
New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
1st, I added a NASL_LEVEL constant, currently at 1000. It will be
incremented when we add new features to NASL.
e.g. to avoid nasty errors if a script needs a new function that was
introduced in "level" 2222, it should start with:
if (NASL_LEVEL < 2222) exit(0);

2nd, I added two new categories:
ACT_INIT is just like ACT_SETTINGS but those scripts are run before
ACT_SCANNER scripts.
ACT_KILL_HOST is for scripts that may crash the machine or the IP
stack. ACT_DENIAL should be reserved for scripts that just crash a
service, a userland program, etc.
So the full list of categories is:
ACT_INIT                Run before anything else. Should just set KB items.
ACT_SCANNER             Port scanners & ping.
ACT_SETTINGS            Should just set KB items. Run only if the host is alive.
ACT_GATHER_INFO         Just look for information, e.g. a banner.
ACT_ATTACK              Try some soft attack.
ACT_MIXED_ATTACK        An attack that may have bad consequences, although its goal is not to crash anything.
ACT_DESTRUCTIVE_ATTACK  An attack that really tries to destroy something.
ACT_DENIAL              A denial of service against a userland program.
ACT_KILL_HOST           A denial of service that crashes the machine or makes it unusable in some way (unstable...).

Note that this feature is not compatible with old clients (e.g. enable
all but dangerous plugins will not work)

If you want to add a denial of service and be portable,
you might write:
if (NASL_LEVEL < 1000) script_category(ACT_DENIAL);
else script_category(ACT_KILL_HOST);

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>

> 1st, I added a NASL_LEVEL constant, currently at 1000. It will be
> incremented when we add new features to NASL.
> e.g. to avoid nasty errors if a script needs a new function that was
> introduced in "level" 2222, it should start with:
> if (NASL_LEVEL < 2222) exit(0);
>
> 2nd, I added two new categories:
> ACT_INIT is just like ACT_SETTINGS but those scripts are run before
[...]

It would be nice to add 1 other category:
ACT_END Run after anything else. Plugins to verify that the host, ports...
are still OK.

check_ports.nasl could be added in this category.

Georges

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
"Georges Dagousset" <georges.dagousset@orange.fr> writes:

> It would be nice to add 1 other category:
> ACT_END Run after anything else. Plugins to verify that the host, ports...
> are still OK.

OK, why not.

> check_ports.nasl could be added in this category.

IMHO, no. check_ports was designed to find what was killed by port
scanners and find_service, not by attacks.
Anyway, we could add a second check_ports... The problem is that it is
really slow.

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
On Wed, Nov 06, 2002 at 08:47:03PM +0100, Michel Arboi wrote:
> "Georges Dagousset" <georges.dagousset@orange.fr> writes:
>
> > It would be nice to add 1 other category:
> > ACT_END Run after anything else. Plugins to verify that the host, ports...
> > are still OK.
>
> OK, why not.
>
> > check_ports.nasl could be added in this category.
>
> IMHO, no. check_ports was designed to find what was killed by port
> scanners and find_service, not by attacks.
> Anyway, we could add a second check_ports... The problem is that it is
> really slow.

Then finish your work on NASL2 and it may be faster ;)

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>
To: "Georges Dagousset" <georges.dagousset@orange.fr>
Cc: <nessus-devel@list.nessus.org>
Sent: Wednesday, November 06, 2002 8:47 PM
Subject: Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)

> "Georges Dagousset" <georges.dagousset@orange.fr> writes:
>
> > It would be nice to add 1 other category:
> > ACT_END Run after anything else. Plugins to verify that the host, ports...
> > are still OK.
>
> OK, why not.
>
> > check_ports.nasl could be added in this category.
>
> IMHO, no. check_ports was designed to find what was killed by port
> scanners and find_service, not by attacks.

So, I think that check_ports.nasl should be added in ACT_SCANNER and not in
ACT_GATHER_INFO.

Georges

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
"Georges Dagousset" <georges.dagousset@orange.fr> writes:

> So, I think that check_ports.nasl should be added in ACT_SCANNER and not in
> ACT_GATHER_INFO

We put it in ACT_GATHER_INFO so that it can run after find_service.
The goal was to detect the really fragile (= Broken As Designed)
services that were killed by a simple portscan or by the find_service probe
(i.e. up to three SSL connections + one HTTP/1.0 GET request).

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
"Michel Arboi" <arboi@noos.fr> writes:
> "Georges Dagousset" <georges.dagousset@orange.fr> writes:
>
> > So, I think that check_ports.nasl should be added in ACT_SCANNER and not in
> > ACT_GATHER_INFO
>
> We put it in ACT_GATHER_INFO so that it can run after find_service.
> The goal was to detect the really fragile (= Broken As Designed)
> services that were killed by a simple portscan or by the find_service probe
> (i.e. up to three SSL connections + one HTTP/1.0 GET request).
>

With script_dependencie("find_service.nes"); you are sure that it runs
after find_service.
But if you put this plugin in ACT_SCANNER, you are sure that no attack was
made.

So, I think that ACT_SCANNER is safer if you want to verify the ports just
after find_service.

Georges

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
"Georges Dagousset" <georges.dagousset@orange.fr> writes:

> With the script_dependencie("find_service.nes"); you are sure that it runs
> after find_service.

Well, I don't know how Nessus will solve the problem, "run after
find_service which is an ACT_GATHER_INFO but run all ACT_SCANNER
before any ACT_GATHER_INFO"...

Moreover, if we put it into ACT_SCANNER, it will appear in the scanner
section of the GUI. This may confuse users.

> But if you put this plugin in ACT_SCANNER, you are sure that no
> attack was made.

In fact, we do not want to be sure. Of course, that would be better,
but as this script is really slow, we do not want to stop all the other
tests until this one finishes.
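As an added example (not code from this thread or from the Nessus plugin set), here is a check_ports-style plugin in the spirit of the ACT_END proposal: it re-checks the TCP ports that find_service recorded in the KB and reports those that no longer answer, using the NASL_LEVEL guard from the first post and the ACT_GATHER_INFO + script_dependencie placement Michel describes. It assumes NASL2-style syntax (make_list, foreach) and the "Ports/tcp/<port>" KB key layout; the port list is constructed.

```nasl
# Guard for scanners older than NASL "level" 1000, where NASL_LEVEL is
# undefined (0): stop rather than fail on a missing feature.
if (NASL_LEVEL < 1000) exit(0);

if (description)
{
  script_name(english:"Services still alive after scan (added example)");
  script_description(english:"This example plugin reconnects to the TCP
ports found open earlier in the scan and reports those that no longer
accept connections, i.e. services that a port scan or probe may have
killed.");
  script_summary(english:"Re-checks previously open TCP ports");
  # ACT_GATHER_INFO plus a dependency on find_service is how the thread
  # says check_ports.nasl is placed: it runs after find_service without
  # holding up every other test.
  script_category(ACT_GATHER_INFO);
  script_dependencie("find_service.nes");
  script_family(english:"Misc.");
  script_copyright(english:"Added example, no copyright claimed");
  exit(0);
}

# Constructed list of ports to re-check (assumption); a real plugin
# would enumerate the Ports/tcp/* KB entries instead.
candidates = make_list(21, 22, 25, 80, 110, 143, 443);

dead = "";
foreach port (candidates)
{
  # Only ports find_service recorded as open are worth re-checking.
  if (!get_kb_item("Ports/tcp/" + port)) continue;

  soc = open_sock_tcp(port);
  if (soc) close(soc);
  else dead = dead + port + " ";
}

if (dead != "")
  security_note(port:0, data:"TCP ports that were open earlier in this
scan no longer answer: " + dead + "- the service may have been killed by
the port scan or by the find_service probes.");
```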

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
Michel Arboi wrote:

> "Georges Dagousset" <georges.dagousset@orange.fr> writes:
>
> > It would be nice to add 1 other category:
> > ACT_END Run after anything else. Plugins to verify that the host, ports...
> > are still OK.
> >
>
> OK, why not.
>
I agree completely, this would provide for some "intelligent tests" that
try to determine the host/OS based on the information in the KB. We
don't have that kind of test but I think they would not be difficult to
code. I'm thinking along the lines of a "kind-of" rule-based expert system
such as:

if (open_port(135) and banner_web_contains("IIS")) then host_is(windows)
if (open_port(256) and banner_mail("CheckPoint")) then
host_is("CheckPoint Firewall-1")

This makes more sense to do once the run is finished so that all
information is interpreted properly. It's kind of a guess, of course it
has drawbacks, but it's the kind of thing you have to do manually with
the results anyway...

Regards

Javi

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
Quoting Javier Fernández-Sanguino Peña <jfernandez@germinus.com>:
> if (open_port(135) and banner_web_contains("IIS")) then host_is(windows)
> if (open_port(256) and banner_mail("CheckPoint")) then
> host_is("CheckPoint Firewall-1")

The potential problem here is that, for example, the web server banner has been
changed and you're suddenly executing the wrong set of tests (and at worst,
missing things). There would have to be an "ignore host identification" option
to compensate. However, it could really speed up tests where you know the admin
hasn't done that much modification.

-Sullo

Re: New features in Nessus 1.3.0 (NASL_LEVEL+ACT_xxx)
sullo@cirt.net wrote:

>Quoting Javier Fernández-Sanguino Peña <jfernandez@germinus.com>:
>
>>if (open_port(135) and banner_web_contains("IIS")) then host_is(windows)
>>if (open_port(256) and banner_mail("CheckPoint")) then
>>host_is("CheckPoint Firewall-1")
>>
>
>The potential problem here is that, for example, the web server banner has been
>changed and you're suddenly executing the wrong set of tests (and at worst,
>missing things). There would have to be an "ignore host identification" option
>to compensate. However, it could really speed up tests where you know the admin
>hasn't done that much modification.
>
I'm aware of the problems using banners, there are also issues regarding
port-redirection, NAT, etc. that might taint the view. However, you
misinterpreted me. This would not be a test to run others, it would be a
"do_it_when_all_tests_are_done" and would just try to determine what's
behind a given IP address. No need for an "ignore host" since I'm not
talking about a test that uses this information (at the moment :) and if
there was then this test should not run in the ACT_END phase.

Regards

Javi
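Javi's rule sketch worked into an added NASL plugin (not code from this thread or from Nessus): it combines KB facts into a host-type guess, reports the guess together with its evidence and, following Sullo's caveat, drives no other test. The KB key names "www/banner/80" and "smtp/banner/25", the helper kb_matches and the NASL2-style syntax are assumptions.

```nasl
# Guard for scanners older than NASL "level" 1000 (NASL_LEVEL undefined).
if (NASL_LEVEL < 1000) exit(0);

if (description)
{
  script_name(english:"Host type guess from KB facts (added example)");
  script_description(english:"This example plugin combines facts that
earlier plugins stored in the knowledge base (open ports, banners) into
a guess of what sits behind the IP address. The guess is reported with
its evidence and drives no other test.");
  script_summary(english:"Guesses the host type from KB facts");
  # An ACT_END category would be the natural home; until it exists,
  # ACT_GATHER_INFO with a dependency on find_service is the closest.
  script_category(ACT_GATHER_INFO);
  script_dependencie("find_service.nes");
  script_family(english:"Misc.");
  script_copyright(english:"Added example, no copyright claimed");
  exit(0);
}

# TRUE if the KB item named by key exists and matches the pattern.
# Hypothetical helper; the KB key names used below are assumed.
function kb_matches(key, pattern)
{
  local_var b;
  b = get_kb_item(key);
  if (!b) return 0;
  return egrep(pattern:pattern, string:b);
}

guess = ""; why = "";

if (get_port_state(135) && kb_matches(key:"www/banner/80", pattern:"IIS"))
{
  guess = "Windows"; why = "tcp/135 open and IIS in the HTTP banner";
}
if (get_port_state(256) && kb_matches(key:"smtp/banner/25", pattern:"CheckPoint"))
{
  guess = "CheckPoint Firewall-1"; why = "tcp/256 open and CheckPoint in the SMTP banner";
}

# Report as a guess only: a changed banner, NAT or port redirection can
# make it wrong, so no other plugin should branch on this result.
if (guess != "")
  security_note(port:0, data:"Host type guess: " + guess + " (" + why +
"). Inferred from banners and open ports; it may be wrong.");
```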