Chandra,

Summarising my response to what you asked/stated yesterday on IRC (you'd already logged off for the day).

The payload I submitted to you guys for MS08-067 is not the same as the one used by nmap for ms08-067; nmap actually uses a different payload developed later by one of my colleagues which is available from http://labs.portcullis.co.uk/. Moreover, neither are the same as the payload nmap uses for the Conficker check, since this validates whether Conficker's own custom patch for MS08-067 has been applied. Conficker's patch behaves differently from Microsoft's. The Conficker NASL I sent round generates the nmap payload to test for Conficker but I was troubled by a) SMB authentication problems and b) as I note below I haven't had a chance to run it against a compromised system.

We may be able to use my first payload to detect Conficker but for that... I/we need to run it against a Conficker infected box so that we see how it responds... I will ask around but as I have some good contacts in the AV / malware community. Indeed, we probably need to do that anyway so we can see how the SMB functions in openvas decode the response - smb_rev() in particular.

Cheers,
Tim

--
Tim Brown
<mailto:[email protected]>
<http://www.nth-dimension.org.uk/>
