Re: Troubleshooting the Conficker script

[Ron <ron () skullsecurity net>]

Unfortunately, the errors you see are the errors that Windows gives me, 
I just display them. I could interpret them better in the script, but 
often it's just a mystery. Might be better if I displayed less 
information, but eh? ;)

The most common one seems to be OBJECT_NAME_NOT_FOUND -- that one can be 
caused by any number of things, such as scanning older OSes (Windows NT 
and such) or non-Windows OSes (Samba, etc), or locked down Windows 
systems (where the services are stopped).

On the other hand, it could also mean that the service has crashed, 
either because of Conficker or something else bringing it down.

Since I use the same technique as Conficker would use to infect, being 
unable to scan in this way means that you *probably* won't become 
infected over the network.

Ron

Rathbun, Dan wrote:
> I'm using the Conficker script and every reachable host is returning
> these same script results.  I tried backing down from -T4 to -T3 with no
> change in result.  Thoughts?  The site I am scanning is connected via a
> T3 to the Nmap server site so it should not be bandwidth related.  The
> server is running RHEL5 and Nmap is at 12798.
>
>  
>
> Here is the syntax I am using and the results I get when the port is
> open:
>
>  
>
> ./nmap --datadir=. -v -sC --script=smb-check-vulns.nse
> --script-args=safe=1 -p445 -d -PN -n -T3 --min-hostgroup 256
> --min-parallelism 64 -oA conficker_scan X.X.52.0/24
>
>  
>
> Host script results:
>
>  
>
>  |  smb-check-vulns:  
>
>  
>
>  |  MS08-067: NOT RUN
>
>  
>
>  |  Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
>
>  
>
>  |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
>
>  
>
>  Final times for host: srtt: 83494 rttvar: 83494  to: 417470
>
>  
>
> Path: .
>
> URL: svn://svn.insecure.org/nmap
>
> Repository Root: svn://svn.insecure.org
>
> Repository UUID: e0a8ed71-7df4-0310-8962-fdc924857419
>
> Revision: 12798
>
> Node Kind: directory
>
> Schedule: normal
>
> Last Changed Author: david
>
> Last Changed Rev: 12798
>
> Last Changed Date: 2009-03-31 11:29:52 -0700 (Tue, 31 Mar 2009)
>
> Dan Rathbun
> Information Security Director   
> CISSP, GSLC, GSEC, GLEG, GSNA and G7799 Certified
>
> D 978.930.5656
> dan.rathbun () aecom com
>
> AECOM
> 515 South Flower Street, 4th Floor
> Los Angeles, CA 90071-2201
>
> http://www.aecom.com <http://www.aecom.com/> 
>
> This communication is intended for the sole use of the person(s) to whom
> it is addressed and may contain information that is privileged,
> confidential or subject to copyright.  Any unauthorized use, disclosure
> or copying of this communication is strictly prohibited.  If you have
> received this communication in error, please contact the sender
> immediately.  Any communication received in error should be deleted and
> all copies destroyed.
>
>  
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org