Penetration Testing mailing list archives
Re: Nessus question
From: "Thor" <thor () hammerofgod com>
Date: Mon, 25 Oct 2004 15:50:42 -0700
This doesn't solve your Nessus issue, but it may help you (or others) in the right environment. I wrote a couple of utils a long time ago that approach Terminal Services detection a bit differently than your standard "check for 3389."
"ProbeTS" will detect terminal services running on any system that you can hit with RPC, as long as you have authenticated access to it, regardless of what port TS is running on. This is helpful when trying to find "rogue" TS boxes where the listen port has been changed. The authenticated RPC requirement typically limits use of this tool to in-house testing, but I have not found another tool that does the same thing. Oh, and the C-Class scan feature is very slow, as I never figured out how to set a time-out when attempting to grab a TS handle. I haven't messed with it in a while, but it detects Win2k, Win2k3, as well as XP boxes running RD.
"TSEnum" is also port independent, but it only works with Win2k boxes, or Win2k3 boxes with true "Terminal Services" loaded (not just Remote Desktop-- it won't find those.) TSEnum queries the master browser and asks for a list of all systems it knows about, along with the system role. If the system is running Terminal Services, it will tell you. And actually, it will tell you everything else too-- SQL Servers, DCs, Workstations, etc. This is quite fast, and can give you a great list of all systems on a network and their role. I've had some problems with it regarding authentication (sometimes I've been able to use a null session, sometimes I've had to be logged on.)
These are available in the download section of HammerOfGod for those interested. Note that I have not messed with these in a long time, so I prob won't be able to provide much help ;)
T

----- Original Message -----
From: "Dan Tesch" <dan.tesch () comcast net>
To: "Pen Test" <pen-test () securityfocus com>
Sent: Thursday, October 21, 2004 10:29 AM
Subject: Nessus question

I have been running some scans on a net that has several boxes running MS TermServ - I can connect to them and I know 3389 is open but Nessus isn't seeing it - When I look in the Configure services it shows 3389 listed. Anyone seen this? Where else can I look in Nessus settings? Thanks

------------------------------------------------------------------------------
Internet Security Systems. - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology.
http://www.securityfocus.com/sponsor/ISS_pen-test_041001
-------------------------------------------------------------------------------
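The master-browser query that Thor's TSEnum is built on, as an added PowerShell example (not TSEnum or any HammerOfGod code): NetServerEnum at level 101 with the SV_TYPE_TERMINALSERVER filter returns every host the browser lists with the Terminal Services role, whatever port TS listens on, so an admin can diff that list against the hosts that are supposed to offer it. The role bit values are the documented lmserver.h constants; the $Approved list is a constructed placeholder.

```powershell
$sig = @'
using System;
using System.Runtime.InteropServices;
public class Browser {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SERVER_INFO_101 {
        public uint platform_id; public string name;
        public uint version_major; public uint version_minor;
        public uint type; public string comment;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetServerEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, uint servertype,
        string domain, IntPtr resumehandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
'@
Add-Type -TypeDefinition $sig

# SV_TYPE_* bits from lmserver.h; only the roles the post mentions are decoded.
$RoleBits = [ordered]@{ Workstation = 0x1; SQLServer = 0x4; DomainController = 0x8; TerminalServer = 0x02000000 }

function Get-BrowserTerminalServers {
    param([string]$Domain = $null)   # $null asks the browser for its own domain
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    # prefmaxlen -1 = MAX_PREFERRED_LENGTH; the TS bit makes the browser filter server side.
    $rc = [Browser]::NetServerEnum($null, 101, [ref]$buf, -1, [ref]$read, [ref]$total,
                                   $RoleBits.TerminalServer, $Domain, [IntPtr]::Zero)
    if ($rc -ne 0 -and $rc -ne 234) { throw "NetServerEnum failed, NET_API_STATUS $rc" }  # 234 = ERROR_MORE_DATA
    try {
        $t = [Browser+SERVER_INFO_101]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($t)
        for ($i = 0; $i -lt $read; $i++) {
            $p = [IntPtr]($buf.ToInt64() + $i * $size)
            $e = [Runtime.InteropServices.Marshal]::PtrToStructure($p, $t)
            $roles = $RoleBits.Keys | Where-Object { ($e.type -band $RoleBits[$_]) -ne 0 }
            [pscustomobject]@{ Name = $e.name; OS = "$($e.version_major).$($e.version_minor)"; Roles = ($roles -join ',') }
        }
    } finally { [void][Browser]::NetApiBufferFree($buf) }
}

# Constructed placeholder: the hosts that are supposed to run TS. Anything else the
# browser advertises with the TS role is worth a look, whatever port it listens on.
$Approved = @('TS01', 'TS02')
Get-BrowserTerminalServers | Where-Object { $Approved -notcontains $_.Name } | Format-Table Name, OS, Roles
```

As the post notes, the call only returns what a reachable master browser will hand over under the credentials you run it with, and the Computer Browser service depends on SMBv1 and is absent on current Windows releases, so this matches the Win2k/Win2k3 networks being discussed rather than a modern domain.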