
| Subject: | Re: Nessus plugins update failure |
|---|---|
| Date: | Thu, 23 Nov 2006 15:41:52 +0530 |
Hi,
Looking at [..path]/nessus/logs/nessusd.messages is sometimes better than
verbose option.
Warm Regards
Nitin Shingari
nvshingari@ipolicynetworks.com
-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of
nessus-request@list.nessus.org
Sent: Monday, November 20, 2006 10:30 PM
To: nessus@list.nessus.org
Subject: Nessus Digest, Vol 37, Issue 18
Send Nessus mailing list submissions to
nessus@list.nessus.org
To subscribe or unsubscribe via the World Wide Web, visit
http://mail.nessus.org/mailman/listinfo/nessus
or, via email, send a message with subject or body 'help' to
nessus-request@list.nessus.org
You can reach the person managing the list at
nessus-owner@list.nessus.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Nessus digest..."
Today's Topics:
1. Re: Nessus plugins update failure (Ferdy Riphagen)
2. Nessus Scans host without any plugins and port scanners
selected. (tech tech)
3. Application Fingerprinting & Reporting (Asthana, Vishal)
4. Re: Relating CVE IDs in Nessus Plugins (Shingari, Nitin V.)
5. Re: Need assistance in testing Nessus (George A. Theall)
6. Plugin ID : 10930 Question (jfvanmeter@comcast.net)
7. Re: Export/Import Policies with Nessus Windows (George A. Theall)
8. Re: losing configuration (listening interface) when updating
Nessus3 (Renaud Deraison)
9. Re: Nessusd 3.0.3 not updating every 24 hours (George A. Theall)
10. Re: Application Fingerprinting & Reporting (Doug Nordwall)
11. Re: Nessus plugins update failure (George A. Theall)
----------------------------------------------------------------------
Message: 1
Date: Sun, 19 Nov 2006 18:51:11 +0100
From: Ferdy Riphagen <f.riphagen@nsec.nl>
Subject: Re: Nessus plugins update failure
To: nessus@list.nessus.org
Message-ID: <4560998F.4070702@nsec.nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
try running it as ./nessus-update-plugins -vv (or sh -x
nessus-update-plugins) to see more info on possible errors.
--Ferdy--
BCC wrote:
Currently running Nessus 2.2.8 Whenever I try updating the plugins by running sh nessus-update-plugins I get the error error Something went wrong when installing the plugins - uncompressing the plugins archive failed. Is there a solution to this problem which seems to be prevalent with users other than those who have the 3.0 subscription version of nessus?
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
------------------------------
Message: 2
Date: Mon, 20 Nov 2006 04:48:09 +0000 (GMT)
From: tech tech <techgroupmails@yahoo.com>
Subject: Nessus Scans host without any plugins and port scanners
selected.
To: nessus@list.nessus.org
Message-ID: <20061120044809.51779.qmail@web58616.mail.re3.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
hi..
Nessus: Version 3.0.3
OS: linux
Nessus Client: NessusWX 1.4.5
The problem is that nessus scans host even if any of
the plugins.. port scanners are not selected..
i disabled all the options, disabled all port scanners
as well as plugins. even then scan gets complete and
showing all the vulnerabilities.
What could be the problem..
Thanks
------------------------------
Message: 3
Date: Mon, 20 Nov 2006 11:51:54 +0530
From: "Asthana, Vishal" <vasthana@ipolicynetworks.com>
Subject: Application Fingerprinting & Reporting
To: <nessus@list.nessus.org>
Message-ID:
<D269C7CBDF116A48982D4DC51F111BE3026D9E62@nsezhpmail01.india.ipolicynet.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
Is there any Nessus plugin that helps report Application names and
versions e.g. Internet Explorer, Yahoo, Firefox etc? There are
Application DETECTION plugins for the same but the post-scan operation
does not report the specific Application installed. It only reports FTP
Server, Web Server, Oracle Listener etc.
I have already referred to the following old threads and ensured that
find_service.nes was part of the scan.
http://mail.nessus.org/mailman/htdig/nessus/2004-February/msg00302.html
http://mail.nessus.org/mailman/htdig/nessus/2004-February/msg00218.html
I have also tried using Nmap scanner instead of the Nessus TCP scanner
with the same results.
http://www.nessus.org/documentation/index.php?doc=nmap-usage
Any pointers would be helpful.
Thanks
Vishal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mail.nessus.org/pipermail/nessus/attachments/20061120/f2fae9cd/attachment.html
------------------------------
Message: 4
Date: Mon, 20 Nov 2006 16:53:31 +0530
From: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Subject: Re: Relating CVE IDs in Nessus Plugins
To: <nessus@list.nessus.org>
Message-ID:
<D269C7CBDF116A48982D4DC51F111BE3022F351B@nsezhpmail01.india.ipolicynet.com>
Content-Type: text/plain; charset=US-ASCII
Hi George,
Coincidently there is only One such plug-in.
Namely: smb_nt_ms04-011.nasl
Warm Regards
Nitin Shingari
nvshingari@ipolicynetworks.com
-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of
nessus-request@list.nessus.org
Sent: Tuesday, November 14, 2006 10:30 PM
To: nessus@list.nessus.org
Subject: Nessus Digest, Vol 37, Issue 12
Today's Topics:
1. Nessus 3 logging.. (Paul Hanson)
2. any news on profilesRe: Plugin 16192 (Darko Gavrilovic)
3. flash install left part of old version behind (Bob Babcock)
4. Re: flash install left part of old version behind
(George A. Theall)
5. ms msde sql database server version detected incorrectly
(Ward Taylor)
6. False negatives? (felix lin)
7. Relating CVE IDs in Nessus Plugins (Shingari, Nitin V.)
8. Re: False negatives? (George A. Theall)
9. Re: Nessus 3 logging.. (George A. Theall)
10. Re: Information about this scan (George A. Theall)
11. Re: Relating CVE IDs in Nessus Plugins (George A. Theall)
12. Inconsistent results for VNC (Bob Babcock)
13. Re: Inconsistent results for VNC (Michel Arboi)
14. Re: Inconsistent results for VNC (Michel Arboi)
----------------------------------------------------------------------
Message: 1
Date: Mon, 13 Nov 2006 10:40:16 -0600
From: "Paul Hanson" <phanson@us.checkpoint.com>
Subject: Nessus 3 logging..
To: <nessus@list.nessus.org>
Message-ID: <004501c70742$66869340$7292e4d8@ad.checkpoint.com>
Content-Type: text/plain; charset="us-ascii"
Does nessus 3.0 allow for logging of results directly into a MySql
database?
I know various clients support this, but does the server or nessusd
support this? It would definitely be nice to fire off cron jobs for
scheduled tests and then mine a mysql database for reports.
Thanks,
Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mail.nessus.org/pipermail/nessus/attachments/20061113/8cd6cbd2/attachment.html
------------------------------
Message: 2
Date: Mon, 13 Nov 2006 14:13:09 -0500
From: Darko Gavrilovic <darko.gavrilovic@utoronto.ca>
Subject: any news on profilesRe: Plugin 16192
Cc: nessus@list.nessus.org
Message-ID: <4558C3C5.5070404@utoronto.ca>
Content-Type: text/plain; charset=ISO-8859-1
Hi, I snooped through the list archives and web site. Can't seem to
see an update on the profiles questions? Are profiles implemented? Will
they be?
What I would like to do is save plugin combinations with which to scan
hosts. The goal of this is to reduce the length of the reports and make
it a little more presentable to non-techs.
cheers,
dg
------------------------------
Message: 3
Date: Mon, 13 Nov 2006 15:24:58 -0500 (EST)
From: Bob Babcock <rbabcock@cfa.harvard.edu>
Subject: flash install left part of old version behind
To: nessus@list.nessus.org
Message-ID: <200611132024.kADKOwXc028005@cfa0.cfa.harvard.edu>
Scanning a win/xp machine with Windows Nessus, plugin 11952 says the flash
version is older than 7.0.19.0, but Shavlik says the version is 7.0.68.0.
Looking closer, I find
flash7a.ocx 7.0.68.0
flash.ocx 6.0.79.0
in \windows\system32\macromed\flash. Looks like the install of version 7
didn't remove all of version 6 and the plugin is seeing the old version.
(I modified the plugin to display the version number and got 6.0.79.0.)
The registry entry at
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion says
7,0,68,0. Unless there's some way the old, vulnerable flash can be
triggered, I think the plugin should ignore the old file.
------------------------------
Message: 4
Date: Mon, 13 Nov 2006 17:17:07 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: flash install left part of old version behind
To: nessus@list.nessus.org
Message-ID: <4558EEE3.5030102@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Mon, Nov 13, 2006 at 03:24:58PM -0500, Bob Babcock wrote:
Scanning a win/xp machine with Windows Nessus, plugin 11952 says the flash version is older than 7.0.19.0, but Shavlik says the version is 7.0.68.0.
Looking closer, I find flash7a.ocx 7.0.68.0 flash.ocx 6.0.79.0 in \windows\system32\macromed\flash.
Thanks, I modified plugin #11952, which handles detection, to check for flash7a.ocx before flash.ocx; that should correct this issue. The change should be available via nessus-update-plugins later tonight.
George
--
theall@tenablesecurity.com
------------------------------
Message: 5
Date: Mon, 13 Nov 2006 16:58:57 -0600
From: Ward Taylor <wardtayl@st-tel.net>
Subject: ms msde sql database server version detected incorrectly
To: nessus@list.nessus.org
Message-ID: <4558F8B1.8070403@st-tel.net>
Content-Type: text/plain; charset=ISO-8859-1
Hi
I find that plugin 11217 incorrectly identifies our msde databases as
being version 8.00.2039 when a "select @@version" on the server returns
8.00.2187. 2187 is the version that it should be with sp4 and hotfix
KB916287 applied. This is on a box with windows xp sp2, and also one with
windows 2000 server, same patches, same report from nessus.
Thanks a lot
------------------------------
Message: 6
Date: Mon, 13 Nov 2006 11:35:02 -0600
From: "felix lin" <rastapong2@gmail.com>
Subject: False negatives?
To: <nessus@list.nessus.org>
Message-ID: <005e01c7074a$0d5c8510$a5962fd8@felixbox>
Content-Type: text/plain; charset="us-ascii"
Running Nessus 3.0.0 on Fedora Core 4. It was working fine, but recently
started giving false negatives. Specifically, it will only report
vulnerabilities for 11890 (Messenger Service). Using NessusWX client,
which is telling me that it is scanning more than that port on each host.
Anybody else seen this before?
felix lin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mail.nessus.org/pipermail/nessus/attachments/20061113/9e8c05f6/attachment.htm
------------------------------
Message: 7
Date: Tue, 14 Nov 2006 11:11:18 +0530
From: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Subject: Relating CVE IDs in Nessus Plugins
To: <nessus@list.nessus.org>
Cc: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Message-ID:
<D269C7CBDF116A48982D4DC51F111BE3022F3510@nsezhpmail01.india.ipolicynet.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
In Nessus plug-ins CVE IDs are written in script_cve_id (...).
In some plug-ins few CVE IDs are mentioned with IF conditions like:
if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
Can we relate CVE ID with the plug-in if it's mentioned in IF condition
but not in script_cve_id tag?
To make my question clearer, below is the small section of a plug-in:
------------------------------------------------------------------------
#
# (C) Tenable Network Security
#
if(description)
{
 script_id(12205);
 script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
 script_cve_id(
   "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909", "CVE-2003-0910",
   "CVE-2004-0117", "CVE-2004-0118", "CVE-2004-0119", "CVE-2004-0121");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0719");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0806");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0906");
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2004-A-0006");
 script_version("$Revision: 1.17 $");
------------------------------------------------------------------------
In the above script "CVE-2003-0533", "CVE-2003-0663"... are not mentioned
in script_cve_id(...) so can we relate these CVE IDs with the plug-in?
Warm Regards
Nitin Shingari
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mail.nessus.org/pipermail/nessus/attachments/20061114/bc8dbca0/attachment.htm
------------------------------
Message: 8
Date: Tue, 14 Nov 2006 08:44:30 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: False negatives?
To: nessus@list.nessus.org
Message-ID: <4559C83E.7090101@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Mon, Nov 13, 2006 at 11:35:02AM -0600, felix lin wrote:
Running Nessus 3.0.0 on Fedora Core 4. It was working fine, but recently started giving false negatives.
Do you know when the change occurred? What if anything changed in the Nessus environment (eg, plugin updates, scan configs)? Have you looked at Nessus' logs and/or KBs for the affected hosts to see if they contain any clues?
Specifically, it will only report vulnerabilities for 11890 (Messenger Service). Using NessusWX client, which is telling me that it is scanning more than that port on
each host.
Have you verified that the remote hosts are still running additional services that Nessus should pick up? Is the scanned running afoul of any sort of IPS? Have you done a packet capture while running a scan to see what traffic is being exchanged?
George
--
theall@tenablesecurity.com
------------------------------
Message: 9
Date: Tue, 14 Nov 2006 09:29:14 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Nessus 3 logging..
To: nessus@list.nessus.org
Message-ID: <4559D2BA.8060405@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Mon, Nov 13, 2006 at 10:40:16AM -0600, Paul Hanson wrote:
Does nessus 3.0 allow for logging of results directly into a MySql database?
No.
I know various clients support this, but does the server or nessusd support this? It would definitely be nice to fire off cron jobs for scheduled tests and then mine a mysql database for reports.
NessusWX can output results to a MySQL database, but that runs on Windows and its support of commandline usage is lacking. The Unix clients can generate SQL statements for the list of plugins on a server as well as preferences but not results to a database. You could look into saving results from the Unix commandline client as, say, NBE, and then using that to populate your database. Inprotect, http://www.inprotect.com/, is an open-source solution that reportedly uses this approach. Or you could go with Security Center, http://www.tenablesecurity.com/products/sc.shtml, a commercial product from Tenable.
George
--
theall@tenablesecurity.com
------------------------------
Message: 10
Date: Tue, 14 Nov 2006 10:00:49 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Information about this scan
To: Nessus@list.nessus.org
Message-ID: <4559DA21.7050305@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
On Sat, Nov 11, 2006 at 05:41:20PM +0100, p.0155 wrote:
Hello everyone, I'm using the latest version of Nessus on Linux (Fedora 5) and WindowsXP.
"Latest version" is confusing... there are currently two branches of Nessus, 2.2.x and 3.x, and I wouldn't be surprised if the latest packaged version of Nessus for FC5 is not necessarily the same as what we make available.
Sometimes my reports displays "Information about this scan" and sometimes this information is missing, even if I use the same configuration, the same target, the same Nessus server and the same Nessus client. Can anybody tell me why?
Do you have KB saving enabled? If so, you may want to look at the various associated settings.
George
--
theall@tenablesecurity.com
------------------------------
Message: 11
Date: Tue, 14 Nov 2006 10:29:02 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Relating CVE IDs in Nessus Plugins
To: nessus@list.nessus.org
Message-ID: <4559E0BE.1060309@tenablesecurity.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
On Tue, Nov 14, 2006 at 11:11:18AM +0530, Shingari, Nitin V. wrote:
In Nessus plug-ins CVE IDs are written in script_cve_id (...).
In some plug-ins few CVE IDs are mentioned with IF conditions like:
*if(defined_func("script_xref"))script_xref(name:"CVE",
value:"CVE-2003-0533");*
*if(defined_func("script_xref"))script_xref(name:"CVE",
value:"CVE-2003-0663");*
Can we relate *CVE ID *with the plug-in if it's mentioned in IF
condition but not in *script_cve_id* tag?
Yes. Older versions of Nessus (pre 2.2.x, I believe) had issues if there
were more than 8 ids in a call to script_cve_id(). So if a plugin
corresponded to more than that, additional ones would be added using
script_xref(). The report should still list all [unless you're running
with a version of Nessus that didn't support script_xref(), which is the
reason for the 'if(defined_func("script_xref"))'].
I'll adjust this particular plugin shortly to collect all the CVE ids
together since no one should be using Nessus 2.0 any longer. If you're
aware of any similar plugins, let me know please.
George
--
theall@tenablesecurity.com
------------------------------
Message: 12
Date: Tue, 14 Nov 2006 11:14:00 -0500 (EST)
From: Bob Babcock <rbabcock@cfa.harvard.edu>
Subject: Inconsistent results for VNC
To: nessus@list.nessus.org
Message-ID: <200611141614.kAEGE0mx004120@cfa0.cfa.harvard.edu>
I'm getting inconsistent results scanning with plugin 19288 (VNC security
types). Scanning the same machines, I sometimes get:
The remote VNC server chose security type #0 (Invalid)
Any user can connect to it without authentication, and thus take
control of this machine.
and other times get:
The remote VNC server chose security type #2 (VNC authentication)
I'm scanning with Windows Nessus 3.0.4 build W306. Target machines are
Win/2K or Win/XP with RealVNC 3.3.7. I can make VNC connections to the
target machines using a password, and if I try to clear the password with
this version of VNC, it says it won't accept connections with no password.
I think I always get security type #0 for localhost.
------------------------------
Message: 13
Date: Tue, 14 Nov 2006 17:46:14 +0100
From: Michel Arboi <mikhail@nessus.org>
Subject: Re: Inconsistent results for VNC
To: rbabcock@cfa.harvard.edu
Cc: nessus@list.nessus.org
Message-ID: <m3u012nfhl.fsf@kissmedeadly.afraid.org>
Content-Type: text/plain; charset="us-ascii"
On Tue Nov 14 2006 at 17:14, Bob Babcock wrote:
The remote VNC server chose security type #0 (Invalid) Any user can connect to it without authentication, and thus take control of this machine. and other times get:
[snip]
Try applying this patch (or wait for a while and run nessus-update-plugins). The script should be more robust.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/x-patch
Size: 527 bytes
Desc: not available
Url : http://mail.nessus.org/pipermail/nessus/attachments/20061114/550bca9f/attachment.bin
------------------------------
Message: 14
Date: Tue, 14 Nov 2006 17:58:59 +0100
From: Michel Arboi <mikhail@nessus.org>
Subject: Re: Inconsistent results for VNC
To: rbabcock@cfa.harvard.edu
Cc: nessus@list.nessus.org
Message-ID: <m3lkmenewc.fsf@kissmedeadly.afraid.org>
Content-Type: text/plain; charset=us-ascii
On Tue Nov 14 2006 at 17:46, Michel Arboi wrote:
Try applying this patch
Oops. Forget it, I read the code too quickly. No, the script was fine. Security type 0 does not exist and should not be returned by a VNC server. This is odd. If possible, sniff the traffic...
------------------------------
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
End of Nessus Digest, Vol 37, Issue 12
**************************************
------------------------------
Message: 5
Date: Mon, 20 Nov 2006 09:03:47 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Need assistance in testing Nessus
To: nessus@list.nessus.org
Message-ID: <4561B5C3.8010503@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Fri, Nov 17, 2006 at 02:29:03PM -0800, Christina Davis wrote:
We have downloaded and installed the free version of Nessus 3 for Windows to test in our environment. It looks like it would be a useful tool for audit purposes. We are able to run port scans, but not retrieve windows user information using the Windows: user management plug in family. We were wondering if this is only available with the subscription, or are we missing something here..
Nessus 3 for Windows is distributed with checks in the "Windows : User management" family. Even if you don't have a registered / direct feed, you can still use them. As Tim Doty already mentioned, make sure you provide credentials to log on to Windows machines remotely. With the Windows server, you do this by first adding a new policy and then editing the settings for credentials as discussed in our white paper here:
http://www.nessus.org/documentation/nessus_credential_checks.pdf
Btw, note that while you can technically continue to use the download, you will not get any updates / new plugins that we write unless you register or purchase a direct feed. And our compliance checks are only available to direct feed customers.
George
--
theall@tenablesecurity.com
------------------------------
Message: 6
Date: Mon, 20 Nov 2006 14:55:09 +0000
From: jfvanmeter@comcast.net
Subject: Plugin ID : 10930 Question
To: nessus@list.nessus.org (Nessus)
Message-ID:
<112020061455.16678.4561C1CD00043EAA0000412622058863609D0A9B0A03020E900006@comcast.net>
Hello everyone
I have some concerns with a scan of a Windows 2003 SP1 Server running McAfee ePolicy Orchestrator client 3.5.5.438 the version of Nessus used is 3.0.3 Build W334 with plug ins update today (Nov 20). I receive the following hole reported in both an administrative and a non administrative scan (8081/tcp)
It was possible to freeze or reboot Windows by reading a MS/DOS device through HTTP, using a file name like CON\CON, AUX.htm or AUX.
A cracker may use this flaw to make your system crash continuously, preventing you from working properly.
Solution: upgrade your system or use a HTTP server that filters those names out.
Risk Factor : High
CVE : CVE-2001-0386, CVE-2001-0493, CVE-2001-0391, CVE-2001-0558, CVE-2002-0200, CVE-2000-0168, CVE-2003-0016, CVE-2001-0602
BID : 1043, 2575, 2608, 2622, 2649, 2704, 3929, 6659, 6662
Plugin ID : 10930
It looks like plug in 10930 tries to enumerate a Apache < 2.0.44
CVE-2003-0016 - Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems
Can anyone show/point me to a way that I can verify this manually? I believe this is a false positive, but I believe ePolicy Orchestrator using some version of Apache I would like to find out. The server doesn't crash continuously
Telnet shows
HTTP/1.0
Server: Agent-ListenServer-HttpSvr/1.0
Date: Mon, 20 Nov 2006 12:54:16 GMT
Thanks in advance
--John
------------------------------
Message: 7
Date: Mon, 20 Nov 2006 10:29:38 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Export/Import Policies with Nessus Windows
To: nessus@list.nessus.org
Message-ID: <4561C9E2.20008@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Wed, Nov 15, 2006 at 04:39:04PM -0500, Steve_Mullen@dai.com wrote:
I am running Nessus Windows 3.0.4 Build W306 installed on a Windows XP workstation. I am planning to install Nessus Windows on a Windows 2003 Server and would like to export/import the policies I've created. Is there a way to do that?
Policies that you've created are stored in 'C:\Documents and
Settings\Administrator\Tenable\Nessus\config', with file type '.conf'.
You can copy them from one Windows server to another without any issues.
George
--
theall@tenablesecurity.com
------------------------------
Message: 8
Date: Mon, 20 Nov 2006 16:32:02 +0100
From: Renaud Deraison <deraison@nessus.org>
Subject: Re: losing configuration (listening interface) when updating
Nessus3
To: Nessus List <nessus@list.nessus.org>
Message-ID: <C8027B76-FABE-43EB-8976-C1833AB00523@nessus.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Hi Martin,
On Nov 12, 2006, at 9:28 PM, Martin Mačok wrote:
I need to configure Nessus to listen only on loopback interface and the only way (afaik) to do it is editing nessusd startup script. Last time I upgraded from Nessus-3.0.2 to Nessus-3.0.4 I overlooked that the script was replaced and my Nessus server went accessible from the outside. I would like to be able to set listening interface and be sure that when Nessus is upgraded it keeps this configuration. Would it be possible to do at least one of the following?
[...] 3) adding nessusd.conf option that sets interface nessusd will listen on
We'll add this one in Nessus 3.0.5.
Thanks,
-- Renaud
------------------------------
Message: 9
Date: Mon, 20 Nov 2006 11:32:46 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Nessusd 3.0.3 not updating every 24 hours
To: nessus@list.nessus.org
Message-ID: <4561D8AE.6090007@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Fri, Nov 17, 2006 at 09:21:54AM -0500, Kelly, Jim wrote:
Nessusd 3.0.3 It is configured to update plugins every 24 hours, but as you can see from November's logs it isn't:
[Wed Nov 1 08:46:53 2006][10796] nessusd-update: started. Will update plugins every 24 hours
[Sun Nov 5 04:37:32 2006][12934] nessusd-update: started. Will update plugins every 24 hours
...
Now I'm not sure what, if anything, I should be looking for in nessusd.dump. Can anyone tell me what could be causing this?
Was nessusd running during this time? [For example, what do you see if
you grep nessusd.messages for "started"?] Do you see "nessusd-update" in
the list of running processes while nessusd itself is running?
George
--
theall@tenablesecurity.com
------------------------------
Message: 10
Date: Mon, 20 Nov 2006 08:44:31 -0800
From: "Doug Nordwall" <raleel@gmail.com>
Subject: Re: Application Fingerprinting & Reporting
To: "Asthana, Vishal" <vasthana@ipolicynetworks.com>
Cc: nessus@list.nessus.org
Message-ID:
<752305c00611200844q4b1b5bebm4dbd9e96293a3724@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Try using a credentialed check. Those will find local applications and tell
you versions. A non-credentialled check normally just hits the ports and can
often only tell version from the banners of externally listening
applications
On 11/19/06, Asthana, Vishal <vasthana@ipolicynetworks.com> wrote:
Hi,
Is there any Nessus plugin that helps report *Application names and versions* e.g. Internet Explorer, Yahoo, Firefox etc? There are Application *DETECTION* plugins for the same but the post-scan operation does not report the *specific Application installed*. It only reports FTP Server, Web Server, Oracle Listener etc.
I have already referred to the following old threads and ensured that *find_service.nes* was part of the scan.
http://mail.nessus.org/mailman/htdig/nessus/2004-February/msg00302.html
http://mail.nessus.org/mailman/htdig/nessus/2004-February/msg00218.html
I have also tried using *Nmap scanner* instead of the Nessus TCP scanner with the same results.
http://www.nessus.org/documentation/index.php?doc=nmap-usage
Any pointers would be helpful.
Thanks
Vishal
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
--
Doug Nordwall
Unix, Network, and Security Administrator
Noise proves nothing. Often a hen who has merely laid an egg cackles as if she laid an asteroid. -- Mark Twain
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://mail.nessus.org/pipermail/nessus/attachments/20061120/ca44fb8e/attachment.htm
------------------------------
Message: 11
Date: Mon, 20 Nov 2006 11:45:33 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Nessus plugins update failure
To: nessus@list.nessus.org
Message-ID: <4561DBAD.9070902@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Sun, Nov 19, 2006 at 11:18:15AM -0500, BCC wrote:
Currently running Nessus 2.2.8 Whenever I try updating the plugins by running sh nessus-update-plugins I get the error error Something went wrong when installing the plugins - uncompressing the plugins archive failed.
That error message suggests you have a version of Nessus older than 2.2.1 installed as well. Remove that or make sure you're calling the nessus-update-plugins script from 2.2.8.
George
--
theall@tenablesecurity.com
------------------------------
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
End of Nessus Digest, Vol 37, Issue 18
**************************************
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
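The exchange above about script_cve_id() and script_xref(name:"CVE", ...) implies that anyone mapping plugins to CVE IDs has to read both calls. The following Python sketch is an added example, not part of the original thread and not Tenable's code: the function names are hypothetical, the sample is the plugin excerpt quoted in the thread plus one constructed commented-out line, and the comment handling (`#` to end of line, backslash escapes only in single-quoted strings) is a simplifying assumption about NASL syntax.

```python
import re

# Plugin excerpt quoted in the thread (script_id 12205). The commented-out
# script_cve_id line is constructed here to exercise comment handling.
SAMPLE_NASL = r'''
#
# (C) Tenable Network Security
#
if(description)
{
 script_id(12205);
 script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
 # script_cve_id("CVE-0000-0000");   (constructed placeholder, must be ignored)
 script_cve_id(
   "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909", "CVE-2003-0910",
   "CVE-2004-0117", "CVE-2004-0118", "CVE-2004-0119", "CVE-2004-0121");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0719");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0806");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0906");
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2004-A-0006");
 script_version("$Revision: 1.17 $");
}
'''

# Per the thread: old Nessus versions had issues with more than 8 ids
# in a single script_cve_id() call.
LEGACY_MAX_IDS = 8

SCRIPT_ID = re.compile(r'\bscript_id\s*\(\s*(\d+)\s*\)')
CVE_ID_CALL = re.compile(r'\bscript_cve_id\s*\((.*?)\)', re.S)
XREF_CALL = re.compile(
    r'\bscript_xref\s*\(\s*name\s*:\s*"([^"]*)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')
CVE_ID = re.compile(r'CVE-\d{4}-\d{4,}')


def strip_comments(src):
    """Drop '#' comments that are outside string literals."""
    out, quote, i = [], None, 0
    while i < len(src):
        ch = src[i]
        if quote:
            out.append(ch)
            if ch == "\\" and quote == "'" and i + 1 < len(src):
                out.append(src[i + 1])  # keep the escaped character verbatim
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            out.append(ch)
        elif ch == "#":
            while i < len(src) and src[i] != "\n":
                i += 1
            continue  # the newline itself is handled on the next pass
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def _unique(items):
    """De-duplicate while preserving first-seen order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def cve_ids_for_plugin(src):
    """Collect CVE ids from script_cve_id() and from CVE-named script_xref()."""
    code = strip_comments(src)
    sid = SCRIPT_ID.search(code)
    primary = []
    for call in CVE_ID_CALL.finditer(code):
        primary += CVE_ID.findall(call.group(1))
    xref = [value for name, value in XREF_CALL.findall(code)
            if name.upper() == "CVE" and CVE_ID.fullmatch(value)]
    primary, xref = _unique(primary), _unique(xref)
    merged = _unique(primary + xref)
    return {
        "script_id": int(sid.group(1)) if sid else None,
        "script_cve_id": primary,
        "script_xref": xref,
        "xref_only": [c for c in xref if c not in primary],
        "all": merged,
        # True when one merged call would have exceeded the old limit,
        # i.e. the case where extra ids were moved to script_xref().
        "merged_exceeds_legacy_limit": len(merged) > LEGACY_MAX_IDS,
    }


if __name__ == "__main__":
    info = cve_ids_for_plugin(SAMPLE_NASL)
    print("plugin", info["script_id"], "maps to", len(info["all"]), "CVE ids")
    print("only reachable via script_xref():", ", ".join(info["xref_only"]))
```

A tool that reads only script_cve_id() would report 8 CVE IDs for this excerpt; reading both calls yields 13, and the IAVA cross-reference is correctly left out.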