Mailing List Archive

improved cgi checks
One of the biggest problems with "standard" CGI scanners is that they only
check a couple directories for each script they are looking for. With the
exception of a couple, none of them will actually try to guess
directories or crawl the web site to find possible locations for the
scripts. Nessus currently only checks the /scripts and /cgi-bin
directories by default, although it does give an option to specify your
own CGI path.

A while back I submitted a plugin which checks for common directories in
the web root; these directory names are stored in the knowledge base but
not presently used.

I mangled Renaud's webmirror.nasl (web crawler that finds CGIs) to also
record the directory paths of the pages it visits as well as look for a
variety of other security problems (FrontPage forms, PHP errors, etc).
The directories found by this plugin are appended to the list stored in
the knowledge base by the directory scanner.

A small change to the nessus-libraries code allows the is_cgi_installed
function to automatically search each discovered directory for the target
CGI script. This should _greatly_ improve the accuracy of the CGI checks
and allow for an entire new class of plugins to be written which look for
common sensitive files in the web root (WS_FTP.LOG, passwd.txt, etc).

The only drawback is that the is_cgi_installed function doesn't have a way
to tell the calling code which directory the CGI was found in, so for now
you would have to hunt through the web root manually to actually locate
the detected CGI.

Every CGI plugin would also need to be modified to add "webmirror.nasl" to
its dependencies for it to work. The script timeout values of
webmirror.nasl and DDI_Directory_Scanner.nasl need to be something
generous as well (600-1200 seconds), since the actual data isn't returned
to the KB until the plugin has finished running. This behavior could be
changed to report it as it goes, but I really don't like the idea of
variable results based on how long it takes to run the plugin.

If you want to play with it, you need to patch the www_funcs.c file in
/nessus-libraries/libnessus, replace the current
DDI_Directory_Scanner.nasl and webmirror.nasl with the attached plugins,
and then modify the CGI scripts to depend on webmirror.nasl (an example
of a modified webgais.nasl is attached).

$ tar -zpxvf nessus-libraries-1.2.6.tar.gz
$ cd nessus-libraries-1.2.6/libnessus
$ patch < /path/to/www_funcs.c.patch
$ cd ../
$ ./configure && make
$ su
# make install
# cp /path/to/DDI_Directory_Scanner.nasl \
     /path/to/webmirror.nasl \
     /path/to/webgais.nasl \
     /where/you/installed/nessus/lib/plugins/

# kill -9 `cat /where/you/installed/nessus/var/nessus/nessusd.pid`
# nessusd -D


Your next scan will check for the "webgais" CGI in every directory it
found via brute forcing and crawling...

This email and all the attached files can be found at:

http://www.digitaloffense.net/index.html?ret=0x080861c8

top link, experimental perl plugin support is also there :)

-HD
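The three pieces the message describes (a directory brute-forcer, a crawler that records the directory of every page it visits, and an is_cgi_installed() that probes each discovered directory) as an added, self-contained model. This is example code, not HD's patch and not any Nessus plugin; the "site" it runs against is a constructed in-memory table, the wordlist is a made-up stand-in for the directory scanner's list, and the function names are only chosen to mirror the post. Unlike the libnessus change the post describes, this version also returns the directory the script was found in, which is the drawback HD points out.

```python
"""
Added example (not HD Moore's code and not part of Nessus): an offline model
of directory scanning + crawling feeding a per-directory CGI check.
"""
import posixpath
import re

# Constructed fake web server: path -> (HTTP status, body). It stands in for
# the target host; /cgi-bin/ exists but the script of interest lives elsewhere.
FAKE_SITE = {
    "/": (200, '<a href="/docs/index.html">docs</a> <a href="app/forms/list.cgi">list</a>'),
    "/docs/index.html": (200, '<a href="old/readme.html">old</a> <a href="../app/forms/list.cgi">up</a>'),
    "/docs/old/readme.html": (200, "plain text, no links"),
    "/app/": (200, "app index"),
    "/app/forms/list.cgi": (200, "form list"),
    "/app/forms/webgais": (200, "webgais banner"),
    "/cgi-bin/": (403, "Forbidden"),
}

# Constructed stand-in for the directory scanner's wordlist.
COMMON_DIRS = ["/cgi-bin/", "/scripts/", "/admin/", "/app/"]

HREF = re.compile(r'href="([^"]+)"')


def fetch(path):
    """Pretend HTTP GET against the constructed site."""
    return FAKE_SITE.get(path, (404, ""))


def parent_dirs(path):
    """Every directory leading to path: '/a/b/c.cgi' -> ['/', '/a/', '/a/b/']."""
    dirs, cur = [], posixpath.dirname(path)
    while True:
        dirs.append(cur if cur.endswith("/") else cur + "/")
        if cur == "/":
            return dirs[::-1]
        cur = posixpath.dirname(cur)


def directory_scan(wordlist=COMMON_DIRS):
    """Role of DDI_Directory_Scanner.nasl: a directory that is not a 404 exists
    (a 403 on the directory itself still tells us it is there)."""
    return {d for d in wordlist if fetch(d)[0] != 404}


def crawl(start="/", limit=50):
    """Role of the modified webmirror.nasl: follow same-site links and record
    the directory of every page visited, not only the CGIs it finds."""
    seen, queue, dirs = set(), [start], set()
    while queue and len(seen) < limit:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path)
        if status != 200:
            continue
        dirs.update(parent_dirs(path))
        for href in HREF.findall(body):
            if "://" in href:  # off-site link, ignore
                continue
            href = href.split("#")[0].split("?")[0]
            target = href if href.startswith("/") else posixpath.join(posixpath.dirname(path), href)
            norm = posixpath.normpath(target)
            if target.endswith("/") and not norm.endswith("/"):
                norm += "/"  # keep directory URLs distinguishable from files
            queue.append(norm)
    return dirs


def discovered_directories():
    """Knowledge-base view: the crawler's directories appended to the scanner's."""
    return sorted(directory_scan() | crawl())


def is_cgi_installed(script, dirs=None):
    """Probe each discovered directory for script. Returns the directory it was
    found in, or None. A real check should also discard hosts that answer 200
    to every request, or every script will look 'installed'."""
    for d in dirs if dirs is not None else discovered_directories():
        if fetch(d + script)[0] == 200:
            return d
    return None


if __name__ == "__main__":
    print("directories:", discovered_directories())
    print("webgais found in:", is_cgi_installed("webgais"))
    print("default dirs only:", is_cgi_installed("webgais", ["/cgi-bin/", "/scripts/"]))
```

Running it shows the point of the post: restricted to the two default directories the check misses webgais entirely, while the merged scanner-plus-crawler list locates it under /app/forms/.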