Nmap Development mailing list archives

RE: Nmap 4.85BETA5: Now with Conficker detection!
From: Craig Humphrey <Craig.Humphrey () chapmantripp com>
Date: Tue, 31 Mar 2009 15:01:51 +1300

Hi Guys,

Awesome for getting this out so quick!

Just wanting to clarify the output from nmap when scanning for Conficker.
When it says: "MS08-067: NOT RUN"
Does that mean the scan/probe hasn't been run, or the patch hasn't been applied?


-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Fyodor
Sent: Tuesday, March 31, 2009 9:03 AM
To: nmap-dev () insecure org
Subject: Nmap 4.85BETA5: Now with Conficker detection!

Hi All!  We found out just yesterday about new research by Tillmann
Werner and Felix Leder of a way to anonymously scan for Conficker worm
infections!  Ron sprang into action and added the detection to the
smb-check-vulns NSE script!  I even had to infect one of my own
systems for Ron to test with.  David and Brandon helped too.  And now
we're happy to release Nmap 4.85BETA5, which includes the Conficker

You can find it on the download page:


Here is an example command for detecting Conficker:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

It is worth scanning soon, since Conficker nodes are set to be updated
with new instructions on Wednesday if they aren't cleaned by then!

Note that I've removed 4.76 from the D/L page as I think 4.85BETA5 is
the way to go in general.

Test this out soon, if you can, and send your results to nmap-dev, as
this release is sure to get a lot of attention and interest :).

Here are the changes since 4.85BETA4 a couple weeks ago:

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

[snip snip]

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
