In the previous article, we discussed installing and using Nlog. In this article, we will discuss using add-ons and writing your own Nlog extensions.
Nlog Add-Ons
As mentioned earlier, Nlog is easily extensible and you can write add-ons to do other tests or functions on any protocols or ports found. In fact, there are several included with the program. If there is an add-on available, there will be a hypertext link next to the port and you can click on it to run the subprogram.
Nlog Built-in Extensions
Extensions | Descriptions |
---|---|
Nlog-rpc.pl | This add-on takes any RPC services that are found and attempts to find out if there are any current RPC attachments and exports for that service. |
Nlog-smb.pl | For any nodes running NetBIOS, this script tries to retrieve shares, user lists, and any other domain information it can get. It uses the user name and login specified in the nlog-config.ph file. |
Nlog-dns.pl | This script runs a standard nslookup command on the IP address. |
Nlog-finger.pl | This runs a query against any finger service found running to see what information is sent. |
If you examine these add-on scripts, you will observe that they are all just basic Perl programs. If you are experienced with Perl, you can write your own extensions to execute just about any function against your scanned hosts. For example, you can retrieve and display the HTTP header for any web servers found so you can more easily identify them. You don’t need to go overboard with this, because programs like Nessus can do much more comprehensive testing, but if you just need a banner or some small bit of information, then using Nlog is a good solution.
Nlog comes with a sample custom add-on called nlog-bind.pl. This script is designed to poll a DNS server and tell you what version of BIND (the Berkeley Internet Naming Domain) it is running. However, this script is not finished; it is provided as an exercise to create your own add-ons. The sample script is in /nlog*/extras/bind/. The following procedure guides you through finishing the script. You can use that format to create any custom script of your own.
- Compile the script using the Gcc compiler with the following command from that directory:
gcc -o bindinfo binfo-wdp.c
This creates a binary file called bindinfo in that directory.
- Copy this binary file to the directory where you are keeping your nlog scripts.
- Change the permissions on it to make it executable (remember that you have to be root to issue this command):
chmod 700 bindinfo
- Open your nlog-config.ph file in a text editor.
- Add this line:
$bindinfo = "/path/to/bindinfo";
Replace path/to/bindinfo with the location where you put the binary file.
- Save this file.
- Now edit nlog-search.pl. This is the Perl script that creates your search results page.
- Find the section that looks like this:
1: # here we place each cgi-handler into a temp var for readability.
2:
3: $cgiSunRPC = "sunrpc+$cgidir/nlog-rpc.pl+SunRPc";
4: $cgiSMB = "netbios-ssn+$cgidir/nlog-smb.pl+NetBIOS";
5: $cgiFinger = "finger+$cgidir/nlog-finger.pl+Finger";
6:
7: $qcgilinks = "$cgiSunRPC $cgiSMB $cgiFinger";
- Between lines 5 and 6, add a line that looks like:
$cgiBIND = "domain+$cgidir/nlog-bind.pl+BIND";
- Edit line 7 to look like this:
$qcgilinks = "$cgiSunRPC $cgiSMB $cgiFinger $cgiBIND";
Line 7 is also where you would add, in a similar fashion, links to any other scripts you had created.
- Copy the nlog-bind.pl file from this directory into your cgi-bin directory (/var/www/cgi on Mandriva), and change the permissions (chmod) so the application can read it.
Now when your Nmap scans find port 53 open (which is generally a DNS server), you can click on the link that Nlog creates and find out what version of BIND is running. You can write additional scripts to extend Nlog by following the logic in this example.
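The HTTP header idea mentioned earlier can be written as an add-on in the same style as the bundled scripts. The following is an added example, not code from Nlog or from the original article; the file name nlog-httphead.pl, the host and port query parameters, and the http handler line in the comment are assumptions.

```perl
#!/usr/bin/perl
# nlog-httphead.pl: hypothetical add-on name; not shipped with Nlog.
# Assumed registration in nlog-search.pl, same format as the other handlers:
#   $cgiHTTP = "http+$cgidir/nlog-httphead.pl+HTTP";
use strict; use warnings;
use IO::Socket::INET;

# Assumption: the link passes ?host=<ipv4>&port=<n>; check a bundled add-on
# for the parameter names your Nlog version really uses.
sub parse_target {
    my ($query) = @_;
    my %p;
    for my $pair (split /[&;]/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        $p{$k} = $v if defined $v;
    }
    my ($host, $port) = ($p{host} // '', $p{port} // 80);
    # The values come from a URL: accept only a dotted quad and a valid port.
    return unless $host =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return if grep { $_ > 255 } $1, $2, $3, $4;
    return unless $port =~ /\A\d{1,5}\z/ && $port >= 1 && $port <= 65535;
    return ($host, $port);
}

# Escape the server's reply before echoing it into the HTML page.
sub html_escape {
    my ($s) = @_;
    my %e = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$e{$1}/g;
    return $s;
}

# Send HEAD / and return the response header block (capped at about 8 KB).
sub fetch_headers {
    my ($host, $port) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp', Timeout => 5)
        or return "connect failed: $@\n";
    print $sock "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n";
    my $resp = '';
    while (my $line = <$sock>) {
        last if $line =~ /\A\r?\n\z/ || length($resp) > 8192;
        $resp .= $line;
    }
    return $resp;
}

alarm 15;    # bound total run time in case the server stalls mid-reply
print "Content-type: text/html\n\n<html><body><pre>\n";
my @t = parse_target($ENV{QUERY_STRING});
print @t ? html_escape("HTTP headers for $t[0]:$t[1]\n\n" . fetch_headers(@t))
         : "Invalid or missing host/port parameter.\n";
print "</pre></body></html>\n";
```

Because an add-on runs as a CGI script, anything in its query string can be set by whoever can reach the web server, which is why the target is validated before use and the reply is escaped before display.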
External Links:
Download Nlog at packetstormsecurity.com
2003 archive of secureaustin.com (the former official site of H.D. Moore, creator of Nlog)
The post Nlog Add-Ons and Extensions appeared first on pfSense Setup HQ.