mailing list archives
Re: Question - script: p2p-conficker
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 22 Jan 2014 06:53:31 -0600
On Mon, Jan 20, 2014 at 5:50 PM, <Joe.Lemak () omya com> wrote:
This a comment in a script description:
"This check won't work properly on a multihomed or NATed system because
the open ports will be based on a nonpublic IP"
Does the above script comment is saying that it will not work on my
internal network using private IPs?
Conficker uses an algorithm to choose ports to open that depends on
the IP address of the host that is infected. If the host only has one
IP address, even if it is a private address, the script will work,
since it starts with the same information that Conficker does.
If, on the other hand, the infected host has multiple IP addresses, or
is being accessed via an IP other than its internal IP (i.e. through
port forwarding on a NAT device), the script will be calculating open
ports based on an IP that is different than the one Conficker is
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/