Re: no404

From: H D Moore (hdmat_private)
Date: Tue May 07 2002 - 05:37:35 PDT

  • Next message: John Lampe: "(no subject)"

    On Sunday 05 May 2002 03:40 pm, Noam Rathaus wrote:
    > Hi,
    >
    > (This is long, but please bare with me)
    >
    > I am sorry to bring this up, but it seems that there are too many "trickle
    > though" cases where Nessus will cause false positives when trying to access
    > pages that are not answering a "404 File not found" response.
    
    Had a similar issue, here is a modified version (not complete) which seems to 
    work around most of these problems:
    
    #
    # The script code starts here
    #
    
    function check(url, port)
    {
        req = http_get(item:url, port:port);
    
        soc = open_sock_tcp(port:port);
        if (!soc) { return (0); }
    
        send(socket:soc, data:req);
        result = recv(socket:soc, length:8192, timeout:20);
        close(soc);
        return(result);
    }
    
    function find_err_msg(buffer)
    {
        cmsg = 0;
        for (cmsg = 0; errmsg[cmsg]; cmsg = cmsg + 1)
        {
            cpat = errmsg[cmsg];
            if (ereg(pattern:cpat, string:buffer, icase:TRUE))
            {
                return(cpat);
            }
        }
    
        return (0);
    }
    
    # build list of test urls
    
    badurl[0] = string("/NESS_no404.html");
    badurl[1] = string("/NESS_no404.cgi");
    badurl[2] = string("/NESS_no404.sh");
    badurl[3] = string("/NESS_no404.pl");
    badurl[4] = string("/cgi-bin/NESS_no404.html");
    badurl[5] = string("/cgi-bin/NESS_no404.cgi");
    badurl[6] = string("/cgi-bin/NESS_no404.sh");
    badurl[7] = string("/cgi-bin/NESS_no404.pl");
    
    errmsg[0] = "not found";
    errmsg[1] = "404";
    errmsg[2] = "error has occurred";
    errmsg[3] = "firewall-1 message";
    errmsg[4] = "Reload acp_userinfo database";
    errmsg[5] = "IMail Server Web Messaging";
    
    
    
    debug = 1;
    
    port = get_kb_item("Services/www");
    if(!port)port = 80;
    
    for (c = 0; badurl[c]; c = c + 1)
    {
        url = badurl[c];
    
        if(debug) display("Checking URL ", url, "\n");
    
        ret = check(url,port);
        if (ret != 0)
        {
    
            raw_http_line = egrep(pattern:"^HTTP/", string:ret);
    
            # check for a 200 OK
            if(ereg(pattern:"^HTTP.*200", string:raw_http_line))
            {
                 # look for common "not found": indications
                 not_found = find_err_msg(buffer:ret);
                 if (not_found != 0)
                 {
                    found = string("www/no404/", port);
                    set_kb_item(name:found, value:not_found);
                    security_note(port:port, data:not_found);
                    if(debug) display("200: Using string: ", not_found, "\n");
                    exit(0);
                 }
            }
    
            # check for a 302 Moved
            if(ereg(pattern:"^HTTP.*302", string:raw_http_line))
            {
                 # put the first line of the response as no404 msg ;)
                 found = string("www/no404/", port);
                 set_kb_item(name:found, value:raw_http_line);
                 security_note(port:port, data:raw_http_line);
                 if(debug) display("302: Using ", raw_http_line, "\n");
                 exit(0);
            }
    
        } else {
            if(debug) display("An error occurred when trying to request: ", url, 
    "\n");
        }
    }
    



    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 21:56:20 PDT