2009-07-18 03:35:41
By Tim Brown
One of the things that keeps me interested in OpenVAS, apart from the beer, is writing new NASLs. I write them for several reasons: to check for a vulnerability I or a colleague have found, for interesting vulnerabilities others have reported, or, in many cases, to check for issues where an advisory isn't appropriate but where a trivial issue may exist for which the manual check might be forgotten.
Recently, nmap reported an open port as being related to Nagios, but neither OpenVAS nor indeed Nessus picked it up. Googling for the banner nmap returned gave 2 results. It turned out to be the NSClient service, which when installed on Windows systems allows Nagios and other such NMSs to remotely gather information about the health of the system. The first hit told me that I could query it using the check_nt binary that comes with Nagios, and a quick search on Debian's package search engine indicated it was included in nagios-plugins-basic.
Grabbing this package and its associated source, I began to enumerate the exposed functionality. As I noted in my paper on working with Fuzzled, I fired up a packet sniffer to capture my results. It turns out that by default this service is configured with an authentication string of None, and in this case that was how it had been left. I found a number of useful commands could be called, including:
There are also a bunch of other commands which will tell me about CPU, memory and disk usage, which might be useful and which the NASL I intend to write will check. The next couple of entries in this blog will document this process. I hope you enjoy...
Mood: Knowledgeable
Music: Nothing playing right now