Scanning for Confiker via nmap

[jsawyer at ufl.edu (John Sawyer)]

The 3rd check in the Nmap script will not run by default because it is  
considered "unsafe" since it has the possibility of crashing machines.

As for timing, I tested on a class C with 224 machines, 212 of which  
are listening on 445.

Nmap with no timing options:
        done: 256 IP addresses (224 hosts up) scanned in 40.38 seconds
Nmap with -T5
        done: 256 IP addresses (224 hosts up) scanned in 8.94 seconds
Nessus using the command you sent earlier.
        2m36.659s


-jhs


On Mar 30, 2009, at 12:40 PM, Paul Asadoorian wrote:

> Okay, to better answer your question, the Nmap NSE script checks for:
>
> * MS08-067, a Windows RPC vulnerability
> * Conficker, an infection by the Conficker worm
> * Unnamed regsvc DoS, a denial-of-service vulnerability I  
> accidentically
> found in Windows 2003
>
> The NASL script in Nessus only checks for the presence of conficker
> (conficker responds to certain RPC calls with specific error codes).
>
> So, if you are scanning a large network (class B for example), I'd  
> lean
> towards the Nessus plugin if its speed your after.  Of course, its  
> not a
> bad idea to check for the MS08-067 vulnerability while you're at it :)
>
> Also, there is another Nessus plugin that will help detect Conficker:
>
> http://www.nessus.org/plugins/index.php?view=single&id=35322
>
> It detects:
>
> "Regardless of the request that's made, the remote web server  
> returns a
> Microsoft executable."
>
> Which is behavior exhibited by Conficker.A.
>
> Cheers,
> Paul
>
> Albert R. Campa wrote:
> > interesting, so not having looked at this yet, whats the difference
> > between that and scanning with Nessus?
> >
> >
> > __________________________________
> > Albert R. Campa
> >
> >
> > 2009/3/30 John Sawyer <jsawyer at ufl.edu <mailto:jsawyer at ufl.edu>>
> >
> >    The Conficker check is in the latest SVN version of Nmap. It's in
> >    the smb-check-vulns.nse which now checks for Conficker, MS08-067  
> > and
> >    a regsvc DoS.
> >
> >    nmap --script smb-check-vulns.nse -p445
> >
> >    For safety's sake, you might want to also run it with
> >    --script-args=unsafe=1 to prevent possible crashes from the regsvc
> >    check. That should not turn off the conficker check.
> >
> >    -jhs
> >
> >    On Mar 30, 2009, at 11:10 AM, Chris Merkel wrote:
> >
> > >    According to this:
> > >    http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
> > >
> > >    A script should be released today to scan for conficker-infected
> > >    machines over the wire.
> > >
> > >    I looked at the NSE portal and haven't seen anything yet -  
> > > would it
> > >    show up there, or is there a development site or repository  
> > > where this
> > >    will first appear?
> > >
> > >    I'd like to get a scan in before April 1st, when variant C drops.
> > >
> > >    --
> > >    - Chris Merkel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090330/8e6a0274/attachment.htm