rip_poison.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

# This plugin was written from scratch by Michel Arboi <arboi@alussinan.org>
# with help from Pavel Kankovsky.
#
# It is released under the GNU Public Licence (GPLv2)
#
# References:
# RFC 1058	Routing Information Protocol
# RFC 2453	RIP Version 2
#
# Notes:
# routed from OpenBSD or Linux rejects routes that are not sent by a neighbour
# 

if(description)
{
  script_id(11829);
  script_version ("$Revision: 38 $");

  name["english"] = "RIP poisoning";
  script_name(english:name["english"]);
 
  desc["english"] = "
It was possible to poison the remote host routing tables through
the RIP protocol.
An attacker may use this to hijack network connections.

Solution : use RIP-2 and implement authentication, 
	or use another routing protocol,
	or disable the RIP listener if you don't need it.

Risk factor : Low";

  script_description(english:desc["english"]);
 
  summary["english"] = "Poison routing tables through RIP";
  script_summary(english:summary["english"]);
# This plugin is not supposed to be dabgerous but it was released as 
# ACT_DESTRUCTIVE_ATTACK because we could not be 100% sure that there 
# were no really broken RIP implementation somewhere in the cyberspace. 
# Looks OK now.
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi");
  family["english"] = "Misc.";
  family["francais"] = "Divers";
  script_family(english:family["english"], francais:family["francais"]);
  script_dependencie("rip_detect.nasl");
  script_require_keys("Services/udp/rip");
  exit(0);
}

##include("dump.inc");

port = get_kb_item("Services/udp/rip");
if (! port) port = 520;

#if (! get_udp_port_state(port)) exit(0); # Not very efficient with UDP!

a1 = 192; a2 = 0; a3 = 34; a4 =  166;	# example.com

function check_example_com()
{
  local_var	r, l, ver, i, soc, broken; 
  
  broken = get_kb_item("/rip/" + port + "/broken_source_port");
  if (broken)
    soc = open_priv_sock_udp(dport:port, sport:port);
  else
    soc = open_sock_udp(port);
  if (!soc) return(0);

  # Special request - See