Re: Consistent nmap hang scanning for Conficker

[shorejsi2 () mmm com]

Ron;

 This was an old post that somehow appeared from the past.  This was this 
was the smb.lua script problem before I chased to a definitive cause.


                        -=[ Steve ]=-





Ron <ron () skullsecurity net> 
04/02/2009 02:28 PM

To
shorejsi2 () mmm com
cc
nmap-dev () insecure org
Subject
Re: Consistent nmap hang scanning for Conficker






shorejsi2 () mmm com wrote:
>  I have been having problems using Nmap 4.85BETA6 to scan for Conficker 
> infections. I have been able to narrow this down to a consistent set of 
> IPs which always results in a hard loop (nmap at 100% CPU). The output 
> looks like this:
>
> $ nmap -T4 -p139,445 -v  -v --script=smb-check-vulns --script-args 
safe=1 
> a.b.50.32/28
>
> Starting Nmap 4.85BETA6 ( http://nmap.org ) at 2009-04-02 05:02 CDT
> Initiating Ping Scan at 05:02
> Scanning 16 hosts [1 port/host]
> Completed Ping Scan at 05:02, 0.09s elapsed (16 total hosts)
> Initiating Parallel DNS resolution of 16 hosts. at 05:02
> Completed Parallel DNS resolution of 16 hosts. at 05:02, 0.00s elapsed
> Initiating Connect Scan at 05:02
> Scanning 16 hosts [2 ports/host]
> Discovered open port 139/tcp on a.b.50.35
> Discovered open port 139/tcp on a.b.50.36
> Discovered open port 139/tcp on a.b.50.39
> Discovered open port 139/tcp on a.b.50.40
> Discovered open port 139/tcp on a.b.50.45
> Discovered open port 139/tcp on a.b.50.38
> Discovered open port 139/tcp on a.b.50.37
> Discovered open port 139/tcp on a.b.50.32
> Discovered open port 139/tcp on a.b.50.41
> Discovered open port 139/tcp on a.b.50.42
> Discovered open port 139/tcp on a.b.50.44
> Discovered open port 139/tcp on a.b.50.43
> Discovered open port 139/tcp on a.b.50.47
> Completed Connect Scan at 05:02, 1.48s elapsed (32 total ports)
> NSE: Initiating script scanning.
> Initiating NSE at 05:02
> NSE Timing: About 84.62% done; ETC: 05:03 (0:00:06 remaining)
> NSE Timing: About 84.62% done; ETC: 05:03 (0:00:11 remaining)
> NSE Timing: About 84.62% done; ETC: 05:04 (0:00:17 remaining)
> NSE Timing: About 84.62% done; ETC: 05:04 (0:00:22 remaining)
> NSE Timing: About 84.62% done; ETC: 05:05 (0:00:27 remaining)
> NSE Timing: About 84.62% done; ETC: 05:06 (0:00:33 remaining)
> NSE Timing: About 84.62% done; ETC: 05:06 (0:00:38 remaining)
> NSE Timing: About 84.62% done; ETC: 05:07 (0:00:44 remaining)
> NSE Timing: About 84.62% done; ETC: 05:07 (0:00:49 remaining)
> NSE Timing: About 84.62% done; ETC: 05:08 (0:00:55 remaining)
>
>
>  What can I contribute that will help understand this problem?
>
>
>                         -=[ Steve ]=-
Hey Steve,

Can you try running it with -d and maybe even -d2, and seeing where it 
gets stuck?

Odds are it's erroring on one of the hosts and the mutex isn't being 
freed properly.

Ron



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org