#
# This script was written by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#
# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits without
# touching the network.
#
if (description)
{
  script_id(10175);
  script_version("$Revision: 1.16 $");

  # Title, long description and one-line summary shown in scan reports.
  script_name(english:"Detect presence of PGPNet server and its version");
  script_description(english:"
It is possible to detect the existing of PGPNet, by connecting to its
open UDP port (500) and sending it a session init packet, the PGPNet daemon
would respond (making it possible to know that PGPNet is installed on the
computer) with the version of the OpenPGP package it uses.
Solution: Block those ports from outside communication
Risk factor : Medium");
  script_summary(english:"Detect presence of PGPNet server and its version");

  # Information-gathering category, filed under service detection.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");
  script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");

  exit(0);
}
#
# The script code starts here
#
# Build one UDP/500 probe carrying an ISAKMP (IKEv1) first message, send it,
# and capture the first matching reply into result_suc.
# Nothing is sent when the target is the scanning host itself.
if(islocalhost())exit(0);
# Scanner address (source) and target address (destination) for the forged packet.
srcaddr = this_host();
dstaddr = get_host_ip();
# NOTE(review): magic_num is not referenced again in the visible script.
magic_num = rand();
# Two pseudo-random bytes that become the first two bytes of the initiator
# cookie. NOTE(review): "% 255" yields 0..254 for a non-negative rand(), so
# 0xFF is never produced - confirm whether "% 256" was intended.
r1 = rand() % 255;
r2 = rand() % 255;
# Probe payload, read against the ISAKMP/IKEv1 layout (RFC 2408/2409):
#   bytes 0-7    initiator cookie: r1, r2, then six zero bytes
#   bytes 8-15   responder cookie: all zero (first message)
#   byte  16     next payload 0x01 (SA); byte 17 version 0x10 (1.0)
#   byte  18     exchange type 0x02; byte 19 flags 0
#   bytes 20-23  message ID 0; bytes 24-27 total length 0x00000088 (136)
#   bytes 28-119 SA payload (next payload 0x0D = Vendor ID, length 0x005C):
#                one proposal (length 0x50) with two 0x24-byte transforms,
#                each ending in a lifetime of 0x00015180 (86400)
#   bytes 120-123 Vendor ID payload header, length 0x0010
# The raw_string() call lists 124 bytes; the tag appended below brings the
# payload to 137 bytes, one more than the length field above declares.
raw_data = raw_string(
r1, r2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x0D, 0x00, 0x00, 0x5C, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x01, 0x01, 0x00,
0x02, 0x03, 0x00, 0x00, 0x24, 0x01, 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x06,
0x80, 0x02, 0x00, 0x02, 0x80, 0x03, 0x00, 0x03, 0x80, 0x04, 0x00, 0x05, 0x80,
0x0B, 0x00, 0x01, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x01, 0x51, 0x80, 0x00, 0x00,
0x00, 0x24, 0x02, 0x01, 0x00, 0x00, 0x80, 0x01, 0x00, 0x05, 0x80, 0x02, 0x00,
0x01, 0x80, 0x03, 0x00, 0x03, 0x80, 0x04, 0x00, 0x02, 0x80, 0x0B, 0x00, 0x01,
0x00, 0x0C, 0x00, 0x04, 0x00, 0x01, 0x51, 0x80, 0x00, 0x00, 0x00, 0x10);
# Vendor ID data: a 13-character tag that marks the probe on the wire.
raw_data = raw_data + "OpenPGPdetect";
# Header sizes in bytes. PGPNET_BASE is the hard-coded payload size and must
# be kept equal to the length of raw_data (124 + 13 = 137) if either changes.
IPH = 20;
UDPH = 8;
PGPNET_BASE = 137;
UDP_LEN = UDPH + PGPNET_BASE;
IP_LEN = IPH + UDP_LEN;
# IPv4 header: 5-word header without options, fixed ID 0xABBA, TTL 255,
# no fragmentation, protocol UDP.
ip = forge_ip_packet(ip_v : 4,
ip_hl : 5,
ip_tos : 0,
ip_len : IP_LEN,
ip_id : 0xABBA,
ip_p : IPPROTO_UDP,
ip_ttl : 255,
ip_off : 0,
ip_src : srcaddr,
ip_dst : dstaddr);
# Source and destination port are both 500, so a reply comes back to the
# port named in the capture filter below.
dstport = 500;
srcport = 500;
udpip = forge_udp_packet(ip : ip,
uh_sport : srcport,
uh_dport : dstport,
uh_ulen : UDP_LEN, # UDP header (8 bytes) plus payload
data : raw_data);
# Capture filter: UDP addressed to srcport, or any ICMP, sent by the target
# to the scanner. ICMP is accepted so that an error reply ends the wait;
# only UDP replies are parsed afterwards.
filter = string("((udp and dst port ", srcport, ") or (icmp)) and src host ", dstaddr, " and dst host ", srcaddr);
# Send the probe and keep the first packet that matches the filter, if any.
result_suc = send_packet(udpip, pcap_active:TRUE, pcap_filter:filter);
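#
# Parse the captured reply. A UDP reply is accepted as PGPNet only when it
# echoes the probe's initiator cookie and carries the expected ISAKMP header
# bytes; the version string is then read from a fixed offset (88) chosen by
# the script author.
#
# Changes from the earlier revision:
#  - bytes 0-1 of the reply are compared with r1/r2, so the reply is tied to
#    this probe rather than only to the six zero cookie bytes;
#  - the copy loop is bounded by the actual reply length instead of always
#    indexing up to offset 88 + 999;
#  - the report no longer depends on the loop counter's final value, which
#    under C-style "for" semantics ended at 1001 once a NUL was found and so
#    skipped the report on the normally terminated case.
#
if (result_suc)
{
  protocol_type = get_ip_element(ip:result_suc, element:"ip_p");
  if (protocol_type == IPPROTO_UDP)
  {
    result = get_udp_element(udp:result_suc, element:"data");
    reply_len = strlen(result);

    # Anything shorter cannot hold the header plus the version offset.
    if (reply_len < 88) exit(0);

    # Initiator cookie: the responder is expected to echo what the probe sent
    # (r1, r2, then six zero bytes).
    if ((result[0] == raw_string(r1)) && (result[1] == raw_string(r2)) &&
        (result[2] == raw_string(0x00)) && (result[3] == raw_string(0x00)) &&
        (result[4] == raw_string(0x00)) && (result[5] == raw_string(0x00)) &&
        (result[6] == raw_string(0x00)) && (result[7] == raw_string(0x00)))
    {
      # Same next-payload (0x01), version (0x10) and exchange type (0x02)
      # bytes as the probe header.
      if ((result[16] == raw_string(0x01)) && (result[17] == raw_string(0x10)) &&
          (result[18] == raw_string(0x02)))
      {
        # Copy at most 1000 bytes, stopping at the first NUL or at the end of
        # the received data, whichever comes first.
        limit = 88 + 1000;
        if (reply_len < limit) limit = reply_len;

        OpenPGP = "";
        done = 0;
        for (i = 88; (i < limit) && (done == 0); i = i + 1)
        {
          if (result[i] == raw_string(0x00))
          {
            done = 1;
          }
          else
          {
            OpenPGP = OpenPGP + result[i];
          }
        }

        # NOTE(review): OpenPGP is taken verbatim from the remote host and
        # may contain non-printable bytes; treat it as untrusted wherever the
        # report is rendered.
        warning_text = "PGPNet uses OpenPGP build version: ";
        warning_text = warning_text + OpenPGP;
        security_note(port:500, data:warning_text);
      }
    }
  }
}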