Home > Security Tips > Network Security Tactics > Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

NETWORK SECURITY TACTICS

Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities


Mike Chapple
07.01.2008
Rating: -3.33- (out of 5)


Network Security Tactics
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


In earlier parts of the Nessus 3 Tutorial, topics included how to install and configure Nessus, and how to run a basic security scan. Up until this point, however, signatures have come from the large database provided by Tenable Network Security's subscription feed. The signatures are definitely a great source of up-to-date vulnerability information, and they provide protection against most threats known to exist in the wild. There's one scenario, however, that isn't addressed by the database approach: custom applications that have been written within your own organization and have known vulnerabilities.

Starting with an example
As a hypothetical, suppose you have a custom Web-monitoring application called KillerApp that contains a known vulnerability in a file named "killerapp.asp." This application ran on every Web server in the environment until you discovered that it contains a critical vulnerability allowing an anonymous user to shut down the servers. The application has since been removed, but you suspect that some servers may still have it installed. Fortunately, the Nessus Attack Scripting Language (NASL) can be used to write a custom Nessus "attack," or a check that can find "killerapp.asp."

First, I'll show you the entire NASL script for this type of scenario. Then we'll dissect it to explore the NASL structure. Here's the whole script:


#
# KillerApp check
#

if (description)
{
script_id(50000);
script_name(english:"Check for KillerApp");
script_description(english:"KillerApp is a high-risk application and should be removed.");
script_summary(english:"Checks for KillerApp");
script_copyright(english:"Copyright 2008, Mike Chapple");
script_category(ACT_ATTACK);
script_family(english:"Denial of Service");
script_require_ports("Services/www",80);
}

include("http_func.inc");
include("http_keepalive.inc");

port = g



et_http_port(default:80);

if (get_port_state(port))
{
if (is_cgi_installed_ka(item:"/killerapp.asp",port:port))
{
security_hole(port);
}
}


NASL script structure
Notice that the NASL script has two distinct sections: a description of the plan, and a layout of the attack contents. The description section begins with the "if (description)" statement and includes all of the statements contained within the curly braces ("{…}") following it. Many of the items in that section are self-descriptive. Some notable ones:

The remaining portion of the script defines the attack itself. Let's take it line-by-line:

Using a custom script
There are two ways to execute a custom script: running the nasl.exe standalone tool from the command line, or including it in Nessus scans.

The syntax for running it at the command line is:

nasl.exe -t <script>

For example, if you wanted to run the killerapp.nasl script against a Web server located at 192.168.1.1, you would execute:

nasl.exe -t 192.168.1.1 "C:\Program Files\Tenable\Nessus\plugins\killerapp.nasl"

If the script returns a hole, it outputs a status of "Success," as shown below:

[Wed Jun 11 19:08:58 2008][5832] Only Ethernet is supported for now (type of {07 061642-1076-44D2-9D72-6C7BC3022BCF} = 71)
C:\Program Files\Tenable\Nessus\plugins\killerapp.nasl: Success

Alternatively, the NASL check can be included in a standard Nessus scan by simply including the file in your Nessus folder's 'plug-ins' directory. You'll then find it among the checks available to you when configuring a Nessus scan.

Learning more about NASL
NASL is a fairly simple scripting language, but it does contain a number of built-in functions to help customize your own scripts. For the definitive reference on NASL, view the NASL Reference Guide on the main Nessus site.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.


Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Network Security Tactics,   Application and Platform Security,   Securing Productivity Applications,   Open Source Security Tools and Applications,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Network Security Tactics
Screencast: Samurai offers pen-testing nirvana
Firewall rule management best practices
Chained Exploits: How to prevent phishing attacks from corporate spies
Rootkit Hunter demo: Detect and remove Linux rootkits
Enterprise UTM security: The best threat management solution?
Making the case for network security configuration management
An inside look at security log management forensics investigations
How to find sensitive information on the endpoint
How to perform Microsoft Baseline Security Analyzer (MBSA) scans
How to spot attacks through Apache Web server log analysis

Securing Productivity Applications
Adobe fixes critical Shockwave Flash Player flaw
Adobe issues first quarterly patch release fixing 13 flaws
Adobe shifts to Microsoft patching process, incident response plan
Balancing security and performance: Protecting layer 7 on the network
Software Piracy pandemic needs government role, better vendor antipiracy plans
McAfee to acquire Solidcore Systems for whitelisting
Adobe issues Reader update fixing zero-day flaw
Microsoft to patch critical PowerPoint zero-day flaw
PCI DSS: Best practices for compliance
Adobe working on patch to correct new zero-day flaw

Open Source Security Tools and Applications
Screencast: Samurai offers pen-testing nirvana
Rootkit Hunter demo: Detect and remove Linux rootkits
When to use open source security tools over commercial products
Screencasts: On-screen demonstrations of today's IT tools
Maltego demo: Identifying a website's trust relationships
Free HP SWFScan tool detects Adobe Flash flaws
L0phtCrack returns
How to use (almost) free tools to find sensitive data
Should open source disk-encryption software be used?
Open source security concerns can trump cost savings

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
sheepdip  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
More Security Resources for Resellers, VARs and OEMs
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts