Nmap Development mailing list archives
Re: How to use Nmap to scan very large networks for Conficker
From: Ionreflex <ionreflex () gmail com>
Date: Tue, 31 Mar 2009 16:20:19 -0400
Hey Brandon and all,

Top management here has decided to go with the "Better be prepared than sorry" approach, so I'm actually using Nmap to check the Conficker issue in about 30 subnets here... The thing is, I don't find any info on error messages other than the ones found inside the script (it's true I didn't do a lot of research on the subject, but I thought maybe you or someone else would know...). Errors like "DOS_STATUS_NONSPECIFIC_ERROR" or "SMB: Failed to receive bytes: TIMEOUT"...

I'm currently scanning; I'm going to post my collection of error messages as soon as I'm finished (if nobody tells me it would be irrelevant...).

Thanks,
Ion

2009/3/30 Brandon Enright <bmenrigh () ucsd edu>

> Fellow security folks,
>
> ** For those in a hurry, scroll down to how to get the latest release and the recommended command ***
>
> Given that this is many people's first time trying to use Nmap to scan many thousands of hosts at the same time, I figure I should share how I've been doing it. Nmap can easily handle scanning a million+ IPs, but it isn't tuned to do so by default. Seemingly minor options can have a big impact on time in huge scans.
>
> *** How to get the latest release: ***
>
> You will need the absolute latest release of Nmap (4.85BETA5), which you can get from: http://nmap.org/download.html
>
> *** For those in a hurry, here is the command I recommend using: ***
>
>     sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
>       -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
>       -oA conficker_scan <your network(s) here>
>
> *** Interpreting results ***
>
> Each host that is checked will have a line about Conficker in the "Host script results" section. If you are going to be scanning a very large network, you should use XML output. I have written a perl script (needs XML::Simple) to parse and report on your Conficker/MS08-067 scan results, available here: http://noh.ucsd.edu/~bmenrigh/nxml_conficker.pl
>
> Nmap can take CIDR targets, so 123.234.0.0/16 is perfectly fine for your network. You could also do something like 123.234.2-254.2-254. If you have more than one netblock, you can separate them with a space, like 123.234.0.0/16 32.64.128.0/24
>
> If you want to ramp the scan speed up further, increase the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio. I wouldn't recommend more than 4096/1024. You can also change -T4 to -T5, but depending on the network/hosts you are scanning this may or may not have any speed/accuracy effect.
>
> There are three options in the above command to help cut down on the amount of work Nmap has to do per host: -n, -p445, and -PN.
>
> * -n turns off reverse name resolution, which will be nice on your nameservers.
> * -PN in conjunction with -p445 skips the host up/down detection and goes straight into scanning port 445. This both increases accuracy and reduces the per-host work done. The ping process is pretty fast but is still slower than just checking a single port. Hosts that have a firewall but exceptions for Windows file sharing would not be caught without -PN.
>
> It is important to note that scanning for Conficker has a small chance of crashing an unpatched host. Patched and infected hosts won't be crashed, though. Note that if Conficker scans unpatched hosts, they are even more likely to crash than with this check, so the benefits probably outweigh the drawbacks.
>
> If you have questions about this script/using Nmap, drop a note to nmap-dev () insecure org.
>
> Brandon
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
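Brandon's post recommends XML output (-oA) for large scans and points at his perl parser. The following is an added example, not that perl script and not code from either poster: a small Python reporter that walks Nmap XML, pulls the smb-check-vulns host-script output for each address, and buckets hosts as infected, vulnerable, clean, error (the script ran but only produced errors such as the SMB timeouts Ion mentions) or no_result (no host-script entry, e.g. port 445 closed or filtered). The XML layout (host/address, host/hostscript/script with id and output attributes), the "MS08-067:" and "Conficker:" line format in the script output, and the sample scan document below are all assumptions constructed for illustration; check them against your own Nmap version's output before relying on the classification.

```python
"""Summarise Conficker / MS08-067 findings from Nmap XML output.

Added example; not nxml_conficker.pl and not part of the original thread.
Assumes the Nmap XML shape host/address[@addr,@addrtype] and
host/hostscript/script[@id,@output], and assumes smb-check-vulns prints
lines of the form "MS08-067: <verdict>" and "Conficker: <verdict>".
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample resembling `nmap ... -oX conficker_scan.xml` output.
# Newlines inside the output attribute are encoded as &#xa; (as Nmap does);
# literal newlines in an attribute would be normalised to spaces by the parser.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC --script=smb-check-vulns -p445 -PN -n -oX out.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;MS08-067: VULNERABLE&#xa;Conficker: Likely INFECTED&#xa;"/></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;MS08-067: NOT VULNERABLE&#xa;Conficker: Likely CLEAN&#xa;"/></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;MS08-067: VULNERABLE&#xa;Conficker: Likely CLEAN&#xa;"/></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;MS08-067: ERROR: SMB: Failed to receive bytes: TIMEOUT&#xa;Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT&#xa;"/></hostscript></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>
"""

# One "Key: verdict" line of smb-check-vulns output (assumed format).
FIELD_RE = re.compile(r"^\s*(MS08-067|Conficker)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_check_output(output):
    """Return {"MS08-067": verdict, "Conficker": verdict} for lines found."""
    return {key: verdict for key, verdict in FIELD_RE.findall(output)}


def classify(fields):
    """Bucket one host. Order matters: an infected box is reported as
    infected even though it is also unpatched, and "NOT VULNERABLE" must
    not match the vulnerable test (hence the anchored match)."""
    conf = fields.get("Conficker", "").upper()
    ms = fields.get("MS08-067", "").upper()
    if "INFECTED" in conf:
        return "infected"
    if re.match(r"VULNERABLE", ms):
        return "vulnerable"
    if "CLEAN" in conf:
        return "clean"
    # Script ran but produced no verdict (e.g. SMB timeouts, DOS_STATUS_* errors).
    return "error"


def summarize(xml_text):
    """Map IPv4 address -> {"status": bucket, "fields": parsed verdicts}."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        script = next((s for s in host.findall("hostscript/script")
                       if s.get("id") == "smb-check-vulns"), None)
        if script is None:
            results[addr] = {"status": "no_result", "fields": {}}
            continue
        fields = parse_check_output(script.get("output", ""))
        results[addr] = {"status": classify(fields), "fields": fields}
    return results


def counts(results):
    """Per-bucket totals, handy for a 30-subnet scan."""
    return Counter(r["status"] for r in results.values())


def report(results):
    """Human-readable lines, worst buckets first, then by address."""
    order = {"infected": 0, "vulnerable": 1, "error": 2, "clean": 3, "no_result": 4}
    def ip_key(addr):
        return tuple(int(o) for o in addr.split("."))
    lines = []
    for addr, r in sorted(results.items(),
                          key=lambda kv: (order[kv[1]["status"]], ip_key(kv[0]))):
        detail = "; ".join(f"{k}={v}" for k, v in r["fields"].items())
        lines.append(f"{r['status']:<11} {addr:<16} {detail}")
    return lines


if __name__ == "__main__":
    # Usage: python conficker_report.py conficker_scan.xml  (or no arg for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    res = summarize(text)
    print("\n".join(report(res)))
    print(dict(counts(res)))
```

Hosts landing in the error bucket are the ones worth re-scanning at a lower -T setting or smaller --min-parallelism, since a timeout tells you nothing about patch state.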