nasl_guide.tex

大国补丁后的nessus2.2.8的源代码

the last pcap filter you used on this interface, or your default networking interface if you did not send any packet before. \\
This function has optional arguments. Its complete declaration is :
\begin{verbatim}
 reply = pcap_next([pcap_filter: <filter>,]
	 	   [interface: <iface>,]
	 	   [timeout: <timeout>]);
\end{verbatim}

\begin{itemize}
\item \verb+pcap_filter+ is a standard pcap filter (man pcap or man tcpdump for details)
\item \verb+interface+ is the networking interface you want to use
\item \verb+timeout+ is the number of seconds you want to wait for a packet. Set this to zero if you do not want any timeout
\end{itemize}

\subsection{Utilities}

NASL provides several handy functions that usually makes your coding easier.
\begin{itemize}
\item The function \verb+this_host()+ takes no argument an returns the IP address
of the host the script is running on.

\item The function \verb+get_host_name()+ takes no argument and returns the
name of the currently tested host.

\item The function \verb+get_host_ip()+ takes no argument and returns the
IP adress of the currently tested host.

\item The function \verb+get_host_open_port()+ takes no argument and returns the
number of the first open TCP port of the remote host. This is useful for some
scripts such as land or a TCP sequence analyzing program which need to work
against an open port.


\item The function \verb+get_port_state(<portnum>)+ returns \verb+TRUE+ if the TCP port
\verb+<portnum>+ is open, or if its state is unknown (for instance, if it was not scanned,
or if it is outside the scanned range).


\item The function \verb+telnet_init(<soc>)+ initialize a telnet session
on the freshly opened socket \verb+<soc>+ and returns the first line of telnet
data. 

Example :

\begin{verbatim}
	soc = open_sock_tcp(23);
	buffer = telnet_init(soc);
	display("The remote telnet banner is : ", buffer, "\n");
\end{verbatim}

\item The function \verb+tcp_ping()+ takes no argument and returns
\verb+TRUE+ if the remote host answered to a TCP ping request (send a TCP packet
with the ACK flag set).


\item The function \verb+getrpcport()+ is the same as the standard function of
the same name. Its syntax is :
\begin{verbatim}
 result = getrpcport(program : <program_number>,
                     protocol: IPPROTO_TCP|IPPROTO_UDP,
                     [version: <version>]);
\end{verbatim}

This function returns 0 if an error occured (if the program \verb+<program_number>+ is not
registered in the remote rpc portmapper for instance).

\end{itemize}		    
	
		

	


\newpage
\section{String manipulation functions}

NASL handles strings as numbers. So, you can play with the \verb+==+,
\verb+<+, and \verb+>+ operators safely.

Example :
\begin{verbatim}
 a = "version 1.2.3";
 b = "version 1.4.1";
 
 if(a < b){
 	#
	# Will be executed, since version 1.2.3 is lower
	# than version 1.4.1
       }
       
 c = "version 1.2.3";
 
 if(a==c) {
       # Will also be evaluated
       }
\end{verbatim}

It is also possible to get the n-th character of a string, the same way as 
in C~:
\begin{verbatim}
 a = "test";
 b = a[1];  # b equals to "e"
\end{verbatim}

You can also add and substract strings :
\begin{verbatim}
 a = "version 1.2.3";
 b = a - "version ";   # b equals "1.2.3"
 
 a = "this is a test";
 b = " is a ";
 c = a - b;            # c equals to "this test"
 
 a = "test";
 a = a+a;              # a equals to "testtest"
\end{verbatim}
In addition to this and to the \verb+><+ operator defined above, NASL has a set of
functions dedicated to forge or modify strings :

\subsection{The ereg() function for regular expressions}

Pattern-matching operations are done through the \verb+ereg()+ function. Its
syntax is :
\begin{verbatim}
	result = ereg(pattern:<pattern>, string:<string>)
\end{verbatim}

The \verb+pattern+ syntax is egrep-style. Please refer to man 1 egrep
for more details about it.

Example :
\begin{verbatim}
	if(ereg(pattern:".*", string:"test"))
	{
	  display("Always executed\n");
	}
	
	mystring = recv(socket:soc, length:1024);
	if(ereg(pattern: "SSH-.*-1\..*", 
		string : mystring
		))
	{
	 display("SSH 1.x is running on this host");
	}
	
	
\end{verbatim}

\subsection{ereg\_replace()}

The function \verb+ereg_replace()+ gives you the power to change a string
in a very flexible way, thanks to the regular expressions. It works
the same way as many other regexps tools, so the description will
be short.

