Nessus Plugin Question
Results 1 to 6 of 6

Thread: Nessus Plugin Question

  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    42

    Nessus Plugin Question

    I'm having a problem with scanning windows boxes that belong to a domain. Nessus is installed and works properly. The problem is that some of the plugins don't give the proper results. For instance, I have a box with a default installation of AOL IM on it. When I scan it with Nessus it does not return a positive result. It gives no info about AOL. It does, however return results about open ports, Window vulnerabilites, and versions of native Windows software. I have the plug-in "AOL Instant Messenger is Installed (11882)" and all the dependencies. Matter of fact I have "enable all but dangerous plug-ins" enabled. So, I don't think I'm missing any dependencies. I do have "Safe Checks" enabled, could this be the problem? This is not the only plug-in like this that does not work. Other plug-ins like detect Yahoo Messenger and detect Ezula don't work. I can't quite figure out why. I'm scanning the boxes with a domain admin account and it has access to HKLM and HKCU.

    Thanks for your help.

    Ok, back to googling for me.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Are you using the NessusWX front-end? If so, there are settings within the plugins that need to be set or you will see results like you are experiencing. Give me the plugin ID numbers and I will see what's up.

    --TheHorse13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    42
    Yeah, I'm using the front end. The only setting I see for the plug-ins I'm dealing with is "Set Timeout" and I can't type in the box. I need to copy and paste a value in there. Perhaps there are more settings per plug-in and I'm missing them. If you could direct me to any more settings I could poke around and see if I can get it working. Do I need to fiddle with any config files or anything. This is probably something simple.

    Anyway, here's a few of the plug-ins I was having problems with:
    11882 AOL Installed
    11432 Yahoo Installed
    12107 McAfee Installed
    and more...

    I have to be missing something. I'm testing against computers in my domain and I know what is running on them. Are there any settings beyond the plug-in settings that need to be enabled to get good results?

    Thanks so much for giving me a hand,
    Trench

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Trench, the timeout option won`t be affecting it. Does your scan report everything else as expected?

    Having to dig back into my nessus windows client database...when you use the windows client isn`t the server where the scan is actually launched from? and if thats the case then woudln`t you need to have the server logged into the boxes (if they are yours) to get the most accurate results?? (so getting a combination of network and host vulnerability scan) ??
    Quis custodiet ipsos custodes

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    OK, I did a very simple scan with all non DoS plugins selected and I received identical results as you have. I am going to look at the NASL code in these plug-ins and see exactly what they do. Stay tuned...


    --TH13

    **EDIT**

    Here is your problem:

    Code:
    script_dependencies("netbios_name_get.nasl",
     		    "smb_login.nasl","smb_registry_access.nasl",
    		    "smb_registry_full_access.nasl");
     script_require_keys("SMB/name", "SMB/login", "SMB/password",
    		     "SMB/domain","SMB/transport");
    
     script_require_ports(139, 445);
     exit(0);
    exit(0);
    }
    
    include("smb_nt.inc");
    
    rootfile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOL Instant Messenger", item:"DisplayName");
    if(rootfile)
    {
     security_note(get_kb_item("SMB/transport"));
    }
    Are you able to login and obtain full access to these hosts? As you can see, it looks for a registry value and unless you can see the registry, it thinks that AIM is not installed.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Member
    Join Date
    Sep 2003
    Posts
    42
    Yeah, I can definitely see the registry with the account I'm using. I'm using a domain admin account right now(for testing). I actually got it working, but I'm not sure what I did. I hate that!

    Now the scan reports shows that AOL IM is installed. You need to look under Security Info for port 445.

    I was able to obtain these results with safe checks enabled and not dangerous plugins. The only thing I can think of is that one of the dependencies was not enabled and this was causing the problem.

    I'm going to continue testing this and making sure I'm not getting a lot of false negatives.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •