
| Subject: | Re: FW: SMB credentials and Administrator lockouts |
|---|---|
| Date: | Tue, 23 Aug 2005 23:36:08 -0400 |

Hi Net,

If you look at the script 10902 (smb_group_admin.nasl) it does have
the following in it..

script_dependencies("netbios_name_get.nasl",
"smb_login.nasl");

So the plugin 10394 is probably being run.

To make sure you could always check
/usr/local/var/nessus/logs/nessusd.messages (by default). It should
list all the plugins as they are run.

One incorrect password shouldn't lock out the account so make sure you
aren't running some other nasl files which check the smb passwords for
the admin account (like the W32/Deloder check). Once again check the
logs to see which nasl files are actually being run.

Consider the bone thrown :)

Regards,
~Danesh.

On 8/23/05, net sec <netsec9@hotmail.com> wrote:

Thanks Danesh!!

I agree that particular plugin may be the culprit and when I saw the nasl script I had a brief AH-HAH moment. However, in doing some testing I don't think this is the plugin responsible for the behavior.

I do have safe checks enabled and when I enable just a single plugin for a session (example 10902 = check members of Admin) with dependencies enabled I find that an attempt is still made to authenticate to the target using 'administrator'. My bet at that point was that the plugin smb_login (ID 10394) was simply a dependency of 10902 and that's why it triggered. However, when I look at my .nessusrc after initiating the scan and grep for 10394 I get the result "10394=no".

Is my logic incorrect here in terms of checking which plugins are running at execution time? Is the basic logic of any Windows plugin going to check for a blank administrator account? I can do workarounds but I would really like to understand the mechanism here.

----Original Message Follows----
From: Danesh <danesh.i@gmail.com>
To: nessus@list.nessus.org
CC: netsec9@hotmail.com
Subject: FW: SMB credentials and Administrator lockouts
Date: Tue, 23 Aug 2005 20:14:56 -0400

Didn't copy the mailing list. Net, please reply directly to the mailing list.

Regards,
~Danesh

---------- Forwarded message ----------
From: Danesh <danesh.i@gmail.com>
Date: Aug 23, 2005 8:13 PM
Subject: Re: FW: SMB credentials and Administrator lockouts
To: net sec <netsec9@hotmail.com>

Hi Net,

If you look at smb_login.nasl (usually in /usr/local/lib/nessus/plugins/) you will see it try logging in using the administrator, and rand_lg (= string ( "nessus", rand() ... );). I think your problem lies there. I don't think that though will disable the account, as that only tries one admin password and 1 user password (to check if the admin password is null, and to see if the guest account is enabled).

On the other hand if you are testing using SMB log in with W32/Deloder passwords (smb_login_deloder.nasl) then that's a different issue. Read the description for more info but from what I gather if it doesn't have a localuser login it tries various passwords for the Admin account.

A few notes though..

a) Using safe checks, or disabling dangerous plugins should stop such things from happening. Have you checked that option or is there a plugin you want run which is 'dangerous'?

b) Admin accounts can get locked out but even so, only local services which try to start using the account on reboot will fail. The user will still be able to login without any problems.

c) There is no c, aren't a and b enough?

Please correct me if I'm wrong.

netsec, I don't recommend editing the nasl files, doing so is a violation of the terms (I believe).

Regards,
~Danesh

On 8/23/05, net sec <netsec9@hotmail.com> wrote:
> My supplied credentials are actually working fine and producing results.
> It's just the side effect that each machine I hit gets its Administrator
> account locked out if I run multiple scans. I can't figure out why nessus
> is attempting to authenticate each target PC as Administrator in addition to
> my supplied credentials.
>
> ----Original Message Follows----
> From: "Scott Champine" <SChampine@peoriaud.k12.az.us>
> To: <nessus@list.nessus.org>
> Subject: FW: SMB credentials and Administrator lockouts
> Date: Tue, 23 Aug 2005 15:10:54 -0700
>
> Just out of curiosity are you putting in your actual username?
>
> For example: localmachinename or domainuser
>
> If you're logging in from a network onto a system you normally have to
> add the localmachinename\localmachineusername or Domainname\domainuser
> if you want to log into a machine. I'm just trying to throw a bone maybe
> it will help you, maybe you've already tried it. Thanks.
>
> So try: Localmachinename\localmachineusername or
> Domainname\domainuser
>
> Scott Champine
> Lan Tech II
> Peoria Unified School District
> "Make things as simple as possible, but no simpler." - Albert Einstein
>
> -----Original Message-----
> From: nessus-bounces@list.nessus.org
> [mailto:nessus-bounces@list.nessus.org] On Behalf Of net sec
> Sent: Tuesday, August 23, 2005 2:47 PM
> To: nessus@list.nessus.org
> Subject: RE: SMB credentials and Administrator lockouts
>
> Still searching....I can see how I can disable default *nix logins but
> not Windows.
>
> We have changed our server Administrator to an alternative name but I
> don't want to lock out 300 local workstation administrators.
>
> Can someone throw me a bone? I'm stuck.
>
> ----Original Message Follows----
> From: "net sec" <netsec9@hotmail.com>
> To: nessus@list.nessus.org
> Subject: SMB credentials and Administrator lockouts
> Date: Tue, 23 Aug 2005 02:22:22 +0000
>
> I am running scans on a primarily Windows 2000/2003 subnet using my own
> credentials (NOT Administrator) as provided in the SMB login section of
> the client(both GTK and NessusWX). Despite having supplied credentials, I
> am continuously locking out all Administrator(local and Domain) accounts on
> all the devices I target. We restrict users to 5 failed password attempts
> before locking out the account per domain policy.
>
> After doing some additional digging via Windows Event Logs and tcpdump,
> it is apparent that nessus is attempting to do an authentication using the
> name 'administrator' despite the supplied SMB credentials. It appears (from
> event logs) that nessus attempts 'administrator, nessus..random_number,
> supplied SMB credentials.
>
> Below is output from the event log of a targeted system in chronological
> order:
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: administrator
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: nessus48095321612101650981206322540
>
> Successful Network Logon:
> User Name: SMBlogin
> Domain: SMBDomain
>
> Why is this, can I turn it off, anyone else run into this?
>
> My Admins are NOT happy with me!

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
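
The dependency mechanism discussed in this thread, as an added example that is not part of the original messages and is not Nessus code: it follows `script_dependencies` entries from a selected plugin and reports plugins that are set to "no" in the rc but are still reached as dependencies. The plugin bodies and rc entries are constructed; only the smb_group_admin.nasl dependency line and the IDs 10902 and 10394 come from the thread, and treating "dependencies enabled" as a transitive closure is an assumption.

```python
import re

# Constructed plugin sources. Only the smb_group_admin.nasl dependency line
# and the IDs 10902/10394 come from the thread; the rest are stand-ins.
SAMPLE_PLUGINS = {
    "smb_group_admin.nasl": 'script_id(10902);\n'
                            'script_dependencies("netbios_name_get.nasl",\n'
                            '"smb_login.nasl");\n',
    "smb_login.nasl": 'script_id(10394);\n'
                      'script_dependencies("netbios_name_get.nasl");\n',  # assumed
    "netbios_name_get.nasl": '# constructed stub, no dependencies\n',
}
# Constructed rc entries in the "id=yes|no" form quoted in the thread.
SAMPLE_RC = {"10902": "yes", "10394": "no"}

DEP_CALL = re.compile(r'script_dependencies\s*\((.*?)\)\s*;', re.S)
ID_CALL = re.compile(r'script_id\s*\(\s*(\d+)\s*\)')

def parse_plugin(source):
    """Return (script id or None, list of dependency file names)."""
    found = ID_CALL.search(source)
    deps = []
    for args in DEP_CALL.findall(source):
        deps.extend(re.findall(r'"([^"]+)"', args))
    return (found.group(1) if found else None, deps)

def launch_set(selected, plugins):
    """Plugin files reached from `selected` by following dependencies."""
    seen, stack = set(), [selected]
    while stack:
        name = stack.pop()
        if name in seen or name not in plugins:
            continue  # already visited, or source not available
        seen.add(name)
        stack.extend(parse_plugin(plugins[name])[1])
    return sorted(seen)

def pulled_in_despite_rc(selected, plugins, rc):
    """(id, file) pairs set to "no" in the rc yet reached as dependencies."""
    hits = []
    for name in launch_set(selected, plugins):
        plugin_id, _ = parse_plugin(plugins[name])
        if name != selected and rc.get(plugin_id) == "no":
            hits.append((plugin_id, name))
    return hits

if __name__ == "__main__":
    print(launch_set("smb_group_admin.nasl", SAMPLE_PLUGINS))
    print(pulled_in_despite_rc("smb_group_admin.nasl", SAMPLE_PLUGINS, SAMPLE_RC))
```
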