FW: SMB credentials and Administrator lockouts

Didn't copy the mailing list.
Net, please reply directly to the mailing list.

Regards,
~Danesh

---------- Forwarded message ----------
From: Danesh <danesh.i@gmail.com>
Date: Aug 23, 2005 8:13 PM
Subject: Re: FW: SMB credentials and Administrator lockouts
To: net sec <netsec9@hotmail.com>


Hi Net,

If you look at smb_login.nasl (usually in
/usr/local/lib/nessus/plugins/) you will see it try logging in using
the administrator, and rand_lg (= string ( "nessus", rand() ... );). I
think your problem lies there. I don't think that though will disable
the account, as that only tries one admin password and 1 user password
(to check if the admin password is null, and to see if the guest
account is enabled).

On the other hand if you are testing using SMB log in with W32/Deloder
passwords (smb_login_deloder.nasl) then thats a different issue. Read
the description for more info but from what I gather if it doesn't
have a localuser login it tries various password for the Admin
account.

A few notes though..
a) Using safe checks, or disabling dangerous plugins should stop such
things from happening. Have you checked that option or is there a
plugin you want run which is 'dangerous'?
b) Admin accounts can get locked out but even so, only local services
which try to start using the account on reboot will fail. The user
will still be able to login without any problems.
c) There is no c, aren't a and b enough?

Please correct me if I'm wrong. netsec, I don't recommend editing the
nasl files, doing so is a violation of the terms (I believe).

Regards,
~Danesh


On 8/23/05, net sec <netsec9@hotmail.com> wrote:
> My supplied credentials are actually working fine and producing results.
> It's just the side effect that each machine I hit gets it's Administrator
> account locked out if I run multiple scans.  I can't figure out why nessus
> is attempting to authenticate each target PC as Administrator in addition to
> my supplied credentials.
>
>
> ----Original Message Follows----
> From: "Scott Champine" <SChampine@peoriaud.k12.az.us>
> To: <nessus@list.nessus.org>
> Subject: FW: SMB credentials and Administrator lockouts
> Date: Tue, 23 Aug 2005 15:10:54 -0700
>
> Just out of curiosity are you putting in your actual username?
>
> For example: localmachinename or domainuser
>
>
> If you're logging in from a network onto a system you normally have to
> add the localmachinename\localmachineusername or Domainname\domainuser
> if you want to log into a machine. I'm just trying to throw a bone maybe
> it will help you, maybe you've already tried it. Thanks.
>
>
> So try:      Localmachinename\localmachineusername or
> Domainname\domainuser
>
>
> Scott Champine
> Lan Tech II
> Peoria Unified School District
> "Make things as simple as possible, but no simpler."  - Albert Einstein
>
> -----Original Message-----
> From: nessus-bounces@list.nessus.org
> [mailto:nessus-bounces@list.nessus.org] On Behalf Of net sec
> Sent: Tuesday, August 23, 2005 2:47 PM
> To: nessus@list.nessus.org
> Subject: RE: SMB credentials and Administrator lockouts
>
> Still searching....I can see how I can disable default *nix logins but
> not
> Windows.
>
> We have changed our server Administrator to an alternative name but I
> don't
> want to lock out 300 local workstation administrators.
>
> Can someone throw me a bone?  I'm stuck.
>
>
> ----Original Message Follows----
> From: "net sec" <netsec9@hotmail.com>
> To: nessus@list.nessus.org
> Subject: SMB credentials and Administrator lockouts
> Date: Tue, 23 Aug 2005 02:22:22 +0000
>
> I am running scans on a primarily Windows 2000/2003 subnet using my own
> credentials (NOT Administrator) as provided in the SMB login section of
> the
> client(both GTK and NessusWX).  Despite having supplied credentials, I
> am
> continuously locking out all Administrator(local and Domain) accounts on
> all
> the devices I target.  We restrict users to 5 failed password attempts
> before locking out the account per domain policy.
>
> After doing some additional digging via Windows Event Logs and tcpdump,
> it
> is apparent that nessus is attempting to do an authentication using the
> name
> 'administrator' despite the supplied SMB credentials.  It appears (from
> event logs) that nessus attempts 'administrator, nessus..random_number,
> supplied SMB credentials.
>
> Below is output from the event log of a targeted system in chronological
>
> order:
>
> Logon Failure:
>         Reason:         Unknown user name or bad password
>         User Name:      administrator
>
> Logon Failure:
>         Reason:         Unknown user name or bad password
>         User Name:      nessus48095321612101650981206322540
>
> Successful Network Logon:
>         User Name:      SMBlogin
>         Domain:         SMBDomain
>
> Why is this, can I turn it off, anyone else run into this?
>
> My Admins are NOT happy with me!
>
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus