find_service.c

漏洞扫描源码,可以扫描linux,windows,交换机路由器

	/* Do NOT use plug_replace_key! */
	plug_set_key(desc, "Services/wrapped", ARG_INT, (void *) port);
}
#endif

static const char *
port_to_name(int port)
{
	/* Note: only includes services that are recognized by this plugin! */
	switch (port) {
		case 7:return "Echo";
	case 19:
		return "Chargen";
	case 21:
		return "FTP";
	case 22:
		return "SSH";
	case 23:
		return "Telnet";
	case 25:
		return "SMTP";
	case 37:
		return "Time";
	case 70:
		return "Gopher";
	case 79:
		return "Finger";
	case 80:
		return "HTTP";
	case 98:
		return "Linuxconf";
	case 109:
		return "POP2";
	case 110:
		return "POP3";
	case 113:
		return "AUTH";
	case 119:
		return "NNTP";
	case 143:
		return "IMAP";
	case 220:
		return "IMAP3";
	case 443:
		return "HTTPS";
	case 465:
		return "SMTPS";
	case 563:
		return "NNTPS";
	case 593:
		return "Http-Rpc-Epmap";
	case 873:
		return "Rsyncd";
	case 901:
		return "SWAT";
	case 993:
		return "IMAPS";
	case 995:
		return "POP3S";
#if 0
	case 1080:
		return "SOCKS";
#endif
	case 1109:
		return "KPOP";	/* ? */
	case 2309:
		return "Compaq Management Server";
	case 2401:
		return "CVSpserver";
	case 3128:
		return "Squid";
	case 3306:
		return "MySQL";
	case 5000:
		return "VTUN";
	case 5432:
		return "Postgres";
	case 8080:
		return "HTTP-Alt";
	}
	return NULL;
}

static void
mark_unknown_svc(desc, port, banner, trp)
	struct arglist *desc;
	int             port, trp;
	const unsigned char *banner;
{
	char            tmp[1600], *norm = NULL;

	/* Do NOT use plug_replace_key! */
	plug_set_key(desc, "Services/unknown", ARG_INT, (void *) port);
	snprintf(tmp, sizeof(tmp), "unknown/banner/%d", port);
	plug_replace_key(desc, tmp, ARG_STRING, (char *) banner);
}

static void
mark_gnuserv(desc, port)
	struct arglist *desc;
	int             port;
{
	register_service(desc, port, "gnuserv");
	post_note(desc, port, "gnuserv is running on this port");
}

static void
mark_iss_realsecure(desc, port)
	struct arglist *desc;
	int             port;
{
	register_service(desc, port, "issrealsecure");
	post_note(desc, port, "ISS RealSecure is running on this port");
}

static void
mark_vmware_auth(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];


	register_service(desc, port, "vmware_auth");

	snprintf(ban, sizeof(ban), "A VMWare authentication daemon is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);

}

static void
mark_interscan_viruswall(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "interscan_viruswall");

	snprintf(ban, sizeof(ban), "An interscan viruswall is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);
}

static void
mark_ppp_daemon(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "pppd");

	snprintf(ban, sizeof(ban), "A PPP daemon is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

static void
mark_zebra_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "zebra");
	snprintf(ban, sizeof(ban), "zebra/banner/%d", port);
	plug_replace_key(desc, ban, ARG_STRING, buffer);
	snprintf(ban, sizeof(ban), "A zebra daemon (bgpd or zebrad) is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

static void
mark_ircxpro_admin_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "ircxpro_admin");

	snprintf(ban, sizeof(ban), "An IRCXPro administrative server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}


static void
mark_gnocatan_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "gnocatan");

	snprintf(ban, sizeof(ban), "A gnocatan game server is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

/* Thanks to Owell Crow */
static void
mark_pbmaster_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "power-broker-master");

	snprintf(ban, sizeof(ban), "A PowerBroker master server is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);
}

/* Thanks to Paulo Jorge */
static void
mark_dictd_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "dicts");

	snprintf(ban, sizeof(ban), "A dictd server is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);
}


/* Thanks to Tony van Lingen */
static void
mark_pnsclient(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "pNSClient");

	snprintf(ban, sizeof(ban), "A Nagios plugin (pNSClient.exe) is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

/* Thanks to Jesus D. Munoz */
static void
mark_veritas_backup(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];
	register_service(desc, port, "VeritasNetBackup");

	snprintf(ban, sizeof(ban), "VeritasNetBackup is running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}

static void
mark_pblocald_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "power-broker-master");

	snprintf(ban, sizeof(ban), "A PowerBroker locald server is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);
}

void
mark_jabber_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[255];
	register_service(desc, port, "jabber");
	snprintf(ban, sizeof(ban), "jabber daemon seems to be running on this port%s",
		 get_encaps_through(trp));
	post_note(desc, port, ban);
}



static void
mark_avotus_mm_server(desc, port, buffer, trp)
	struct arglist *desc;
	int             port, trp;
	char           *buffer;
{
	char            ban[512];

	register_service(desc, port, "avotus_mm");

