[Plugins-writers] Windows registry and filesize checks slow in NASL script

From: John Mummer (jinglespur@private)
Date: Sun Jan 25 2004 - 08:38:10 PST


    Dear all
    
    I'm trying to write my first NASL script.  The aim is
    simply to test for the existence of a file on a
    Windows box and report back the file size. (Eventually
    I'd like to run it against multiple workstations
    belonging to a single domain.)  Rather than begin from
    scratch, I've taken the code from
    smb_nt_ms02-013.nasl, which has all the functionality
    I need, and trivially modified it to return after
    obtaining the file size.
    
    The script works fine (the administrator username and
    password are specified in advance via Preferences),
    but what surprises me is that execution takes
    approximately 100 seconds against a single Windows NT
    4 target, even though all other plugin checks are
    disabled.  I do, however, enable dependencies at
    runtime.
    
    I've tried looking at the exchange of packets using
    Ethereal, but I'm a bit of a novice with this.  I can
    see the portscan over in the first second (which
    corresponds with Nessus' progress bar), but I'm not
    clear what's going on in the remaining 99 seconds.
    It's NetBIOS / SMB stuff (resulting, presumably, from
    some of the other scripts on which mine depends), and
    there are a number of 'Session Setup AndX Request'
    packets generated for different usernames.  Some
    appear redundant, given that the admin username and
    password are known.
    
    The script is below.  Ethereal shows that the
    transactions corresponding to the overt registry query
    and the file size check occur in the last 2 seconds of
    the checks.  
    
    Can anyone suggest how I can bring down the run time
    for this simple test?  You can see my effort below.
    
    Thanks in advance for any advice.
    
    John Mummer
    
    P.S.  I have a TCPDUMP of the session if anyone would
    like to see it, but I hesitate to post it to the list
    in the first instance.
    
    --- script begins ---
    
    if(description)
    {
     script_id(55555);
     script_version("$Revision: 1.0 $");
    
     name["english"] = "Check registry and filesize";
     script_name(english:name["english"]);
     
     desc["english"] = "
    This script checks the presence of a file and its size
    Risk factor : High";
    
     script_description(english:desc["english"]);
     summary["english"] = "Checks registry and file size";
     script_summary(english:summary["english"]);
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison");
     family["english"] = "Private";
     script_family(english:family["english"]);
     
     # These plugins run first and fill in the SMB/* knowledge-base entries read below.
     script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl");
     script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
    
     script_require_ports(139, 445);
     exit(0);
    }
    
    include("smb_nt.inc");
    
    # Read %SystemRoot% (e.g. C:\WINNT) from the registry over SMB.
    rootfile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"SystemRoot");
    if(!rootfile)
    {
     exit(0);
    }
    else
    {
     # "C:\WINNT" -> administrative share "C$" and path "\WINNT\System32\calc.exe"
     share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:rootfile);
     file  = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\System32\calc.exe", string:rootfile);
    }
    
    # Target name, credentials and transport port gathered by the dependency plugins.
    name   = kb_smb_name();
    login  = kb_smb_login();
    pass   = kb_smb_password();
    domain = kb_smb_domain();
    port   = kb_smb_transport();
    if(!port) port = 139;
    
    if(!get_port_state(port))exit(0);
    
    soc = open_sock_tcp(port);
    if(!soc)exit(0);
    
    # NetBIOS session request, protocol negotiation, then the authenticated SMB session.
    r = smb_session_request(soc:soc, remote:name);
    if(!r)exit(0);
    
    prot = smb_neg_prot(soc:soc);
    if(!prot)exit(0);
    
    r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
    if(!r)exit(0);
    
    uid = session_extract_uid(reply:r);
    
    # Connect to the administrative share and open the file to read its size.
    r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
    tid = tconx_extract_tid(reply:r);
    if(!tid)exit(0);
    
    fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
    if(!fid)exit(0);
    
    fsize = smb_get_file_size(socket:soc, uid:uid, tid:tid, fid:fid);
    
    # 97552 is the calc.exe size this script expects; anything else is reported as "probable".
    if (fsize == 97552)
    {
      mymsg = string("CALC found, host IP = ");
      mymsg = mymsg + get_host_ip();
    
      security_hole(port:99999, data:mymsg);
    }
    else
    {
      mymsg = string("Probable CALC found, host IP = ");
      mymsg = mymsg + get_host_ip();
      mymsg = mymsg + string(", file size = ") + fsize;
    
      security_hole(port:99999, data:mymsg);
    }
    
    --- script ends ---
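The two ereg_replace() calls and the final size comparison are the only logic in the script that is not SMB plumbing. The Python below is an added example, not part of John's post or of any Nessus plugin: it reproduces that share/path derivation and the report text, and also covers cases the script's patterns do not (a lower-case drive letter, a trailing backslash, a SystemRoot that is not a drive-letter path, and smb_get_file_size() returning nothing). The sample SystemRoot values are constructed, and 97552 is simply the value hard-coded in the script.

```python
import re
from typing import Optional, Tuple

# Expected size taken from the script above; not verified against any Windows build.
EXPECTED_CALC_SIZE = 97552

# Constructed sample SystemRoot values (not read from a real host).
SAMPLE_SYSTEM_ROOTS = ["C:\\WINNT", "d:\\windows\\", "\\\\srv\\share\\WINNT", ""]

# One regex does the work of both ereg_replace() patterns in the script:
# group 1 is the drive letter, group 2 is everything after the colon.
_DRIVE_RE = re.compile(r"^([A-Za-z]):(.*)$", re.DOTALL)


def split_system_root(system_root: Optional[str]) -> Optional[Tuple[str, str]]:
    """Map 'C:\\WINNT' to ('C$', '\\WINNT').

    Unlike the script's patterns, this accepts a lower-case drive letter and
    strips a trailing backslash; anything that is not a drive-letter path
    yields None instead of an unusable share name (the script's patterns
    would hand the unchanged string to smb_tconx, which then fails).
    """
    m = _DRIVE_RE.match(system_root or "")
    if not m:
        return None
    drive = m.group(1).upper()
    directory = m.group(2).rstrip("\\")
    if not directory.startswith("\\"):
        directory = "\\" + directory
    return f"{drive}$", directory


def smb_target(system_root: Optional[str],
               relative: str = "System32\\calc.exe") -> Optional[Tuple[str, str]]:
    """Return (share, path) to open over SMB, or None if SystemRoot is unusable."""
    parts = split_system_root(system_root)
    if parts is None:
        return None
    share, directory = parts
    return share, f"{directory}\\{relative}"


def classify_size(fsize: Optional[int], expected: int = EXPECTED_CALC_SIZE) -> str:
    """The script's two outcomes, plus the case it never checks: no size at all."""
    if fsize is None:
        return "no size returned"
    return "CALC found" if fsize == expected else "Probable CALC found"


def report(host_ip: str, fsize: Optional[int], expected: int = EXPECTED_CALC_SIZE) -> str:
    """Build the same report line the script passes to security_hole()."""
    verdict = classify_size(fsize, expected)
    line = f"{verdict}, host IP = {host_ip}"
    if verdict == "Probable CALC found":
        line += f", file size = {fsize}"
    return line


if __name__ == "__main__":
    for root in SAMPLE_SYSTEM_ROOTS:
        print(repr(root), "->", smb_target(root))
    print(report("192.0.2.10", 97552))
    print(report("192.0.2.10", 98304))
```

Running it prints the derived share and path for each constructed SystemRoot (None for the UNC and empty cases) followed by the two report lines; the None branch is the one worth carrying back into the NASL, since the script currently reports a "Probable" hit even when no size came back.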
    
    



    This archive was generated by hypermail 2b30 : Sun Jan 25 2004 - 08:39:51 PST