Re: nmap/Conficker question

[Tom Sellers <nmap () fadedcode net>]

Peter Fisher wrote:
> nmap -p 139,445 -T4 -v -n -PN --script smb-check-vulns --script-args
> unsafe=1 192.168.1.1-255[replace the preceeding with YOUR network setup]
>
> On Tue, Mar 31, 2009 at 6:53 AM, Ed Braiter <ebraiter () scitraining com>wrote:
>
> > Hi,
> >
> > When I run the command line (as per
> > http://seclists.org/nmap-dev/2009/q1/0869.html):
> >
> > nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -d -PN -n -T4
> > --min-hostgroup 256 --min-parallelism 64 -oA conficker_scan 172.16.1.3
> >
> > in an elevated command prompt from Windows XP I am getting the following
> > message:
> >
> >  smb-check-vulns:
> >  MS08-067: NOT RUN
> >  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
> >
> > What does "ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND" mean? Can't detect if
> > its
> > on the system?
> >
> > Note that I'm a bit of a novice with nmap.
> >
> > Thanks
> >
> > Ed


The primary change in Peter's command line, going from
--script-args=safe=1
to
--script-args=unsafe=1

will not (as far as I know) correct the error Ed asked about.

The change will likely result in service crashes on any unpatched
Windows machines that have the port open and (Computer) Browser
service running.  This is due to the checks for the MS08-067 patch
as well as a DoS vulnerability in Windows that Ron discovered.

According to Ron's blog the error message likely means that the
target is a non-Windows machine, that the service has crashed
or otherwise locked down, secured, etc.

Here is a link to Ron's blog entry on the new Conficker scanning
code in Nmap:

http://www.skullsecurity.org/blog/?p=209

Tom Sellers

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org