Mailing List Archive

Just a guess -- but I would try enumerating the shares via null session
(see foundstone/superscan free tool) to see if the share is visible to
everyone without any authentication.

Remotely, you can "learn" the shares on a windows box in a few ways:

a) You set it up/someone told you -- obviously, Nessus can't find that.
b) Null session -- the box will tell everyone about the shares
c) Credentials: You can log in and enumerate the shares.

So I'm guessing that on your linux box, you use a) above -- your knowledge
that the share exists, to connect/access it. Nessus only finds B and C,
as far as I know. Finding any random/open share that may have been
created, without logging in/null sessions, would require brute forcing,
with \\target\<dictionaryword/brute force sharename>. Not feasible.

Make sense?






<Steven.Moore@ocfl.net>
Sent by: nessus-bounces@list.nessus.org
09/24/2008 01:25 PM

To
<nessus@list.nessus.org>
cc

Subject
Scan for Windows (SMB) Shares






I am attempting to scan the network for open SMB shares. The only plug-in
I have enabled is ?SMB shares access.? I have set up a shared test folder
with some mock data in it on two of my boxes and given ?Full Control? to
?Everyone.?

When I scan with credentials that have local admin privileges on the box,
I retrieve a list of the shares.

When I scan without credentials or with credentials that do not have local
admin privileges on the box I retrieve no results; however, if I try to
access the shares from another windows box using the same (non admin on
other machine) credentials, I am able to view and edit the share (as they
are set to full control to everyone).

Why would the results not be showing when I am purposely adding unsecure
permissions? Is there another plug-in I should enable?

Thanks for your help!
Steven Moore
Enterprise Security Unit
Information Systems and Services Divistion
Orange County Government, Florida
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

Steven-
When you created a scan under the plugin tab did you enable plugin
dependencies? I would recommend that you attempt a new scan without
login credentials, and enable plugin credentials and remove the checkbox for
silent dependencies.

This will configure the scanner to load all plugins needed to execute "SMB
Share Access" and report all plugin activity.

hope this helps.
ashby


On Wed, Sep 24, 2008 at 4:25 PM, <Steven.Moore@ocfl.net> wrote:

> I am attempting to scan the network for open SMB shares. The only plug-in
> I have enabled is "SMB shares access." I have set up a shared test folder
> with some mock data in it on two of my boxes and given "Full Control" to
> "Everyone."
>
>
>
> When I scan with credentials that have local admin privileges on the box, I
> retrieve a list of the shares.
>
>
>
> When I scan without credentials or with credentials that do not have local
> admin privileges on the box I retrieve no results; however, if I try to
> access the shares from another windows box using the same (non admin on
> other machine) credentials, I am able to view and edit the share (as they
> are set to full control to everyone).
>
>
>
> Why would the results not be showing when I am purposely adding unsecure
> permissions? Is there another plug-in I should enable?
>
>
>
> Thanks for your help!
>
> *Steven Moore*
> Enterprise Security Unit
> Information Systems and Services Divistion
> Orange County Government, Florida
>
>
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>



--
ashby