Dear all,

I'm trying to write my first NASL script. The aim is simply to test for the existence of a file on a Windows box and report back the file size. (Eventually I'd like to run it against multiple workstations belonging to a single domain.) Rather than begin from scratch, I've taken the code from smb_nt_ms02-013.nasl, which has all the functionality I need, and trivially modified it to return after obtaining the file size.

The script works fine (the administrator username and password are specified in advance via Preferences), but what surprises me is that execution takes approximately 100 seconds against a single Windows NT 4 target, even though all other plugin checks are disabled. I do, however, enable dependencies at runtime.

I've tried looking at the exchange of packets using Ethereal, but I'm a bit of a novice with this. I can see the port scan is over in the first second (which corresponds with Nessus' progress bar), but I'm not clear what's going on in the remaining 99 seconds. It's NetBIOS/SMB stuff (resulting, presumably, from some of the other scripts on which mine depends), and there are a number of 'Session Setup AndX Request' packets generated for different usernames. Some appear redundant, given that the admin username and password are known. The script is below. Ethereal shows that the transactions corresponding to the overt registry query and the file size check occur in the last 2 seconds of the checks.

Can anyone suggest how I can bring down the run time for this simple test? You can see my effort below. Thanks in advance for any advice.

John Mummer

P.S. I have a TCPDUMP of the session if anyone would like to see it, but I hesitate to post it to the list in the first instance.
--- script begins ---
if(description)
{
  script_id(55555);
  script_version("$Revision: 1.0 $");
  name["english"] = "Check registry and filesize";
  script_name(english:name["english"]);
  desc["english"] = "
This script checks the presence of a file and its size

Risk factor : High";
  script_description(english:desc["english"]);
  summary["english"] = "Checks registry and file size";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison");
  family["english"] = "Private";
  script_family(english:family["english"]);
  # Each dependency runs before this script; the SMB name, credentials and
  # registry access flag are read back from the KB entries they populate
  script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl");
  script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_nt.inc");

# Locate the system root (e.g. C:\WINNT) through the registry
rootfile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"SystemRoot");
if(!rootfile)
{
  exit(0);
}
else
{
  # "C:\WINNT" becomes share "C$" and path "\WINNT\System32\calc.exe"
  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:rootfile);
  file  = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1\System32\calc.exe", string:rootfile);
}

# NetBIOS name, credentials and transport port discovered by the dependency scripts
name   = kb_smb_name();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();
port   = kb_smb_transport();
if(!port) port = 139;
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);

# NetBIOS session request, protocol negotiation, then the authenticated SMB session
r = smb_session_request(soc:soc, remote:name);
if(!r) exit(0);
prot = smb_neg_prot(soc:soc);
if(!prot) exit(0);
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r) exit(0);
uid = session_extract_uid(reply:r);

# Connect to the administrative share and open the file
r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
tid = tconx_extract_tid(reply:r);
if(!tid) exit(0);
fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
if(!fid) exit(0);

# Report the file size; 97552 bytes is the size expected for this calc.exe
fsize = smb_get_file_size(socket:soc, uid:uid, tid:tid, fid:fid);
if (fsize == 97552)
{
  mymsg = string("CALC found, host IP = ");
  mymsg = mymsg + get_host_ip();
  security_hole(port:99999, data:mymsg);
}
else
{
  mymsg = string("Probable CALC found, host IP = ");
  mymsg = mymsg + get_host_ip();
  mymsg = mymsg + string(", file size = ") + fsize;
  security_hole(port:99999, data:mymsg);
}
--- script ends ---

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
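As an added example (not code from the post, from Nessus or from Ethereal): the question "what happens in the remaining 99 seconds" is answered by charging the gap after each packet to the protocol phase that packet belongs to, which makes a dependency that retries Session Setup AndX with several usernames stand out immediately. The Python below does that over a packet-summary listing of the form "<seconds> <protocol> <info>"; the listing embedded in it is constructed to resemble the shape described above (port scan done in the first second, long waits on logon attempts, the real work at the end) and is not the poster's TCPDUMP, and the "Info" wording is an assumption modelled on Ethereal's packet list.

```python
"""Attribute a slow scan's wall-clock time to protocol phases.

Added example, not code from the original post or from Nessus. It assumes a
plain-text packet summary with one packet per line in the form
"<seconds since capture start> <protocol> <info>", the kind of listing the
Ethereal/Wireshark packet pane shows. The capture below is constructed for
illustration and is not a real capture.
"""
import re
from collections import Counter

# Constructed sample: port scan within the first second, two failed
# Session Setup attempts that each wait ~20 s, then the credentialed work.
SAMPLE_SUMMARY = r"""
0.000 TCP 1234 > 139 [SYN]
0.500 TCP 1234 > 445 [SYN]
1.000 SMB Negotiate Protocol Request
1.100 SMB Negotiate Protocol Response
1.200 SMB Session Setup AndX Request, User: guest
21.200 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
21.300 SMB Session Setup AndX Request, User: anonymous
41.300 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
41.400 SMB Session Setup AndX Request, User: administrator
41.500 SMB Session Setup AndX Response
41.600 SMB Tree Connect AndX Request, Path: \\NT4BOX\IPC$
41.700 SMB Tree Connect AndX Response
41.800 SMB NT Create AndX Request, Path: \System32\calc.exe
42.000 SMB NT Create AndX Response, FID: 0x4000
42.100 SMB Trans2 Request, QUERY_FILE_INFO
42.300 SMB Trans2 Response
"""

_PHASE_RE = re.compile(r"^(.*?) (?:Request|Response)\b")
_USER_RE = re.compile(r"User: (\S+)")


def parse_summary(text):
    """Return a list of (time, protocol, info) tuples; blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        t, proto, info = line.split(None, 2)
        packets.append((float(t), proto, info))
    return packets


def phase_of(proto, info):
    """Collapse request/response detail into a phase label such as 'Session Setup AndX'."""
    if proto != "SMB":
        return proto
    m = _PHASE_RE.match(info)
    return m.group(1) if m else info


def attribute_time(packets):
    """Charge the gap after each packet to that packet's phase.

    The wait between a request and its reply is booked against the request's
    phase, which is where a slow server or a retrying client shows up.
    """
    spent = Counter()
    for (t0, proto, info), (t1, _, _) in zip(packets, packets[1:]):
        spent[phase_of(proto, info)] += t1 - t0
    return {phase: round(secs, 3) for phase, secs in spent.items()}


def time_report(packets):
    """Phases sorted by time spent, with each phase's share of total elapsed time."""
    spent = attribute_time(packets)
    total = packets[-1][0] - packets[0][0]
    rows = [(phase, secs, round(100.0 * secs / total, 1)) for phase, secs in spent.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def logon_attempts(packets):
    """Usernames tried in Session Setup AndX requests, in order, each with a failed flag."""
    attempts = []
    pending = None
    for _, proto, info in packets:
        if proto != "SMB":
            continue
        if info.startswith("Session Setup AndX Request"):
            m = _USER_RE.search(info)
            pending = m.group(1) if m else "?"
        elif info.startswith("Session Setup AndX Response") and pending is not None:
            attempts.append((pending, "Error:" in info))
            pending = None
    return attempts


def wasted_logons(packets):
    """Failed Session Setup attempts before the first success: round trips a scan
    that already holds valid credentials could have skipped."""
    count = 0
    for _, failed in logon_attempts(packets):
        if not failed:
            break
        count += 1
    return count


if __name__ == "__main__":
    pkts = parse_summary(SAMPLE_SUMMARY)
    for phase, secs, pct in time_report(pkts):
        print(f"{phase:<22} {secs:8.3f} s  {pct:5.1f}%")
    print("failed logons before first success:", wasted_logons(pkts))
```

Run against a real export, the top row of the report names the phase to look at; if it is Session Setup AndX with several failed usernames ahead of the first success, the time is going into the dependency scripts' logon probing rather than into the file check itself, and the plugin list and dependency settings are where to look next.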
This archive was generated by hypermail 2b30 : Sun Jan 25 2004 - 08:39:51 PST