Nessus

Re: Relating CVE IDs in Nessus Plugins

To: <nessus@list.nessus.org>
Subject: Re: Relating CVE IDs in Nessus Plugins
From: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Date: Mon, 20 Nov 2006 16:53:31 +0530
In-reply-to: <20061114170009.5B9891374C@mail.nessus.org>
Thread-topic: Relating CVE IDs in Nessus Plugins
Hi George,

Coincidentally there is only one such plug-in.

Namely: smb_nt_ms04-011.nasl

Warm Regards

Nitin Shingari
nvshingari@ipolicynetworks.com


-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On Behalf Of nessus-request@list.nessus.org
Sent: Tuesday, November 14, 2006 10:30 PM
To: nessus@list.nessus.org
Subject: Nessus Digest, Vol 37, Issue 12

Send Nessus mailing list submissions to
        nessus@list.nessus.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://mail.nessus.org/mailman/listinfo/nessus
or, via email, send a message with subject or body 'help' to
        nessus-request@list.nessus.org

You can reach the person managing the list at
        nessus-owner@list.nessus.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Nessus digest..."


Today's Topics:

   1. Nessus 3 logging.. (Paul Hanson)
   2. any news on profilesRe: Plugin 16192 (Darko Gavrilovic)
   3. flash install left part of old version behind (Bob Babcock)
   4. Re: flash install left part of old version behind
      (George A. Theall)
   5. ms msde sql database server version detected incorrectly
      (Ward Taylor)
   6. False negatives? (felix lin)
   7. Relating CVE IDs in Nessus Plugins (Shingari, Nitin V.)
   8. Re: False negatives? (George A. Theall)
   9. Re: Nessus 3 logging.. (George A. Theall)
  10. Re: Information about this scan (George A. Theall)
  11. Re: Relating CVE IDs in Nessus Plugins (George A. Theall)
  12. Inconsistent results for VNC (Bob Babcock)
  13. Re: Inconsistent results for VNC (Michel Arboi)
  14. Re: Inconsistent results for VNC (Michel Arboi)


----------------------------------------------------------------------

Message: 1
Date: Mon, 13 Nov 2006 10:40:16 -0600
From: "Paul Hanson" <phanson@us.checkpoint.com>
Subject: Nessus 3 logging..
To: <nessus@list.nessus.org>
Message-ID: <004501c70742$66869340$7292e4d8@ad.checkpoint.com>
Content-Type: text/plain; charset="us-ascii"

Does nessus 3.0 allow for logging of results directly into a MySql
database? I know various clients support this, but does the server or
nessusd support this? It would definitely be nice to fire off cron jobs
for scheduled tests and then mine a mysql database for reports.

Thanks,

Paul

------------------------------

Message: 2
Date: Mon, 13 Nov 2006 14:13:09 -0500
From: Darko Gavrilovic <darko.gavrilovic@utoronto.ca>
Subject: any news on profilesRe: Plugin 16192
Cc: nessus@list.nessus.org
Message-ID: <4558C3C5.5070404@utoronto.ca>
Content-Type: text/plain; charset=ISO-8859-1

Hi, I snooped through the list archives and web site.   Can't seem to
see an update on the profiles questions? Are profiles implemented? Will
they be?

What I would like to do is save plugin combinations with which to scan
hosts. The goal of this is to reduce the length of the reports and make
it a little more presentable to non-techs.

cheers,
dg

------------------------------

Message: 3
Date: Mon, 13 Nov 2006 15:24:58 -0500 (EST)
From: Bob Babcock <rbabcock@cfa.harvard.edu>
Subject: flash install left part of old version behind
To: nessus@list.nessus.org
Message-ID: <200611132024.kADKOwXc028005@cfa0.cfa.harvard.edu>

Scanning a win/xp machine with Windows Nessus, plugin 11952 says the
flash version is older than 7.0.19.0, but Shavlik says the version is
7.0.68.0.
Looking closer, I find
  flash7a.ocx  7.0.68.0
  flash.ocx    6.0.79.0
in \windows\system32\macromed\flash.  Looks like the install of version
7 didn't remove all of version 6 and the plugin is seeing the old
version.
(I modified the plugin to display the version number and got 6.0.79.0.)
The registry entry at
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion says
7,0,68,0.  Unless there's some way the old, vulnerable flash can be
triggered, I think the plugin should ignore the old file.


------------------------------

Message: 4
Date: Mon, 13 Nov 2006 17:17:07 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: flash install left part of old version behind
To: nessus@list.nessus.org
Message-ID: <4558EEE3.5030102@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On Mon, Nov 13, 2006 at 03:24:58PM -0500, Bob Babcock wrote:

> Scanning a win/xp machine with Windows Nessus, plugin 11952 says the
> flash version is older than 7.0.19.0, but Shavlik says the version is
> 7.0.68.0.
> Looking closer, I find
>   flash7a.ocx  7.0.68.0
>   flash.ocx    6.0.79.0
> in \windows\system32\macromed\flash.

Thanks, I modified plugin #11952, which handles detection, to check for 
flash7a.ocx before flash.ocx; that should correct this issue.

The change should be available via nessus-update-plugins later tonight.

George
-- 
theall@tenablesecurity.com


------------------------------

Message: 5
Date: Mon, 13 Nov 2006 16:58:57 -0600
From: Ward Taylor <wardtayl@st-tel.net>
Subject: ms msde sql database server version detected incorrectly
To: nessus@list.nessus.org
Message-ID: <4558F8B1.8070403@st-tel.net>
Content-Type: text/plain; charset=ISO-8859-1

Hi
I find that plugin 11217 incorrectly identifies our msde databases as
being version 8.00.2039 when a "select @@version" on the server returns
8.00.2187.  2187 is the version that it should be with sp4 and hotfix
KB916287 applied.  This is on a box with windows xp sp2, and also one
with windows 2000 server, same patches, same report from nessus.
Thanks a lot


------------------------------

Message: 6
Date: Mon, 13 Nov 2006 11:35:02 -0600
From: "felix lin" <rastapong2@gmail.com>
Subject: False negatives?
To: <nessus@list.nessus.org>
Message-ID: <005e01c7074a$0d5c8510$a5962fd8@felixbox>
Content-Type: text/plain; charset="us-ascii"

Running Nessus 3.0.0 on Fedora Core 4.  It was working fine, but
recently started giving false negatives.  Specifically, it will only
report vulnerabilities for 11890 (Messenger Service).  Using NessusWX
client, which is telling me that it is scanning more than that port on
each host.

Anybody else seen this before?

felix lin


------------------------------

Message: 7
Date: Tue, 14 Nov 2006 11:11:18 +0530
From: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Subject: Relating CVE IDs in Nessus Plugins
To: <nessus@list.nessus.org>
Cc: "Shingari, Nitin V." <nvshingari@ipolicynetworks.com>
Message-ID: <D269C7CBDF116A48982D4DC51F111BE3022F3510@nsezhpmail01.india.ipolicynet.com>
Content-Type: text/plain; charset="us-ascii"

Hi,

In Nessus plug-ins CVE IDs are written in script_cve_id (...).

In some plug-ins a few CVE IDs are mentioned with IF conditions like:

if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");

Can we relate a CVE ID with the plug-in if it's mentioned in an IF
condition but not in the script_cve_id tag?

To make my question clearer, below is a small section of a plug-in:

-----------------------------------------------------------------------------------------------------------------------------

#
# (C) Tenable Network Security
#

if(description)
{
 script_id(12205);
 script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
 script_cve_id( "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909",
                "CVE-2003-0910", "CVE-2004-0117",
                "CVE-2004-0118", "CVE-2004-0119", "CVE-2004-0121");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0719");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0806");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0906");
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2004-A-0006");

 script_version("$Revision: 1.17 $");

-----------------------------------------------------------------------------------------------------------------------------

In the above script "CVE-2003-0533", "CVE-2003-0663"... are not
mentioned in script_cve_id(...) so can we relate these CVE IDs with the
plug-in?

Warm Regards

Nitin Shingari


------------------------------

Message: 8
Date: Tue, 14 Nov 2006 08:44:30 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: False negatives?
To: nessus@list.nessus.org
Message-ID: <4559C83E.7090101@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On Mon, Nov 13, 2006 at 11:35:02AM -0600, felix lin wrote:

> Running Nessus 3.0.0 on Fedora Core 4.  It was working fine, but 
> recently started giving false negatives.  

Do you know when the change occurred? What if anything changed in the
Nessus environment (eg, plugin updates, scan configs)? Have you looked
at Nessus' logs and/or KBs for the affected hosts to see if they contain
any clues?

> Specifically, it will only report vulnerabilities for 11890 (Messenger
> Service).  Using NessusWX client, which is telling me that it is
> scanning more than that port on each host.

Have you verified that the remote hosts are still running additional
services that Nessus should pick up? Is the scan running afoul of any
sort of IPS? Have you done a packet capture while running a scan to see
what traffic is being exchanged?


George
-- 
theall@tenablesecurity.com


------------------------------

Message: 9
Date: Tue, 14 Nov 2006 09:29:14 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Nessus 3 logging..
To: nessus@list.nessus.org
Message-ID: <4559D2BA.8060405@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On Mon, Nov 13, 2006 at 10:40:16AM -0600, Paul Hanson wrote:

> Does nessus 3.0 allow for logging of results directly into a MySql 
> database?

No.

> I know various clients support this, but does the server or nessusd
> support this? It would definitely be nice to fire off cron jobs for
> scheduled tests and then mine a mysql database for reports.

NessusWX can output results to a MySQL database, but that runs on 
Windows and its support of commandline usage is lacking.

The Unix clients can generate SQL statements for the list of plugins on
a server as well as preferences but not results to a database.

You could look into saving results from the Unix commandline client as, 
say, NBE, and then using that to populate your database. Inprotect, 
http://www.inprotect.com/, is an open-source solution that reportedly 
uses this approach.

Or you could go with Security Center, 
http://www.tenablesecurity.com/products/sc.shtml, a commercial product 
from Tenable.

George
-- 
theall@tenablesecurity.com


------------------------------

Message: 10
Date: Tue, 14 Nov 2006 10:00:49 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Information about this scan
To: Nessus@list.nessus.org
Message-ID: <4559DA21.7050305@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

On Sat, Nov 11, 2006 at 05:41:20PM +0100, p.0155 wrote:

> Hello everyone, I'm using the latest version of Nessus on Linux
> (Fedora 5) and WindowsXP.

"Latest version" is confusing... there are currently two branches of
Nessus, 2.2.x and 3.x, and I wouldn't be surprised if the latest
packaged version of Nessus for FC5 is not necessarily the same as what
we make available.

> Sometimes my reports displays "Information about this scan" and 
> sometimes this information is missing, even if I use the same 
> configuration, the same target, the same Nessus server and the same 
> Nessus client.
> Can anybody tell me why?

Do you have KB saving enabled? If so, you may want to look at the 
various associated settings.


George
-- 
theall@tenablesecurity.com


------------------------------

Message: 11
Date: Tue, 14 Nov 2006 10:29:02 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Relating CVE IDs in Nessus Plugins
To: nessus@list.nessus.org
Message-ID: <4559E0BE.1060309@tenablesecurity.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

On Tue, Nov 14, 2006 at 11:11:18AM +0530, Shingari, Nitin V. wrote:

> In Nessus plug-ins CVE IDs are written in script_cve_id (...).
> 
> In some plug-ins few CVE IDs are mentioned with IF conditions like:
> if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
> 
> if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
> 
> Can we relate CVE ID with the plug-in if it's mentioned in IF
> condition but not in script_cve_id tag?

Yes. Older versions of Nessus (pre 2.2.x, I believe) had issues if there
were more than 8 ids in a call to script_cve_id(). So if a plugin
corresponded to more than that, additional ones would be added using
script_xref(). The report should still list all [unless you're running
with a version of Nessus that didn't support script_xref(), which is the
reason for the 'if(defined_func("script_xref"))'].

I'll adjust this particular plugin shortly to collect all the CVE ids 
together since no one should be using Nessus 2.0 any longer. If you're 
aware of any similar plugins, let me know please.

George
-- 
theall@tenablesecurity.com

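Anyone mapping CVE ids to plugins from the .nasl sources has to read both places George describes. The extractor below is an added example, not Tenable's or Nessus' own code: it pulls the ids from script_cve_id() and from script_xref(name:"CVE", ...) calls, merges them the way the report does, and shows which ids a script_cve_id()-only mapping would miss. The sample plugin text is constructed in the shape of the fragment quoted above; the regexes are this example's own.

```python
import re

# Constructed sample in the shape of the plugin fragment quoted on the list:
# CVE ids split between script_cve_id() and script_xref(name:"CVE", ...) calls.
SAMPLE_PLUGIN = '''
if(description)
{
 script_id(12205);
 script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
 script_cve_id( "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909",
                "CVE-2003-0910", "CVE-2004-0117",
                "CVE-2004-0118", "CVE-2004-0119", "CVE-2004-0121");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0533");
 if(defined_func("script_xref"))script_xref(name:"CVE", value:"CVE-2003-0663");
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2004-A-0006");
 script_version("$Revision: 1.17 $");
}
'''

SCRIPT_ID_RE = re.compile(r"script_id\s*\(\s*(\d+)\s*\)")
CVE_ID_CALL_RE = re.compile(r"script_cve_id\s*\((.*?)\)\s*;", re.S)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Matches the call itself, not the name quoted inside defined_func("script_xref").
XREF_RE = re.compile(
    r'script_xref\s*\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]+)"\s*\)')

def cve_ids_from_cve_id_call(nasl):
    """CVE ids passed to script_cve_id(), the only place a naive mapper looks."""
    found = set()
    for call in CVE_ID_CALL_RE.finditer(nasl):
        found.update(CVE_RE.findall(call.group(1)))
    return found

def xrefs(nasl):
    """All script_xref() pairs as {name: [values]}, e.g. {"CVE": [...], "IAVA": [...]}."""
    out = {}
    for name, value in XREF_RE.findall(nasl):
        out.setdefault(name, []).append(value)
    return out

def plugin_cves(nasl):
    """(plugin id, sorted CVE ids) with both sources merged, as the report lists them."""
    m = SCRIPT_ID_RE.search(nasl)
    plugin_id = int(m.group(1)) if m else None
    cves = cve_ids_from_cve_id_call(nasl) | set(xrefs(nasl).get("CVE", []))
    return plugin_id, sorted(cves)

def cves_only_in_xref(nasl):
    """CVE ids a script_cve_id()-only mapping would miss for this plugin."""
    return sorted(set(xrefs(nasl).get("CVE", [])) - cve_ids_from_cve_id_call(nasl))

if __name__ == "__main__":
    print(plugin_cves(SAMPLE_PLUGIN), cves_only_in_xref(SAMPLE_PLUGIN))
```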

------------------------------

Message: 12
Date: Tue, 14 Nov 2006 11:14:00 -0500 (EST)
From: Bob Babcock <rbabcock@cfa.harvard.edu>
Subject: Inconsistent results for VNC
To: nessus@list.nessus.org
Message-ID: <200611141614.kAEGE0mx004120@cfa0.cfa.harvard.edu>

I'm getting inconsistent results scanning with plugin 19288 (VNC
security types).  Scanning the same machines, I sometimes get:

  The remote VNC server chose security type #0 (Invalid)
  Any user can connect to it without authentication, and thus take
  control of this machine.

and other times get:

  The remote VNC server chose security type #2 (VNC authentication)

I'm scanning with Windows Nessus 3.0.4 build W306.  Target machines are
Win/2K or Win/XP with RealVNC 3.3.7.  I can make VNC connections to the
target machines using a password, and if I try to clear the password
with this version of VNC, it says it won't accept connections with no
password.  I think I always get security type #0 for localhost.


------------------------------

Message: 13
Date: Tue, 14 Nov 2006 17:46:14 +0100
From: Michel Arboi <mikhail@nessus.org>
Subject: Re: Inconsistent results for VNC
To: rbabcock@cfa.harvard.edu
Cc: nessus@list.nessus.org
Message-ID: <m3u012nfhl.fsf@kissmedeadly.afraid.org>
Content-Type: text/plain; charset="us-ascii"

On Tue Nov 14 2006 at 17:14, Bob Babcock wrote:

>   The remote VNC server chose security type #0 (Invalid)
>   Any user can connect to it without authentication, and thus take
>   control of this machine.
> and other times get:
[snip]

Try applying this patch (or wait for a while and run
nessus-update-plugins). The script should be more robust.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/x-patch
Size: 527 bytes
Desc: not available
Url: http://mail.nessus.org/pipermail/nessus/attachments/20061114/550bca9f/attachment.bin

------------------------------

Message: 14
Date: Tue, 14 Nov 2006 17:58:59 +0100
From: Michel Arboi <mikhail@nessus.org>
Subject: Re: Inconsistent results for VNC
To: rbabcock@cfa.harvard.edu
Cc: nessus@list.nessus.org
Message-ID: <m3lkmenewc.fsf@kissmedeadly.afraid.org>
Content-Type: text/plain; charset=us-ascii

On Tue Nov 14 2006 at 17:46, Michel Arboi wrote:

> Try applying this patch

Oops. Forget it, I read the code too quickly.
No, the script was fine.

Security type 0 does not exist and should not be returned by a VNC
server. This is odd.

If possible, sniff the traffic...

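For reading the sniffed exchange Michel asks for, here is an added decoder of the RFB security message that plugin 19288 reports on (this is example code, not the plugin's or Michel's). Per the RFB protocol, a 3.3 server (what RealVNC 3.3.7 speaks) answers the version exchange with one U32 security type, and a 3.7/3.8 server with a U8 count followed by a list of U8 types; a value of 0 in either place is the server refusing the connection and is followed by a length-prefixed reason string, whereas "no authentication" is security type 1. The captures are constructed.

```python
import struct

# Security types named in the RFB protocol; 0 is never a usable type.
SEC_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def _reason(buf):
    """Refusal reason: U32 length followed by that many bytes of text."""
    (n,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + n].decode("latin-1")

def decode_security(version, data):
    """Decode the server's security message sent right after the version exchange.

    Returns (types, reason): types is the list of security types the server
    chose (3.3) or offered (3.7+); reason is the server's refusal text when it
    signalled failure (a U32 type of 0 in 3.3, a U8 type count of 0 in 3.7+).
    """
    if version < (3, 7):                       # RFB 3.3: one U32 security type
        (sec,) = struct.unpack(">I", data[:4])
        return ([], _reason(data[4:])) if sec == 0 else ([sec], None)
    count = data[0]                            # RFB 3.7/3.8: U8 count + U8 list
    if count == 0:
        return [], _reason(data[1:])
    return list(data[1:1 + count]), None

def classify(version, data):
    """What a captured handshake actually says about the server."""
    types, reason = decode_security(version, data)
    if reason is not None:
        return "refused: " + reason            # a rejected connection, not "no auth"
    if 1 in types:
        return "no authentication required"    # type 1 (None) is the real finding
    return "auth required: " + ", ".join(SEC_NAMES.get(t, "type %d" % t) for t in types)

# Constructed captures (not taken from the thread); the reason text is made up.
REASON = b"Too many authentication failures"
REFUSED_33 = struct.pack(">I", 0) + struct.pack(">I", len(REASON)) + REASON
ACCEPT_33 = struct.pack(">I", 2)               # 3.3 server chose VNC Authentication
OFFER_38 = bytes([1, 2])                       # 3.8 server offers only VNC Authentication

if __name__ == "__main__":
    for ver, cap in (((3, 3), REFUSED_33), ((3, 3), ACCEPT_33), ((3, 8), OFFER_38)):
        print(ver, classify(ver, cap))
```

A capture that ends right after the 4-byte 0 with no reason string would not match the protocol and is worth raising with the VNC vendor.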

------------------------------

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

End of Nessus Digest, Vol 37, Issue 12
**************************************
