Simple NASL GET with Cookie and SSL

Hey,

I am trying to make a simple NASL script to replicate this simple curl and act on the result:

curl -v -k --silent --cookie “fooCookie” https://fooIP/bar.js

Which works without a problem.
I tried putting up a very simple NASL with:

(...)
include("http_func.inc");
include("port_service_func.inc");

display("Starting up");

port = 443; 
host = http_host_name( port:port );
cookie = "fooCookie";
url = "/bar.js";

req = string( "GET ", url, " HTTP/1.1\r\n",
              "Host: ", host, "\r\n",
              "Cookie: ", cookie, "\r\n",
              "\r\n" );

display("Request: " + req);

res = http_send_recv( port:port, data:req );
display("Result: "+ res);
(...)

Then run it with:

openvas-nasl -t fooIP -i pathToPlugins thisCustom.nasl -X -T out.log -d --kb=“Ports/tcp/443=1”

And the result is:

:: Starting up
:: Request: GET /bar.js HTTP/1.1
Host: fooHost
Cookie: fooCookie
:: set key nvt_debug_misc/ → #-#http_send_recv(): Using a HTTP/1.1 request without a ‘User-Agent:’ header passed in ‘data’ variable. Adding it automatically to the request.
:: Result:
:: set key HostDetails → EXIT_CODE
:: set key HostDetails/NVT/(null)/EXIT_CODE → EXIT_NOTVULN

The result from http_send_recv is always empty. I have tried some different functions but to the same outcome. Couldn’t get much out of the out.log file.

As I have never worked with NASLs I guess this might be a newbie problem.

Thanks in advance

Hi,

In general there are already some pretty handy functions available for HTTP based tasks. E.g. http_get_port() http_get_req() etc. for tasks like in your example. So best to have a look at http_func.inc and http_keepalive.inc and already available VTs from the feed how to use them.

However the main problem here is the call over openvas-nasl. As this is over HTTPS the scanner needs to know what protocol it has to use. So you either use something like

openvas-nasl -X -B -d find_service.nasl thisCustom.nasl --kb="Ports/tcp/443=1" -t $target

which will try to find the service and protocol for itself or explicitly tell what protocol to use e.g. by

openvas-nasl -X -B -d thisCustom.nasl --kb "Transports/TCP/443=7" --kb "Services/www=443" -t $target

Hope this helps.
Chris

3 Likes

It was exactly it, calling by explicitly telling which protocol works. I guess when it is openvas running it, it sees the required scripts, runs them first, understands that ssl is on 443 and only then runs this script.

–kb “Transports/TCP/443=7”

I had to use “port=443” because “port = http_get_port( default:443 );” was not working. Still trying to figure out why.

Thank you for your time @ckuerste!

2 Likes

The reason for this is the unscanned_closed = yes default of the scanner. Some additional info can be found here:

2 Likes

@cfi
hi,
I have the same problem, did you solve it?
http_get_port ,is 0. but I used nmap,port is open。
I don’t know where unscanned_closed is set? I read some information some say in openvassd.conf settings, I can’t find this (openvassd.conf) file,
Info: kali, GSA 21.4.3, openvas-nasl 21.4.3

it is /etc/openvas/openvas.conf

2 Likes