Nmap Development mailing list archives

How to use Nmap to scan very large networks for Conficker
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 30 Mar 2009 20:51:35 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fellow security folks,

*** For those in a hurry, scroll down to how to get the latest release and
the recommended command ***

Given that this is many people's first time trying to use Nmap to scan
many thousands of hosts at the same time I figure I should share how
I've been doing it.

Nmap can easily handle scanning a million+ IPs but it isn't tuned to do
so by default.  Seemingly minor options can have a big impact on time
in huge scans.

*** How to get the latest release: ***

You will need the absolute latest release of Nmap (4.85BETA5) which you
can get from:

http://nmap.org/download.html

*** For those in a hurry, here is the command I recommend using: ***

sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
 -d -PN -n -T4  --min-hostgroup 256 --min-parallelism 64 \
 -oA conficker_scan <your network(s) here>

*** Interpreting results ***

Each host that is checked will have a line about Conficker in the "Host
script results" section.  If you are going to be scanning a very large
network you should use XML output.  I have written a perl script (needs
XML::Simple) to parse and report on your Conficker/MS08-067 scan
results available here:

http://noh.ucsd.edu/~bmenrigh/nxml_conficker.pl


Nmap can take CIDR targets so 123.234.0.0/16 is perfectly fine for your
network.  You could also do something like 123.234.2-254.2-254  If you
have more than one netblock you can separate them with a space like
123.234.0.0/16 32.64.128.0/24

If you want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio.  I
wouldn't recommend more than 4096/1024.  You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.

There are three options in the above command to help cut down on the
amount of work Nmap has to do per host: -n, -p445, and -PN.

* -n turns off reverse name resolution which will be nice on your
nameservers.

* -PN in conjunction with -p445 skips the host up/down detection and
goes straight into scanning port 445.  This both increases accuracy and
reduces the per-host work done.  The ping process is pretty fast but is
still slower than just checking a single port.  Hosts that have a
firewall but exceptions for Windows file sharing would not be caught
without -PN.

It is important to note that scanning for Conficker has the small
chance of crashing an unpatched host.  Patched and infected hosts won't
be crashed though.  Note that if Conficker scans unpatched hosts they
are even more likely to crash than with this check so the benefits
probably outweigh the drawbacks.

If you have questions about this script/using Nmap drop a note to
nmap-dev () insecure org 

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)

iEYEARECAAYFAknRMN4ACgkQqaGPzAsl94JrxwCfZTEEfNPxIOYjTsqojgs5+0V1
GzAAoLHX6kDfuPa4wB4UFY1jB7CLYThx
=RtSp
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
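Worked example of the "Interpreting results" step, added to this archive page; it is not Brandon's nxml_conficker.pl and not Nmap project code. It parses the XML that -oA conficker_scan writes (conficker_scan.xml) with Python's standard library instead of Perl/XML::Simple, and reports which hosts the smb-check-vulns host script flagged. Assumptions: the 4.85BETA-era XML layout, where each host carries a single <script id="smb-check-vulns" output="..."/> element under <hostscript> with the human-readable "MS08-067: ..." and "Conficker: ..." lines in the output attribute; the exact status strings in the embedded sample (VULNERABLE, NOT VULNERABLE, Likely INFECTED, Likely CLEAN, NOT RUN ...) approximate what the script prints and are constructed here, so the classifier matches on keywords rather than exact text. The sample document and its 192.0.2.x addresses are constructed, so the script runs offline; pass a real conficker_scan.xml as the first argument to use it on your own results.

```python
"""Report Conficker / MS08-067 findings from Nmap XML (-oX / -oA) output.

Added example, not the nxml_conficker.pl script from the message above.
Assumes the 4.85BETA-era XML layout: hostscript/script[@id='smb-check-vulns']
with the readable status lines in the 'output' attribute.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a four-host sweep (newlines in the attribute are
# written as &#xa;, which is how Nmap encodes them; ElementTree decodes them).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.85BETA5"
 args="nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -PN -n -T4 -oA conficker_scan 192.0.2.0/29">
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely INFECTED&#xa;  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)&#xa;"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.13" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;"/></hostscript>
</host>
</nmaprun>
"""


def classify(status):
    """Map the text after 'MS08-067:' or 'Conficker:' to a short verdict.

    Keyword matching, because the exact wording is an assumption here.
    'NOT VULNERABLE' is tested before 'VULNERABLE', which it contains.
    """
    s = status.upper()
    if "NOT VULNERABLE" in s or "CLEAN" in s:
        return "clean"
    if "VULNERABLE" in s or "INFECTED" in s:
        return "bad"
    if "NOT RUN" in s or "DISABLED" in s:
        return "skipped"
    return "unknown"


def parse_host(host):
    """Extract IP, port 445 state and the two script verdicts for one <host>."""
    addr = host.find("address[@addrtype='ipv4']")
    port = host.find("ports/port[@portid='445']")
    rec = {
        "ip": addr.get("addr") if addr is not None else "?",
        "port445": port.find("state").get("state") if port is not None else "absent",
        "ms08_067": "not checked",   # stays so when the script never ran
        "conficker": "not checked",  # (port closed/filtered, non-SMB host)
    }
    script = host.find("hostscript/script[@id='smb-check-vulns']")
    if script is not None:
        for line in script.get("output", "").splitlines():
            key, sep, value = line.strip().partition(":")
            if not sep:
                continue
            key = key.strip().lower()
            if key == "ms08-067":
                rec["ms08_067"] = classify(value)
            elif key == "conficker":
                rec["conficker"] = classify(value)
    return rec


def parse_scan(xml_text):
    """Return one record per <host> in an Nmap XML document."""
    return [parse_host(h) for h in ET.fromstring(xml_text).findall("host")]


def summarize(records):
    """Counts a responder would want first: infected, unpatched, unverified."""
    return {
        "hosts": len(records),
        "infected": sum(r["conficker"] == "bad" for r in records),
        "unpatched": sum(r["ms08_067"] == "bad" for r in records),
        "not_checked": sum(r["conficker"] == "not checked" for r in records),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    recs = parse_scan(text)
    for r in recs:
        if r["conficker"] == "bad" or r["ms08_067"] == "bad":
            print("%-15s 445/%s MS08-067=%s Conficker=%s"
                  % (r["ip"], r["port445"], r["ms08_067"], r["conficker"]))
    print(summarize(recs))
```

Hosts whose port 445 was filtered show up as "not checked" rather than silently disappearing; on a large sweep that count is the list of machines you still know nothing about, which is worth tracking separately from the clean ones.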