Network Security Nessus-Users

Re: nessus-3.06 requires local admin privs to work?

Subject: Re: nessus-3.06 requires local admin privs to work?
Date: Tue, 19 Feb 2008 09:54:47 +0100

Hi Jason,


On Feb 19, 2008, at 8:39 AM, Jason Haar wrote:

Hi there

[reposted: last attempt blackholed after being delivered to 66.240.11.103]

We've been noticing Nessus incorrectly reporting a tonne of Windows
vulnerabilities on our fully patched XP workstations, and I've figured
out why.

It appears nessus now requires that you run it using a local admin
account to get the correct results, as a whole bunch of tests now
involve looking at the version numbers of DLL files, etc - something
that has to be done via connecting to the admin$ share.

e.g. we are seeing most (but not all) of our fully patched XP-SP2 machines showing up as not being patched against ms03-024 (i.e. 11787). If I re-run the scan using an account that has local admin privs, these "hits" disappear.

There are two ways to look for the presence of a given Microsoft patch: either check in the registry that the patch has been applied, or look at the version of the DLL itself.

Looking at the registry used to be a reliable way of checking for patches, but it's increasingly becoming less and less of an option: some 3rd party patch deployment tools apparently do not create the proper registry entries when applying a patch; there are/were some problematic patches in the past where the registry entry would be created, then the patch would make sure it can be applied and then it would be applied (so if the host is missing a requisite, the registry entry would be there but the patch would not be deployed); and starting with Windows Vista, Microsoft dropped support for getting patches from the registry altogether, and this is something I assume will also be true for Windows Server 2008.

In fact, for a while Microsoft recommended checking the version of the DLLs themselves to make sure that a patch is applied.


So, whenever possible, Nessus does both: it looks at the DLL itself if it's granted the proper credentials, or it looks at the registry entry if it does not have enough privileges to read ADMIN$. In the future, I would not be surprised if it only checked for the version of the DLLs on disk (some patch deployments are already solely checked by looking at files on disk, as there is no option to check for them in the registry).


So you should discuss your policy between your infosec and netops teams and make sure that infosec has an account with the proper privileges -- being able to *properly* audit your hosts is definitely a SOX requirement.



                                        -- Renaud


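The two checks Renaud describes, written out as an added PowerShell example (not Nessus code and not part of the original thread). The KB number, the DLL path under ADMIN$ and the minimum fixed file version are placeholders; for a real bulletin they must be taken from the Microsoft advisory. The point it shows is the one from the thread: without rights to read ADMIN$ the file check cannot run, so the result must be reported as unknown (or registry-only) rather than as a missing patch.

```powershell
# Added example: audit one Microsoft patch both ways (registry record and DLL
# version on disk). All identifiers below are placeholders, not from the page.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$KB           = 'KB000000',              # placeholder hotfix id
    [string]$DllRelPath   = 'System32\example.dll',  # placeholder, relative to \\host\ADMIN$ (%SystemRoot%)
    [version]$FixedVersion = '5.1.2600.0'            # placeholder: lowest file version that contains the fix
)

# Check 1: the installed-hotfix record. This is the fallback when ADMIN$ cannot be
# read. A record proves only that an installer wrote it, not that the binaries
# on disk were replaced (the failure modes Renaud lists).
function Test-RegistryRecord {
    try {
        $hf = Get-HotFix -Id $KB -ComputerName $ComputerName -ErrorAction Stop
        return [bool]$hf
    } catch {
        return $false   # no record, or the remote query was refused
    }
}

# Check 2: the version of the DLL itself, read through the administrative share.
# Requires an account that can read \\host\ADMIN$; an unreadable file is
# 'Unknown', never 'Missing', which is exactly the false positive from the thread.
function Test-FileVersion {
    $path = "\\$ComputerName\ADMIN$\$DllRelPath"
    if (-not (Test-Path -LiteralPath $path)) { return 'Unknown' }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    $onDisk = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                        $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($onDisk -ge $FixedVersion) { return 'Patched' } else { return 'Missing' }
}

# Combine: the file check is authoritative when it could run; otherwise fall
# back to the registry record and say so in the verdict.
function Get-PatchVerdict {
    $byFile = Test-FileVersion
    switch ($byFile) {
        'Patched' { return 'Patched (file version at or above fix level)' }
        'Missing' { return 'Missing (file version below fix level)' }
        default {
            if (Test-RegistryRecord) { return 'Probably patched (registry record only; ADMIN$ not readable)' }
            return 'Unknown (no registry record and ADMIN$ not readable)'
        }
    }
}

'{0}: {1} -> {2}' -f $ComputerName, $KB, (Get-PatchVerdict)
```

Run it once with the ordinary scanning account and once with a local-admin account against the same host; a verdict that changes from "Unknown" to "Patched" is the privilege gap, not a missing patch.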

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
