Scanning for Confiker via nmap

[paul at pauldotcom.com (Paul Asadoorian)]

I would also recommend grabbing the latest SVN as of this morning.
Renaud found a bug in the checking algorithm. Both Nmap and Nessus have
been updates, for more details on the Nessus side see:

http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html

Cheers,
Paul

Nick Baronian wrote:
> I believe vulnerable machines will crash.
> http://seclists.org/nmap-dev/2009/q1/0878.html
>
> If you were getting mixed results you might want to re-grab the latest
> svn.  It has been patched several times already today and corrected some
> issues I was seeing.
>
> 2009/3/31 Tim Mugherini <gbugbear at gmail.com <mailto:gbugbear at gmail.com>>
>
>     I got that too went with -script-args unsafe=1 and seems to work for
>     most
>
>     Think someone mentioned that yesterday somewhere
>
>     not sure what the downside may be
>
>     2009/3/31 Dan Baxter <danthemanbaxter at gmail.com
>     <mailto:danthemanbaxter at gmail.com>>
>
>         Thanks!  That helps a lot.  However, my results aren't quite
>         what I'd hoped.  Every machine that has 445 open, I get the
>         result below.  What would make the Conficker scan fail? 
>         Suggestions?  Thanks
>
>
>
>         PORT    STATE SERVICE
>
>         445/tcp open  microsoft-ds
>
>         Host script results:
>         |  smb-check-vulns: 
>         |  MS08-067: FIXED
>         |  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
>         |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
>
>
>
>
>         Dan Baxter
>         -------------------------------------------------
>         Quis custodiet ipsos custodes?
>
>
>         2009/3/31 Russell Butturini <rbutturini at epictn.com
>         <https://mail.google.com/mail?view=cm&tf=0&to=rbutturini at epictn.com>>
>
>             I found you need to add the ?vv (very verbose) flag using
>             that command.  Otherwise you don?t see the script results. 
>             See below:
>
>              
>
>             Discovered open port 445/tcp on x.x.x.x
>
>             Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total
>             ports)
>
>             NSE: Initiating script scanning.
>
>             Initiating NSE at 09:29
>
>             Completed NSE at 09:29, 0.50s elapsed
>
>             Host x.x.x.x appears to be up ... good.
>
>             Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s
>
>             Interesting ports on x.x.x.x:
>
>             PORT    STATE SERVICE
>
>             445/tcp open  microsoft-ds
>
>             MAC Address: 00:11:25:E9:04:52 (IBM)
>
>              
>
>             Host script results:
>
>             |  smb-check-vulns:
>
>             |  MS08-067: FIXED
>
>             |  Conficker: Likely CLEAN
>
>             *From:* pauldotcom-bounces at mail.pauldotcom.com
>             <https://mail.google.com/mail?view=cm&tf=0&to=pauldotcom-bounces at mail.pauldotcom.com>
>             [mailto:pauldotcom-bounces at mail.pauldotcom.com
>             <https://mail.google.com/mail?view=cm&tf=0&to=pauldotcom-bounces at mail.pauldotcom.com>]
>             *On Behalf Of *Dan Baxter
>             *Sent:* Tuesday, March 31, 2009 9:01 AM
>
>             *To:* PaulDotCom Security Weekly Mailing List
>             *Subject:* Re: [Pauldotcom] Scanning for Confiker via nmap
>
>              
>
>             So forgive my lack of nmap-fu, but if I run this what am I
>             looking for?  I get back responses that list some with 445
>             open, some closed and a few filtered.  How do I determine
>             which may be infected.
>
>
>             for clarification I'm running nmap -p 445 --script
>             smb-check-vulns.nse
>
>             Thanks
>
>             Dan Baxter
>             -------------------------------------------------
>             Quis custodiet ipsos custodes?
>
>
>             _______________________________________________
>             Pauldotcom mailing list
>             Pauldotcom at mail.pauldotcom.com
>             <https://mail.google.com/mail?view=cm&tf=0&to=Pauldotcom at mail.pauldotcom.com>
>             http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>             Main Web Site: http://pauldotcom.com
>
>
>
>         _______________________________________________
>         Pauldotcom mailing list
>         Pauldotcom at mail.pauldotcom.com
>         <mailto:Pauldotcom at mail.pauldotcom.com>
>         http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>         Main Web Site: http://pauldotcom.com
>
>
>
>     _______________________________________________
>     Pauldotcom mailing list
>     Pauldotcom at mail.pauldotcom.com <mailto:Pauldotcom at mail.pauldotcom.com>
>     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>     Main Web Site: http://pauldotcom.com
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552