Auto_enable_dependencies is set to yes (though that seems to have stopped working with 2.2.5). As well, I've made sure all of the dependent plugins are individually enabled (10150, 10785, 11011, and 12213). Plugin 10785 does record an entry stating that the operating system is Windows 2003, even when nessus fails to run smb_kb893066. Plugin 11011 records that the host is a CIFS server (port 445) and an SMB server (port 139). Plugin 10150 records NetBIOS names it found for the host. Here are the contents of the nbe output when 18028 doesn't work (I replaced the actual IP with all 0's):
timestamps|||scan_start|Thu Aug 4 19:26:23 2005|
timestamps||00.00.00.00|host_start|Thu Aug 4 19:26:23 2005|
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|11011|Security Note|A CIFS server is running on this port\n
results|00.00.00|00.00.00.00|netbios-ssn (139/tcp)|11011|Security Note|An SMB server is running on this port\n
results|00.00.00|00.00.00.00|netbios-ns (137/udp)|10150|Security Note|The following 4 NetBIOS names have been gathered :\n HOUTRUECTEST01 \n NETIQUS = Workgroup / Domain name\n HOUTRUECTEST01 = This is the computer name\n NETIQUS = Workgroup / Domain name (part of the Browser elections)\nThe remote host has the following MAC address on its adapter :\n 00:b0:d0:df:e3:ae\n\nIf you do not want to allow everyone to find the NetBios name\nof your computer, you should filter incoming traffic to this port.\n\nRisk factor : Low\nCVE : CAN-1999-0621\n
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|10785|Security Note|The remote native lan manager is : Windows Server 2003 5.2\nThe remote Operating System is : Windows Server 2003 3790\nThe remote SMB Domain Name is : NETIQUS\n\n
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|12054|Security Hole|\n The remote Windows host has a ASN.1 library which is vulnerable to a \nflaw which could allow an attacker to execute arbitrary code on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\nASN.1 encoded packet with improperly advertised lengths.\n\nThis particular check sent a malformed NTLM packet and determined that \nthe remote host is not patched.\n\nSolution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx\nRisk factor : High\nCVE : CAN-2003-0818\nBID : 9633, 9635, 9743, 13300\nOther references : IAVA:2004-A-0001\n
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|12209|Security Hole|\nThe remote host seems to be running a version of Microsoft OS \nwhich is vulnerable to several flaws, ranging from denial of service\nto remote code execution. Microsoft has released a Hotfix (KB835732)\nwhich addresses these issues.\n\nSolution : Install the Windows cumulative update from Microsoft\n\nSee also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx\n\nRisk factor : High\nOther references : IAVA:2004-A-0006\n
timestamps||00.00.00.00|host_end|Thu Aug 4 19:26:54 2005|
timestamps|||scan_end|Thu Aug 4 19:26:54 2005|

When it works, it does record the OS in the nbe file. I can give you nbe results for that as well, if you'd like.

Thanks.

Chad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Pouvesle
Sent: Thursday, August 04, 2005 5:21 PM
To: [email protected]
Subject: Re: (tcp_sql_window.nasl) id 12213 - inconsistant results

On Aug 4, 2005, at 2:48 PM, Chad I. Uretsky wrote:

> Strange. I can get tcp_seq_window.nasl to report a positive against my host
> and that it sets TCP/seq_window_flaw = 1, however, plugin 18028
> (smb_kb893066.nasl) apparently does not consistently recognize that
> tcp_seq_flaw has been set, as running a normal scan, 18028 will not launch
> against the same host because (as it says) TCP/seq_window_flaw is
> 'missing'.
>
> Any thoughts?

Did you enable plugin dependencies ?

Another thing: when the smb_kb893066.nasl works do you have another entry in the report like what the remote host has been fingerprinted as a Windows System ? And when smb_kb893066.nasl does not work, is the host fingerprinted as Windows ? or Nessus reports it is unable to identify the remote OS ? (I just think about a bug I forgot to fix in os detection plugin ;)

Thanks,

Nicolas

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
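
One way to compare the working and non-working NBE reports discussed in this thread, as an added example that is not part of the original messages: it parses NBE result records and lists which of the plugin ids named above left no record for a host, plus the OS string reported by plugin 10785. The sample input is constructed (abridged from the records quoted in the message) and the function names are illustrative; a missing record only means the plugin reported nothing, not necessarily that it did not run.

```python
from collections import defaultdict

# Plugin ids named in the thread (the dependencies plus smb_kb893066 itself).
EXPECTED = ("10150", "10785", "11011", "12213", "18028")
OS_PREFIX = "The remote Operating System is :"

# Constructed sample, abridged from the NBE records quoted in the message.
# Raw string: NBE stores line breaks inside a description as a literal \n.
SAMPLE_NBE = r"""timestamps|||scan_start|Thu Aug 4 19:26:23 2005|
timestamps||00.00.00.00|host_start|Thu Aug 4 19:26:23 2005|
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|11011|Security Note|A CIFS server is running on this port\n
results|00.00.00|00.00.00.00|netbios-ns (137/udp)|10150|Security Note|The following 4 NetBIOS names have been gathered :\n
results|00.00.00|00.00.00.00|microsoft-ds (445/tcp)|10785|Security Note|The remote native lan manager is : Windows Server 2003 5.2\nThe remote Operating System is : Windows Server 2003 3790\nThe remote SMB Domain Name is : NETIQUS\n\n
timestamps||00.00.00.00|host_end|Thu Aug 4 19:26:54 2005|
"""

def parse_nbe(text):
    """Return {host: {plugin_id: [(port, severity, description), ...]}}."""
    hosts = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split("|", 6)      # the description may contain '|'
        if fields[0] != "results" or len(fields) < 4:
            continue                     # timestamps and malformed rows
        plugins = hosts[fields[2]]       # register the host for short rows too
        if len(fields) < 7:
            continue                     # port-only row: no plugin id or text
        port, plugin_id, severity, desc = fields[3:7]
        plugins[plugin_id].append((port, severity, desc.replace("\\n", "\n").strip()))
    return hosts

def missing_plugins(text, expected=EXPECTED):
    """Map each scanned host to the expected plugin ids with no result record."""
    return {h: sorted(set(expected) - set(p)) for h, p in parse_nbe(text).items()}

def reported_os(text):
    """Map each host to the OS string found in plugin 10785 output, if any."""
    found = {}
    for host, plugins in parse_nbe(text).items():
        for _port, _severity, desc in plugins.get("10785", []):
            for row in desc.splitlines():
                if row.startswith(OS_PREFIX):
                    found[host] = row[len(OS_PREFIX):].strip()
    return found

if __name__ == "__main__":
    print(missing_plugins(SAMPLE_NBE))
    print(reported_os(SAMPLE_NBE))
```

Running the same two functions over the report from a scan where 18028 does launch shows which records differ between the two runs.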
