Nmap Development mailing list archives
Re: Question - script: p2p-conficker
From: Ron <ron () skullsecurity net>
Date: Wed, 22 Jan 2014 09:36:12 -0800
Daniel is correct.

The reason I chose to use ports 139 and 445 as an example was simply because those are the most likely ports to be open to find a Windows host. After verifying one of those is open - and it's therefore Windows - it checks the four not-quite-randomly chosen UDP ports to see if Conficker is present. The issue with checking UDP is that it's slowwwwwwwwwww. But if you want to be careful, you can easily hack the script to scan all hosts.

FWIW, Conficker had an auto-update mechanism built in. Some time since everybody got bored of it, it's quite possible that they've updated it to use a different algorithm to generate the ports, thus bypassing scripts like that. I don't know if they did or not, but anything's possible!

Ron

On 2014-01-22 06:53, Daniel Miller wrote:
> On Mon, Jan 20, 2014 at 5:50 PM, <Joe.Lemak () omya com> wrote:
>> This is a comment in a script description:
>>
>> "This check won't work properly on a multihomed or NATed system because the open ports will be based on a nonpublic IP"
>>
>> Is the above script comment saying that it will not work on my internal network using private IPs?
>
> Joe,
>
> Conficker uses an algorithm to choose ports to open that depends on the IP address of the host that is infected. If the host only has one IP address, even if it is a private address, the script will work, since it starts with the same information that Conficker does. If, on the other hand, the infected host has multiple IP addresses, or is being accessed via an IP other than its internal IP (i.e. through port forwarding on a NAT device), the script will be calculating open ports based on an IP that is different than the one Conficker is using.
>
> Dan
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
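
Added example, not part of the original thread and not code from the p2p-conficker script: a small simulation of the multihomed/NAT caveat discussed above. `derive_ports` is a hypothetical stand-in for an IP-seeded port generator (a SHA-256 based mapping, not Conficker's real algorithm), and all addresses are constructed sample values.

```python
import hashlib
import ipaddress

def derive_ports(ip, count=4):
    """Stand-in for an IP-seeded port generator (NOT Conficker's real algorithm)."""
    seed = ipaddress.IPv4Address(ip).packed
    ports, counter = [], 0
    while len(ports) < count:
        digest = hashlib.sha256(seed + bytes([counter])).digest()
        port = 1024 + int.from_bytes(digest[:2], "big") % (65536 - 1024)
        if port not in ports:
            ports.append(port)
        counter += 1
    return ports

def scan_verdict(target_ip, host_ips, seed_ip):
    """What a scanner sees when it derives the ports to probe from target_ip.

    host_ips: every address configured on the host (constructed inventory data).
    seed_ip:  the address the infected host fed into its own port derivation.
    """
    probed = derive_ports(target_ip)
    listening = derive_ports(seed_ip)
    if probed == listening:
        return "detected"
    if target_ip in host_ips:
        return "missed: multihomed, seeded from another interface"
    return "missed: scanned via NAT/forwarded address"

def addresses_to_try(host_ips):
    """For a multihomed host, map each of its addresses to the ports it implies."""
    return {ip: derive_ports(ip) for ip in host_ips}

# Constructed scenarios (RFC 1918 and RFC 5737 documentation addresses):
# (address the scanner targets, addresses on the host, address used as seed)
SCENARIOS = {
    "single private IP": ("192.168.1.50", ["192.168.1.50"], "192.168.1.50"),
    "port-forwarded NAT": ("203.0.113.10", ["10.0.0.5"], "10.0.0.5"),
    "multihomed": ("172.16.4.9", ["10.0.0.5", "172.16.4.9"], "10.0.0.5"),
}

if __name__ == "__main__":
    for name, (target, ips, seed) in SCENARIOS.items():
        print(f"{name:20} scan {target:15} -> {scan_verdict(target, ips, seed)}")
```

A "missed" verdict here is a false negative caused by the address mismatch, not evidence that the host is clean.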