Hi, I have set up a test W2K server machine with no service packs or patches. eEye Retina UMPN scanner shows it vulnerable. I ran a Nessus report for only 19408 with auto_enable_dependencies=yes. It returned this:

SUMMARY
- Number of hosts which were alive during the test : 0
- Number of security holes found : 0
- Number of security warnings found : 0
- Number of security notes found : 0

From the log:
[Wed Aug 24 14:26:06 2005][12400] user nessususer : testing hostname.ourdomain.com (192.168.21.154) [12409]
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching find_service.nes against hostname.ourdomain.com [12410]
[Wed Aug 24 14:26:06 2005][12409] find_service.nes (process 12410) finished its job in 0.117 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching cifs445.nasl against hostname.ourdomain.com [12411]
[Wed Aug 24 14:26:06 2005][12409] cifs445.nasl (process 12411) finished its job in 0.143 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_nativelanman.nasl against hostname.ourdomain.com [12413]
[Wed Aug 24 14:26:11 2005][12409] smb_nativelanman.nasl (process 12413) finished its job in 0.079 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
[Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
[Wed Aug 24 14:26:11 2005][12409] Finished testing hostname.ourdomain.com. Time: 5.47 secs
[Wed Aug 24 14:26:11 2005][12400] user nessususer : test complete

On Wed, 24 Aug 2005, Chad I. Uretsky wrote:
> Hi Mark,
>
> What is the OS on the machine that is "known to be vulnerable"? MS05-039 is
> not exploitable without credentials on any Win OS except 2000.
> Also, since you don't normally use auto_enable_dependencies, you may not be
> getting the other SMB scripts that need to run in order for 19408 to work
> (I haven't tested 19402 - it requires administrative privileges on the
> machine it is run against).
>
> As far as the nessusrc, it gets multiple yes'es added if it has not yet been
> updated for new plugins which have been downloaded, as it adds the numbers
> for those plugins to the rc file and then turns them on. You can write a
> very simple perl script to turn on only the plugins you want. What I do
> (right now) is update my plugins, then launch a scan against a single host
> and wait for the rc file to get updated. Then, I break the scan and run my
> perl script against the rc file to turn on only those plugins that I want.
> Of course, you could just back up your rc file, run a scan against a single
> host, then replace the new rc with your backed-up copy. There are obviously
> several ways around this problem.
>
> With the dependencies, just to be sure, you might try manually enabling
> plugin 13855 (smb_hotfixes.nasl), which 19402 is dependent on to set the
> SMB/Registry/Enumerated key. You might try turning on "log_whole_attack"
> and see if you notice Nessus launching 13855 (smb_hotfixes.nasl) and if it
> appears to complete successfully. It also is dependent upon several plugins
> (another reason to use auto_enable dependencies). These dependencies are:
>
> netbios_name_get.nasl
> smb_login.nasl
> smb_registry_full_access.nasl
> smb_reg_service_pack.nasl
> smb_reg_service_pack_W2K.nasl
> smb_reg_service_pack_XP.nasl
>
> So you might want to make sure they are enabled, as well as any of their
> dependencies (if you do not wish to use auto_enable_dependencies).
>
> Regards,
> Chad Uretsky
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark Natoli
> Sent: Wednesday, August 24, 2005 9:29 AM
> To: [email protected]
> Subject: plugin 19402
>
> Hi All,
>
> Using a combination of update-nessusrc and scripts run from cron, I have
> automated the daily scanning of multiple networks for vulnerabilities that
> have known worms. However I cannot get the new 19402 (nor 19408) to test
> positive for a machine known to be vulnerable to MS05-039.
> Here is a line from the log:
> [Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching
> smb_kb899588.nasl against hostname1.ourdomain.com because the key
> SMB/Registry/Enumerated is missing (this is not an error)
>
> Does anyone have a plugin that works?
>
> Also, after upgrading to 2.2.5 from 2.0.x, I had to make the .nessusrc
> read only to the owner of the script running cron. Without doing this, the
> .nessusrc is opened when the script is run and multiple yes'es are added to
> plugins, slowing down the report even though I don't have any dependencies
> specified:
> auto_enable_dependencies = no
> silent_dependencies = no
>
> Any help?
>
> btw, I also tried enabling dependencies to get 19402 to work but this made
> no difference to me.
>
> Thanks,
> -Mark
>
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
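An added example, not part of the original thread and not Nessus code: a Python check over nessusd log lines in the format quoted above. It reports plugins that were skipped because a key was missing and which of the plugins named in Chad's reply were never launched. The sample log is constructed from lines quoted in the thread, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample, assembled from log lines quoted in this thread.
SAMPLE_LOG = """\
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching find_service.nes against hostname.ourdomain.com [12410]
[Wed Aug 24 14:26:06 2005][12409] find_service.nes (process 12410) finished its job in 0.117 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : Not launching smb_kb899588.nasl against hostname.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)
"""

# Plugin scripts named in the reply: smb_hotfixes.nasl plus the dependencies listed.
REQUIRED = [
    "smb_hotfixes.nasl", "netbios_name_get.nasl", "smb_login.nasl",
    "smb_registry_full_access.nasl", "smb_reg_service_pack.nasl",
    "smb_reg_service_pack_W2K.nasl", "smb_reg_service_pack_XP.nasl",
]

PREFIX = r"^\[[^\]]+\]\[\d+\] "  # "[timestamp][pid] "
LAUNCH = re.compile(PREFIX + r"user \S+ : launching (\S+) against (\S+) \[(\d+)\]")
FINISH = re.compile(PREFIX + r"(\S+) \(process (\d+)\) finished its job in ([\d.]+) seconds")
SKIP = re.compile(PREFIX + r"user \S+ : Not launching (\S+) against (\S+) because the key (\S+) is missing")


def audit(log_text, required=REQUIRED):
    """Summarise which plugins ran, how long they took, and which were skipped."""
    launched, runtime, skipped = set(), {}, {}
    for line in log_text.splitlines():
        if m := LAUNCH.match(line):
            launched.add(m.group(1))
        elif m := FINISH.match(line):
            runtime[m.group(1)] = float(m.group(3))
        elif m := SKIP.match(line):
            skipped[m.group(1)] = m.group(3)  # plugin -> missing key
    never_launched = [p for p in required if p not in launched]
    return {"launched": launched, "runtime": runtime,
            "skipped": skipped, "never_launched": never_launched}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for plugin, key in report["skipped"].items():
        print(f"SKIPPED {plugin}: key {key} was never set")
    for plugin in report["never_launched"]:
        print(f"NOT LAUNCHED {plugin}: check that it is enabled")
```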
