nasl_guide.tex

大国补丁后的nessus2.2.8的源代码

\begin{verbatim}

	a = "Nessus";
	b = "I use Nessus";
	
	if(a >< b){
		# This will be executed since
		# a is in B
		display(a, " is contained in ", b, "\n");
		}
\end{verbatim}
	
\newpage
\section{The NASL Network related functions}


NASL will not let you open a socket to another host
than the host than nessusd wants to test. 

\subsection{Sockets manipulation}

A socket is a way to communicate with another host using TCP or
UDP. It is like a pipe, designed to send data on a given port
of a given protocol.

\subsubsection{How to open a socket}
The functions \verb+open_sock_tcp()+ and \verb+open_sock_udp()+ will
open a TCP or UDP socket. These two functions are using anonymous
arguments. You can currently open a socket on only one port at once,
but this will eventually change in the future.\\
\noindent Example :
\begin{verbatim}
# Open a socket on TCP port 80 :
soc1 = open_sock_tcp(80);
# Open a socket on UDP port 123 :
soc2 = open_sock_udp(123);
\end{verbatim}

The \verb+open_sock+ functions will return 0 if the connection could not
be established on the remote host. Usually, \verb+open_sock_udp()+ will
never fail, since there is no way to determine whether the remote
UDP port is open or not, whereas the \verb+open_sock_tcp()+ function
will return 0 if the remote port is closed.\\
A trivial TCP port scanner would be like this :
\begin{verbatim}
start = prompt("First port to scan ? ");
end  = prompt("Last port to scan ? ");

for(i=start;i<end;i=i+1)
{
 soc = open_sock_tcp(i);
 if(soc) {
  display("Port ", i, " is open\n");
  close(soc);
 }
}
\end{verbatim}

You may want your socket to be bound to a special port or to come from
a priviledged port (in the case you want your script to connect to
a r-service for instance). The functions \verb+open_priv_sock_tcp()+ and
\verb+open_priv_sock_udp()+ are here to do that.
Their syntax is :
\begin{verbatim}
 soc = open_priv_sock_tcp(sport:<sport>, dport:<dport>);
 soc = open_priv_sock_udp(sport:<sport>, dport:<dport>);
\end{verbatim}

\verb+sport+ is the source port, and \verb+dport+ is the destination
port of the socket. If \verb+sport+ is not specified, then a socket
with a source port < 1024 will be opened.



\subsubsection{Closing a socket}

The function \verb+close()+ is used to close a socket. It will internally
perform a \verb+shutdown()+ before actually closing the socket.


\subsubsection{Writing to a socket, and reading from it}

Reading and writing to a socket is done using one of these functions :
\begin{itemize}
\item \begin{verbatim}recv(socket:<socketname>, 
length:<length> 
[,timeout : <timeout>)\end{verbatim} 
Reads  \verb+<length>+ bytes from the socket \verb+<socketname>+. 
This function can be used for TCP and UDP. The \verb+timeout+ option is in
seconds.
 
\item \begin{verbatim}recv_line(socket:<socketname>, 
length:<length> 
[, timeout: <timeout>])\end{verbatim}
This function
works the same way as \verb+recv()+, except that it will stop reading data
as soon as the \verb+\n+ character is read. This function only works
with TCP sockets.


\item \verb+send(socket:<socket>, data:<data> [, length:<length>])+ : 
send the data \verb+<data>+ on the socket \verb+<socket>+. The optional
argument \verb+length+ tells the function to only send \verb+<length>+
bytes on the socket. If it is not set, then the data will be sent until
a NULL character is met.


\end{itemize}

The functions that are used to read data from a socket have an internal
timeout value of five seconds. If the timeout is reached, then they will
return~FALSE.\\
\noindent Example :
\begin{verbatim}

# This Example displays the FTP banner of the remote host :

soc = open_sock_tcp(21);
if(soc)
{
 data = recv_line(socket:soc, length:1024);
 if(data)
 {
  display("The remote FTP banner is : \n", data, "\n");
 }
 else
 {
  display("The remote FTP server seems to be tcp-wrapped\n");
 }
 close(soc);
}

\end{verbatim}

\subsubsection{Higher level operations}

NASL has a set of high level functions, regarding FTP and WWW.

\begin{itemize}
\item \verb+ftp_log_in(socket:<soc>, user:<login>, pass:<pass>)+ will
attempt to log into the FTP server connected to the freshly open socket
\verb+<soc>+. This function returns \verb+TRUE+ if it was possible to
log in as \verb+<login>+ with password \verb+<pass>+. It returns FALSE
if an error occured.

