Well, I wanted to get a bit more familiar with NASL (Nessus Attack Scripting Language). I've modified Nessus plugins in the past but never really did much with it. I have to say I do like it; it's pretty easy to do testing with.

I needed a way to check a lot of web servers for their versions, and fast. So I figured, what the heck, let me throw something together with NASL. Note that this is just a stand-alone script; it will not work within the Nessus framework.
(Links to docs on working within the Nessus framework are at the bottom.)

This just sends a HEAD request to the web server and greps the response for the Server string.

This could also be easily modified to read from the socket and grab other banners. I found this would work for telnet, FTP, SSH, etc., but for some reason I could not grab the banner from the web servers I was testing (those services send a greeting as soon as you connect, whereas an HTTP server sends nothing until it receives a request). Hence sending
"HEAD / HTTP/1.0\r\n\r\n"

If you wanted to read straight from the socket without sending the HEAD request, you could just comment that part out and display name instead of server.

I will be looking into this more, but this was just a quick script to get my feet wet.


#####################################################################
# Name: webserv-naslgrab.nasl                                       #
# Description: A non-intrusive way to grab the web server version   #
#              by opening a socket to port 80 and sending a HEAD    #
#              request. This can be modified to use other ports.    #
# Version: .1                                                       #
# Author : Devin Ertel                                              #
# Usage  : nasl -t 192.168.1-155 webserv-naslgrab.nasl              #
#####################################################################

# Create a TCP socket to port 80 on the target host
soc = open_sock_tcp(80);

# Grab the IP of the host the socket is open to
hostip = get_host_ip();

# Only proceed if the socket was created
if (soc) {

    # Build the HEAD request and send it (an HTTP server does not talk first)
    str = string("HEAD / HTTP/1.0\r\n\r\n");
    send(socket:soc, data:str);

    # Read up to 1024 bytes of the response from the socket
    name = recv(socket:soc, length:1024);

    # Pull out the line(s) containing the Server header
    server = egrep(pattern:"Server.*", string:name);

    # If egrep matched something, report it along with the host IP
    if (server) {
        display(server, " On IP ", hostip, "\n");
    }

    # Close the socket
    close(soc);
}
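The same HEAD-probe banner grab in Python, as an added example that is not part of the original post or of Nessus: it sends a probe only on ports where the service waits for the client to speak first (the reason the post needed HEAD for web servers) and parses the Server header out of the header block instead of grepping the whole reply. The port-to-probe table, the host names and the sample response are constructed assumptions.

```python
import re
import socket
from typing import Optional

# HTTP servers say nothing until they get a request, so a probe is needed.
# Telnet/FTP/SSH send a greeting on connect and can be read straight away.
# Assumed port-to-probe table; extend it for other ports as needed.
HTTP_HEAD_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
PROBES = {80: HTTP_HEAD_PROBE, 8080: HTTP_HEAD_PROBE, 21: b"", 22: b"", 23: b""}

# Match only a real "Server:" header line (header names are case-insensitive).
SERVER_HEADER = re.compile(rb"^Server:[ \t]*(.*?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


def extract_server_header(response: bytes) -> Optional[str]:
    """Return the Server header value, or None if the response has none.

    Only the header block (everything before the first blank line) is
    searched, so a body line that merely contains the word "Server" is not
    reported as a version, unlike egrep("Server.*") over the whole reply.
    """
    head, _, _body = response.partition(b"\r\n\r\n")
    m = SERVER_HEADER.search(head)
    return m.group(1).decode("latin-1") if m else None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send the probe the service needs (if any), read up to 1024 bytes."""
    with socket.create_connection((host, port), timeout=timeout) as soc:
        probe = PROBES.get(port, b"")
        if probe:
            soc.sendall(probe)
        try:
            return soc.recv(1024)
        except socket.timeout:
            return b""


def report(host: str, port: int) -> str:
    """Mirror the NASL script's one-line output for a single web server."""
    version = extract_server_header(grab_banner(host, port))
    return f"Server: {version} On IP {host}" if version else f"no Server header On IP {host}"


if __name__ == "__main__":
    # Constructed sample response so the parser can be exercised offline.
    sample = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
              b"Content-Type: text/html\r\n\r\n<p>Server-side page</p>")
    print(extract_server_header(sample))  # Apache/2.4.41 (Ubuntu)
```

Run against your own hosts, the parser is also a quick check that a ServerTokens (Apache) or server_tokens (nginx) hardening change really stopped the version from being advertised.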

Links:
http://michel.arboi.free.fr/nasl2ref/
http://www.oreillynet.com/pub/a/security/2004/06/03/nessus_plugins.html
http://www.virtualblueness.net/nasl.html
