netop.inc

来自「漏洞扫描源码,可以扫描linux,windows,交换机路由器」· INC 代码 · 共 487 行

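#
# This NASL script has been produced as a collaboration between:
#
# - Martin O'Neal of Corsaire (http://www.corsaire.com)
# - Jakob Bohm of Danware (http://www.danware.dk)
#
# The original script produced by Martin O'Neal has been heavily modified
# by Jakob Bohm to provide additional product detail, plus also to limit
# any unnecessary information leakage caused by the scanning process itself.
# Jakob has also rewritten the test set as a whole to use the minimum of
# network traffic and make the process as efficient as possible. All together
# a jolly good show.
#
# DISCLAIMER
# The information contained within this script is supplied "as-is" with
# no warranties or guarantees of fitness of use or otherwise. Neither Corsaire
# or Danware accept any responsibility for any damage caused by the use or misuse
# of this information.
#

include("misc_func.inc");

# Every variable below is shared state: the functions in this file read and
# write them directly instead of taking parameters, so a caller must set
# port, addr, proto_nam and banner_pkt before calling
# netop_check_and_add_banner().

############## Meta-information recorded in the name of the KB entry ################

local_var port;
local_var addr;
local_var proto_nam;

############## HELO packets in NetOps native format ################

local_var helo_pkt_udp;
local_var helo_pkt_gen;
local_var quit_pkt_stream;

############## Received reply in NetOps native format ##################

local_var banner_pkt;

############## General derived strings ##################

local_var netop_kb_key;
local_var netop_kb_val;
local_var netop_svcidstr;
local_var netop_prod_typ;
local_var netop_prod_nam;
local_var netop_prod_dsc;

################### HELO packet for UDP only ##################

# 32 fixed header bytes, then 32 spaces, then 224 NUL bytes.
# The header embeds the ASCII strings "Nessus" and "Corsair", so the probe
# identifies itself as a scanner on the wire.
helo_pkt_udp=
	hex2raw(
		s:'d6818106010000f70e5301044e657373'+
		  '757301436f7273616972ff0100008701') + # 0-31
	crap(length:32 , data: raw_string(0x20))      + # 32-63
	crap(length:224, data: raw_string(0x00));       # 64-288

################### Generic HELO packet ##################

# Same layout as the UDP packet; the bytes that spell "Nessus" there are
# zero here and only "Corsair" remains.
helo_pkt_gen=
	hex2raw(
		s:'d6818106010000f73e4e010400000000'+
		  '000001436f7273616972ff0100008701') + # 0-31
	crap(length:32 , data: raw_string(0x20))      + # 32-63
	crap(length:224, data: raw_string(0x00));       # 64-288

################### QUIT packet for stream transports (tcp etc.)  ##################

# 10 fixed bytes followed by 16 NUL bytes.
quit_pkt_stream=
	hex2raw(
		s:'d681810000f900f9eee3')             + # 0-9
	crap(length:16, data: raw_string(0x00));        # 10-25

################### utility functions ##################

# Return str forced to exactly len bytes: longer input is truncated, shorter
# input is right-padded with NUL bytes. A null str yields len NUL bytes.
function netop_zeropad(str, len)
{
	local_var res;
	res = crap(length: len, data: raw_string(0));
	if (!isnull(str))
	{
		# Append a full pad and cut, which covers both the short and long case.
		res = substr(str + res, 0, len - 1);
	}
	return res;
}

# Same as netop_zeropad() but pads with spaces instead of NUL bytes.
function netop_spacepad(str, len)
{
	local_var res;
	res = crap(length: len, data: ' ');
	if (!isnull(str))
	{
		res = substr(str + res, 0, len - 1);
	}
	return res;
}

# Convert a dotted-quad string to 4 raw bytes.
# Each octet is prepended to the result, so the bytes come out in reverse
# order (last octet first); ip_raw2dot() reads them back the same way.
# NOTE(review): the input is not validated; the loop always reads four
# elements and does not range-check them - confirm callers pass a
# well-formed IPv4 address.
function ip_dot2raw(ip_dot)
{
	# initialise variables
	local_var int32;
	local_var octet;
	ip_dot=split(ip_dot,sep:".",keep:0);
	int32 = '';
	# step through octets
	for(octet=0;octet<4;octet++)
	{
		int32=raw_string(int(ip_dot[octet]),int32);
	}

	return(int32);
}

# Convert 4 raw bytes (in the reversed order produced by ip_dot2raw) back
# to a dotted-quad string. Only bytes 0..3 of int32 are read; anything
# after them is ignored.
function ip_raw2dot(int32)
{
	# initialise variables
	local_var ip_dot;
	ip_dot=int(ord(int32[3]))+"."+int(ord(int32[2]))+"."+int(ord(int32[1]))+"."+int(ord(int32[0]));

	return(ip_dot);
}

################### extract info items from banner ###################

# Collect items from the eight 32-byte slots at offsets 64..319 of
# netop_kb_val and return them as a string of the form "a", "b", ...
# (empty string when nothing matches).
#
#   typ == 0 : slots whose first byte is >= 32, whole slot kept
#   typ != 0 : slots whose first byte equals typ
#       typ  > 2 : remaining 31 bytes of the slot, as is
#       typ == 2 : bytes 1..4 rendered as a dotted IPv4 address
#       typ == 1 : bytes 1..6 rendered as hex
#                  (presumably a MAC address - confirm)
#
# Security note: for typ 0 and typ > 2 the item is copied verbatim from the
# reply of the scanned host. It is untrusted data and is not filtered here,
# so any caller that places the result in report text should sanitise it
# first. Within this file the result is only compared against ''.
function netop_banner_items(typ)
{
	local_var res;
	local_var i;
	local_var v1;
	res = '';
	for (i = 64; i < 320; i += 32)
	{
		v1 = substr(netop_kb_val, i, i + 31);
		# ord(v1) is the first byte of the slot, i.e. its type tag.
		# Parentheses only make the existing precedence explicit.
		if ((typ == 0 && ord(v1) >= 32) ||
		    (typ != 0 && typ == ord(v1)))
		{
			if (typ > 2)
				v1 = substr(v1, 1, 31);
			if (typ == 2)
				v1 = ip_raw2dot(int32: substr(v1, 1, 4));
			if (typ == 1)
				v1 = hexstr(substr(v1, 1, 6));
			if (res != '')
				res += ', ';
			res += '"' + chomp(v1) + '"';
		}
	}
	return res;
}

################### derive product type from banner etc.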
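###################

# Set netop_svcidstr, netop_prod_typ, netop_prod_nam and netop_prod_dsc
# from the stored banner in netop_kb_val.
#
# netop_kb_val is the 32-byte KB key followed by the reply packet (see
# netop_check_and_add_banner), so offsets 62 and 63 are bytes 30 and 31 of
# the reply and are tested here as flag bits. The typed items come from
# netop_banner_items(). The first matching branch wins, so the order of the
# chain is significant.
#
# When neither flags nor items identify the product (for example a short
# reply whose bytes were zero-padded), the result is guessed from the port
# alone: 1971 is reported as NetOp School, anything else as Remote Control.
# Those two guesses carry a '?' in netop_prod_typ.
#
# All description text is fixed; no bytes from the remote reply are copied
# into netop_prod_nam or netop_prod_dsc.
# NOTE(review): 'seperate' and 'subject of cause' below are typos in the
# report text; they are left as is because the strings are runtime output.
function netop_product_ident()
{
	local_var school_phrase1;
	local_var school_stud_dsc;
	local_var rc_also_host;
	local_var rc_host_dsc;

	school_phrase1 =
		'During the session, the Teacher' +
		' has extensive control over the users computer,' +
		' with very few restrictions, as is appropriate' +
		' when the teacher can be assumed to be a higher' +
		' authority than the student.';

	school_stud_dsc =
		'NetOp School Student (client) allows its user to' +
		' participate in live online education or training' +
		' sessions broadcast from a computer running NetOp' +
		' School Teacher.\n\n' +
		school_phrase1;

	rc_also_host =
		' is also a fully' +
		' featured NetOp Remote Control Host, which allows' +
		' its computer to be remotely controlled and/or' +
		' managed from any NetOp Remote Control Guest' +
		' subject to a seperate set of configurable' +
		' security restrictions.';

	rc_host_dsc =
		'NetOp Remote Control Host is a service / agent,' +
		' which allows the computer on which it is running' +
		' to be remotely controlled and/or managed from any' +
		' NetOp Remote Control Guest program, subject to a' +
		' wide selection of configurable security and' +
		' authentication restrictions.';

	if (     (ord(netop_kb_val[63]) & 0x08) != 0  ||
	         netop_banner_items(typ:17)     != '' )
	{
		netop_svcidstr = 'netop-sch';
		netop_prod_typ = 'SSTD';
		netop_prod_nam = 'NetOp School Student';
		netop_prod_dsc = school_stud_dsc;
	}
	else if ((ord(netop_kb_val[63]) & 0x10) != 0  ||
	         netop_banner_items(typ:8)      != '' )
	{
		netop_svcidstr = 'netop-teacher';
		netop_prod_typ = 'STCH';
		netop_prod_nam = 'NetOp School Teacher';
		netop_prod_dsc =
			'NetOp School Teacher (console) allows its user to' +
			' conduct live online education or training' +
			' sessions broadcast to computers running NetOp' +
			' School Student.\n\n' +
			school_phrase1;
	}
	else if ((ord(netop_kb_val[63]) & 0x04) != 0  ||
	         netop_banner_items(typ:6)      != '' ||
	         netop_banner_items(typ:7)      != '' )
	{
		netop_svcidstr = 'netop-guest';
		netop_prod_typ = 'RGST';
		netop_prod_nam = 'NetOp Remote Control Guest';
		netop_prod_dsc =
			'NetOp Remote Control Guest (client) allows its' +
			' user to remotely control and/or manage any' +
			' computer running NetOp Remote Control Host' +
			' modules on a variety of operating systems,' +
			' subject of cause to the security restrictions' +
			' configured on that Host.';
	}
	else if ((ord(netop_kb_val[62]) & 0x01) != 0)
	{
		netop_svcidstr = 'netop-rc';
		netop_prod_typ = 'RGWS';
		netop_prod_nam = 'NetOp Remote Control Gateway';
		netop_prod_dsc =
			'NetOp Remote Control Gateway is an application' +
			' layer proxy allowing programs from the NetOp' +
			' Remote Control and NetOp School families to' +
			' communicate across proxy-style firewalls,' +
			' disjoint networks, dissimilar network protocols' +
			' (e.g. modems, shared memory, TCP and UDP) etc.' +
			' subject to configurable access restrictions.' +
			'\n\n' +
			netop_prod_nam + rc_also_host;
	}
	else if ((ord(netop_kb_val[62]) & 0x08) != 0)
	{
		netop_svcidstr = 'netop-rc';
		netop_prod_typ = 'RNMS';
		netop_prod_nam = 'NetOp Remote Control Name Server';
		netop_prod_dsc =
			'NetOp Name Server is a dynamic' +
			' naming service allowing programs from the NetOp' +
			' Remote Control and NetOp School families to' +
			' locate each other even when general facilities' +
			' such as dynamic DNS are not available to all' +
			' participating computers, or when ports etc. need' +
			' to be included in the naming information' +
			' published.\n\n' +
			netop_prod_nam + rc_also_host;
	}
	else if (netop_banner_items(typ:5)      != '' ||
		 netop_banner_items(typ:14)     != '' )
	{
		netop_svcidstr = 'netop-rc';
		netop_prod_typ = 'RSES';
		netop_prod_nam = 'NetOp Remote Control Security Server';
		netop_prod_dsc =
			'NetOp Remote Control Security Server is a central' +
			' authentication and authorization server allowing' +
			' centralized login validation, permission' +
			' management and security event logging for' +
			' programs from the NetOp Remote Control family.' +
			'\n\n' +
			netop_prod_nam + rc_also_host;
	}
	else if ((ord(netop_kb_val[63]) & 0x02) != 0)
	{
		netop_svcidstr = 'netop-rc';
		netop_prod_typ = 'RHST';
		netop_prod_nam = 'NetOp Remote Control Host';
		netop_prod_dsc = rc_host_dsc;
	}
	else if (port == 1971)
	{
		# Nothing in the reply identified the product: guess from the port.
		netop_svcidstr = 'netop-sch';
		netop_prod_typ = 'SCH?';
		netop_prod_nam = 'NetOp School Student or Teacher';
		netop_prod_dsc = school_stud_dsc;
	}
	else
	{
		netop_svcidstr = 'netop-rc';
		netop_prod_typ = 'NRC?';
		netop_prod_nam = 'NetOp Remote Control Host or Guest';
		netop_prod_dsc = rc_host_dsc;
	}

	netop_prod_dsc += '\n\nSee http://www.netop.com for more info.\n';
}

################ Log that a NetOp program has been detected ################

# Build the report text for the product identified by netop_product_ident()
# and file it against proto_nam/port. The remediation paragraph and the
# stated risk factor depend on netop_prod_typ; the final else branch covers
# the remaining types (RGWS, RNMS, RSES).
#
# NOTE(review): info_only is set for the Guest, Teacher and Student types
# but is never read. Every finding, including the ones marked info-only,
# is filed through security_warning(). If the intent was to file those at a
# lower severity, that branch is missing - confirm before relying on the
# severity of these findings.
function netop_log_detected()
{
	local_var msg;
	local_var info_only;
	info_only = 0;
	msg = '\nDanware ' + netop_prod_nam +
		' is listening on this port\n\n' +
		netop_prod_dsc +
		'\nSolution:  ';
	if (netop_prod_typ == 'RGST')
	{
		info_only = 1;
		msg += 'Make sure the user of this machine is' +
			' authorized to remotely manage other computers' +
			' or has been permitted to use this computer as' +
			' a terminal to access other computers.\n\n' +
			'Risk factor: Low\n';
	}
	else if (netop_prod_typ == 'STCH')
	{
		info_only = 1;
		msg += 'Make sure the user of this machine is a teacher' +
			' or is acting as a group leader for some' +
			' teamwork\n\n' +
			'Risk factor: Low\n';
	}
	else if (netop_prod_typ == 'SSTD' || netop_prod_typ == 'SCH?')
	{
		info_only = 1;
		msg += 'Make sure the user of this machine is currently' +
			' participating in online training using NetOp' +
			' School, and that a teacher password has been' +
			' set on the Student.\n\n' +
			'Outside dedicated teaching environments, NetOp' +
			' School should not be running when the user is' +
			' not actively participating in a class\n\n' +
			'Risk factor: Medium\n';
	}
	else if (netop_prod_typ == 'RHST' || netop_prod_typ == 'NRC?')
	{
		msg += 'If this program is required, make sure' +
			' appropriate security settings are used (on the' +
			' Options menu), including strong passwords on' +
			' permitted accounts and an effective action on' +
			' too many bad password attempts\n\n' +
			'If this program is unused, disable load at' +
			' system startup from the programs option menu or' +
			' uninstall the software.\n\n' +
			'Risk factor: Low\n';
	}
	else
	{
		msg += 'If this service is running deliberately, make' +
			' sure it is configured with strong security' +
			' settings on the options menu, including strong' +
			' passwords on any enabled accounts and an' +
			' effective action on too many failed logins\n\n' +
			'If this service is not supposed to be running,' +
			' uninstall it and investigate why and how it was' +
			' installed.\n\n' +
			'Risk factor: Medium\n';
	}

	security_warning(proto:proto_nam, port:port, data:msg);

}

################ Extract information from KB value and key ################

# Normalise netop_kb_val to 320 bytes and derive netop_kb_key, proto_nam,
# port and addr from it, then identify the product.
#
# Key layout (32 bytes, as built by netop_check_and_add_banner):
#   0..7   protocol name, space padded
#   8..9   port, low byte first
#   16..19 address bytes in the order ip_raw2dot() expects
function netop_kb_derive()
{
	netop_kb_val = netop_zeropad(str: netop_kb_val, len: 320);
	# Take the key from the value only when the value starts with a
	# printable, non-space byte; otherwise keep whatever key is already set.
	if (ord(netop_kb_val[0]) >  32 )
	{
		netop_kb_key = substr(netop_kb_val, 0, 31);
	}
	netop_kb_key = netop_zeropad(str: netop_kb_key, len: 32);
	# insstr() returns the modified copy instead of editing its argument, so
	# the result has to be assigned; the original call discarded it.
	netop_kb_val = insstr(netop_kb_val, netop_kb_key, 0, 31);
	proto_nam = chomp(substr(netop_kb_key, 0, 7));
	port      = ord(netop_kb_key[9]) * 256 + ord(netop_kb_key[8]);
	addr      = ip_raw2dot(int32: substr(netop_kb_key, 16, 31));

	netop_product_ident();
}

########### Check if any NetOp programs found and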
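# fork for each ###########

# Load a stored banner from the KB entry 'NetOp/allbanners' and derive the
# shared variables from it. Returns 1 when a banner was found, 0 otherwise.
# Per the section heading, the script is expected to fork once per stored
# banner when several exist.
function netop_each_found()
{
	netop_kb_val = get_kb_item('NetOp/allbanners');
	if (isnull(netop_kb_val))
	{
		return 0;
	}
	else
	{
		# The KB holds the banner hex-encoded (see the hexstr() calls in
		# netop_check_and_add_banner).
		netop_kb_val = hex2raw(s:netop_kb_val);
		netop_kb_derive();
		return 1;
	}
}

######### validate banner to see if it is from NetOp, then add to KB ########

# Check whether banner_pkt looks like a NetOp reply and, if so, record it.
#
# Inputs (shared variables): proto_nam, port, addr, banner_pkt.
# On a match: fills netop_kb_key/netop_kb_val, identifies the product,
# writes the KB entries and files the finding via netop_log_detected().
# On no match: netop_kb_val is reset to 320 NUL bytes and nothing is logged.
#
# banner_pkt is data received from the scanned host and is untrusted. The
# checks below bound every index that is read (length > 23 before bytes
# 0..7, length >= 32 before bytes 11..17), and the stored value is forced
# to a fixed 320 bytes, so an oversized reply cannot grow the KB entry.
function netop_check_and_add_banner()
{
	local_var blen;
	local_var s1;
	local_var s2;
	# Key: 8 bytes protocol name, 8 bytes port (low byte first, zero
	# padded), 16 bytes address (zero padded).
	netop_kb_key = netop_spacepad(str: proto_nam, len: 8)
	             + netop_zeropad( str:
	                  raw_string((port & 255), ((port & 65280) >> 8)),
	                  len: 8)
	             + netop_zeropad( str: ip_dot2raw(ip_dot:addr), len: 16);
	# check response contains correct contents
	if (isnull(banner_pkt))
	{
		banner_pkt = '';
	}
	blen = strlen(banner_pkt);
	# Accepted replies start with 0xd6, have equal bytes 1 and 2, and are
	# either type 0xf8 carrying 'Corsair' at offset 11 (presumably the name
	# sent in the HELO packet, echoed back - confirm), or type 0xf9 with
	# byte 5 also 0xf9.
	if(blen > 23                    &&
	   ord(banner_pkt[0])==0xd6     &&
	   banner_pkt[1]==banner_pkt[2] &&
	   ((ord(banner_pkt[7])==0xf8 &&
	     blen >= 32 &&
	     substr(banner_pkt, 11, 17) == 'Corsair') ||
	    (ord(banner_pkt[7])==0xf9 && ord(banner_pkt[5])==0xf9)))
	{
		# A 0xf9 reply is cut to its first 27 bytes before storage.
		if (ord(banner_pkt[7])==0xf9 && blen > 27)
		{
			banner_pkt = substr(banner_pkt, 0, 26);
		}

		# Force packet size before adding to knowledge base
		netop_kb_val =
		   netop_zeropad(str: (netop_kb_key + banner_pkt), len: 320);
		netop_kb_derive();
		# update knowledge base
		s2 = 'NetOp/' + hexstr(netop_kb_key) + '/banner';
		set_kb_item(name:s2, value:hexstr(netop_kb_val));
		set_kb_item(
			name:'NetOp/allbanners',
			value:hexstr(netop_kb_val));

		# TCP services are stored without a protocol prefix.
		s1 = proto_nam + '/';
		if (s1 == 'tcp/') s1 ='';

		s2 = 'Known/' + proto_nam + '/' + port;
		set_kb_item(name:s2, value:netop_svcidstr);
		s2 = 'Services/' + s1 + netop_svcidstr;
		set_kb_item(name:s2, value:port);
		s2 = 'Services/' + s1 + 'netop-any';
		set_kb_item(name:s2, value:port);
		netop_log_detected();
	}
	else
	{
		netop_kb_val = crap(length: 320, data: raw_string(0x00));
	}
}

################### end of netop.inc ##################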
