If anyones interested ... There is a nessus plugin that will identify hosts that are vulnerable but not yet infected (a tcpdump port 135 will show you that). the plugin is here http://cgi.nessus.org/plugins/dump.php3?id=11808 you can get it by running nessus-update-plugins the plugin itself is msrpc_dcom.nasl You can run it via nessus or from the command line thusly: 'nasl -t 192.168.2.3 msrpc_dcom.nasl' if the machine is vulnerable you'll get 'success', this method may be more usefull if you wish to script it or combine with something other than nmap for the port 135 scanning. I believe ISS and e-eye scanners for windows will find it aswell (ISS will run ok under wine apparently). -- Donovan Jones Network Engineer Comnet Networks +64-4-569 0060 http://www.comnet.co.nz