----- Original Message -----
From: "George A. Theall" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 07, 2005 4:21 PM
Subject: Re: Nessus wx-1.4.5a communication protocol tracer password revelation
On Mon, Mar 07, 2005 at 07:56:50PM +0000, A J Hammond wrote:
> Has anyone else noticed that if you use the communication protocol tracer in NessusWX then it reveals the usernames and passwords for all login accounts including SSH and SMB even though these are all obfuscated in the client?
It's because the plugins ultimately need them to be unencrypted in order to make use of them.
I suppose an enhancement would be to add support for encrypting selected data using the server's public key and having nessusd decrypt them before passing the data to the plugins.
George
--
[EMAIL PROTECTED]
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
