OK, I have cut down the plugins on both 1.0.x and 1.2.x to the bare minimum needed to reproduce the problem and then run nessus from two different systems against my test OS/2 system. I have output from both from

tcpdump -l host os2.system -s 2048 -n -x

and can see that on 1.0 we get back a 1132 byte packet in response to the query (1024 bytes param data, 108 bytes data data) and on 1.2.6 we get back a 102 byte packet containing no data! The offending packet is a response to a request we send with SMB Command = 0x25 and it appears identical except for

Tree ID    = 18432 (1.2.6)        Tree ID    = 20480 (1.0.10)
UID        = 57344 (1.2.6)        UID        = 18432 (1.0.10)
MaxDataCnt = 65504 (1.2.6)        MaxDataCnt = 65535 (1.0.10)
Data       = 0x0100e0ff (1.2.6)   Data       = 0x0100ffff (1.0.10)

Of course the problem may be earlier in the conversation, I'm not able to tell that with my level of knowledge of the protocol. bzipped tcpdump output from both runs totals 27KB, available to those able to help in debugging this.

-----Original Message-----
From: Michael Scheidell [mailto:[EMAIL PROTECTED]]
Sent: Tue 12/3/2002 8:57 PM
To: Hemsley, Trevor
Cc: [EMAIL PROTECTED]
Subject: Re: smb_enum_shares broken between 1.0.10 and 1.2.6

> Hi
>
> I'm in the middle of migrating from nessus 1.0.10 to 1.2.6 and I notice that
> smb_enum_shares.nasl (plugin id 10395) seems to have broken between the two releases.
> More specifically, it appears to not work when scanning OS/2 machines - OK I know
> they're fairly rare nowadays but... On 1.0.10 I get
>
> Here is the list of SMB shares of this host:
> IPC$ - Remote IPC
> ADMIN$ - Remote Admin
> CDROM -
>
> On 1.2.6 I get
>
> Here is the list of the SMB shares of this host:
> Warning: Only 215 out of 12336 shares enumerated

yep, I am the one who may have made those changes, or maybe it's the general new smb stuff that is in smb_nt.inc. (if problem in smb_nt.inc, look to Renaud)

I don't know what to tell you, except that you might need some massive packet traces just to figure out what is happening. Based on what you show there, it looks like OS2 sends back a malformed (not CIFS?) packet.

wondering if we can put back in the 'if(o2s) do something strange?

> Before I start to debug this I thought I'd ask on the list to see if the author(s) of this plugin might know why this happens.

12336 seems to be a decimal representation of 0x3030 or two ascii zeros!

>
> Trevor
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
>

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/
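The field values quoted in the thread can be checked without the traces themselves. The following is an added example (mine, not code from the thread, from Nessus or from the smb_enum_shares plugin) that decodes the two 4-byte "Data" values Trevor lists and the two numbers from the 1.2.6 warning. It assumes, which the thread does not state, that the "Data" bytes are the trailing parameter words of a RAP NetShareEnum request (a 16-bit info level followed by a 16-bit receive-buffer size, little-endian as everywhere in SMB); the byte values and counts are transcribed from the message as constructed inputs.

```python
import struct

# Constructed inputs, transcribed from the field values quoted in the thread.
# The captured tcpdump output itself is not on the page.
DATA_1_2_6 = bytes.fromhex("0100e0ff")    # "Data = 0x0100e0ff (1.2.6)"
DATA_1_0_10 = bytes.fromhex("0100ffff")   # "Data = 0x0100ffff (1.0.10)"
MAX_DATA_CNT = {"1.2.6": 65504, "1.0.10": 65535}
SHARES_WARNING = (215, 12336)             # "Only 215 out of 12336 shares enumerated"


def decode_share_enum_params(blob: bytes) -> dict:
    """Decode the two trailing parameter words of a RAP NetShareEnum request.

    Assumption (not stated in the thread): the four 'Data' bytes are
    <InfoLevel:WORD><ReceiveBufferSize:WORD>, little-endian.
    """
    if len(blob) != 4:
        raise ValueError("expected exactly 4 parameter bytes")
    level, recv_size = struct.unpack("<HH", blob)
    return {"info_level": level, "recv_buffer_size": recv_size}


def buffer_size_matches_max_data_count(blob: bytes, max_data_count: int) -> bool:
    """True when the receive-buffer word repeats the SMB header's MaxDataCount."""
    return decode_share_enum_params(blob)["recv_buffer_size"] == max_data_count


def explain_count(value: int) -> dict:
    """Show a 16-bit count as the little-endian bytes it was parsed from and,
    when both bytes are printable, as ASCII text.  A count that decodes to
    readable characters was probably text misread as a number."""
    raw = struct.pack("<H", value)
    printable = all(0x20 <= b < 0x7F for b in raw)
    return {
        "decimal": value,
        "hex": f"0x{value:04x}",
        "bytes": raw,
        "ascii": raw.decode("ascii") if printable else None,
    }


def compare_runs() -> dict:
    """Side-by-side decode of the two requests quoted in the thread."""
    return {
        version: {
            **decode_share_enum_params(blob),
            "matches_max_data_count": buffer_size_matches_max_data_count(
                blob, MAX_DATA_CNT[version]
            ),
        }
        for version, blob in (("1.2.6", DATA_1_2_6), ("1.0.10", DATA_1_0_10))
    }


if __name__ == "__main__":
    for version, info in compare_runs().items():
        print(version, info)
    for n in SHARES_WARNING:
        print(explain_count(n))
```

Under that assumption both requests carry info level 1, and the only difference in the parameter words is the receive-buffer size, which in each run equals the MaxDataCnt value from the same request; the Tree ID and UID differences are session-assigned values. For the warning, 12336 decodes to the bytes 0x30 0x30, which is the "two ascii zeros" reading given in the thread, while 215 does not decode to printable text.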
