My supplied credentials are actually working fine and producing results.
It's just the side effect that each machine I hit gets it's Administrator
account locked out if I run multiple scans. I can't figure out why nessus
is attempting to authenticate each target PC as Administrator in addition to
my supplied credentials.
----Original Message Follows----
From: "Scott Champine" <SChampine@peoriaud.k12.az.us>
To: <nessus@list.nessus.org>
Subject: FW: SMB credentials and Administrator lockouts
Date: Tue, 23 Aug 2005 15:10:54 -0700
Just out of curiosity are you putting in your actual username?
For example: localmachinename or domainuser
If you're logging in from a network onto a system you normally have to
add the localmachinename\localmachineusername or Domainname\domainuser
if you want to log into a machine. I'm just trying to throw a bone maybe
it will help you, maybe you've already tried it. Thanks.
So try: Localmachinename\localmachineusername or
Domainname\domainuser
Scott Champine
Lan Tech II
Peoria Unified School District
"Make things as simple as possible, but no simpler." - Albert Einstein
-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of net sec
Sent: Tuesday, August 23, 2005 2:47 PM
To: nessus@list.nessus.org
Subject: RE: SMB credentials and Administrator lockouts
Still searching....I can see how I can disable default *nix logins but
not
Windows.
We have changed our server Administrator to an alternative name but I
don't
want to lock out 300 local workstation administrators.
Can someone throw me a bone? I'm stuck.
----Original Message Follows----
From: "net sec" <netsec9@hotmail.com>
To: nessus@list.nessus.org
Subject: SMB credentials and Administrator lockouts
Date: Tue, 23 Aug 2005 02:22:22 +0000
I am running scans on a primarily Windows 2000/2003 subnet using my own
credentials (NOT Administrator) as provided in the SMB login section of
the
client(both GTK and NessusWX). Despite having supplied credentials, I
am
continuously locking out all Administrator(local and Domain) accounts on
all
the devices I target. We restrict users to 5 failed password attempts
before locking out the account per domain policy.
After doing some additional digging via Windows Event Logs and tcpdump,
it
is apparent that nessus is attempting to do an authentication using the
name
'administrator' despite the supplied SMB credentials. It appears (from
event logs) that nessus attempts 'administrator, nessus..random_number,
supplied SMB credentials.
Below is output from the event log of a targeted system in chronological
order:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Logon Failure:
Reason: Unknown user name or bad password
User Name: nessus48095321612101650981206322540
Successful Network Logon:
User Name: SMBlogin
Domain: SMBDomain
Why is this, can I turn it off, anyone else run into this?
My Admins are NOT happy with me!
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
