find_service.c

漏洞扫描源码,可以扫描linux,windows,交换机路由器

/*
 * Find service
 *
 * This plugin is released under the GPL
 */


#define DETECT_WRAPPED_SVC
#define SMART_TCP_RW
/* #define DEBUG  */

#include <includes.h>
#include "nasl.h"

#if NASL_LEVEL >= 3203 
int 
plugin_init( struct arglist *desc )
{
 return -1;
}

int plugin_run( struct arglist *desc )
{
 return -1;
}

#else

 

#define EN_NAME "Services"
#define FR_NAME "Services"

#define EN_FAMILY "Service detection"

#define EN_DESC "This plugin attempts to guess which\n\
service is running on the remote ports. For instance,\n\
it searches for a web server which could listen on\n\
another port than 80 and set the results in the plugins\n\
knowledge base.\n\n\
Risk factor : None"

#define FR_DESC "Ce plugin tente de deviner quels\n\
services tournent sur quels ports.\n\
Par exemple, il cherche si un serveur\n\
web tourne sur un port autre que le 80\n\
et il stocke ses r閟ultats dans la\n\
base de connaissance des plugins.\n\n\
Facteur de risque : Aucun"

#define EN_COPY "Written by Renaud Deraison <deraison@cvs.nessus.org>"
#define FR_COPY "Ecrit par Renaud Deraison <deraison@cvs.nessus.org>"

#define EN_SUMM "Find what is listening on which port"
#define FR_SUMM "D閠ermine ce qui 閏oute sur quel port"


#ifdef HAVE_SSL
#define CERT_FILE "SSL certificate : "
#define KEY_FILE  "SSL private key : "
#define PEM_PASS "PEM password : "
#define CA_FILE	"CA file : "
#endif
#define CNX_TIMEOUT_PREF	"Network connection timeout : "
#define RW_TIMEOUT_PREF		"Network read/write timeout : "
#ifdef DETECT_WRAPPED_SVC
#define WRAP_TIMEOUT_PREF	"Wrapped service read timeout : "
#endif


#define NUM_CHILDREN		"Number of connections done in parallel : "


int 
plugin_init(desc)
	struct arglist *desc;
{

	plug_set_id(desc, 10330);
	plug_set_version(desc, "$Revision: 1.261 $");

	plug_set_name(desc, FR_NAME, "francais");
	plug_set_name(desc, EN_NAME, NULL);


	plug_set_category(desc, ACT_GATHER_INFO);


#ifdef FR_FAMILY
	plug_set_family(desc, FR_FAMILY, "francais");
#endif
	plug_set_family(desc, EN_FAMILY, NULL);

	plug_set_description(desc, FR_DESC, "francais");
	plug_set_description(desc, EN_DESC, NULL);

	plug_set_summary(desc, FR_SUMM, "francais");
	plug_set_summary(desc, EN_SUMM, NULL);

	plug_set_copyright(desc, FR_COPY, "francais");
	plug_set_copyright(desc, EN_COPY, NULL);
	add_plugin_preference(desc, NUM_CHILDREN, PREF_ENTRY, "6");
	add_plugin_preference(desc, CNX_TIMEOUT_PREF, PREF_ENTRY, "5");
	add_plugin_preference(desc, RW_TIMEOUT_PREF, PREF_ENTRY, "5");
#ifdef DETECT_WRAPPED_SVC
	add_plugin_preference(desc, WRAP_TIMEOUT_PREF, PREF_ENTRY, "2");
#endif

#ifdef HAVE_SSL
	add_plugin_preference(desc, CERT_FILE, PREF_FILE, "");
	add_plugin_preference(desc, KEY_FILE, PREF_FILE, "");
	add_plugin_preference(desc, PEM_PASS, PREF_PASSWORD, "");
	add_plugin_preference(desc, CA_FILE, PREF_FILE, "");

#define TEST_SSL_PREF	"Test SSL based services"
	add_plugin_preference(desc, TEST_SSL_PREF, PREF_RADIO, "Known SSL ports;All;None");
#endif
	plug_set_timeout(desc, PLUGIN_TIMEOUT * 4);
	return (0);
}




static void
register_service(desc, port, proto)
	struct arglist *desc;
	int             port;
	const char     *proto;
{
	char            k[96];

#ifdef DEBUG
	int             l;
	if (port < 0 || proto == NULL ||
	    (l = strlen(proto)) == 0 || l > sizeof(k) - 10) {
		fprintf(stderr, "find_service->register_service: invalid value - port=%d, proto=%s\n",
			port, proto == NULL ? "(null)" : proto);
		return;
	}
#endif
	/* Old "magical" key set */
	snprintf(k, sizeof(k), "Services/%s", proto);
	/* Do NOT use plug_replace_key! */
	plug_set_key(desc, k, ARG_INT, (void *) port);

