Nmap Development mailing list archives

Re: article about Conficker says nmap can be used to discover it


From: Ron <ron () skullsecurity net>
Date: Mon, 30 Mar 2009 14:38:18 -0500



Corey Chandler wrote:
> Fyodor wrote:
>> http://www.skullsecurity.org/blog/?p=209
>>
>> If anyone is able to test this, please do report your results!  As
>> we've been pretty rushed since we just found out about the technique
>> yesterday.
>
> Ran it across our desktop network here.
>
> bash-3.2# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d 10.10.1.0/24 |grep Conficker
>
> |  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: Likely CLEAN
> |  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
> |  Conficker: Likely CLEAN
>
> I assume the NT_STATUS_OBJECT_NAME_NOT_FOUND implies it's not an actual Windows box? We do have some Ubuntu / Mac users here...

Yeah, it could mean it isn't a Windows box, or it could mean the service has crashed (due to an infection and/or an infection attempt).

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
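
An added example, not part of the original messages or of Nmap: the `grep Conficker` pipeline above drops the host each result belongs to, so this sketch parses saved normal-format Nmap output and keeps the host with each Conficker line, putting ERROR results in their own follow-up bucket. The sample output, addresses, hostname and the `triage` function name are constructed for illustration.

```python
import re

# Constructed sample of normal Nmap output (addresses and hostname are made up).
# Both host header styles are included: older releases printed
# "Interesting ports on ...", newer ones print "Nmap scan report for ...".
SAMPLE = """\
Nmap scan report for 10.10.1.5
Host script results:
|  Conficker: Likely CLEAN

Interesting ports on 10.10.1.7:
Host script results:
|  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND

Nmap scan report for desk12.example.test (10.10.1.12)
Host script results:
|_ Conficker: Likely CLEAN
"""

HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")


def triage(nmap_output):
    """Group hosts by Conficker check result: clean, error, or review."""
    buckets = {"clean": [], "error": [], "review": []}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # remember which host the next results belong to
            continue
        m = CONFICKER_RE.match(line)
        if not m:
            continue
        detail = m.group(1)
        if detail.startswith("Likely CLEAN"):
            key = "clean"
        elif detail.startswith("ERROR:"):
            # Not a verdict: per the reply above, the host may not be Windows
            # or the service may have crashed, so it needs a follow-up look.
            key = "error"
        else:
            key = "review"  # any other result text goes to a human
        buckets[key].append((host or "unknown host", detail))
    return buckets


if __name__ == "__main__":
    for key, hosts in triage(SAMPLE).items():
        for host, detail in hosts:
            print(f"{key:7} {host:35} {detail}")
```

To use it on a real scan, run the same command without the `grep` and pass the saved output text to `triage`.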

