Nmap Development: Re: article about Conficker says nmap can be used to discover it

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Nmap Development mailing list archives

Re: article about Conficker says nmap can be used to discover it

From: venkat sanaka <venkatsanaka () gmail com>
Date: Tue, 31 Mar 2009 01:22:14 +0530

These are the test results when i run it in my windows system

./nmap -p 445 -d --script smb-check-vulns --script-args safe=1 10.3.12.1-254

Host 10.3.12.209 appears to be up ... good.

Scanned at 2009-03-31 01:10:03 India Standard Time for 1s

Interesting ports on 10.3.12.209:

PORT    STATE    SERVICE      REASON

445/tcp filtered microsoft-ds no-response

MAC Address: 00:19:B9:7F:42:D8 (Dell)

Final times for host: srtt: 0 rttvar: 5000  to: 100000


Host 10.3.12.223 appears to be up ... good.

Scanned at 2009-03-31 01:10:03 India Standard Time for 9s

Interesting ports on 10.3.12.223:

PORT    STATE SERVICE      REASON

445/tcp open  microsoft-ds syn-ack

MAC Address: 00:16:D3:10:FA:8D (Wistron)

Host script results:

|  smb-check-vulns:

|  MS08-067: NOT RUN

|  Conficker: ERROR: Unexpected error: SMB: Failed to receive bytes: ERROR

|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Final times for host: srtt: 0 rttvar: 3750  to: 100000


On Tue, Mar 31, 2009 at 12:45 AM, Corey Chandler <lists () sequestered net>wrote:

Fyodor wrote:


http://www.skullsecurity.org/blog/?p=209

If anyone is able to test this, please do report your results!  As
we've been pretty rushed since we just found out about the technique
yesterday.

Ran it across our desktop network here.

bash-3.2# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d
10.10.1.0/24 |grep Conficker

|  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: Likely CLEAN
|  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
|  Conficker: Likely CLEAN

I assume the NT_STATUS_OBJECT_NAME_NOT_FOUND implies it's not an actual
Windows box?  We do have some Ubuntu / Mac users here...

--
Corey Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: Me no internet, only janitor, me just wax floors



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

By Date By Thread

Current thread:

Re: article about Conficker says nmap can be used to discover it, (continued)
- Re: article about Conficker says nmap can be used to discover it Michael Pattrick (Mar 30)
- Re: article about Conficker says nmap can be used to discover it Fyodor (Mar 30)
  - Re: article about Conficker says nmap can be used to discover it Corey Chandler (Mar 30)
    - Re: article about Conficker says nmap can be used to discover it Ron (Mar 30)
    - Re: article about Conficker says nmap can be used to discover it Jay Fink (Mar 30)
    - Re: article about Conficker says nmap can be used to discover it venkat sanaka (Mar 30)