Nmap Development mailing list archives

Re: Question - script: p2p-conficker


From: Ron <ron () skullsecurity net>
Date: Wed, 22 Jan 2014 09:36:12 -0800

Daniel is correct.

The reason I chose to use ports 139 and 445 as an example was simply
because those are the most likely ports to be open to find a Windows
host. After verifying one of those is open - and it's therefore Windows -
it checks the four not-quite-randomly chosen UDP ports to see if
Conficker is present.

The issue with checking UDP is that it's slowwwwwwwwwww. But if you want
to be careful, you can easily hack the script to scan all hosts.

FWIW, Conficker had an auto-update mechanism built in. Some time since
everybody got bored of it, it's quite possible that they've updated it
to use a different algorithm to generate the ports, thus bypassing
scripts like that. I don't know if they did or not, but anything's
possible!

Ron

On 2014-01-22 06:53, Daniel Miller wrote:
> On Mon, Jan 20, 2014 at 5:50 PM,  <Joe.Lemak () omya com> wrote:
>> This is a comment in a script description:
>> "This check won't work properly on a multihomed or NATed system because
>> the open ports will be based on a nonpublic IP"
>>
>> Is the above script comment saying that it will not work on my
>> internal network using private IPs?
>
>
> Joe,
>
> Conficker uses an algorithm to choose ports to open that depends on
> the IP address of the host that is infected. If the host only has one
> IP address, even if it is a private address, the script will work,
> since it starts with the same information that Conficker does.
>
> If, on the other hand, the infected host has multiple IP addresses, or
> is being accessed via an IP other than its internal IP (i.e. through
> port forwarding on a NAT device), the script will be calculating open
> ports based on an IP that is different than the one Conficker is
> using.
>
> Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
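The multihomed/NAT caveat Dan describes above, as an added illustration that is not part of the thread and not the p2p-conficker script's own code. The port-derivation function here is a hypothetical stand-in (SHA-256 over the address and a week number) and is NOT Conficker's real algorithm; it only reproduces the property that matters for the discussion: the candidate port set is a deterministic function of the IP address the malware sees, so a scanner that derives the set from a different address (the NAT's public side, or one of several interfaces) probes the wrong ports.

```python
import hashlib
import ipaddress
from typing import List, Set

# Hypothetical stand-in for an IP-dependent port derivation. The real
# Conficker generator is different; this just has the same shape
# (deterministic in the host's own address plus a time component).
PORTS_PER_HOST = 4
LOW_PORT = 1024  # constructed choice: stay out of the privileged range


def candidate_ports(ip: str, week: int) -> List[int]:
    """Derive the ports the (hypothetical) worm would open on a host that
    believes its address is `ip` during week `week`."""
    addr = ipaddress.ip_address(ip).packed  # 4 raw bytes for IPv4
    ports = []
    counter = 0
    while len(ports) < PORTS_PER_HOST:
        digest = hashlib.sha256(addr + week.to_bytes(4, "big") + bytes([counter])).digest()
        port = LOW_PORT + int.from_bytes(digest[:2], "big") % (65535 - LOW_PORT)
        if port not in ports:  # keep the set distinct, as a real listener would
            ports.append(port)
        counter += 1
    return ports


def scanner_ports(target_ip: str, week: int) -> Set[int]:
    """What a scanner computes: it only knows the address it is scanning."""
    return set(candidate_ports(target_ip, week))


def infected_host_ports(host_ips: List[str], week: int) -> Set[int]:
    """What a multihomed host actually opens: the worm picks one address it
    sees locally. We model the worst case for the scanner by taking the
    union over all local addresses (assumption: we don't know which one)."""
    opened: Set[int] = set()
    for ip in host_ips:
        opened.update(candidate_ports(ip, week))
    return opened


def check_would_work(host_ips: List[str], scanned_ip: str, week: int) -> bool:
    """True only if the ports the scanner probes are all ports the host
    could actually have opened; False in the NAT / multihomed mismatch."""
    return scanner_ports(scanned_ip, week) <= infected_host_ports(host_ips, week)


if __name__ == "__main__":
    week = 2014 * 53 + 4  # constructed week counter

    # Case 1: single-homed host on a private address, scanned directly.
    # The scanner starts from the same address the host uses -> works.
    print("direct scan:", check_would_work(["10.0.0.5"], "10.0.0.5", week))

    # Case 2: same host reached through port forwarding on a NAT device.
    # The scanner derives ports from the public address -> wrong ports.
    print("via NAT:", check_would_work(["10.0.0.5"], "203.0.113.7", week))

    # Case 3: multihomed host; scanning one interface still misses the
    # ports derived from the other one unless you scan both addresses.
    print("multihomed, one iface:",
          check_would_work(["10.0.0.5", "192.168.1.5"], "10.0.0.5", week),
          "union size:", len(infected_host_ports(["10.0.0.5", "192.168.1.5"], week)))
```

Usage note: the practical takeaway is the one Ron gives in the thread. If you cannot be sure the address you scan is the address the host sees, do not rely on the derived candidate set; scan the hosts' UDP range more broadly (accepting that UDP scanning is slow), or compute the set from each internal address the host is known to have and probe the union.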