Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Nessus stores credentials in plain text
From: ~Kevin Davis³ <kevin.davis () mindless com>
Date: Sun, 28 Mar 2004 16:17:29 -0500

Q.  Does Nessus use username and password data and store it in plaintext
locally even after the client connections are long gone?

A. Yes.


If is not ok for vulnerability scanners like ISS and others to do this, why
is it ok for Nessus to do this?

----- Original Message ----- 
From: "Raymond Morsman" <raymond () dyn org>
To: "~Kevin Davis³" <computerguy () cfl rr com>
Cc: <full-disclosure () lists netsys com>
Sent: Sunday, March 28, 2004 4:27 PM
Subject: Re: [Full-disclosure] Nessus stores credentials in plain text


On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:
Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who were doing the same
thing and once realized it changed it.  I don't see how a plaintext
username
and
password is simply "system data" and not also credentials.  And guess
what?
Nessus itself has several plugins that check for plaintext passwords in
other applications.

Q: Does Nessus use this data for its own persona-check?
A: No, it uses it for client connections.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]