Nmap Development mailing list archives

Re: [NSE] Stuxnet detection


From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Dec 2010 20:48:53 -0600

Guys --

This is AWESOME!  I have cross-posted this onto the SCADASEC mailing list to see if this can be useful to the SCADASEC community.

In the meantime, since I don't repost attachments, I've taken Mr. Kolybabi's script and placed it on our web server here:
http://www.infracritical.com/enum-scripts/stuxnet-detect.nse

I'm working on a couple of NSE scripts for SCADA systems right now, and will be (hopefully soon) posting them on this mailing list...  ;)

Thanks!

-r


----- Original Message -----
From: Mak Kolybabi [mailto:mak () kolybabi com]
To: nmap-dev () insecure org
Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net], Ron Bowes [mailto:ron () skullsecurity net]
Subject: [NSE] Stuxnet detection


I've finished the first version of the script, and am submitting it for
(hopefully) inclusion into Nmap. This version successfully detects infected
hosts, or at least the one infected host I had access to. It also did not
raise any false positives on any of the forty other hosts I tested against.

Future versions of this script will include the ability to detect the exact
version of a Stuxnet infection, and offer the option to download a copy of
the executable.

Comments, concerns, criticism, and testing are appreciated.

--
Mak Kolybabi
<mak () kolybabi com>

() ASCII Ribbon Campaign | Against HTML e-mail
/\  www.asciiribbon.org  | Against proprietary extensions


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