	snprintf(ban, sizeof(ban), "An avotus 'mm' server is running on this port%s:\n%s",
		 get_encaps_through(trp), buffer);
	post_note(desc, port, ban);
}

static void
mark_socks_proxy(desc, port, ver)
	struct arglist *desc;
	int             port, ver;
{
	char            str[256];

	snprintf(str, sizeof(str), "socks%d", ver);
	register_service(desc, port, str);
	snprintf(str, sizeof(str), "A SOCKS%d proxy is running on this port. ", ver);
	post_note(desc, port, str);
}

static void
mark_direct_connect_hub(desc, port, trp)
	struct arglist *desc;
	int             port, trp;
{
	char            str[256];

	register_service(desc, port, "DirectConnectHub");
	snprintf(str, sizeof(str), "A Direct Connect Hub is running on this port%s", get_encaps_through(trp));
	post_note(desc, port, str);
}

/*
 * We determine if the 4 bytes we received look like a date. We
 * accept clocks desynched up to 3 years;
 *
 * MA 2002-09-09 : time protocol (RFC 738) returns number of seconds since
 * 1900-01-01, while time() returns nb of sec since 1970-01-01.
 * The difference is 2208988800 seconds.
 * By the way, although the RFC is imprecise, it seems that the returned
 * integer is in "network byte order" (i.e. big endian)
 */
#define MAX_SHIFT	(3*365*86400)
#define DIFF_1970_1900	2208988800U

static int
may_be_time(time_t * rtime)
{
#ifndef ABS
#define ABS(x) (((x) < 0) ? -(x):(x))
#endif
	time_t          now = time(NULL);
	int             rt70 = ntohl(*rtime) - DIFF_1970_1900;

	if (ABS(now - rt70) < MAX_SHIFT)
		return 1;
	else
		return 0;
}

/*
 * References:
 * IANA assigned number
 *
 * http://www.tivoli.com/support/public/Prodman/public_manuals/td/ITAME/GC32-0848-00/en_US/HTML/amwebmst09.htm
 * http://java.sun.com/webservices/docs/1.0/tutorial/doc/WebAppSecurity6.html
 * http://support.dell.com/support/edocs/software/smsom/4.4/en/ug/security.htm
 */

static int
known_ssl_port(int port)
{
	switch (port) {
		case 261:	/* Nsiiops = IIOP name service over tls/ssl */
		case 443:	/* HTTPS */
		case 448:	/* ddm-ssl */
		case 465:	/* SMTPS */
		case 563:	/* NNTPS */
		case 585:	/* imap4-ssl (not recommended) */
		case 614:	/* SSLshell */
		case 636:	/* LDAPS */
		case 684:	/* Corba IIOP SSL */
		case 902:	/* VMWare auth daemon */
		case 989:	/* FTPS data */
		case 990:	/* FTPS control */
		case 992:	/* telnets */
		case 993:	/* IMAPS */
		case 994:	/* IRCS */
		case 995:	/* POP3S */
		case 1241:	/* Nessus */
	        case 1311:	/* Dell OpenManage */
		case 2050:	/* Domino */
		case 2381:	/* Compaq Web Management (HTTPS) */
		case 2478:	/* SecurSight Authentication Server (SSL) */
		case 2479:	/* SecurSight Event Logging Server (SSL) */
		case 2482:	/* Oracle GIOP SSL */
		case 2484:	/* Oracle TTC SSL */
		case 2679:	/* Sync Server SSL */
		case 3077:	/* Orbix 2000 Locator SSL */
		case 3078:	/* Orbix 2000 Locator SSL */
		case 3269:	/* Microsoft Global Catalog w/ LDAP/SSL */
		case 3471:	/* jt400 SSL */
		case 5007:	/* WSM Server SSL */
		case 7002:	/* WebLogic */
		case 7135:	/* IBM Tivoli Access Manager runtime
				 * environment - SSL Server Port */
		case 8443:	/* Tomcat */
		case 9443:	/* Websphere internal secure server */
		case 10000:	/* WebMin+SSL */
		case 19201:	/* SilkPerformer agent (secure connection) */
		return 1;
	default:
		return 0;
	}
	/* NOTREACHED */
}

#ifndef MSG_DONTWAIT
/* From http://www.kegel.com/dkftpbench/nonblocking.html */
static int
setNonblocking(int fd)
{
	int             flags;

	/* If they have O_NONBLOCK, use the Posix way to do it */
#if defined(O_NONBLOCK)
	/*
	 * Fixme: O_NONBLOCK is defined but broken on SunOS 4.1.x and AIX
	 * 3.2.5.
	 */
	if (-1 == (flags = fcntl(fd, F_GETFL, 0)))
		flags = 0;
	return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
#else
	/* Otherwise, use the old way of doing it */
	flags = 1;
	return ioctl(fd, FIONBIO, &flags);
#endif
}
#endif


static int 
plugin_do_run(desc, h, test_ssl)
	struct arglist *desc;
	struct arglist *h;
	int             test_ssl;
{
	char           *head = "Ports/tcp/";
	u_short         unknown[65535];