Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Nmap 4.85BETA8 Released!
From: Ionreflex <ionreflex () gmail com>
Date: Wed, 22 Apr 2009 16:03:47 -0400

Hi Ron,
I'll probably give b8 a try tomorrow in our corporate network, see if I can
find anything more than I did with b6 (I jumped over b7...)

I had the impression all the "little" worm did on April Fools was the "ET
phone home" subroutine and nobody answered the call; than again I've talked
with two consultants who said they've had to deal with an outbreak... but
was it really Conficker ? Guess we'll never know!

I wonder how many will have to get b8 via http://sectools.org/nmap/ ... is
there a counter to record how much hits ? :o)


2009/4/21 Ron <ron () skullsecurity net>

Hopefully some of you have tried this out.. I haven't heard any
feedback, so I'll assume that's good news for the time being. I'd really
like to hear if this rooted out any infections, though!

If you want to read some more details, check out my blog post about it:

I tried to be pretty thorough with explaining how the script works and
how to use it.

Any questions or comments, feel free to ask!

Fyodor wrote:
Hi All.  I'm happy to report the release of Nmap 4.85BETA8.  It
includes many improvements from our last 20 days of work, including
much better Ncat http proxy server support (including authentication,
and the GET/HEAD/POST methods so you can use it with Firefox), redone
(much easier to read) text output for Ndiff, a whole bunch of
Conficker improvements (including a great new script by Ron based on
Symantec research and numerous improvements to the existing
smb-check-vulns), and much more.  Our anti-Conficker efforts have
apparently pissed off the Conficker authors so much that the latest
variants ban nmap.* and insecure.* domains.  No worries: I've mirrored
this release at http://sectools.org/nmap/.

And those of you who aren't infected by Conficker can download
4.85BETA8 at the normal location:


To scan you network quickly for Conficker infections before the next
variant breaks this new techinque, we recommend this command:

nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
--script-args checkconficker=1,safe=1 -T4 [target networks]

If you have time for a slower but more comprehensive scan, use this

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
--script-args checkall=1,safe=1 -T4 [target networks]

And here is the full list of changes since BETA7:

Nmap 4.85BETA8 [2009-04-21]

o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
  addition to the CONNECT tunneling method, so it can be used as a
  proxy with an ordinary web browser.[David]

o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
  --proxy-auth to provide a username and password that will be required
  of proxy users. Only the insecure (not encrypted) Basic authentication
  method is supported. [David]

o Ndiff's text output has been redone to look more like Nmap output
  and be easier to read. See the Ndiff README file for an example. The
  XML output is now based on Nmap's XML output as well. Zenmap's diff
  viewer now shows the new output with syntax highlighting. [David]

o The new versions of the Conficker Internet worm ban infected systems
  from visiting Insecure.Org and Nmap.Org.  We take that as a
  compliment to the effectiveness of our remote Conficker scanner.
  They also ban DNS substrings "honey" (for the Honeynet Project),
  "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
  Security, "coresecur" for Core Security Technologies, and
  "iv.cs.uni" for those meddlesome (to the Conficker authors)
  researchers at the University of Bonn.  For people who can't reach
  nmap.org due to infection, I've mirrored this release at
  http://sectools.org/nmap/. [Fyodor]

o New Conficker versions eliminate the loophole we were using to
  detect them with smb-check-vulns,nse, so we've added new methods
  which work with the newest variants. Here are the Conficker-related
  improvements since BETA7:
  o Added new p2p-conficker script which detects Conficker using its
    P2P update ports rather than MSRPC.  This is based on some new
    research by Symantec. See
    http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
  o Since new Conficker variants prevent detection by our previous
    MSRPC check in smb-check-vulns, we've added a new check which still
    works. It involves calling netpathcanonicalize on "\" rather than
    "\..\" and checking for a different return value.  It was discovered
    by Felix Leder and Tillmann Werner.
  o Improved smb-check-vulns Conficker error message text to be more
    useful. [David]
  o smb-check-vulns now defaults to using basic login rather than
    extended logins as this seems to work better on some machines.
  o Recommended command for a fast Conficker scan:
    nmap -p139,445 --script
p2p-conficker,smb-os-discovery,smb-check-vulns \
    --script-args checkconficker=1,safe=1 -T4 [target networks]
  o Recommended command for a more comprehensive (but slower) scan:
    nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- \
    --script-args checkall=1,safe=1 -T4 [target networks]

o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
  code simplicity and extensibility. See
  http://seclists.org/nmap-dev/2009/q2/0090.html and
  http://seclists.org/nmap-dev/2009/q1/0047.html. [Patrick]

o [Zenmap] The "Cancel" button has been restored to the main screen.
  It will cancel the scan that is currently being displayed.

o Fixed an SMB library bug which could case a nil-pointer exception
  when scanning broken SMB implementations. Reported by Steve
  Horejsi. [Ron]

o [Ndiff] The setup.py installation script now suggests installing the
  python-dev package in a certain error situation. Previously the
  error message it printed was misleading:
    error: invalid Python installation: unable to open
    /usr/lib/python2.6/config/Makefile (No such file or directory)
  The change was suggested by Aaron Leininger. [David]

o [Nbase] The checksum functions now have an nbase_ prefix.  This
  should prevent name collisions with internal but exported functions
  in shared libraries Nmap links against (e.g. adler32() in zlib).
  Such collisions seem to confuse the runtime linker on some platforms.
  [Daniel Roethlisberger]

o Fixed banner.nse to remove surrounding whitespace from banners. For
  example, this avoids a superfluous carriage return and newline at the
  end of SSH greetings. [Patrick]

o Expanded and tweaked the product/version/info of service scans in an
  attempt to reduce the number of warnings like "Warning: Servicescan
  failed to fill info_template...".  Parts of this change include:
  o Improved the text of the warning to be less confusing
  o Increased the internal version info buffer to 256 chars from 128
  o Increased the final version string length to 160 from 128 chars
  o Changed the behavior when constructing the final version string so
    that if it runs out of space, rather than dropping the output of that
    template it truncates the template with ...
  o Fixed the printing of unneeded spaces between templates when one of
    templates isn't going to be printed at all.

o Improved the service scan DB to remove certain problematic regex
  patterns which could lead to PCRE_MATCHLIMIT errors. For example,
  instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
  ".*" as long as the DOTALL (/s) modifier was set. [Brandon]

o Changed some error() calls (which were more informational than error
  messages) to use log_write() instead, and changed a few f?printf()
  calls into error() or log_write(). [Brandon]

o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
  to resolve names using the wrong address family (such as AF_INET
  rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]

o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
  It caused a crash when opening the Hosts Viewer on a host that had OS
  information. A window appeared saying simply "Runtime Error!". [David]

o [Zenmap] Gracefully handle unrecognized port states in the hosts
  viewer. Apparently old versions of Nmap can return a state of
  "unknown". This prevents this crash:
      File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
      File "radialnet\gui\NodeNotebook.pyo", line 257, in
    KeyError: u'unknown'

o Rewrote the debugging error message "Found whacked packet protocol
  17 in get_ping_pcap_result" because we decided that receiving a UDP
  packet during TCP ping scan is not egregious enough to qualify as
  "whacked". [David]

Enjoy the new release!  And let us know on nmap-dev if you encounter
any problems!  See http://nmap.org/book/man-bugs.html.


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

Ron Bowes

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]