PaulDotCom mailing list archives
Scanning for Confiker via nmap
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Wed, 01 Apr 2009 10:16:37 -0400
I would also recommend grabbing the latest SVN as of this morning. Renaud found a bug in the checking algorithm. Both Nmap and Nessus have been updated; for more details on the Nessus side see:
http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html

Cheers,
Paul

Nick Baronian wrote:
> I believe vulnerable machines will crash.
> http://seclists.org/nmap-dev/2009/q1/0878.html
>
> If you were getting mixed results you might want to re-grab the latest svn. It has been patched several times already today and corrected some issues I was seeing.
>
> 2009/3/31 Tim Mugherini <gbugbear at gmail.com>
>> I got that too, went with --script-args unsafe=1 and it seems to work for most. Think someone mentioned that yesterday somewhere; not sure what the downside may be.
>>
>> 2009/3/31 Dan Baxter <danthemanbaxter at gmail.com>
>>> Thanks! That helps a lot. However, my results aren't quite what I'd hoped. For every machine that has 445 open, I get the result below. What would make the Conficker scan fail? Suggestions?
>>>
>>> Thanks
>>>
>>> PORT    STATE SERVICE
>>> 445/tcp open  microsoft-ds
>>>
>>> Host script results:
>>> | smb-check-vulns:
>>> |   MS08-067: FIXED
>>> |   Conficker: ERROR: SMB: Failed to receive bytes: ERROR
>>> |_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
>>>
>>> Dan Baxter
>>> -------------------------------------------------
>>> Quis custodiet ipsos custodes?
>>>
>>> 2009/3/31 Russell Butturini <rbutturini at epictn.com>
>>>> I found you need to add the -vv (very verbose) flag using that command. Otherwise you don't see the script results. See below:
>>>>
>>>> Discovered open port 445/tcp on x.x.x.x
>>>> Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total ports)
>>>> NSE: Initiating script scanning.
>>>> Initiating NSE at 09:29
>>>> Completed NSE at 09:29, 0.50s elapsed
>>>> Host x.x.x.x appears to be up ... good.
>>>> Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s
>>>> Interesting ports on x.x.x.x:
>>>> PORT    STATE SERVICE
>>>> 445/tcp open  microsoft-ds
>>>> MAC Address: 00:11:25:E9:04:52 (IBM)
>>>>
>>>> Host script results:
>>>> | smb-check-vulns:
>>>> |   MS08-067: FIXED
>>>> |   Conficker: Likely CLEAN
>>>>
>>>> From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dan Baxter
>>>> Sent: Tuesday, March 31, 2009 9:01 AM
>>>> To: PaulDotCom Security Weekly Mailing List
>>>> Subject: Re: [Pauldotcom] Scanning for Confiker via nmap
>>>>
>>>>> So forgive my lack of nmap-fu, but if I run this what am I looking for? I get back responses that list some with 445 open, some closed and a few filtered. How do I determine which may be infected? For clarification, I'm running:
>>>>>
>>>>> nmap -p 445 --script smb-check-vulns.nse
>>>>>
>>>>> Thanks
>>>>>
>>>>> Dan Baxter
>>>>> -------------------------------------------------
>>>>> Quis custodiet ipsos custodes?
--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
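The thread converges on running the script with -vv (so the host script results are printed) and --script-args unsafe=1, and on treating an ERROR result as "scan failed", not "clean". As an added example that is not part of the original thread, the Python script below reads the normal (-oN) output of such a run and sorts each host into clean, infected, error or not-checked, so a host that answered like Dan's gets queued for a rerun instead of being counted as clean. The embedded sample output is constructed from the snippets posted in the thread with made-up addresses; the "Likely INFECTED" and "VULNERABLE" lines for the third host are assumed wording for a positive result and are not taken from the page.

```python
"""Triage a Conficker sweep done with Nmap's smb-check-vulns script.

Assumed command (run with -vv so the host script results are printed):

    nmap -vv -p 445 --script smb-check-vulns --script-args unsafe=1 \
         -oN conficker.nmap 10.0.0.0/24

This script then reads the -oN file and gives one verdict per host.
"""
import re
import sys
from typing import Dict

# Constructed sample of Nmap normal output, modelled on the snippets in the
# thread. Addresses are made up; the "VULNERABLE" / "Likely INFECTED" lines
# for 10.0.0.7 are assumed wording for a positive result.
SAMPLE_OUTPUT = """\
Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:11:25:E9:04:52 (IBM)

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.6:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: ERROR: SMB: Failed to receive bytes: ERROR
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.7:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.8:
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# "Interesting ports on" is the 4.x-era host header shown in the thread;
# "Nmap scan report for" is what current Nmap prints.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)")
CHECK_RE = re.compile(r"^\|_?\s+(MS08-067|Conficker|regsvc DoS): (.*)$")


def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each host to its port-445 state and its smb-check-vulns results."""
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            hosts[current]["445"] = m.group(1)
            continue
        m = CHECK_RE.match(line)
        if m:
            hosts[current][m.group(1)] = m.group(2).strip()
    return hosts


def conficker_verdict(host: Dict[str, str]) -> str:
    """Collapse one host's results into clean / infected / error / not-checked."""
    if host.get("445") != "open":
        return "not-checked"   # SMB unreachable: the script never ran
    result = host.get("Conficker", "")
    if result.startswith("ERROR"):
        return "error"         # Dan's case: rerun with updated NSE / unsafe=1
    if "INFECTED" in result:
        return "infected"
    if "CLEAN" in result:
        return "clean"
    return "not-checked"       # port open but no script block at all


def summarize(text: str) -> Dict[str, str]:
    """One verdict per host, keyed by the address Nmap printed."""
    return {h: conficker_verdict(r) for h, r in parse_smb_check_vulns(text).items()}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for host, verdict in sorted(summarize(data).items()):
        print(f"{host:<20} {verdict}")
```

Run it as `python3 triage.py conficker.nmap`; with no argument it triages the embedded sample. The point of the error bucket is the one the thread makes: a host whose Conficker check errored out (stale SVN checkout, or the check not run without unsafe=1) has not been cleared and belongs on the rerun list.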