Could you do a network capture (tcpdump, ethereal) of the following
cases and send me the result?
- Nessus scan for ms05-039 (just scan for this plugin) - pcap
  between nessus daemon and vulnerable host
- Metasploit attack for ms05-039 - pcap between metasploit and
  vulnerable host
Thanks,
Nicolas
PS: do the scan for a host where results are different from Nessus
and Metasploit.
On Sep 20, 2005, at 12:52 PM, [EMAIL PROTECTED] wrote:
Plugin ID 19408 "Vulnerability in Plug and Play Service Could Allow
Remote Code Execution (899588) - Network Check" does not seem to be
accurate. We have a list of machines that Nessus is saying are
vulnerable. We then scanned these with Retina's UMPNP scanner:
http://www.eeye.com/html/resources/downloads/audits/index.html and 2 out
of the 5 machines Nessus is saying are vulnerable, Retina says they are
not. I then used Metasploit's MS05-039 plugin and it is showing the same
results as Retina. I was able to check and exploit the 3 that Retina and
Nessus say are vulnerable, but not the 2 just Nessus is showing as
vulnerable.
Here is the version of Nessus we are running:
[EMAIL PROTECTED] ~]# nessusd -v
nessusd (Nessus) 2.2.5 for Linux
(C) 1998 - 2004 Renaud Deraison <[EMAIL PROTECTED]>
Regards,
*****************************
Jason Drury
Security/Data Team
*****************************
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus