Note that the problem is not specifically related to the smb_login.nasl. It appears that smb_login_as_users.nasl, smb_login_deloder.nasl and others don't supply a domain_name but use a NULL for the domain-name. If that's the case, then the scanned server tries to authenticate the user locally, and also tries to authenticate the user against the domain if the first login was unsuccessful. Again, if local user accounts on the scanned servers are also defined in the domain, the domain-account may be locked because scanning multiple servers results in the clipping-level of the domain-account being exceeded and that account will be locked; the local-account however stays under the defined clipping-level and will not be locked.

Mike


Nicolas Pouvesle wrote:
You should update your plugins.
I changed smb_login.nasl some time ago to first try to connect with the
given domain name instead of first trying to connect with no domain name.


Nicolas


On Tue, 2006-04-04 at 09:10 +0200, m g wrote:
After further investigating this issue, it appears that the SMB/domain-entry is not set at all during the scans I performed, so the previous conclusion I made is incorrect. It turns out that the plugin smb_login_as_users.nasl tries to login to the specified host with the enumerated username and a combination of a blank password and a password same as the username, however a domain name is not provided. The Windows-host first tries to login locally with the supplied credentials and it turns out that the Windows-host (not Nessus) then tries to login to the domain with the supplied credentials (note again that no domain-name was supplied to the logon-function).

I also manually verified this (not using Nessus) by connecting to a share (net use \\servername\share "invalid_password" /user:"username") of the Windows-host supplying only a username and invalid password. It turns out that two logons are performed, one locally with the supplied credentials and one in the domain.

Now the key question: Is this a problem in the Nessus-plugin (which should supply a valid hostname/domain to login to) or is this a problem with Windows in how it handles logon-requests that lack the domain name? Also, is it perhaps possible to tune Nessus so that it always supplies the proper domain/hostname?

Of course, the obvious solution, enabling safe-checks etc. results in the plugin not being performed, however this is not an option in my situation.

Thanx again if anyone can provide me a solution.

Mike

m g wrote:
Hello,

Consider the following scenario:
Several workstations or servers that are domain-members contain a local user account (i.e. testuser). In the domain also an account named testuser is defined.

In the above configuration I've experienced the following problem. While scanning some systems that are members of the domain, Nessus tries to login to the local system using several combinations (username / no password, username / password=username). This results in two logons per enumerated account. However the scan also tries to login on the domain using the locally enumerated account. This means that for the testuser-account, scanning four domain-members results in eight invalid logins ==> result is that the domain-account is locked.

As far as I could see, the problem is related to the smb_login_as_users.nasl. This plugin tries to login using the locally enumerated accounts and uses the SMB/domain entry from the knowledge base. I did not define the SMB-domain in my nessusrc-file, however further investigation shows that other plugins set the SMB/domain-entry, for example if NULL-sessions are enabled (true for my configuration), the smb_login.nasl sets the SMB/domain entry. In my opinion, because of NULL-sessions being enabled, the smb_login_as_users.nasl now tries to authenticate local users against the domain.

Anyone else experienced this problem and if so, any advice on how this can be solved?

Thanx in advance.

Mike
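
The lockout arithmetic described in this thread (two password guesses per enumerated account per host, a NULL domain field making the host fall back to a domain logon, per-host local counters versus one shared domain counter), as an added Python model that is not from the thread, from Nessus or from the plugins mentioned. The host names, the user list and the lockout thresholds are constructed; `supply_hostname=True` models a plugin that fills the domain field with the scanned host's own name so the logon stays local.

```python
from collections import defaultdict

# Constructed policy values: the domain "clipping level" and the local one.
DOMAIN_LOCKOUT_THRESHOLD = 5
LOCAL_LOCKOUT_THRESHOLD = 5


def simulate_scan(hosts, users, domain_users, guesses=2, supply_hostname=False):
    """Model the logon behaviour the thread describes.

    Every host receives `guesses` bad logons per user (blank password, password
    equal to the username).  The host authenticates locally first; when the
    domain field is NULL (supply_hostname=False) and the local logon fails, the
    host also forwards the attempt to the domain, so a same-named domain account
    collects a failure from every scanned host.  With the host's own name in the
    domain field the logon is evaluated locally only.
    Returns (local_failures, domain_failures) counters.
    """
    local_failures = defaultdict(int)   # (host, user) -> bad logons on that host
    domain_failures = defaultdict(int)  # user -> bad logons, shared by all hosts
    for host in hosts:
        for user in users:
            for _ in range(guesses):
                local_failures[(host, user)] += 1          # local logon fails
                if not supply_hostname and user in domain_users:
                    domain_failures[user] += 1             # NULL domain: fallback
    return local_failures, domain_failures


def locked_accounts(local_failures, domain_failures):
    """Accounts whose failure count reached the respective lockout threshold."""
    locked = set()
    for (host, user), n in local_failures.items():
        if n >= LOCAL_LOCKOUT_THRESHOLD:
            locked.add(f"{host}\\{user}")
    for user, n in domain_failures.items():
        if n >= DOMAIN_LOCKOUT_THRESHOLD:
            locked.add(f"DOMAIN\\{user}")
    return locked


if __name__ == "__main__":
    hosts = ["ws1", "ws2", "ws3", "ws4"]          # constructed domain members
    for flag in (False, True):
        local, domain = simulate_scan(hosts, ["testuser"], {"testuser"},
                                      supply_hostname=flag)
        print(f"supply_hostname={flag}: domain failures="
              f"{domain.get('testuser', 0)}, locked={locked_accounts(local, domain)}")
```

With a NULL domain the four hosts produce eight failed domain logons for testuser and only two per host locally, which is exactly the asymmetry that locks the domain account while the local ones survive.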


_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus