Security Basics mailing list archives

Re: Finding Nessus False Positives


From: H Carvey <keydet89 () yahoo com>
Date: 8 Feb 2005 14:44:08 -0000

In-Reply-To: <20050207001634.71240.qmail () web31101 mail mud yahoo com>

I would like to know how experienced vulnerability
assessment analysts determine whether Nessus results are
false positives or not.
The way I ascertain whether a result is a false positive or
not is by crafting the same HTTP request to the
webserver.
The point where I struggle is how to craft the same
request. I mean, if Nessus says
"Nessus was able to find the authentication mechanism
behind an SMTP server as NTLM", how could I believe or
deduce this is true?
"or Nessus could actually upload a test file with PUT
and then delete the TEST file with DEL on the
webserver"

how can I determine these to be true?

First off, you're all over the map with your request...talking about HTTP URLs, SMTP authentication, etc.

Second, one of the first ways I would suggest in determining how the Nessus check is done is to use a regular text 
editor to open the particular plugin you're interested in.  If the plugin is HTTP-based and sends a URL, then 
you'll likely see the URL there.  

Another way to find out what Nessus is doing is to configure it to fire off only that particular plugin, and then run a 
sniffer while the plugin is being executed.  

Alternatively, many (though not all) of the plugins have documentation describing the check, so again, look in the 
plugin for any information.  At the very least, you may be able to get the author's email address, and contact them 
directly.

Finally, on the overall issue of false positives, you really need to look at how the plugin is written.  ISS's Internet 
Scanner, version 6.01 and prior, had an issue with the AutoAdminLogon Registry value.  According to MS documentation, 
the functionality of the key (and the password in plaintext in the Registry) was only enabled if the value was equal to 
1.  However, Internet Scanner would state that AutoAdminLogon was 'enabled', even if the value was 0.  

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
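An added illustration of the AutoAdminLogon point made in the reply above (this is example code written for this archive page, not code from the post, from Nessus or from Internet Scanner): it parses a constructed .reg export of the Winlogon key and compares a presence-only check with one that follows the documented semantics, where autologon is active only when the value equals 1. The key path is the real Winlogon location; the host names, user name and password in the samples are made up.

```python
import re

# Constructed sample data: the Winlogon key as exported by "reg export" (.reg format).
# host-a has AutoAdminLogon present but set to "0"; host-b has it set to "1".
SAMPLE_REG_EXPORTS = {
    "host-a": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="admin"
"DefaultPassword"="Winter2005"
''',
    "host-b": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="admin"
"DefaultPassword"="Winter2005"
''',
}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Matches "Name"="string" (REG_SZ) or "Name"=dword:00000001 (REG_DWORD) lines.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export (REG_SZ and REG_DWORD only).
    A real export file is UTF-16 with a BOM; decode it before passing the text in."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, sz, dword = m.groups()
            keys[current][name] = sz if dword is None else int(dword, 16)
    return keys

def naive_check(values):
    """Presence-only logic (the false-positive pattern): any AutoAdminLogon value is flagged."""
    return "AutoAdminLogon" in values

def documented_check(values):
    """Documented semantics: autologon is active only when AutoAdminLogon equals 1."""
    return str(values.get("AutoAdminLogon")).strip() == "1"

def triage(reg_text):
    """Summarise one host's Winlogon key: both checks plus whether a plaintext password is stored."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    return {"naive_enabled": naive_check(values),
            "enabled": documented_check(values),
            "plaintext_password_present": bool(values.get("DefaultPassword"))}
```

Running triage() over both samples shows host-a flagged only by the presence-only check, which is exactly the Internet Scanner behaviour described in the reply; the stored DefaultPassword is still worth reporting on its own.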

