Penetration Testing mailing list archives
nessus scan - epmap (135/tcp)
From: christopher.riley () r-it at
Date: Fri, 19 Dec 2008 09:42:07 +0100
As somebody has already pointed out, the version of Nessus is a little outdated (and not from the newer 3.x branch). That said, you have to understand the way in which a vulnerability scanner works to truly appreciate the problem.

Nessus (as well as other true vulnerability scanners) is prone to false positives due to the "passive" methods used to find vulnerable systems. I use the word passive here not to show that they don't send packets (although I think Tenable still offers their fully passive vuln scanner for this), but that they do not actively exploit the service. At least not if the vulnerability can be found through simple enumeration. Nessus will do just enough to enumerate the service/process/port in order to check for a known vulnerability. This is the main reason that vulnerability scanning and penetration testing are two separate things.

In this case, the vulnerable service needs patch number KB823980 (and possibly KB824146) installed. The best sure-fire way to check is a local tool that you can run on the (possibly) vulnerable box to check that the patch is listed as installed. You can use WMIC to output a full list:

    wmic qfe list full /format:htable > output.html

or you can search through for one specific patch using:

    wmic qfe list full | findstr "823980"

Chris John Riley

listbounce () securityfocus com@inet wrote on 18.12.2008 21:06:30:
hi list,

some nessus scans have the following result:

Vulnerability found on port epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.
There is at least one Worm which is currently exploiting this vulnerability. Namely, the MsBlaster worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808

the microsoft link leads to a scanner which should show, if a system is patched or not: http://support.microsoft.com/kb/827363/EN-US/ --> result: system is patched

C:\KB824146Scan.exe <hostname>
Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)
Checking hostname
hostname: patched with both KB824146 (MS03-039) and KB823980 (MS03-0
<-> Scan completed

Statistics:
Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
Patched with only KB823980 (MS03-026) ............................ 0
Unpatched ........................................................ 0
TOTAL HOSTS SCANNED .............................................. 1
DCOM Disabled .................................................... 0
Needs Investigation .............................................. 0
Connection refused ............................................... 0
Host unreachable ................................................. 0
Other Errors ..................................................... 0
TOTAL HOSTS SKIPPED .............................................. 0
TOTAL ADDRESSES SCANNED .......................................... 1

which tool is right? is there a 3rd-party tool to test? is nessus (2.2.9 ubuntu) state of the art?

thanks,
markus

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
----------------------------------------
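The local check Chris describes, worked through as an added example (this is not code from the thread or from Tenable or Microsoft). It takes the output of `wmic qfe list full /format:csv`, either run live on a Windows host or from a saved copy, extracts the HotFixID column and reports the two hotfixes the thread names (KB823980 for MS03-026, KB824146 for MS03-039) in the same buckets the KB824146 scanner prints. The sample WMIC output below is constructed, not captured from a real machine; the host name WS01 and the dates are invented. Two caveats a practitioner should keep in mind: a hotfix listed in the QFE inventory only proves the package was installed, not that the patched RPCSS binary is the one currently running (a pending reboot leaves the old image in memory, and a remote scanner is not wrong to flag that), and `wmic` is deprecated on current Windows releases, where `Get-HotFix` in PowerShell returns the same Win32_QuickFixEngineering data.

```python
"""Reconcile a remote scanner hit with the host's own hotfix inventory.

Reads `wmic qfe list full /format:csv` (live on Windows, or a saved or
constructed copy elsewhere) and reports which of the MS03-026/MS03-039
hotfixes are present, using the KB824146 scanner's result buckets.
"""
import csv
import subprocess
import sys

# Hotfix IDs named in the thread: KB823980 shipped with MS03-026, KB824146 with MS03-039.
REQUIRED_KBS = {"KB823980": "MS03-026", "KB824146": "MS03-039"}

# Constructed sample of `wmic qfe list full /format:csv` output (not from a real
# host). WMIC's CSV output starts with a blank line, then a header row whose
# first column is Node.
SAMPLE_QFE_CSV = """
Node,Caption,CSName,Description,FixComments,HotFixID,InstallDate,InstalledBy,InstalledOn,Name,ServicePackInEffect,Status
WS01,http://support.microsoft.com/?kbid=823980,WS01,Security Update,,KB823980,,Administrator,7/17/2003,,,
WS01,http://support.microsoft.com/?kbid=824146,WS01,Security Update,,KB824146,,Administrator,9/11/2003,,,
WS01,http://support.microsoft.com/?kbid=826939,WS01,Update,,KB826939,,Administrator,10/16/2003,,,
"""


def parse_qfe_csv(text):
    """Return the set of HotFixID values in WMIC CSV output, normalised to KBnnnnnn.

    Older Windows builds list some fixes with a Q prefix (e.g. Q823980); those
    are mapped onto the KB form so one lookup covers both spellings.
    """
    rows = [line for line in text.splitlines() if line.strip()]
    ids = set()
    for row in csv.DictReader(rows):
        hotfix = (row.get("HotFixID") or "").strip().upper()
        if hotfix.startswith("Q") and hotfix[1:].isdigit():
            hotfix = "KB" + hotfix[1:]
        if hotfix:
            ids.add(hotfix)
    return ids


def missing_kbs(installed, required=REQUIRED_KBS):
    """List the required hotfix IDs absent from the installed set, in REQUIRED_KBS order."""
    return [kb for kb in required if kb not in installed]


def classify(installed):
    """Report the same buckets the KB824146 scanner uses in the quoted post.

    A host with only KB824146 has no bucket in that scanner's statistics, so it
    is reported separately rather than silently counted as patched or unpatched.
    """
    if not missing_kbs(installed):
        return "patched with both KB824146 (MS03-039) and KB823980 (MS03-026)"
    if "KB823980" in installed:
        return "patched with only KB823980 (MS03-026)"
    if "KB824146" in installed:
        return "patched with only KB824146 (MS03-039) - needs investigation"
    return "unpatched"


def local_qfe_csv():
    """Run WMIC on this host (Windows only) and return its CSV output.

    WMIC sometimes emits odd line endings and encodings when redirected, hence
    errors="replace"; parse_qfe_csv drops the blank lines that result.
    """
    proc = subprocess.run(
        ["wmic", "qfe", "list", "full", "/format:csv"],
        capture_output=True, text=True, errors="replace", check=True,
    )
    return proc.stdout


def main():
    text = local_qfe_csv() if sys.platform == "win32" else SAMPLE_QFE_CSV
    installed = parse_qfe_csv(text)
    for kb, bulletin in REQUIRED_KBS.items():
        print(f"{kb} ({bulletin}): {'installed' if kb in installed else 'MISSING'}")
    print("result:", classify(installed))


if __name__ == "__main__":
    main()
```

Run on the host itself (as Chris suggests) rather than from the scanner: on Windows it queries WMIC live, elsewhere it falls back to the constructed sample so the parsing and classification can be exercised offline. To check a saved `wmic` dump from another machine, pass its contents to `parse_qfe_csv` instead.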
Current thread:
- nessus scan - epmap (135/tcp) m sesser (Dec 18)
- Re: nessus scan - epmap (135/tcp) Chris Griffin (Dec 18)
- Re: nessus scan - epmap (135/tcp) Volker Tanger (Dec 18)
- Re: nessus scan - epmap (135/tcp) m sesser (Dec 19)
- Re: nessus scan - epmap (135/tcp) Ron (Dec 19)
- Re: nessus scan - epmap (135/tcp) security curmudgeon (Dec 19)
- <Possible follow-ups>
- nessus scan - epmap (135/tcp) christopher . riley (Dec 19)