Mailing List Archive

Patch to detect TCP wrapped services
Hello list,

This is a patch to detect TCP wrapped. They are not put in
Services/unknown so that we don't lose time on them.
(Note: the "new key set" defined by register_service is not used yet.
Ignore this)

Current problems with this feature:
- slows down find_service (should be parallel)
- May declare as "wrapped" services that just close the connection if
no command is sent quickly (a dirty hack is supposed to avoid this,
but I am not sure it works in all cases)

There are probably other bugs or design faults.

Any comments, test results?

The algorithm to detect the wrapped port looks like this:
find_service sends "GET / HTTP/1.0". If it gets no answer and the
service does not run on top of SSL, then the connection is opened
again, and we wait for "wrap_timeout". If the connection does not
close before the end of the timeout, we try to send one byte. If we
get EPIPE, the connection was broken in fact.
If the connection was broken (timeout or EPIPE) in not too much time
(see code :) then we consider the service as wrapped.
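
The second-stage check described in the message above, as an added example in Python; it is not the patch posted to the list and not Nessus code. The names `probe_wrapped` and `fake_service`, the return labels, both delay values (the message leaves the cutoff to the code) and the local listeners are assumptions made for the illustration.

```python
import select
import socket
import threading
import time

def probe_wrapped(host, port, wrap_timeout=2.0, max_close_delay=3.0):
    """Re-open the port after the HTTP probe got no answer (non-SSL case).
    Returns 'wrapped', 'banner' or 'open-silent'. Both delays are assumed."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=wrap_timeout) as s:
        # Wait up to wrap_timeout for the peer to close (or to speak).
        readable, _, _ = select.select([s], [], [], wrap_timeout)
        broken = False
        if readable:
            try:
                data = s.recv(1)
            except ConnectionError:
                data = b""            # a reset counts as a close
            if data:
                return "banner"       # service talks first: not wrapped
            broken = True             # EOF or reset during the wait
        else:
            try:
                s.send(b"\n")         # one byte; EPIPE means already dead
            except ConnectionError:
                broken = True
        elapsed = time.monotonic() - start
    # A late close is more likely an idle timeout than a wrapper.
    return "wrapped" if broken and elapsed <= max_close_delay else "open-silent"

def fake_service(behaviour):
    """Constructed local listener for the demo: 'drop' closes right after
    accept (as a wrapper denying the client would), 'silent' holds the socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        held = []                     # keep 'silent' connections open
        while True:
            conn, _ = srv.accept()
            if behaviour == "drop":
                conn.close()
            else:
                held.append(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]       # port chosen by the kernel

if __name__ == "__main__":
    for kind in ("drop", "silent"):
        print(kind, "->", probe_wrapped("127.0.0.1", fake_service(kind)))
```

A service whose idle timeout is shorter than `max_close_delay` is still reported as wrapped here, which is the false positive the message lists under current problems.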
Re: Patch to detect TCP wrapped services
On Saturday 24 August 2002 10:53, Michel Arboi wrote:
> Hello list,
>
> This is a patch to detect TCP wrapped. They are not put in
> Services/unknown so that we don't lose time on them.
> (Note: the "new key set" defined by register_service is not used yet.
> Ignore this)

With so many long-running plugins becoming part of Nessus, maybe the
default Plugin timeout value should be increased? The directory scanner
plugins usually take a long time to run, as do the webmirror and
torturecgis scripts.
Re: Patch to detect TCP wrapped services
H D Moore <hdm@digitaloffense.net> writes:

> With so many long-running plugins becoming part of Nessus, maybe the
> default Plugin timeout value should be increased? The directory scanner
> plugins usually take a long time to run, as do the webmirror and
> torturecgis scripts.

We can always increase the timeout for those specific plugins, can't
we?