
Traces in Logs Activity

Subject: Traces in Logs Activity
Date: Wed, 15 Feb 2006 14:58:22 +0100 (MET)
Hello,

We've found some traces in our logs showing some kind of scanning activity
that looks like it is coming from Nessus. But as it does not match much with the
log traces that our own scannings generate, we'd like to know if the
following is a feasible log pattern for a Nessus scan (these relate to
Windows logs), and if possible the particulars of it (version, plugins
used...):

Many anonymous network sessions are initiated, all with a 576 event, no
username, no domain and no workstation. These do not begin with a login
event (528, 540) but directly with a privilege assignation event (576).

In the following, each line is a set of events related by the same user session ID.

- One network login failure for user "administrator"
- Followed by one network login failure for a user named "nessusN(X)" where
"N(X)" means X random-like decimal digits where X has been 26 one time and
29 some others.
- 8 anonymous sessions (no username, no domain, no workstation) immediately
closed.
- Another anonymous session that looks up IDs and reads password parameters
on the local machine's SAM
- One anonymous session immediately closed
- Anonymous session that reads the members of local group 00000227
- 4 more anonymous sessions that close immediately
- Anonymous enumeration of services in the system
- 1 immediately closed anonymous session
- Anonymous read of members of local group 00000220
- Login failure for user "xN(9)", no domain and no workstation
- Login failure for user "x", no domain and no workstation
- Login failure for user "eN(9)", no domain and no workstation
- Login failure for user "e", no domain and no workstation
- 5 anonymous sessions immediately closed
- Anonymous lookup of IDs followed by read of data for user 000001F4
(administrator)
- Anonymous lookup of user 000001F5 (Guest)
- Anonymous read of members in group 000003E8
- Anonymous read of data for user 000003EA
- Anonymous read of data for user 000003EE
- 2 anonymous lookups of IDs followed by read of data for user 000003ED,
followed by 42 lookups of IDs
- Anonymous read of data for users 000001F5 (Guest), 000003E8 and 000003EA,
followed by one ID lookup and another read of data for user 000003ED and
000003EE.
- One anonymous session immediately closed
- 3 ID lookups followed by read of data for user 000003ED followed by 42 ID
lookups
- Read of data for user 000001F5 (Guest) again, followed by one ID lookup
- 6 anonymous sessions immediately closed

Our own Nessus scannings, apart from performing different actions, show
other significant differences:

- The user nessusN(X) in our scans has far fewer digits appended (15)
- Our scans test users with common names and both in the domain of the
target and in "WORKGROUP" but not in an empty domain, or names like "x" or
"e". Also, the only user that gets digits appended is "nessus".
- They initiate anonymous network sessions with 540 events.
- They include in the session opening event the workstation IP.
- There are not so many anonymous sessions initiated and closed immediately
without further actions logged.

Timings and the fact that the exact same pattern appears in several systems
lead us to think of some automated tool, and possibly Nessus as it's one of
the user names tested, but those differences leave us in doubt.

Thanks in advance.

Mara "Luna"

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
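As an added example (not code from the post or from Nessus itself), a small Python triage script that checks the two distinguishing traits Mara describes against constructed sample events: sessions that open with a 576 and never show a 528/540 logon, and failed logons with an empty domain and workstation whose user name is "nessus" plus 26 or more digits or a single letter plus 0 or 9 digits, so that the poster's own 15-digit scans with a domain and workstation drop out. Event ids 529 (logon failure) and 538 (logoff) and the field names are assumptions, not quoted from the post.

```python
import re
from collections import OrderedDict

# Constructed sample (not real logs). Pre-Vista Windows security event ids: 528/540 = logon,
# 576 = special privileges assigned, 529 = logon failure (assumed), 538 = logoff (assumed).
SAMPLE_EVENTS = [
    {"id": 576, "session": "0x1A", "user": "", "domain": "", "workstation": ""},
    {"id": 538, "session": "0x1A", "user": "", "domain": "", "workstation": ""},
    {"id": 540, "session": "0x2B", "user": "ANONYMOUS LOGON", "domain": "NT AUTHORITY", "workstation": "192.0.2.10"},
    {"id": 576, "session": "0x2B", "user": "ANONYMOUS LOGON", "domain": "NT AUTHORITY", "workstation": "192.0.2.10"},
    {"id": 529, "session": "", "user": "administrator", "domain": "", "workstation": ""},
    {"id": 529, "session": "", "user": "nessus12345678901234567890123456", "domain": "", "workstation": ""},
    {"id": 529, "session": "", "user": "nessus123456789012345", "domain": "WORKGROUP", "workstation": "192.0.2.10"},
    {"id": 529, "session": "", "user": "x123456789", "domain": "", "workstation": ""},
    {"id": 529, "session": "", "user": "e", "domain": "", "workstation": ""},
]

LOGON_IDS = {528, 540}
PRIV_ID, FAIL_ID = 576, 529
# Split a probed user name into its alphabetic base and the digits appended to it.
PROBE_NAME = re.compile(r"^(?P<base>[a-z]+?)(?P<digits>\d*)$", re.I)

def sessions_without_logon_event(events):
    """Session ids whose first event is a 576 and that never show a 528/540:
    the 'privilege assignment without a login event' shape the post describes."""
    first_seen, has_logon = OrderedDict(), set()
    for ev in events:
        sid = ev["session"]
        if not sid:
            continue  # logon failures carry no session id in this sample
        first_seen.setdefault(sid, ev["id"])
        if ev["id"] in LOGON_IDS:
            has_logon.add(sid)
    return [s for s, first in first_seen.items()
            if first == PRIV_ID and s not in has_logon]

def classify_failed_logons(events):
    """(base name, appended digit count, bare) per 529; bare = empty domain and workstation."""
    out = []
    for ev in events:
        m = PROBE_NAME.match(ev["user"]) if ev["id"] == FAIL_ID else None
        if m:
            bare = ev["domain"] == "" and ev["workstation"] == ""
            out.append((m.group("base").lower(), len(m.group("digits")), bare))
    return out

def suspicious_failed_logons(events):
    """Bare failures for 'nessus' with 26+ digits, or a single letter with 0 or 9 digits."""
    return [(b, n) for b, n, bare in classify_failed_logons(events)
            if bare and ((b == "nessus" and n >= 26) or (len(b) == 1 and n in (0, 9)))]
```

Run over a real export, the 576-only sessions and the bare single-letter probes are the two traits worth alerting on, since the poster's own scans produce neither.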
