This plugin runs pnscan to find open ports.
Pnscan is a lite multi-threaded port scanner.
##############################################################################
# OpenVAS Vulnerability Test
#
# NASL wrapper around pnscan portscanner
#
# Author:
# Vlatko Kosturjak <[email protected]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
#
# TODO:
# - report back banners grabbed
#
tag_summary = "This plugin runs pnscan to find open ports.
Pnscan is a lite multi-threaded port scanner.";
if(description)
{
script_id(80001);
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_version("$Revision: 8023 $");
script_tag(name:"last_modification", value:"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $");
script_tag(name:"creation_date", value:"2008-08-31 23:34:05 +0200 (Sun, 31 Aug 2008)");
script_tag(name:"cvss_base", value:"0.0");
name = "pnscan (NASL wrapper)";
script_name(name);
script_category(ACT_SCANNER);
script_tag(name:"qod_type", value:"remote_banner");
script_copyright("This script is Copyright (C) 2008-2010 Vlatko Kosturjak");
family = "Port scanners";
script_family(family);
script_add_preference(name:"Pnscan Timeout", type:"entry", value: "");
script_add_preference(name:"Pnscan Concurrent worker threads", type:"entry", value: "");
script_dependencies("toolcheck.nasl", "ping_host.nasl");
script_mandatory_keys("Tools/Present/pnscan");
script_tag(name : "summary" , value : tag_summary);
exit(0);
}
ip = get_host_ip();
esc_ip = ""; l = strlen(ip);
for (i = 0; i < l; i ++)
if (ip[i] == '.')
esc_ip = strcat(esc_ip, "\.");
else
esc_ip = strcat(esc_ip, ip[i]);
prange = get_preference("port_range");
if (! prange) prange = "1-65535";
portrangelist=split(prange,sep:",",keep:FALSE);
size=max_index(portrangelist);
# Remove UDP elements. Strip leading "T:" off TCP elements.
i=0; j=0;
new_portrangelist = make_array ();
tcp = 1;
for (i=0; i<size; i++) {
if (substr (portrangelist[i], 0, 1) == "U:") {
# Skip UDP elements.
tcp = 0;
} else if (substr (portrangelist[i], 0, 1) == "T:") {
# Strip off leading "T:".
new_portrangelist[j] = substr (portrangelist[i], 2);
j++;
tcp = 1;
} else if (tcp == 1) {
new_portrangelist[j] = portrangelist[i];
j++;
}
}
portrangelist = new_portrangelist;
# optimize list of ports; assumes sorted array
i=0; j=0; l=0;
for (i=0; i<size; i++) {
beg = split (portrangelist[i],sep:"-",keep:FALSE);
if (isnull(beg[1])) {
portrangelist[i]=beg[0];
} else {
if (int(beg[0])>int(beg[1])) {
tmpvar=beg[0];
beg[0]=beg[1];
beg[1]=tmpvar;
}
portrangelist[i]=beg[0] + "-" + beg[1];
}
for (j=i;j<size; j++) {
prs = split (portrangelist[j],sep:"-",keep:FALSE);
prsnext = split (portrangelist[j+1],sep:"-",keep:FALSE);
if (isnull(prs[1]) && isnull(prsnext[1])) {
if (prsnext[0] == (int(prs[0])+1)) {
beg[1]=prsnext[0];
i++;
} else {
break;
}
}
if (isnull(prs[1]) && (!isnull(prsnext[1]))) {
if (prsnext[0] == int(prs[0]+1)) {
beg[1]=prsnext[1];
i++;
} else {
break;
}
}
if ((!isnull(prs[1])) && isnull(prsnext[1])) {
if (prsnext[0] == int(prs[1]+1)) {
beg[1]=prsnext[0];
i++;
} else {
break;
}
}
if ((!isnull(prs[1])) && (!isnull(prsnext[1]))) {
if (prsnext[0] == int(prs[1]+1)) {
beg[1]=prsnext[1];
i++;
} else {
break;
}
}
}
if (isnull(beg[1])) {
prlist[l]=beg[0];
} else {
prlist[l]=beg[0] + "-" + beg[1];
}
l++;
}
n_ports = 0;
oports[0]=0;
foreach pr (prlist) {
i = 0;
argv[i++] = "pnscan";
argv[i++] = "-l";
p = script_get_preference("Pnscan Timeout");
if ( p) argv[i++] = "-t "+p;
p = script_get_preference("Pnscan Concurrent worker threads");
if ( p) argv[i++] = "-n "+p;
argv[i++] = ip;
# replace patterns like 1-65535 to 1:65535
pr2 = ereg_replace (string:pr, pattern:"-",replace:":",icase:FALSE);
argv[i++] = pr2;
res = pread(cmd: "pnscan", argv: argv, cd: 1, nice: 5);
# IP_ADDRESS:PORT:TYPE:FULL_BANNER
# 127.0.0.1 : 22 : TXT : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
# 127.0.0.1 : 3306 : HEX : 40 00 00 00 0a 35 2e 30 2e 35 31 61 2d 33 75 62 75 6e 74 75 35 2e 31 00 30 00 00 00 2f 26 6f 21 50 50 22 58 00 2c a2 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 56 39 5a 39 4b 50 2d 32
foreach line(split(res))
{
v = eregmatch(string: line, pattern: '^'+esc_ip+' *: *([0-9]+) *:([^:]*): *(.*)$');
if (! isnull(v))
{
port = v[1];
if (isnull(oports[port])) {
n_ports++;
oports[port]=port;
proto = "tcp";
scanner_add_port(proto: proto, port: port);
}
}
}
}
if (n_ports == 0) {
log_message(port:0,proto:"tcp",data:"Host does not have any TCP port open which is specified in port range");
}
set_kb_item(name: "Host/scanned", value: TRUE);
set_kb_item(name: 'Host/scanners/pnscan', value: TRUE);
if (pr2 == '1:65535')
set_kb_item(name: "Host/full_scan", value: TRUE);
scanner_status(current: 65535, total: 65535);
exit (0);