Title page for etd-0706103-153236
Title
Code Automation for Vulnerability Scanner (Chinese title: 弱點掃描器之攻擊程式碼自動化)
Department
Year, semester
Language
Degree
Number of pages
78
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2003-07-01
Date of Submission
2003-07-06
Keywords
Vulnerability Scanner, Code Automation, Attack Language, Network Security
Statistics
The thesis/dissertation has been browsed 5814 times, has been downloaded 0 times.
Abstract
As more and more vulnerabilities are discovered and the Internet becomes ubiquitous, users face an increasingly dangerous network environment, so they need to understand the risk to their own systems at all times. A vulnerability scanner provides this capability: it checks whether a system is vulnerable, so that the risk to the host can be kept to a minimum.
Nessus is a vulnerability scanner that lets users define their own security checks. It provides an attack language called NASL, in which users can write security checks themselves. Before writing a security check, however, users must understand the architecture of the Nessus scanner and learn the syntax of NASL.
Different vulnerabilities also require different detection approaches and communication methods. Users without this knowledge cannot write a security check.
In this research, we develop a mechanism that automatically generates code for the Nessus scanner and produces a security check. We provide two approaches to producing the security check. The first is modularization: the code for each small function is collected into a module, and the modules are combined into a complete security check. The second is the package: users do not need to work with the attack code at all and only fill in the parameters the package requires to produce a security check.
This research proposes the design above and implements a system that generates attack code. It attempts to reduce the knowledge users need in order to write security checks, to reduce the rate of errors caused by human typos, and to improve the efficiency and correctness of writing security checks.

Table of Contents
Chapter 1 Introduction
1.1 Insecure Networks
1.2 Research Motivation
1.3 Research Process
1.4 Synopsis
Chapter 2 Related Studies
2.1 Vulnerability Scanners
2.2 The Nessus scanner
2.3 The Attack Language
2.4 NASL-Nessus Attack Script Language
Chapter 3 Research Design
3.1 Plugin Analysis and Attack Code Modularization
3.2 Plugin by Package
3.3 Database Design for Code Generator
Chapter 4 System Implementation
4.1 System Architecture
4.1.1 The Maintenance Interface
4.1.2 The code generator
4.2 Statistic Data of Research Analysis
Chapter 5 System Prototype
5.1 NASL function operation
5.2 Knowledge base operation
5.3 Module operation
5.4 Package operation
5.5 Generating Plugin Operation
Chapter 6 Evaluation
6.1 The worms of experiment
6.2 Experiment for package
Chapter 7 Conclusions
7.1 The contribution of the research
7.2 The future work
References
Appendix

Fulltext
Thesis access permission: not available on campus or off campus
Available:
Campus: never available
Off-campus: never available

Printed copies
Available: publicly available