Re: Nessus question

From: Thor (thor@hammerofgod.com)
Date: Mon Oct 25 2004 - 18:50:42 EDT


This doesn't solve your Nessus issue, but it may help you (or others) in the
right environment. I wrote a couple of utils a long time ago that approach
Terminal Services detection a bit differently than your standard "check for
3389."

"ProbeTS" will detect terminal services running on any system that you can
hit with RPC, as long as you have authenticated access to it, regardless of
what port TS is running on. This is helpful when trying to find "rogue" TS
boxes where the listen port has been changed. The authenticated RPC
requirement typically limits use of this tool to in-house testing, but I
have not found another tool that does the same thing. Oh, and the C-Class
scan feature is very slow, as I never figured out how to set a time-out when
attempting to grab a TS handle. I haven't messed with it in a while, but it
detects Win2k, Win2k3, as well as XP boxes running RD.

"TSEnum" is also port independent, but it only works with Win2k boxes, or
Win2k3 boxes with true "Terminal Services" loaded (not just Remote Desktop--
it won't find those.) TSEnum queries the master browser and asks for a list
of all systems it knows about, along with the system role. If the system is
running Terminal Services, it will tell you. And actually, it will tell you
everything else too-- SQL Servers, DC's, Workstations, etc. This is quite
fast, and can give you a great list of all systems on a network and their
role. I've had some problems with it regarding authentication (sometimes
I've been able to use a null session, sometimes I've had to be logged on.)

These are available in the download section of HammerOfGod for those
interested. Note that I have not messed with these in a long time, so I
prob won't be able to provide much help ;)

T
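The thread turns on detecting Terminal Services without trusting the port number: Dan's scanner misses a listener on 3389, and Thor's ProbeTS finds TS wherever it listens. A port-independent check that needs no Windows credentials is to speak the first step of the RDP protocol itself (the X.224 Connection Request/Confirm from MS-RDPBCGR) and classify the answer. The script below is an added example, not code from either poster or from HammerOfGod; the sample replies are constructed, and a Windows 2000 era server that confirms without any negotiation data is handled as its own case.

```python
import socket
import struct

# Constants from MS-RDPBCGR 2.2.1.1 / 2.2.1.2 (X.224 Connection Request / Confirm)
X224_CONNECTION_CONFIRM = 0xD0
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
PROTOCOL_NAMES = {0: "standard RDP security", 1: "TLS", 2: "CredSSP/NLA", 4: "RDSTLS"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested_protocols=0x3):
    """TPKT + X.224 CR TPDU + RDP_NEG_REQ offering TLS (bit 0) and CredSSP (bit 1)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req  # CR code, dst-ref, src-ref, class 0
    tpdu = bytes([len(x224)]) + x224               # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu  # TPKT: version 3, reserved, total length

def parse_connection_confirm(data):
    """Classify one reply; None means the bytes are not an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        return None
    if data[4] != len(data) - 5 or data[5] & 0xF0 != X224_CONNECTION_CONFIRM:
        return None
    user_data = data[11:]
    if not user_data:  # pre-negotiation servers (Windows 2000 style TS) confirm with no RDP_NEG_RSP
        return {"rdp": True, "negotiation": None, "protocol": PROTOCOL_NAMES[0]}
    if len(user_data) < 8:
        return None
    kind, _flags, length, value = struct.unpack("<BBHI", user_data[:8])
    if length != 8:
        return None
    if kind == TYPE_RDP_NEG_RSP:
        return {"rdp": True, "negotiation": "accepted", "protocol": PROTOCOL_NAMES.get(value, hex(value))}
    if kind == TYPE_RDP_NEG_FAILURE:
        return {"rdp": True, "negotiation": "refused", "reason": FAILURE_NAMES.get(value, hex(value))}
    return None

def probe_rdp(host, port, timeout=3.0):
    """Send one Connection Request to host:port; the timeout bounds the wait on a silent port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))

# Constructed sample replies (not captured from any real host) for offline checking
SAMPLE_NEG_RSP = bytes.fromhex("030000130ed000001234000200080002000000")  # server chose CredSSP
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                  # bare CC, no negotiation
SAMPLE_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")  # HYBRID_REQUIRED_BY_SERVER

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], (int(sys.argv[2]) if len(sys.argv) > 2 else 3389)
    print(probe_rdp(host, port))
```

Run it against a host you are responsible for with the port you expect TS on; a None result on an open port means something other than RDP answered, which is exactly the discrepancy worth reconciling against the scanner's service table.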

----- Original Message -----
From: "Dan Tesch" <dan.tesch@comcast.net>
To: "Pen Test" <pen-test@securityfocus.com>
Sent: Thursday, October 21, 2004 10:29 AM
Subject: Nessus question

> I have been running some scans on a net that has several boxes running
> MS TermServ - I can connect to them and I know 3389 is open but Nessus
> isn't seeing it - When I look in the Configure services it shows 3389
> listed.
>
> Anyone seen this? Where else can I look in Nessus settings?
>
> Thanks
>
> ------------------------------------------------------------------------------
> Internet Security Systems. - Keeping You Ahead of the Threat
>
> When business losses are measured in seconds, Internet threats must be
> stopped before they impact your network. To learn how Internet Security
> Systems keeps organizations ahead of the threat with preemptive intrusion
> prevention, download the new whitepaper, Defining the Rules of Preemptive
> Protection, and end your reliance on reactive security technology.
> http://www.securityfocus.com/sponsor/ISS_pen-test_041001
> -------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:07 EDT