Hello,
this test seems to produce lots of false positives. It seems to report (at least) all XP and 2003 hosts that can be scanned (because the firewall is disabled), even if they have the security update installed. I also saw one machine that is definitely an NT host. According to the Microsoft Bulletin (MS05-019) these hosts should not be affected. It also reports Linux hosts running Samba ...
I am attaching my (new) config below. Any idea how to make this actually work?
Thanks,
Michael
trusted_ca = /usr/com/nessus/CA/cacert.pem
nessusd_host = localhost
nessusd_user = xxx
paranoia_level = 3
begin(SCANNER_SET)
 Nmap tcp connect() scan = no
 nmap = no
 10180 = yes
 10277 = no
 10278 = no
 10331 = no
 10335 = yes # Nessus TCP Port Scan
 10841 = no
 10336 = no # NMAP Port Scan
 10796 = no
 11219 = no # Nessus SYN Port Scan
 11840 = yes
 14259 = no
 14274 = no
 14272 = no
end(SCANNER_SET)

begin(SERVER_PREFS)
 port_range = 135,137,139,445,2103
 max_threads = 50
 language = english
 checks_read_timeout = 5
 auto_enable_dependencies = no
 save_session = no
 save_empty_sessions = no
 host_expansion = ip
 ping_hosts = yes
 reverse_lookup = no
 optimize_test = yes
 safe_checks = yes
 use_mac_addr = no
 detached_scan = no
 continuous_scan = no
 unscanned_closed = no
 save_knowledge_base = no
 only_test_hosts_whose_kb_we_dont_have = no
 only_test_hosts_whose_kb_we_have = no
 kb_restore = no
 kb_dont_replay_scanners = no
 kb_dont_replay_info_gathering = no
 kb_dont_replay_attacks = no
 kb_dont_replay_denials = no
 diff_scan = no
 kb_max_age = 864000
 log_whole_attack = yes
end(SERVER_PREFS)

begin(SERVER_INFO)
 server_info_nessusd_version = 2.2.2
 server_info_libnasl_version = 2.2.2
 server_info_libnessus_version = 2.2.2
 server_info_thread_manager = fork
 server_info_os = Linux
 server_info_os_version = 2.4.21-27.0.2.ELsmp
end(SERVER_INFO)

begin(RULES)
end(RULES)

begin(PLUGIN_SET)
 10785 = yes
 10150 = yes
 11011 = yes
 12209 = yes
 12213 = yes
 18027 = yes
 18028 = yes
 # other plugins set to no
end(PLUGIN_SET)

begin(PLUGINS_PREFS)
 Login configurations[entry]:FTP account : = anonymous
 Login configurations[password]:FTP password (sent in clear) : = [EMAIL PROTECTED]
 Login configurations[entry]:FTP writeable directory : = /incoming
 Login configurations[checkbox]:Never send SMB credentials in clear text = yes
 Login configurations[checkbox]:Only use NTLMv2 = no
 Web mirroring[entry]:Number of pages to mirror : = 20
 Web mirroring[entry]:Start page : = /
 SMB use domain SID to enumerate users[entry]:Start UID : = 1000
 SMB use domain SID to enumerate users[entry]:End UID : = 1200
 SMTP settings[entry]:Third party domain : = example.com
 SMTP settings[entry]:From address : = [EMAIL PROTECTED]
 SMTP settings[entry]:To address : = [EMAIL PROTECTED]
 Services[entry]:Number of connections done in parallel : = 10
 Services[entry]:Network connection timeout : = 10
 Services[entry]:Network read/write timeout : = 5
 Services[entry]:Wrapped service read timeout : = 2
 Services[radio]:Test SSL based services = All
 Unknown CGIs arguments torture[checkbox]:Send POST requests = no
 ftp writeable directories[radio]:How to check if directories are writeable : = Trust the permissions (drwxrwx---)
 NIDS evasion[radio]:TCP evasion technique = none
 NIDS evasion[checkbox]:Send fake RST when establishing a TCP connection = no
 Brute force login (Hydra)[entry]:Number of simultaneous connections : = 4
 Brute force login (Hydra)[checkbox]:Brute force telnet = no
 Brute force login (Hydra)[checkbox]:Brute force FTP = no
 Brute force login (Hydra)[checkbox]:Brute force POP3 = no
 Brute force login (Hydra)[checkbox]:Brute force IMAP = no
 Brute force login (Hydra)[checkbox]:Brute force cisco = no
 Brute force login (Hydra)[checkbox]:Brute force cisco-enable = no
 Brute force login (Hydra)[checkbox]:Brute force VNC = no
 Brute force login (Hydra)[checkbox]:Brute force SOCKS 5 = no
 Brute force login (Hydra)[checkbox]:Brute force rexec = no
 Brute force login (Hydra)[checkbox]:Brute force NNTP = no
 Brute force login (Hydra)[checkbox]:Brute force HTTP = no
 Brute force login (Hydra)[checkbox]:Brute force ICQ = no
 Brute force login (Hydra)[checkbox]:Brute force PCNFS = no
 Brute force login (Hydra)[checkbox]:Brute force SMB = no
 Brute force login (Hydra)[checkbox]:Brute force LDAP = no
 SMB Scope[checkbox]:Request information about the domain = yes
 Misc information on News server[entry]:From address : = Nessus <[EMAIL PROTECTED]>
 Misc information on News server[entry]:Test group name regex : = f[a-z]\.tests?
 Misc information on News server[entry]:Max crosspost : = 7
 Misc information on News server[checkbox]:Local distribution = yes
 Misc information on News server[checkbox]:No archive = no
 SMB use host SID to enumerate local users[entry]:Start UID : = 1000
 SMB use host SID to enumerate local users[entry]:End UID : = 1200
 HTTP login page[entry]:Login page : = /
 HTTP login page[entry]:Login form fields : = user=%USER%&pass=%PASS%
 HTTP NIDS evasion[checkbox]:Use HTTP HEAD instead of GET = no
 HTTP NIDS evasion[radio]:URL encoding = none
 HTTP NIDS evasion[radio]:Absolute URI type = none
 HTTP NIDS evasion[radio]:Absolute URI host = none
 HTTP NIDS evasion[checkbox]:Double slashes = no
 HTTP NIDS evasion[radio]:Reverse traversal = none
 HTTP NIDS evasion[checkbox]:Self-reference directories = no
 HTTP NIDS evasion[checkbox]:Premature request ending = no
 HTTP NIDS evasion[checkbox]:CGI.pm semicolon separator = no
 HTTP NIDS evasion[checkbox]:Parameter hiding = no
 HTTP NIDS evasion[checkbox]:Dos/Windows syntax = no
 HTTP NIDS evasion[checkbox]:Null method = no
 HTTP NIDS evasion[checkbox]:TAB separator = no
 HTTP NIDS evasion[checkbox]:HTTP/0.9 requests = no
 Libwhisker options[radio]:IDS evasion technique: = X (none)
 Ping the remote host[entry]:TCP ping destination port(s) : = built-in
 Ping the remote host[checkbox]:Do a TCP ping = no
 Ping the remote host[entry]:Number of retries (ICMP) : = 10
 Ping the remote host[checkbox]:Make the dead hosts appear in the report = no
 Ping the remote host[checkbox]:Log live hosts in the report = yes
 Nmap[radio]:TCP scanning technique : = connect()
 Nmap[checkbox]:UDP port scan = no
 Nmap[checkbox]:RPC port scan = no
 Nmap[checkbox]:Ping the remote host = no
 Nmap[checkbox]:Identify the remote OS = no
 Nmap[checkbox]:Use hidden option to identify the remote OS = no
 Nmap[checkbox]:Fragment IP packets (bypasses firewalls) = no
 Nmap[checkbox]:Get Identd info = no
 Nmap[radio]:Port range = User specified range
 Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes
 Nmap[entry]:Source port : = any
 Nmap[radio]:Timing policy : = Normal
 HTTP NIDS evasion[checkbox]:Random case sensitivity (Nikto only) = no
 Global variable settings[checkbox]:Enable experimental scripts = no
 Global variable settings[checkbox]:Thorough tests (slow) = no
 Global variable settings[radio]:Report verbosity = Normal
 Global variable settings[radio]:Log verbosity = Normal
 Global variable settings[entry]:Debug level = 0
 Nikto (NASL wrapper)[checkbox]:Force scan all possible CGI directories = no
 Nikto (NASL wrapper)[checkbox]:Force full (generic) scan = no
 Global variable settings[radio]:Report paranoia = Normal
 Netstat 'scanner'[checkbox]:Check found ports (intrusive) = no
 Nmap (NASL wrapper)[radio]:TCP scanning technique : = connect()
 Nmap (NASL wrapper)[checkbox]:UDP port scan = no
 Nmap (NASL wrapper)[checkbox]:Service scan = no
 Nmap (NASL wrapper)[checkbox]:RPC port scan = no
 Nmap (NASL wrapper)[checkbox]:Identify the remote OS = no
 Nmap (NASL wrapper)[checkbox]:Use hidden option to identify the remote OS = no
 Nmap (NASL wrapper)[checkbox]:Fragment IP packets (bypasses firewalls) = no
 Nmap (NASL wrapper)[checkbox]:Get Identd info = no
 Nmap (NASL wrapper)[checkbox]:Do not randomize the order in which ports are scanned = no
 Nmap (NASL wrapper)[radio]:Timing policy : = Auto (nessus specific!)
 SSH settings[entry]:SSH user name : = root
 Nmap (NASL wrapper)[checkbox]:Do not scan targets not in the file = no
 Global variable settings[radio]:Network type = Mixed (use RFC 1918)
 SSH settings[password]:SSH password (unsafe!) : =
 SSH settings[file]:SSH public key to use : =
 SSH settings[file]:SSH private key to use : =
 SSH settings[password]:Passphrase for SSH key : =
 HTTP NIDS evasion[entry]:HTTP User-Agent =
 HTTP NIDS evasion[entry]:Force protocol string : =
 HTTP login page[entry]:Login form : =
 Login configurations[entry]:HTTP account : =
 Login configurations[password]:HTTP password (sent in clear) : =
 Login configurations[entry]:NNTP account : =
 Login configurations[password]:NNTP password (sent in clear) : =
 Login configurations[entry]:POP2 account : =
 Login configurations[password]:POP2 password (sent in clear) : =
 Login configurations[entry]:POP3 account : =
 Login configurations[password]:POP3 password (sent in clear) : =
 Login configurations[entry]:IMAP account : =
 Login configurations[password]:IMAP password (sent in clear) : =
 Login configurations[entry]:SMB account : =
 Login configurations[password]:SMB password : =
 Login configurations[entry]:SMB domain (optional) : =
 Login configurations[entry]:SNMP community (sent in clear) : =
 Services[file]:SSL certificate : =
 Services[file]:SSL private key : =
 Services[password]:PEM password : =
 Services[file]:CA file : =
 Nmap (NASL wrapper)[entry]:Source port : =
 Nmap (NASL wrapper)[entry]:Host Timeout (ms) : =
 Nmap (NASL wrapper)[entry]:Min RTT Timeout (ms) : =
 Nmap (NASL wrapper)[entry]:Max RTT Timeout (ms) : =
 Nmap (NASL wrapper)[entry]:Initial RTT timeout (ms) : =
 Nmap (NASL wrapper)[entry]:Ports scanned in parallel (max) =
 Nmap (NASL wrapper)[entry]:Ports scanned in parallel (min) =
 Nmap (NASL wrapper)[entry]:Minimum wait between probes (ms) =
 Nmap (NASL wrapper)[file]:File containing grepable results : =
 Nmap (NASL wrapper)[entry]:Data length : =
end(PLUGINS_PREFS)
Nicolas Pouvesle wrote:
|
| On Apr 15, 2005, at 6:39 AM, Michael Redinger wrote:
|
|> Most of the clients are running German Windows versions. Does this
|> affect the check?
|
| It should not.
|
|> I had a quick look at the nasl files. I have not learned this scripting
|> language, but ...
|>
|> ... TCP/seq_window_flaw must be set for 18028, right? I therefore now
|> also set 12213 to yes (in addition to auto_enable_dependencies). But I
|> do not see any 12213 related log messages in the NBE output file. Should
|> there be any?
|
| Yes.
| You must set a portscan because this plugin relies on open ports. If you
| just scan Windows hosts you can only scan port 139 & 445.
|
|> ... 18027 seems to test port 2103, right? Why this port? It does not
|> seem to be open on my clients.
|
| It's an RPC port associated to Microsoft Message Queueing service. This
| service is not installed by default on Windows.
| This vulnerability can be exploited remotely but in most cases it cannot
| because the service is not present.
|
| Nicolas
|
| _______________________________________________
| Nessus mailing list
| [email protected]
| http://mail.nessus.org/mailman/listinfo/nessus
-- 
Michael Redinger
Zentraler Informatikdienst (Central IT Services)
Universitaet Innsbruck
Technikerstrasse 13, 6020 Innsbruck, Austria
Tel.: ++43 512 507 2335    Fax.: ++43 512 507 2944
Mail: [EMAIL PROTECTED]
BB98 D2FE 0F2C 2658 3780 3CB1 0FD7 A9D9 65C2 C11D
http://www.uibk.ac.at/~c102mr/mred-pubkey.asc
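An added example, not code from the mail or from Nessus: it parses the begin(SECTION)/end(SECTION) layout of the attached .nessusrc and checks the prerequisites Nicolas names for 18027/18028 (a port scanner enabled, 12213 on for 18028 either directly or via auto_enable_dependencies, and 139/445 plus 2103 in port_range). The sample config is constructed, and the set of port-scanner plugin ids is taken only from the comments in the config above.

```python
import re

# Constructed excerpt in the begin(SECTION)/end(SECTION) layout of the config above.
SAMPLE_CONFIG = """\
begin(SCANNER_SET)
10335 = yes # Nessus TCP Port Scan
end(SCANNER_SET)
begin(SERVER_PREFS)
port_range = 135,137,139,445,2103
auto_enable_dependencies = no
end(SERVER_PREFS)
begin(PLUGIN_SET)
12213 = no
18027 = yes
18028 = yes
end(PLUGIN_SET)
"""
PORT_SCANNERS = {"10335", "10336", "11219"}  # ids commented as port scanners in the config above


def parse_config(text):
    """Return {section: {key: value}}; '#' starts a comment, as in the attached config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"begin\((\w+)\)", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif re.fullmatch(r"end\(\w+\)", line):
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_ms05_019_prereqs(text):
    """List why 18027/18028 could stay silent, per the prerequisites in the reply."""
    cfg = parse_config(text)
    scanners, prefs, plugins = (cfg.get(s, {}) for s in ("SCANNER_SET", "SERVER_PREFS", "PLUGIN_SET"))
    ports, problems = {p.strip() for p in prefs.get("port_range", "").split(",")}, []
    if not any(scanners.get(p) == "yes" for p in PORT_SCANNERS):
        problems.append("no port scanner enabled")
    if plugins.get("18028") == "yes":
        # 18028 needs TCP/seq_window_flaw, set by 12213 (directly or via auto_enable_dependencies)
        if plugins.get("12213") != "yes" and prefs.get("auto_enable_dependencies") != "yes":
            problems.append("12213 disabled and auto_enable_dependencies off")
        if not ports & {"139", "445"}:
            problems.append("port_range lacks 139/445")
    if plugins.get("18027") == "yes" and "2103" not in ports:
        problems.append("port_range lacks 2103")
    return problems
```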
