Hello,

OpenVAS (openvas_tcp_scanner.nes) found port 3306 open but does not report what 
is behind port 3306.

,---|
| [EMAIL PROTECTED]:~> telnet 81.169.179.226 3306
| Trying 81.169.179.226...
| Connected to 81.169.179.226.
| Escape character is '^]'.
| QHost 'nat.monitoring.rz-ip.net' is not allowed to connect to this MySQL serverConnection closed by foreign host.
`---|

,---[ dump.log ]
| find_service(81.169.179.226): found hex banner in KB for port 3306. len=0
| find_service(81.169.179.226): found banner in KB for port 3306. len=1
| find_service(81.169.179.226): banner is known on port 3306 - will not open a new connection
| find_service(81.169.179.226): Port 3306 is open. "Transport" is 1
`---

,---[ find_service.c ]
| 2219  else if (line[0] != '\0' && (strncmp(line + 1, "host '", 6) == 0) && strstr(line, "mysql") != NULL)
| 2220  mark_mysql(desc, port, origline, trp);
`---|

At this point, 'line' contains only 'q' (the first character of the 'not 
allowed' string). The 'Q' was lowercased in line 2105.

,---[ find_service.c ]
| 2103 
| 2104   for (i = 0; i < len; i++)
| 2105     buffer[i] = tolower(buffer[i]);
| 2106
| 2107     line = estrdup(buffer);
| 2108
`---|

Because 'line' contains only 'q', find_service.c can not detect that there is a 
MySQL behind port 3306. 

There is a function for unknown services but it is commented out.

,---[ find_service.c ]
| 1450 #if 0
| 1451 static void
| 1452 mark_unknown_svc(desc, port, banner, trp)
| 1453         struct arglist *desc;
| 1454         int             port, trp;
| 1455         const unsigned char *banner;
| 1456 {
| 1457         char            tmp[1600], *norm = NULL;
| 1458 
| 1459         /* Do NOT use plug_replace_key! */
| 1460         plug_set_key(desc, "Services/unknown", ARG_INT, (void *) port);
| 1461         snprintf(tmp, sizeof(tmp), "unknown/banner/%d", port);
| 1462         plug_replace_key(desc, tmp, ARG_STRING, (char *) banner);
| 1463 
| 1464         norm = (char *) port_to_name(port);
| 1465         *tmp = '\0';
| 1466         if (norm != NULL) {
| 1467                 snprintf(tmp, sizeof(tmp), "An unknown service is 
running on this por
| 1468 It is usually reserved for %s",
| 1469                          get_encaps_through(trp), norm);
| 1470         }
| 1471         if (*tmp != '\0')
| 1472                 post_note(desc, port, tmp);
| 1473 }
| 1474 #endif 
|
| [... ]
|
| 2579 #if 0
| 2580                                         /*
| 2581                                          * find_service_3digits will run
| 2582                                          * after us
| 2583                                          */
| 2584                                         if (!three_digits)
| 2585                                                 mark_unknown_svc(desc, 
port, banner, 
| 2586 #endif 
`---|

If I reactivate this function, port 3306 will be marked as an unknown service and 
then *find_service1.nasl*
detects that there is a MySQL behind port 3306.

Why is 'mark_unknown_svc' commented out? Why does 'line' contain only the first 
character of the whole 'not allowed' string? 

Greetings 

Michael
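
Added example, not part of the original message and not OpenVAS code: in the MySQL wire format a reply starts with a 3-byte little-endian payload length and a sequence byte, so the 'Q' (0x51 = 81) is a length byte followed by NUL bytes, and any C-string copy of the lowercased banner ends after 'q'. The sample packet is constructed from the hostname in the telnet output, assuming a standard ERR packet for error 1130; `string_view_len` and `mysql_err_parse` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 3-byte LE payload length (0x51 = 'Q'), sequence id 0,
 * 0xff ERR marker, 2-byte LE error code 1130 (0x046a), then the message. */
static const unsigned char sample_pkt[] =
    "Q\x00\x00\x00\xff\x6a\x04"
    "Host 'nat.monitoring.rz-ip.net' is not allowed to connect to this MySQL server";
#define SAMPLE_LEN (sizeof(sample_pkt) - 1)

/* Mirrors the lowercase-then-duplicate step quoted above: a string copy such
 * as estrdup() keeps only the bytes before the first NUL. Returns that count. */
size_t string_view_len(const unsigned char *buf, size_t len)
{
    char *tmp = malloc(len + 1);
    size_t i, n;
    if (tmp == NULL) return 0;
    for (i = 0; i < len; i++)
        tmp[i] = (char) tolower(buf[i]);
    tmp[len] = '\0';
    n = strlen(tmp);              /* stops right after the lowercased 'q' */
    free(tmp);
    return n;
}

/* Length-aware parse. Returns the error code and points *msg at the message
 * (*msg_len bytes, not NUL-terminated), or -1 if buf is not an ERR packet. */
int mysql_err_parse(const unsigned char *buf, size_t len,
                    const unsigned char **msg, size_t *msg_len)
{
    size_t plen, off = 7;
    if (len < 7) return -1;
    plen = buf[0] | ((size_t) buf[1] << 8) | ((size_t) buf[2] << 16);
    if (plen < 3 || plen > len - 4 || buf[4] != 0xff) return -1;
    if (plen >= 9 && buf[7] == '#') off += 6;  /* optional '#' + SQLSTATE */
    *msg = buf + off;
    *msg_len = 4 + plen - off;
    return buf[5] | (buf[6] << 8);
}

int main(void)
{
    const unsigned char *msg; size_t n;
    int code = mysql_err_parse(sample_pkt, SAMPLE_LEN, &msg, &n);
    if (code < 0) return 1;
    printf("string view: %zu byte(s); error %d: %.*s\n",
           string_view_len(sample_pkt, SAMPLE_LEN), code, (int) n, (const char *) msg);
    return 0;
}
```

The one-byte string view matches the `len=1` banner in dump.log; a check that works on the raw buffer and its recorded length sees the full message.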