	/*
	 * 2002-08-24 - MA - My new key set There is a problem: if
	 * register_service is called twice for a port, e.g. first with HTTP
	 * and then with SWAT, the plug_get_key function will fork. This
	 * would not happen if we registered a boolean (i.e. "known") instead
	 * of the name of the protocol. However, we *need* this name for some
	 * scripts. We'll just have to keep in mind that a fork is
	 * possible...
	 * 
	 * 2005-06-01 - MA - with plug_replace_key the problem is solved, but I
	 * wonder if this is so great...
	 */
	snprintf(k, sizeof(k), "Known/tcp/%d", port);
	plug_replace_key(desc, k, ARG_STRING, (char *) proto);
}

void 
mark_chargen_server(desc, port)
	struct arglist *desc;
	int             port;
{
	register_service(desc, port, "chargen");
	post_note(desc, port, "Chargen is running on this port");
}

void 
mark_echo_server(desc, port)
	struct arglist *desc;
	int             port;
{
	register_service(desc, port, "echo");
	post_note(desc, port, "An echo server is running on this port");
}

void 
mark_ncacn_http_server(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	char            ban[256];
	if (port == 593) {
		register_service(desc, port, "http-rpc-epmap");
		snprintf(ban, sizeof(ban), "http-rpc-epmap/banner/%d", port);
		plug_replace_key(desc, ban, ARG_STRING, buffer);
	} else {
		register_service(desc, port, "ncacn_http");
		snprintf(ban, sizeof(ban), "ncacn_http/banner/%d", port);
		plug_replace_key(desc, ban, ARG_STRING, buffer);
	}
}

void 
mark_vnc_server(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "vnc");
	snprintf(ban, sizeof(ban), "vnc/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
}

void 
mark_nntp_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "nntp");
	snprintf(ban, sizeof(ban), "nntp/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
	snprintf(ban, sizeof(ban), "An NNTP server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}


void 
mark_swat_server(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	register_service(desc, port, "swat");
}

void 
mark_vqserver(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	register_service(desc, port, "vqServer-admin");
}


void 
mark_mldonkey(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "mldonkey");
	snprintf(ban, sizeof(ban), "A mldonkey server is running on this port");
	post_note(desc, port, ban);
}



void 
mark_http_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "www");
	snprintf(ban, sizeof(ban), "www/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
	snprintf(ban, sizeof(ban), "A web server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}


void 
mark_locked_adsubtract_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "AdSubtract");
	snprintf(ban, sizeof(ban), "AdSubtract/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
	snprintf(ban, sizeof(ban), "A (locked) AdSubtract server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

static void
mark_gopher_server(struct arglist * desc, int port)
{
	register_service(desc, port, "gopher");
	post_note(desc, port, "A gopher server is running on this port");
}

#if 0
static void
mark_gnutella_servent(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[256];

	register_service(desc, port, "gnutella");
	snprintf(ban, sizeof(ban), "www/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
	snprintf(ban, sizeof(ban), "A Gnutella servent is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}
#endif

void 
mark_rmserver(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "realserver");
	snprintf(ban, sizeof(ban), "realserver/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);

	snprintf(ban, sizeof(ban), "A RealMedia server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

void 
mark_smtp_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "smtp");
	snprintf(ban, sizeof(ban), "smtp/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);

	if (strstr(buffer, " postfix"))
		plug_replace_key(desc, "smtp/postfix", ARG_INT, (void *) 1);

	{
		char           *report = emalloc(255 + strlen(buffer));
		char           *t = strchr(buffer, '\n');
		if (t)
			t[0] = 0;
		snprintf(report, 255 + strlen(buffer), "An SMTP server is running on this port%s\n\
Here is its banner : \n%s",
			 get_encaps_through(trp), buffer);
		post_note(desc, port, report);
		efree(&report);
	}
}

void
mark_snpp_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512], *report, *t;
	register_service(desc, port, "snpp");
	snprintf(ban, sizeof(ban), "snpp/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);

	report = emalloc(255 + strlen(buffer));
	t = strchr(buffer, '\n');
	if (t != NULL)
		*t = '\0';
	snprintf(report, 255 + strlen(buffer),
		 "An SNPP server is running on this port%s\n\
Here is its banner : \n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, report);
	efree(&report);
}

void 
mark_ftp_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	register_service(desc, port, "ftp");

	if (buffer != NULL) {
		char            ban[255];

		snprintf(ban, sizeof(ban), "ftp/banner/%d", port);
		plug_replace_key(desc, ban, ARG_STRING, buffer);
	}
	if (buffer != NULL) {
		char           *report = emalloc(255 + strlen(buffer));
		char           *t = strchr(buffer, '\n');
		if (t != NULL)
			t[0] = '\0';
		snprintf(report, 255 + strlen(buffer), "An FTP server is running on this port%s.\n\
Here is its banner : \n%s",
			 get_encaps_through(trp), buffer);
		post_note(desc, port, report);
		efree(&report);
	} else {
		char            report[255];
		snprintf(report, sizeof(report), "An FTP server is running on this port%s.",
			 get_encaps_through(trp));
		post_note(desc, port, report);
	}
}

void
mark_ssh_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port;
	char           *buffer;
	int             trp;
{
	register_service(desc, port, "ssh");
	post_note(desc, port, "An ssh server is running on this port");
}

void
mark_http_proxy(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	/* the banner is in www/banner/port */
	register_service(desc, port, "http_proxy");
	snprintf(ban, sizeof(ban), "An HTTP proxy is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

void
mark_pop_server(desc, port, buffer)
	struct arglist *desc;
	int             port;
	char           *buffer;
{
	char           *c = strchr(buffer, '\n');
	char            ban[512];
	char           *buffer2;
	int             i;
	if (c)
		c[0] = 0;
	buffer2 = estrdup(buffer);
	for (i = 0; i < strlen(buffer2); i++)
		buffer2[i] = tolower(buffer2[i]);
	if (!strcmp(buffer2, "+ok")) {
		register_service(desc, port, "pop1");
		snprintf(ban, sizeof(ban), "pop1/banner/%d", port);
		plug_replace_key(desc, ban, ARG_STRING, buffer);
	} else if (strstr(buffer2, "pop2")) {
		register_service(desc, port, "pop2");
		snprintf(ban, sizeof(ban), "pop2/banner/%d", port);
		plug_replace_key(desc, ban, ARG_STRING, buffer);