Hello,
I have noticed that even if I have performed the operations described on the web
site to the page "http://www.nessus.org/documentation.html"; ("Nessus scanning on
Windows Domain" and "Configuring your Windows domain for Nessus") continuous not
to succeed in accessing the registers of system of Windows 2000 Server SP3, in
fact I have developed a plugin taking some parts of code from the smb_nt.inc to
test in what point of accessing to the registers it fails and I have effected of
the tests on Windows 2000 Profetional SP4 and SP3, Windows 2000 Server SP3 and
WindowsXP Profetional.
The code of the plugin is the following:
#
if(description)
{
script_id(999999);
script_version("$Revision: 1.1 $");
name["english"] = "TESTING access to registry of Windows";
script_name(english:name["english"]);
desc["english"] = "Redirect output to nessus.dump";
script_description(english:desc["english"]);
summary["english"] = "Checks the version of Windows for testing the access to
system registry";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"Adragna Girolamo");
family["english"] = "Windows";
script_family(english:family["english"]);
script_dependencies("netbios_name_get.nasl",
"smb_login.nasl","smb_registry_full_access.nasl",
"smb_reg_service_pack_XP.nasl",
"smb_reg_service_pack_W2K.nasl");
script_require_keys("SMB/name", "SMB/login", "SMB/password",
"SMB/registry_full_access","SMB/WindowsVersion");
script_exclude_keys("SMB/Win2003/ServicePack");
script_require_ports(139, 445);
exit(0);
}
include("smb_nt.inc");
port = get_kb_item("SMB/transport");
if(!port)port = 139;
################################
display("\n\n************************INIZIO**************************");
display("\n\n port_smb_from_kb: ",port);
################################
if ( get_kb_item("SMB/samba") ) exit(0);
################################
display("\n step2");
################################
###############################################################################################
item = "CurrentVersion";
key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion";
name = kb_smb_name();
################################
display("\n name: ",name);
################################
if(!name)exit(0);
_smb_port = kb_smb_transport();
################################
display("\n _smb_port =",_smb_port);
################################
if(!_smb_port)exit(0);
if(!get_port_state(_smb_port))exit(0);
################################
display("\n step3");
################################
login = kb_smb_login();
pass = kb_smb_password();
################################
display("\n login= ",login);
display("\n pass= ",pass);
################################
domain = kb_smb_domain();
################################
display("\n domain= ",domain);
################################
if(!login)login = "";
if(!pass) pass = "";
soc = open_sock_tcp(_smb_port);
################################
display("\n soc open");
################################
if(!soc)exit(0);
################################
display("\n soc ok");
################################
#
# Request the session
#
r = smb_session_request(soc:soc, remote:name);
if(!r) { close(soc); exit(0); }
################################
display("\n Request the session OK");
################################
#
# Negociate the protocol
#
prot = smb_neg_prot(soc:soc);
if(!prot){ close(soc); exit(0); }
################################
display("\n Negociate the protocol OK");
################################
#
# Set up our session
#
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
prot:prot);
if(!r){ close(soc); exit(0); }
################################
display("\n Set up our session OK");
################################
# and extract our uid
uid = session_extract_uid(reply:r);
################################
display("\n extract our uid OK");
################################
#
# Connect to the remote IPC and extract the TID
# we are attributed
#
r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
################################
display("\n Connect to the remote IPC OK");
################################
# and extract our tree id
tid = tconx_extract_tid(reply:r);
if(!tid){ close(soc); exit(0); }
################################
display("\n extract our tree id OK");
################################
#
# Create a pipe to \winreg
#
r = smbntcreatex(soc:soc, uid:uid, tid:tid);
if(!r){ close(soc); exit(0);}
################################
display("\n Create a pipe to winreg OK");
################################
# and extract its ID
pipe = smbntcreatex_extract_pipe(reply:r);
################################
display("\n extract its ID OK");
################################
#
# Setup things
#
r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
if(!r){ close(soc); exit(0); }
################################
display("\n step4");
################################
r = registry_access_step_1(soc:soc, uid:uid, tid:tid, pipe:pipe);
r2 = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:r);
if(r2)
{
r3 = registry_get_item_sz(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item,
reply:r2);
value = registry_decode_sz(data:r3);
################################
display("\n access OK, value key= ",value);
################################
close(soc);
}
################################
display("\n access KO, value r2= ",r2);
################################
this plugin doesn't return any Hole, Warning or Info because its output is sent
on the file nessus.dump.
The test on the Windows 2000 Profetional SP4 - SP3 and Windows XP Profetional
are ending with success, instead on Windows 2000 Server SP3 didn't succeed.
The dumps that I have drawn following the tests is the followings:
Windows 2000 Server SP3:
************************INIZIO**************************
port_smb_from_kb: 445
step2
name: *SMBSERVER
_smb_port =445
step3
login= nessus_iuser
pass= test
domain= WORKGROUP
soc open
soc ok
Request the session OK
Negociate the protocol OK
Set up our session OK
extract our uid OK
Connect to the remote IPC OK
There would be very thankful if someone could give me some suggestion.
Thanks for the attention.
Adragna Girolamo
PS. I have used the smb_nt.inc $Revision: 1.55 $
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
