Nmap Development mailing list archives

Re: conficker script in NMAP - NT_STATUS_ACCESS_DENIED


From: Stroller <stroller () stellar eclipse co uk>
Date: Wed, 1 Apr 2009 07:13:31 +0100


On 31 Mar 2009, at 20:58, Watson, Deborah L wrote:
> ...
> I am getting some responses from some systems and
> NT_STATUS_ACCESS_DENIED from others. I am thinking I need to provide
> credentials, but not finding an option for that.

For the record: me, too.

I've run the script on a small domain of Windows XP machines managed by a 2003 SBS server.

Because they're all on the domain, security rights & permissions & stuff should all be the same on them (enforced with GPOs). But patching is sporadic, so they'll all be running different combinations of SP2 / SP3 / other updates.

I can only assume that these adjacent machines give different results because one is more patched than the other:

        Host 192.168.0.52 appears to be up ... good.
        Interesting ports on 192.168.0.52:
        PORT    STATE SERVICE
        139/tcp open  netbios-ssn
        445/tcp open  microsoft-ds
        MAC Address: 00:16:D3:8B:D1:0C (Wistron)
        
        Host script results:
        |  smb-check-vulns:
        |  MS08-067: NOT RUN
        |  Conficker: ERROR: NT_STATUS_ACCESS_DENIED
        |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
        
        Host 192.168.0.53 appears to be up ... good.
        Interesting ports on 192.168.0.53:
        PORT    STATE SERVICE
        139/tcp open  netbios-ssn
        445/tcp open  microsoft-ds
        MAC Address: 00:19:21:4E:4D:29 (Elitegroup Computer System Co.)
        
        Host script results:
        |  smb-check-vulns:
        |  MS08-067: NOT RUN
        |  Conficker: Likely CLEAN
        |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Whilst others have noted that NT_STATUS_ACCESS_DENIED probably means you're safe, it would be reassuring to have a method to run this with Domain Admin credentials or to have someone state _for sure_ that this means the PC can't be infected.

I don't intend for the above paragraph to in any way detract from my gratitude for the hard work others have put into this facility.

Stroller.
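The credentialed run asked for above is possible: Nmap's smb library reads the script-args smbdomain, smbusername and smbpassword (those are the names in the smb library documentation; older releases named them differently, so check `nmap --script-help smb-check-vulns` if they are rejected). The script below is an added example, not code from the list post or from the Nmap project. It assembles that command line and triages nmap's normal output so hosts that returned NT_STATUS_ACCESS_DENIED to the unauthenticated probe are pulled out for a rescan with domain credentials. The domain, user and password values are placeholders, and the sample scan output is constructed, modelled on the two hosts in the post.

```bash
#!/bin/bash
# Added example (not from the list post or the Nmap project).
#  - build_nmap_cmd: assemble the smb-check-vulns invocation with domain
#    credentials passed via the smb library's script-args
#    (smbdomain / smbusername / smbpassword, as documented for the smb library).
#  - triage_conficker / hosts_needing_creds: parse nmap's normal output and
#    extract the per-host Conficker verdict, so hosts whose check failed with
#    NT_STATUS_ACCESS_DENIED can be rescanned with credentials.

build_nmap_cmd() {
  # $1 domain, $2 user, $3 password, $4 target spec. All values are placeholders.
  local domain="$1" user="$2" pass="$3" target="$4"
  printf 'nmap -p 139,445 --script smb-check-vulns --script-args=smbdomain=%s,smbusername=%s,smbpassword=%s %s\n' \
    "$domain" "$user" "$pass" "$target"
}

# Reads nmap normal output on stdin; prints "<host><TAB><Conficker verdict>".
# Handles the old "Host X appears to be up" banner seen in the post and the
# newer "Nmap scan report for X" banner.
triage_conficker() {
  awk '
    /^Host [^ ]+ appears to be up/ { host = $2 }
    /^Nmap scan report for /       { host = $5 }
    /Conficker:/ {
      verdict = $0
      sub(/.*Conficker: */, "", verdict)
      print host "\t" verdict
    }
  '
}

# Hosts whose Conficker check was refused by the unauthenticated probe.
hosts_needing_creds() {
  triage_conficker | awk -F'\t' '$2 ~ /NT_STATUS_ACCESS_DENIED/ { print $1 }'
}

# Constructed sample output, modelled on the two hosts in the post.
SAMPLE_OUTPUT='Host 192.168.0.52 appears to be up ... good.
Interesting ports on 192.168.0.52:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: ERROR: NT_STATUS_ACCESS_DENIED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Host 192.168.0.53 appears to be up ... good.
Interesting ports on 192.168.0.53:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)'

# Show the verdict table, then the credentialed rescan command for the hosts
# that denied the anonymous probe. Nothing here touches the network; the
# command is only printed.
printf '%s\n' "$SAMPLE_OUTPUT" | triage_conficker
rescan_targets=$(printf '%s\n' "$SAMPLE_OUTPUT" | hosts_needing_creds | xargs)
build_nmap_cmd EXAMPLE administrator 'ChangeMe!' "$rescan_targets"
```

Run the printed command from a host that can reach 139/445 on the targets; once the probe is authenticated, a host that previously reported ERROR: NT_STATUS_ACCESS_DENIED should give a real verdict. In current Nmap releases smb-check-vulns has been split into separate smb-vuln-* scripts (smb-vuln-conficker for this check), which take the same credential script-args.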



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

