[Pauldotcom] Scanning for Confiker via nmap
xgermx
xgermx at gmail.com
Tue Mar 31 22:02:41 UTC 2009
Anyone used this tool to scan for conficker?
http://www.doxpara.com/?p=1285
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
Taming Conficker, The Easy Way
We may not know what the Conficker authors have in store for us on
April 1st, but I doubt many network administrators want to find out.
Maybe they don't have to: I've been working with the Honeynet
Project's Tillmann Werner and Felix Leder, who have been digging into
Conficker's profile on the network. What we've found is pretty cool:
Conficker actually changes what Windows looks like on the network, and
this change can be detected remotely, anonymously, and very, very
quickly. You can literally ask a server if it's infected with
Conficker, and it will tell you. Tillmann and Felix have their own
proof of concept scanner, and with the help of Securosis' Rich Mogull
and the multivendor Conficker Working Group, enterprise-class scanners
should already be out from Tenable (Nessus), McAfee/Foundstone, nmap,
ncircle, and Qualys.
On Tue, Mar 31, 2009 at 4:25 PM, Tim Mugherini <gbugbear at gmail.com> wrote:
> Thanks just read that too
>
> On 3/31/09, Nick Baronian <nbaronian at gmail.com> wrote:
>> I believe vulnerable machines will crash.
>> http://seclists.org/nmap-dev/2009/q1/0878.html
>>
>> If you were getting mixed results you might want to re-grab the latest svn.
>> It has been patched several times already today and corrected some issues I
>> was seeing.
>>
>> 2009/3/31 Tim Mugherini <gbugbear at gmail.com>
>>
>>> I got that too went with -script-args unsafe=1 and seems to work for most
>>>
>>> Think someone mentioned that yesterday somewhere
>>>
>>> not sure what the downside may be
>>>
>>> 2009/3/31 Dan Baxter <danthemanbaxter at gmail.com>
>>>
>>>> Thanks! That helps a lot. However, my results aren't quite what I'd
>>>> hoped. Every machine that has 445 open, I get the result below. What
>>>> would make the Conficker scan fail? Suggestions? Thanks
>>>>
>>>> PORT STATE SERVICE
>>>> 445/tcp open microsoft-ds
>>>>
>>>> Host script results:
>>>> | smb-check-vulns:
>>>> | MS08-067: FIXED
>>>> | Conficker: ERROR: SMB: Failed to receive bytes: ERROR
>>>> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
>>>>
>>>> Dan Baxter
>>>> -------------------------------------------------
>>>> Quis custodiet ipsos custodes?
>>>>
>>>>
>>>> 2009/3/31 Russell Butturini
>>>> <rbutturini at epictn.com>
>>>>
>>>>> I found you need to add the -vv (very verbose) flag using that
>>>>> command. Otherwise you don't see the script results. See below:
>>>>>
>>>>>
>>>>>
>>>>> Discovered open port 445/tcp on x.x.x.x
>>>>> Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total ports)
>>>>> NSE: Initiating script scanning.
>>>>> Initiating NSE at 09:29
>>>>> Completed NSE at 09:29, 0.50s elapsed
>>>>> Host x.x.x.x appears to be up ... good.
>>>>> Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s
>>>>> Interesting ports on x.x.x.x:
>>>>> PORT STATE SERVICE
>>>>> 445/tcp open microsoft-ds
>>>>> MAC Address: 00:11:25:E9:04:52 (IBM)
>>>>>
>>>>> Host script results:
>>>>> | smb-check-vulns:
>>>>> | MS08-067: FIXED
>>>>> | Conficker: Likely CLEAN
>>>>>
>>>>>
>>>>> *From:*
>>>>> pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com]
>>>>> *On Behalf Of *Dan Baxter
>>>>> *Sent:* Tuesday, March 31, 2009 9:01 AM
>>>>> *To:* PaulDotCom Security Weekly Mailing List
>>>>> *Subject:* Re: [Pauldotcom] Scanning for Confiker via nmap
>>>>>
>>>>>
>>>>>
>>>>> So forgive my lack of nmap-fu, but if I run this what am I looking for?
>>>>> I get back responses that list some with 445 open, some closed and a few
>>>>> filtered. How do I determine which may be infected.
>>>>>
>>>>>
>>>>> for clarification I'm running nmap -p 445 --script smb-check-vulns.nse
>>>>>
>>>>> Thanks
>>>>>
>>>>> Dan Baxter
>>>>> -------------------------------------------------
>>>>> Quis custodiet ipsos custodes?
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> Pauldotcom at mail.pauldotcom.com
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
> --
> Sent from my mobile device
>
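Dan's question in the thread (which of the hosts with 445 open may be infected?) comes down to reading the `Conficker:` line of each host's `smb-check-vulns` block, and once the scan covers a whole range that is tedious to do by eye. The script below is an added example, not code from the list or from the nmap project: it parses nmap's normal output in the form quoted above and buckets hosts by verdict. The embedded sample output is constructed (RFC 5737 documentation addresses), the `Likely INFECTED` string is assumed by analogy to the `Likely CLEAN` line shown in the thread, and the file name `triage.py` in the usage comment is hypothetical.

```python
"""Triage nmap smb-check-vulns output for Conficker.

Added example for this thread; not code from the list or from the nmap
project. Reads nmap's normal output (stdout or -oN) as quoted in the
thread and reports, per host, the MS08-067 state and Conficker verdict.
"""
import re
import sys
from typing import Dict, List

# Constructed sample output, modelled on the blocks quoted in the thread.
# Hosts are RFC 5737 documentation addresses, not real machines.
SAMPLE_OUTPUT = """\
Interesting ports on 192.0.2.10:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 192.0.2.11:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: ERROR: SMB: Failed to receive bytes: ERROR
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 192.0.2.12:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 192.0.2.13:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

# "Interesting ports on <host>:" opens each host block in nmap 4.x output.
HOST_RE = re.compile(r"^Interesting ports on ([^\s:]+)")
# Result lines inside the script block, e.g. "|   Conficker: Likely CLEAN";
# the last line of the block is prefixed "|_" instead of "|".
CHECK_RE = re.compile(r"^\|_?\s+(MS08-067|Conficker|regsvc DoS):\s*(.*)$")


def parse_smb_check_vulns(output: str) -> Dict[str, Dict[str, str]]:
    """Map each host to its {check name: result} dict. The dict is empty
    when 445 was closed or filtered, because the script never ran there."""
    results: Dict[str, Dict[str, str]] = {}
    host = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            continue
        if host is None:
            continue
        m = CHECK_RE.match(line)
        if m:
            results[host][m.group(1)] = m.group(2).strip()
    return results


def triage(results: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts: infected / clean / error (the check did not complete,
    so rescan) / not_checked (no script output, e.g. 445 closed or filtered)."""
    buckets: Dict[str, List[str]] = {
        "infected": [], "clean": [], "error": [], "not_checked": []}
    for host, checks in sorted(results.items()):
        verdict = checks.get("Conficker")
        if verdict is None:
            buckets["not_checked"].append(host)
        elif verdict.startswith("Likely INFECTED"):
            buckets["infected"].append(host)
        elif verdict.startswith("Likely CLEAN"):
            buckets["clean"].append(host)
        else:
            buckets["error"].append(host)
    return buckets


if __name__ == "__main__":
    # Feed real output in, e.g.:
    #   nmap -p 445 -vv --script smb-check-vulns.nse <range> | python3 triage.py
    # With no piped input the constructed sample above is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for bucket, hosts in triage(parse_smb_check_vulns(text)).items():
        print(f"{bucket:12s} {len(hosts):3d}  {' '.join(hosts)}")
```

Hosts in the `error` bucket are the ones Dan saw: the check did not complete, which says nothing either way, so they belong on a rescan list (the thread's advice was to pull the latest svn build of the script). Hosts in `not_checked` were never tested at all, since nothing answered on 445; they are not cleared, just unreached from where the scan ran.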