
RE: plugin 19402

Subject: RE: plugin 19402
Date: Wed, 24 Aug 2005 18:31:42 -0000
What Nessus port scanners are you using and what ports are you scanning for?
You might try setting specific ports (i.e. 139, 445) for the port scanner(s)
to make sure Nessus sees the necessary ports.

Are you running your Nessus scan from a Windows client?  Or from a *nix/BSD
command line?

Chad


-----Original Message-----
From: Mark Natoli [mailto:natoli@syrres.com] 
Sent: Wednesday, August 24, 2005 1:26 PM
To: nessus@list.nessus.org
Cc: Chad I. Uretsky
Subject: RE: plugin 19402 


Hi,

  I have set up a test W2K server machine with no service packs or patches.
Eeye retina UMPN scanner shows it vulnerable.
  I ran a nessus report for only 19408 with auto_enable_dependencies=yes. It
returned this:

SUMMARY

 - Number of hosts which were alive during the test : 0
 - Number of security holes found : 0
 - Number of security warnings found : 0
 - Number of security notes found : 0

From the log:
[Wed Aug 24 14:26:06 2005][12400] user nessususer : testing hostname.ourdomain.com (192.168.21.154) [12409]
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching find_service.nes against hostname.ourdomain.com [12410]
[Wed Aug 24 14:26:06 2005][12409] find_service.nes (process 12410) finished its job in 0.117 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching cifs445.nasl against hostname.ourdomain.com [12411]
[Wed Aug 24 14:26:06 2005][12409] cifs445.nasl (process 12411) finished its job in 0.143 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_nativelanman.nasl against hostname.ourdomain.com [12413]
[Wed Aug 24 14:26:11 2005][12409] smb_nativelanman.nasl (process 12413) finished its job in 0.079 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
[Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
[Wed Aug 24 14:26:11 2005][12409] Finished testing hostname.ourdomain.com. Time: 5.47 secs
[Wed Aug 24 14:26:11 2005][12400] user nessususer : test complete


On Wed, 24 Aug 2005, Chad I. Uretsky wrote:

Hi Mark,

What is the OS on the machine that is "known to be vulnerable"?  
MS05-039 is not exploitable without credentials on any Win OS except 
2000.  Also, since you don't normally use auto_enable_dependencies, 
you may not be getting the other SMB scripts that need to run in order 
for 19408 to work (I haven't tested 19402 - it requires administrative 
privileges on the machine it is run against).

As far as the nessusrc, it gets multiple yes'es added if it has not 
yet been updated for new plugins which have been downloaded, as it 
adds the numbers for those plugins to the rc file and then turns them 
on.  You can write a very simple perl script to turn on only the 
plugins you want.  What I do (right now) is update my plugins, then 
launch a scan against a single host and wait for the rc file to get 
updated.  Then, I break the scan and run my perl script against the rc 
file to turn on only those plugins that I want. Of course, you could 
just backup your rc file, run a scan against a single host, then 
replace the new rc with your backed-up copy.  There are obviously 
several ways around this problem.

With the dependencies, just to be sure, you might try manually 
enabling plugin 13855 (smb_hotfixes.nasl), which 19402 is dependent on 
to set the SMB/Registry/Enumerated key.  You might try turning on 
"log_whole_attack" and see if you notice Nessus launching 13855 
(smb_hotfixes.nasl) and if it appears to complete successfully.  It 
also is dependent upon several plugins (another reason to use 
auto_enable_dependencies).  These dependencies are:

netbios_name_get.nasl
smb_login.nasl
smb_registry_full_access.nasl
smb_reg_service_pack.nasl
smb_reg_service_pack_W2K.nasl
smb_reg_service_pack_XP.nasl

So you might want to make sure they are enabled, as well as any of 
their dependencies (if you do not wish to use 
auto_enable_dependencies).

Regards,
Chad Uretsky



-----Original Message-----
From: nessus-bounces@list.nessus.org 
[mailto:nessus-bounces@list.nessus.org]
On Behalf Of Mark Natoli
Sent: Wednesday, August 24, 2005 9:29 AM
To: nessus@list.nessus.org
Subject: plugin 19402


Hi All,

  Using a combination of update-nessusrc and scripts run from cron, I 
have automated the daily scanning of multiple networks for 
vulnerabilities that have known worms. However I cannot get the new 
19402 (nor 19408) to test positive for a machine known to be vulnerable to
MS05-039.
  Here is a line from the log:
[Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching smb_kb899588.nasl against hostname1.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)

  Does anyone have a plugin that works?

  Also, after upgrading to 2.2.5 from 2.0.x, I had to make the 
.nessusrc read only to the owner of the script running cron. Without 
doing this, the .nessusrc is opened when the script is run and 
multiple yes'es are added to plugins, slowing down the report even 
though I don't have any dependencies
specified:  auto_enable_dependencies = no  silent_dependencies = no

  Any help?

  btw, I also tried enabling dependencies to get 19402 to work but 
this made no difference to me.

Thanks,
-Mark


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus
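
The check Chad suggests above (read the scan log to see whether smb_hotfixes.nasl and the scripts it depends on are launched and complete) can be automated. The Python script below is an added example, not part of the original thread or of Nessus; its function names are hypothetical, the sample log is constructed in the format quoted above (the smb_login.nasl line is invented), and it assumes a log covering a single host.

```python
import re

# Scripts Chad lists as dependencies of plugin 19402: smb_hotfixes.nasl
# (13855) and the scripts it depends on in turn.
REQUIRED = ["smb_hotfixes.nasl", "netbios_name_get.nasl", "smb_login.nasl",
            "smb_registry_full_access.nasl", "smb_reg_service_pack.nasl",
            "smb_reg_service_pack_W2K.nasl", "smb_reg_service_pack_XP.nasl"]

# Constructed sample, wrapped the way a mail client wraps pasted log text.
SAMPLE_LOG = """\
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl
against hostname.ourdomain.com [12412] [Wed Aug 24 14:26:11 2005][12409]
netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds [Wed
Aug 24 14:26:11 2005][12409] user nessususer : launching smb_login.nasl against
hostname.ourdomain.com [12413] [Wed Aug 24 14:26:11 2005][12409] user nessususer :
Not launching smb_kb899588.nasl against hostname.ourdomain.com because the key
SMB/Registry/Enumerated is missing (this is not an error)
"""

STAMP = re.compile(r"(?=\[\w{3} \w{3} \d{1,2} [\d:]{8} \d{4}\]\[\d+\])")
SKIP = re.compile(r"Not launching (\S+) against \S+ because the key (\S+) is missing")
LAUNCH = re.compile(r"launching (\S+) against \S+ \[\d+\]")
DONE = re.compile(r"\] (\S+) \(process \d+\) finished its job")

def entries(raw):
    """Undo line wrapping: collapse whitespace, then split at each timestamp."""
    flat = " ".join(raw.split())
    return [e.strip() for e in STAMP.split(flat) if e.strip()]

def audit(raw, required=REQUIRED):
    """Map script name -> finished | launched | skipped:<KB key> | absent."""
    status = {}
    for entry in entries(raw):
        if m := SKIP.search(entry):        # test first: it also contains "launching"
            status[m.group(1)] = "skipped:" + m.group(2)
        elif m := LAUNCH.search(entry):
            status[m.group(1)] = "launched"
        elif m := DONE.search(entry):
            status[m.group(1)] = "finished"
    for name in required:
        status.setdefault(name, "absent")  # never mentioned: probably not enabled
    return status

def blockers(raw, required=REQUIRED):
    """Required scripts that did not run to completion, with their state."""
    status = audit(raw, required)
    return {name: status[name] for name in required if status[name] != "finished"}

if __name__ == "__main__":
    for name, state in blockers(SAMPLE_LOG).items():
        print(f"{name}: {state}")
```

A script reported as "absent" was never scheduled, which points at the plugin selection in the rc file rather than at the target.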
