nessus-plugins-2.0.10.tar.gz_NS-2_nessus plugi_nessus-_nessus-li

Nessus 0.99.0 C Plugins API Author : Renaud Deraison <deraison@nessus.org> Overview ----------------------------------------------------------------- The Nessus Security Scanner performs its security checks by launching external pieces of code called 'plugins'. One plugin is in charge of one security check against one host. There are, at this time, two languages to write security checks : NASL (the Nessus Attack Scripting Language) and C. NASL should be prefered as it makes plugins which are easily portable and shareable. C plugins should be avoided, except when NASL proves to not be powerful enough. This document teaches you how to write a C Nessus plugin. Once more : *** C Nessus plugins should be avoided, except when it is not possible to write them in NASL *** This document covers the following topics : 1. How to compile a C plugin 2. The plugins framework 2.1 The main .c file 2.2 The file includes.h 2.3 The file nessusraw.h 2.4 The plugin_init() function 2.5 The plugin_run() function 3. The Nessus library functions 3.1 plugin_init() related functions 3.1.1 plug_set_name() 3.1.2 plug_set_category() 3.1.3 plug_set_family() 3.1.4 plug_set_description() 3.1.5 plug_set_summary() 3.1.6 plug_set_copyright() 3.2 plugin additional functions 3.2.1 plug_set_timeout() 3.2.2 plug_set_dep() 3.2.3 add_plugin_preference() 3.2.4 get_plugin_preference() 3.3 target informations 3.3.1 plug_get_hostname() 3.3.2 plug_get_host_ip() 3.3.3 plug_get_host_open_port() 3.3.4 host_get_port_state() 3.4 network operations 3.4.1 open_sock_tcp() 3.4.2 recv_line() 3.4.3 ftp_log_in() 3.4.4 ftp_get_pasv_address() 3.4.5 is_cgi_installed() 3.4.6 ping_host() 3.4.7 tcp_ping_host() 3.4.8 tcp_timing() 3.5 plugins inter communication (PIIC) 3.5.1 Introduction 3.5.2 plug_set_key() 3.5.3 plug_get_key() 3.5.4 Standard keys 3.6 Reporting a problem to the Nessus server 3.6.1 post_hole() 3.6.2 post_info() 4. Interfacing a Nessus plugin with the libpcap library 4.1 Makefile changes 4.2 libpcap-related Nessus functions 4.2.1 routethrough() 4.2.2 get_datalink_size() 5. A sample plugin commented 1. How to compile a C plugin ----------------------------------------------------------------- C plugins must be compiled into shared libraries before they can be used by Nessus. Turning a C file into a shared library is a painful process, which is not portable. That is why nessus-0.99.0 comes with the utility 'nessus-build' which will build a .c plugin and turn it into a .nes file. Its usage is : nessus-build input.c output.nes This script will create the directory $TMP/nessus-build and will copy there the libtool which is appropriate to your system, as well as a generic Makefile. But you should not care anyway, except if your plugin contains several .c files. 2. The plugins framework ----------------------------------------------------------------- 2.1 The main .c file ---------------------------------------------------------------- The main .c file will contain the two critical functions that we will discuss right after this. 2.2 The file "includes.h" ---------------------------------------------------------------- The file "includes.h" contains all the includes necessary to write a plugin. 2.3 The file "nessusraw.h" ---------------------------------------------------------------- nessusraw.h contains all the includes to define the structs ip, tcphdr, udphdr and icmp (BSD style). If these structures are not defined in the system includes, then it redefines them. You should include this file if your plugin plays with raw sockets. 2.4 the plugin_init() function ---------------------------------------------------------------- Synopsis : int plugin_init(struct arglist * desc); Description : This function is called by the server so that the plugin declares who is it, what it performs and so on. It should be declared by your plugin, and must contain calls to the following functions : plug_set_name() (3.1.1) plug_set_category() (3.1.2) plug_set_family() (3.1.3) plug_set_description() (3.1.4) plug_set_summary() (3.1.5) plug_set_copyright() (3.1.6) It may also contain some calls to the function add_plugin_preference() We will define all these functions in section 3.1 (except add_plugin_preference which will be defined in another section) This function should return 0. Also, no initialization must be made during this function, since all the dynamically allocated variables will be destroyed right after the plugin exits from plugin_init() 2.5 the plugin_run() function ---------------------------------------------------------------- Synopsis : int plugin_run(struct arglist * desc); Description : This is the main plugin entry point. It may contain whatever you want. 3. The Nessus library functions ----------------------------------------------------------------- 3.0 Notes on the internationalization of Nessus ---------------------------------------------------------------- nessus-0.99.0 and newer support multilingual plugins. That is, each plugin may contain descriptions in any language. As a result of this, most of the functions have a 'language' argument which will tell nessusd in which language the data passed is. Those functions can be called several times, with a different 'language' argument each time. The 'language' argument must be NULL for english (default), or must contain the same name as in nessusd.conf. ("deutsch", "francais", and so on...) The NULL language must be called LAST ! Here is an exemple : plug_set_name(env, "Test FTP", "francais"); plug_set_name(env, "FTP check", NULL); 3.1 plugin_init() related functions ---------------------------------------------------------------- 3.1.1 plug_set_name() --------------------------------------------------------------- Synopsis : #include <includes.h> void plug_set_name(struct arglist * desc, const char * name, const char * language); Description : This function tells the server the full name of the plugin. The name may contain spaces. The argument 'desc' is the argument which is given to the function plugin_init(). This function must only be called during plugin_init(). See also explained here : languages (3.0) plugin_init(2.3) 3.1.2 plug_set_category --------------------------------------------------------------- Synopsis : #include <includes.h> void plug_set_category(struct arglist * desc, int category); Description : This function tells the server in which category the plugin is. The argument 'category' must be one of the following : ACT_GATHER_INFO : the plugin gathers informations about the remote host. No harm is made ACT_ATTACK : the plugin will attack the remote server and may steal sensitive data. However, no harm is made : the attacked services are still working after the plugin has done its job. ACT_DENIAL : the plugin performs a denial of service attack against the remote host. ACT_PASSIVE : the plugin will perform a passive attack. ACT_SCANNER : the plugin is actually a port scanner If a plugin is in one of the first three category, then it will be subject to a timeout watchdog on the server side, so even if there is an infinite loop i