qm@web26007.mail.ukl.yahoo.com>
Message-ID: <48BFFAED.2010203@linux.hr>

Christian Eric EDJENGUELE wrote:
> Hello all,
> how can I perform an HTTP GET Request over ssl with nasl api ?
> is there something like httplib.HTTPSConnection from httplib of python standard libraries ?
> if yes: what's the syntax ?

I've just cross referenced this question to openvas-plugins, so please
reply to this thread to openvas-plugins mailing list as it is plugins
related.

Here's the simplest example, but first grab the file openvas-https.inc
via SVN (it's new!) or via this URL:
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/openvas-https.inc?rev=1280&root=openvas&view=auto

This is the example:

  include("http_func.inc");
  include("http_keepalive.inc");
  include("openvas-https.inc");

  port = 3994;
  if(get_port_state(port))
  {
    req = http_get(item:"/deploymentmanager/index.jsp", port:port);
    rep = https_req_get(request:req, port:port);
    if( rep == NULL ) exit(0);
    if ("<title>SiteProtector" >< rep &&
        egrep(pattern:"Welcome to SiteProtector Deployment Manager", string:rep))
    {
      security_note(port);
    }
  }

Note that this is a basic example. A well-written script should do (instead
of just defining port):

  https = get_kb_list("Services/https");

and then:

  foreach port (https)

and then in foreach loop execute the script above. (Because there might
be web servers listening on different port than default).

This is also the case for using plain http:

  http = get_kb_list("Services/www");

and then:

  foreach port (http)

and then in foreach loop execute the script.

Kost

From kost at linux.hr Thu Sep 4 17:17:59 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 04 Sep 2008 17:17:59 +0200
Subject: [Openvas-plugins] [Openvas-devel] HTTPS Request !
In-Reply-To: <48BFF633.6020206@securityspace.com>
References: <841472.3927.qm@web26007.mail.ukl.yahoo.com> <48BFF633.6020206@securityspace.com>
Message-ID: <48BFFC27.50701@linux.hr>

Thomas Reinke wrote:
> IIRC, you don't need to do anything - it's already done for you.
>
> Just issue your GET requests, and if the port was an SSL capable port,
> the server will talk over SSL to it.
>
> I believe (again, going on memory), that if there are cases where
> both SSL and regular non-encrypted traffic are supported on the
> same port, you may need to force the transport layer to be SSL.
> An example of this usage appears to be in checkpoint_secureplatform.nasl
> But, this is an exception, in most cases you shouldn't have to
> do this.

I moved that example (you mentioned checkpoint_secureplatform.nasl, but
I used iis*nasl one) into openvas-https.inc, as there is no reason that
each nasl script have that f() defined (and I see that quite number of
scripts have that function) if they need to force SSL traffic.

Difference is that function from openvas-https.inc is called
https_req_get in order not to break other scripts which already have
function with the same name.

Kost

From c_edjenguele at yahoo.it Thu Sep 4 19:02:30 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 4 Sep 2008 17:02:30 +0000 (GMT)
Subject: [Openvas-plugins] NVT for XRMS, CVE-2008-3664
Message-ID: <631072.37822.qm@web26002.mail.ukl.yahoo.com>

Hi all,
if nobody is already working in the implementation of this, I'll do it

Multiple Cross Site Scripting (XSS) and SQL injection Vulnerabilities in XRMS, CVE-2008-3664

thanks.

===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From c_edjenguele at yahoo.it Thu Sep 4 19:36:24 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 4 Sep 2008 17:36:24 +0000 (GMT)
Subject: [Openvas-plugins] NVT google chrome beta
Message-ID: <412029.95381.qm@web26003.mail.ukl.yahoo.com>

Bugtraq ID: 31000

I also implement the following Bugtraq id: 31000
the recent security flaw for google chrome beta web browser.

===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From jan-oliver.wagner at intevation.de Fri Sep 5 16:36:35 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 5 Sep 2008 16:36:35 +0200
Subject: [Openvas-plugins] NVTs: Sybase information garthering modules
In-Reply-To: <170964.9195.qm@web26007.mail.ukl.yahoo.com>
References: <170964.9195.qm@web26007.mail.ukl.yahoo.com>
Message-ID: <200809051636.38021.jan-oliver.wagner@intevation.de>

Hello Christian,

On Thursday, 4 September 2008, Christian Eric EDJENGUELE wrote:
> Hi here two plugins for Sybase info gathering

can you resend all of your scripts to the list in an archive file
(to avoid encoding problems you had with your first postings).

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From kost at linux.hr Fri Sep 5 17:00:38 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Fri, 05 Sep 2008 17:00:38 +0200
Subject: [Openvas-plugins] NVTs: Sybase information garthering modules
In-Reply-To: <170964.9195.qm@web26007.mail.ukl.yahoo.com>
References: <170964.9195.qm@web26007.mail.ukl.yahoo.com>
Message-ID: <48C14996.30704@linux.hr>

I tried your script and it seems it works now. But I think we found
interesting issue in (by my guess) http*inc files:

openvas-nasl -X remote-sybase-easerver-detection.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[9173] plug_set_key:internal_send(0)['3 Services/www/80/working=1;
']: Socket operation on non-socket
[9173] plug_set_key:internal_send(0)['1 www/80/keepalive=yes;
']: Socket operation on non-socket
[9173](remote-sybase-easerver-detection.nasl) recv_line: missing or undefined parameter length or soc
[9173](remote-sybase-easerver-detection.nasl) recv_line: missing or undefined parameter length or soc

Anyone have idea why it happens?

Christian Eric EDJENGUELE wrote:
> Hi here two plugins for Sybase info gathering
> todo: modify the plugins in order to perform the request also over ssl.
> > # OpenVAS Vulnerability Test > # $Id$ > # Description: This script ensure that the FileMaker database server is installed > # > # Author: > # Christian Eric Edjenguele > # > # This program is free software; you can redistribute it and/or modify > # it under the terms of the GNU General Public License version 2 and later, > # as published by the Free Software Foundation From bchandra at secpod.com Fri Sep 5 17:09:19 2008 From: bchandra at secpod.com (Chandrashekhar B) Date: Fri, 5 Sep 2008 20:39:19 +0530 Subject: [Openvas-plugins] NVTs: Sybase information garthering modules In-Reply-To: <48C14996.30704@linux.hr> References: <170964.9195.qm@web26007.mail.ukl.yahoo.com> <48C14996.30704@linux.hr> Message-ID: <007a01c90f69$61c39480$0201a8c0@mahesh> ** WARNING : packet forgery will not work ** as NASL is not running as root This comes when we are running as non-root but installed OpenVAS as root. Chandra. -----Original Message----- From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Vlatko Kosturjak Sent: Friday, September 05, 2008 8:31 PM To: openvas-plugins Subject: Re: [Openvas-plugins] NVTs: Sybase information garthering modules I tried your script and it seems it works now. But I think we found interesting issue in (by my guess) http*inc files: openvas-nasl -X remote-sybase-easerver-detection.nasl ** WARNING : packet forgery will not work ** as NASL is not running as root [9173] plug_set_key:internal_send(0)['3 Services/www/80/working=1; ']: Socket operation on non-socket [9173] plug_set_key:internal_send(0)['1 www/80/keepalive=yes; ']: Socket operation on non-socket [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or undefined parameter length or soc [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or undefined parameter length or soc Anyone have idea why it happends? 
Christian Eric EDJENGUELE wrote: > Hi here two plugins for Sybase info gathering > todo: modify the plugins in order to perform the request also over ssl. > > # OpenVAS Vulnerability Test > # $Id$ > # Description: This script ensure that the FileMaker database server is installed > # > # Author: > # Christian Eric Edjenguele > # > # This program is free software; you can redistribute it and/or modify > # it under the terms of the GNU General Public License version 2 and later, > # as published by the Free Software Foundation _______________________________________________ Openvas-plugins mailing list Openvas-plugins at wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins From kost at linux.hr Fri Sep 5 17:46:30 2008 From: kost at linux.hr (Vlatko Kosturjak) Date: Fri, 05 Sep 2008 17:46:30 +0200 Subject: [Openvas-plugins] NVTs: Sybase information garthering modules In-Reply-To: <007a01c90f69$61c39480$0201a8c0@mahesh> References: <170964.9195.qm@web26007.mail.ukl.yahoo.com> <48C14996.30704@linux.hr> <007a01c90f69$61c39480$0201a8c0@mahesh> Message-ID: <48C15456.8070902@linux.hr> Not that issue, that's with root is okay :) but this one: > [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or > undefined parameter length or soc > [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or > undefined parameter length or soc I googled for it, and found out that nessus guys had that problem and fixed it.... Chandrashekhar B wrote: > ** WARNING : packet forgery will not work > ** as NASL is not running as root > > This comes when we are running as non-root but installed OpenVAS as root. > > Chandra. 
>
> -----Original Message-----
> From: openvas-plugins-bounces at wald.intevation.org
> [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Vlatko
> Kosturjak
> Sent: Friday, September 05, 2008 8:31 PM
> To: openvas-plugins
> Subject: Re: [Openvas-plugins] NVTs: Sybase information garthering modules
>
> I tried your script and it seems it works now. But I think we found an
> interesting issue in (by my guess) http*inc files:
>
> openvas-nasl -X remote-sybase-easerver-detection.nasl
> ** WARNING : packet forgery will not work
> ** as NASL is not running as root
> [9173] plug_set_key:internal_send(0)['3 Services/www/80/working=1;
> ']: Socket operation on non-socket
> [9173] plug_set_key:internal_send(0)['1 www/80/keepalive=yes;
> ']: Socket operation on non-socket
> [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or
> undefined parameter length or soc
> [9173](remote-sybase-easerver-detection.nasl) recv_line: missing or
> undefined parameter length or soc
>
> Anyone have an idea why it happens?
>
> Christian Eric EDJENGUELE wrote:
>> Hi here two plugins for Sybase info gathering
>> todo: modify the plugins in order to perform the request also over ssl.
>>
>> # OpenVAS Vulnerability Test
>> # $Id$
>> # Description: This script ensure that the FileMaker database server is
> installed
>> #
>> # Author:
>> # Christian Eric Edjenguele
>> #
>> # This program is free software; you can redistribute it and/or modify
>> # it under the terms of the GNU General Public License version 2 and
> later,
>> # as published by the Free Software Foundation

From bchandra at secpod.com Mon Sep 8 08:41:31 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Mon, 8 Sep 2008 12:11:31 +0530
Subject: [Openvas-plugins] Missing dependencies
Message-ID: <002301c9117d$f10e24f0$0201a8c0@mahesh>

For the Windows related plugins to work, we need the following plugins, as also noticed by Carsten (DN-Systems), which are currently missing in the OpenVAS plugin set.

smb_login.nasl
smb_registry_access.nasl
smb_registry_full_access.nasl

I have these from the 2005 plugin set and as far as I understand, there is no license issue. The license headers say,

# This script was written by Renaud Deraison
# See the Nessus Scripts License for details

I do not know the reason why these were rejected in the initial audits. Can I commit these now?

Thanks,
Chandra.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080908/b4788290/attachment.html

From c_edjenguele at yahoo.it Mon Sep 8 11:06:44 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Mon, 8 Sep 2008 09:06:44 +0000 (GMT)
Subject: [Openvas-plugins] Openvas-plugins Digest, Vol 10, Issue 6
Message-ID: <192152.20644.qm@web26008.mail.ukl.yahoo.com>

Hello Christian,

On Thursday, 4 September 2008, Christian Eric EDJENGUELE wrote:
> Hi here two plugins for Sybase info gathering

can you resend all of your scripts to the list in an archive file (to avoid encoding problems you had with your first postings).

Best

    Jan

ok.

--
Dr. Jan-Oliver Wagner                  Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998      http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Mon Sep 8 15:10:21 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 8 Sep 2008 15:10:21 +0200
Subject: [Openvas-plugins] Missing dependencies
In-Reply-To: <002301c9117d$f10e24f0$0201a8c0@mahesh>
References: <002301c9117d$f10e24f0$0201a8c0@mahesh>
Message-ID: <200809081510.23880.jan-oliver.wagner@intevation.de>

Hello Chandra,

On Montag, 8.
September 2008, Chandrashekhar B wrote:
> For the Windows related plugins to work, we need the following plugins, as
> also noticed by Carsten (DN-Systems), which are currently missing in the
> OpenVAS plugin set.
>
> smb_login.nasl
>
> smb_registry_access.nasl
>
> smb_registry_full_access.nasl
>
> I have these from the 2005 plugin set and as far as I understand, there is
> no license issue. The license headers say,
>
> # This script was written by Renaud Deraison
>
> # See the Nessus Scripts License for details
>
> I do not know the reason why these were rejected in the initial audits. Can
> I commit these now?

after our discussion about smb_nt.inc I requested clean snapshots of the Nessus GPL feed. I received two of them (not from the nessus team!) meanwhile and now uploaded them here:

http://www.openvas.org/download/misc/

Perhaps you find things in there that help for filling the gaps with GPL versions of the scripts. If things are not in there, we likely have to re-implement them.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bchandra at secpod.com Mon Sep 8 15:52:41 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Mon, 8 Sep 2008 19:22:41 +0530
Subject: [Openvas-plugins] Missing dependencies
In-Reply-To: <200809081510.23880.jan-oliver.wagner@intevation.de>
References: <002301c9117d$f10e24f0$0201a8c0@mahesh> <200809081510.23880.jan-oliver.wagner@intevation.de>
Message-ID: <004001c911ba$2a5eb990$0201a8c0@mahesh>

Jan,

These files are missing in that, so we are re-writing them.

Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Jan-Oliver Wagner
Sent: Monday, September 08, 2008 6:40 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] Missing dependencies

Hello Chandra,

On Monday, 8 September 2008, Chandrashekhar B wrote:
> For the Windows related plugins to work, we need the following plugins, as
> also noticed by Carsten (DN-Systems), which are currently missing in the
> OpenVAS plugin set.
>
> smb_login.nasl
>
> smb_registry_access.nasl
>
> smb_registry_full_access.nasl
>
> I have these from the 2005 plugin set and as far as I understand, there is
> no license issue. The license headers say,
>
> # This script was written by Renaud Deraison
>
> # See the Nessus Scripts License for details
>
> I do not know the reason why these were rejected in the initial audits. Can
> I commit these now?

after our discussion about smb_nt.inc I requested clean snapshots of the Nessus GPL feed. I received two of them (not from the nessus team!) meanwhile and now uploaded them here:

http://www.openvas.org/download/misc/

Perhaps you find things in there that help for filling the gaps with GPL versions of the scripts. If things are not in there, we likely have to re-implement them.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From c_edjenguele at yahoo.it Mon Sep 8 16:33:21 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Mon, 8 Sep 2008 14:33:21 +0000 (GMT)
Subject: [Openvas-plugins] NVTs archive
Message-ID: <435239.31955.qm@web26005.mail.ukl.yahoo.com>

there is a .rar archive attached with 5 nvt.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: contest-nvt.rar
Type: application/octet-stream
Size: 7881 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080908/9d1217c3/contest-nvt.obj

From c_edjenguele at yahoo.it Tue Sep 9 11:18:23 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 9 Sep 2008 09:18:23 +0000 (GMT)
Subject: [Openvas-plugins] String operations
Message-ID: <580545.78479.qm@web26004.mail.ukl.yahoo.com>

Hi all,
I'm writing a nvt, and working with strings!
so how using nasl can I get back all the string except the last character, is there something like slicing in python s[:-1] ?

for ex. if s = "help"
s[:-1] = "hel"

thanks.

From bchandra at secpod.com Tue Sep 9 11:46:37 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Tue, 9 Sep 2008 15:16:37 +0530
Subject: [Openvas-plugins] String operations
In-Reply-To: <580545.78479.qm@web26004.mail.ukl.yahoo.com>
References: <580545.78479.qm@web26004.mail.ukl.yahoo.com>
Message-ID: <007d01c91260$f8487bb0$0201a8c0@mahesh>

You can do,

substr(string, 0, len - 2);

Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Christian Eric EDJENGUELE
Sent: Tuesday, September 09, 2008 2:48 PM
To: openvas-plugins
Subject: [Openvas-plugins] String operations

Hi all,
I'm writing a nvt, and working with strings!
so how using nasl can I get back all the string except the last character, is there something like slicing in python s[:-1] ?

for ex. if s = "help"
s[:-1] = "hel"

thanks.

From kost at linux.hr Tue Sep 9 13:35:44 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Tue, 09 Sep 2008 13:35:44 +0200
Subject: [Openvas-plugins] NVTs archive
In-Reply-To: <435239.31955.qm@web26005.mail.ukl.yahoo.com>
References: <435239.31955.qm@web26005.mail.ukl.yahoo.com>
Message-ID: <48C65F90.1060907@linux.hr>

Christian Eric EDJENGUELE wrote:
> there is a .rar archive attached with 5 nvt.

Hello Christian and thanks for the contribution.

Again, did you try/test all the nasl scripts you sent?

I'm still getting syntax errors for MS00-006.nasl script. Look below:

$ openvas-nasl -X MS00-006.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
syntax error, unexpected IDENT, expecting ';'
Parse error at or near line 42

I'll test the rest of scripts thoroughly and if they are working, I'll commit them to the SVN repository.

Kost

From kost at linux.hr Tue Sep 9 17:16:40 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Tue, 09 Sep 2008 17:16:40 +0200
Subject: [Openvas-plugins] NVTs archive
In-Reply-To: <290633.17492.qm@web26006.mail.ukl.yahoo.com>
References: <290633.17492.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <48C69358.8010406@linux.hr>

Christian Eric EDJENGUELE wrote:
> Hi,
> here is the fix attached as zip file... about 3 missing ";"
> because I'm doing too much things at the same time :)

Thanks Christian for the fix. Although your zip file still did not fix it. I found the problem for MS0

syntax error, unexpected IDENT, expecting ';'
Parse error at or near line 42

The fix was to remove quotes in quotes.
Take a look at the svn:
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/remote-MS00-006.nasl?rev=1313&root=openvas&view=markup

Also, Sybase_easerver_detect.nasl has the following line:

include("openvas-htts.inc");

which doesn't exist, but this exists:

include("openvas-https.inc");

I also fixed some minor things in Filemaker_detect.nasl. Specifically, this error:

[28041](Filemaker_detect.nasl) close(): invalid argument

There's also a few things in the Sybase_*.nasl scripts, here's an extraction from your code:

=========
http_servers = get_kb_list("Services/www");
soc_timeout = 10;

# if the server accept clear http
if(http_server)
{
foreach port (http_servers)
==========

Are you sure this works?? (you don't have variable http_server anywhere declared).

This again comes to question I asked before, but never got the answer. Have you EVER tested your NASL script if it works? Have you EVER tried to see if it detects sybase, filemaker or not?

PLEASE, CHECK AND TEST your script before submitting. At least, try to run following before submitting (on host which have service/vulnerability and on one which hasn't):

openvas-nasl -X -t 192.168.1.1 yourscript.nasl

Guys on openvas-plugins, I need your help to check (as 3rd party) if these checks are really working. Does anybody have filemaker/sybase to test? also about other scripts Christian contributed. They are in trunk of openvas-plugins in scripts directory named remote-*.nasl.

Thanks in advance!

Kost

From c_edjenguele at yahoo.it Tue Sep 9 20:19:46 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 9 Sep 2008 18:19:46 +0000 (GMT)
Subject: [Openvas-plugins] Put Header with a HTTP GET Request
Message-ID: <719779.62768.qm@web26005.mail.ukl.yahoo.com>

Hello list,
is there a way to put headers to a web server with a http get request with nasl ?
just like the putheader method from httplib module of python does ?

for example with python I can do as follow:

import httplib

http = httplib.HTTPSConnection
conn = http(target_host_ip, port)

thanks.
request = '/' + asp_file + '\\'

conn.putrequest('GET', request)
conn.putheader('Host', host_ip)
conn.putheader('Translate', 'f')
conn.endheaders()

From lists at securityspace.com Wed Sep 10 02:34:33 2008
From: lists at securityspace.com (Thomas Reinke)
Date: Tue, 09 Sep 2008 20:34:33 -0400
Subject: [Openvas-plugins] Put Header with a HTTP GET Request
In-Reply-To: <719779.62768.qm@web26005.mail.ukl.yahoo.com>
References: <719779.62768.qm@web26005.mail.ukl.yahoo.com>
Message-ID: <48C71619.9070600@securityspace.com>

Check out aspjar_sql_injection.nasl as an example.

Thomas

Christian Eric EDJENGUELE wrote:
> Hello list,
> is there a way to put headers to a web server with a http get request with nasl ?
> just like the putheader method from httplib module of python does ?
>
> for example with python I can do as follow:
>
> import httplib
>
> http = httplib.HTTPSConnection
> conn = http(target_host_ip, port)
>
> thanks.
> request = '/' + asp_file + '\\'
>
> conn.putrequest('GET', request)
> conn.putheader('Host', host_ip)
> conn.putheader('Translate', 'f')
> conn.endheaders()

From bchandra at secpod.com Wed Sep 10 11:22:34 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Wed, 10 Sep 2008 14:52:34 +0530
Subject: [Openvas-plugins] Missing dependencies
Message-ID: <002601c91326$c625c9a0$0201a8c0@mahesh>

All,

These are the list of plugins that are missing in the repository (most likely license issue). There are number of plugins which are depending on these. We can either invalidate those based on the importance of vulnerability check they are doing or we can take them for re-writing.

We'll take some of them for re-writing, if others are interested, please take it up.

apcnisd_detect.nasl
cisco_ids_manager_detect.nasl
cubecart_detect.nasl
cutenews_detect.nasl
cvstrac_detect.nasl
dns_server.nasl
e107_detect.nasl
ftp_anonymous.nasl
httpver.nasl
invision_power_board_detect.nasl
ldap_detect.nasl
macosx_SecUpd20041202.nasl
mandrake_MDKSA-2004-065.nasl
mantis_detect.nasl
moodle_detect.nasl
mozilla_firefox_code_exec.nasl
ms_telnet_overflow.nasl
msrpc_dcom2.nasl
openca_html_injection.nasl
opera_multiple_flaws.nasl
os_fingerprint.nasl
phorum_detect.nasl
phpMyAdmin_detect.nasl
php_fusion_detect.nasl
php_nuke_installed.nasl
phpbb_detect.nasl
phpgroupware_detect.nasl
phpmyfaq_detect.nasl
postnuke_detect.nasl
proxy_use.nasl
putty_version_check.nasl
redhat-RHSA-2004-591.nasl
rpc_portmap.nasl
rsync_modules.nasl
sendmail_expn.nasl
serendipity_detect.nasl
smb_nativelanman.nasl
smtp_settings.nasl
subversion_detection.nasl
sybase_detect.nasl
tftpd_detect.nasl
webcalendar_detect.nasl
webmirror.nasl
ws_ftp_client_overflows.nasl
www_too_long_url.nasl
xoops_detect.nasl
yahoo_msg_running.nasl

Chandra.
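
[Added example, not part of the original thread and not OpenVAS code: one way to produce a missing-dependency list like the one above, by reading the script_dependencies() declarations of every script in a plugin set and reporting which referenced files are absent and which scripts are affected directly or through a chain. The example_*.nasl scripts and their contents are constructed sample input; treating a script as "blocked" when its dependency chain reaches a missing file is an assumption made for this illustration.]

```python
import re
from collections import defaultdict

# script_dependencies("a.nasl", "b.nasl"); the older singular spelling
# script_dependencie(...) found in legacy scripts is accepted as well.
DEP_CALL = re.compile(r'\bscript_dependencies?\s*\((.*?)\)', re.S)
NAME = re.compile(r'''["']([^"']+)["']''')


def strip_comments(source):
    """Remove NASL '#' comments, leaving '#' inside string literals alone."""
    out, quote, i = [], None, 0
    while i < len(source):
        ch = source[i]
        if quote:
            out.append(ch)
            if ch == "\\" and quote == "'" and i + 1 < len(source):
                out.append(source[i + 1])  # escapes exist only in '...' strings
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            out.append(ch)
        elif ch == "#":
            while i < len(source) and source[i] != "\n":
                i += 1
            continue  # the newline itself is kept by the next iteration
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def declared_dependencies(source):
    """Sorted file names a script declares, ignoring commented-out calls."""
    deps = set()
    for call in DEP_CALL.finditer(strip_comments(source)):
        deps.update(NAME.findall(call.group(1)))
    return sorted(deps)


def audit(plugins):
    """plugins maps file name -> NASL source.

    Returns (missing, blocked): missing maps each absent dependency to the
    scripts that declare it; blocked lists every script whose dependency
    chain reaches an absent file.
    """
    deps = {name: declared_dependencies(src) for name, src in plugins.items()}
    missing = defaultdict(list)
    for name in sorted(deps):
        for dep in deps[name]:
            if dep not in plugins:
                missing[dep].append(name)
    blocked = {name for users in missing.values() for name in users}
    changed = True
    while changed:  # propagate through dependency chains until stable
        changed = False
        for name, wanted in deps.items():
            if name not in blocked and any(d in blocked for d in wanted):
                blocked.add(name)
                changed = True
    return dict(missing), sorted(blocked)


# Constructed sample plugin set (file names starting with example_ are made up).
SAMPLE = {
    "example_registry_check.nasl":
        'script_dependencies("smb_login.nasl",\n'
        '    "smb_registry_access.nasl");\n',
    "example_patch_check.nasl":
        "script_dependencies('example_registry_check.nasl');\n",
    "example_ftp_check.nasl":
        '# script_dependencies("ftp_anonymous.nasl");  disabled\n'
        'script_dependencie("find_service.nasl");\n'
        'url = "http://example.invalid/#top";\n',
    "find_service.nasl": 'script_name("constructed stub");\n',
}

if __name__ == "__main__":
    missing, blocked = audit(SAMPLE)
    for dep in sorted(missing):
        print("missing %s, needed by %s" % (dep, ", ".join(missing[dep])))
    print("blocked: " + ", ".join(blocked))
```

[On a real checkout, build the dictionary from the files in the scripts directory; dependencies on non-NASL plugins then show up as missing unless their names are added to the set too.]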

From jan-oliver.wagner at intevation.de Wed Sep 10 15:17:35 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Wed, 10 Sep 2008 15:17:35 +0200
Subject: [Openvas-plugins] Missing dependencies
In-Reply-To: <002601c91326$c625c9a0$0201a8c0@mahesh>
References: <002601c91326$c625c9a0$0201a8c0@mahesh>
Message-ID: <200809101517.37992.jan-oliver.wagner@intevation.de>

Hello Chandra,

On Wednesday, 10 September 2008, Chandrashekhar B wrote:
> These are the list of plugins that are missing in the repository (most
> likely license issue). There are number of plugins which are depending on
> these. We can either invalidate those based on the importance of
> vulnerability check they are doing or we can take them for re-writing.
>
> We'll take some of them for re-writing, if others are interested, please
> take it up.

thanks a lot for taking up. I think it would be good to drop a note here on which scripts you will be working next to avoid conflicts.

I don't think we should explicitly invalidate scripts. We do see the message in the log file. Hopefully we will see this info also in the client in the near future.

All the best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From c_edjenguele at yahoo.it Wed Sep 10 18:24:40 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Wed, 10 Sep 2008 16:24:40 +0000 (GMT)
Subject: [Openvas-plugins] ZIP archive with 5 new scripts
Message-ID: <902936.5308.qm@web26006.mail.ukl.yahoo.com>

Hi,
there is a zip archive with 5 new scripts and some modifications on other scripts

From c_edjenguele at yahoo.it Wed Sep 10 18:26:03 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Wed, 10 Sep 2008 16:26:03 +0000 (GMT)
Subject: [Openvas-plugins] ZIP attachement
Message-ID: <148718.31159.qm@web26005.mail.ukl.yahoo.com>

this is the missing zip file. sorry !.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: contest.zip
Type: application/x-zip-compressed
Size: 18230 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080910/535a793e/contest.bin

From c_edjenguele at yahoo.it Thu Sep 11 11:09:37 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 11 Sep 2008 09:09:37 +0000 (GMT)
Subject: [Openvas-plugins] Dantz Retrospect NVT
Message-ID: <948399.59982.qm@web26007.mail.ukl.yahoo.com>

Hello,
there is a zip attached with the dantz retrospect info gathering plugin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remote-detect-dantz.zip
Type: application/x-zip-compressed
Size: 1911 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080911/99b14d33/remote-detect-dantz.bin

From c_edjenguele at yahoo.it Thu Sep 11 15:11:27 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 11 Sep 2008 13:11:27 +0000 (GMT)
Subject: [Openvas-plugins] Microsoft IIS WebDAV Denial of Service Vulnerability NVT
Message-ID: <411402.20903.qm@web26008.mail.ukl.yahoo.com>

attached the zip file MS01-016 security check.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remote-MS01-016.zip
Type: application/x-zip-compressed
Size: 1948 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080911/8e5d1874/remote-MS01-016.bin

From kost at linux.hr Thu Sep 11 15:22:00 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 11 Sep 2008 15:22:00 +0200
Subject: [Openvas-plugins] Dantz Retrospect NVT
In-Reply-To: <948399.59982.qm@web26007.mail.ukl.yahoo.com>
References: <948399.59982.qm@web26007.mail.ukl.yahoo.com>
Message-ID: <48C91B78.1060204@linux.hr>

Christian Eric EDJENGUELE wrote:
> Hello,
> there is a zip attached with the dantz retrospect info gathering plugin

Hello Christian!

Thanks for your continuous contributions to OpenVAS.

Again, your scripts have SYNTAX ERRORS which seems like you're NOT testing the script(s) at all. How could you test the script against the vulnerable and non-vulnerable host and how come they reported good results when your script has a syntax error?

Here's output of your NASL script:

openvas-nasl -X remote-detect-dantz.nasl
syntax error, unexpected '{'
Parse error at or near line 94

Please test your script. Requirements that some script is committed to OpenVAS SVN repository is that:
- you tested your script against syntax errors and there is no syntax errors
- you tested your script against vulnerable host and reported OK
- you tested your script against non-vulnerable host and reported OK

Please, take a look at your script and test the script as it is required. I believe you can fix it and test it. Don't let this discourage you, it takes few minutes of your time if you have host with mentioned applications.

Thanks in advance!

Kost

From kost at linux.hr Thu Sep 11 15:31:02 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 11 Sep 2008 15:31:02 +0200
Subject: [Openvas-plugins] Microsoft IIS WebDAV Denial of Service Vulnerability NVT
In-Reply-To: <411402.20903.qm@web26008.mail.ukl.yahoo.com>
References: <411402.20903.qm@web26008.mail.ukl.yahoo.com>
Message-ID: <48C91D96.2030003@linux.hr>

Christian Eric EDJENGUELE wrote:
> attached the zip file MS01-016 security check.

Again, your scripts have SYNTAX ERRORS which seems like you're NOT testing the script(s) at all. How could you test the script against the vulnerable and non-vulnerable host and how come they reported good results when your script has a syntax error?

Here's the output of executing remote-MS01-016.nasl:

openvas-nasl -X remote-MS01-016.nasl
syntax error, unexpected '-'
Parse error at or near line 116

Please, fix it, TEST IT and send back!

Thanks in advance!

Kost

From bchandra at secpod.com Fri Sep 12 09:27:42 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 12 Sep 2008 12:57:42 +0530
Subject: [Openvas-plugins] FreeBSD plugins say undefined function 'lib'
Message-ID: <003a01c914a9$15a01110$0301a8c0@mahesh>

All FreeBSD checks are saying Undefined function 'lib'. Inside the checks, I
Inside the checks, I > see, > > !isnull(bver) && revisions-lib(a:bver, b:"3.2.0_7")<0 > > I think, revisions-lib() should be replaced with revcomp(). Thomas? (BTW: There is need to consolidate the revision comparison APIs as well, but we should only take one step after the next) Best Jan -- Dr. Jan-Oliver Wagner Intevation GmbH, Osnabr?ck Amtsgericht Osnabr?ck, HR B 18998 http://www.intevation.de/ Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From lists at securityspace.com Fri Sep 12 14:27:12 2008 From: lists at securityspace.com (Thomas Reinke) Date: Fri, 12 Sep 2008 08:27:12 -0400 Subject: [Openvas-plugins] FreeBSD plugins say undefined function 'lib' In-Reply-To: <003a01c914a9$15a01110$0301a8c0@mahesh> References: <003a01c914a9$15a01110$0301a8c0@mahesh> Message-ID: <48CA6020.3080506@securityspace.com> Doh!!! Fixed. Chandrashekhar B wrote: > All FreeBSd checks are saying Undefined function 'lib'. Inside the checks, I > see, > > !isnull(bver) && revisions-lib(a:bver, b:"3.2.0_7")<0 > > I think, revisions-lib() should be replaced with revcomp(). > > Chandra. > > _______________________________________________ > Openvas-plugins mailing list > Openvas-plugins at wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins > From timb at nth-dimension.org.uk Tue Sep 16 12:14:40 2008 From: timb at nth-dimension.org.uk (Tim Brown) Date: Tue, 16 Sep 2008 11:14:40 +0100 Subject: [Openvas-plugins] Solaris local checks? Message-ID: <200809161114.41200.timb@nth-dimension.org.uk> Anyone considered getting Solaris local checks up and running? I have access to Solaris 7, 8 and 10 boxes here to test against so if noone has already done it, I though I would make a start? 

Tim
--
Tim Brown

From c_edjenguele at yahoo.it Wed Sep 17 13:13:40 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Wed, 17 Sep 2008 11:13:40 +0000 (GMT)
Subject: [Openvas-plugins] Enhancement for openvas plugins development
Message-ID: <501963.24839.qm@web26001.mail.ukl.yahoo.com>

Hello all,
so during the week, I've worked on enhancing the openvas plugins development, I've also seen the way openvas grabs software banners, and according to me, it's too "hard", and then I've developed a routine to make it easier, here are the explanations:

Programming language: python
Modules used: sax, sys, socket, os, re

Advantages:
1) software information is stored in xml format, that makes the information more portable
2) only one script to parse all banners: http, ssh, telnet, pop3, smtp, etc...
3) no need to write a new script to detect a new software, only add the banner in the xml file, I've already done with http.xml, ssh.xml, telnet.xml, pop3.xml, and more ...
4) Well documented
5) fast

Disadvantages:
1) It seems openvas does not have a xml parser like sax, but all other modules exist, and then the code can be easily ported to nasl

Note:
I've attached a zip archive with 3 files
1) smtp.xml: file to be parsed for os fingerprint
2) bannerparser.py: python routine for parsing the banner passed to it as parameter
3) remote-smtp-detect.py: python script example to remotely fingerprint os through smtp banner, also prints the banner, you can also find in the code an ip address to test.

in the code just change the SRC_DIR = 'E:\\projects\\openvas\\contest' variable to the path in which all the 3 files are.

syntax (assuming that python is in your PATH):

python remote-smtp-detect.py 140.105.60.207 25

or:

python remote-smtp-detect.py a.b.c.d 465 ssl

test it, and let me know, I think it will be more useful.

thanks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: contest.zip
Type: application/x-zip-compressed
Size: 7532 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080917/af4dc86f/contest.bin

From jan-oliver.wagner at intevation.de Sun Sep 21 21:30:08 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Sun, 21 Sep 2008 21:30:08 +0200
Subject: [Openvas-plugins] Solaris local checks?
In-Reply-To: <200809161114.41200.timb@nth-dimension.org.uk>
References: <200809161114.41200.timb@nth-dimension.org.uk>
Message-ID: <200809212130.11184.jan-oliver.wagner@intevation.de>

On Tuesday 16 September 2008 12:14, Tim Brown wrote:
> Anyone considered getting Solaris local checks up and running? I have
> access to Solaris 7, 8 and 10 boxes here to test against so if no one has
> already done it, I thought I would make a start?

not that I know of. Solaris support would be really nice.

Any chances for automatic creation of local security checks?

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From timb at nth-dimension.org.uk Mon Sep 22 00:55:13 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Sun, 21 Sep 2008 23:55:13 +0100
Subject: [Openvas-plugins] Solaris local checks?
In-Reply-To: <200809212130.11184.jan-oliver.wagner@intevation.de>
References: <200809161114.41200.timb@nth-dimension.org.uk> <200809212130.11184.jan-oliver.wagner@intevation.de>
Message-ID: <200809212355.13431.timb@nth-dimension.org.uk>

On Sunday 21 September 2008 20:30:08 Jan-Oliver Wagner wrote:
> On Tuesday 16 September 2008 12:14, Tim Brown wrote:
> > Anyone considered getting Solaris local checks up and running? I have
> > access to Solaris 7, 8 and 10 boxes here to test against so if no one has
> > already done it, I thought I would make a start?
>
> not that I know of. Solaris support would be really nice.
>
> Any chances for automatic creation of local security checks?
>
> Best
>
> Jan

I believe so, hence the query. I just don't want to either duplicate effort or stand on the toes of others.

Tim
--
Tim Brown

From jan-oliver.wagner at intevation.de Mon Sep 22 09:13:13 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 22 Sep 2008 09:13:13 +0200
Subject: [Openvas-plugins] Solaris local checks?
In-Reply-To: <200809212355.13431.timb@nth-dimension.org.uk>
References: <200809161114.41200.timb@nth-dimension.org.uk> <200809212130.11184.jan-oliver.wagner@intevation.de> <200809212355.13431.timb@nth-dimension.org.uk>
Message-ID: <200809220913.16093.jan-oliver.wagner@intevation.de>

On Monday, 22 September 2008, Tim Brown wrote:
> On Sunday 21 September 2008 20:30:08 Jan-Oliver Wagner wrote:
> > On Tuesday 16 September 2008 12:14, Tim Brown wrote:
> > > Anyone considered getting Solaris local checks up and running? I have
> > > access to Solaris 7, 8 and 10 boxes here to test against so if no one has
> > > already done it, I thought I would make a start?
> >
> > not that I know of. Solaris support would be really nice.
> >
> > Any chances for automatic creation of local security checks?
> >
> > Best
> >
> > Jan
>
> I believe so, hence the query. I just don't want to either duplicate effort
> or stand on the toes of others.

my toes are currently somewhere else in the OpenVAS project ;-) I haven't seen any other toes in the Solaris area yet.

Note: It might be worth looking at the OVAL checks for Solaris. Either one can learn from this how to write clever NASLs or it might even be an option to collect anything necessary for OVAL via a ssh access to the target system and then fill the system characteristics file to drive ovaldi - just like it is implemented for RHEL already.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bchandra at secpod.com Mon Sep 22 09:57:47 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Mon, 22 Sep 2008 13:27:47 +0530
Subject: [Openvas-plugins] Solaris local checks?
In-Reply-To: <200809220913.16093.jan-oliver.wagner@intevation.de>
References: <200809161114.41200.timb@nth-dimension.org.uk> <200809212130.11184.jan-oliver.wagner@intevation.de> <200809212355.13431.timb@nth-dimension.org.uk> <200809220913.16093.jan-oliver.wagner@intevation.de>
Message-ID: <00ab01c91c88$ea243060$0201a8c0@mahesh>

solaris.inc is already available from the GPL release and we need to update gather-package-list.nasl with Solaris portion. I'll commit these changes if someone isn't already working on it. After that, it is generation of local checks...

Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Jan-Oliver Wagner
Sent: Monday, September 22, 2008 12:43 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] Solaris local checks?

On Monday, 22 September 2008, Tim Brown wrote:
> On Sunday 21 September 2008 20:30:08 Jan-Oliver Wagner wrote:
> > On Tuesday 16 September 2008 12:14, Tim Brown wrote:
> > > Anyone considered getting Solaris local checks up and running?
I have
> > > access to Solaris 7, 8 and 10 boxes here to test against so if no one has
> > > already done it, I thought I would make a start?
> >
> > not that I know of. Solaris support would be really nice.
> >
> > Any chances for automatic creation of local security checks?
> >
> > Best
> >
> > Jan
>
> I believe so, hence the query. I just don't want to either duplicate effort
> or stand on the toes of others.

my toes are currently somewhere else in the OpenVAS project ;-) I haven't seen any other toes in the Solaris area yet.

Note: It might be worth looking at the OVAL checks for Solaris. Either one can learn from this how to write clever NASLs or it might even be an option to collect anything necessary for OVAL via a ssh access to the target system and then fill the system characteristics file to drive ovaldi - just like it is implemented for RHEL already.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From timb at nth-dimension.org.uk Tue Sep 23 11:14:57 2008
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Tue, 23 Sep 2008 10:14:57 +0100
Subject: [Openvas-plugins] [Openvas-devel] Gentoo local security checks
In-Reply-To: <48D844D6.10304@securityspace.com>
References: <48D13B34.2000701@securityspace.com> <48D844D6.10304@securityspace.com>
Message-ID: <200809231014.58106.timb@nth-dimension.org.uk>

Thomas,

Copying to openvas-plugins to ensure it is seen by everyone (seems the right place to discuss this). Incidentally, did you see my similar query regarding Solaris?

> Thomas Reinke wrote:
> > As mentioned earlier, the gentoo local checks are
> > non-functional due to a missing prerequisite, and
> > are no longer being kept up to date with new GPLed
> > scripts.
> >
> > Does anyone have an issue with the entire set being
> > replaced with an up-to-date set of Gentoo scripts
> > that work using the existing gather-package-list.nasl
> > script as a prerequisite?

Tim
--
Tim Brown

From c_edjenguele at yahoo.it Tue Sep 23 12:37:21 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Tue, 23 Sep 2008 10:37:21 +0000 (GMT)
Subject: [Openvas-plugins] Question on get_kb_item
Message-ID: <217691.16872.qm@web26008.mail.ukl.yahoo.com>

Hello all,

I've a stupid question. I have a plugin that sets a software version number:

plugin1.nasl -> set_kb_item(name:"Software/version", value:"x.y.zz");

then in another plugin, I want to verify that some version of software is installed by getting it from the previous plugin ... so how can I get the value x.y.zz from plugin1.nasl

plugin2.nasl -> get_kb_item(?)

I don't know very well how it works.

thanks.

===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From bchandra at secpod.com Tue Sep 23 14:22:10 2008
From: bchandra at secpod.com (Chandrashekhar B)
Date: Tue, 23 Sep 2008 17:52:10 +0530
Subject: [Openvas-plugins] Question on get_kb_item
In-Reply-To: <217691.16872.qm@web26008.mail.ukl.yahoo.com>
References: <217691.16872.qm@web26008.mail.ukl.yahoo.com>
Message-ID: <005501c91d77$037569f0$0201a8c0@bchandra>

Add dependency as script_dependencies("plugins1.nasl") in plugins2.nasl and script_require_keys("Software/version") in plugins2.nasl

And in the code of plugins2.nasl, get_kb_item("Software/version");

Chandra.

From lists at securityspace.com Tue Sep 23 16:53:46 2008
From: lists at securityspace.com (Thomas Reinke)
Date: Tue, 23 Sep 2008 10:53:46 -0400
Subject: [Openvas-plugins] Solaris local checks?
In-Reply-To: <200809212355.13431.timb@nth-dimension.org.uk>
References: <200809161114.41200.timb@nth-dimension.org.uk> <200809212130.11184.jan-oliver.wagner@intevation.de> <200809212355.13431.timb@nth-dimension.org.uk>
Message-ID: <48D902FA.4060507@securityspace.com>

Tim Brown wrote:
> On Sunday 21 September 2008 20:30:08 Jan-Oliver Wagner wrote:
>> On Tuesday 16 September 2008 12:14, Tim Brown wrote:
>>> Anyone considered getting Solaris local checks up and running? I have
>>> access to Solaris 7, 8 and 10 boxes here to test against so if no one has
>>> already done it, I thought I would make a start?
>> not that I know of. Solaris support would be really nice.
>>
>> Any chances for automatic creation of local security checks?
>>
>> Best
>>
>> Jan
>
> I believe so, hence the query. I just don't want to either duplicate effort
> or stand on the toes of others.
>
> Tim

We don't have Solaris checks, so definitely no duplication of effort here. (Sorry for the lack of response til now).

Thomas

From c_edjenguele at yahoo.it Wed Sep 24 17:41:58 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Wed, 24 Sep 2008 15:41:58 +0000 (GMT)
Subject: [Openvas-plugins] SMB packet forgery
Message-ID: <39079.19968.qm@web26004.mail.ukl.yahoo.com>

Hello all,

I'm developing the following NVT for OpenVAS,
* MS04-022
* MS05-007
* MS05-051
* MS06-018
they are smb related vulnerabilities, but now I want to set some values in the packet!
I've seen it works very well with impacket from Core Security, using these python modules: dcerpc,uuid,transport

do the openvas libraries provide an alternate method to do that ?

if not did you consider impacket integration into openvas ? it's under apache like license...

by the way, I've about 30 plugins to commit in the svn repository, but first I've to make minor fixes in some of them.
you can follow my work progress, by viewing my diary at: http://wald.intevation.org/developer/diary.php?diary_id=7&diary_user=3930

thanks.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From c_edjenguele at yahoo.it Thu Sep 25 12:24:50 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 25 Sep 2008 10:24:50 +0000 (GMT)
Subject: [Openvas-plugins] 3 new NVT to commit
Message-ID: <731898.11781.qm@web26007.mail.ukl.yahoo.com>

Hello,

there is a zip file attached with 3 new plugins to detect dameware version and test two buffer overflow vulnerabilities, to commit into the svn repository

thanks.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: contest.zip
Type: application/x-zip-compressed
Size: 0 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20080925/6ba8eb15/contest.bin

From kost at linux.hr Thu Sep 25 13:02:27 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 25 Sep 2008 13:02:27 +0200
Subject: [Openvas-plugins] 3 new NVT to commit
In-Reply-To: <731898.11781.qm@web26007.mail.ukl.yahoo.com>
References: <731898.11781.qm@web26007.mail.ukl.yahoo.com>
Message-ID: <48DB6FC3.8010701@linux.hr>

Christian Eric EDJENGUELE wrote:
> Hello,
>
> there is a zip file attached with 3 new plugins to detect dameware version and test two buffer overflow vulnerabilities, to commit into the svn repository
> thanks.---

Hello Christian!

Thanks for your contribution. Again, it seems you did not test your NASL scripts. Please, test them before contributing them for SVN.

For example:

in remote-dameware-user-buffer-overflow.nasl you have a typo which prevents the plugin from executing:
script_dependencies("find_service.nes", "remote-detect-damware.nasl")

in remote-detect-dameware.nasl you have syntax errors:
/openvas-nasl -X remote-detect-dameware.nasl
syntax error, unexpected ')', expecting ';'
Parse error at or near line 106

Please, fix the errors, TEST the scripts on vulnerable and non-vulnerable hosts, and then submit it here for SVN. That means for this contribution and for any other future contribution.

Thanks in advance!

Kost

From c_edjenguele at yahoo.it Thu Sep 25 13:44:41 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 25 Sep 2008 11:44:41 +0000 (GMT)
Subject: [Openvas-plugins] 3 new NVT to commit
Message-ID: <935126.5210.qm@web26003.mail.ukl.yahoo.com>

I know,
as I said yesterday, I've to make some minor fixes in some of those scripts.

all the scripts are tested, on vulnerable and non vulnerable hosts, in fact my workflow is:
download a trial version of the software
install client and server on different machines
forge the communication protocol using packet capture
implement a basic protocol in python and test it at low network level using sockets
implement the nasl script => and here I need your for debugging because I'm not very familiar with this !

so anyone available to test over 30 nasl scripts right now ?

thanks.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From kost at linux.hr Thu Sep 25 13:50:43 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 25 Sep 2008 13:50:43 +0200
Subject: [Openvas-plugins] 3 new NVT to commit
In-Reply-To: <935126.5210.qm@web26003.mail.ukl.yahoo.com>
References: <935126.5210.qm@web26003.mail.ukl.yahoo.com>
Message-ID: <48DB7B13.1060906@linux.hr>

> I know,
> as I said yesterday, I've to make some minor fixes in some of those scripts.
>
> all the scripts are tested, on vulnerable and non vulnerable hosts, in fact my workflow is:
> download a trial version of the software
> install client and server on different machines
> forge the communication protocol using packet capture
> implement a basic protocol in python and test it at low network level using sockets
> implement the nasl script => and here I need your for debugging because I'm not very familiar with this !

I would also add following (change script.nasl with your script):
1) change script to your script.nasl location, copy all dependencies needed (*.inc files).
1) openvas-nasl -X script.nasl -t vuln.ip
2) openvas-nasl -X script.nasl -t nonvuln.ip
3) it's not necessary, but recommended to be sure, test with regular openvas server /client if it works on again vulnerable and non-vulnerable.

> so anyone available to test over 30 nasl scripts right now ?

You don't have openvas installed?

Kost

From c_edjenguele at yahoo.it Thu Sep 25 14:13:15 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 25 Sep 2008 12:13:15 +0000 (GMT)
Subject: [Openvas-plugins] 3 new NVT to commit
Message-ID: <594525.27661.qm@web26003.mail.ukl.yahoo.com>

I've openvas installed in my desktop in geneva, but now I'm in Trieste in Italy to perform a PT for a couple of weeks,
and then I've access to several machines for testing.
For this job I've the company notebook but I can't install openvas since it's not mine.
I return in geneva on mid-october, and I'll have the possibility to do all the test on openvas platform to fix these syntax errors.

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

From kost at linux.hr Fri Sep 26 00:54:57 2008
From: kost at linux.hr (Vlatko Kosturjak)
Date: Fri, 26 Sep 2008 00:54:57 +0200
Subject: [Openvas-plugins] Bunch of free nasl scripts
Message-ID: <48DC16C1.3030400@linux.hr>

Hello!

I just got in contact with David Maciejak (old GPL nasl plugin writer). He told me we can use all the scripts authored/written by him in nessus feed under GNU GPL v2 license.

I took the scripts from him and other free scripts and made compilation of the gpl feed what we can use on:
http://www.linux.hr/openvas/feed/

Description of the directories there:

gpl: these scripts are probably working and are GPL, there are a few scripts by Arboi where he says "GPL..." after his copyright notice, so I guess it is released under GPL.

arboi-blah-blah: not sure if they are GPL, because it says: GPL, blah, blah...anyone knows what that means? :)

4check: it should be checked if they work at all. For example there are gentoo checks which might not work - can someone who is doing gentoo stuff check it?

depend-misc: these scripts depend on various nasl/inc files which are not free, but with relatively small effort they could be rewritten to not require commercial scripts, the scripts themselves are free

depend-rpc: these scripts depend on various RPC include scripts which are not free, but the scripts themselves are free

depend-smb: these scripts depend on various SMB include scripts which are not free, but the scripts themselves are free

Can you take a look at it and tell if it's okay to commit them to SVN? I mean gpl directory. For others let's see what we can do.

Also, what we should do with the scripts for which we don't have right includes? should we start writing from the scratch copyrighted .inc files?

BTW David also pointed me to stillsecure nasl archive at:
http://arachnids.stillsecure.com/SAT/scripts/OSSSA/GPL/released/OSSSA/scripts/

I can get in contact with them also and commit it to SVN if we find some scripts useful.

Let me know!

Kost

From jan-oliver.wagner at intevation.de Fri Sep 26 11:24:09 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 26 Sep 2008 11:24:09 +0200
Subject: [Openvas-plugins] SMB packet forgery
In-Reply-To: <39079.19968.qm@web26004.mail.ukl.yahoo.com>
References: <39079.19968.qm@web26004.mail.ukl.yahoo.com>
Message-ID: <200809261124.13633.jan-oliver.wagner@intevation.de>

Hello Christian,

On Wednesday, 24 September 2008, Christian Eric EDJENGUELE wrote:
> I'm developing the following NVT for OpenVAS,
> * MS04-022
> * MS05-007
> * MS05-051
> * MS06-018
> they are smb related vulnerabilities, but now I want to set some values in the packet!
> I've seen it works very well with impacket from Core Security, using these python modules: dcerpc,uuid,transport
> do the openvas libraries provide an alternate method to do that ?

at a quick glance I did not find any such methods inside openvas-libraries or openvas-libnasl.

I am currently not deep into the packet stuff. Hopefully someone else can answer here. However, it sounds like a good idea to provide an API for further analysis of SMB packets.

> if not did you consider impacket integration into openvas ? it's under apache like license...

Apart from the different license ... OpenVAS so far did not incorporate Python modules and I can not judge out of the box about the consequences.

If such methods do indeed make sense, it is probably best to directly integrate them into -libraries and -libnasl. It might be an option to implement in NASL directly, but I can not judge out of the box here.

> by the way, I've about 30 plugins to commit in the svn repository, but first I've to make minor fixes in some of them.
> you can follow my work progress, by viewing my diary at: http://wald.intevation.org/developer/diary.php?diary_id=7&diary_user=3930

this looks very nice. As discussed, you should find a way to test the scripts on your own before submitting.
You just need the openvas-nasl command available on any system for you.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Fri Sep 26 11:27:48 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 26 Sep 2008 11:27:48 +0200
Subject: [Openvas-plugins] 3 new NVT to commit
In-Reply-To: <594525.27661.qm@web26003.mail.ukl.yahoo.com>
References: <594525.27661.qm@web26003.mail.ukl.yahoo.com>
Message-ID: <200809261127.51148.jan-oliver.wagner@intevation.de>

Christian,

On Thursday, 25 September 2008, Christian Eric EDJENGUELE wrote:
> I've openvas installed in my desktop in geneva, but now I'm in Trieste in Italy to perform a PT for a couple of weeks,
> and then I've access to several machines for testing.
> For this job I've the company notebook but I can't install openvas since it's not mine.
> I return in geneva on mid-october, and I'll have the possibility to do all the test on openvas platform to fix these syntax errors.

if it's a linux machine and you have a user account, then it's no problem to get openvas-nasl running in your $(HOME) directory without any changes to the system. Just apply something like --prefix=$(HOME)/openvas for configuration and set your paths.

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From michael.wiegand at intevation.de Fri Sep 26 11:36:57 2008
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Fri, 26 Sep 2008 11:36:57 +0200
Subject: [Openvas-plugins] SMB packet forgery
In-Reply-To: <200809261124.13633.jan-oliver.wagner@intevation.de>
References: <39079.19968.qm@web26004.mail.ukl.yahoo.com> <200809261124.13633.jan-oliver.wagner@intevation.de>
Message-ID: <200809261136.57255.michael.wiegand@intevation.de>

[Friday 26 September 2008 - 11:24:09] "Jan-Oliver Wagner" :
> > they are smb related vulnerabilities, but now I want to set some values in
> > the packet! I've seen it works very well with impacket from Core
> > Security, using these python modules: dcerpc,uuid,transport
> >
> > do the openvas libraries provide an alternate method to do that ?
>
> at a quick glance I did not find any such methods inside openvas-libraries
> or openvas-libnasl.
>
> I am currently not deep into the packet stuff. Hopefully someone else can
> answer here. However, it sounds like a good idea to provide an API for
> further analysis of SMB packets.

I am not that deep into NASL either, but the forge_{ip,tcp,udp}_packet functions might be what you are looking for. Please refer to the documentation provided and existing NASL scripts for details.

> > if not did you consider impacket integration into openvas ? it's under
> > apache like license...
>
> If such methods do indeed make sense, it is probably best to directly
> integrate them into -libraries and -libnasl. It might be an option to
> implement in NASL directly, but I can not judge out of the box here.

IMHO it would make more sense to extend the functionality already provided by NASL if necessary rather than duplicate existing functionality with an outside module.

Regards,

Michael

--
Michael Wiegand OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Fri Sep 26 12:50:12 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 26 Sep 2008 12:50:12 +0200
Subject: [Openvas-plugins] Enhancement for openvas plugins development
In-Reply-To: <501963.24839.qm@web26001.mail.ukl.yahoo.com>
References: <501963.24839.qm@web26001.mail.ukl.yahoo.com>
Message-ID: <200809261250.14510.jan-oliver.wagner@intevation.de>

Hello Christian,

On Wednesday, 17 September 2008, Christian Eric EDJENGUELE wrote:
> so during the week, I've worked on enhancing the openvas plugins development,
> I've also seen the way openvas grabs software banners, and according to me, it's
> too "hard", and then I've developed a routine to make it easier, here are the explanations:
>
> Programming language: python
> Modules used: sax, sys, socket, os, re
>
> Advantages:
> 1) software information is stored in xml format, that makes the information more portable
> 2) only one script to parse all banners: http, ssh, telnet, pop3, smtp, etc...
> 3) no need to write a new script to detect a new software, only add the banner in the xml file,
> I've already done this with http.xml, ssh.xml, telnet.xml, pop3.xml, and more ...
> 4) Well documented
> 5) fast
>
> Disadvantages:
> 1) It seems openvas does not have an xml parser like sax, but all other modules exist, and then the code can be easily ported to nasl

Since OpenVAS 2.0, the server is linked to glib. glib offers simple XML parsing which is already used for reading OVAL XML files:
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-server/openvasd/oval_plugins.c?rev=1434&root=openvas&view=markup

I could imagine getting some xml capabilities into libnasl. But my mind on this has not settled.

Does this influence your conceptual ideas?

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From meyer at strato-rz.de Fri Sep 26 13:26:56 2008
From: meyer at strato-rz.de (Michael Meyer)
Date: Fri, 26 Sep 2008 13:26:56 +0200
Subject: [Openvas-plugins] secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
Message-ID: <20080926112656.GA468@strato-rz.de>

Hello,

today after a 'openvas-nvt-sync' i got the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'. I installed 'Proftp 1.3.0' on my localhost and start a scan. 'FTP Server type and version" (1.3.6.1.4.1.25623.1.0.10092)' found the running Proftp but there is no result from the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'

I look into the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl' and found this:

,---[ secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
| 86 if("Linux" >!< get_kb_item("ssh/login/uname")){
| 87 exit(0);
| 88 }
`---|

So, if i understand it right, a vulnerable Proftpd will only be found if i configure a ssh-login for the OpenVAS-Scan so OpenVAS can execute 'uname'. But i will not and can not configure a ssh-login for every host i want to scan. So i think the code above makes no sense. Without this code snippet there is a result from the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'

If i remove the three lines, the next 'openvas-nvt-sync' will override the Plugin.

Is there any reason for the 'if("Linux" >!
References: <20080926112656.GA468@strato-rz.de>
Message-ID: <00f501c91fcc$1df47800$0201a8c0@bchandra>

Thanks for reporting. It is an extra unwanted check, got rid of it now. Please test it again and let me know.

Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Michael Meyer
Sent: Friday, September 26, 2008 4:57 PM
To: openvas-plugins at wald.intevation.org
Subject: [Openvas-plugins] secpod_proftpd_cmd_handling_sec_vuln_900133.nasl

Hello,

today after a 'openvas-nvt-sync' i got the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'.
I installed 'Proftp 1.3.0' on my localhost and start a scan. 'FTP Server type and version" (1.3.6.1.4.1.25623.1.0.10092)' found the running Proftp but there is no result from the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'

I look into the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl' and found this:

,---[ secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
| 86 if("Linux" >!< get_kb_item("ssh/login/uname")){
| 87 exit(0);
| 88 }
`---|

So, if i understand it right, a vulnerable Proftpd will only be found if i configure a ssh-login for the OpenVAS-Scan so OpenVAS can execute 'uname'. But i will not and can not configure a ssh-login for every host i want to scan. So i think the code above makes no sense. Without this code snippet there is a result from the 'secpod_proftpd_cmd_handling_sec_vuln_900133.nasl'

If i remove the three lines, the next 'openvas-nvt-sync' will override the Plugin.

Is there any reason for the 'if("Linux" >!

I've seen the documentation http://developer.gimp.org/api/2.0/glib/glib-Simple-XML-Subset-Parser.html, it seems nice, lightweight and looks event based like sax! so this does not influence my conceptual ideas...
but why GMarkupParser and not libxml2 ? libxml has a sax interface.
http://www.jamesh.id.au/articles/libxml-sax/libxml-sax.html

thanks.

Since OpenVAS 2.0, the server is linked to glib. glib offers simple XML parsing which is already used for reading OVAL XML files:
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-server/openvasd/oval_plugins.c?rev=1434&root=openvas&view=markup

I could imagine getting some xml capabilities into libnasl. But my mind on this has not settled.

Does this influence your conceptual ideas?

Best

Jan

--
Dr. Jan-Oliver Wagner Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com

----- Original message -----
From: Jan-Oliver Wagner
To: Christian Eric EDJENGUELE
Cc: Tim Brown
Sent: Friday 19 September 2008, 21:10:26
Subject: Re: openvas plugins development enhancment

Hello Christian,

On Wednesday 17 September 2008 17:31, Christian Eric EDJENGUELE wrote:
> what do you think about this ?
> http://lists.wald.intevation.org/pipermail/openvas-plugins/2008-September/0
>00110.html
===

I've seen your post, but I am currently quite busy and need to think about
it first. Will answer on the mailing list.

Best

    Jan

--
Dr. Jan-Oliver Wagner                                   Intevation GmbH
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From meyer at strato-rz.de Fri Sep 26 14:30:06 2008
From: meyer at strato-rz.de (Michael Meyer)
Date: Fri, 26 Sep 2008 14:30:06 +0200
Subject: [Openvas-plugins] secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
In-Reply-To: <00f501c91fcc$1df47800$0201a8c0@bchandra>
References: <20080926112656.GA468@strato-rz.de> <00f501c91fcc$1df47800$0201a8c0@bchandra>
Message-ID: <20080926123006.GA9533@strato-rz.de>

*** Chandrashekhar B wrote:

> Thanks for reporting. It is an extra unwanted check, got rid of it now.
> Please test it again and let me know.

Hmm ...
,---|
| schlepp:/usr/lib/openvas/plugins # rm secpod_proftpd_cmd_handling_sec_vuln_900133.nasl* &&
| openvas-nvt-sync &&
| grep uname secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
|
| OpenVAS NVT Sync $
|
| Configured NVT Feed: rsync://rsync.openvas.org:/nvt-feed
| Synchronized into: /usr/lib/openvas/plugins
|
| Searching for required system tools ...
| Synchonizing NVTs via RSYNC ...
| rsync server - Intevation GmbH, Germany
| All transactions are logged. Mail problems to admin at intevation.de.
|
| Please look at /ftp/mirrors.txt for a list of download mirrors.
| Please look at /kolab/RSYNC.txt before mirroring the kolab tree.
|
| receiving file list ...
| 11354 files to consider
| ./
| secpod_proftpd_cmd_handling_sec_vuln_900133.nasl 2894 100% 2.76MB/s 0:00:00 (xfer#1, to-check=821/11354)
| secpod_proftpd_cmd_handling_sec_vuln_900133.nasl.asc 189 100% 5.43kB/s 0:00:00 (xfer#2, to-check=820/11354)
|
| sent 101 bytes received 167030 bytes 111420.67 bytes/sec
| total size is 20236475 speedup is 121.08
| Synchronization successful.
|
| script_require_keys("ssh/login/uname");
| if("Linux" >!< get_kb_item("ssh/login/uname")){
`---|

There are no changes in the Plugin.

Many Greetings

Michael

From c_edjenguele at yahoo.it Fri Sep 26 15:11:10 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Fri, 26 Sep 2008 13:11:10 +0000 (GMT)
Subject: [Openvas-plugins] SMB packet forgery (Michael Wiegand)
Message-ID: <168917.15175.qm@web26001.mail.ukl.yahoo.com>

Hi Michel,

the forge_{ip,tcp,udp}_packet functions are not what I'm looking for...
they don't provide an interface to modify smb headers, negotiate SMB
MailSlot protocol and manage smb transactions...

It will be very nice to have those functions on openvas.

thanks.

3.
Re: SMB packet forgery (Michael Wiegand)

Message: 3
Date: Fri, 26 Sep 2008 11:36:57 +0200
From: Michael Wiegand
Subject: Re: [Openvas-plugins] SMB packet forgery
To: openvas-plugins at wald.intevation.org
Message-ID: <200809261136.57255.michael.wiegand at intevation.de>
Content-Type: text/plain; charset="iso-8859-1"

[Friday 26 September 2008 - 11:24:09] "Jan-Oliver Wagner" :
> > they are smb related vulnerabilities, but now I want to set some values in
> > the packet! I've seen It works very well with impacket from Core
> > Security, using these python modules: dcerpc,uuid,transport
> >
> > does openvas libraries provides an alternate method to do that ?
>
> at a quick glance I did not find any such methods inside openvas-libraries
> or openvas-libnasl.
>
> I am currently not deep into the packet stuff. Hopefully someone else can
> answer here. However, it sounds like a good idea to provide an API for
> further analysis of SMB packets.

I am not that deep into NASL either, but the forge_{ip,tcp,udp}_packet
functions might be what you are looking for. Please refer to the
documentation provided and existing NASL scripts for details.

> > if not did you consider impacket integration into openvas ? it's under
> > apache like license...
>
> If such methods do indeed make sense, it is probably best to directly
> integrate them into -libraries and -libnasl. It might be an option to
> implement in NASL directly, but I can not judge out of the box here.

IMHO it would make more sense to extend the functionality already provided
by NASL if necessary rather than duplicate existing functionality with an
outside module.

Regards,

Michael

--
Michael Wiegand                                  OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück                    http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From meyer at strato-rz.de Sat Sep 27 13:56:34 2008
From: meyer at strato-rz.de (Michael Meyer)
Date: Sat, 27 Sep 2008 13:56:34 +0200
Subject: [Openvas-plugins] secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
In-Reply-To: <00f501c91fcc$1df47800$0201a8c0@bchandra>
References: <20080926112656.GA468@strato-rz.de> <00f501c91fcc$1df47800$0201a8c0@bchandra>
Message-ID: <20080927115634.GA13611@strato-rz.de>

Hi Chandra,

*** Chandrashekhar B wrote:

> Thanks for reporting. It is an extra unwanted check, got rid of it now.
> Please test it again and let me know.

I received the changed plugin today and now it works as expected.

Thanks again.

Michael

From jan-oliver.wagner at intevation.de Mon Sep 29 11:41:29 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 29 Sep 2008 11:41:29 +0200
Subject: [Openvas-plugins] Bunch of free nasl scripts
In-Reply-To: <48DC16C1.3030400@linux.hr>
References: <48DC16C1.3030400@linux.hr>
Message-ID: <200809291141.32323.jan-oliver.wagner@intevation.de>

Kost,

On Friday, 26. September 2008, Vlatko Kosturjak wrote:
> I just got in contact with David Maciejak (old GPL nasl plugin writer).
> He told me we can use all the scripts authored/written by him in nessus
> feed under GNU GPL v2 license.
>
> I took the scripts from him and other free scripts and made compilation
> of the gpl feed what we can use on:
> http://www.linux.hr/openvas/feed/
>
> Description of the directories there:
>
> gpl: these scripts are probably working and are GPL, there is few
> scripts by Arboi where he says "GPL..." after his copyright notice, so I
> guess it is released under GPL.

from the whole given context we can assume GNU General Public License v2
is meant. I'd say you check the scripts into SVN.

> arboi-blah-blah: not sure if they are GPL, because it says: GPL, blah,
> blah...anyone knows what that means? :)

I've seen this in various places. Again we can assume GNU General Public
License v2 from the given context. "blah" is probably a short version of
the text as recommended for applying the GPL (address of FSF etc). It's
just a (strange) habit of Michel.

> 4check: it should be checked if they work at all. For example there is
> gentoo checks which might not work - can someone who is doing gentoo
> stuff check it?

Thomas did care for gentoo recently. Probably he could answer best here.

> depend-misc: these scripts depends on various nasl/inc files which are
> not free, but with relatively small effort they could be rewritten to
> not require commercial scripts, the scripts itself are free

I'd say: check them in. We have already a lot of such scripts in there.

> depend-rpc: these scripts depends on various RPC include scripts which
> are not free, but the scripts itself are free

same here.

> depend-smb: these scripts depends on various SMB include scripts which
> are not free, but the scripts itself are free

again.

> Can you take a look at it and tell if it's okay to commit them to SVN?
> I mean gpl directory. For others let's see what we can do.
> Also, what we should do with the scripts for which we don't have right
> includes? should we start writing from the scratch copyrighted .inc files?

See above.
Yes, we should step by step fill all remaining gaps (where it makes sense).

> BTW David also pointed me to stillsecure nasl archive at:
> http://arachnids.stillsecure.com/SAT/scripts/OSSSA/GPL/released/OSSSA/scripts/

there was already some discussion about this repository in the OpenVAS
project - I didn't find the emails at a quick glance though. Maybe it was
at IRC or elsewhere discussed.

> I can get in contact with them also and commit it to SVN if we find some
> scripts useful.

seems like a good idea to me :-)

Best

Jan

--
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Mon Sep 29 11:43:28 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 29 Sep 2008 11:43:28 +0200
Subject: [Openvas-plugins] Bunch of free nasl scripts
In-Reply-To: <200809291141.32323.jan-oliver.wagner@intevation.de>
References: <48DC16C1.3030400@linux.hr> <200809291141.32323.jan-oliver.wagner@intevation.de>
Message-ID: <200809291143.30799.jan-oliver.wagner@intevation.de>

On Monday, 29. September 2008, Jan-Oliver Wagner wrote:
> I'd say you check the scripts into SVN.

I forgot to mention: please make sure the IDs don't conflict.
Document the ranges in the file openvas-oids.htm4 in case.

--
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Mon Sep 29 11:56:01 2008
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 29 Sep 2008 11:56:01 +0200
Subject: [Openvas-plugins] openvas plugins development enhancment
In-Reply-To: <885549.54508.qm@web26006.mail.ukl.yahoo.com>
References: <885549.54508.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <200809291156.03797.jan-oliver.wagner@intevation.de>

Christian,

On Friday, 26.
September 2008, Christian Eric EDJENGUELE wrote:
> I've seen the documentation http://developer.gimp.org/api/2.0/glib/glib-Simple-XML-Subset-Parser.html, it seems nice, lightweight and looks event based like sax! so this does not influence my conceptual ideas...
> but why GMarkupParser and not libxml2 ?
> libxml has a sax interface.
> http://www.jamesh.id.au/articles/libxml-sax/libxml-sax.html

We've been very careful with adding further dependencies to OpenVAS.
On the one hand this is because of the portability and on the other hand
it is about security (linking any additional library into OpenVAS means
to inherit its security problems as well).

So, if the parsing part is solvable with what the present dependencies
offer, it is best to go with this. Whether it is indeed solvable, I can
not judge. Do you think, GMarkupParser is sufficient?

Best

Jan

--
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From c_edjenguele at yahoo.it Mon Sep 29 12:38:37 2008
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Mon, 29 Sep 2008 10:38:37 +0000 (GMT)
Subject: [Openvas-plugins] openvas plugins development enhancment (Jan-Oliver Wagner)
Message-ID: <59158.1015.qm@web26007.mail.ukl.yahoo.com>

I only need to get an attribute and values from an xml entity

for example:

I just want to get the "Microsoft SMTP" value from name attribute
the same for re attribute where re is the regexp pattern to be matched
with the banner got from the SMTP server ...

and according to the documentation GMarkupParser does support

* Elements
* Attributes
* 5 standard entities: &amp; &lt; &gt; &quot; &apos;
* Character references
* Sections marked as CDATA

and so it's more than sufficient.

best.

3.
Re: openvas plugins development enhancment (Jan-Oliver Wagner)

------------------------------

Message: 3
Date: Mon, 29 Sep 2008 11:56:01 +0200
From: "Jan-Oliver Wagner"
Subject: Re: [Openvas-plugins] openvas plugins development enhancment
To: "openvas-plugins"
Message-ID: <200809291156.03797.jan-oliver.wagner at intevation.de>
Content-Type: text/plain; charset="iso-8859-1"

Christian,

On Friday, 26. September 2008, Christian Eric EDJENGUELE wrote:
> I've seen the documentation http://developer.gimp.org/api/2.0/glib/glib-Simple-XML-Subset-Parser.html, it seems nice, lightweight and looks event based like sax! so this does not influence my conceptual ideas...
> but why GMarkupParser and not libxml2 ?
> libxml has a sax interface.
> http://www.jamesh.id.au/articles/libxml-sax/libxml-sax.html

We've been very careful with adding further dependencies to OpenVAS.
On the one hand this is because of the portability and on the other hand
it is about security (linking any additional library into OpenVAS means
to inherit its security problems as well).

So, if the parsing part is solvable with what the present dependencies
offer, it is best to go with this. Whether it is indeed solvable, I can
not judge. Do you think, GMarkupParser is sufficient?

Best

    Jan

--
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
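The attribute lookup described in the last message, as an added example that is not part of the thread or of OpenVAS: an event-driven pass that reads the `name` and `re` attributes and matches each `re` against an SMTP banner. Python's expat start-element callback stands in here for the GMarkupParser callback; the `fingerprint` element, the sample XML, the banners and the 512-character cap are constructed assumptions.

```python
import re
import xml.parsers.expat

# Constructed sample. Only the attribute names "name" and "re" and the value
# "Microsoft SMTP" come from the thread; the element layout is an assumption.
SAMPLE_XML = r"""<fingerprints>
  <fingerprint name="Microsoft SMTP" re="^220 \S+ Microsoft ESMTP MAIL Service"/>
  <fingerprint name="Postfix" re="^220 \S+ ESMTP Postfix"/>
  <fingerprint name="Broken" re="^220 ("/>
</fingerprints>"""

MAX_BANNER = 512  # assumption: only this much of a remote banner is examined


def load_fingerprints(xml_text):
    """Event-driven pass over the XML: return (rules, skipped_names)."""
    rules, skipped = [], []

    def start_element(tag, attrs):
        # Called once per opening tag, like a SAX or GMarkup start-element hook.
        if tag != "fingerprint" or "name" not in attrs or "re" not in attrs:
            return
        try:
            rules.append((attrs["name"], re.compile(attrs["re"])))
        except re.error:
            skipped.append(attrs["name"])  # one bad pattern must not stop the load

    def refuse_doctype(*_args):
        # Design choice for this example: no DTD, so no custom entities.
        raise ValueError("DOCTYPE not accepted in fingerprint files")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.Parse(xml_text, True)
    return rules, skipped


def identify(banner, rules):
    """Return the name of the first fingerprint matching the banner, or None."""
    banner = banner[:MAX_BANNER]  # the banner is remote input: bound the work
    for name, pattern in rules:
        if pattern.search(banner):
            return name
    return None


if __name__ == "__main__":
    rules, skipped = load_fingerprints(SAMPLE_XML)
    print(identify("220 mail.example.test Microsoft ESMTP MAIL Service ready", rules))
    print("skipped:", skipped)
```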