
| Subject: | Re: nessus_test directory |
|---|---|
| Date: | Tue, 31 Jul 2007 16:03:54 -0400 |
On 07/31/07 14:48, Paul Rivers wrote:

> I was surprised today when I scanned a system that was open to anonymous FTP and found that an empty directory (nessus_test) was left behind on the target. Isn't this on the intrusive side?

Yes. In theory, this shouldn't happen as long as you have safe_checks enabled (the default). If you disable it, though, Nessus will let you launch plugins that make changes to the remote host, crash an application, or even the host itself.

> Shouldn't the plugin try to remove it?

Probably. Do you know if permissions on the target allow anonymous FTP users to delete directories / files?

> Was this done by a smtp plugin?

Probably not. Such plugins generally wouldn't be launched against an FTP server unless there was an issue with service identification or the FTP server was running on port 25.

> I guess my second question is - which plugins leave an empty directory behind?

I wonder about #10568. It creates a directory named "Nessus_test". While
it does try to remove it, it will exit without doing so if the FTP
server seems to have crashed.

If that isn't it, you may want to ensure that nessusd is configured to log
plugins as they're launched ("log_whole_attack = yes" in nessusd.conf),
make sure clocks on the Nessus server and target are synchronized, and
run another scan. Or sniff traffic to the FTP server while running a
scan and then use something like ngrep to see what exactly the plugin
is doing.

George
--
theall@tenablesecurity.com