Nessus + Metasploit varying results

[promark]

Hi

I don't think this question will have a definitive answer but wanted to see what the experts thought

I have Win Server 2003 R2 SP2 installed in a VM I ran vulnerability scan on it with Nessus and imported the results into Metasploit and ran a db_autopwn and got 3 meterpreter sessions, I think from memory all 3 were from the ms08_067_netapi exploit, now this was few days ago

I ran the same scan with the same profile with nessus yesterday and imported and ran autopwn again and got no sessions.

The only change to Server 2003 in the VM was I changed the IP address nothing else at all also no updates to Metasploit or nessus

now I am guessing nessus got differing results from the scan for whatever reason and due to that MS couldn't exploit

Any thoughts out there

Thanks
Mark

[scottm99]

Well, I'm no expert, but here's my thoughts. Start up msfconsole, run db_hosts, and see what your victim IP address is. It's probably showing the old IP address.

[promark]

I emptied the database before importing the 2nd nessus scan results, but thanks for the reply

I am going to try it again a bit later and see what happens

[promark]

OK bit of an update ran a new nessus scan, imported and ran autopwn twice and got 2 sessions and then 3, re imported the scan from last night and ran autopwn and got 2 sessions and then 3

So guess the msf can be 'flaky' at times and the moral of the story is if at first you get no sessions run again and you probably will

[scottm99]

I've found the framework pretty stable, but I haven't really pushed it either. Do you reboot your victim machine in between exploit attempts? Many of the things the MSF does can leave a box in an unstable condition. Combine that with running the framework and/or victim in a virtual machine, and I'm not surprised you get different results on each try.

[promark]

I've found the framework pretty stable, but I haven't really pushed it either. Do you reboot your victim machine in between exploit attempts? Many of the things the MSF does can leave a box in an unstable condition. Combine that with running the framework and/or victim in a virtual machine, and I'm not surprised you get different results on each try.

Me too to be honest, no I don't reboot between attempts, if msf leaves a machine in need of a reboot is not a good tool for pen testing, to be honest I don't think it is msf more likely the vm or to be precise the software ethernet connection, I am using virtualbox maybe I should try vmware

Anyway thanks for the input scott, peace

[scottm99]

You're welcome I haven't used virtualbox, but always had good luck with vmware products when it comes to virtual machines. Personally, I think any exploit attempt (successful or not, regardless of tool used) has a chance at fouling up a box; because you're doing weird things with memory, ports, packets, etc. So I don't think it's a problem with MSF, just the nature of hacking.