Re: [Plugins-writers] Subject: Nasl to detect Netware RConsole

From: Nicolas Pouvesle (npouvesle@private)
Date: Mon Jan 17 2005 - 19:40:18 PST


Jaco van Heerden wrote:
> Hi guys.
> 
> This NASL will identify Netware Rconsole running on remote servers.
> It has only been tested against the few servers I aimed at, so might
> not work for different language packs?
> 
> Please feel free to shout if it's very broken or to use at will.
> 

I have made some small changes to your plugin, but it's still too prone 
to false positives because it is not impossible to find "0x00, 0x04, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x00" in the first 1024 bytes of some 
server data.

Where are the 8 bytes you are looking for in the server packet? At the 
beginning? In this case I will extract them and compare them to the hex data.


Thanks,


Nicolas


#####


if (description)
{
  script_id (90001);
  script_version("$Revision: 1.1 $");
  script_name (english:"Netware Rconsole test");

  desc["english"] = "The RConsole service is running on this host.
RConsole allows an administrator to remotely admin the server
(Novell Netware) and could provide an attacker with unauthorized
access to the host.

Solution: Disable this service if not used.
Filter incoming connections to this host:port especially from the Internet.

Risk factor: Low";

  script_description (english:desc["english"]);
  script_summary (english:"Test for Rconsole");
  script_category (ACT_GATHER_INFO);
  script_family (english:"Misc.");
  script_copyright (english:"This script is Copyright (C) 2005 
SensePost, Jaco van Heerden");
  script_require_ports(2034);
  exit(0);
}

#
# Script code starts here
#

# 8-byte sequence expected in an RConsole response
data = raw_string(0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00);

# RConsole listens on TCP 2034
port = 2034;

if (!get_port_state(port))
   exit (0);

soc = open_sock_tcp(port);
if (! soc) exit(0);

# Read the server's unsolicited reply (up to 1024 bytes)
getresponse = recv(socket:soc, length:1024);

# Substring match anywhere in the reply (see the false positive concern above)
if (data >< getresponse)
{
  banner = NULL;

  len = strlen(getresponse);

  # The host name is expected from offset 20 to the end of the reply
  if (len >= 20)
    banner = substr(getresponse,20,len-1);

  description = "The RConsole service is running on this host. RConsole
allows an administrator to remotely admin the server (Novell Netware) and
could provide an attacker with unauthorized access to the host.
";

  if (banner)
    description += "The host name is: " + banner;

  description += "

Solution: Disable this service if not used. Filter incoming connections to
this host:port especially from the Internet.

Risk factor: Low
";

  security_note(port:port, data:description);
}

close (soc);
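The two matching strategies discussed in this thread, side by side, as an added example that is not part of the original post or plugin: the plugin's substring match versus a fixed-offset comparison of the 8 bytes. The marker offset (0) and the sample responses are assumptions; the marker, port and banner offset come from the NASL above.

```python
from typing import Optional

# Values taken from the plugin above; the marker offset is an assumption
# (it is exactly the open question in the thread) and is a parameter here.
MARKER = bytes([0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00])
BANNER_OFFSET = 20
READ_LENGTH = 1024


def loose_match(response: bytes) -> bool:
    """Equivalent of the plugin's `data >< getresponse`: the marker may sit
    anywhere in the first 1024 bytes, so unrelated binary data can match."""
    return MARKER in response[:READ_LENGTH]


def strict_match(response: bytes, marker_offset: int = 0) -> bool:
    """Compare exactly the 8 bytes at a fixed offset (assumed 0) with the
    marker, as proposed in the reply above."""
    window = response[marker_offset:marker_offset + len(MARKER)]
    return window == MARKER


def extract_banner(response: bytes) -> Optional[str]:
    """Same extraction as the plugin: everything from offset 20 onwards,
    with trailing NULs removed."""
    if len(response) < BANNER_OFFSET:
        return None
    banner = response[BANNER_OFFSET:].rstrip(b"\x00")
    return banner.decode("ascii", errors="replace") or None


def classify(response: bytes) -> dict:
    """Run both checks so the difference is visible side by side."""
    strict = strict_match(response)
    return {"loose": loose_match(response), "strict": strict,
            "banner": extract_banner(response) if strict else None}


# Constructed sample responses (not real captures):
RCONSOLE_LIKE = MARKER + bytes(12) + b"NW65-FILESRV\x00\x00"
UNRELATED = b"\x89PNG\r\n\x1a\n" + bytes(16) + MARKER + bytes(30)  # marker mid-stream
TRUNCATED = MARKER + bytes(4)                                       # too short for a banner

if __name__ == "__main__":
    for name, sample in [("rconsole-like", RCONSOLE_LIKE),
                         ("unrelated", UNRELATED), ("truncated", TRUNCATED)]:
        print(name, classify(sample))
```

The "unrelated" sample is flagged by the substring check but not by the fixed-offset check, which is the false positive the reply above describes.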
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers