
Writing a plugin to detect a service on any port
Hello all,

I am fairly new to Nessus plugin development so forgive me if this is
a little elementary.

I need to write a plugin that will detect a proprietary service that
may be listening on any port. I can write the code that I need in
order to check if the service is listening on a given port but I'm not
sure of the best way to write it so that it checks any open port for
that service.

Any help would be greatly appreciated...

SD
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: Writing a plugin to detect a service on any port
On Wed, Jul 19, 2006 at 02:29:57PM -0400, Shawn Duffy wrote:

> I need to write a plugin that will detect a proprietary service that
> may be listening on any port. I can write the code that I need in
> order to check if the service is listening on a given port but I'm not
> sure of the best way to write it so that it checks any open port for
> that service.

For a TCP-based service, I tend to declare a script dependency on
find_service.nes and then do something like:

include("global_settings.inc");

if (thorough_tests)
{
  port = get_kb_item("Services/unknown");
  if (!port) port = 123;
}
else port = 123;
if (!get_tcp_port_state(port)) exit(0);


Essentially, this causes the plugin to iterate over ports with unknown
services if thorough_tests is enabled or the default port (123 in this
case) otherwise. Since get_kb_item() spawns a new instance of the plugin
for each port returned, you don't have to worry about explicitly
iterating over each port.

If the service doesn't have a well-known port, then just do something like:

port = get_kb_item("Services/unknown");
if (!get_tcp_port_state(port)) exit(0);


George
--
theall@tenablesecurity.com
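A complete plugin skeleton built on the pattern George describes, added here as an example; it is not code from this thread or from Tenable's plugin feed. The script id, the default port 12345, the probe string HELLO-EXAMPLE, the expected reply EXAMPLE-OK and the service name are placeholders for the unnamed proprietary protocol. It assumes that global_settings.inc provides debug_level alongside thorough_tests and that misc_func.inc provides register_service(), as in the NASL2 plugin feed of that period.

```nasl
# Added example, not part of the thread. One forked instance of this script
# runs for every port listed under Services/unknown when thorough_tests is
# enabled; otherwise only the assumed default port is probed.

if (description)
{
  script_id(99999);                      # placeholder id, not a real plugin id
  script_version("$Revision: 1.0 $");
  script_name(english:"Example Proprietary Service Detection");
  script_summary(english:"Sends a probe and checks the reply");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");
  script_copyright(english:"example code");
  # find_service.nes must run first so that Services/unknown is populated.
  script_dependencies("find_service.nes");
  script_require_ports("Services/unknown", 12345);
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

default_port = 12345;   # assumed default port of the example service

if (thorough_tests)
{
  # get_kb_item() forks the script: each instance receives one unknown port.
  port = get_kb_item("Services/unknown");
  if (!port) port = default_port;
}
else port = default_port;

if (!get_tcp_port_state(port)) exit(0);

# Debugging aid of the kind George suggests: show which port is being probed.
if (debug_level) display("example-detect: probing port ", port, "\n");

soc = open_sock_tcp(port);
if (!soc) exit(0);

# Constructed probe/reply pair standing in for the proprietary handshake.
req = string("HELLO-EXAMPLE\r\n");
send(socket:soc, data:req);
res = recv(socket:soc, length:512);
close(soc);

if (isnull(res) || strlen(res) == 0) exit(0);

# '><' is NASL's substring operator: true when the left side occurs in the right.
if ("EXAMPLE-OK" >< res)
{
  # Record the identification so that later plugins can key off it.
  register_service(port:port, proto:"example-proprietary");
  security_note(port:port, data:"An example proprietary service appears to be listening on this port.");
}
```

Because the fork happens inside get_kb_item(), the body never loops over ports itself; each instance handles exactly one port, closes its socket, and either registers the service or exits quietly.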
Re: Writing a plugin to detect a service on any port
Thanks! I'll give it a shot.

Shawn
Re: Writing a plugin to detect a service on any port
So I started messing with the tips you gave me from my initial
question and I am still running into difficulty...

Below is a segment of code from the plugin... it should send a string
of data to any "unknown" port and check the response for an indication
that a proprietary service is running. When I look at a pcap of the
exchange, it only appears to be connecting to each port but is not
actually sending the request to any of the ports:

  script_dependencies("find_service.nes");
  script_require_ports("Services/unknown");
  exit(0);   # usual end of the description block
}

include("global_settings.inc");

# Forked once per port that find_service.nes left under Services/unknown.
port = get_kb_item("Services/unknown");
if (!get_tcp_port_state(port))
  exit(0);

open_port = open_sock_tcp(port);
if (!open_port)
  exit(0);

req1 = string("string to send\r\n");

send(socket:open_port, data:req1);
response1 = recv(socket:open_port, length:500);
close(open_port);

Am I missing something obvious?

Thanks again!

Shawn
Re: Writing a plugin to detect a service on any port
On Thu, Jul 27, 2006 at 02:41:39PM -0400, Shawn Duffy wrote:

> So I started messing with the tips you gave me from my initial
> question and I am still running into difficulty...
>
> Below is a segment of code from the plugin... it should send a string
> of data to any "unknown" port and check the response for an indication
> that a proprietary service is running.

The code looks ok. You may want to add some debugging statements, for
example, to show you what ports are being probed.

> When I look at a pcap of the
> exchange, it only appears to be connecting to each port but is not
> actually sending the request to any of the ports:

Are you sure Nessus is marking those ports as unknown services? Grep the
appropriate KB for "Services/unknown="; the values will be port numbers.


George
--
theall@tenablesecurity.com
Re: Writing a plugin to detect a service on any port
I think a good way to do that could be:

i = 0;
while (port = scanner_get_port(i++)) {
  open_port = open_sock_tcp(port);
  if (!open_port)
    continue;   # skip ports we cannot connect to and keep going
  req1 = string("string to send\r\n");

  send(socket:open_port, data:req1);
  response1 = recv(socket:open_port, length:500);
  close(open_port);
}

This tests all the open ports for the current scan.

My 2 cents.

- J