
TABLE OF CONTENTS

SUMMARY OF THE TOPIC .......... 6
INTRODUCTION .......... 7
CHAPTER 1. OVERVIEW OF NESSUS .......... 8
1.1 ORIGIN AND DEVELOPMENT OF NESSUS .......... 8
1.2 COMPONENTS OF NESSUS .......... 8
1.2.1 Nessus architecture in the Client-Server model .......... 8
1.2.2 The Nessus Knowledge Base model .......... 9
1.2.3 The Nessus Plugin model .......... 10
CHAPTER 2. THE NASL LANGUAGE .......... 11
2.1 OVERVIEW OF THE NASL LANGUAGE .......... 11
2.1.1 History of the NASL language .......... 11
2.1.2 Differences between NASL1 and NASL2 .......... 13
2.1.3 NASL2, an interpreted, C-like language .......... 14
2.2 STRUCTURE OF THE NASL2 LANGUAGE .......... 15
2.2.1 Basic rules for writing programs .......... 15
2.2.2 Syntax .......... 15
2.2.3 Data types .......... 20
2.2.4 Operators .......... 20
2.2.4.1 General operators .......... 20
2.2.4.2 Arithmetic operators .......... 21
2.2.4.3 C-like operators .......... 21
2.2.4.4 String operators .......... 21
2.2.4.5 Comparison operators .......... 22
2.2.4.6 Logical operators .......... 22
2.2.4.7 Bit operators .......... 22
2.2.4.8 Special cases .......... 23

Study of Building Plugins for Nessus Using NASL

Page 1

2.2.5 Operator precedence .......... 23
2.2.6 Loops and control statements .......... 24
2.2.7 Declaring variables and functions .......... 25
2.2.7.1 Declaring variables .......... 25
2.2.7.2 Declaring functions .......... 25
2.2.7.3 Getting the arguments of a function .......... 25
2.2.7.4 Calling functions .......... 26
2.3 THE NASL2 LIBRARY .......... 27
2.3.1 Predefined constants .......... 27
2.3.2 Built-in functions .......... 29
2.3.2.1 Basic functions (Knowledge base functions) .......... 29
2.3.2.2 Reporting functions .......... 30
2.3.2.3 Description functions .......... 31
2.3.2.4 Glue functions .......... 33
2.3.2.5 Network functions .......... 34
2.3.2.6 String functions .......... 37
2.3.2.7 HTTP functions .......... 40
2.3.2.8 Raw IP functions .......... 41
2.3.2.9 Cryptographic functions .......... 44
2.3.2.10 Unsafe functions .......... 44
2.3.3 NASL library files .......... 45
2.3.3.1 dump.inc .......... 47
2.3.3.2 ftp_func.inc .......... 47
2.3.3.3 http_func.inc .......... 47
2.3.3.4 http_keepalive.inc .......... 48
2.3.3.5 nfs_func.inc .......... 49
2.3.3.6 smb_nt.inc .......... 49
2.3.3.7 smtp_func.inc .......... 51
2.3.3.8 Other library functions .......... 51
2.4 BUILDING A PLUGIN FOR NESSUS .......... 53
2.4.1 Interpreting a self-written script .......... 53
2.4.2 Testing the script .......... 54


CONCLUSION .......... 56
REFERENCES .......... 57
APPENDIX .......... 58


LIST OF TABLES
Table 2.1 Operator precedence. .......... 23
Table 2.2 Some Nessus library functions. .......... 51


LIST OF FIGURES
Figure 1.1 Nessus architecture in the Client-Server model. .......... 9
Figure 1.2 Operating model of a Nessus Plugin. .......... 10
Figure 2.1 FTP host address of kmasecurity.net .......... 55
Figure 2.2 Banner returned by the FTP host kmasecurity.net .......... 55


SUMMARY OF THE TOPIC
The topic carries out two main tasks:
- Study how Nessus works: how to install and run Nessus.
- Study the basic components of Nessus: the Nessus Engine, Nessus Plugins and the Nessus Knowledge Base.
- Study the NASL scripting language of Nessus: the structure of the language, the basic NASL functions, the definition files (.inc), the script files (.nasl), and how to write and execute a nasl script.
- Move on to building a new plugin of our own that scans for a vulnerability.


INTRODUCTION
When securing the network of a company or organization, using powerful tools to check for or detect security flaws, so as to raise the safety of the system and of the whole network, is very important. Nessus and GFI LanGuard are two of the leading network vulnerability scanners today. But GFI LanGuard is commercial software, whereas Nessus is completely free for individual users, with a very rich database of possible vulnerabilities for both Windows and Linux systems that is updated regularly. According to the statistics of sectools.org, Nessus was the most popular vulnerability scanner in 2000, 2003 and 2006. Tenable estimates that it is used widely by more than 75,000 organizations around the world.

Finding security vulnerabilities plays a very important role for system administrators, security specialists and so on, in order to find measures that strengthen the security of a system, and also for those who really intend to attack. However, finding new vulnerabilities is relatively hard: partly because, some time after old vulnerabilities are published, vendors find a way to patch them, and partly because those who find new vulnerabilities do not want to disclose them widely.

Nessus scans for vulnerabilities using two main components, the Nessus Engine and the Nessus Plugins. The Nessus Engine acts as an interpreter that executes the statements of the Nessus Plugins. The tool for building plugins is the NASL scripting language (Nessus Attack Scripting Language).

The report is divided into two parts:
Chapter 1: The components of Nessus, and how to install and use it.
Chapter 2: The NASL language, leading up to building a plugin for Nessus ourselves.
Because the study time was short and our knowledge is still limited, the group will not go deeply into some topics, such as the Nessus Engine.


CHAPTER 1.

OVERVIEW OF NESSUS

1.1 ORIGIN AND DEVELOPMENT OF NESSUS
Initially, Nessus was an open-source project, the Nessus Project, proposed by Renaud Deraison in 1998, with the source code of every component published openly (Nessus 2 and earlier). From October 2005, Tenable Network Security, a company co-founded by Renaud Deraison, released Nessus 3 as closed source. In August 2008 Tenable released a version that allows individual users to use the full set of plugins. In April 2009 the company released Nessus 4.0.0, and in February 2012 Nessus 5.0. Nessus runs on many operating system platforms, including UNIX, Linux, Mac OS X and Windows. The current version, Nessus 5.0, runs through a web interface, so it can easily be accessed and used on any operating system.

1.2 COMPONENTS OF NESSUS
Nessus has the following main components:
- Nessus Engine: receives, executes and answers the user's scan requests. The vulnerability scan is performed according to the instructions of the plugins (sets of script statements in the NASL scripting language).
- Nessus Plugin: the file system of the NASL scripting language, consisting of .inc definition files and .nasl script files.
- Nessus Server (nessusd): receives the user's scan requests, then analyses and aggregates them and returns the results to the Nessus client.
- Nessus Client: displays the scan results to the user through a web browser.
- Nessus Knowledge Base: the knowledge database of Nessus, which lets later plugins reuse the result data of earlier plugins. This makes Nessus easy to extend and speeds up execution.

1.2.1 Nessus architecture in the Client-Server model
Initially, the Server gathers all currently known security flaws. When a Client machine asks to be checked for whether those flaws exist on it,


it must first be checked whether it can connect to the server; once the connection is verified, it is scanned according to the levels requested for the scan. This model relies on the results obtained after the Client requests a check, and on the flaws that were identified, to propose solutions as quickly as possible.

[Figure 1.1: Clients (the user and the device requesting a check) connect across the Internet and a firewall to the Nessus Server and its Database.]

Figure 1.1 Nessus architecture in the Client-Server model.

1.2.2 The Nessus Knowledge Base model
What is the Nessus Knowledge Base model?
- The model is fairly simple: it collects the list of the other security flaws that are being tested. It allows information about the system under test to be added to or shared.
How the Nessus Knowledge Base works: suppose we run a security scan against the server at5akma.com, the check completes and no security flaw is found on it. At that point a Nessus Knowledge Base is created for this host (/usr/local/var/nessus/users/mh/kbs/at5a.com) showing about 1800 entries; note that the Nessus Knowledge Base also has only about 1725 entries that are trusted. These parameters are used in later investigations to ensure that the newest security flaws are continuously updated.


1.2.3 The Nessus Plugin model
What is a Nessus Plugin?
- It is a program used to check the security of a remote web site, a local computer, or information-protection devices, etc.
How a Nessus Plugin works: the operating model of a Nessus Plugin is fairly simple; we can scan from the graphical interface or from the command line, using the plugins available after installation to check security.

[Figure 1.2: a request is passed to the Nessus Plugin, which checks a web page over the network by sending a request to the Web Server and receiving its result; the result is then returned to the requester.]

Figure 1.2 Operating model of a Nessus Plugin.


CHAPTER 2.

THE NASL LANGUAGE

2.1 OVERVIEW OF THE NASL LANGUAGE
2.1.1 History of the NASL language
In 1998, the first version of Nessus was released with the ability to check for about 50 security flaws; these checks were also known as plugins. The plugins were implemented as shared libraries written in the C programming language, with the extension .nes. The purpose of this approach was to separate the module doing the scanning (the scanning engine) from the modules that direct and instruct the scan. This gives Nessus a modular architecture that is easy to extend. At the time, using shared libraries to write the plugins made a lot of sense, as it allowed plugins to be created quickly from existing C programs. The author wrote a small script called "plugin-factory" to compile the plugins written in C into shared libraries (.nes). The idea was that when users wanted to update the plugins, they would download the newest C plugins from the web, then compile and install them. This process carried many security risks, so the idea was not developed further.

After looking at the existing scripting languages, Perl was probably the best language for writing Nessus plugins; however, at that time Perl had some limitations:
- It used a lot of memory.
- It did not support sending and receiving raw packets well.
- There was no reliable way to run the checks inside a basic virtual machine.
The last point is the most important. From a high-level point of view every scan is the same: it connects to some port on the remote host, performs some actions, then deduces whether the remote host is vulnerable according to some given rules. The best approach is to tune all scanning actions centrally, by handing them to the virtual machine, rather than tuning each one separately. For example, when we add SSL support to Nessus, we do not have to modify every plugin; we only need to change the socket function that performs the connection. Another concern with using Perl as the plugin language is that additional functions only exist


through external modules. Those modules in turn require their own packages and system library functions.

The author decided to write a new scripting language called NASL, dedicated to Nessus (Nessus Attack Scripting Language), with the following goals:
- Each script is contained in one file.
- Easy to install for end users.
- Easy to learn for distributors and developers.
- Uses little memory.
- Designed specifically for network security scanning.
- High security.
- Easy to modify and extend.
- Multilingual support.
The result was the NASL1 language, which had some rough edges: it was very slow and too lax about syntax errors, but overall it did its job well. More than 1000 security checks were written in NASL1. Initially speed was not the main concern, because setting up a TCP connection always took longer than the time the NASL interpreter needed to parse and process the plugin code. However, as the number of plugins grew and users started using Nessus to scan more hosts, NASL1 really became too slow for these tasks. The original source code was hard to extend, so the simple decision was to rewrite NASL. In 2001, the libnasl library was rewritten by Michel Arboi to extend the language and fix the shortcomings of NASL1. This rewritten library, called NASL2, became the largest component of Nessus 2.0. Since version 3.0, the NASL2 language has been integrated into the engine.

The advantages of NASL2:
- Scripts are self-contained: each NASL script holds both the code that checks the rules and the instructions for its own plugin. Script files simply have the extension .nasl.


- Easy to install for end users: NASL is packaged on its own and can be configured to use the OpenSSL library. Users can use the GCC compiler and GNU Bison (bison) to build and install the NASL interpreter easily.
- Easy to learn for distributors and developers: NASL looks very much like C, with a few features of Perl. If we have programmed in those languages, learning NASL is fairly easy. The biggest difference between NASL and C is that it has no pointers and no memory management.
- Uses little memory: typically Nessus needs only a few hundred KB of memory, and it can load many plugins at the same time.
- Designed specifically for network security testing: NASL is designed to set up connections, send and receive data, and process the results. It has a large number of library functions implementing high-level protocols, for example SMB, NFS, RPC, SMTP, HTTP, etc. All of these libraries are written in NASL.
- High security: NASL cannot access the local file system, execute system commands, or connect to a third-party host (it can only connect to the host being tested). Having no pointers or memory management helps it avoid bugs such as buffer overflows. This makes NASL a very safe language and reduces the time needed to design new plugins.
- Easy to modify and extend: the language of the NASL interpreter is very clean, so adding new operators and functions is easy, and it stays backward compatible with the old libraries.
- Multilingual support: NASL supports multiple languages, but limited to those that can be encoded with the ASCII character set. Many languages, such as Japanese, cannot be represented with extended ASCII.

2.1.2 Differences between NASL1 and NASL2
- NASL2 uses a Bison parser; it is stricter and can handle complex expressions.
- NASL2 has many more built-in functions (although most of them can be back-ported to NASL1).


- NASL2 has more built-in operators.
- NASL2 is faster (about 16 times).
- Most NASL2 scripts cannot run under NASL1.
- A few NASL1 scripts cannot run under NASL2 (but fixing them is fairly easy).
- NASL2 has array-handling functions.

2.1.3 NASL2, an interpreted, C-like language
Being interpreted is common to all scripting languages. But NASL2 has a big advantage for those who want to learn it: its syntax is close to the C programming language (from variable declarations to operators, loops, etc.). It does not have the complicated parts of C (pointer variables, memory management), which makes the grammar of NASL2 simpler and easier to understand. As an example, here are the contents of the script file test-yahoo.nasl:
    #
    # This script was written by Noam Rathaus <noamr@securiteam.com>
    #
    if (description)
    {
      script_id(10326);
      script_version("$Revision: 1.12 $");
      script_cve_id("CAN-2000-0047");
      name["english"] = "Yahoo Messenger Denial of Service attack";
      script_name(english:name["english"]);
      desc["english"] = "
    It is possible to cause Yahoo Messenger to crash by sending a few bytes
    of garbage into its listening port TCP 5010.

    Solution: Block those ports from outside communication

    Risk factor : Low";
      script_description(english:desc["english"]);   # hands the text above to nessusd
      script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
      family["english"] = "Denial of Service";
      script_family(english:family["english"]);
      script_category(ACT_DENIAL);                    # this plugin tries to crash the service
      exit(0);
    }

    #
    # The script code starts here
    #
    if (get_port_state(5010))
    {
      sock5010 = open_sock_tcp(5010);
      if (sock5010)
      {
        send(socket:sock5010, data:crap(2048));   # 2048 bytes of garbage
        close(sock5010);
        sock5010_sec = open_sock_tcp(5010);       # is the service still reachable?
        if (!sock5010_sec) { security_hole(5010); }
        else close(sock5010_sec);
      }
    }

We can try running a NASL2 script with a simple command from the command line:

    nasl -t 192.168.1.100 test-yahoo.nasl

2.2 STRUCTURE OF THE NASL2 LANGUAGE
2.2.1 Basic rules for writing programs
A comment starts with a # at the beginning of a line; the line is then ignored by the interpreter. Any amount of whitespace may be placed between two words or operators; whitespace here can be spaces or tabs. The input is split into tokens by the lexical analyser, whose output is then handed to the parser.
- The lexer returns the longest token it can, so if it meets an expression such as a+++++b it reads it as a++ ++ + b, i.e. (a++ ++) + b, just as in ANSI C. In that case one should write a++ + ++b.
- Whitespace cannot be inserted inside a multi-character operator. For example x = a + +; is not accepted; write x = a ++; instead.

2.2.2 Syntax
The syntax of NASL statements. Each nonterminal is followed by its alternatives, one per line; /* nothing */ denotes the empty alternative.

    decl_list      ::=
        instr_decl
        instr_decl decl_list
    instr_decl     ::=
        instr
        func_decl
    func_decl      ::=
        function identifier ( arg_decl ) block
    arg_decl       ::=
        /* nothing */
        arg_decl_1
    arg_decl_1     ::=
        identifier
        identifier , arg_decl_1
    block          ::=
        { instr_list }
        { }
    instr_list     ::=
        instr
        instr instr_list
    instr          ::=
        s_instr ;
        block
        if_block
        loop
    s_instr        ::=
        aff
        post_pre_incr
        rep
        func_call
        ret
        inc
        loc
        glob
        break
        continue
        /* nothing */
    ret            ::=
        return expr
        return
    if_block       ::=
        if ( expr ) instr
        if ( expr ) instr else instr
    loop           ::=
        for_loop
        while_loop
        repeat_loop
        foreach_loop
    for_loop       ::=
        for ( aff_func ; expr ; aff_func ) instr
    while_loop     ::=
        while ( expr ) instr
    repeat_loop    ::=
        repeat instr until expr ;
    foreach_loop   ::=
        foreach identifier ( array ) instr
    array          ::=
        expr
    aff_func       ::=
        aff
        post_pre_incr
        func_call
        /* nothing */
    rep            ::=
        func_call x expr
    string         ::=
        STRING1
        STRING2
    inc            ::=
        include ( string )
    func_call      ::=
        identifier ( arg_list )
    arg_list       ::=
        arg_list_1
        /* nothing */
    arg_list_1     ::=
        arg
        arg , arg_list_1
    arg            ::=
        expr
        identifier : expr
    aff            ::=
        lvalue = expr
        lvalue += expr
        lvalue -= expr
        lvalue *= expr
        lvalue /= expr
        lvalue %= expr
        lvalue >>= expr
        lvalue >>>= expr
        lvalue <<= expr
    lvalue         ::=
        identifier
        array_elem
    identifier     ::=
        IDENTIFIER
        x
    array_elem     ::=
        identifier [ array_index ]
    array_index    ::=
        expr
    post_pre_incr  ::=
        ++ lvalue
        -- lvalue
        lvalue ++
        lvalue --
    expr           ::=
        ( expr )
        logic_expr
        arith_expr
        bit_expr
        post_pre_incr
        compar
        INTEGER
        STRING2
        STRING1
        var
        aff
        cst_array
        ipaddr
    logic_expr     ::=
        expr && expr
        ! expr
        expr || expr
    arith_expr     ::=
        expr + expr
        expr - expr
        - expr
        expr * expr
        expr / expr
        expr % expr
        expr ** expr
    bit_expr       ::=
        ~ expr
        expr & expr
        expr ^ expr
        expr | expr
        expr >> expr
        expr >>> expr
        expr << expr
    compar         ::=
        expr >< expr
        expr >!< expr
        expr =~ string
        expr !~ string
        expr < expr
        expr > expr
        expr == expr
        expr != expr
        expr >= expr
        expr <= expr
    var            ::=
        identifier
        num_arg
        array_elem
        func_call
    ipaddr         ::=
        INTEGER . INTEGER . INTEGER . INTEGER
    num_arg        ::=
        $INTEGER
        $*
    cst_array      ::=
        [ l_array ]
    l_array        ::=
        array_data
        array_data , l_array
    array_data     ::=
        atom
        string => atom
    atom           ::=
        integer
        string
    loc            ::=
        local_var arg_decl
    glob           ::=
        global_var arg_decl

INTEGER is an integer: a string of decimal digits, or one starting with 0 for base 8 or with 0x for base 16.
IDENTIFIER is an identifier: a string of characters (upper-case letters, lower-case letters, digits, underscore).
STRING1 is a string of characters between two single quotes.
STRING2 is a string of characters between two double quotes.


2.2.3 Data types
NASL2 has the following data types:
1. Integer: any string of digits, optionally preceded by a sign (+, -) to distinguish positive and negative numbers. NASL2 uses C syntax: base 8 starts with 0 and base 16 starts with 0x; for example 0x10 = 020 = 16.
2. String: there are two kinds of strings, non-converted strings and converted strings.
   a) Non-converted strings: entered between double quotes, e.g. "abcde"; every character of the string is kept as is, so a backslash stays a backslash. They can be turned into converted strings with the string-handling functions.
   b) Converted strings: entered between single quotes, e.g. 'abcd\n'; some characters of the string are converted automatically.
3. Array: one-dimensional arrays are supported; the first element has index [0]; an array can hold integer or string data.
4. NULL: assigned to variables whose value has not been initialised.
5. Boolean (logical): the values 0 = FALSE and 1 = TRUE. Some values are converted automatically: an undefined value or NULL is FALSE; an integer is TRUE if it is not 0, and 0 is FALSE; a string is TRUE if it is not empty and different from "0"; an array is always TRUE, whether it is empty or not.

2.2.4 Operators
2.2.4.1 General operators
= assigns a value. Examples:
- x = 42; assigns the value 42 to the variable x.
- x = y; assigns the value of y to x.
[] is used for array indexing.


- A variable cannot hold an atomic value (integer, string, null) and an array value at the same time. If the type is changed, the previous value is lost.
- [] can also extract a value from a string. For example s = "abcde", then s[2] = "c".
- y[1] = 42; creates an array y and assigns 42 to its second element. If y is not an array, the first value is undefined.

2.2.4.2 Arithmetic operators
NASL2 is not strict about the integer type. The interpreter implements it with the native C int, which is 32 bits on most systems or 64 bits on some others. There is no protection against overflow.
+ addition of two integers.
- subtraction of two integers.
* multiplication of two integers.
/ integer division. Note that NASL2 has no floating-point type. Division by 0 returns 0 or crashes the interpreter.
% remainder of division.
** exponentiation.

2.2.4.3 C-like operators
NASL2 implements some operators like C.
++ increments a variable by 1, e.g. (++x) or (x++), with the same meaning as in C.
-- decrements a variable by 1, e.g. (--x) or (x--), as in C.
+= -= *= %= have the same meaning as in C.
<<= and >>=, plus >>>=.

2.2.4.4 String operators
+ string concatenation; however it is better used together with the string-handling functions.


- (minus) string subtraction: it removes the first occurrence of the second string that it finds in the first. For example "abcd" - "bc" gives "ad".
[] extracts a character from a string. For example s = "abcde", then s[2] = "c".
>< string inclusion: TRUE if one of the two strings contains the other, otherwise FALSE. "abcde" >< "bc" is TRUE, "abcde" >< "xxxx" is FALSE.
>!< string non-inclusion: returns TRUE if one string does not contain the other, otherwise FALSE. "abcde" >!< "xxxx" is TRUE, "abcde" >!< "bc" is FALSE.
=~ (regex match) is similar to calling the ereg function but faster, because the regular expression is compiled once when the script is parsed. s =~ "[ab]*x+" is equivalent to ereg(string:s, pattern:"[ab]*x+", icase:1).
!~ (regex does not match) is the opposite of the above.

2.2.4.5 Comparison operators
== is TRUE if the two compared values are equal, otherwise FALSE.
!= is TRUE if the two compared values differ, otherwise FALSE.
> greater than.
>= greater than or equal to.
< less than.
<= less than or equal to.

2.2.4.6 Logical operators
! logical not. For example !x = TRUE if x = FALSE.
&& logical and.
|| logical or.

2.2.4.7 Bit operators
~ bitwise not. For example ~0 = 1, ~1 = 0.
& bitwise and. For example 1 & 1 = 1, 1 & 0 = 0.
| bitwise or.
^ bitwise xor.


<< left bit shift.
>> right bit shift.
>>> unsigned right shift: the sign bit is shifted right and replaced by 0.

2.2.4.8 Special cases
break can (but should not) be used to exit a function in a script.
If the arguments have different types, + performs automatic type conversion:
- With a converted string: AB\n + de gives AB\\nde (here AB\n is the non-converted string and de the converted string).
- If one of the two arguments is a non-converted string, the other is converted to a non-converted string: "ABC" + 2 gives "ABC2".
- If one of the arguments is an integer, the other is converted to an integer, and the result is an integer.
- In all other cases, NULL is returned.
Subtraction uses the same conversions as addition.
Uninitialised variables should not be used. However, so that old scripts keep working, the NULL value is defined as 0 or "" (integer or string). That is why isnull should be used to check whether a variable has been defined and initialised.

2.2.5 Operator precedence
Precedence from highest to lowest:
Table 2.1 Operator precedence.

    No.  Operator                            Associativity
    1.   ++ --                               None
    2.   **                                  Right to left
    3.   ~                                   Left to right
    4.   !                                   Left to right
    5.   * / %                               Left to right
    6.   + -                                 Left to right
    7.   << >> >>>                           Left to right
    8.   &                                   Left to right
    9.   ^                                   Left to right
    10.  |                                   Left to right
    11.  < <= > >= == != <> =~ !~ >!< ><     None
    12.  &&                                  Left to right
    13.  ||                                  Left to right
    14.  = += -= *= /= %= <<= >>= >>>=       Right to left

2.2.6 Loops and control statements
for (expr1; cond; expr2) block; as in C, equivalent to expr1; while (cond) { block; expr2; } For example, printing the values from 1 to 10:

    for (i = 1; i <= 10; i++) display(i, '\n');

foreach var (array) block; loops over all the elements of the array. Note that the loop variable var holds the value stored in the array, not its index. To loop over the indexes, write: foreach var (keys(array)) block;
while (cond) block; executes the block while the test condition is TRUE, and stops executing when the condition is FALSE.
repeat block; until (cond); executes the block until the test condition is TRUE. The block is executed at least once (unlike while, where the block may never be executed).
break exits the current loop; outside a loop the result is undefined.
continue skips the rest of the current iteration and jumps to the next one; outside a loop the result is undefined.
return returns the result of the current function.


2.2.7 Declaring variables and functions
2.2.7.1 Declaring variables
NASL1 only had global variables. NASL2 uses both global and local variables. Local variables are created inside a function and released when the function returns. When the interpreter looks up a variable, it searches the current function first, then the enclosing functions, up to the level that holds the global variables. Usually a variable need not be declared: either it already exists, or we use it in the current function, or it is being used by another function. However, this becomes dangerous in a few cases:
- If you want to change a local variable from inside a function and cannot be sure whether the variable was created at the top level or as a local variable in the calling function.
- If you want to be sure that you are creating a local variable without overwriting a global variable of the same name.
To do this, variables can be declared as follows:

    local_var var;
    global_var var;

If the variable already exists in the given function, an error message is printed, but it still works.

2.2.7.2 Declaring functions

    function function_name(argname1, argname2) block

Note that the argument list may be empty, but the function must have a name. The arguments can be used directly without being declared.

2.2.7.3 Getting the arguments of a function
In a NASL function, named arguments can be accessed like any local variable. Unnamed arguments are implemented through the special array _FCT_ANON_ARGS. This variable is NULL with interpreters below NASL_LEVEL 2190. If you need this feature, you should declare at the top of the script:

    if (NASL_LEVEL < 2190) exit(0); # _FCT_ANON_ARGS is not implemented

1. Writing to _FCT_ANON_ARGS is undefined. Currently, memory is wasted and the value cannot be read back.
2. Using _FCT_ANON_ARGS to read named arguments is also bad. Currently there is a protection and NULL is returned.

2.2.7.4 Calling functions
Here is an example of a function with a named argument:
    function fact(x)   # x is the named argument
    {
      local_var i, f;
      f = 1;
      for (i = 1; i <= x; i ++) f *= i;   # multiply 1 .. x
      return f;
    }
    display("3 ! = ", fact(x: 3), "\n");

An example of a function with an unnamed argument:
    function fact()   # the function declares no named argument
    {
      local_var i, f;
      f = 1;
      for (i = 1; i <= _FCT_ANON_ARGS[0]; i ++) f *= i;   # first unnamed argument
      return f;
    }
    display("3 ! = ", fact(3), "\n");

Another example, combining both kinds of argument:

    function fact(prompt)   # prompt is named, the number is unnamed
    {
      local_var i, f;
      f = 1;
      for (i = 1; i <= _FCT_ANON_ARGS[0]; i ++)
      {
        f *= i;
        display(prompt, i, '! = ', f, '\n');
      }
      return f;
    }
    n = fact(3, prompt: '> ');

2.3 THE NASL2 LIBRARY
2.3.1 Predefined constants
Constants are actually variables: their values can be changed in a script. Here are some of the predefined constants:
Logical constants
  o FALSE = 0
  o TRUE = 1
Plugin categories
  o ACT_INIT: the plugin only sets KB items (a kind of global variable shared by all plugins).
  o ACT_SCANNER: the plugin does port scanning or a similar task (such as ping).
  o ACT_SETTINGS: like ACT_INIT, but runs after the scanner, when we are sure that the host is still up.
  o ACT_GATHER_INFO: the plugin identifies services, gathers data, processes banners, etc.
  o ACT_ATTACK: the plugin launches an attack, for example scanning web directories.
  o ACT_MIXED_ATTACK: the plugin launches an attack that may have other dangerous side effects (for example crashing the service most of the time).


  o ACT_DESTRUCTIVE_ATTACK: the plugin tries to destroy data or launches a dangerous attack (for example, a buffer overflow check may crash a vulnerable service).
  o ACT_DENIAL: the plugin tries to crash a service.
  o ACT_KILL_HOST: the plugin tries to crash the host, or to disable some important service.
  o ACT_FLOOD: the plugin tries to crash or disable the host by flooding it with unspecified packets or requests. This may affect the network and crash routers, switches or packet filters along the path.
Network constants
  o Nessus encapsulation
    ENCAPS_IP = 1; the transport value for a plain TCP socket.
    ENCAPS_SSLv23 = 2; the transport value for an SSL connection in compatibility mode. Note that the find_service plugin never declares a port with this encapsulation type, but it can still be used in a script.
    ENCAPS_SSLv2 = 3; the old SSL version, which only supports server-side certificates.
    ENCAPS_SSLv3 = 4; the newer SSL version, supporting server- and client-side certificates and more cipher methods.
    ENCAPS_TLSv1 = 5; TLSv1 as defined in RFC 2246, sometimes called SSL v3.1.
  o Socket options
    MSG_OOB; a socket option used when sending data.
  o Raw sockets
    IPPROTO_ICMP; defined as in the C header files.
    IPPROTO_IGMP
    IPPROTO_IP
    IPPROTO_TCP
    IPPROTO_UDP
    pcap_timeout = 5


    TH_ACK = 0x10; TCP flag marking a valid (acknowledged) packet.
    TH_FIN = 0x01; TCP flag marking a packet that ends the connection.
    TH_PUSH = 0x08
    TH_RST = 0x04; TCP flag marking a refused or reset connection.
    TH_SYN = 0x02; starts the three-way handshake.
    TH_URG = 0x20; TCP flag marking a packet that carries urgent data.
Other constants
  o NULL, the undefined value.
Nessusd glue
  o description is set to 1 when nessusd parses the script for the first time (to get its name, instructions, summary, etc.), and to 0 when the script runs.
  o COMMAND_LINE is set to 0 when the script is run by nessusd, or to 1 when it is run by the nasl interpreter.

2.3.2 Built-in functions
The built-in functions include functions with named arguments and functions with unnamed arguments. A few combine both.
2.3.2.1 Basic functions (Knowledge base functions)
These functions let plugins interact with each other.
set_kb_item creates a new item in the KB (Knowledge base). It takes two string arguments: name and value. Setting an item several times creates a list.
get_kb_item reads an item from the KB. It takes an unnamed argument (the name of the KB item). If the item is a list, the plugin forks into child processes, each using a different value. Nessus remembers which child received which value: reading an item with the same name again does not fork a second time. This function should not be used while several connections are open, to avoid having several processes trying to read from and write to the same socket.


get_kb_list reads several entries from the KB. It takes one anonymous argument, either a KB entry name or a pattern. The result is a hash (an array indexed by strings), so you must convert it with make_list() or walk it with foreach to reach each element (make_array builds such hash tables). Examples of get_kb_list:
# Retrieves the list of all the web servers
webservers = get_kb_list("Services/www");
# Retrieves the list of all the services
services = get_kb_list("Services/*");
# Retrieves the whole KB
services = get_kb_list("*");

replace_kb_item adds a new entry to the KB or replaces its old value. It takes two named arguments: name and value. Calling it several times with the same name does not create a list; it simply overwrites the old value. This function is not defined in every Nessus version; to be safe, check that it is defined before calling it, or use the replace_or_set_kb_item library function instead.

2.3.2.2 Reporting functions
These functions send information back to the Nessus daemon.
scanner_status reports the progress of a port scan (if the plugin is a port scanner). It takes two named integer arguments:
o current, the number of ports scanned so far.
o total, the total number of ports to scan.
security_note reports miscellaneous information. It takes either one anonymous integer argument (the port number) or the following named arguments:
o data, the text of the report.
o port, the TCP or UDP port number of the service.


o proto (or protocol), the protocol name (tcp by default, or udp).
security_hole reports a serious vulnerability. It takes either one anonymous integer argument (the port number) or the following named arguments:
o data, the text of the report.
o port, the TCP or UDP port number of the service.
o proto (or protocol), the protocol name (tcp by default, or udp).
security_warning reports a minor vulnerability. It takes either one anonymous integer argument (the port number) or the following named arguments:
o data, the text of the report.
o port, the TCP or UDP port number of the service.
o proto (or protocol), the protocol name (tcp by default, or udp).

2.3.2.3 Description functions
All of these functions, except script_get_preference, may only be used in the description part of the plugin, i.e. the block that runs when the description variable is 1. They only make sense inside Nessus and have no effect when the plugin is run by the stand-alone nasl interpreter.
script_add_preference adds an option to the plugin. It takes three named arguments:
o name, the option name.
o type, the option type, one of: checkbox, entry, password, radio.
o value, the default value (yes or no for a checkbox, a string for an entry or a password, the choices separated by semicolons for a radio button).
Example:


script_add_preference (name:"Reverse traversal", type:"radio", value:"none; Basic; Long URL");

script_bugtraq_id sets the Bugtraq IDs of the vulnerabilities tested by the script. It takes one or more anonymous integer arguments.
script_category sets the plugin category. It takes one anonymous integer argument, one of the predefined ACT_xxx constants:
o ACT_INIT
o ACT_SCANNER
o ACT_SETTINGS
o ACT_GATHER_INFO
o ACT_ATTACK
o ACT_MIXED_ATTACK
o ACT_DESTRUCTIVE_ATTACK
o ACT_DENIAL
o ACT_KILL_HOST
o ACT_FLOOD
script_copyright sets the copyright string of the plugin (usually the author's name). It takes one anonymous string argument or one of the named arguments english, francais, deutsch, portuguese.
script_cve_id sets the CVE IDs of the vulnerabilities tested by the script. It takes any number of anonymous string or integer arguments, typically of the form CVE-2002-042 or CAN-2003-666.
script_dependencie sets the list of scripts that must run before this one. It takes any number of anonymous string arguments.
script_dependencies is a synonym of script_dependencie.
script_description sets the plugin description. It takes one anonymous string argument or one of the named arguments english, francais, deutsch, portuguese. The default is english.
script_exclude_keys sets the list of KB items whose presence prevents this script from running in optimised mode.
script_family sets the plugin family.


script_get_preference reads a plugin option. It takes one anonymous string argument (the option name). It returns an empty string when the script is run under the stand-alone nasl interpreter.
script_get_preference_file_content reads a file option. It takes one anonymous string argument and returns the content of the file that the Nessus client uploaded to the server. Note: script_get_preference_file_content and script_get_preference_file_location are restricted to trusted (signed) plugins.
script_get_preference_file_location only works for options of type file. It returns the path of the uploaded copy of the file. script_get_preference itself would only return the path of the file on the client machine, which is of little use on the server.
script_id sets the integer ID of the script.
script_name sets the plugin name.
script_require_keys sets the list of KB items that must be present for this script to run in optimised mode.
script_require_ports sets the list of TCP ports (port numbers or KB keys such as Services/www) that must be open for this script to run in optimised mode.
script_require_udp_ports sets the list of UDP ports that must be open for this script to run in optimised mode.
script_summary sets the one-line summary of the plugin.
script_timeout sets the plugin timeout. It takes one anonymous integer argument. If it is set to 0 or -1, the timeout is infinite.
script_version sets the plugin version. It takes one anonymous string argument.

2.3.2.4 Glue functions
get_preference takes one anonymous string argument and returns the value of the given server preference. It is needed when a plugin must read a global option from the server. Example:
p = get_preference('port_range'); # returns something like 1-65535
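The description block, the KB functions, the reporting functions and the preference functions above are normally used together in one plugin. The following complete plugin is an added example, not code from the page or from Nessus: it reads the FTP greeting, shares it through the KB and reports when it contains a keyword taken from a plugin preference. It also uses the socket and string functions described in the next two sections. The script ID 900001, the preference name "Banner keyword" and the KB key "ftp/banner/<port>" are placeholders chosen for this example.

```nasl
# Added example; not from the page or from Nessus.  The script ID 900001,
# the preference "Banner keyword" and the KB key "ftp/banner/<port>" are
# placeholders for this example.
if (description)
{
  script_id(900001);
  script_version("1.0");
  script_name(english:"FTP banner keyword check (example)");
  script_summary(english:"Reads the FTP banner and looks for a keyword");
  script_description(english:"This example connects to the FTP service,
reads its greeting and reports when it contains the keyword given in the
plugin preference.");
  script_category(ACT_GATHER_INFO);       # read-only probe, safe to run
  script_family(english:"FTP");
  script_copyright(english:"Example code");
  script_add_preference(name:"Banner keyword", type:"entry", value:"FTP");
  script_dependencies("find_service.nasl");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

# From here on description == 0: the plugin is being run against a host.
port = get_kb_item("Services/ftp");        # filled in by find_service.nasl
if (!port) port = 21;
if (!get_port_state(port)) exit(0);

keyword = script_get_preference("Banner keyword");
if (!keyword) keyword = "FTP";             # empty string under the nasl CLI

soc = open_sock_tcp(port);
if (!soc) exit(0);
banner = recv_line(socket:soc, length:4096);
close(soc);
if (!banner) exit(0);

banner = chomp(banner);
# An FTP greeting starts with "220 " (or "220-" for a multi-line one).
if (!ereg(pattern:"^220[ -]", string:banner)) exit(0);

# Publish the banner so that other plugins can reuse it without reconnecting.
set_kb_item(name:"ftp/banner/" + port, value:banner);

# Extract a version number, if the banner advertises one.
m = eregmatch(pattern:"([0-9]+\.[0-9]+(\.[0-9]+)?)", string:banner);
if (isnull(m)) version = "unknown";
else version = m[1];

# match() takes shell-style wildcards; icase makes the test case-insensitive.
if (match(string:banner, pattern:"*" + keyword + "*", icase:TRUE))
{
  report = string("The FTP banner contains the keyword '", keyword, "':", '\n',
                  banner, '\n', "Version advertised in the banner: ", version);
  security_note(port:port, data:report);
}
```

Run it with nasl -t <host> example.nasl to see the report on the console; inside nessusd the same security_note() call lands in the scan report. Note that the regular expression is written between double quotes, so the backslash reaches the regex engine unchanged, while the newlines in the report are single-quoted strings, which NASL does interpret.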


2.3.2.5 Network functions
Note that the "socket" type used by these functions is really an integer. On error, all of these functions return a value that evaluates to FALSE.
close closes a socket.
end_denial takes no argument and returns TRUE if the host is still alive, FALSE if it is dead. start_denial must have been called before the test.
ftp_get_pasv_port sends a PASV command on an open socket, parses the answer and returns the passive port number chosen by the server. It takes one named argument: socket.
get_host_name takes no argument and returns the name of the scanned host.
get_host_ip takes no argument and returns the IP address of the scanned host.
get_host_open_port takes no argument and returns the number of an open TCP port on the scanned host.
get_port_transport takes one anonymous integer argument (a port number) and returns its encapsulation value.
get_port_state takes one anonymous integer argument (a TCP port number) and returns TRUE if the port is open, FALSE otherwise. The state of some TCP ports may be unknown because they were not scanned. The global option "consider unscanned ports as closed" changes the behaviour of this function: when the option is unset (the default) it returns TRUE for ports of unknown state, and FALSE when the option is set.
get_source_port takes one anonymous integer argument (a TCP socket) and returns its source port number, i.e. the port on the Nessus server side.
get_tcp_port_state is the same as get_port_state.
get_udp_port_state returns TRUE if the UDP port is open, FALSE otherwise. Note that UDP port scanning is unreliable.
islocalhost takes no argument and returns TRUE if the target host is the local machine, FALSE otherwise.


islocalnet takes no argument and returns TRUE if the target host is on the same network as the local machine, FALSE otherwise.
join_multicast_group takes one anonymous string argument (a multicast IP address) and returns TRUE if the group could be joined. If the group has already been joined, it increments a join counter.
leave_multicast_group takes one anonymous string argument (a multicast IP address). If join_multicast_group was called several times, each call decrements the counter, and the group is left when the counter reaches 0.
open_priv_sock_tcp opens a privileged TCP socket to the target. It takes two named integer arguments:
o dport, the destination port.
o sport, the source port, normally below 1024.
open_priv_sock_udp opens a privileged UDP socket to the target. It takes two named integer arguments:
o dport, the destination port.
o sport, the source port, normally below 1024.
open_sock_tcp opens a TCP socket to the target. It takes one anonymous integer argument (the port number) and three optional named arguments:
o bufsz, to set the size of the I/O buffer (disabled by default). This parameter was added in Nessus 2.0.10.
o timeout, to change the default timeout.
o transport, to ask Nessus to use the given transport. Possible values are:
  ENCAPS_IP
  ENCAPS_SSLv23
  ENCAPS_SSLv2


  ENCAPS_SSLv3
  ENCAPS_TLSv1
open_sock_udp opens a UDP socket to the target. It takes one anonymous integer argument (the port number).
recv receives data from a TCP or UDP socket. On a UDP socket, if no data can be read, NASL assumes that the last datagram was lost and resends it after a while. It takes at least the first two of the following named arguments:
o socket, as returned by open_sock_tcp and friends.
o length, the number of bytes to receive.
o min, the minimum number of bytes that must be read; 0 by default.
o timeout, to change the default value.
recv_line receives data from a socket and stops as soon as a newline is read. The length (in bytes) and the timeout must be given.
send sends data to a socket. Its named arguments are:
o socket
o data, the data block, which must be a string (between single or double quotes).
o length, optionally the number of bytes to send; if unset, the whole block is sent.
o option, a socket option for send(); do not use a bare number, use the MSG_OOB constant.
scanner_add_port declares an open port to the nessusd process. It takes two named arguments and returns nothing: port, the port number, and proto, tcp or udp.
scanner_get_port reads the list of ports that nessusd considers open. It takes one anonymous integer argument, an index, and returns the port number, or 0 at the end of the list. Example:
i = 0;
while (port = scanner_get_port(i++))
{
  # do something with port
}


tcp_ping performs a TCP ping of the target, i.e. it tries to open a TCP connection and checks whether anything comes back (a SYN/ACK or a RST). It takes one anonymous integer argument (a port number); if none is given, it tries a list of common ports.
telnet_init initialises a telnet session on an open socket. It takes one anonymous argument (the open socket) and returns the data received (how much depends on the telnet banner).
this_host takes no argument and returns the IP address of the local machine.
this_host_name takes no argument and returns the name of the local machine.
ftp_log_in performs an FTP login on an open socket. It returns TRUE if the login succeeded, FALSE otherwise. It takes three named arguments:
o user, the user name; if missing, anonymous or ftp is used.
o pass, the password; if missing, an e-mail address is used.
o socket
start_denial initialises the internal data structures used by end_denial.

2.3.2.6 String functions
chomp takes one anonymous string argument and removes any trailing whitespace (spaces, tabs, carriage returns, newlines).
crap returns a buffer of the requested length. It is mainly used to test for buffer overflows. Its named arguments are:
o length, the size of the buffer.
o data, the pattern repeated to fill the buffer; the default is the character X.
display takes any number of arguments, builds a string from them and displays it. It returns the number of characters displayed. Non-printable characters are replaced by a dot.
egrep looks for a pattern in a string, line by line, and returns the lines that match. Its named arguments are:
o icase
o pattern
o string


ereg matches a string against a regular expression and returns TRUE if it matches. Its named arguments are:
o string
o multiline, FALSE by default; set it to TRUE to let the pattern span several lines.
o pattern
o icase, FALSE by default; set it to TRUE for a case-insensitive match.
ereg_replace looks for a pattern in a string and replaces every occurrence. It returns the modified string, or the original string if nothing matched. Its named arguments are:
o string, the original string.
o pattern, the pattern to match.
o replace, the replacement.
o icase, set it to TRUE for a case-insensitive match.
eregmatch looks for a pattern in a string. It returns NULL if nothing matched, or an array containing the whole match followed by every sub-match (parenthesised group). Its named arguments are:
o icase
o pattern
o string
hex converts an integer to its hexadecimal representation and returns a string.
hexstr converts an ASCII string to the hexadecimal string of each of its characters. For example hexstr('aA\n') returns '61410a'.
insstr takes three or four anonymous arguments: a first string, a second string, a start index and an end index. Indexes start at 0. It replaces the characters of the first string from the start index to the end index with the second string. For example insstr('abcdefgh','xyz',3,5) returns 'abcxyzgh'.
int converts a string to an integer; it returns 0 if the argument is not a numeric string.
match compares a string against a simple shell-style pattern and returns TRUE or FALSE. It is less powerful than ereg but faster. Its named arguments are:
o icase, set it to TRUE for a case-insensitive match.


o string, the input string.
o pattern, the pattern to look for, which may use the wildcards * (any run of characters) and ? (any single character).
ord returns the ASCII code of a character.
raw_string takes any number of anonymous integer or string arguments and builds a raw string from them; integers are converted to single bytes, which makes it the usual way to build binary data.
str_replace replaces every occurrence of a substring in a string and returns the modified string. Its named arguments are:
o string, the original string.
o find, the substring to look for.
o replace, the replacement.
o count, optional; if set, the function stops after count replacements.
string takes any number of anonymous arguments of any type and returns the string built from them.
strcat takes any number of anonymous arguments and returns their concatenation as a string:
o integers are converted to their ASCII representation;
o undefined variables are ignored;
o arrays are converted to ASCII;
o strings are kept as they are.
stridx takes two or three anonymous arguments, looks for a substring in a string starting at an optional position and returns its index (or -1 if it is not found):
o string, the string to search in.
o substring, the substring to look for.
o position, the position to start from, 0 by default.
strstr takes two anonymous string arguments and returns the part of the first string from the first occurrence of the second string to the end, or NULL if it is not found. For example strstr('zabadz', 'ad') returns 'adz'.
split splits a string into smaller strings, i.e. an array of lines.
strlen returns the length of a string; the result is undefined if the argument is not a string.
substr takes two or three anonymous arguments: a string, a start index and an end index. For example substr('abcde', 2) returns 'cde' and substr('abcde', 1, 3) returns 'bcd'.


tolower converts a string to lower case.
toupper converts a string to upper case.

2.3.2.7 HTTP functions
To use the HTTP functions, include http_func.inc and http_keepalive.inc in the script. These library functions give simple and efficient access to the HTTP protocol. A script that uses them should declare http_version.nasl as a dependency. The HTTP functions are:
cgibin takes no argument and returns the cgi-bin path of the web site. cgi_dirs() can be used instead.
http_delete builds an HTTP DELETE request for the given port. It handles the HTTP version and the authentication cookie automatically. It takes the named arguments port and item (the URL) and returns the formatted request string.
http_get builds a GET request. It takes the named arguments port and item (the URL) and returns the formatted request string.
http_close_socket closes an open HTTP socket.
http_head builds a HEAD request. It takes the named arguments port and item (the URL) and returns the formatted request string.
http_open_socket opens a socket on the given port. Up to Nessus 2.0.10 it was the same as open_sock_tcp; later versions also set a 64 KB buffer for sending and receiving data.
http_recv_headers reads all HTTP headers from the given socket (one anonymous integer argument). It stops at the first empty line and returns a string containing the HTTP status line and all headers.
http_post builds a POST request. It takes the named arguments port and item (the URL) and returns the formatted request string.
http_put builds a PUT request. It takes the named arguments port and item (the URL) and returns the formatted request string.
is_cgi_installed checks whether a CGI is installed by looking for it in the cgi-bin directories. It returns the port of the web server on which it was found. It takes two named arguments:
o item, the CGI path.

o port; by default every web server is tried (taken from the KB entries Services/www). Example:


if (port = is_cgi_installed(item:"vuln.cgi")) security_warning(port);
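The HTTP helpers are meant to be chained: locate the CGI, build the request with http_get(), send it over a keep-alive connection (the http_keepalive.inc functions described in section 2.3.3.4), then inspect the reply with the string functions. The following plugin body is an added example, not code from the page or from Nessus. It assumes the request parameter of http_keepalive_send_recv() is named data, as in Tenable's http_keepalive.inc; the CGI name "/status.cgi", the marker string "Server uptime" and the KB key "www/<port>/status_cgi" are placeholders for this example.

```nasl
# Added example; not from the page or from Nessus.  "/status.cgi",
# "Server uptime" and the KB key are placeholders for this example.
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# Do not waste requests on a web server that no longer answers.
if (http_is_dead(port:port)) exit(0);

# Look for the CGI in every known CGI directory over keep-alive.
found = NULL;
foreach dir (cgi_dirs())
{
  item = string(dir, "/status.cgi");
  if (is_cgi_installed_ka(port:port, item:item))
  {
    found = item;
    break;
  }
}
if (isnull(found)) exit(0);

# Build the request with http_get() and send it on the keep-alive socket;
# "data" is the request parameter name assumed for http_keepalive_send_recv().
req = http_get(item:found, port:port);
res = http_keepalive_send_recv(port:port, data:req);
if (isnull(res)) exit(0);

# Only a 200 status is interesting; anything else is treated as "not present".
if (!ereg(pattern:"^HTTP/1\.[01] 200 ", string:res)) exit(0);

# egrep() returns the matching lines, which become the evidence in the report.
lines = egrep(pattern:"Server uptime", string:res);
if (lines)
{
  report = string("The CGI ", found, " is installed on this web server and",
                  " discloses:", '\n', lines);
  security_warning(port:port, data:report);
  # Record the path so that other plugins can skip the detection step.
  set_kb_item(name:"www/" + port + "/status_cgi", value:found);
}
```

The status-line check is deliberately done with ereg() rather than by looking for the marker alone: a 404 page that happens to echo the request could otherwise produce a false positive.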

2.3.2.8 Raw IP functions
dump_ip_packet dumps an IP datagram (for debugging).
dump_tcp_packet dumps TCP packets.
dump_udp_packet dumps UDP packets.
forge_icmp_packet fills an IP datagram with ICMP data. The ip_p field is not updated automatically. Its named arguments are:
o data, the payload.
o icmp_cksum, the checksum, computed automatically.
o icmp_code
o icmp_id
o icmp_seq, the ICMP sequence number.
o icmp_type
o ip, the IP datagram to fill.
o update_ip_len, a flag, TRUE by default: NASL recomputes the length field of the IP datagram.
forge_igmp_packet fills an IP datagram with IGMP data. The ip_p field is not updated automatically. Its named arguments are:
o code
o data
o group
o ip, the IP datagram to fill. The IGMP checksum is computed automatically.
o type
o update_ip_len, a flag, TRUE by default: NASL recomputes the length field of the IP datagram.
forge_ip_packet builds an IP datagram and returns it. Its named arguments are:
o data, the payload.
o ip_hl, the IP header length in 32-bit words; 5 by default.


o ip_id, the datagram ID; random by default.
o ip_len, the datagram length; 20 by default.
o ip_off, the fragment offset in 64-bit units; 0 by default.
o ip_p, the IP protocol; 0 by default.
o ip_src, the source IP address in ASCII; NASL converts it to an integer.
o ip_sum, the header checksum; computed automatically.
o ip_tos, the IP type of service; 0 by default.
o ip_ttl, the time to live; 64 by default.
o ip_v, the IP version; 4 by default.
forge_tcp_packet fills an IP datagram with TCP data. The ip_p field is not updated automatically. Its named arguments are:
o data, the TCP payload.
o ip, the IP datagram to fill.
o th_ack, the acknowledgement number.
o th_dport, the destination port.
o th_flags, the TCP flags.
o th_off, the TCP header size in 32-bit words; 5 by default.
o th_seq, the TCP sequence number.
o th_sport, the source port.
o th_sum, the TCP checksum, computed automatically.
o th_urp, the urgent pointer; 0 by default.
o th_win, the window size; 0 by default.
o th_x2, a reserved field.
o update_ip_len, a flag, TRUE by default: NASL recomputes the length field of the IP datagram.
forge_udp_packet fills an IP datagram with UDP data. The ip_p field is not updated automatically. Its named arguments are:
o data, the payload.
o ip, the IP datagram to fill.
o uh_dport, the destination port.


o uh_sport, the source port.
o uh_sum, the UDP checksum.
o uh_ulen, the data length.
o update_ip_len, a flag, TRUE by default: NASL recomputes the length field of the IP datagram.
get_icmp_element reads an ICMP field from a datagram. Its named arguments are:
o element, the name of the ICMP field.
o icmp, the ICMP datagram.
get_ip_element reads an IP field from a datagram. Its named arguments are:
o element, the field name, e.g. ip_src or ip_len.
o ip, the datagram or fragment.
get_tcp_element reads a TCP field from an IP datagram. Its named arguments are:
o element, the name of the TCP field.
o tcp, the IP datagram.
get_udp_element reads a UDP field from an IP datagram. Its named arguments are:
o element, the name of the UDP field.
o udp, the IP datagram.
insert_ip_options adds an IP option to a datagram and returns the modified datagram. Its named arguments are:
o code, the option number.
o length, the option data length.
o ip, the original datagram.
o value, the option data.
pcap_next listens on the network and captures one packet. Its named arguments are:
o interface, the network interface name.
o pcap_filter, a BPF filter. By default everything is captured.
o timeout, 5 seconds by default.
set_ip_elements modifies some fields of an IP datagram.
set_tcp_elements modifies the TCP fields of a datagram.
set_udp_elements modifies the UDP fields of a datagram.
send_packet sends packets, then listens for the answer. Its named arguments are:
o length, the packet length.


o pcap_active, TRUE by default: listen for an answer after sending.
o pcap_filter, a BPF filter.
o pcap_timeout, 5 seconds by default.

2.3.2.9 Cryptographic functions
These functions are only available if Nessus was linked with the OpenSSL library.
HMAC_DSS(data, key), HMAC_MD2(data, key), HMAC_MD4(data, key), HMAC_MD5(data, key), HMAC_RIPEMD160(data, key), HMAC_SHA(data, key), HMAC_SHA1(data, key): return the message authentication code of data under key with the given hash.
MD2(String), MD4(String), MD5(String), RIPEMD160(String), SHA(String), SHA1(String): return the digest of the string.
These legacy hashes (MD2, MD4, MD5, SHA-1) are provided so that plugins can speak protocols that require them, such as NTLM authentication; they are not suitable as security primitives on their own.

2.3.2.10 Unsafe functions
These functions may only be run from scripts marked as trusted (signed).
find_in_path looks for a command in $PATH and returns TRUE if it is found, FALSE otherwise.
pread starts a process. Its named arguments are:
o cmd, the program name; it may be an absolute path, otherwise it is looked up in $PATH.
o argv, the argument list: argv[0] is the program name, argv[1] the first argument, and so on.
o cd, a boolean, FALSE by default.
o nice, the priority of the process.


file_close closes an open file. It returns 0 on success, NULL on error.
file_open opens a file. Its named arguments are:
o mode, the open mode, e.g. r (read) or w (write).
o name, the file name.
file_read reads from a file. Its named arguments are:
o fp, the file to read from.
o length, the number of bytes to read.
file_seek moves to the given position in a file. Its named arguments are:
o fp, the file.
o offset, the absolute offset from the start of the file.
file_stat returns information about a file.
file_write writes data to a file. Its named arguments are:
o fp, the file to write to.
o data, the data to write.
fread reads a file on the Nessus server. It takes one anonymous string argument (the file name) and returns the file content on success, NULL on error.
fwrite writes a file on the Nessus server. It returns the number of bytes written on success, NULL on error. Its named arguments are:
o data, the data to write.
o file, the file name.
get_tmp_dir returns the directory used for temporary files.
unlink removes a file on the Nessus server. It takes one anonymous string argument (the file name).
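The raw IP functions of section 2.3.2.8 are normally combined into a send-and-capture loop: forge the IP header, fill it with a TCP header, send it with send_packet() while a BPF filter waits for the reply, then read the reply's flags with get_tcp_element(). The following TCP SYN probe is an added example, not code from the page or from Nessus. It must run as root (packet forgery) against a real target given with nasl -t; the probed port 80 is a placeholder, and leaving ip_dst unset is assumed here to make forge_ip_packet() address the datagram to the scanned host.

```nasl
# Added example; not from the page or from Nessus.  Port 80 is a placeholder
# and ip_dst is assumed to default to the scanned host when it is left unset.
port  = 80;
src   = this_host();                     # our own address
dst   = get_host_ip();                   # the scanned host
sport = 1024 + rand() % 60000;           # unprivileged, random source port

# IP header: version 4, 5 words, protocol TCP.  ip_sum is computed for us.
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_len:20, ip_id:rand(),
                     ip_off:0, ip_ttl:64, ip_p:IPPROTO_TCP, ip_src:src);

# TCP header with only SYN set; update_ip_len (TRUE by default) fixes ip_len.
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:port,
                       th_flags:TH_SYN, th_seq:rand(), th_ack:0,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);

# BPF filter: only the target's answer to our source port, nothing else.
filter = string("tcp and src host ", dst, " and src port ", port,
                " and dst port ", sport);

# Send the SYN and wait up to 3 seconds for the matching reply.
reply = send_packet(tcp, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:3);
if (isnull(reply))
{
  display("port ", port, ": no answer (filtered, or host down)", '\n');
  exit(0);
}

flags = get_tcp_element(tcp:reply, element:"th_flags");
if ((flags & TH_SYN) && (flags & TH_ACK))
{
  # SYN/ACK: the port is open.  Tell nessusd about it, as a port scanner would.
  display("port ", port, ": open (SYN/ACK received)", '\n');
  scanner_add_port(port:port, proto:"tcp");
}
else if (flags & TH_RST)
{
  display("port ", port, ": closed (RST received)", '\n');
}
else
{
  display("port ", port, ": unexpected flags 0x", hex(flags), '\n');
}
```

No RST is sent back by the script after a SYN/ACK: the operating system does that itself, because no local socket owns the half-open connection. The nasl warning "packet forgery will not work as NASL is not running as root" shown in section 2.4.2 is exactly the condition under which this probe would silently fail.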

2.3.3 NASL library files
NASL library files play the same role as C header files. They have the .inc extension and are included at the top of a .nasl script with a statement such as include("http_func.inc");. They define helper functions written in NASL on top of the built-in functions. Here is part of http_func.inc:
# -*- Fundamental -*-


#
# (C) Tenable Network Security, Inc.
# get_http_port (C) Georges Dagousset
# $Revision: 1.115 $

function get_http_banner(port)
{
  local_var soc, sb, banner, req, body;

  if ( get_kb_item("Services/www/" + port + "/broken") ) return NULL;
  if (! get_port_state(port)) return (0);

  sb = strcat("www/real_banner/", port);
  banner = get_kb_item(sb);
  if(banner) return(banner);

  sb = strcat("www/banner/", port);
  banner = get_kb_list(sb);
  if ( !isnull(banner) )
  {
    banner = make_list(banner);
    return banner[0];
  }

  soc = http_open_socket(port);
  if(!soc) return (NULL);
  req = http_get(item:"/", port:port);
  send(socket:soc, data:req);
  banner = http_recv_headers2(socket:soc);
  #body = http_recv_body(socket:soc, headers: banner);
  http_close_socket(soc);
  if(banner) replace_kb_item(name: sb, value: banner);
  return(banner);
}

2.3.3.1 dump.inc
dump(ddata, dtitle): prints the data, under the given title, on standard output. Mainly used for debugging.
hexdump(ddata): prints the data as a hexadecimal dump.
2.3.3.2 ftp_func.inc
Library functions for the FTP protocol.
ftpclose(socket): closes an FTP session by sending QUIT, waiting for the reply and closing the socket.
get_ftp_banner(port): returns the FTP banner; the argument is the port number.
ftp_recv_line(socket): reads lines from the socket until a line whose fourth character is not "-", i.e. the last line of a multi-line reply. Use it so that a long banner does not block the script.
2.3.3.3 http_func.inc
Helper functions for the HTTP protocol.
check_win_dir_trav(port, url, quickcheck): tests the given URL for a Windows directory traversal.
get_cgi_path(port): returns the cgi-bin path on the server.
get_http_banner(port): returns the HTTP banner of the server on the given port.
get_http_port(default): returns the HTTP port number, or the default when no web server is known.
http_40x(port, code): returns TRUE if the HTTP status code is in the range 400 to 409, FALSE otherwise.
http_is_dead(port, retry): tries to find out whether the HTTP server is still alive. It returns TRUE in one of the following cases:
o the connection is refused;
o no valid HTTP reply is received;
o the server answers 502 (bad gateway) or 503 (service unavailable).
http_recv_body(socket, headers, length): reads N bytes from the socket, where N is chosen as follows:


o If headers is empty or undefined, http_recv_headers is called first; the Content-Length field is taken from the headers.
o If length is set: if content_length could be read from the headers, N = max(length, content_length); otherwise N = length.
o Otherwise, if content_length could be read from the headers, N = content_length.
o Otherwise N = 8192 bytes by default.
http_recv(socket, code): reads the HTTP headers and body from the socket. code is optional.
http_recv_length(socket, bodylength): reads the HTTP headers, then calls http_recv_body with length = bodylength, and returns the headers and the body.
locate_cgi(port, item): looks for a CGI on the web server.
php_ver_match(banner, pattern): checks the PHP version advertised in the banner against the pattern. It returns TRUE on match, FALSE otherwise. Example:
if (php_ver_match(banner:banner, pattern:".*PHP/((3.*)|(4\.0.*)|(4\.1\.[01].*))"))
  security_hole(port);

cgi_dirs(): returns all CGI directories (usually /cgi-bin and /scripts).
2.3.3.4 http_keepalive.inc
Since Nessus 2.0.1, HTTP keep-alive connections are supported, so that the socket does not have to be closed and reopened for every request. This saves bandwidth and CPU, and matters most for SSL/TLS connections. For these functions to work, http_func.inc must be included as well.
http_keepalive_send_recv(port, req): sends the request req to the remote server on the given port and returns the reply. req is an HTTP request such as one built by http_get().
is_cgi_installed_ka(port, item): the same as is_cgi_installed(), but over a keep-alive connection.
check_win_dir_traversal_ka(port, url, quickcheck): the same as check_win_dir_traversal(), but over a keep-alive connection.


2.3.3.5 nfs_func.inc
Helper functions for the Network File System. Include misc_func.inc and nfs_func.inc to avoid undefined-function errors. To talk NFS you need two privileged UDP sockets (source port 1024 or below): one to the nfsd daemon (RPC program 100003) and one to the mountd daemon (RPC program 100005). For example:
nfsd_port = get_rpc_port(program:100003, proto:IPPROTO_UDP);
if (! nfsd_port) exit(0);
nfsd_socket = open_priv_sock_udp(dport:nfsd_port);

mountd_port = get_rpc_port(program:100005, proto:IPPROTO_UDP);
if (! mountd_port) exit(0);
mountd_socket = open_priv_sock_udp(dport:mountd_port);

The NFS functions are:
mount(soc, share): mounts the shared directory. soc is the UDP socket connected to mountd. It returns NULL on error, or the file handle (fid) of the share on success.
umount(soc, share): unmounts the shared directory.
readdir(soc, fid): reads the content of the directory designated by fid. soc is the UDP socket connected to nfsd.
cwd(soc, fid, dir): changes directory. soc is the UDP socket connected to nfsd, fid the current directory and dir the directory to move to.
2.3.3.6 smb_nt.inc
The SMB library provides functions to talk to Windows file sharing over the SMB protocol, on port 139 or 445. Because most Microsoft protocols were poorly documented, these functions were written from packet analysis.
Session setup functions:
o smb_session_request(soc, remote)

o smb_neg_prot(soc)
o smb_session_setup(soc, login, password, domain, prot)
o session_extract_uid(reply)
Connecting to a share and reading files:
o smb_tconx(soc, name, uid, share)
o tconx_extract_tid(reply)
o OpenAndX(socket, uid, tid, file)
o ReadAndX(socket, uid, tid, count, off)
o smb_get_file_size(socket, uid, tid, fid)
Remote registry access:
o smbntcreatex(soc, uid, tid)
o smbntcreatex_extract_pipe(reply)
o pipe_accessible_registry(soc, uid, tid, pipe)
o registry_access_step_1(soc, uid, tid, pipe)
o registry_get_key(soc, uid, tid, pipe, key, reply)
o registry_get_item_sz(soc, uid, tid, pipe, item, reply)
o registry_decode_sz(data)
o registry_get_item_dword(soc, uid, tid, pipe, item, reply)
o registry_decode_dword(data)
o registry_get_key_security(soc, uid, tid, pipe, reply)
o registry_key_writeable_by_non_admin(security_descriptor)
SAM access:
o OpenPipeToSamr(soc, uid, tid)
o SamrConnect2(soc, tid, uid, pipe, name)
o _SamrEnumDomains(soc, uid, tid, pipe, samrhdl)
o SamrDom2Sid(soc, tid, uid, pipe, samrhdl, dom)
o SamrOpenDomain(soc, tid, uid, pipe, samrhdl, sid)
o SamrOpenBuiltin(soc, tid, uid, pipe, samrhdl)
o SamrLookupNames(soc, uid, tid, pipe, name, domhdl)
o SamrOpenUser(soc, uid, tid, pipe, samrhdl, rid)
o SamrQueryUserGroups(soc, uid, tid, pipe, usrhdl)
o SamrQueryUserInfo(soc, uid, tid, pipe, usrhdl)
o SamrQueryUserAliases(soc, uid, tid, pipe, usrhdl, sid, rid)


2.3.3.7 smtp_func.inc
Functions for the SMTP mail protocol.
smtp_send_socket(socket, from, to, body): sends an SMTP message on an open socket. It returns TRUE if the message was accepted or relayed, FALSE on error.
smtp_send_port(port, from, to, body): opens a socket on the given port, sends the SMTP message and closes the socket. It returns TRUE if the message was accepted or relayed, FALSE on error.
smtp_from_header(): returns the From address to use. If the KB entry SMTP/headers/From is not set, the default is nessus@example.com.
smtp_to_header(): returns the To address to use. If the KB entry SMTP/headers/To is not set, the default is postmaster@[1.2.3.4], where 1.2.3.4 is the IP address of the target.
get_smtp_banner(port): returns the SMTP banner.
smtp_recv_banner(socket): reads the socket line by line and returns the first line that does not start with 220-.
2.3.3.8 Other library files
On Windows, the library files (.inc) are stored together with the scripts (.nasl) under C:\Program Files\Tenable\Nessus\nessus\plugins.
Table 2.2 Some Nessus library files.

Library              Protocol     Description
aix.inc              N/A          Library for scanning hosts running AIX.
backport.inc         N/A          Checks whether a version string corresponds to a vendor-patched (backported) release.
byte_func.inc        N/A          Byte-level helper functions.
charset_func.inc     N/A          Conversion between the ASCII and EBCDIC character sets.
cisco_func.inc       Cisco        Retrieves information from Cisco devices.
crypto_func.inc      N/A          Cryptographic helpers such as MD5, MD4, NTLM, DES, RC4, ...
dns_func.inc         DNS          DNS query handling.
ftp_func.inc         FTP          FTP protocol helpers.
hostlevel_func.inc   r-protocols  Remote command protocols such as rsh, rlogin, rexec, ...
hpux.inc             N/A          Library for scanning HP-UX systems.
http_func.inc        HTTP         HTTP helpers.
imap_func.inc        IMAP         IMAP protocol helpers.
ip.inc/ip6.inc       IPv4, IPv6   IPv4 and IPv6 packet helpers.
kerberos_func.inc    KRB          Kerberos protocol helpers.
ldap.inc             LDAP         LDAP helpers.
misc_func.inc        N/A          Miscellaneous Knowledge Base helper functions.
mysql_func.inc       MySQL        MySQL database helpers.
nfs_func.inc         NFS          Network File System helpers.
nntp_func.inc        NNTP         Network News Transfer Protocol helpers.
pop3_func.inc        POP3         POP3 protocol helpers.
raw.inc              N/A          Raw packet handling.
smb_file_funcs.inc   SMB          Reading files from SMB shares.
smb_func.inc         SMB          SMB library.
smtp_func.inc        SMTP         SMTP protocol helpers.
snmp_func.inc        SNMP         Simple Network Management Protocol helpers.
solaris.inc          N/A          Library for scanning Solaris systems.
ssh_func.inc         SSH          Secure Shell helpers.
ssl_funcs.inc        SSL          SSL and HTTPS helpers.
tcp.inc              TCP          TCP helpers (IPv4 and IPv6).
telnet_func.inc      Telnet       Telnet helpers.
tftp.inc             TFTP         TFTP helpers.
udp.inc              UDP          UDP helpers.
url_func.inc         N/A          URL encoding and decoding according to RFC 2396 / RFC 2732.

2.4 BUILDING A PLUGIN FOR NESSUS
2.4.1 Running a hand-written script in the interpreter
A NASL script is normally tested with the command-line interpreter nasl. The nasl utility is installed together with Nessus and takes the following arguments:
nasl [options] script1.nasl [script2.nasl ...]

The interpreter options are:
Security:
o -S: sign the .nasl script. A signed script is allowed more access to the Nessus engine (the trusted functions of section 2.3.2.10). Signing requires an RSA public/private key pair.
o -X: run in authenticated mode, i.e. let signed scripts use the restricted resources of the Nessus engine.
Parsing tools:
o -L: lint; perform extra syntax and semantic checks on every part of the script. Run this before releasing a plugin.
o -V: display information about the script (script ID, name, ...).
o -T <tracefile>: trace the execution of the script; the interpreter writes debugging information to the given file.
Execution environment:
o -t target: run the script against the given host (an IP address or host name). The NASL network functions never take a destination address: it is implied when a connection is opened or a raw packet is sent. If this option is absent, every connection goes to the loopback address 127.0.0.1 (localhost).
o -k <file>: load the KB from the given file.


o -D: only run the description part of the plugin.
o -s: safe checks mode. Plugins flagged ACT_DESTRUCTIVE_ATTACK, ACT_KILL_HOST, ACT_DENIAL or ACT_FLOOD are not executed.
Other options:
o -h: display the help text.
o -v: display the version of the nasl interpreter.
2.4.2 Testing a script
As a simple example, the following script connects to the FTP port (21), reads the banner and displays it on the screen:
# Connect to the FTP port of the target given with -t (127.0.0.1 by default).
soc = open_sock_tcp(21);
if ( ! soc ) exit(0);
# Read one line: the FTP greeting.
banner = recv_line(socket:soc, length:4096);
display(banner);
close(soc);

Save the script as test.nasl, for instance, and run it from the command line. On Linux the full path of the interpreter is /usr/local/bin/nasl; on Windows it is C:\Program Files\Tenable\Nessus\nasl.exe:
$ /usr/local/bin/nasl -t ftp.nessus.org test.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
220 ftp.nessus.org Ready

To avoid this warning, run nasl with administrative privileges: root (or an account with sudo rights) on Linux, Administrator on Windows. The group then used the script above to fetch the banner of the FTP host of http://kmasecurity.net. First find the address of the FTP host, for example with a tool such as http://www.whoishostingthis.com


Figure 2.1 Address of the FTP host of kmasecurity.net
Then ping the FTP host and fetch its banner:

Figure 2.2 Banner returned by the FTP host of kmasecurity.net

CONCLUSION

Through its study and implementation work, the group achieved the following results:
- Understood the structure and basic components of Nessus.
- Learned how to use Nessus to scan for vulnerabilities.
- Studied the structure of the NASL script language and tested some simple scripts.

Given the project's requirement of designing an entirely new plugin of our own to scan for security flaws, our group ran into some difficulties:
- The group could not check the very large number of plugins already supplied by the vendor (the current version 5.0 has about 130 .inc files and 48460 .nasl files) to verify whether the plugin we intended to build duplicates an existing one.
- Designing a plugin of one's own requires deep knowledge of a specific area of security.

From the project's research results and the limitations above, the group sets out the following problems and directions for the future:
- Continue researching and studying the NASL language in more depth, while also increasing experimentation with NASL scripts so as to carry out basic vulnerability scanning tasks fluently.
- Study security flaws in more depth, and how to test for and exploit them.

APPENDIX
A. Guide to installing and using Nessus 5.0 on Windows:

1. Download Nessus:
- First, go to http://www.nessus.org/products/nessus/nessusdownload-agreement and accept Tenable Network Security's terms. After accepting the terms, we are taken to the download page with options for the different versions and operating systems. Since we are installing on Windows, we download the package Nessus-5.0.1-i386.msi (32-bit) or Nessus-5.0.1-x86_64.msi (64-bit).

2. Install:
- First, make sure the current user has the rights to run and install programs.

During installation, Nessus prompts for some basic information before starting; you must agree before moving on to the next step.

To continue with the following installation steps, you must accept the license.

Choose the path where the installation files will be stored.

Choose Complete, then Install, to install Nessus on the machine.

Choose Finish to complete the installation. Nessus installs into the following directories:

Nessus Home Directory          Nessus Sub-Directory             Purpose
Program Files\Tenable\Nessus   \conf                            Nessus configuration files
                               \nessus\plugin                   Nessus plugins
                               \nessus\user\<username>\kbs      User knowledgebase saved on disk
                               \nessus\logs                     Nessus log files

To run Nessus, you must perform the following configuration steps:
- Register Nessus by visiting nessus.org so as to receive updates.
- Perform a plugin update.
- Configure whether the machine is a Nessus server or client.
- Manage Nessus users.
- Start or stop Nessus.

To open the Nessus manager, go to the Start menu and navigate as follows: Start -> Programs -> Tenable Network Security -> Nessus(64) -> Nessus Web Client.

You must click Continue to this website.

Then click through to the page http://www.nessus.org/register to register your information.

Here there are two options: home use or use for a company. Here I choose home use.

We are then taken to a page where we must accept the company's terms.

Next, register your information to obtain the activation code for Nessus.

Complete the registration. Then open the email account used for registration to get the activation code.

Then return to the register page and choose Get started.

On this page, set up a user and password. This user has root privileges (the highest level: it can assign permissions, add, edit and delete users, and run Nessus).

In the next step, enter the activation code, then choose Next. You must make sure there is an Internet connection, otherwise the registration cannot complete.

Once registration is done, choose Next: Download plugins to update them.

This is the plugin update process.

The installation is complete and we are taken to the user authentication page to log in to Nessus.

Understanding Nessus policies

After user authentication, we are taken to a page with the following interface.

The Users section lists all created users; here you can add, remove and edit the permissions of each user.

Overview of Nessus policies

A Nessus policy consists of the configuration options applied during a vulnerability scan. These options include, but are not limited to:
- Parameters controlling the technical aspects of the scan, such as timeouts, number of hosts, type of port scanner, and more.
- Credentials for local scans (e.g. Windows, SSH), authenticated Oracle database scans, HTTP, FTP, POP, IMAP, or Kerberos-based authentication.
- Granular family- or plugin-based scan specifications.
- Database compliance policy checks, report verbosity, service detection scan settings, Unix compliance checks, etc.

Default Nessus policies

Nessus ships with several default policies provided by Tenable Network Security. They supply sample policies to help you create custom policies for your organization or to scan your own resources. Make sure you understand these policies before creating new ones for checking your system.

Policy Name: External Network Scan
Description: This policy is used to scan externally facing hosts. The plugins associated with known web application vulnerabilities (the CGI Abuses and CGI Abuses: XSS plugin families) are enabled. In addition, all 65536 ports (port 0 via a separate plugin) are scanned on each target.

Policy Name: Internal Network Scan
Description: This policy is tuned for better performance, taking into account that it may be used to scan internal networks with many hosts, several services in use, and devices attached to the network such as printers. The CGI Abuses plugins are not enabled, and a standard set of ports is scanned rather than all 65536.

Policy Name: Web App Tests
Description: If you want to scan your system and have Nessus detect both known and unknown security flaws in your web applications, this is the policy to use. The linked checks in this Nessus policy are enabled; they are used to discover web sites and look for security flaws in each parameter, such as XSS, SQL and command injection.

Policy Name: Prepare for PCI DSS audits
Description: This policy enables the built-in PCI DSS compliance checks, compares the results against the standards, and produces a detailed report for building your system. It is very important for evaluating and building a system to the PCI DSS standard.

Testing: to run a vulnerability check, go to the Scans section.

Next, choose Add.

In this interface:
- Name: the name of the website you want to scan; here I scan at4akma.com.
- Type: the execution type; the option chosen here is Run Now, to run immediately.
- Policy: there are 4 choices here, the default Nessus policies; for a web check we choose Web App Tests.
- Scan Target: here you must enter the domain name or address of the website; here I enter the domain name.
Fill in all the information:

After filling in the information, choose Launch Scan.

The interface after choosing Launch Scan.

To check whether the scan has detected any vulnerabilities, double-click the scan and a table of results from the check appears.

This is the check result for at4akma.com, with the check still in progress. To see more information about a flaw, click on that flaw.

B. Division of work within the group:

Work items:
- Writing chapter 1 of the report: overview and basic components of Nessus.
- Installing and using Nessus on Windows.
- Writing chapter 2 of the report: the NASL language, syntax structure, functions, running the interpreter, testing scripts.
- Installing, registering and test-running Nessus.
- Testing the components of Nessus.
- Taking installation screenshots, recording screen video.
- Correcting grammar and document layout.

Members in charge:
1. H Vn Khnh
2. Nguyn Vn Lun
3. ng Vn Cng
4. Trn Cn
