Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Scanning for Confiker via nmap
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Wed, 01 Apr 2009 10:16:37 -0400

I would also recommend grabbing the latest SVN as of this morning.
Renaud found a bug in the checking algorithm. Both Nmap and Nessus have
been updates, for more details on the Nessus side see:

http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html

Cheers,
Paul

Nick Baronian wrote:
I believe vulnerable machines will crash.
http://seclists.org/nmap-dev/2009/q1/0878.html

If you were getting mixed results you might want to re-grab the latest
svn.  It has been patched several times already today and corrected some
issues I was seeing.

2009/3/31 Tim Mugherini <gbugbear at gmail.com <mailto:gbugbear at gmail.com>>

    I got that too went with -script-args unsafe=1 and seems to work for
    most

    Think someone mentioned that yesterday somewhere

    not sure what the downside may be

    2009/3/31 Dan Baxter <danthemanbaxter at gmail.com
    <mailto:danthemanbaxter at gmail.com>>

        Thanks!  That helps a lot.  However, my results aren't quite
        what I'd hoped.  Every machine that has 445 open, I get the
        result below.  What would make the Conficker scan fail? 
        Suggestions?  Thanks



        PORT    STATE SERVICE

        445/tcp open  microsoft-ds

        Host script results:
        |  smb-check-vulns: 
        |  MS08-067: FIXED
        |  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
        |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)




        Dan Baxter
        -------------------------------------------------
        Quis custodiet ipsos custodes?


        2009/3/31 Russell Butturini <rbutturini at epictn.com
        <https://mail.google.com/mail?view=cm&tf=0&to=rbutturini at epictn.com>>

            I found you need to add the ?vv (very verbose) flag using
            that command.  Otherwise you don?t see the script results. 
            See below:

             

            Discovered open port 445/tcp on x.x.x.x

            Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total
            ports)

            NSE: Initiating script scanning.

            Initiating NSE at 09:29

            Completed NSE at 09:29, 0.50s elapsed

            Host x.x.x.x appears to be up ... good.

            Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s

            Interesting ports on x.x.x.x:

            PORT    STATE SERVICE

            445/tcp open  microsoft-ds

            MAC Address: 00:11:25:E9:04:52 (IBM)

             

            Host script results:

            |  smb-check-vulns:

            |  MS08-067: FIXED

            |  Conficker: Likely CLEAN

            *From:* pauldotcom-bounces at mail.pauldotcom.com
            <https://mail.google.com/mail?view=cm&tf=0&to=pauldotcom-bounces at mail.pauldotcom.com>
            [mailto:pauldotcom-bounces at mail.pauldotcom.com
            <https://mail.google.com/mail?view=cm&tf=0&to=pauldotcom-bounces at mail.pauldotcom.com>]
            *On Behalf Of *Dan Baxter
            *Sent:* Tuesday, March 31, 2009 9:01 AM

            *To:* PaulDotCom Security Weekly Mailing List
            *Subject:* Re: [Pauldotcom] Scanning for Confiker via nmap

             

            So forgive my lack of nmap-fu, but if I run this what am I
            looking for?  I get back responses that list some with 445
            open, some closed and a few filtered.  How do I determine
            which may be infected.


            for clarification I'm running nmap -p 445 --script
            smb-check-vulns.nse

            Thanks

            Dan Baxter
            -------------------------------------------------
            Quis custodiet ipsos custodes?


            _______________________________________________
            Pauldotcom mailing list
            Pauldotcom at mail.pauldotcom.com
            <https://mail.google.com/mail?view=cm&tf=0&to=Pauldotcom at mail.pauldotcom.com>
            http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
            Main Web Site: http://pauldotcom.com



        _______________________________________________
        Pauldotcom mailing list
        Pauldotcom at mail.pauldotcom.com
        <mailto:Pauldotcom at mail.pauldotcom.com>
        http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
        Main Web Site: http://pauldotcom.com



    _______________________________________________
    Pauldotcom mailing list
    Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
    http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    Main Web Site: http://pauldotcom.com



------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552


  By Date           By Thread  

Current thread:
  • Scanning for Confiker via nmap Paul Asadoorian (Apr 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault