Nmap Development mailing list archives
Re: Running Malware Scripts
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 24 Dec 2008 21:42:31 +0000
On Wed, 24 Dec 2008 13:06:44 -0800 or thereabouts "Rathbun, Dan" <Dan.Rathbun () aecom com> wrote:
Greetings all,

I bought the 'NMAP Network Scanning' book from Amazon the other day and it's a GREAT read! I have already learned many new tricks about how to leverage NMAP more fully, and I am fast at work thinking up new uses for it in our environment.

Right now I am trying to learn how best to use the '-script=malware' option to scan our substantial network for infected machines. But I am finding that the resulting XML files are too large to review manually (over 50,000 hosts). So I am looking for some guidance as far as what things to search the output file for. I was originally thinking of IRC ports or SMTP ports, but that is not proving very fruitful.

Has anyone developed a productive routine to accomplish this task? If not, can you suggest some ideas about how I could begin to develop one for our organization?

Dan Rathbun
Information Security Director
CISSP, GSLC, GSEC, GLEG and G7799 Certified
Hi Dan,

I don't have time for a full response right now. You are describing my primary use of Nmap. I've had excellent success detecting compromised machines at my organization and at others.

There are a few things to think about when using Nmap for malware detection:

* The malware NSE scripts are targeted to specific malware variants
* The malware and backdoor service fingerprints are also targeted at specific malware variants
* Most malware isn't going to be automatically detected; it will leave a service fingerprint that you'll need to analyze later.
* Malware and backdoors are rarely on standard ports; you *MUST* scan with -PN, -sV, and -p- if you expect to find anything useful.

I developed a script to parse through hundreds of thousands of Nmap scans searching for patterns indicative of compromised machines. I discussed the script a little bit in this post: http://seclists.org/nmap-dev/2008/q2/0781.html

I have attached a newer copy of the script. Please note that it still doesn't do XML. My development version of the script handles XML but there are still a lot of problems to work out with it. It also doesn't yet make NSE output available to the rules and heuristics. My XML version is geared towards fixing this issue.

My goal with Npwn is to clean it up and make it release quality. That means creating a compromised host descriptor language similar to procmail recipes so that rules and heuristics can be moved out of the script and into a definition file. It also means handling arbitrarily large XML files (our network produces 60 gigabytes of XML).
To give you an idea of what format the exclude file takes, here is an excerpt of mine:

=======
a.b.0.0/17 WSD SSDP STCP NOPASSWD OLDTCPIP HTTP_PROXY SQUID SOHOHTTPD FTP SMTP HTTP MYSQL MSSQL MULTI_RADMIN NNTP IPHONE OLD_MSFTP OLD_MSSMTP SYNERGY LOGMEIN OPENX11 MANYPORTS SOCKS MULTI_SSHPORTS
a.b.128.0/17 WSD SSDP HTTP IPHONE OLDTCPIP SOCKS
c.d.222.0/24 BADPORT
e.f.119.242 L33TSPEAK
e.f.1.47 SMTPFP
e.f.16.68 FTPUSERS
c.d.115.111 FTPFP
======

It will take a while to get up to speed using Nmap for compromised host detection but it _is_the_right_tool_for_the_job_.

I'm currently scanning an organization that has IDS/IPS boxes deployed everywhere. They felt that these boxes were excellent compromise detectors and while they are -- a single sweep (-PN, -sV, -p-, etc) with Nmap found more compromised hosts than I care to mention here.

Brandon
Attachment:
npwn.pl
Description:
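As an added illustration of the exclude-file format Brandon quotes above (this is not npwn.pl and not code from the thread), the following Python parses lines of the form "network-or-host RULE RULE ..." and uses them to suppress rule hits for hosts in those ranges. The rule names, sample networks and per-host findings are constructed for the example; the assumption that a bare address means a single host and that a host may match several ranges is mine.

```python
import ipaddress

# Constructed sample exclude file in the format of the excerpt above:
# one network (CIDR) or bare address per line, followed by the rule
# names whose hits should be suppressed for that range.
SAMPLE_EXCLUDE = """
# comment and blank lines are ignored (assumption, not from the thread)
10.1.0.0/17   WSD SSDP HTTP IPHONE OLDTCPIP SOCKS
10.2.222.0/24 BADPORT
10.3.119.242  L33TSPEAK
10.3.16.68    FTPUSERS
"""

def parse_exclude(text):
    """Return a list of (network, rule-set) pairs. A bare address becomes
    a /32 network so a single containment check serves both forms."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net, *rules = line.split()
        table.append((ipaddress.ip_network(net, strict=False), set(rules)))
    return table

def excluded_rules(table, host):
    """Union of the rule names suppressed for this host across every
    matching range (a host may sit inside several listed networks)."""
    addr = ipaddress.ip_address(host)
    hits = set()
    for net, rules in table:
        if addr in net:
            hits |= rules
    return hits

def filter_findings(table, findings):
    """Drop whitelisted rule hits; keep only hosts that still have some."""
    remaining = {}
    for host, rules in findings.items():
        kept = rules - excluded_rules(table, host)
        if kept:
            remaining[host] = kept
    return remaining

# Constructed heuristic hits, as a rules engine of this kind might emit.
SAMPLE_FINDINGS = {
    "10.1.5.9": {"HTTP", "SSDP"},          # fully suppressed by 10.1.0.0/17
    "10.1.130.4": {"HTTP", "MANYPORTS"},   # outside that /17: nothing suppressed
    "10.2.222.17": {"BADPORT", "SMTPFP"},  # BADPORT suppressed, SMTPFP remains
    "10.3.119.242": {"L33TSPEAK"},         # single-host exclusion
}

if __name__ == "__main__":
    table = parse_exclude(SAMPLE_EXCLUDE)
    for host, rules in sorted(filter_findings(table, SAMPLE_FINDINGS).items()):
        print(host, " ".join(sorted(rules)))
```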
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Running Malware Scripts Rathbun, Dan (Dec 24)
- Re: Running Malware Scripts Brandon Enright (Dec 24)
- Message not available
- Message not available
- Message not available
- How I scan large networks (was Re: Running Malware Scripts) Brandon Enright (Dec 31)
- Message not available
- Re: Running Malware Scripts Brandon Enright (Dec 24)