openvas | Copyright (C) 2017 Greenbone AG | OPENVAS:1361412562310112137
History: Nov 23, 2017 - 12:00 a.m.

Greenbone Security Manager (GSM) / Greenbone OS (GOS) Detection (HTTP)

2017-11-23 00:00:00
Copyright (C) 2017 Greenbone AG
plugins.openvas.org
75
product detection
generate information
greenbone ag


HTTP based detection of the Greenbone Security Manager (GSM) /
Greenbone OS (GOS).

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Description phase: only registers the plugin's metadata and scheduling constraints, then returns
# before any network traffic is generated.
if(description)
{
  # Identity of the check.
  script_oid("1.3.6.1.4.1.25623.1.0.112137");
  script_name("Greenbone Security Manager (GSM) / Greenbone OS (GOS) Detection (HTTP)");
  script_family("Product detection");
  script_copyright("Copyright (C) 2017 Greenbone AG");

  # Revision bookkeeping.
  script_version("2024-06-11T05:05:40+0000");
  script_tag(name:"creation_date", value:"2017-11-23 10:50:05 +0100 (Thu, 23 Nov 2017)");
  script_tag(name:"last_modification", value:"2024-06-11 05:05:40 +0000 (Tue, 11 Jun 2024)");

  # nb: Pure information gathering, so the severity is 0.0 with an all-"None" impact vector. A hit
  # means "the product is present", not "the host is vulnerable".
  script_category(ACT_GATHER_INFO);
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_tag(name:"cvss_base", value:"0.0");

  # nb: The result is derived from content the remote web service returns without authentication,
  # hence the banner-level quality of detection.
  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"summary", value:"HTTP based detection of the Greenbone Security Manager (GSM) /
  Greenbone OS (GOS).");

  # Scheduling: plugins that have to run first, the ports of interest and the KB key that is
  # declared as an exclusion for this check.
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 443);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");

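# Attack phase: fingerprints the GSM / GOS web interface from its login page and, for GOS 5.0+,
# from /config.js, then records product, version and appliance type in the knowledge base (KB).
#
# nb: Every string matched below comes from an unauthenticated HTTP response. Any web server can
# return the same markers, so the KB entries written here are banner-level evidence (see the
# "remote_banner" qod_type) and the extracted version / type are server-controlled text.

# nb: Presumably resolved from the registered web services with 443 as the fallback; the exact
# behaviour lives in the includes.
port = http_get_port( default:443 );

# nb: On GOS 5.0+ the URL is just "/login" but GSA has a "catchall" login page so this URL works as well
url = "/login/login.html";
buf = http_get_cache( item:url, port:port );

if( buf =~ "^HTTP/1\.[01] 200" &&
    (
      # nb: GOS 4.3 and below
      ( "<title>Greenbone Security Assistant" >< buf && "Greenbone OS" >< buf ) ||
      # nb: GOS 5.0+
      '"title">Greenbone Security Manager</span>' >< buf || "<title>Greenbone Security Manager</title>" >< buf ||
      # nb: GOS 22.04+
      "<title>Greenbone Enterprise Appliance</title>" >< buf
    )
  ) {

  set_kb_item( name:"greenbone/gos/detected", value:TRUE );
  set_kb_item( name:"greenbone/gos/http/detected", value:TRUE );
  set_kb_item( name:"greenbone/gos/http/port", value:port );
  set_kb_item( name:"greenbone/gos/http/" + port + "/detected", value:TRUE );

  # nb: To tell http_can_host_asp and http_can_host_php from http_func.inc that the service is not
  # supporting these.
  replace_kb_item( name:"www/" + port + "/can_host_php", value:"no" );
  replace_kb_item( name:"www/" + port + "/can_host_asp", value:"no" );

  vers = "unknown";

  # <div class="gos_version">Greenbone OS 1.2.3</div>
  # <span class="version">Greenbone OS 1.2.3</span>
  # <span class="version">Version Greenbone OS 1.2.3</span>
  #
  # nb: The capture group accepts anything up to the next "<" and the value is stored as-is, so
  # consumers of the version KB entry should not assume a strict version syntax.
  version = eregmatch( string:buf, pattern:'<(div|span) class="(gos_)?version">(Version )?Greenbone OS ([^<]+)</(div|span)>', icase:FALSE );
  if( ! isnull( version[4] ) ) {
    vers = version[4];
    concluded = version[0];
    conclurl  = http_report_vuln_url( port:port, url:url, url_only:TRUE );
  }

  # This is GOS 5.0+
  if( vers == "unknown" ) {
    url2 = "/config.js";
    req = http_get( item:url2, port:port );
    buf2 = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );

    # config = {
    #     vendorVersion: 'Greenbone OS 5.0.1',
    #     vendorLabel: 'gsm-one_label.svg',
    # }
    #
    # or:
    #
    # config = {
    #     vendorVersion: 'Greenbone OS 5.0.1',
    #     vendorLabel: 'gsm-600_label.svg',
    # }
    if( buf2 =~ "^HTTP/1\.[01] 200" && "Greenbone OS" >< buf2 ) {
      version = eregmatch( string:buf2, pattern:"vendorVersion: 'Greenbone OS ([^']+)',", icase:FALSE );
      if( ! isnull( version[1] ) ) {
        vers = version[1];
        concluded = version[0];
        conclurl  = http_report_vuln_url( port:port, url:"/login", url_only:TRUE ); # nb: See note about /login/login.html above...
      }
    }
  }

  type = "unknown";
  # nb: Remembers whether the appliance type was taken from /config.js instead of the login page so
  # that the reported URL names the right source.
  type_from_config = FALSE;

  # e.g.:
  # <img src="/img/gsm-one_label.svg"></img>
  # <img src="/img/GSM_DEMO_logo_95x130.png" alt=""></td>
  # vendorLabel: 'gsm-one_label.svg',
  _type = eregmatch( string:buf, pattern:'<img src="/img/gsm-([^>]+)_label\\.svg"></img>', icase:FALSE );
  if( ! _type[1] ) {
    _type = eregmatch( string:buf, pattern:'<img src="/img/GSM_([^>]+)_logo_95x130\\.png" alt=""></td>', icase:FALSE );
  }

  if( ! _type[1] ) {
    # nb: buf2 is only filled when /config.js was requested above, otherwise nothing matches here.
    _type = eregmatch( string:buf2, pattern:"vendorLabel: 'gsm-([^']+)_label\.svg',", icase:FALSE );
    if( _type[1] )
      type_from_config = TRUE;
  }

  if( _type[1] ) {
    # nb: Products are named uppercase
    type = toupper( _type[1] );

    # nb: The type can match although no version matched anywhere. Appending unconditionally then
    # left "concluded" with a leading newline and "conclurl" either unset or starting with " and ",
    # so both are only joined to an existing value and are set directly otherwise.
    if( concluded )
      concluded += '\n' + _type[0];
    else
      concluded = _type[0];

    if( type_from_config ) {
      if( conclurl )
        conclurl += " and " + http_report_vuln_url( port:port, url:url2, url_only:TRUE );
      else
        conclurl = http_report_vuln_url( port:port, url:url2, url_only:TRUE );
    } else if( ! conclurl ) {
      conclurl = http_report_vuln_url( port:port, url:url, url_only:TRUE );
    }
  }

  set_kb_item( name:"greenbone/gos/http/" + port + "/version", value:vers );
  set_kb_item( name:"greenbone/gsm/http/" + port + "/type", value:type );

  # nb: "concluded" and "conclurl" are always set together above, so the URL entry is never written
  # without a value.
  if( concluded ) {
    set_kb_item( name:"greenbone/gos/http/" + port + "/concluded", value:concluded );
    set_kb_item( name:"greenbone/gos/http/" + port + "/concludedUrl", value:conclurl );
  }
}

exit( 0 );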