Its syntax is :
\begin{verbatim}
 newstr = ereg_replace(pattern:<pattern>, 
                       replace:<replace>,
                       string:<string>);
 \end{verbatim}

 Here are some examples :

\begin{verbatim}

# extract the server type from the following string : 
str = "Server : Apache 1.3.2";
server_type = ereg_replace(pattern:"^Server : (.*)$", replace:"\1", string:str);


# Another example
str = "life is great";
newstr = ereg_replace(pattern:"(.*) (.*) (.*)", replace:"\2 \1", string:str);

# 'newstr' is now equal to 'great life'


\end{verbatim}




 

\subsection{The egrep() function}

\verb+egrep()+ returns the first line that matches the pattern
\verb+<pattern>+ in a multi-lined text. When it is used against
a one-line text, then it is similar to \verb+ereg()+.
If no line in the text matches, then it returns \verb+FALSE+.
Syntax :
\begin{verbatim}
	str = egrep(pattern : <pattern>, string: <string>)
\end{verbatim}

Example :
\begin{verbatim}

	soc = open_soc_tcp(80);
	str = string("HEAD / HTTP/1.0\r\n\r\n");
	send(socket:soc, data:str);
	
	r = recv(socket:soc, length:1024);
	server = egrep(pattern:"^Server.*", string : r);
	
	if(server)display(server);
	
\end{verbatim}

\subsection{The crap() function}

 The function \verb+crap()+ is very convenient to test for buffer overflows.
 It has two syntaxes :
 \begin{itemize}
 \item \verb+crap(<length>)+ : Will return a string of length \verb+<length>+ 
containing the character \verb+'X'+

 \item \verb+crap(length:<length>, data:<data>)+ : Will return a string of length
 \verb+<length>+, containing the data \verb+<data>+
 
 Example :
\begin{verbatim}
  a = crap(5);         # a = "XXXXX";
  b = crap(4096);      # b = "XXXX...XXXX" (4096 X's)
  c = crap(length:12,  # c = "hellohellohe" (length: 12);
          data:"hello");           
\end{verbatim}

\end{itemize}
\subsection{The string() function}

 This function is used to make strings of chars or of other strings.
 It syntax is : \verb+string(<string1>, [<string2>, ..., <stringN>])+
 
 This function will interpolate the backslashed characters such as \verb+\n+ or
 \verb+\t+.
 
 Example :
\begin{verbatim}

  name = "Renaud";
    
  a = string("Hello, I am ", name, "\n");       # a equals to "Hello, I am Renaud" 
                                                # (with a new line at the end)
  b = string(1, " and ", 2, " makes ", 1+2);    # b equals to "1 and 2 makes 3"
  c = string("MKD ", crap(4096), "\r\n");       # c equals to "MKD XXXXX.....XXXX"
                                                # (4096 X's) followed by a carriage
                                                # return and a new line

\end{verbatim}

\subsection{The strlen() function}

\verb+strlen()+ returns the length of a string :
\begin{verbatim}

a = strlen("abcd"); # a is equal to 4 

\end{verbatim}

\subsection{The raw\_string() function}

Example : 
\begin{verbatim}
 a = raw_string(80, 81, 82); # a equals to 'PQR'
\end{verbatim}

\subsection{The tolower() function}
 
 This function is used to convert a string to lower case. Its syntax is
 \verb+tolower(<string>)+. This function will actually return the string
 \verb+<string>+ in lowered letters.
 
Example :

\begin{verbatim}

 a = "Hello";
 b = tolower(a); # b equals to "hello"

\end{verbatim}

 
\newpage
\section{Writing a Nessus Security test}

\subsection{How to write an efficient Nessus test}

All the security test are launched by nessusd, in a very short
period of time, so a well written test must use the results of the
other security test. For instance, a test which wants to open
a connection to a FTP server should first check that the 
remote port is open, before opening a connection on port 21. 
This saves little time and bandwidth against a given host,
but this dramatically speeds up the test against a firewalled host
which would silently drop TCP packets going to port 21.

\subsubsection{Determining whether a port is open}
The function \verb+get_port_state(<portnum>)+ returns
TRUE if the port is open, and FALSE if it is not.
\textit{This function will return true if the port has not been
scanned, that is, if its status is unknown}.

This function uses very little CPU, so you should call it as
much as you want.

\subsubsection{The Knowledge Base (KB)}
Each host is associated to an internal knowledge base, which contains
all the information gathered by the tests during the scan. The security
tests are encouraged to read it and to contribute to it. The status
of the ports, for instance, is in fact written somewhere in the
knowledge base.

