Juniper NSM GUI Server Detection

🗓️ 13 Sep 2013 00:00:00Reported by TenableType
The remote host is running the Juniper NSM GUI Server. The NSM GUI accepts connections from users using the NSM GUI Client, allowing for administration of the NSM server
Source	Link
nessus	www.nessus.org/u
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69870);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/03");
  script_xref(name:"IAVT", value:"0001-T-0640");

  script_name(english:"Juniper NSM GUI Server Detection");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a remote administration service.");
  script_set_attribute(attribute:"description", value:
"The remote host is running the Juniper NSM GUI Server.  The NSM GUI
accepts connections from users using the NSM GUI Client, which allows
for administration of the NSM servers.");
  # https://support.juniper.net/support/eol/#software
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4f268744");
  script_set_attribute(attribute:"solution", value:
"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:netscreen-security_manager");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");

  script_copyright(english:"This script is Copyright (C) 2013-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service2.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/unknown", 7808);

  exit(0);
}

include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');

set_byte_order(BYTE_ORDER_BIG_ENDIAN);

# This plugin gets the version information by making a bogus login
# attempt. It can cause an IP to be blocked for an hour if several
# unsuccessful attempts are made (10 by default).
if(supplied_logins_only)
  audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Unless paranoid, before making any requests, make sure
# the host is not running Windows. NSM only runs on Solaris
# or RHEL
if(report_paranoia < 2 && os = get_kb_item('Host/OS'))
{
  if('Linux' >!< os && 'Solaris' >!< os)
    audit(AUDIT_HOST_NOT, 'Unix/Linux');
}

if(thorough_tests && ! get_kb_item("global_settings/disable_service_discovery") )
{
  port = get_unknown_svc(port);

  if(!port)
    audit(AUDIT_SVC_KNOWN);
}
else
{
  port = 7808;
  if(!service_is_unknown(port:7808))
    audit(AUDIT_SVC_KNOWN);;
}

if(known_service(port:port))
  audit(AUDIT_SVC_KNOWN);
if(!get_tcp_port_state(port))
  audit(AUDIT_PORT_CLOSED, port);

if(!get_port_state(port))
  audit(AUDIT_NOT_LISTEN, "Junipers NSM GUI Server", port);

soc = open_sock_tcp(port);
if(!soc)
  audit(AUDIT_SOCK_FAIL, port);

encaps = get_port_transport(port);

login_req =
'\x03\x00\x00\x00' + # constant
'\x00\x00\x00\x01' + # seq
'\x01' + # start of data
'authManager' + # module
'\x00' +
# command string
'(authManager\n' +
  ':command (authenticate):request (\n' +
  ':userName (nessus):password (bad_password):domainName (global):protocolVersion (bogus_protocol)))' +
'\x00'; # end of data

# prepend length
login_req = mkdword(strlen(login_req)) + login_req;

send(socket:soc, data:login_req);

temp = recv(socket:soc, length:4);

data_len = getdword(blob:temp, pos:0);

# sanity check
if (data_len > 10 * 1024 || data_len <= 16)
{
  close(soc);
  audit(AUDIT_NOT_INST, "Juniper NSM GUI Server");
}

data = recv(socket:soc, length:data_len);
if (strlen(data) != data_len)
{
  close(soc);
  audit(AUDIT_NOT_INST, "Juniper NSM GUI Server");
}

if (
   # blocked notification
   ("guiNotification" >!< data || "SYSTEM.blockedIPList" >!< data) &&
   # general auth response
   (":authStatus (" >!< data || "(authManager" >!< data ||
    ":status (" >!< data || ":response (" >!< data)
)
{
  close(soc);
  audit(AUDIT_NOT_INST, "Juniper NSM GUI Server");
}

register_service(port:port, ipproto:"tcp", proto:"juniper_nsm_gui_svr");

disp_version = "unknown";

response = substr(data,12,strlen(data)-4);

# save the response
set_kb_item(name:"Juniper_NSM_GuiSvr/" + port + "/auth_response",
            value:response);

# unless we are blocked, we should get a helpful
# response which tells us what client version we
# *should* be using, and even where we may go to
# download it
ver_item = eregmatch(pattern: 'server version:[ ]*([^"]+)"',
                     string: response);
build_item = eregmatch(pattern: "guiSvrBuild[ ]*\(([^\)]+)\)",
                       string: response);

if (!isnull(ver_item) && !isnull(build_item))
{
  set_kb_item(name:"Juniper_NSM_GuiSvr/" + port + "/version",
              value:ver_item[1]);
  set_kb_item(name:"Juniper_NSM_GuiSvr/" + port + "/build",
              value:build_item[1]);
  replace_kb_item(name:"Juniper_NSM_VerDetected", value:TRUE);

  disp_version = ver_item[1] + " (Build: " + build_item[1] + ")";
}

report = '\n  Version : ' + disp_version;

if (report_verbosity > 1)
  report += '\n  Server response :\n\n' +
            crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n'+
            chomp(response) + '\n' +
            crap(data:"-", length:30)+" snip "+crap(data:"-", length:30);

report += '\n';

if (report_verbosity > 0) security_note(extra:report, port:port);
else security_note(port);
03 Nov 2025 00:00Current
5.5Medium risk
Vulners AI Score5.5