\item \verb+ftp_get_pasv_port(socket:<soc>)+ issues a \verb+PASV+
command on the FTP server, and returns the port to open a connection
onto. This allows NASL scripts to retrieve data via FTP.
This function returns \verb+FALSE+ if an error occurred.

\item \verb+is_cgi_installed(<name>)+ returns a non-zero value if the
cgi \verb+<name>+ is installed on the remote web server. This
function performs a \verb+GET+ request on the remote web server.
If \verb+<name>+ does not start by a slash (\verb+/+), then
\verb+/cgi-bin/+ is appended in the front of it. This function
can also be used to determine the existence of a given file.\\
The value returned is the port number of the web server that
runs the given CGI.

\item \verb+http_get()+, \verb+http_head()+ and \verb+http_post()+ generate
an HTTP/1.0 or HTTP/1.1 compliant request string. They all share the
same prototype :\\
\indent\verb+http_<operation>(item:<item>, port:<port>)+
where :
\begin{itemize}
\item \verb+item+ is the name of the page to get (ie: "/cgi-bin/mycgi")
\item \verb+port+ is the port of the web server to whom a request will be
made. This is necessary, so that NASL can forge a HTTP/1.0 or HTTP/1.1
request depending on what the remote server is speaking.
\end{itemize}
Exemple :
\begin{verbatim}
	port = get_kb_item("Services/www");
	soc = open_sock_tcp(port);
	req = http_get(item:"/", port:port);
	send(socket:soc, data:req);

	r = recv(socket:soc, length:8192); # <r> now contains the index.html
					   # file, plus the web server headers
\end{verbatim}

\item \verb+cgibin()+ returns one of the paths entered by the user to use
instead of cgi-bin. This function duplicates the run of the script, 
which means that if the user set the CGI path to be '/cgi-bin:/my-cgis'
then the script will be executed twice when cgibin() is called - the first
time, it will return '/cgi-bin', the second time it will return
'/my-cgis'.
\end{itemize}

\noindent Examples :
\begin{verbatim}

#
# WWW
#
 if(is_cgi_installed("/robots.txt")){
 	display("The file /robots.txt is present\n");
	}
 if(is_cgi_installed("php.cgi")){
 	display("The CGI php.cgi is installed in /cgi-bin\n");
	}
 if(!is_cgi_installed("/php.cgi")){
 	display("There is no 'php.cgi' in the remote web root\n");
	}

#
# FTP
#
  # open a connection to the remote host
 soc = open_sock_tcp(21);
 
 # Log in as the anonymous user
 if(ftp_log_in(socket:soc, user:"ftp", pass:"joe@"))
 {
  # Get a passive port
  port = ftp_get_pasv_port(socket:soc);
  if(port)
  {
   soc2 = open_sock_tcp(port);
   data = string("RETR /etc/passwd\r\n");
   send(socket:soc, data:data);
   password_file = recv(socket:soc2, length:10000);
   display(password_file);
   close(soc2);
  }
  close(soc);
 }

\end{verbatim}   

\subsection{Raw packets manipulation}

NASL allows you to forge your own IP packets, and will attempt
to behave in an intelligent way with the packet forged. For instance,
if you change a parameter in a TCP packet, then the TCP checksum will
be recomputed silently. If you append a layer to an IP packet, then
the \verb+ip_len+ element of the IP packet will be updated - unless
you deliberately say to not do it.

All the raw packets functions use non-anonymous arguments. Their
names comes straight from the BSD include files. So, the 'length'
element of an ip packet is called \verb+ip_len+ and not
'\verb+length+'.