The KB is divided into categories. The ``Services'' category contains
the port numbers associated to each known service. For instance, the element
\verb+Services/smtp+ is very likely to have the value \verb+25+. However,
if the remote host has a hidden SMTP server on port 2500, and none
on port 25, then this item will have the value 2500.

See Annex B for details about the knowledge base elements.

Basically, there are two functions regarding the knowledge base. The
\verb+get_kb_item(<name>)+ function will return the value of the knowledge
base item \verb+<name>+. This function is anonymous. The function
\verb+set_kb_item(name:<name>, value:<value>)+ will mark the new item 
\verb+<name>+ of value \verb+<value>+ in the knowledge base.

\textbf{Note : } You can not read back a knowledge base item you have added.
For instance, the following piece of code will not work and never execute
what it should :

\begin{verbatim}

set_kb_item(name:"attack", value:TRUE);
if(get_kb_item("attack"))
{
 # Perform the attack - will not be executed
 # because our local KB has not been updated
}
\end{verbatim}

This is due to the fact that for some security and code stability reason, 
the Nessus server will in fact start each new security test with a copy
of the knowledge base, not the original one, and the function
\verb+set_kb_item()+ will in fact add an element into the orginal knowledge
base, within nessusd, but will not update the current security test knowledge
base.

\subsection{NASL script structure}

Each NASL script must register itself to the Nessus server. That is,
it must tell nessusd its name, its description, the name of its author, and
more. Thus, each NASL script that will be run with nessusd must have the
following structure :
\begin{verbatim}

#
# Nasl script to be used with nessusd
#

if(description)
{
 # register information here...
 
 #
 # I will call this section the 'register' 
 # section
 #
 
 exit(0);
}

#
# Script code here. I will call this section the
# 'attack' section.
#

\end{verbatim}


The variable \verb+description+ is a global variable that will be set to
\verb+TRUE+ or \verb+FALSE+ depending on whether the script must register or
not.

\subsubsection{The register section}

The \textit{register} section \textbf{must} call the following functions :
\begin{itemize}
 \item \verb+script_id(<id>)+ which sets the script id. A script id is a unique number referencing the script. If you plan to distribute your nasl script, then the nessus.org folks will attribute one for you. If you plan to keep your set of scripts private (booo!), then you can use any ID number between 90000 and 99000.

\item \verb+script_version(<version>)+ sets the version of a script. This is usually the \verb+Revision\verb+ tag of the CVS tree.


 \item \verb+script_name(language1:<name>, [...])+ which sets the script name as
it will appear in the Nessus client window.
 
 \item \verb+script_description(language1:<desc>, [...])+ which sets the script
description as it will appear in the client when the user clicks on the name.

\item \verb+script_summary(language1:<summary>, [...])+ sets the script summary
as it appears in the tooltips. It must be a sum up of the description that fits
on one line.

\item \verb+script_category(<category>)+ sets the script category. It must be
one of \verb+ACT_ATTACK+, \verb+ACT_GATHER_INFO+, \verb+ACT_DENIAL+ or
\verb+ACT_SCANNER+. 
	\begin{itemize}
	\item \verb+ACT_GATHER_INFO+ : the script will be launched among the
	first. You know it will not harm the remote computer.
	
	\item \verb+ACT_ATTACK+ : the script will attempt to gain some
	priviledges on the remote host. It may harm the remote system
	(if it tests a buffer overflow for instance)
	
	\item \verb+ACT_DENIAL+ : the script will attempt to crash the remote
	host
	
	\item \verb+ACT_SCANNER+ : the script is a port scanner
	\end{itemize}
\item \verb+script_copyright(language1:<copyright>, [...])+ sets the copyright
of the script. It may be your name, a legal notice or whatever.

\item \verb+script_family(language1:<family>, [...])+ sets the script family.
There are no clearly defined families, so you may choose to register
the script in the family ``Joe's PowerTools'', altough I do not recommand it.
The currently used families are : 
	\begin{itemize}
	\item Backdoors
	\item CGI abuses
	\item Denial of Service
	\item FTP
	\item Finger abuses
	\item Firewalls
	\item Gain a shell remotely
	\item Gain root remotely
	\item Misc.
	\item NIS
	\item RPC
	\item Remote file access
	\item SMTP problems
	\item Useless services
	\end{itemize}
\end{itemize}

As you may have noticed, most of these functions take a \verb+language1+
argument. In fact, this is not how they work. 

NASL provides Nessus multilingual support. Each script must support the 
\verb+english+ language, and the exact syntax for all these functions