RE: Nmap 4.85BETA5: Now with Conficker detection!
From: Craig Humphrey <Craig.Humphrey () chapmantripp com>
Date: Tue, 31 Mar 2009 15:01:51 +1300
Awesome for getting this out so quick!
Just wanting to clarify the output from nmap when scanning for Conficker.
When it says: "MS08-067: NOT RUN"
Does that mean the scan/probe hasn't been run, or the patch hasn't been applied?
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Fyodor
Sent: Tuesday, March 31, 2009 9:03 AM
To: nmap-dev () insecure org
Subject: Nmap 4.85BETA5: Now with Conficker detection!
Hi All! We found out just yesterday about new research by Tillmann
Werner and Felix Leder of a way to anonymously scan for Conficker worm
infections! Ron sprang into action and added the detection to the
smb-check-vulns NSE script! I even had to infect one of my own
systems for Ron to test with. David and Brandon helped too. And now
we're happy to release Nmap 4.85BETA5, which includes the Conficker
You can find it on the download page:
Here is an example command for detecting Conficker:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
It is worth scanning soon, since Conficker nodes are set to be updated
with new instructions on Wednesday if they aren't cleaned by then!
Note that I've removed 4.76 from the D/L page as I think 4.85BETA5 is
the way to go in general.
Test this out soon, if you can, and send your results to nmap-dev, as
this release is sure to get a lot of attention and interest :).
Here are the changes since 4.85BETA4 a couple weeks ago:
o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org