\subsubsection{Forging an IP packet}
The function \verb+forge_ip_packet()+ will forge a new IP packet. The function 
\verb+get_ip_element()+ will return an element of a packet, whereas the
function \verb+set_ip_elements()+ will change the elements of an existing IP
packet.

\begin{verbatim}
 <return_value> = forge_ip_packet(
		ip_hl    : <ip_hl>,
		ip_v     : <ip_v>,
		ip_tos   : <ip_tos>,
		ip_len   : <ip_len>,
		ip_id    : <ip_id>,
		ip_off   : <ip_off>,
		ip_ttl   : <ip_ttl>,
		ip_p     : <ip_p>,
		ip_src   : <ip_src>,
		ip_dst   : <ip_dst>,
		[ip_sum  : <ip_sum>] );
	      
\end{verbatim}

The \verb+ip_sum+ argument of this function is optional. If it is not set, it
will be automatically computed. The field \verb+ip_p+ may be a numeric value, or
one of the constants \verb+IPPROTO_TCP+, \verb+IPPROTO_UDP+,
\verb+IPPROTO_ICMP+, \verb+IPPROTO_IGMP+ or \verb+IPPROTO_IP+.


\begin{verbatim}
  <element> = get_ip_element(
 		ip      : <ip_variable>,
 		element : "ip_hl"|"ip_v"|"ip_tos"|"ip_len"|
 		          "ip_id"|"ip_off"|"ip_ttl"|"ip_p"|
 		          "ip_sum"|"ip_src"|"ip_dst");
\end{verbatim}

The function \verb+get_ip_element()+ will return one element 
of a packet. The element must be one of \verb+"ip_hl"+, \verb+"ip_v"+,
 \verb+"ip_tos"+, \verb+"ip_len"+,
 \verb+"ip_id"+, \verb+"ip_off"+, \verb+"ip_ttl"+, \verb+"ip_p"+,  \verb+"ip_sum"+,
  \verb+"ip_src"+ or \verb+"ip_dst"+. Note that the quotes have their importance.

\begin{verbatim}
  set_ip_elements( ip	: <ip_variable>,
		  [ip_hl    : <ip_hl>, ]
		  [ip_v     : <ip_v>,  ]
		  [ip_tos   : <ip_tos>,]
		  [ip_len   : <ip_len>,]
		  [ip_id    : <ip_id>, ]
		  [ip_off   : <ip_off>,]
		  [ip_ttl   : <ip_ttl>,]
		  [ip_p     : <ip_p>,  ]
		  [ip_src   : <ip_src>,]
		  [ip_dst   : <ip_dst>,]
		  [ip_sum  : <ip_sum>  ] 
		);
		
\end{verbatim}

The function \verb+set_ip_elements()+ change the value of the IP packet
\verb+<ip_variable>+ and recomputes the checksum if the element
\verb+ip_sum+ is not altered.
Since this function will not create a new packet in memory, you
should prefer it to \verb+forge_ip_packet()+ when you have to send
multiple, nearly similar, IP packets.


Last but not least, there is a function \verb+dump_ip_packet(<packet>)+ which
will print the IP packet in human readable form on screen. You should only
use this for debugging purpose.


\subsubsection{Forging a TCP packet}

The function \verb+forge_tcp_packet()+ is used to forge a TCP packet.
Its syntax is :
\begin{verbatim}
 tcppacket = forge_tcp_packet(ip : <ip_packet>,
                              th_sport : <source_port>,
			      th_dport : <destination_port>,
			      th_flags : <tcp_flags>,
			      th_seq   : <sequence_number>,
			      th_ack   : <acknowledgement_number>,
			      [th_x2   : <unused>],
			      th_off   : <offset>,
			      th_win   : <window>,
			      th_urp   : <urgent_pointer>,
			      [th_sum  : <checkum>],
			      [data    : <data>]);
			      
\end{verbatim}

The option \verb+th_flags+ must be one of \verb+TH_SYN+, \verb+TH_ACK+,
\verb+TH_FIN+, \verb+TH_PUSH+ or \verb+TH_RST+. Flags can be
combined using the \verb+|+ operator. \verb+th_flags+ may also
be a numeric value. \verb+ip_packet+ must have been generated with
\verb+forge_ip_packet()+ or must have be a packet read using
\verb+send_packet()+ or \verb+pcap_next()+.

