Sorry, I wasn't clear, this is run from nessusd using nessus --config-file=configs/rpcdcom.nessusrc --output-type=nsr --batch-mode 127.0.0.1 1241 user password targets/range results/range
and rpcdcom.nessusrc contains the following things set to yes here:~ $ grep -i yes configs/rpcdcom.nessusrc 10180 = yes log_whole_attack = yes report_killed_plugins = yes optimize_test = yes safe_checks = yes auto_enable_dependencies = yes ping_hosts = yes 10150 = yes 10785 = yes 11808 = yes 11835 = yes Misc information on News server[checkbox]:Local distribution = yes Ping the remote host[checkbox]:Do a TCP ping = yes Ping the remote host[checkbox]:Log live hosts in the report = yes SMB Scope[checkbox]:Request information about the domain = yes Services[checkbox]:Quick SOCKS proxy checking = yes Nmap[checkbox]:Ping the remote host = yes Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes Login configurations[checkbox]:Never send SMB credentials in clear text = yes nessusd.messages says (for one of the hosts) [Fri Sep 19 10:21:23 2003][16078] user nessus : testing x.x.x.x (x.x.x.x) [16241] [Fri Sep 19 10:21:23 2003][16241] user nessus : launching ping_host.nasl against x.x.x.x [16246] [Fri Sep 19 10:21:24 2003][16241] user nessus : launching find_service.nes against x.x.x.x [16325] [Fri Sep 19 10:21:24 2003][16241] user nessus : launching msrpc_dcom2.nasl against x.x.x.x [16329] [Fri Sep 19 10:21:48 2003][16241] user nessus : launching cifs445.nasl against x.x.x.x [16696] [Fri Sep 19 10:21:48 2003][16241] user nessus : launching msrpc_dcom.nasl against x.x.x.x [16697] [Fri Sep 19 10:22:02 2003][16241] user nessus : launching netbios_name_get.nasl against x.x.x.x [16907] [Fri Sep 19 10:22:05 2003][16241] user nessus : launching smb_nativelanman.nasl against x.x.x.x [16934] [Fri Sep 19 10:22:08 2003][16241] Finished testing x.x.x.x. Time : 44.91 secs -----Original Message----- From: Renaud Deraison [mailto:[EMAIL PROTECTED] Sent: 19 September 2003 13:46 To: [EMAIL PROTECTED] Subject: Re: msrpc_dcom2.nasl false positive anyone ? On Fri, Sep 19, 2003 at 01:24:49PM +0100, Hemsley, Trevor wrote: > I am still seeing some weirdness that doesn't make sense. I have machines that are > telling me that they're vulnerable to MS03-026 but not to MS03-039 and I do not > think that this is possible. I'm running msrpc_dcom2.nasl v1.22 and msrpc_dcom.nasl > v1.10. Err - this is expected. If you run msrpc_dcom.nasl in command-line mode, it will produce false positives against systems patched with MS03-039. The solution is to run the scripts from within nessusd, which handles the plugin cooperation nicely and will avoid such false positives.
