RE: plugin 19402

I got it to work by adding a SMB login/password to the NessusWX client plugin 
configuration. Until I did that I did not see if the machine was not patched.

Hope this helps -
Glenn


-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org]On Behalf Of Mark Natoli
Sent: Wednesday, August 24, 2005 3:24 PM
To: nessus@list.nessus.org
Subject: RE: plugin 19402 


Hi,

  I added the port scanner nmap.nasl (14259) but this only appended a tcp
scan to the report, it didn't find the vulnerability.
  I also tried recreating the .nessusrc by launching the gui and then
deleting all but 19408 rather then relying on the file that was created
update-nessusrc and modified manually. This also failed it identify the
vulnerability.
  I'm using the a linux server and client on same machine and I
successfully scan for sasser, dcom, etc. using this method but I can't
get PNP (19408 or 19402) to work.
  Is anyone else successful in getting the same results from Retina's
scanner as they are from nessus for MS05-039? If so can you please share
your .nessusrc file.

Thanks,
-Mark

On Wed, 24 Aug 2005, Chad I. Uretsky wrote:

> What Nessus port scanners are you using and what ports are you scanning for?
> You might try setting specific ports (i.e. 139, 445) for the port scanner(s)
> to make sure Nessus sees the necessary ports.
>
> Are you running your Nessus scan from a Windows client?  Or from a *nix/BSD
> command line?
>
> Chad
>
>
> -----Original Message-----
> From: Mark Natoli [mailto:natoli@syrres.com]
> Sent: Wednesday, August 24, 2005 1:26 PM
> To: nessus@list.nessus.org
> Cc: Chad I. Uretsky
> Subject: RE: plugin 19402
>
>
> Hi,
>
>   I have setup a test W2K server machine with no service packs or patches.
> Eeye retina UMPN scanner shows it vulnerable.
>   I ran a nessus report for only 19408 with auto_enable_dependencies=yes. It
> returned this:
>
> SUMMARY
>
>  - Number of hosts which were alive during the test : 0
>  - Number of security holes found : 0
>  - Number of security warnings found : 0
>  - Number of security notes found : 0
>
> > From the log:
> [Wed Aug 24 14:26:06 2005][12400] user nessususer : testing
> hostname.ourdomain.com (192.168.21.154) [12409] [Wed Aug 24 14:26:06
> 2005][12409] user nessususer : launching find_service.nes against
> hostname.ourdomain.com [12410] [Wed Aug 24 14:26:06 2005][12409]
> find_service.nes (process 12410) finished its job in 0.117 seconds [Wed Aug
> 24 14:26:06 2005][12409] user nessususer : launching cifs445.nasl against
> hostname.ourdomain.com [12411] [Wed Aug 24 14:26:06 2005][12409]
> cifs445.nasl (process 12411) finished its job in 0.143 seconds [Wed Aug 24
> 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl
> against hostname.ourdomain.com [12412] [Wed Aug 24 14:26:11 2005][12409]
> netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds [Wed
> Aug 24 14:26:11 2005][12409] user nessususer : launching
> smb_nativelanman.nasl against hostname.ourdomain.com [12413] [Wed Aug 24
> 14:26:11 2005][12409] smb_nativelanman.nasl (process 12413) finished its job
> in 0.079 seconds [Wed Aug 24 14:26:11 2005][12409] user nessususer :
> launching smb_kb899588.nasl against hostname.ourdomain.com [12414] [Wed Aug
> 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job
> in 0.007 seconds [Wed Aug 24 14:26:11 2005][12409] Finished testing
> hostname.ourdomain.com.
> Time: 5.47 secs
> [Wed Aug 24 14:26:11 2005][12400] user nessususer : test complete
>
>
> On Wed, 24 Aug 2005, Chad I. Uretsky wrote:
>
> > Hi Mark,
> >
> > What is the OS on the machine that is "known to be vulnerable"?
> > MS05-039 is not exploitable without credentials on any Win OS except
> > 2000.  Also, since you don't normally use auto_enable_dependencies,
> > you may not be getting the other SMB scripts that need to run in order
> > for 19408 to work (I haven't tested 19402 - it requires administrative
> > priveleges on the machine it is run against).
> >
> > As far as the nessusrc, it gets multiple yes'es added if if has not
> > yet been updated for new plugins which have been downloaded, as it
> > adds the numbers for those plugins to the rc file and then turns them
> > on.  You can write a very simple perl script to turn on only the
> > plugins you want.  What I do (right now) is update my plugins, then
> > launch a scan against a single host and wait for the rc file to get
> > updated.  Then, I break the scan and run my perl script against the rc
> > file to turn on only those plugins that I want. Of course, you could
> > just backup your rc file, run a scan against a single host, then
> > replace the new rc with your backed-up copy.  There are obviously
> > several ways around this problem.
> >
> > With the dependencies, just to be sure, you might try manually
> > enabling plugin 13855 (smb_hotfixes.nasl), which 19402 is dependent on
> > to set the SMB/Registry/Enumerated key.  You might try turning on
> > "log_whole_attack" and see if you notice Nessus launching 13855
> > (smb_hotfixes.nasl) and if it appears to complete successfully.  It
> > also is dependent upon several plugins (another reason to use
> > auto_enable dependencies).  These dependencies are:
> >
> > netbios_name_get.nasl
> > smb_login.nasl
> > smb_registry_full_access.nasl
> > smb_reg_service_pack.nasl
> > smb_reg_service_pack_W2K.nasl
> > smb_reg_service_pack_XP.nasl
> >
> > So you might want to make sure they are enabled, as well as any of
> > their dependencies (if you do not wish to use
> > auto_enable_dependencies).
> >
> > Regards,
> > Chad Uretsky
> >
> >
> >
> > -----Original Message-----
> > From: nessus-bounces@list.nessus.org
> > [mailto:nessus-bounces@list.nessus.org]
> > On Behalf Of Mark Natoli
> > Sent: Wednesday, August 24, 2005 9:29 AM
> > To: nessus@list.nessus.org
> > Subject: plugin 19402
> >
> >
> > Hi All,
> >
> >   Using a combination of update-nessusrc and scripts run from cron, I
> > have automated the daily scanning of multiple networks for
> > vulnerabilites that have known worms. However I cannot get the new
> > 19402 (nor 19408) to test positive for a machine known to be vulerbable to
> MS05-039.
> >   Here is a line from the log:
> > [Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching
> > smb_kb899588.nasl against hostname1.ourdomain.com because the key
> > SMB/Registry/Enumerated is missing (this is not an error)
> >
> >   Does anyone have a plugin that works?
> >
> >   Also, after upgrading to 2.2.5 from 2.0.x, I had to make the
> > .nessusrc read only to the owner of the script running cron. Without
> > doing this, the .nessusrc is opened when the script is run and
> > multiple yes'es are added to plugin's slowing down the report even
> > though I don't have any dependencies
> > specified:  auto_enable_dependencies = no  silent_dependencies = no
> >
> >   Any help?
> >
> >   btw, I also tried enabling dependencies to get 19402 to work but
> > this made no difference to me.
> >
> > Thanks,
> > -Mark
> >
> >
> > _______________________________________________
> > Nessus mailing list
> > Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus