-
Nessus Plugin Question
I'm having a problem with scanning windows boxes that belong to a domain. Nessus is installed and works properly. The problem is that some of the plugins don't give the proper results. For instance, I have a box with a default installation of AOL IM on it. When I scan it with Nessus it does not return a positive result. It gives no info about AOL. It does, however return results about open ports, Window vulnerabilites, and versions of native Windows software. I have the plug-in "AOL Instant Messenger is Installed (11882)" and all the dependencies. Matter of fact I have "enable all but dangerous plug-ins" enabled. So, I don't think I'm missing any dependencies. I do have "Safe Checks" enabled, could this be the problem? This is not the only plug-in like this that does not work. Other plug-ins like detect Yahoo Messenger and detect Ezula don't work. I can't quite figure out why. I'm scanning the boxes with a domain admin account and it has access to HKLM and HKCU.
Thanks for your help.
Ok, back to googling for me.
-
Are you using the NessusWX front-end? If so, there are settings within the plugins that need to be set or you will see results like you are experiencing. Give me the plugin ID numbers and I will see what's up.
--TheHorse13
-
Yeah, I'm using the front end. The only setting I see for the plug-ins I'm dealing with is "Set Timeout" and I can't type in the box. I need to copy and paste a value in there. Perhaps there are more settings per plug-in and I'm missing them. If you could direct me to any more settings I could poke around and see if I can get it working. Do I need to fiddle with any config files or anything. This is probably something simple.
Anyway, here's a few of the plug-ins I was having problems with:
11882 AOL Installed
11432 Yahoo Installed
12107 McAfee Installed
and more...
I have to be missing something. I'm testing against computers in my domain and I know what is running on them. Are there any settings beyond the plug-in settings that need to be enabled to get good results?
Thanks so much for giving me a hand,
Trench
-
Trench, the timeout option won`t be affecting it. Does your scan report everything else as expected?
Having to dig back into my nessus windows client database...when you use the windows client isn`t the server where the scan is actually launched from? and if thats the case then woudln`t you need to have the server logged into the boxes (if they are yours) to get the most accurate results?? (so getting a combination of network and host vulnerability scan) ??
-
OK, I did a very simple scan with all non DoS plugins selected and I received identical results as you have. I am going to look at the NASL code in these plug-ins and see exactly what they do. Stay tuned...
--TH13
**EDIT**
Here is your problem:
Code:
script_dependencies("netbios_name_get.nasl",
"smb_login.nasl","smb_registry_access.nasl",
"smb_registry_full_access.nasl");
script_require_keys("SMB/name", "SMB/login", "SMB/password",
"SMB/domain","SMB/transport");
script_require_ports(139, 445);
exit(0);
exit(0);
}
include("smb_nt.inc");
rootfile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOL Instant Messenger", item:"DisplayName");
if(rootfile)
{
security_note(get_kb_item("SMB/transport"));
}
Are you able to login and obtain full access to these hosts? As you can see, it looks for a registry value and unless you can see the registry, it thinks that AIM is not installed.
-
Yeah, I can definitely see the registry with the account I'm using. I'm using a domain admin account right now(for testing). I actually got it working, but I'm not sure what I did. I hate that!
Now the scan reports shows that AOL IM is installed. You need to look under Security Info for port 445.
I was able to obtain these results with safe checks enabled and not dangerous plugins. The only thing I can think of is that one of the dependencies was not enabled and this was causing the problem.
I'm going to continue testing this and making sure I'm not getting a lot of false negatives.
