
Nessus not honoring nessusrc settings (Plugin 19762)

Subject: Nessus not honoring nessusrc settings (Plugin 19762)
Date: Fri, 23 Sep 2005 10:32:54 -0700 (PDT)
Hello All,

I previously ran a handful of nessus sessions last night, saving
the knowledge base entries across a bunch of systems.  Using the
system with the oldest plugin feed, I copied all the kbs files into
the appropriate directory and was hoping to create one large HTML
file from the output.  nessus was run as follows:

nessus -x -V -T html -c nessusrc -q somehost 1241 nessus god hostfile all.html

I was making the assumption that nessusd shouldn't need to fire any
plugins since all of them were current in the kbs.  To be sure, I
kicked up tcpdump to watch traffic.  Here are my kb_* entries:

 save_knowledge_base = yes
 kb_restore = yes
 only_test_hosts_whose_kb_we_dont_have = no
 only_test_hosts_whose_kb_we_have = yes
 kb_dont_replay_scanners = yes
 kb_dont_replay_info_gathering = yes
 kb_dont_replay_attacks = yes
 kb_dont_replay_denials = yes
 kb_max_age = 864000

So, it would seem to me that if it's in the kbs file, no old
plugins would be rerun.  This was not the case.  The TCP port
scanner, an snmp plugin, and one sending 23/tcp traffic were all
fired.

nessusd nicely made a backup of the kbs file, which I diffed. Most,
if not all, of the Settings plugins [1] were rerun, it seems. The
original nessusrc file used had these enabled, which were
subsequently disabled (contact offline, too big for the list).  I
also disabled such things as auto_enable_dependencies.

Once they were all explicitly disabled, I still had snmp traffic
going to the target network.  It seems plugin 19762 [2] caused
this.  The remaining plugins that still ran are here [3].  The big
issue is why nessusd is rerunning a plugin that is explicitly
disabled and already has results. (Unless I missed something in the
nessusrc file which is totally within the realm of possibilities.)

Any ideas on how to not have nessus rerun these or disable them in
the nessusrc?

Jon

[1]
+1127488371 3 Launched/10180=1  ping            settings
-1127426573 3 Launched/10180=1
+1127488371 3 Launched/10308=1  cgibin in KB    settings
-1127426579 3 Launched/10308=1
+1127488371 3 Launched/10870=1  login conf      settings
-1127426579 3 Launched/10870=1
+1127488371 3 Launched/10889=1  nids eva        settings
-1127426579 3 Launched/10889=1
+1127488371 3 Launched/10890=1  http nids       settings
-1127426580 3 Launched/10890=1
+1127488371 3 Launched/10917=1  smb scope       settings
-1127426579 3 Launched/10917=1
+1127488371 3 Launched/11038=1  smtp settings   settings
-1127426579 3 Launched/11038=1
+1127488371 3 Launched/11933=1  don't sc prt    settings
-1127426579 3 Launched/11933=1
+1127488371 3 Launched/12241=1  don't prt       settings
-1127426579 3 Launched/12241=1
+1127488371 3 Launched/12288=1  glob vars       settings
-1127426579 3 Launched/12288=1
+1127488363 3 Launched/14273=1  ssh sett        settings
-1127488075 3 Launched/14273=1
+1127488371 3 Launched/17351=1  kerb sett       settings
-1127426579 3 Launched/17351=1
+1127488363 3 Launched/19762=1  snmp sett       settings
-1127488075 3 Launched/19762=1

[2] http://www.nessus.org/plugins/index.php?view=viewsrc&id=19762

[3]
+1127491324 3 Launched/10870=1
-1127426579 3 Launched/10870=1
+1127491325 3 Launched/10917=1
-1127426579 3 Launched/10917=1
+1127491325 3 Launched/11038=1
-1127426579 3 Launched/11038=1
+1127491324 3 Launched/12288=1
-1127426579 3 Launched/12288=1
+1127491325 3 Launched/14273=1
-1127426563 3 Launched/14273=1
+1127491325 3 Launched/17351=1
-1127426579 3 Launched/17351=1
+1127491324 3 Launched/19762=1
-1127426563 3 Launched/19762=1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
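
The check described in the message above (comparing the kbs file with the backup nessusd made), as an added example that is not part of the original post or of Nessus itself. It assumes the KB line layout visible in the diff, `<epoch> <type> <name>=<value>`; the sample KB text is constructed from timestamps quoted in the post, and the `Example/item` line is a made-up placeholder.

```python
import re
from datetime import datetime, timezone

# KB line layout as it appears in the post's diff: "<epoch> <type> <name>=<value>"
KB_LINE = re.compile(r"^(\d+)\s+(\d+)\s+([^=\s]+)=(.*)$")

def launched_times(kb_text):
    """Map plugin id -> newest epoch of its Launched/<id> entry."""
    times = {}
    for line in kb_text.splitlines():
        m = KB_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        epoch, _type, name, _value = m.groups()
        prefix, _, pid = name.partition("/")
        if prefix == "Launched" and pid.isdigit():
            times[int(pid)] = max(int(epoch), times.get(int(pid), 0))
    return times

def relaunched(backup_kb, current_kb):
    """Return (plugin_id, old_epoch, new_epoch) for every plugin whose
    Launched entry is new, or newer than in the backup KB."""
    old, new = launched_times(backup_kb), launched_times(current_kb)
    return [(pid, old.get(pid), new[pid])
            for pid in sorted(new)
            if pid not in old or new[pid] > old[pid]]

def utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

# Constructed sample: backup KB vs. KB after the report-only run.
BACKUP = """\
1127426573 3 Launched/10180=1
1127426579 3 Launched/10870=1
1127426563 3 Launched/19762=1
1127426573 1 Example/item=value
"""
CURRENT = """\
1127426573 3 Launched/10180=1
1127491324 3 Launched/10870=1
1127491324 3 Launched/19762=1
1127426573 1 Example/item=value
"""

if __name__ == "__main__":
    for pid, before, after in relaunched(BACKUP, CURRENT):
        was = utc(before) if before else "never"
        print(f"plugin {pid} relaunched: {was} -> {utc(after)}")
```

An empty result means no plugin was launched again during the run; any row is a plugin that fired despite the kb_dont_replay_* settings.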
