Mailing List Archive: Nessus: plugins

Stop scan when can't login

Index | Next | Previous | View Threaded

nessus at the-jedi

Jan 5, 2009, 3:41 PM

Post #1 of 5 (3833 views)
Permalink

Stop scan when can't login

I've written a few plugins that check if they can successfully login via
SSH - checks return value of ssh_open_connection(), empty
username/password/sudo knowledgebase items etc.

Anyway, rather than having a security note for each plugin that fails,
is there a way I can stop the scan (or just skip my plugins but continue
vulns/ports) after one plugin failure?

I guess I could set a kb_item and check it in every plugin and silently
fail after the first one.

The Nessus built-in plugins seem to have this facility, as you get the
"local security checks have failed, cannot login with the supplied
credentials" message, which appears to come from
hostlevel_check_failed.nasl but how do I call that from my own plugin,
or is there a knowledgebase item I have to set
(HostLevelChecks/failure?) as it doesn't seem to do it automatically if
I only have my plugins enabled.

I dunno, I just don't want to go re-inventing the wheel my own way when
there appears to be this kind of functionality already.

Is there a NASL "best practice" guide at all - or just the NASL2 reference?

Regards.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

deraison at nessus

Jan 6, 2009, 6:17 AM

Post #2 of 5 (3632 views)
Permalink

Re: Stop scan when can't login [In reply to]

On Jan 6, 2009, at 12:41 AM, Simon John wrote:

> I've written a few plugins that check if they can successfully login
> via
> SSH - checks return value of ssh_open_connection(), empty
> username/password/sudo knowledgebase items etc.
>
> Anyway, rather than having a security note for each plugin that fails,
> is there a way I can stop the scan (or just skip my plugins but
> continue
> vulns/ports) after one plugin failure?
>
> I guess I could set a kb_item and check it in every plugin and
> silently
> fail after the first one.

Basically, the way you'd do this would be by using the
script_require_keys() functions / script_exclude_keys() in your plugins.

With the first one, your scripts will only run if a given KB item is
set, with the second one they will be skipped if a given kb item is
present.

So adding script_exclude_keys("HostLevelChecks/failure") would do the
trick.

(do not forget to use script_dependencie() to add dependencies between
the scripts themselves).

-- Renaud

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

nessus at the-jedi

Jan 6, 2009, 7:25 AM

Post #3 of 5 (3642 views)
Permalink

Re: Stop scan when can't login [In reply to]

Renaud Deraison wrote:
> On Jan 6, 2009, at 12:41 AM, Simon John wrote:

[snip]
>> Anyway, rather than having a security note for each plugin that fails,
>> is there a way I can stop the scan (or just skip my plugins but
>> continue vulns/ports) after one plugin failure?
>>
>> I guess I could set a kb_item and check it in every plugin and
>> silently fail after the first one.

> Basically, the way you'd do this would be by using the
> script_require_keys() functions / script_exclude_keys() in your plugins.
>
> With the first one, your scripts will only run if a given KB item is
> set, with the second one they will be skipped if a given kb item is
> present.
>
> So adding script_exclude_keys("HostLevelChecks/failure") would do the
> trick.

Lovely thanks, I thought there had to be a way.

So I've just got to set that key and produce a security_note for the
first occurance, then check for it and silently fail the rest.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

deraison at nessus

Jan 6, 2009, 8:00 AM

Post #4 of 5 (3636 views)
Permalink

Re: Stop scan when can't login [In reply to]

On Jan 6, 2009, at 4:25 PM, Simon John wrote:
>>
>> With the first one, your scripts will only run if a given KB item is
>> set, with the second one they will be skipped if a given kb item is
>> present.
>>
>> So adding script_exclude_keys("HostLevelChecks/failure") would do the
>> trick.
>
> Lovely thanks, I thought there had to be a way.
>
> So I've just got to set that key and produce a security_note for the
> first occurance, then check for it and silently fail the rest.

If you set it in script_exclude_keys() or script_require_keys() then
you do not need to check for it in the script code, your plugins won't
even be launched.

-- Renaud

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

nessus at the-jedi

Jan 7, 2009, 1:08 PM

Post #5 of 5 (3615 views)
Permalink

Re: Stop scan when can't login [In reply to]

Renaud Deraison wrote:

[snip]
> If you set it in script_exclude_keys() or script_require_keys() then
> you do not need to check for it in the script code, your plugins won't
> even be launched.

I tried script_exclude_keys("HostLevelChecks/failure"); but the plugin
still ran.

Then I read the NASL2 reference and it said it only works when
"optimized mode" is on, but I can't seem to find the tickbox to
"Optimize test" anymore in 3.2.1.1/Fedora9 of the client, it used to be
on the Options tab I'm sure.....?

Is there an method that works without that enabled, as even if I can
find how/where to enable it, its not guaranteed to be enabled.

The quick'n'dirty way I can think is reading the HostLevelChecks/failure
KB item in every script, if its set, then exit, but thats not great.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads