RE: MS05-039 Scanner

From: Beauford, Jason (jbeauford_at_EightInOnePet.com)
Date: 08/18/05

    Date: Thu, 18 Aug 2005 16:14:38 -0400
    To: "fatb" <fatb@security.zz.ha.cn>, "Marc Maiffret" <mmaiffret@eeye.com>
    
    

    Why not make that scanner public?

    Hook us up.

    JMB

    -----Original Message-----
    From: fatb [mailto:fatb@security.zz.ha.cn]
    Sent: Thursday, August 18, 2005 11:47 AM
    To: Marc Maiffret
    Cc: pen-test@securityfocus.com
    Subject: Re: MS05-039 Scanner

    I could not understand why the 05039 scanner is as large as 3M.
    My friends have written a 05039 scanner which is 20k in size .....

    ----- Original Message -----
    From: "Marc Maiffret" <mmaiffret@eeye.com>
    To: <jeff@jeffbryner.com>; <michael_black@comcast.net>;
    <pen-test@securityfocus.com>
    Sent: Wednesday, August 17, 2005 10:18 AM
    Subject: RE: MS05-039 Scanner

    A quick side note not to confuse MBSA or Shavlik with how Retina or
    others do it. Retina is able to detect the patch as missing, as Shavlik
    and MBSA do, (registry/file, which requires admin creds) but we also are
    able to remotely identify a vulnerable system without requiring
    authenticated credentials. That obviously makes it easier to find
    vulnerable systems on a Class B network because really who has
    credentials for a whole Class B and even if you miraculously did then
    what about all the systems you don't know about that are unmanaged and
    you definitely don't have access to. This is just one reason why stuff
    like MBSA is great for very small shops but is really unreasonable for
    any real network. Shavlik and others obviously are really meant more for
    patching, which means systems you know, so while it's a deficiency that
    they can't truly give you a view of vulnerability within your Class B
    network it's a limitation that is probably something they are not
    meaning to address in the first place, again because they do patch
    management instead of vulnerability management.

    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Blink - End-Point Vulnerability Prevention
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

    Important Notice: This email is confidential, may be legally privileged,
    and is for the intended recipient only. Access, disclosure, copying,
    distribution, or reliance on any of it by anyone else is prohibited and
    may be a criminal offense. Please delete if obtained in error and email
    confirmation to the sender.
    -----Original Message-----
    From: Jeff Bryner [mailto:jbryner1@yahoo.com]
    Sent: Tuesday, August 16, 2005 9:29 AM
    To: michael_black@comcast.net; pen-test@securityfocus.com
    Subject: Re: MS05-039 Scanner

    > Does anyone know of any available scanners for this vulnerability? I
    > know Tenable has a plugin for Nessus and eEye has a free one for up

    I dunno if you've solved this or not, but the Tenable ones are usually
    just templates that look for different hotfixes.

    The source for this particular one is on their website at:

    http://www.nessus.org/plugins/index.php?view=viewsrc&id=19402

    and you can see what it looks for.

    Assuming you have admin access to this class B network you could use the
    Nessus plugin, or script something to mount the admin share and look for
    the hotfix.

    Alternatively http://hfnetchk.shavlik.com/ can also check for hotfixes
    remotely again assuming you have admin access.

    Jeff.

    ------------------------------------------------------------------------------
    FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

    Learn the hacker's secrets that compromise wireless LANs. Secure your
    WLAN by understanding these threats, available hacking tools and proven
    countermeasures. Defend your WLAN against man-in-the-Middle attacks and
    session hijacking, denial-of-service, rogue access points, identity
    thefts and MAC spoofing. Request your complimentary white paper at:

    http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
    -------------------------------------------------------------------------------


