Home page logo
/

pen-test logo Penetration Testing mailing list archives

nessus scan - epmap (135/tcp)
From: christopher.riley () r-it at
Date: Fri, 19 Dec 2008 09:42:07 +0100

As somebody has already pointed out, the version of Nessus is a little 
outdated (and not from the newer 3.x branch). That said, you have to 
understand the way in which a vulnerability scanner works to truely 
appreciate the problem. Nessus (as well as other true vulnerability 
scanners) are prone to false positives due to the "passive" methods used 
to find vulnerable systems. I use the word passive here not to show that 
they don't send packets (although I think Tenable still offers their fully 
passive vuln scanner for this), but that they do not actively exploit the 
service. At least not if the vulnerability can be found through simple 
enumeration. Nessus will do just enough to enumerate the 
service/process/port in order to check for a known vulnerability. This is 
the main reason the vulnerability scanning and penetration testing are two 
seperate things.

In this case, the vulnerable service needs patch number KB823980 (and 
possibly KB824146) installed. The best sure fire way to check is a local 
tool that you can run on the (possibly) vulnerable box to check that the 
patch is listed as installed. 

You can use WMIC to output a full list -->  wmic qfe list full 
/format:htable > output.html

or you can search through for one specific patch using -->  wmic qfe list 
full | findstr "823980"

Chris John Riley

listbounce () securityfocus com@inet wrote on 18.12.2008 21:06:30:

hi list,

some nessus scans have the following result:

Vulnerability found on port epmap (135/tcp)
  The remote host is running a version of Windows which has a flaw in
  its RPC interface which may allow an attacker to execute arbitrary 
code
  and gain SYSTEM privileges. There is at least one Worm which is
  currently exploiting this vulnerability. Namely, the MsBlaster worm.

  Solution: see 
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
       Risk factor : High
       CVE : CAN-2003-0352
       BID : 8205
       Other references : IAVA:2003-A-0011
       Nessus ID : 11808



the microsoft link leads to a scanner which should show, if a system is 
patched or not:
http://support.microsoft.com/kb/827363/EN-US/

--> result: system is patched

C:KB824146Scan.exe <hostname>
Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.
<+> Starting scan (timeout = 5000 ms)
Checking hostname
hostname: patched with both KB824146 (MS03-039) and KB823980 (MS03-0
<-> Scan completed
Statistics:
   Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
   Patched with only KB823980 (MS03-026) ............................ 0
   Unpatched ........................................................ 0
   TOTAL HOSTS SCANNED .............................................. 1

   DCOM Disabled .................................................... 0
   Needs Investigation .............................................. 0
   Connection refused ............................................... 0
   Host unreachable ................................................. 0
   Other Errors ..................................................... 0
   TOTAL HOSTS SKIPPED .............................................. 0
   TOTAL ADDRESSES SCANNED .......................................... 1


which tool is right?
is there a 3rd-party tool to test?
is nessus (2.2.9 ubuntu) state of the art?

thanks,
markus

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail dient ausschliesslich Informationszwecken. 
Rechtsgeschaeftliche Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden. 
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for 
exchange of legally-binding communications.
----------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault