
Nmap Development mailing list archives
Re: Nmap 4.85BETA7 Released!
From: henry.nymann () valeosylvania com
Date: Thu, 2 Apr 2009 10:25:48 -0400
David Fifield <david () bamsoftware com> wrote on 04/02/2009 10:02:43 AM:
> On Thu, Apr 02, 2009 at 09:47:49AM -0400, henry.nymann () valeosylvania com wrote:
> > David Fifield <david () bamsoftware com> wrote on 04/02/2009 09:44:01 AM:
> > > On Thu, Apr 02, 2009 at 09:28:43AM -0400, henry.nymann () valeosylvania com wrote:
> > > > > o Add helpful text for the two most common errors seen in the
> > > > >   Conficker check in smb-check-vulns.nse. So instead of saying
> > > > >   things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
> > > > >   | Conficker: Likely CLEAN; access was denied.
> > > > >   | | If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
> > > > >   | | (replace xxx and yyy with your username and password). Also try
> > > > >   | |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
> > > > >   The other improved message is for NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]
> > > >
> > > > I downloaded and tried the new beta 7 version this morning.
> > > > Specifically, I'm running it on a Windows 2003 SP2 server, and I
> > > > uninstalled beta 6 first. However, I am not getting the new messages
> > > > that this e-mail references, so does that mean something did not
> > > > update correctly on my server? Doing a "Help | About" confirms the
> > > > beta 7 version.
> > >
> > > The only added help messages are for the errors NT_STATUS_ACCESS_DENIED
> > > and NT_STATUS_OBJECT_NAME_NOT_FOUND. If you weren't getting those errors
> > > before then you won't get any new output. Specifically, if all you saw
> > > was "Likely CLEAN" or "Likely INFECTED" then nothing in the output will
> > > change.
> >
> > I get many of the NT_STATUS_ACCESS_DENIED and
> > NT_STATUS_OBJECT_NAME_NOT_FOUND responses during my scans. With the
> > beta 7 version I am still getting those responses. I get very few
> > "likely clean" messages, and no "likely infected" messages (so far).
>
> Are you getting the help text with those errors? Instead of just saying,
> "ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND", does it say
>
> | Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
> | | If you know the remote system is Windows, try rebooting it and scanning
> | |_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)
>
> If you are getting the longer error messages, then the script is working
> like it is supposed to. Unfortunately the error messages could be from a
> variety of causes and the script can't differentiate between all of them.
> For NT_STATUS_OBJECT_NAME_NOT_FOUND for example, if the remote operating
> system is not Windows, then it is not infected. But it could be that the
> service required to do detection (the "browser service") has crashed, and
> then you can't test infection remotely. You will have to find that
> computer and check it locally. You can use the smb-os-discovery.nse script
> to find out operating systems.
>
> David Fifield

I'll show you a portion of the output I am getting so that things are clear.

Host vls-sey-w01411.seymour.vls.valeo (10.106.17.83) is up, received user-set (0.020s latency).
Scanned at 2009-04-02 08:58:18 Eastern Daylight Time for 1s
Interesting ports on vls-sey-w01411.seymour.vls.valeo (10.106.17.83):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Final times for host: srtt: 20000 rttvar: 20000 to: 100000

Host sevs0000585.seymour.vls.valeo (10.106.17.84) is up, received user-set (0.020s latency).
Scanned at 2009-04-02 08:58:18 Eastern Daylight Time for 1s
Interesting ports on sevs0000585.seymour.vls.valeo (10.106.17.84):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Final times for host: srtt: 20000 rttvar: 20000 to: 100000

Host vls-sey-l01605.seymour.vls.valeo (10.106.17.85) is up, received user-set (0.020s latency).
Scanned at 2009-04-02 08:58:18 Eastern Daylight Time for 1s
Interesting ports on vls-sey-l01605.seymour.vls.valeo (10.106.17.85):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: NT_STATUS_ACCESS_DENIED
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Final times for host: srtt: 20000 rttvar: 20000 to: 100000

Henry Nymann

This e-mail message is intended only for the use of the intended recipient(s). The information contained therein may be confidential or privileged, and its disclosure or reproduction is strictly prohibited. If you are not the intended recipient, please return it immediately to its sender at the above address and destroy it.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
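
An added example, not part of the original message and not Nmap code: a Python triage pass over saved Nmap normal output that buckets each host by its Conficker line and attaches the follow-up described in this thread. The sample output, host names, addresses and bucket names are constructed for illustration, and the follow-up for "Likely INFECTED" is an assumption.

```python
import re

# Constructed sample in the layout of the Nmap output quoted in the message;
# host names and addresses are placeholders, not values from the thread.
SAMPLE = """\
Interesting ports on host-a.example (192.0.2.10):
Host script results:
|  smb-check-vulns:
|  MS08-067: Check disabled (remove 'safe=1' argument to run)
|  Conficker: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Interesting ports on host-b.example (192.0.2.11):
|  Conficker: Likely CLEAN
Interesting ports on host-c.example (192.0.2.12):
|  Conficker: NT_STATUS_ACCESS_DENIED
Interesting ports on host-d.example (192.0.2.13):
|  Conficker: Likely CLEAN; access was denied.
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+)")
CONF_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

# (substrings, bucket, follow-up). Order matters: the BETA7 access-denied text
# also contains "Likely CLEAN", so the error-derived rules are checked first.
# The "infected" follow-up is an assumption; the others follow the thread.
RULES = [
    (("NT_STATUS_ACCESS_DENIED", "access was denied"), "needs-credentials",
     "rescan with --script-args=smbuser=xxx,smbpass=yyy (and smbdomain=zzz)"),
    (("NT_STATUS_OBJECT_NAME_NOT_FOUND", "UNKNOWN"), "unknown",
     "run smb-os-discovery.nse; if Windows, reboot and rescan or check locally"),
    (("Likely INFECTED",), "infected", "examine the host locally"),
    (("Likely CLEAN",), "clean", "none"),
]

def triage(text):
    """Map each host to (bucket, follow_up) from its Conficker result line."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
        elif host and (m := CONF_RE.match(line)):
            status = m.group(1)
            hit = next(((b, a) for needles, b, a in RULES
                        if any(n in status for n in needles)), None)
            # Anything unrecognised is surfaced rather than silently dropped.
            results[host] = hit or ("unrecognised", status)
    return results

if __name__ == "__main__":
    for name, (bucket, action) in triage(SAMPLE).items():
        print(f"{name:16} {bucket:18} {action}")
```

Hosts in the `unknown` bucket are the ones that cannot be cleared remotely, so they should not be counted as clean in a sweep report.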