Hi, I added the port scanner nmap.nasl (14259) but this only appended a tcp scan to the report, it didn't find the vulnerability. I also tried recreating the .nessusrc by launching the gui and then deleting all but 19408 rather than relying on the file that was created by update-nessusrc and modified manually. This also failed to identify the vulnerability. I'm using a Linux server and client on the same machine and I successfully scan for sasser, dcom, etc. using this method but I can't get PNP (19408 or 19402) to work. Is anyone else successful in getting the same results from Retina's scanner as they are from nessus for MS05-039? If so can you please share your .nessusrc file.

Thanks,
-Mark

On Wed, 24 Aug 2005, Chad I. Uretsky wrote:

> What Nessus port scanners are you using and what ports are you scanning for?
> You might try setting specific ports (i.e. 139, 445) for the port scanner(s)
> to make sure Nessus sees the necessary ports.
>
> Are you running your Nessus scan from a Windows client? Or from a *nix/BSD
> command line?
>
> Chad
>
>
> -----Original Message-----
> From: Mark Natoli [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 24, 2005 1:26 PM
> To: [email protected]
> Cc: Chad I. Uretsky
> Subject: RE: plugin 19402
>
>
> Hi,
>
> I have set up a test W2K server machine with no service packs or patches.
> Eeye retina UMPN scanner shows it vulnerable.
> I ran a nessus report for only 19408 with auto_enable_dependencies=yes. It
> returned this:
>
> SUMMARY
>
> - Number of hosts which were alive during the test : 0
> - Number of security holes found : 0
> - Number of security warnings found : 0
> - Number of security notes found : 0
>
>
> From the log:
> [Wed Aug 24 14:26:06 2005][12400] user nessususer : testing hostname.ourdomain.com (192.168.21.154) [12409]
> [Wed Aug 24 14:26:06 2005][12409] user nessususer : launching find_service.nes against hostname.ourdomain.com [12410]
> [Wed Aug 24 14:26:06 2005][12409] find_service.nes (process 12410) finished its job in 0.117 seconds
> [Wed Aug 24 14:26:06 2005][12409] user nessususer : launching cifs445.nasl against hostname.ourdomain.com [12411]
> [Wed Aug 24 14:26:06 2005][12409] cifs445.nasl (process 12411) finished its job in 0.143 seconds
> [Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
> [Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
> [Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_nativelanman.nasl against hostname.ourdomain.com [12413]
> [Wed Aug 24 14:26:11 2005][12409] smb_nativelanman.nasl (process 12413) finished its job in 0.079 seconds
> [Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
> [Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
> [Wed Aug 24 14:26:11 2005][12409] Finished testing hostname.ourdomain.com. Time: 5.47 secs
> [Wed Aug 24 14:26:11 2005][12400] user nessususer : test complete
>
>
> On Wed, 24 Aug 2005, Chad I. Uretsky wrote:
>
> > Hi Mark,
> >
> > What is the OS on the machine that is "known to be vulnerable"?
> > MS05-039 is not exploitable without credentials on any Win OS except
> > 2000. Also, since you don't normally use auto_enable_dependencies,
> > you may not be getting the other SMB scripts that need to run in order
> > for 19408 to work (I haven't tested 19402 - it requires administrative
> > privileges on the machine it is run against).
> >
> > As far as the nessusrc, it gets multiple yes'es added if it has not
> > yet been updated for new plugins which have been downloaded, as it
> > adds the numbers for those plugins to the rc file and then turns them
> > on. You can write a very simple perl script to turn on only the
> > plugins you want. What I do (right now) is update my plugins, then
> > launch a scan against a single host and wait for the rc file to get
> > updated. Then, I break the scan and run my perl script against the rc
> > file to turn on only those plugins that I want. Of course, you could
> > just backup your rc file, run a scan against a single host, then
> > replace the new rc with your backed-up copy. There are obviously
> > several ways around this problem.
> >
> > With the dependencies, just to be sure, you might try manually
> > enabling plugin 13855 (smb_hotfixes.nasl), which 19402 is dependent on
> > to set the SMB/Registry/Enumerated key. You might try turning on
> > "log_whole_attack" and see if you notice Nessus launching 13855
> > (smb_hotfixes.nasl) and if it appears to complete successfully. It
> > also is dependent upon several plugins (another reason to use
> > auto_enable dependencies). These dependencies are:
> >
> > netbios_name_get.nasl
> > smb_login.nasl
> > smb_registry_full_access.nasl
> > smb_reg_service_pack.nasl
> > smb_reg_service_pack_W2K.nasl
> > smb_reg_service_pack_XP.nasl
> >
> > So you might want to make sure they are enabled, as well as any of
> > their dependencies (if you do not wish to use
> > auto_enable_dependencies).
> >
> > Regards,
> > Chad Uretsky
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > On Behalf Of Mark Natoli
> > Sent: Wednesday, August 24, 2005 9:29 AM
> > To: [email protected]
> > Subject: plugin 19402
> >
> >
> > Hi All,
> >
> > Using a combination of update-nessusrc and scripts run from cron, I
> > have automated the daily scanning of multiple networks for
> > vulnerabilities that have known worms. However I cannot get the new
> > 19402 (nor 19408) to test positive for a machine known to be vulnerable to
> > MS05-039.
> >
> > Here is a line from the log:
> > [Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching smb_kb899588.nasl against hostname1.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)
> >
> > Does anyone have a plugin that works?
> >
> > Also, after upgrading to 2.2.5 from 2.0.x, I had to make the
> > .nessusrc read only to the owner of the script running cron. Without
> > doing this, the .nessusrc is opened when the script is run and
> > multiple yes'es are added to plugins, slowing down the report even
> > though I don't have any dependencies specified:
> > auto_enable_dependencies = no
> > silent_dependencies = no
> >
> > Any help?
> >
> > btw, I also tried enabling dependencies to get 19402 to work but
> > this made no difference to me.
> >
> > Thanks,
> > -Mark
> >
> >
> > _______________________________________________
> > Nessus mailing list
> > [email protected] http://mail.nessus.org/mailman/listinfo/nessus
> >
>
_______________________________________________
Nessus mailing list
[email protected] http://mail.nessus.org/mailman/listinfo/nessus
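
Added example (not part of the original messages, and not Nessus project code): a Python script that reads nessusd log lines in the format quoted in this thread and reports which plugins were skipped for a missing KB key, how long each launched plugin ran, and which of the smb_hotfixes.nasl dependencies named in the thread were never launched against a host. The sample log is constructed from the quoted lines, and the regular expressions assume that line format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the nessusd log lines quoted in the thread.
SAMPLE_LOG = """\
[Wed Aug 24 10:15:09 2005][9628] user nessususer : Not launching smb_kb899588.nasl against hostname1.ourdomain.com because the key SMB/Registry/Enumerated is missing (this is not an error)
[Wed Aug 24 14:26:06 2005][12409] user nessususer : launching netbios_name_get.nasl against hostname.ourdomain.com [12412]
[Wed Aug 24 14:26:11 2005][12409] netbios_name_get.nasl (process 12412) finished its job in 5.023 seconds
[Wed Aug 24 14:26:11 2005][12409] user nessususer : launching smb_kb899588.nasl against hostname.ourdomain.com [12414]
[Wed Aug 24 14:26:11 2005][12409] smb_kb899588.nasl (process 12414) finished its job in 0.007 seconds
"""

# Plugins the thread lists as dependencies of smb_hotfixes.nasl (13855).
HOTFIX_DEPS = ["netbios_name_get.nasl", "smb_login.nasl",
               "smb_registry_full_access.nasl", "smb_reg_service_pack.nasl",
               "smb_reg_service_pack_W2K.nasl", "smb_reg_service_pack_XP.nasl"]

PREFIX = r"^\[[^\]]+\]\[\d+\] "  # "[timestamp][pid] "
SKIPPED = re.compile(PREFIX + r"user \S+ : Not launching (\S+) against (\S+) "
                     r"because the key (\S+) is missing")
LAUNCHED = re.compile(PREFIX + r"user \S+ : launching (\S+) against (\S+) \[(\d+)\]")
FINISHED = re.compile(PREFIX + r"(\S+) \(process (\d+)\) finished its job in ([\d.]+) seconds")

def summarize(log_text):
    """Return (skipped, ran): plugins skipped for a missing KB key, and
    per-host run times (seconds, or None if unfinished) of launched plugins."""
    skipped = defaultdict(list)  # host -> [(plugin, missing_key)]
    ran = defaultdict(dict)      # host -> {plugin: seconds}
    pid_host = {}                # plugin process id -> host it was launched against
    for line in log_text.splitlines():
        if m := SKIPPED.match(line):
            plugin, host, key = m.groups()
            skipped[host].append((plugin, key))
        elif m := LAUNCHED.match(line):
            plugin, host, pid = m.groups()
            pid_host[pid] = host
            ran[host][plugin] = None
        elif m := FINISHED.match(line):
            plugin, pid, secs = m.groups()
            if pid in pid_host:  # "finished" lines carry no host; map via pid
                ran[pid_host[pid]][plugin] = float(secs)
    return dict(skipped), dict(ran)

def never_launched(ran, host, required=HOTFIX_DEPS):
    """Required plugins with no 'launching' line for this host."""
    return [p for p in required if p not in ran.get(host, {})]

if __name__ == "__main__":
    skipped, ran = summarize(SAMPLE_LOG)
    print(skipped, ran, never_launched(ran, "hostname.ourdomain.com"), sep="\n")
```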
