Nessus security test plugin writing tutorial

zhaozj, 2021-02-17

Author: Renaud Deraison (principal author of Nessus, France)

Translation: NiXe0n

Version: 1.0.0pre2

1 Introduction

1.1. What is NASL?

NASL is a scripting language designed for the Nessus network security scanner. With it, anyone can write a test plugin for a new vulnerability quickly and easily, and the resulting script can be shared with users of other operating systems. NASL also guarantees that a script can only be used to test the target host, which makes it hard to turn a script to malicious purposes.

NASL makes it easy to build raw IP packets or to send ordinary messages, and it provides some special functions for talking to FTP and web servers. In addition, NASL guarantees that:

* no packet is sent to any host other than the target host;

* no command can be executed on the local system.

1.2. What NASL is not

NASL is not a very powerful scripting language. Its purpose is security testing, so do not expect to write a third-generation web server or a file conversion tool in it. For software like that, use Perl, Python or another scripting language; you will write it a hundred times faster than in NASL.

In addition, since NASL was designed in some haste, there are places where its syntax could be improved.

1.3. Why not use Perl, Python, Tcl or another scripting language in Nessus?

I know there are very strong scripting languages with very powerful features, many of which NASL also has. However powerful they are, though, they are not safe. With these languages it is easy to write a trojaned test plugin that leaks your information, tells a third party that you are a Nessus user, or even sends sensitive data (for example your password file) to a third-party host.

These languages have another problem: they consume a lot of system resources, especially memory, which is a real headache. Take Perl as an example. Perl is very good and very elegant, but to write Nessus test plugins in it you have to spend a lot of time installing modules, Net::RawIP being one of them.

By contrast, NASL does not consume a large amount of memory. Even without 256 MB of RAM you can run 20 nessusd threads at the same time. And for writing test plugins NASL itself is sufficient: you do not have to install a pile of packages before you can write a new security test plugin.

1.4. Why write security test plugins yourself?

You may wonder whether learning a scripting language just to write Nessus security test plugins is worth it. Keep in mind that:

* NASL is optimised specifically for Nessus, so security test plugins written in NASL are efficient.

* NASL is very similar to C in many ways, so you will not have to work hard to learn it.

* NASL is ideal for writing security test plugins.

* NASL is very portable. Once the M$ (Windows) version of Nessus is released, every existing security test plugin will work on it as well.

1.5. What this tutorial teaches you

The purpose of this tutorial is to teach you how to write your own Nessus security test plugins.

1.6. NASL limitations

As I said, NASL is not a powerful scripting language. Its biggest limitations are:

* Structures. NASL does not support structures at present; they may be supported in the near future.

* A debugger. NASL has no proper debugger. However, there is a stand-alone interpreter, nasl, that can be used for troubleshooting in the meantime.

1.7. Thanks

The following people made valuable comments on the design of NASL, and the author thanks them here:

Denis Ducamp (Denis@hsc.fr)

Fyodor (fyodor@dhp.com)

Noam Rathaus (nomr@securiteam.com)

2. NASL basics: syntax

Syntactically NASL is very close to C, minus some of the annoying parts. You do not have to deal with objects, you do not have to allocate and free memory, and you do not have to declare variables before using them. This lets you concentrate on writing the security test plugin.

If you do not know C, reading this tutorial may take some effort; if you are proficient in C, it will be very easy.

2.1. Comments

In NASL a comment starts with #. It is only valid for the current line, for example:

Valid comments:

a = 1;   # set a to 1
# set b to 2
b = 2;

Invalid comments:

#
set a to 1
#
a = 1;
a = # set a to 1 # 1;

2.2. Variables, variable types, memory allocation and include

Unlike C, you do not have to declare variables before using them, nor do you care about their types. If you make a type error (for example, adding an IP packet to an integer), NASL will tell you. You do not have to worry about memory allocation or include files as you do in C: NASL has no include mechanism, and memory is allocated automatically when needed.

2.3. Numbers and strings

Numbers in NASL can be written in three bases: decimal, hexadecimal and binary. For example:

a = 1204;
b = 0x0a;
c = 0b001010110110;
d = 123 + 0xFF;

Strings must be enclosed in quotation marks. Note: unlike C, the NASL interpreter does not interpret escape sequences (for example \n) unless you use the string() function. For example:

a = "hello\ni'm renaud";           # a equals hello\ni'm renaud; \n has no special meaning
b = string("hello\ni'm renaud");   # b equals "hello
                                   #          i'm renaud"
c = string(a);                     # c equals b

The string() function is discussed in detail in "String handling".

2.4. Anonymous and non-anonymous parameters

Non-anonymous functions

NASL handles function parameters differently from C. In C, the programmer must remember only the position of each parameter.

When a function has more than ten parameters this becomes painful. A function that builds an IP packet, for example, may take many parameters, and to use it you have to remember their exact order, which wastes a lot of time.

NASL avoids this.

In NASL, when the order of a function's parameters matters, and when the parameters are of different types, the function is a non-anonymous function: you must give the name of each parameter. If you forget some of them, NASL gives you an error at run time. For example:

The forge_ip_packet() function has many parameters. The following two forms are both valid and perform the same operation:

forge_ip_packet(ip_hl: 5, ip_v: 4, ip_p: IPPROTO_TCP);
forge_ip_packet(ip_p: IPPROTO_TCP, ip_v: 4, ip_hl: 5);

When run, the user is told that parameters are missing (ip_len and so on).

Anonymous functions

If a function has only one parameter, or all of its parameters have the same type, it is called an anonymous function. For example:

send_packet(my_packet);
send_packet(packet1, packet2, packet3);

These functions may have options. For example, when using send_packet() you can decide whether to wait for a response. If you do not need the target's response, you can use the following form to speed up the test:

send_packet(packet, pcap_active: FALSE);

2.5. for and while

NASL has two loop constructs, almost identical to C's. Their syntax is:

for (instruction_start; condition; end_loop_instruction)
{
  #
  # code to execute
  #
}

or

for (instruction_start; condition; end_loop_instruction) function();

The while form:

while (condition)
{
  #
  # code to execute
  #
}

or:

while (condition) function();

For example:

# display 1 to 10
for (i = 1; i <= 10; i = i + 1) display("i: ", i, "\n");

# display 1 to 10 and say whether each is odd or even
for (j = 1; j <= 10; j = j + 1)
{
  if (j & 1) display(j, " is odd\n");
  else display(j, " is even\n");
}

# using while
i = 0;
while (i < 10)
{
  i = i + 1;
}

2.6. User-defined functions

NASL lets you define your own functions, using the following syntax:

function my_func(argument1, argument2, ...)

User-defined functions must be called with non-anonymous (named) parameters. NASL can handle recursive calls. For example:

function fact(n)
{
  if ((n == 0) || (n == 1))
    return(1);
  else
    return(n * fact(n: n - 1));
}

display("5! is ", fact(n: 5), "\n");

In addition, a user-defined function should not call other user-defined functions (it is actually possible, but the NASL interpreter issues a warning when it encounters this).

Note: if your function needs to return a value, use the return() function. Because return() is a function, the parentheses are required; the following is wrong:

function func()
{
  return 1;   # fine in C, but wrong in NASL
}

2.7. Operators

The standard C operators +, -, *, / and % are available in NASL. Currently NASL does not implement operator precedence, although later versions will. NASL also supports the C bitwise operators | and &.

In addition, NASL has two operators of its own:

The x operator

For some simple loops, for or while is inconvenient: every iteration has to re-check the condition, which costs efficiency. NASL therefore introduces the x operator to simplify such loops. For example, to send 10 UDP packets the following line is enough:

send_packet(udp) x 10;

The >< operator

This operator tests whether one string is contained in another. For example:

a = "nessus";
b = "i like nessus";
if (a >< b)
{
  # a is contained in b, so this is displayed
  display(a, " is contained in ", b, "\n");
}

3. Network-related functions

3.1. Socket handling

Sockets are the channel through which you talk to other hosts over TCP or UDP. NASL does not let you open a socket to any host other than the test target, so you must open sockets with the functions NASL provides.

3.1.1. How to open a socket

In NASL, open_sock_tcp() and open_sock_udp() open a TCP or UDP socket respectively. Both take one anonymous parameter. Currently you can only open one port per call; a future version will address this. For example, the following code opens a TCP socket and a UDP socket:

# open a TCP socket to port 80
soc1 = open_sock_tcp(80);

# open a UDP socket to port 123
soc2 = open_sock_udp(123);

Both functions return 0 if they cannot establish a connection with the remote host. open_sock_udp() never fails, however, because there is no way to tell whether a UDP port on the remote host is open; open_sock_tcp() returns 0 if the remote port is closed.

open_sock_tcp() can therefore be used to scan TCP ports, for example:

start = prompt("First port to scan? ");   # enter the first port
end = prompt("Last port to scan? ");      # enter the last port

for (i = start; i <= end; i = i + 1)
{
  soc = open_sock_tcp(i);
  if (soc)
  {
    display("port ", i, " is open\n");
    close(soc);
  }
}

3.1.2. Closing a socket

A socket is closed with the close() function. Before closing it, call shutdown() first.

3.1.3. Reading from and writing to a socket

Depending on the type of socket you read from or write to, you can use the following functions for these two operations:

recv(socket: <socket>, length: <length> [, timeout: <timeout>])

Reads <length> bytes from the socket. This function works for both TCP and UDP. The timeout parameter is optional and given in seconds.

recv_line(socket: <socket>, length: <length> [, timeout: <timeout>])

Similar to recv(), except that it stops reading at a newline (\n). This function can only be used on TCP sockets.

send(socket: <socket>, data: <data> [, length: <length>])

Writes data to the socket. The optional length parameter tells the function how many bytes to send. If length is not given, sending stops at the first NUL byte.

If the timeout parameter is not given, the read functions (recv() and recv_line()) use a default timeout of 5 seconds and return FALSE when it expires. For example:

# the following code displays the banner of the remote FTP server
soc = open_sock_tcp(21);
if (soc)
{
  data = recv_line(socket: soc, length: 1024);
  if (data)
  {
    display("the remote FTP banner is:\n", data, "\n");
  }
  else
  {
    display("the remote FTP server seems to be TCP-wrapped\n");
  }
  close(soc);
}

3.1.4. High-level operations

NASL has a few functions for the FTP and WWW protocols that simplify common operations on these two application-layer protocols.

ftp_log_in(socket: <socket>, user: <user>, pass: <password>)

Tries to log in to the remote FTP host through <socket>. Returns TRUE if the user name and password are accepted, FALSE otherwise.

ftp_get_pasv_port(socket: <socket>)

Sends a PASV command to the remote FTP server and returns the port it answers with; a NASL script can then download data from the FTP server through that port. If an error occurs, FALSE is returned.

is_cgi_installed(<cgi_name>)

Tests whether the CGI program <cgi_name> is installed on the remote web server by requesting it. If <cgi_name> does not start with a slash (/), it is taken to be relative to /cgi-bin/.

This function can also be used to check whether a file exists.

Example script:

#
# test for WWW servers
#
if (is_cgi_installed("/robots.txt"))
{
  display("the file /robots.txt is present\n");
}

if (is_cgi_installed("php.cgi"))
{
  display("the CGI php.cgi is installed in /cgi-bin/\n");
}

if (!is_cgi_installed("/php.cgi"))
{
  display("there is no php.cgi in the remote web root\n");
}

#
# test for FTP servers
#

# open a connection
soc = open_sock_tcp(21);

# anonymous login to the remote FTP host
if (ftp_log_in(socket: soc, user: "anonymous", pass: "joe@"))
{
  # open a passive-mode data port
  port = ftp_get_pasv_port(socket: soc);
  if (port)
  {
    soc2 = open_sock_tcp(port);
    # try to get the remote system's /etc/passwd file
    data = string("RETR /etc/passwd\r\n");
    send(socket: soc, data: data);
    password_file = recv(socket: soc2, length: 10000);
    display(password_file);
    close(soc2);
  }
  close(soc);
}

3.2. Raw packet handling

NASL lets you build your own IP packets, and it customises them intelligently. For example, if you change a field of a TCP packet its TCP checksum changes too, but you do not have to take care of that: NASL does it for you.

All raw packet constructors take non-anonymous parameters, and the parameter names follow the BSD header structures. So the length field of an IP packet is called ip_len rather than length.

3.2.1. Building an IP packet

In NASL you build a new IP packet with forge_ip_packet(); get_ip_element() reads the value of a field of a packet, and set_ip_elements() changes the value of a field of an existing IP packet. The prototype of forge_ip_packet() is:

<ip_packet> = forge_ip_packet(ip_hl: <value>,
                              ip_v: <value>,
                              ip_tos: <value>,
                              ip_len: <value>,
                              ip_id: <value>,
                              ip_off: <value>,
                              ip_ttl: <value>,
                              ip_p: <value>,
                              ip_src: <address>,
                              ip_dst: <address>,
                              [ip_sum: <value>]);

The ip_sum parameter is optional; if it is omitted, NASL computes the packet checksum itself. The ip_p parameter can be an integer or one of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_IP and so on.

The prototype of get_ip_element() is:

<value> = get_ip_element(ip: <ip_packet>,
                         element: "ip_hl" | "ip_v" | "ip_tos" | "ip_len" |
                                  "ip_id" | "ip_off" | "ip_ttl" | "ip_p" |
                                  "ip_sum" | "ip_src" | "ip_dst");

get_ip_element() returns the value of one field of the packet. The element parameter must be one of "ip_hl", "ip_v", "ip_tos", "ip_len", "ip_id", "ip_off", "ip_ttl", "ip_p", "ip_sum", "ip_src" or "ip_dst", and the quotation marks are required.

The prototype of set_ip_elements() is:

set_ip_elements(ip: <ip_packet>,
                [ip_hl: <value>,]
                [ip_v: <value>,]
                [ip_tos: <value>,]
                [ip_len: <value>,]
                [ip_id: <value>,]
                [ip_off: <value>,]
                [ip_ttl: <value>,]
                [ip_p: <value>,]
                [ip_src: <address>,]
                [ip_dst: <address>,]
                [ip_sum: <value>]);

This function changes fields of an IP packet; if you do not set ip_sum yourself, the checksum is recomputed automatically. It cannot build a packet on its own, so it must be used after forge_ip_packet(). Finally, dump_ip_packet() prints the contents of an IP packet to the screen in readable form; it should only be used for debugging.

3.2.2. Building a TCP packet

forge_tcp_packet() builds a TCP packet. Its prototype is:

<tcp_packet> = forge_tcp_packet(ip: <ip_packet>,
                                th_sport: <value>,
                                th_dport: <value>,
                                th_flags: <value>,
                                th_seq: <value>,
                                [th_x2: <value>],
                                th_off: <value>,
                                th_win: <value>,
                                th_urp: <value>,
                                th_sum: <value>,
                                [data: <data>]);

The flags parameter th_flags is one of TH_SYN, TH_ACK, TH_RST and so on, which may be combined with the | operator; th_flags may also be given as an integer. <ip_packet> must first have been produced by forge_ip_packet(), or be the value returned by send_packet() or pcap_next().

set_tcp_elements() modifies the contents of a TCP packet. Its prototype is:

set_tcp_elements(tcp: <tcp_packet>,
                 [th_sport: <value>,]
                 [th_dport: <value>,]
                 [th_flags: <value>,]
                 [th_seq: <value>,]
                 [th_ack: <value>,]
                 [th_x2: <value>,]
                 [th_off: <value>,]
                 [th_win: <value>,]
                 [th_urp: <value>,]
                 [th_sum: <value>,]
                 [data: <data>]);

Unless you set th_sum yourself, the function recomputes the packet checksum automatically.

get_tcp_element() reads a field of a TCP packet. Its prototype is:

<value> = get_tcp_element(tcp: <tcp_packet>,
                          element: <element_name>);

<element_name> must be one of "th_sport", "th_dport", "th_flags", "th_seq", "th_ack", "th_x2", "th_off", "th_win", "th_urp" or "th_sum". Note: the quotation marks are required.

3.2.3. Building a UDP packet

The UDP packet constructor forge_udp_packet() is very similar to the TCP constructor. Its prototype is:

<udp_packet> = forge_udp_packet(ip: <ip_packet>,
                                uh_sport: <value>,
                                uh_dport: <value>,
                                uh_ulen: <value>,
                                [uh_sum: <value>,]
                                [data: <data>]);

The set_udp_elements() and get_udp_elements() functions correspond to their TCP counterparts.

3.2.4. Building an ICMP packet

3.2.5. Building an IGMP packet

3.2.6. Sending a packet

Once your packets are built, you send them with the send_packet() function, whose prototype is:

<reply> = send_packet(packet1, packet2, ..., packetn,
                      pcap_active: <TRUE|FALSE>,
                      pcap_filter: <filter>);

If pcap_active is TRUE, the function waits for the target's response. pcap_filter selects the kind of packet you want to receive; see the pcap or tcpdump man page for the filter syntax.

3.2.7. Reading a packet

You can read a packet with the pcap_next() function, whose prototype is:

<reply> = pcap_next();

This function reads one packet from the interface you used last; which packets are returned depends on the pcap filter set most recently.
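The following script is an added example (it is not part of the original tutorial) that puts forge_ip_packet(), forge_tcp_packet(), send_packet() and get_tcp_element() together: it sends one SYN to a port the scanner already found open and reads the flags of the reply. The source port 40000, the ip_id and the sequence number are constructed values; ip_sum and th_sum are left out so that NASL computes both checksums.

```nasl
#
# Added example, not from the original tutorial: send one TCP SYN to a
# port the scanner already knows is open, wait for the answer with
# send_packet(pcap_active: TRUE), and inspect the flags of the reply.
#
port = get_host_open_port();
if (!port) exit(0);           # nothing known to be open: nothing to probe

sport = 40000;                # constructed source port
seq = 0x1000;                 # constructed initial sequence number

# IP header; ip_sum is omitted so NASL computes the checksum itself.
ip = forge_ip_packet(ip_v: 4,
                     ip_hl: 5,
                     ip_tos: 0,
                     ip_len: 20,
                     ip_id: 0x1234,          # constructed value
                     ip_off: 0,
                     ip_ttl: 64,
                     ip_p: IPPROTO_TCP,
                     ip_src: this_host(),
                     ip_dst: get_host_ip());

# TCP SYN segment on top of that header; th_sum is omitted so the
# TCP checksum is computed for us.
tcp = forge_tcp_packet(ip: ip,
                       th_sport: sport,
                       th_dport: port,
                       th_flags: TH_SYN,
                       th_seq: seq,
                       th_ack: 0,
                       th_x2: 0,
                       th_off: 5,
                       th_win: 2048,
                       th_urp: 0);

# Only capture the target's answer to our probe (tcpdump filter syntax).
filter = string("tcp and src host ", get_host_ip(),
                " and src port ", port,
                " and dst port ", sport);

reply = send_packet(tcp, pcap_active: TRUE, pcap_filter: filter);

if (!reply)
{
  display("no answer from port ", port, " within the pcap timeout\n");
  exit(0);
}

flags = get_tcp_element(tcp: reply, element: "th_flags");

# NASL has no operator precedence: parenthesise every sub-expression.
if ((flags & TH_SYN) && (flags & TH_ACK))
{
  display("port ", port, " answered SYN/ACK: open\n");
}
if (flags & TH_RST)
{
  display("port ", port, " answered RST: closed\n");
}
```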

3.3. Utility functions

NASL also provides some utility functions to simplify your programming.

this_host()

Returns the IP address of the host running the script. No parameters.

get_host_name()

Returns the host name of the host being tested. No parameters.

get_host_ip()

Returns the IP address of the host being tested. No parameters.

get_host_open_port()

Returns the first port number found open on the remote host. No parameters. This is very useful for some scripts (for example LAND), and TCP sequence number analysers need an open port on the remote host to talk to.

get_port_state(<port>)

Returns TRUE if the TCP port is open or its state is unknown.

telnet_init(<socket>)

Initialises a telnet session on an open socket and returns the first line of data sent by the telnet server. For example:

soc = open_sock_tcp(23);
buffer = telnet_init(soc);
display("the remote telnet banner is ", buffer, "\n");

tcp_ping()

Returns TRUE if the remote host answers a TCP ping (a TCP packet with the ACK flag set). No parameters.

getrpcport()

Returns the port number of an RPC program on the remote host. Its prototype is:

<result> = getrpcport(program: <program>,
                      protocol: <protocol>
                      [, version: <version>]);

If the program is not registered with the RPC portmap daemon on the remote host, the lookup fails.

4. String handling

NASL lets you handle strings the way you handle numbers, so you can safely use ==, < and the other comparison operators on them. For example:

a = "Version 1.2.3";
b = "Version 1.4.1";
if (a < b)
{
  # because Version 1.2.3 is lower than Version 1.4.1,
  # the code here is executed
}

c = "Version 1.2.3";
if (a == c)
{
  # the two strings are equal,
  # so the code here is executed
}

Individual characters of a string can be read exactly as in C, for example:

a = "test";
b = a[1];   # b equals "e"

You can also add and subtract strings, for example:

a = "Version 1.2.3";
b = a - "Version ";   # b equals "1.2.3"

a = "this is a test";
b = "is a ";
c = a - b;            # c equals "this test"

a = "test";
b = "test";
c = a + b;            # c equals "testtest"

Besides these, the >< operator described in section 2.7 tests whether one string is contained in another.

4.1. The ereg() function: regular expressions

In NASL, pattern matching is done with the ereg() function. Its prototype is:

<result> = ereg(pattern: <pattern>, string: <string>)

The regular expression syntax is egrep style; see the egrep man page for details. For example:

if (ereg(pattern: ".*", string: "test"))
{
  display("always executed\n");
}

mystring = recv(socket: soc, length: 1024);
if (ereg(pattern: "SSH-.*-1\..*", string: mystring))
{
  display("SSH 1.x is running on this host\n");
}

4.2. The egrep() function

The egrep() function returns the lines of a multi-line text that match <pattern>. Used on a single line it is equivalent to ereg(). If nothing matches it returns FALSE. Its prototype is:

<str> = egrep(pattern: <pattern>, string: <string>)

Example:

soc = open_sock_tcp(80);
str = string("HEAD / HTTP/1.0\r\n\r\n");
send(socket: soc, data: str);
r = recv(socket: soc, length: 1024);
server = egrep(pattern: "^Server.*", string: r);
if (server) display(server);

4.3. The crap() function

The crap() function is handy for testing buffer overflows. It has two prototypes:

crap(<length>)

Returns a string of <length> characters.

crap(length: <length>, data: <data>)

Returns a string of <length> characters built by repeating <data>. For example:

a = crap(5);                           # a = "xxxxx"
b = crap(4096);                        # b = "xxx...xxx" (4096 x's)
c = crap(length: 12, data: "hello");   # c = "hellohellohe"

4.4. The string() function

This function builds strings. Its prototype is:

string(<arg1> [, ..., <argn>]);

It interprets escape sequences such as \n and \t in its arguments. For example:

name = "renaud";
a = string("hello, i am ", name, "\n");      # a equals "hello, i am renaud" followed by a newline
b = string(1, " and ", 2, " make ", 1 + 2);  # b equals "1 and 2 make 3"
c = string("MKD ", crap(4096), "\r\n");      # c equals "MKD xxx...xxx" (4096 x's) followed by a carriage return and a newline

4.5. The strlen() function

The strlen() function returns the length of a string, for example:

a = strlen("abcd");   # a equals 4

4.6. The raw_string() function

This function converts numbers into the corresponding characters, for example:

a = raw_string(80, 81, 82);   # 80, 81 and 82 are the ASCII codes of P, Q and R, so a equals "PQR"

4.7. The strtoint() function

This function converts a NASL integer into a binary integer (a byte string). Its prototype is:

<value> = strtoint(number: <number>, size: <size>);

It is best used together with raw_string(). The size parameter is the number of bytes the NASL integer occupies and can be 1, 2 or 4.

4.8. The tolower() function

This function converts every uppercase character of a string to lowercase. Its prototype is:

<string2> = tolower(<string>);

For example:

a = "Hello, World";
b = tolower(a);   # b equals "hello, world"

5. Summary

This is the first part of the NASL reference guide; it has introduced the various functions of NASL. The next part explains systematically how to write a Nessus security test plugin.

1. How to write an efficient Nessus security test plugin

In Nessus, all security tests are launched by the nessusd process. A good test plugin must make effective use of the results of the other test plugins. For example, a plugin that needs to open a connection to the FTP server should first check the result of the port scan plugin to see whether the FTP port is open. Usually this only saves a little time, but if the tested host is behind a firewall that silently drops packets to port 21, it avoids a long wait for the TCP connection to time out.

1.1. Finding out whether a port is open

The get_port_state() function returns the state of a port. If the port is open it returns TRUE; if it is closed it returns FALSE; and if the port has not been scanned, so its state is unknown, it returns TRUE. This function uses hardly any CPU, so use it wherever you can to make your plugins more efficient.

1.2. The knowledge base (KB)

During a test, Nessus maintains a knowledge base of the information gathered by the scanning plugins (the translator notes that "basic information" might be a more natural rendering than the literal "knowledge base"). Other plugins should use it as much as possible to improve test efficiency. The port states, in fact, are stored there. The KB is divided into several categories; the Services category records each known service and the port assigned to it. For example, in most cases the value of Services/smtp is 25, but if the remote host hides its SMTP service on port 2500, the value becomes 2500.

For details of the knowledge base, see Appendix B.

NASL has two functions for the KB. get_kb_item() returns the value of a KB item and takes an anonymous parameter; set_kb_item(name: <name>, value: <value>) sets the item <name> to <value>.

Note: you cannot read back a KB item you have just set. For example, the following code will not do what you expect:

set_kb_item(name: "attack", value: TRUE);
if (get_kb_item("attack"))
{
  # the code here never runs,
  # because the "attack" item is not updated
}

This is deliberate, for the sake of security and code stability. During a test, the Nessus server keeps a copy of the KB for each security test plugin, and a plugin only reads from its own copy. set_kb_item() updates only the original KB, not the copy of the currently running plugin.

2. Structure of a NASL script

Every security test plugin must register with the Nessus server before it can be used. The registration information includes the name, description, author and so on. Every NASL script therefore has the following structure:

#
# basic structure of a NASL script
#
if (description)
{
  # this is the registration information;
  #
  # this part can be called the registration section
  #
  exit(0);
}

#
# this is the script body; we can call it the attack section
#

description is a global variable whose value is TRUE or FALSE, depending on whether the script is being asked to register itself.

2.1. Registration section

In the registration section the script must call the following functions:

script_name(language1: <name>, [...])

Sets the name displayed in the Nessus client window.

script_description(language1: <description>, [...])

Sets the description displayed in the Nessus client.

script_summary(language1: <summary>, [...])

Sets the summary, which must describe the test in one line.

script_category(<category>)

Sets the category of the script, which must be one of ACT_ATTACK, ACT_GATHER_INFO, ACT_DENIAL and ACT_SCANNER:

ACT_GATHER_INFO

Information gathering script. Such scripts are launched first and do no harm to the remote host.

ACT_ATTACK

Such scripts try to gain some privilege on the remote host and may harm it (for example, a buffer overflow test plugin).

ACT_DENIAL

Such scripts launch denial of service attacks and try to bring the remote host down.

ACT_SCANNER

Port scanning scripts.

script_copyright(language1: <copyright>, [...])

Sets the copyright notice of the script.

script_family(language1: <family>, [...])

Sets the family the script belongs to. NASL has no fixed rule; you can define any family you like for your script, such as "NiXe0n's PowerTools", but I do not recommend it. The families currently in use are:

Backdoors
CGI abuses
Denial of Service
FTP
Finger abuses
Firewalls
Gain a shell remotely
Gain root remotely
Misc
NIS
RPC
Remote file access
SMTP problems
Useless services

You may have noticed that all of the functions above take a parameter called language1. It provides multi-language support. Every NASL script must support English, so the exact syntax of these functions is:

script_function(english: english_text, [francais: french_text, deutsch: german_text, ...]);

Besides the functions above, there is a function for expressing the dependencies of a security test plugin, script_dependencies(). It tells the nessusd server to launch the current script only after certain other scripts. You need it whenever the current script relies on results obtained by other scripts. Its prototype is:

script_dependencies(filename1 [, filename2, ..., filenamen]);

The filename parameters are the script file names.

2.2. Attack section

The attack section of the script holds all the code that performs the test. Once the test is complete, security_warning() and security_hole() report whether the security problem exists. The two are used the same way; security_warning() is for the case where the test succeeds but the problem is not serious. Their prototypes are:

security_warning(<port> [, protocol: <protocol>]);
security_hole(<port> [, protocol: <protocol>]);

security_warning(port: <port>, data: <data> [, protocol: <protocol>]);
security_hole(port: <port>, data: <data> [, protocol: <protocol>]);

In the first form, the text shown by the client is the one given to script_description() when the script registered. This is convenient because it supports multiple languages.

In the second form, the client shows the contents of the data parameter. This form must be used when you need to display data obtained dynamically.

2.3. CVE compatibility

CVE is a database maintained by MITRE that provides standard descriptions of security-related issues.

For details see http://cve.mitre.org.

Nessus is fully CVE compatible. If your script tests for a security issue that has a CVE entry, call script_cve_id() in the description section of the plugin. Its prototype is:

script_cve_id(<string>);

For example:

script_cve_id("CVE-1999-0991");

When this function is used, the Nessus client automatically references the relevant CVE record when it generates a report.

2.4. Example

Besides security tests, NASL can also be used to write maintenance scripts. The following example lets you check which hosts are running an SSH service.

#
# check for SSH
#
if (description)
{
  script_name(english: "Ensure the presence of SSH");
  script_description(english: "This script makes sure that SSH is running");
  script_summary(english: "Connects to the remote TCP port 22");
  script_category(ACT_GATHER_INFO);
  script_family(english: "Administration toolbox");
  script_copyright(english: "This script was written by Joe U.");
  exit(0);
}

#
# the SSH service may hide on another port,
# so we rely on the result of the find_service plugin
#
port = get_kb_item("Services/ssh");
if (!port) port = 22;

# first, assume SSH is not installed
ok = 0;

if (get_port_state(port))
{
  soc = open_sock_tcp(port);
  if (soc)
  {
    # check that the port is not protected by a TCP wrapper
    data = recv(socket: soc, length: 200);
    if ("SSH" >< data) ok = 1;
  }
  close(soc);
}

#
# report hosts that do not provide an SSH service
#
if (!ok)
{
  report = "SSH is not running on this host!";
  security_warning(port: 22, data: report);
}

3. Script optimization

During a security test, the nessusd server starts more than 200 scripts. If all of them were badly written, the test would waste a lot of time. You must therefore try to make your script as efficient as possible.

3.1. Only run when necessary

The most effective optimization is to tell the nessusd server when not to start your script at all. For example, suppose your script needs to connect to TCP port 123 on the remote host; if Nessus already knows that this port is closed, there is no point in starting the script. The functions script_require_ports(), script_require_keys() and script_exclude_keys() serve this purpose. They must be called in the description section:

script_require_ports(<port1>, <port2>, ...)

The script is started only if at least one of the listed ports is open. A parameter can be a port number or a symbolic name defined in the knowledge base (KB), such as "Services/www". Note: if the state of the port is unknown, this script is also executed.

script_require_keys(<key1>, <key2>, ...)

The script is executed only if all the listed keys are defined in the knowledge base (KB). E.g.:

script_require_keys("ftp/anonymous", "ftp/writeable_dir");

The current script is launched only if the remote FTP server accepts anonymous users and has a writable directory.

script_exclude_keys(<key1>, <key2>, ...)

The current script is not executed if at least one of the listed keys is defined in the knowledge base (KB).
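An added example, not from the tutorial, that puts the three functions above into one description section together with script_dependencies(), and then reuses the knowledge base in the attack section the way section 3.2 recommends. The keys ftp/anonymous, ftp/writeable_dir and Services/ftp and the plugins find_service.nes and ftp_anonymous.nasl are the ones named on this page; the key "ftp/example_already_reported" is an assumed name used only for this illustration.

```nasl
#
# Added example (not part of the original tutorial).
# The key ftp/example_already_reported is an assumed name.
#
if(description)
{
  script_name(english:"Anonymous writable FTP directory report (illustration)");
  script_description(english:"Reports the directory an anonymous user can
write to on the remote FTP server, using information gathered by other plugins.");
  script_summary(english:"Uses the KB to decide whether to connect at all");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"Added example, no copyright claimed");

  # 1. Run only after the plugins that fill in the keys used below.
  script_dependencies("find_service.nes", "ftp_anonymous.nasl");
  # 2. Start only if the FTP port found by find_service (or 21) is open.
  script_require_ports("Services/ftp", 21);
  # 3. Start only if anonymous login AND a writable directory were found.
  script_require_keys("ftp/anonymous", "ftp/writeable_dir");
  # 4. Do not start at all if the result was already recorded (assumed key).
  script_exclude_keys("ftp/example_already_reported");
  exit(0);
}

#
# Attack section.  This code runs only when every condition above holds, so
# hosts without anonymous FTP cost nothing.
#
port = get_kb_item("Services/ftp");
if(!port) port = 21;

# Section 3.2: ask the KB about the port before opening a socket; a closed
# port is answered without any network traffic.
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);
banner = recv_line(socket:soc, length:1024);
close(soc);

dir = get_kb_item("ftp/writeable_dir");
report = string("Anonymous users can write into the directory ", dir,
                " on the remote FTP server.\nServer banner: ", banner);
security_warning(port:port, data:report);

# Remember that the report was made, so a later plugin (or a later run of
# this one) that excludes this key will be skipped.  Assumed key name.
set_kb_item(name:"ftp/example_already_reported", value:TRUE);
```

Note the order of the checks: script_require_ports() and script_require_keys() are evaluated by nessusd before the script is even started, while get_port_state() is a run-time lookup inside the script; both read the same knowledge base.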

3.2. Use the results of other scripts

Making full use of the information in the knowledge base makes a script more efficient. For example, before calling open_sock_tcp(), first call get_port_state() so that no time is wasted when the target port is closed.

4. How to share your new script

If you want others to share your results, follow the following principles when writing test scripts:

Your script must not interact with the user

NASL security test scripts run on the server side, so the user never sees any output from them.

One script tests one vulnerability only

If you know how to test for several vulnerabilities, write a separate test script for each of them.

Your script should fit into an existing family

If you intend to share your work, avoid creating new plugin families such as "Joe's Power Tools"; put the plugin into one of the existing families instead.

Check whether CVE has an entry for the vulnerability

If you take care of CVE compatibility yourself, you save the Nessus maintainers a lot of time.

Send your work to the Nessus maintainer

The Nessus maintainer is the author of this document. If you do not want to keep your script to yourself, send it to him. If your script is accepted, it will be assigned a unique ID.

5 Conclusion

I hope you have enjoyed this tutorial. Learning this language does not take much time, but you need to practice. While using it you will find some bugs in the NASL interpreter; please report them to me promptly.

Appendix A. Basic Information (KNOWLEDGE BASE)

The knowledge base is a set of keys holding information gathered by other test plugins. With the functions script_dependencies(), get_kb_item() and set_kb_item() you can avoid repeating tests that another plugin has already done. This appendix lists the keys.

In the knowledge base (KB), a key can have several values. For example, if a remote host runs two FTP servers, one on port 21 and the other on port 2100, the key Services/ftp holds both 21 and 2100. In that case a test script that reads the key runs twice: the first time get_kb_item("Services/ftp") returns 21, the second time it returns 2100. This happens automatically, without any intervention; from the script writer's point of view, every key holds exactly one value. Some keys are not used by any script at the moment, but that is not a problem.
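An added example, not from the tutorial, of how two plugins cooperate through the knowledge base: the first stores a value with set_kb_item(), the second declares a dependency on it with script_dependencies() and reads it back with get_kb_item(), never opening a connection itself. The file names example_banner_collect.nasl and example_banner_report.nasl and the key example/banner/<port> are assumed for this illustration; Services/ftp and find_service.nes are the ones listed below. Because Services/ftp may hold several values, nessusd runs each of these scripts once per FTP port, which is why the key is qualified with the port number.

```nasl
#
# Added example (not part of the original tutorial).  File names and the key
# example/banner/<port> are assumed.
#

# ---------- example_banner_collect.nasl (producer) ----------
if(description)
{
  script_name(english:"Collect the FTP banner into the KB (illustration)");
  script_description(english:"Stores the FTP banner in the knowledge base for
other plugins.  This script reports nothing by itself.");
  script_summary(english:"Fills in the key example/banner/<port>");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"Added example, no copyright claimed");
  script_dependencies("find_service.nes");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

# Services/ftp may hold one value per FTP server found; nessusd runs this
# script once per value, so the code below only ever sees a single port.
port = get_kb_item("Services/ftp");
if(!port) port = 21;
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);
banner = recv_line(socket:soc, length:1024);
close(soc);

if(banner)
{
  # One key per port, so a consumer can tell the servers apart.
  set_kb_item(name:string("example/banner/", port), value:banner);
}

# ---------- example_banner_report.nasl (consumer) ----------
if(description)
{
  script_name(english:"Report the FTP banner from the KB (illustration)");
  script_description(english:"Displays the FTP banner collected by
example_banner_collect.nasl without connecting to the server again.");
  script_summary(english:"Reads the key example/banner/<port>");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"Added example, no copyright claimed");
  # Guarantees that the producer has run first, so the key is filled in
  # whenever a banner could be read.
  script_dependencies("example_banner_collect.nasl");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

port = get_kb_item("Services/ftp");
if(!port) port = 21;

banner = get_kb_item(string("example/banner/", port));
# The producer found nothing on this port, so there is nothing to report.
if(!banner) exit(0);

security_warning(port:port,
                 data:string("The remote FTP server announces itself as:\n", banner));
```

The consumer never calls open_sock_tcp(): the only network traffic for this pair is the single banner read done by the producer, whatever the number of plugins that later use the stored value.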

Host/OS
Definition file: queso.nasl, nmap_wrapper.nasl
Type: string
Meaning: type of the remote operating system

Host/dead
Definition file: ping_host.nasl and all DoS plugins
Type: boolean
Meaning: the remote host is down. If this key is set, nessusd stops all tests against this host.

Services/www
Definition file: find_service.nes
Type: port number
Meaning: the port on which the web server of the target host listens. 0 if no web server was found.

Services/auth
Definition file: find_service.nes
Type: port number
Meaning: the port used by the identd service. 0 if there is no such service.

Services/echo
Definition file: find_service.nes
Type: port number
Meaning: the port used by the echo service. 0 if there is no such service.

Services/finger
Definition file: find_service.nes
Type: port number
Meaning: the port used by the finger service. 0 if there is no such service.

Services/ftp
Definition file: find_service.nes
Type: port number
Meaning: the port used by the FTP service. 0 if there is no such service.

Services/smtp
Definition file: find_service.nes
Type: port number
Meaning: the port used by the SMTP service. 0 if there is no such service.

Services/ssh
Definition file: find_service.nes
Type: port number
Meaning: the port used by the SSH service. 0 if there is no such service.

Services/http_proxy
Definition file: find_service.nes
Type: port number
Meaning: the port used by the HTTP proxy service. 0 if there is no such service.

Services/imap
Definition file: find_service.nes
Type: port number
Meaning: the port used by the IMAP service. 0 if there is no such service.

Services/pop1
Definition file: find_service.nes
Type: port number
Meaning: the port used by the POP1 service. 0 if there is no such service.

Services/pop2
Definition file: find_service.nes
Type: port number
Meaning: the port used by the POP2 service. 0 if there is no such service.

Services/pop3
Definition file: find_service.nes
Type: port number
Meaning: the port used by the POP3 service. 0 if there is no such service.

Services/nntp
Definition file: find_service.nes
Type: port number
Meaning: the port used by the NNTP service. 0 if there is no such service.

Services/linuxconf
Definition file: find_service.nes
Type: port number
Meaning: the port used by the linuxconf service. 0 if there is no such service.

Services/swat
Definition file: find_service.nes
Type: port number
Meaning: the port used by the SWAT service. 0 if there is no such service.

Services/wild_shell
Definition file: find_service.nes
Type: port number
Meaning: the port on which a shell service is offered. 0 if there is no such service.

Services/telnet
Definition file: find_service.nes
Type: port number
Meaning: the port used by the telnet service. 0 if there is no such service.

Services/server
Definition file: find_service.nes
Type: port number
Meaning: the port used by the RealServer service. 0 if there is no such service.

Services/netbus
Definition file: find_service.nes
Type: port number
Meaning: the port used by the NetBus service. 0 if there is no such service.

Bind/version
Definition file: bind_version.nasl
Type: string
Meaning: version of the remote BIND daemon

RPC/bootparamd
Definition file: bootparamd.nasl
Type: string
Meaning: the bootparam RPC service is running

Windows compatible
Definition file: ca_unicenter_file_transfer_service.nasl, ca_unicenter_transport_service.nasl, mssqlser_dtect.nasl and windows_detect.nasl
Type: boolean
Meaning: the remote host seems to run a Windows compatible operating system (this is only tested when the relevant port is open)

Finger/search.**@host
Definition file: cfinger_search.nasl
Type: boolean
Meaning: a finger query for search.** returns the list of users

Finger/0@host
Definition file: finger_0.nasl
Type: boolean
Meaning: a finger query for 0 returns the list of users

Finger/.@host
Definition file: finger_dot.nasl
Type: boolean
Meaning: a finger query for . returns the list of users

Finger/user@host1@host2
Definition file: finger_0.nasl
Type: boolean
Meaning: the remote finger daemon can be used for redirection attacks

www/frontpage
Definition file: frontpage.nasl
Type: boolean
Meaning: the remote web server uses the FrontPage extensions

ftp/anonymous
Definition file: ftp_anonymous.nasl
Type: boolean
Meaning: the remote FTP server accepts anonymous logins

ftp/root_via_cmd
Definition file: ftp_cwd_root.nasl
Type: boolean
Meaning: the CWD command can be used to obtain root privileges on the remote FTP server. See CVE-1999-0082

ftp/microsoft
Definition file: ftp_overflow.nasl
Type: boolean
Meaning: the remote host runs a Micro$oft FTP server, which cannot handle overly long arguments

ftp/false_ftp
Definition file: ftp_overflow.nasl
Type: boolean
Meaning: the remote FTP port is protected by TCP Wrappers, or it accepts connections without behaving like a real FTP server

Appendix B. NASL tools

The libnasl package contains a standalone interpreter, nasl, which can be used to debug scripts. For more details, see man nasl.
