
Testing a network vulnerability

Here is an example using the openvas-nasl tool to perform a test:

First check that your NASL script is syntactically correct. This can be done with the parse-only option -p of the openvas-nasl tool, e.g.:

# openvas-nasl -p broken-example.nasl
syntax error, unexpected IDENT, expecting ')'
Parse error at or near line 17

This tells us that the script has a syntax error at or near line 17. Only once the script parses cleanly should you go on to test its functionality.

The test on the network is a bit more complicated. To check that the right packets were sent, you can use tcpdump to capture the communication between the scanner and the target. The capture below listens on the loopback interface (-i lo), so it assumes the test target runs on the same machine as the scanner, e.g.:

# tcpdump -i lo -w debug.pcap -s 1450
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1450 bytes
10 packets captured
20 packets received by filter
0 packets dropped by kernel

Now it is possible to decode the content of the network communication.

# tcpdump -vvvv -n -r debug.pcap
reading from file debug.pcap, link-type EN10MB (Ethernet)
15:45:52.474613 IP (tos 0x0, ttl 64, id 60969, offset 0, flags [DF], proto TCP
(6), length 60) 127.0.0.1.53655 > 127.0.0.1.24: S, cksum 0x80c9 (correct),
1315997236:1315997236(0) win 32792 <mss 16396,sackOK,timestamp 5466141
0,nop,wscale 6>
15:45:52.474618 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 60) 127.0.0.1.24 > 127.0.0.1.53655: S, cksum 0x64b5 (correct),
1311860089:1311860089(0) ack 1315997237 win 32768 <mss 16396,sackOK,timestamp
5466141 5466141,nop,wscale 6>
15:45:52.474638 IP (tos 0x0, ttl 64, id 60970, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bd8 (correct),
1:1(0) ack 1 win 513 <nop,nop,timestamp 5466141 5466141>
15:45:52.474797 IP (tos 0x0, ttl 64, id 3431, offset 0, flags [DF], proto TCP
(6), length 72) 127.0.0.1.24 > 127.0.0.1.53655: P, cksum 0xfe3c (incorrect (->
0x941e), 1:21(20) ack 1 win 512 <nop,nop,timestamp 5466141 5466141>
15:45:52.474829 IP (tos 0x0, ttl 64, id 60971, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bc3 (correct),
1:1(0) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
15:45:52.475572 IP (tos 0x0, ttl 64, id 60972, offset 0, flags [DF], proto TCP
(6), length 68) 127.0.0.1.53655 > 127.0.0.1.24: P, cksum 0xfe38 (incorrect (->
0xefa4), 1:17(16) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
15:45:52.475586 IP (tos 0x0, ttl 64, id 3432, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.24 > 127.0.0.1.53655: ., cksum 0x4bb3 (correct),
21:21(0) ack 17 win 512 <nop,nop,timestamp 5466142 5466142>
15:45:57.479223 IP (tos 0x0, ttl 64, id 60973, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: F, cksum 0x46ce (correct),
17:17(0) ack 21 win 513 <nop,nop,timestamp 5467393 5466142>
15:45:57.479279 IP (tos 0x0, ttl 64, id 3433, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.24 > 127.0.0.1.53655: F, cksum 0x41eb (correct),
21:21(0) ack 18 win 512 <nop,nop,timestamp 5467393 5467393>
15:45:57.479296 IP (tos 0x0, ttl 64, id 60974, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x41ea (correct),
18:18(0) ack 22 win 513 <nop,nop,timestamp 5467393 5467393>

If a deeper packet analysis is needed, tools like Wireshark can read such files in pcap format and perform a close analysis of all types of network communication packets.
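To turn a wrapped tcpdump -vvvv listing like the one above into something you can assert on (payload bytes per direction, which segments actually carried data, which checksums tcpdump flagged), the following parser is an added example written for this page; it is not part of the OpenVAS tooling. It re-joins the records tcpdump wrapped over several lines, parses the TCP summary fields and summarises the conversation. The embedded sample is the first seven records of the capture shown above. Note that the two data-carrying packets are the ones tcpdump marks "incorrect": on loopback and on interfaces with checksum offloading the kernel never fills in the checksum of outgoing packets, so a parser should report these rather than treat them as corruption.

```python
import re
from collections import defaultdict

# Constructed sample: the first seven records of the loopback capture shown on
# this page (tcpdump -vvvv -n -r debug.pcap), wrapped exactly as tcpdump printed them.
SAMPLE = """\
reading from file debug.pcap, link-type EN10MB (Ethernet)
15:45:52.474613 IP (tos 0x0, ttl 64, id 60969, offset 0, flags [DF], proto TCP
(6), length 60) 127.0.0.1.53655 > 127.0.0.1.24: S, cksum 0x80c9 (correct),
1315997236:1315997236(0) win 32792 <mss 16396,sackOK,timestamp 5466141
0,nop,wscale 6>
15:45:52.474618 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 60) 127.0.0.1.24 > 127.0.0.1.53655: S, cksum 0x64b5 (correct),
1311860089:1311860089(0) ack 1315997237 win 32768 <mss 16396,sackOK,timestamp
5466141 5466141,nop,wscale 6>
15:45:52.474638 IP (tos 0x0, ttl 64, id 60970, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bd8 (correct),
1:1(0) ack 1 win 513 <nop,nop,timestamp 5466141 5466141>
15:45:52.474797 IP (tos 0x0, ttl 64, id 3431, offset 0, flags [DF], proto TCP
(6), length 72) 127.0.0.1.24 > 127.0.0.1.53655: P, cksum 0xfe3c (incorrect (->
0x941e), 1:21(20) ack 1 win 512 <nop,nop,timestamp 5466141 5466141>
15:45:52.474829 IP (tos 0x0, ttl 64, id 60971, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.53655 > 127.0.0.1.24: ., cksum 0x4bc3 (correct),
1:1(0) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
15:45:52.475572 IP (tos 0x0, ttl 64, id 60972, offset 0, flags [DF], proto TCP
(6), length 68) 127.0.0.1.53655 > 127.0.0.1.24: P, cksum 0xfe38 (incorrect (->
0xefa4), 1:17(16) ack 21 win 513 <nop,nop,timestamp 5466142 5466141>
15:45:52.475586 IP (tos 0x0, ttl 64, id 3432, offset 0, flags [DF], proto TCP
(6), length 52) 127.0.0.1.24 > 127.0.0.1.53655: ., cksum 0x4bb3 (correct),
21:21(0) ack 17 win 512 <nop,nop,timestamp 5466142 5466142>
"""

# A record starts with a timestamp; everything up to the next timestamp belongs to it.
TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Fields of the TCP summary line as tcpdump -vvvv -n prints them. The "incorrect"
# form is "(incorrect (-> 0x....)," with only one closing parenthesis, as on this page.
RECORD = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[SFRP.]+), "
    r"cksum (?P<cksum>0x[0-9a-f]+) \((?P<ckstate>correct|incorrect \(-> 0x[0-9a-f]+)\), "
    r"(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def _records(text):
    """Re-join records that tcpdump wrapped over several lines; skip the file header."""
    current = None
    for line in text.splitlines():
        if TS.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line.strip()
    if current is not None:
        yield current


def parse_tcpdump(text):
    """Return one dict per packet with numeric fields converted."""
    packets = []
    for rec in _records(text):
        m = RECORD.match(rec)
        if m is None:
            raise ValueError("unrecognised record: " + rec[:60])
        p = m.groupdict()
        for key in ("length", "seq_lo", "seq_hi", "plen", "win"):
            p[key] = int(p[key])
        p["ack"] = int(p["ack"]) if p["ack"] is not None else None
        p["cksum_ok"] = p["ckstate"] == "correct"
        packets.append(p)
    return packets


def summarize(packets):
    """Payload bytes per direction, the data-carrying segments, and flagged checksums."""
    bytes_by_dir = defaultdict(int)
    segments, bad = [], []
    for p in packets:
        direction = p["src"] + " > " + p["dst"]
        bytes_by_dir[direction] += p["plen"]
        if p["plen"]:
            segments.append((p["ts"], direction, p["plen"]))
        if not p["cksum_ok"]:
            bad.append((p["ts"], direction))
    return {"bytes": dict(bytes_by_dir), "segments": segments, "bad_checksums": bad}


if __name__ == "__main__":
    s = summarize(parse_tcpdump(SAMPLE))
    for direction, n in s["bytes"].items():
        print(f"{direction}: {n} payload bytes")
    for ts, direction, n in s["segments"]:
        print(f"{ts} {direction}: data segment of {n} bytes")
    for ts, direction in s["bad_checksums"]:
        print(f"{ts} {direction}: checksum flagged incorrect (typical for loopback/offloading)")
```

Run it with python3 and it reports 20 payload bytes from port 24 to the client (the banner) and 16 bytes back, which is the first thing to compare against what the script was supposed to send. To analyse a real capture, feed the output of tcpdump -vvvv -n -r debug.pcap to parse_tcpdump instead of SAMPLE.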

The openvas-nasl interpreter also writes a logfile at /tmp/debug-nvt.txt. This file helps us to debug NASL-based NVTs:

[...]
NASL:0277> register_int_in_kb(...)
[9905](ssh_detect24.nasl) NASL> [0811e310] -> 0
[9905]() NASL> [08120328] <- 0
[9905]() NASL> [08120358] <- "Secret/SSH/bugged_sshd"
[9905](ssh_detect24.nasl) NASL> Call register_int_in_kb(int: 0, name:
"Secret/SSH/bugged_sshd")
NASL:0055> if ((! (defined_func(...))) || (! (_reuse_connection))) { ... }
NASL:0054> defined_func(...)
[9905]() NASL> [081203a8] <- "replace_kb_item"
[9905](ssh_detect24.nasl) NASL> Call defined_func(1: "replace_kb_item")
[9905](ssh_detect24.nasl) NASL> Return defined_func: 1
[9905](ssh_detect24.nasl) NASL> [0811e2d8] -> undef
NASL:0054> return 0;
[9905](ssh_detect24.nasl) NASL> Return register_int_in_kb: 0
[9905](ssh_detect24.nasl) NASL> Return init: FAKE
NASL:1771> server_version=ssh_exchange_identification(...);
NASL:1771> ssh_exchange_identification(...)
[9905](ssh_detect24.nasl) NASL> [0811fde0] -> 1000000
[9905]() NASL> [08120688] <- 1000000
[9905](ssh_detect24.nasl) NASL> Call ssh_exchange_identification(socket:
1000000)
NASL:0377> local_var ...
NASL:0379> buf=recv_line(...);
NASL:0379> recv_line(...)
[9905](ssh_detect24.nasl) NASL> [08120688] -> 1000000
[9905]() NASL> [081207b0] <- 1000000
[9905]() NASL> [081207d0] <- 1024
[9905](ssh_detect24.nasl) NASL> Call recv_line(socket: 1000000, length: 1024)
[9905](ssh_detect24.nasl) NASL> Return recv_line: "SSH-2.0-FreeSSH_9.9
"
[9905]() NASL> [081202d0] <- "SSH-2.0-FreeSSH_9.9
"
NASL:0388> if (! (buf)) { ... }
[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
"
NASL:0394> if (! (ereg(...))) { ... }
NASL:0388> ereg(...)
[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
"
[9905]() NASL> [081206a8] <- "SSH-2.0-FreeSSH_9.9
"
[9905]() NASL> [081207b0] <- "^SSH-*[0-9]\.*[0-9]-*[^\n]"
[9905](ssh_detect24.nasl) NASL> Call ereg(string: "SSH-2.0-FreeSSH_9.9
", pattern: "^SSH-*[0-9]\.*[0-9]-*[^\n]")
[9905](ssh_detect24.nasl) NASL> Return ereg: 1
NASL:0394> sshversion=split(...);
NASL:0394> split(...)
[9905](ssh_detect24.nasl) NASL> [081202d0] -> "SSH-2.0-FreeSSH_9.9
"
[9905]() NASL> [08120638] <- "SSH-2.0-FreeSSH_9.9
"
[9905]() NASL> [081207b0] <- "-"
[9905]() NASL> [0811fff8] <- 0
[9905](ssh_detect24.nasl) NASL> Call split(1: "SSH-2.0-FreeSSH_9.9
", sep: "-", keep: 0)
[9905](ssh_detect24.nasl) NASL> Return split: ???? (DYN_ARRAY (64))
[9905]() NASL> [081202f0] <- (VAR2_ARRAY)
NASL:0395> num=split(...);
NASL:0395> split(...)
[...]

This information should be sufficient to solve the problem. If not, it might be an OpenVAS bug in the script engine. To detect this, compile OpenVAS NASL with debug symbols and use GDB. More information on GDB can be found at:

http://www.gnu.org/software/gdb/gdb.html

