Full Disclosure mailing list archives

Re: Nessus stores credentials in plain text

From: ~Kevin Davis³ <kevin.davis () mindless com>
Date: Sun, 28 Mar 2004 16:17:29 -0500

Q.  Does Nessus use username and password data and store it in plaintext
locally even after the client connections are long gone?

A. Yes.


If is not ok for vulnerability scanners like ISS and others to do this, why
is it ok for Nessus to do this?

----- Original Message ----- 
From: "Raymond Morsman" <raymond () dyn org>
To: "~Kevin Davis³" <computerguy () cfl rr com>
Cc: <full-disclosure () lists netsys com>
Sent: Sunday, March 28, 2004 4:27 PM
Subject: Re: [Full-disclosure] Nessus stores credentials in plain text

On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:

Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who were doing the same
thing and once realized it changed it.  I don't see how a plaintext

username

and
password is simply "system data" and not also credentials.  And guess

what?

Nessus itself has several plugins that check for plaintext passwords in
other applications.


Q: Does Nessus use this data for its own persona-check?
A: No, it uses it for client connections.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Nessus stores credentials in plain text ~Kevin Davis³ (Mar 26)
- Re: Nessus stores credentials in plain text Raymond Morsman (Mar 27)
  - Re: Nessus stores credentials in plain text ~Kevin Davis³ (Mar 27)
- <Possible follow-ups>
- Re: Nessus stores credentials in plain text ~Kevin Davis³ (Mar 27)
  - Re: Nessus stores credentials in plain text Raymond Morsman (Mar 28)
    - Re: Nessus stores credentials in plain text ~Kevin Davis³ (Mar 28)