Nmap Development mailing list archives
Re: smb-check-vulns.nse reports error on hosts possibly infected with Conficker
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Oct 2012 21:30:41 -0700
On Wed, Oct 17, 2012 at 11:39:19AM -0500, Kit Peters wrote:
> Environment: nmap / zenmap 6.01 on Windows 7 64-bit. Run against a heterogeneous network (TV / radio station) of servers, workstations, printers, and other embedded systems.
>
> Expected behavior: Systems likely to be infected with Conficker are reported as such.
>
> Actual behavior: Possibly infected systems (in a previous run on the same system with nmap 5.50 they were reported as likely to be infected) generate the error: "Conficker: UNKNOWN; got error NT_STATUS_WERR_INVALID_PARAMETER (srvsvc.netpathcanonicalize)"
>
> Discussion: When I ran a scan on the network with nmap 5.50 many of the systems that generated the NT_STATUS_WERR_INVALID_PARAMETER error were reported as likely to be infected with Conficker.C or lower. One system in particular (192.168.87.201) I am fairly certain is infected. However, when I updated to (ze)nmap 6.01, all of these systems instead gave me the above error.
Thanks for this report. There was in fact a bug. Please try this revision of the script:

https://svn.nmap.org/nmap/scripts/smb-check-vulns.nse

The problem was the name of an error code that was being checked for by the script. It was changed in r24847 from NT_STATUS_WERR_UNKNOWN_57 to NT_STATUS_WERR_INVALID_PARAMETER, and the code was still looking for an "UNKNOWN_57" string. I don't know why the code is searching for status code names rather than just comparing integers.

David Fifield
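The failure mode described in the reply, as an added example that is not part of the original message and is not code from smb-check-vulns.nse: a standalone Lua model in which a check keyed on a status code's rendered name stops matching after the name is changed, while an integer comparison keeps working. The name tables, the fallback name format, the function names and the result strings are constructed for illustration, and it assumes the 0x57 reply is the one the check treats as the infection signal.

```lua
-- Constructed model of the regression; not code from smb-check-vulns.nse.
-- Win32 error 87 (0x57) is ERROR_INVALID_PARAMETER.
local WERR_INVALID_PARAMETER = 0x57

-- Hypothetical name tables: before and after the rename the reply mentions.
local names_before = { [0x57] = "NT_STATUS_WERR_UNKNOWN_57" }
local names_after  = { [0x57] = "NT_STATUS_WERR_INVALID_PARAMETER" }

-- Render a status code as a name, falling back to a generic label
-- (the fallback format is an assumption made for this example).
local function status_name(names, code)
  return names[code] or string.format("NT_STATUS_WERR_UNKNOWN_%x", code)
end

-- Fragile check: searches the rendered name for a fixed substring, so the
-- verdict depends on how the code happens to be spelled in the name table.
local function classify_by_name(names, code)
  local name = status_name(names, code)
  if string.find(name, "UNKNOWN_57", 1, true) then  -- plain-text search
    return "Likely INFECTED"
  end
  return "UNKNOWN; got error " .. name
end

-- Robust check: compares the integer; the name is used only for display.
local function classify_by_code(names, code)
  if code == WERR_INVALID_PARAMETER then
    return "Likely INFECTED"
  end
  return "UNKNOWN; got error " .. status_name(names, code)
end

-- Constructed replies: 0x57 under both tables, plus an unnamed code (0x570)
-- whose fallback name happens to contain the searched substring.
local cases = {
  { "before rename", names_before, 0x57 },
  { "after rename",  names_after,  0x57 },
  { "after rename",  names_after,  0x570 },
}
for _, c in ipairs(cases) do
  local label, names, code = c[1], c[2], c[3]
  print(string.format("%-13s code=0x%03x  by name: %s",
    label, code, classify_by_name(names, code)))
  print(string.format("%-13s code=0x%03x  by code: %s",
    label, code, classify_by_code(names, code)))
end
```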