What Nessus port scanners are you using and what ports are you scanning for? You might try setting specific ports (i.e. 139, 445) for the port scanner(s) to make sure Nessus sees the necessary ports.
Are you running your Nessus scan from a Windows client? Or from a *nix/BSD command line?

Chad

-----Original Message-----
From: Mark Natoli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 1:26 PM
To: [email protected]
Cc: Chad I. Uretsky
Subject: RE: plugin 19402

Hi,

I have set up a test W2K server machine with no service packs or patches. Eeye retina UMPN scanner shows it vulnerable. I ran a nessus report for only 19408 with auto_enable_dependencies=yes. It returned this:

SUMMARY

 - Number of hosts which were alive during the test : 0
 - Number of security holes found : 0
 - Number of security warnings found : 0
 - Number of security notes found : 0

From the log:

[Wed Aug 24 14:26:06 2005][12400] user nessususer : testing hostname.ourdomain.com (192.168.21.154) [12409]
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching find_service.nes against hostname.ourdomain.com [12410]
[Wed Aug 24 14:26:06 2005][12409] find_service.nes (process 12410) finished its job in 0.117 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching cifs445.nasl against hostname.ourdomain.com [12411]
[Wed Aug 24 14:26:06 2005][12409] cifs445.nasl (process 12411) finished its job in 0.143 seconds
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_nativelanman.nasl against hostname.ourdomain.com [12413]
[Wed Aug 24 14:26:11 2005][12409] smb_nativelanman.nasl (process 12413) finished its job in 0.079 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
[Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
[Wed Aug 24 14:26:11 2005][12409] Finished testing hostname.ourdomain.com. Time: 5.47 secs
[Wed Aug 24 14:26:11 2005][12400] user nessususer : test complete

On Wed, 24 Aug 2005, Chad I. Uretsky wrote:

> Hi Mark,
>
> What is the OS on the machine that is "known to be vulnerable"?
> MS05-039 is not exploitable without credentials on any Win OS except
> 2000. Also, since you don't normally use auto_enable_dependencies,
> you may not be getting the other SMB scripts that need to run in order
> for 19408 to work (I haven't tested 19402 - it requires administrative
> privileges on the machine it is run against).
>
> As far as the nessusrc, it gets multiple yes'es added if it has not
> yet been updated for new plugins which have been downloaded, as it
> adds the numbers for those plugins to the rc file and then turns them
> on. You can write a very simple perl script to turn on only the
> plugins you want. What I do (right now) is update my plugins, then
> launch a scan against a single host and wait for the rc file to get
> updated. Then, I break the scan and run my perl script against the rc
> file to turn on only those plugins that I want. Of course, you could
> just back up your rc file, run a scan against a single host, then
> replace the new rc with your backed-up copy. There are obviously
> several ways around this problem.
>
> With the dependencies, just to be sure, you might try manually
> enabling plugin 13855 (smb_hotfixes.nasl), which 19402 is dependent on
> to set the SMB/Registry/Enumerated key. You might try turning on
> "log_whole_attack" and see if you notice Nessus launching 13855
> (smb_hotfixes.nasl) and if it appears to complete successfully. It
> also is dependent upon several plugins (another reason to use
> auto_enable dependencies). These dependencies are:
>
> netbios_name_get.nasl
> smb_login.nasl
> smb_registry_full_access.nasl
> smb_reg_service_pack.nasl
> smb_reg_service_pack_W2K.nasl
> smb_reg_service_pack_XP.nasl
>
> So you might want to make sure they are enabled, as well as any of
> their dependencies (if you do not wish to use
> auto_enable_dependencies).
>
> Regards,
> Chad Uretsky
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Mark Natoli
> Sent: Wednesday, August 24, 2005 9:29 AM
> To: [email protected]
> Subject: plugin 19402
>
> Hi All,
>
> Using a combination of update-nessusrc and scripts run from cron, I
> have automated the daily scanning of multiple networks for
> vulnerabilities that have known worms. However I cannot get the new
> 19402 (nor 19408) to test positive for a machine known to be
> vulnerable to MS05-039.
> Here is a line from the log:
> [Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching smb_kb899588.nasl against hostname1.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)
>
> Does anyone have a plugin that works?
>
> Also, after upgrading to 2.2.5 from 2.0.x, I had to make the
> .nessusrc read only to the owner of the script running cron. Without
> doing this, the .nessusrc is opened when the script is run and
> multiple yes'es are added to plugins, slowing down the report even
> though I don't have any dependencies specified:
> auto_enable_dependencies = no
> silent_dependencies = no
>
> Any help?
>
> btw, I also tried enabling dependencies to get 19402 to work but
> this made no difference to me.
>
> Thanks,
> -Mark
>
> _______________________________________________
> Nessus mailing list
> [email protected] http://mail.nessus.org/mailman/listinfo/nessus
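An added example, not part of the original messages and not Nessus's own tooling: a small Python triage of nessusd log lines in the format quoted in this thread. It lists plugins skipped because a KB key was missing and reports which of the smb_hotfixes.nasl dependencies named above were never launched against a host. The function names and the REQUIRED constant are assumptions made for the example; the sample lines are copied from the logs quoted above.

```python
import re

LAUNCH = re.compile(r": launching (\S+) against (\S+) \[(\d+)\]")
FINISH = re.compile(r"\] (\S+) \(process (\d+)\) finished its job in ([\d.]+) seconds")
SKIP = re.compile(r": Not launching (\S+) against (\S+) because the key (\S+) is missing")

# smb_hotfixes.nasl plus the dependencies listed for it in the thread.
REQUIRED = [
    "netbios_name_get.nasl", "smb_login.nasl", "smb_registry_full_access.nasl",
    "smb_reg_service_pack.nasl", "smb_reg_service_pack_W2K.nasl",
    "smb_reg_service_pack_XP.nasl", "smb_hotfixes.nasl",
]

# Sample lines taken from the two log excerpts quoted in the thread.
SAMPLE_LOG = """\
[Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching smb_kb899588.nasl against hostname1.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
[Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
"""

def triage(log_text):
    """Return {host: {"ran": {plugin: seconds}, "skipped": {plugin: kb_key}}}."""
    hosts, by_pid = {}, {}
    for line in log_text.splitlines():
        if m := SKIP.search(line):
            plugin, host, key = m.groups()
            hosts.setdefault(host, {"ran": {}, "skipped": {}})["skipped"][plugin] = key
        elif m := LAUNCH.search(line):
            plugin, host, pid = m.groups()
            by_pid[pid] = host  # "finished" lines carry only the pid, not the host
            hosts.setdefault(host, {"ran": {}, "skipped": {}})["ran"][plugin] = None
        elif m := FINISH.search(line):
            plugin, pid, secs = m.groups()
            if pid in by_pid:
                hosts[by_pid[pid]]["ran"][plugin] = float(secs)
    return hosts

def never_launched(report, host, required=REQUIRED):
    """Plugins from `required` with no 'launching' line for this host."""
    ran = report.get(host, {"ran": {}})["ran"]
    return [p for p in required if p not in ran]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host, info in report.items():
        print(host, "skipped:", info["skipped"])
        print(host, "never launched:", never_launched(report, host))
```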