The function used to change TCP elements is \verb+set_tcp_elements()+.
It's syntax is similar to \verb+forge_tcp_packet()+ :

\begin{verbatim}
  set_tcp_elements(tcp : <tcp_packet>,
                              [th_sport : <source_port>,]
			      [th_dport : <destination_port>,]
			      [th_flags : <tcp_flags>,]
			      [th_seq   : <sequence_number>,]
			      [th_ack   : <acknowledgement_number>,]
			      [th_x2    : <unused>,]
			      [th_off   : <offset>,]
			      [th_win   : <window>,]
			      [th_urp   : <urgent_pointer>,]
			      [th_sum   : <checkum>],
			      [data     : <data>] );
			      
\end{verbatim}
    
This function will automatically recompute the checksum of the packet, unless
you explicitly set the \verb+th_sum+ element.

The function used to get one element of a TCP packet is
\verb+get_tcp_element()+. Its syntax is :
\begin{verbatim}
element = get_tcp_elements(tcp: <tcp_packet>,
                  element: <element_name>);
\end{verbatim}

\verb+element_name+ must be one of \verb+"tcp_sport"+, "\verb+"th_dport"+,
\verb+"th_flags"+, \verb+"th_seq"+, \verb+"th_ack"+, \verb+"th_x2"+,
\verb+"th_off"+, \verb+"th_win"+, \verb+"th_urp"+, \verb+"th_sum"+. Note the
quotes !

\subsubsection{Forging a UDP packet}

The UDP functions are nearly the same as for TCP functions :
\begin{verbatim}
 udp = forge_udp_packet(ip:<ip_packet>,
                        uh_sport : <source_port>,
			uh_dport : <destination_port>,
			uh_ulen  : <length>,
			[uh_sum  : <checksum>],
			[data    : <data>]);
\end{verbatim}

The functions \verb+set_udp_elements()+ and \verb+get_udp_elements()+ work
the same way as for the TCP functions.

\subsubsection{Forging an ICMP packet}
NASL is quite limited when it comes to forging an ICMP packet. Basically,
the function accepts the following arguments :
\begin{verbatim}
 icmp = forge_icmp_packet(	ip:<ip_packet>,
				icmp_code:<icmp_code>,
				icmp_type:<icmp_type>,
				icmp_seq:<icmp_seq>,
				icmp_id:<icmp_id>,
				[data:<data>]
			);
\end{verbatim}

The functions \verb+get_icmp_element()+ and \verb+set_icmp_elements()+ work the same way as they does for TCP and ICMP, but can only change these fields.

It should be possible to forge more complicated ICMP paquets by continuing
the header in the \verb+data+ parameter, although this has never been tested.

\subsubsection{Forging an IGMP packet}
As for ICMP, forging an IGMP packet could be implemented in a better way in NASL. The function \verb+forge_igmp_packet()+ accepts the following arguments :
\begin{verbatim}
 igmp = forge_igmp_packet(	ip:<ip_packet>,
				code:<igmp_code>,
				type:<igmp_type>,
				group:<igmp_group>,
				[data:<data>]
			);
\end{verbatim}
 
\subsubsection{Sending a raw packet}

Once you have set up a packet using \verb+forge_*_packet()+, you
can send it using the \verb+send_packet()+ function.

This function syntax is :
\begin{verbatim}
 reply = send_packet(packet1, packet2, ...., packetN,
                     pcap_active: <TRUE|FALSE>,
                     pcap_filter: <pcap_filter>);
\end{verbatim}

If the argument \verb+pcap_active+ is set to \verb+TRUE+ (the default),
then this function will wait for a reply from the host the packet was
sent to. You can set up the argument \verb+pcap_filter+ to define
what kind of packet you want. See the pcap (or tcpdump) manual to learn more from
pcap filters.		  

\subsubsection{Reading raw packets}

You can read a packet using the \verb+pcap_next()+ function, the syntax
of which is :
\begin{verbatim}
 reply = pcap_next();
\end{verbatim}

This function will read a packet from the last interface you used, with