Hi,

Please note I'm new to both this list and to writing Nessus plugins, so bear with me :)

I've tried the msrpc_dcom.nasl plugin (11808), but it does not appear to work for me. It detects both patched and unpatched W2k systems as vulnerable. It is actually not entirely clear to me whether this plugin was designed to test W2k systems, as the comment states "Now works for NT4 -- Now works for Win 95/98/ME", but of course this comment doesn't rule it out either. Does anyone have other experiences with this plugin?

Lately, I've been trying to build a script to detect the MS RPC vulnerability on NT, W2k and XP systems. This script should be able to test this without actually DoSing the service or having registry access. To this end, I have analysed the (non-intrusive) tools released by Microsoft, Eeye and Xforce. As these tools are (to my knowledge) binary releases only, I resorted to analysing the network traffic they generated.

Especially with the tools from Microsoft and Eeye, I have found it hard to discover how exactly they detect a vulnerable system. There appear to be no significant differences between the network traffic with a vulnerable and that with a patched system, except what could be expected (IPs, checksums) and a value added to the 'Bind_ack' packet called "Assoc Group". However, this latter value appears to increment every time a 'Bind_ack' is sent, and therefore does not seem to be of much use.

I have however found something interesting in the Xforce tool, which claims to test a host in two separate ways. The Xforce tool sends six "RemoteActivation Requests" to the target system and receives six "RemoteActivation Replies" in return. The delay between a request and a reply appears not to be constant, and after some testing I have found this is not (only) caused by network traffic or CPU load. It appears that on a patched system, there is actually a very regular and distinct pattern in the replies.

Example (patched system):

  Delay 1: 0.002550 seconds
  Delay 2: 0.000305
  Delay 3: 0.002438
  Delay 4: 0.000301
  Delay 5: 0.002458
  Delay 6: 0.000307

On an unpatched system, the pattern is 'always' much more irregular:

  Delay 1: 0.002298 seconds
  Delay 2: 0.000687
  Delay 3: 0.002254
  Delay 4: 0.002833
  Delay 5: 0.005187
  Delay 6: 0.000663

Of course 'always' is not the right term, as I've only been able to test W2k systems. I have in all performed 16 tests on 4 different systems. More tests would be required.

I was wondering if this difference could be a good basis for a Nessus plugin. Of course, it is always hard to perform accurate timing analysis on a network, but I think that by analysing the difference in timing of a number of replies, you gain some accuracy. If the network or system is slow, all replies will take longer, but the difference between them will remain the same.

So, my question is, do you guys think I'm on the right path? Has anyone else noticed the timing differences? Or does anyone perhaps know of another way to detect vulnerable systems in a non-intrusive way, w/o registry access? And, is it feasible to write a plugin that tests this?

Any feedback would be greatly appreciated,

Abe
ITsec Security Services
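The post proposes comparing the six reply delays to each other rather than looking at their absolute values, so that a slow network or host shifts every delay without changing the pattern. The following is an added example (not code from the post, the Xforce tool, or the Nessus plugin) of how that comparison could be scored once the delays have already been measured by some other means. It treats the replies as two interleaved phases (odd and even positions, matching the slow/fast alternation the post reports on patched hosts) and reports the spread within each phase relative to the gap between the phases. The two sample series are the numbers quoted in the post, re-entered as constants; the threshold and the two-phase model are assumptions, and whether this actually separates patched from unpatched hosts is exactly the open question the post raises, not something the example establishes.

```python
"""Relative-timing score for a short series of RPC reply delays.

Added illustration of the comparison idea in the post. It does no network
I/O: the caller supplies the measured request/reply delays in seconds.
"""
from statistics import mean, pstdev

# Constructed from the delays quoted in the post (seconds).
PATCHED_SAMPLE = [0.002550, 0.000305, 0.002438, 0.000301, 0.002458, 0.000307]
UNPATCHED_SAMPLE = [0.002298, 0.000687, 0.002254, 0.002833, 0.005187, 0.000663]

# Assumed cut-off: scores well below it mean a clean alternating pattern.
# Chosen from the two samples above only; a real plugin would need many
# more measurements across NT/W2k/XP before trusting any fixed number.
REGULAR_THRESHOLD = 0.15


def alternation_score(delays):
    """Score how irregular a delay series is under a slow/fast alternation model.

    The series is split into odd-position and even-position replies. The
    result is the larger within-phase standard deviation divided by the
    distance between the two phase means. A small value means each phase is
    tightly clustered and well separated from the other (the 'regular'
    pattern the post describes); a value near or above 1 means the phases
    overlap and no clean alternation exists.

    Adding a constant latency to every delay leaves the score unchanged
    (both spread and gap are differences of delays), and scaling every
    delay by a constant leaves it unchanged too, which is the property the
    post is after: a slow host or link should not by itself change the
    verdict.
    """
    if len(delays) < 4:
        raise ValueError("need at least four delays (two per phase)")
    odd_phase = delays[0::2]   # replies 1, 3, 5, ...
    even_phase = delays[1::2]  # replies 2, 4, 6, ...
    gap = abs(mean(odd_phase) - mean(even_phase))
    spread = max(pstdev(odd_phase), pstdev(even_phase))
    if gap == 0.0:
        # Phases are indistinguishable: treat as maximally irregular rather
        # than dividing by zero.
        return float("inf")
    return spread / gap


def looks_regular(delays, threshold=REGULAR_THRESHOLD):
    """True if the series shows the clean alternating pattern."""
    return alternation_score(delays) < threshold


def shifted(delays, extra_latency):
    """Model a slower link: the same series with a constant added to each delay."""
    return [d + extra_latency for d in delays]


if __name__ == "__main__":
    for label, sample in (("patched", PATCHED_SAMPLE), ("unpatched", UNPATCHED_SAMPLE)):
        print(f"{label:10s} score={alternation_score(sample):.3f} "
              f"regular={looks_regular(sample)}")
    # Same verdicts after adding 10 ms of network latency to every reply.
    print("patched +10ms  score=%.3f" % alternation_score(shifted(PATCHED_SAMPLE, 0.010)))
```

Running the block prints a score of roughly 0.02 for the patched sample and roughly 0.74 for the unpatched one, and the same scores again after the 10 ms shift. The score is deliberately dimensionless so that it does not depend on the absolute round-trip time; what it cannot correct for is jitter that is itself larger than the gap between the two phases, which is why a plugin built on this would want more than six samples and a test for a stable gap before deciding anything.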
This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 04:15:45 PDT