Nmap Development mailing list archives

Re: smb-check-vulns.nse reports error on hosts possibly infected with Conficker


From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Oct 2012 21:30:41 -0700

On Wed, Oct 17, 2012 at 11:39:19AM -0500, Kit Peters wrote:
> Environment: nmap / zenmap 6.01 on windows 7 64-bit.  Run against a
> heterogeneous network (TV / radio station) of servers, workstations,
> printers, and other embedded systems.
> Expected behavior: Systems likely to be infected with Conficker are
> reported as such
> Actual behavior: Possibly infected systems (in a previous run on the same
> system with nmap 5.50 they were reported as likely to be infected) generate
> the error: "Conficker: UNKNOWN; got error NT_STATUS_WERR_INVALID_PARAMETER
> (srvsvc.netpathcanonicalize)"
>
> Discussion: When I ran a scan on the network with nmap 5.50 many of the
> systems that generated the NT_STATUS_WERR_INVALID_PARAMETER error were
> reported as likely to be infected with Conficker.C or lower.  One system in
> particular (192.168.87.201) I am fairly certain is infected.  However, when
> I updated to (ze)nmap 6.01, all of these systems instead gave me the above
> error.

Thanks for this report. There was in fact a bug. Please try this
revision of the script:
https://svn.nmap.org/nmap/scripts/smb-check-vulns.nse

The problem was the name of an error code that was being checked for by
the script. It was changed in r24847 from NT_STATUS_WERR_UNKNOWN_57 to
NT_STATUS_WERR_INVALID_PARAMETER, and the code was still looking for an
"UNKNOWN_57" string. I don't know why the code is searching for status
code names rather than just comparing integers.

David Fifield
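
The failure described in this reply, as an added sketch in Lua (the language NSE scripts are written in); it is not part of the original message and is not Nmap's code. The name tables, `rpc_result`, the fallback naming and both verdict functions are hypothetical, and mapping code 0x57 to a "Likely INFECTED" verdict is an assumption drawn from the report quoted above.

```lua
-- Added illustration; not code from smb-check-vulns.nse or Nmap's smb library.
local WERR_INVALID_PARAMETER = 0x57 -- Win32 error 87 (ERROR_INVALID_PARAMETER)

-- Constructed name tables modelling the rename described for r24847.
local names_before = { [0x57] = "NT_STATUS_WERR_UNKNOWN_57" }
local names_after  = { [0x57] = "NT_STATUS_WERR_INVALID_PARAMETER" }

-- Hypothetical RPC result: the numeric code plus whatever display name the
-- current table assigns to it (constructed fallback name for unlisted codes).
local function rpc_result(code, names)
  local name = names[code] or string.format("NT_STATUS_WERR_UNKNOWN_%02x", code)
  return { code = code, name = name }
end

-- Fragile check: depends on the spelling of a display name.
local function verdict_by_name(r)
  if string.find(r.name, "UNKNOWN_57", 1, true) then
    return "Likely INFECTED"
  end
  return "UNKNOWN; got error " .. r.name
end

-- Robust check: depends only on the numeric value returned by the call.
local function verdict_by_code(r)
  if r.code == WERR_INVALID_PARAMETER then
    return "Likely INFECTED"
  end
  return "UNKNOWN; got error " .. r.name
end

-- 0x57 is the code of interest, 0x05 an unrelated error, and 0x570 a code
-- whose fallback name merely contains the searched substring.
for _, case in ipairs({
  { "before rename", names_before },
  { "after rename",  names_after  },
}) do
  for _, code in ipairs({ 0x57, 0x05, 0x570 }) do
    local r = rpc_result(code, case[2])
    print(string.format("%-13s 0x%03x  by name: %-52s by code: %s",
      case[1], code, verdict_by_name(r), verdict_by_code(r)))
  end
end
```

After the rename, the name-based check stops matching 0x57 while the integer comparison is unaffected; the 0x570 rows show that a substring match can also fire on an unrelated code.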