
#1 2009-03-31 15:33:33

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Using nmap to scan for the Conficker Virus on your network.

Sometimes we have to protect our networks from nasties; Conficker may be one of those, yet to be determined.
However, better prepared than not. Conficker is of course a "Windows" worm, but having a Linux machine available to scan the network is of course "A Good Thing".

My quick rundown on finding this bugger on your network:

Download nmap 4.85BETA5
http://download.insecure.org/nmap-dist/ … A5.tar.bz2

bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5
./configure
make
su root
make install

To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]


http://seclists.org/nmap-dev/2009/q1/0869.html
http://download.insecure.org/nmap-dist/

How to use Nmap to scan very large networks for Conficker
http://seclists.org/nmap-dev/2009/q1/0869.html

I highlighted the "interesting" sections you should look for on your scans in red.

Nmap version 4.85BETA5 ( http://nmap.org )
use@Jughead ~]$ /usr/local/bin/nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
>  -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
>  -oA conficker_scan 192.168.1.1-24

Warning: You specified a highly aggressive --min-hostgroup.

Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2009-03-31 10:16 CDT
--------------- Timing report ---------------
  hostgroups: min 256, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000
  parallelism: min 64, max 64
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Connect Scan at 10:16
Scanning 24 hosts [1 port/host]
Discovered open port 445/tcp on 192.168.1.5
Increased max_successful_tryno for 192.168.1.5 to 1 (packet drop)
Completed Connect Scan at 10:16, 0.20s elapsed (24 total ports)
Overall sending rates: 223.92 packets / s.
NSE: Initiating script scanning.
NSE: Script scanning 24 hosts.
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 10:16
Running 1 script threads:
NSE (0.397s): Starting smb-check-vulns against 192.168.1.5.
NSE: SMB: Extended login as \guest failed (NT_STATUS_NO_LOGON_SERVERS)
NSE: SMB: Extended login as \<blank> succeeded
NSE (3.026s): Finished smb-check-vulns against 192.168.1.5.
Completed NSE at 10:16, 2.63s elapsed
NSE: Script scanning completed.
Host 192.168.1.1 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.1:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1317 rttvar: 5000  to: 100000

Host 192.168.1.2 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.2:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1  to: 500000

Host 192.168.1.3 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.3:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 565 rttvar: 5000  to: 100000

Host 192.168.1.4 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.4:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1  to: 500000

Host 192.168.1.5 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 3s
Interesting ports on 192.168.1.5:
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 3977 rttvar: 5000  to: 100000

Host 192.168.1.6 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.6:
PORT    STATE  SERVICE      REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1728 rttvar: 5000  to: 100000

Host 192.168.1.7 appears to be up ... good.
Scanned at 2009-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.7:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1  to: 500000

edit:  Interesting timeline of conficker:  http://lastwatchdog.com/evolution-confi … ning-worm/

Last edited by crouse (2009-03-31 20:35:03)


#2 2009-03-31 21:49:41

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Using nmap to scan for the Conficker Virus on your network.

If you're scanning a lot of hosts, you can grep -i for either 'conficker' or 'infected' to just get the juicy details.


#3 2009-04-01 13:25:04

Daenyth
Forum Fellow
From: Boston, MA
Registered: 2008-02-24
Posts: 1,244

Re: Using nmap to scan for the Conficker Virus on your network.

crouse wrote:
bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5
./configure
make
su root
make install

NO! Please do not give out bad advice like this. All it takes is to get the PKGBUILD from abs, bump the pkgver to 4.85BETA5, change the source to use .tar.bz2 instead of .tgz, update the md5sums, then makepkg, and all works. Do NOT manually compile it.
Also, I've mailed the updated PKGBUILD to huge, so hopefully we should see a new version in repos soon.


#4 2009-04-02 11:04:58

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Using nmap to scan for the Conficker Virus on your network.

Not necessarily bad advice, there's nothing wrong with doing that if you understand what you're doing

In this case, it goes to /usr/local by default and won't conflict with anything. A make uninstall usually gets rid of it.

No need to install though, just run ./nmap from the built src directory.


#5 2009-04-03 04:54:33

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Re: Using nmap to scan for the Conficker Virus on your network.

Daenyth, Conficker wasn't as much of a threat as previously thought, but if it had been, your repo solution would have been too late to do much good.
fukawi2 --- grep -i wouldn't show much... just clean or infected, not the IPs.

grep -B 10 "Conficker" < results

would actually show what you needed from any machines that had hits.

Last edited by crouse (2009-04-03 04:56:58)


#6 2009-04-03 05:12:03

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: Using nmap to scan for the Conficker Virus on your network.

crouse wrote:

fukawi2 --- grep -i wouldn't show much... just clean or infected, not the IPs.

You must get different output to me hmm

# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -PN -d 192.168.0.0/24 | grep Conficker
|  Conficker: 192.168.0.1 Likely INFECTED
|  Conficker: 192.168.0.2 Likely CLEAN
|  Conficker: 192.168.0.3 Likely INFECTED
|  Conficker: 192.168.0.4 Likely INFECTED
|  Conficker: 192.168.0.5 Likely INFECTED
|  Conficker: 192.168.0.6 Likely INFECTED
|  Conficker: 192.168.0.7 Likely INFECTED
|  Conficker: 192.168.0.8 Likely INFECTED
|  Conficker: 192.168.0.9 Likely INFECTED

Last edited by fukawi2 (2009-04-03 06:24:34)
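The two output shapes in this thread differ: crouse's run in #1 prints "Conficker: Likely CLEAN" with the address only in the preceding "Interesting ports on ..." header, while fukawi2's -d run prints the address on the Conficker line itself, which is why a bare grep gives each of them different results. The parser below, an added example that is not from the thread or from Nmap, handles both forms and returns host-to-verdict pairs; the sample output is constructed from the lines quoted in posts #1 and #6.

```python
import re

# Constructed sample: plain output (address only in the header line) followed by
# the -d style where the Conficker line carries the address itself.
SAMPLE = """\
Host 192.168.1.4 appears to be up ... good.
Interesting ports on 192.168.1.4:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response

Host 192.168.1.5 appears to be up ... good.
Interesting ports on 192.168.1.5:
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 192.168.1.9:
Host script results:
|  smb-check-vulns:
|  Conficker: 192.168.1.9 Likely INFECTED
"""

IP = r"(\d+(?:\.\d+){3})"
# Header form: "Interesting ports on 1.2.3.4:" or "Interesting ports on name (1.2.3.4):"
HOST_RE = re.compile(r"^Interesting ports on (?:.*\()?" + IP + r"\)?:")
# Script line: "|  Conficker: Likely CLEAN" or "|  Conficker: 1.2.3.4 Likely INFECTED"
CONF_RE = re.compile(r"^\|[ _]*Conficker:\s*(?:" + IP + r"\s+)?(.+?)\s*$")


def parse_conficker(output):
    """Map each host with a Conficker verdict to that verdict string."""
    results, current = {}, None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)       # remember the host for non -d output
            continue
        m = CONF_RE.match(line)
        if m and (m.group(1) or current):
            results[m.group(1) or current] = m.group(2)
    return results


def infected_hosts(output):
    """Sorted list of hosts whose verdict contains INFECTED."""
    return sorted(h for h, v in parse_conficker(output).items() if "INFECTED" in v)
```

Feed it the normal-output file that -oA writes (the .nmap file) rather than the grepable or XML variants, since those format the script results differently.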


#7 2009-04-03 05:47:43

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Re: Using nmap to scan for the Conficker Virus on your network.

Yes I did, my output is shown above.


#8 2009-04-03 06:15:11

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Using nmap to scan for the Conficker Virus on your network.

crouse wrote:

Daenyth, Conficker wasn't as much of a threat as previously thought, but if it had been, your repo solution would have been too late to do much good.

FYI crouse - daenyth didn't suggest a "repo solution", he simply advised building an Arch package instead of installing directly from source. It's not going to take any longer than your suggestion, and in general, packages are preferred over source installs on systems with effective package management.


#9 2009-04-04 00:16:24

crouse
Arch Linux f@h Team Member
From: Iowa - USA
Registered: 2006-08-19
Posts: 907

Re: Using nmap to scan for the Conficker Virus on your network.

I simply meant that the "official" PKGBUILD was going to be too late for scanning at that point. Sorry Daenyth, I didn't word that very well at all though. What I get for staying up too late wink


#10 2009-04-04 02:22:52

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: Using nmap to scan for the Conficker Virus on your network.

fukawi2 wrote:
# nmap --script=smb-check-vulns --script-args=safe=1 -p445 -PN -d 192.168.0.0/24

Command I used at work:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

*shrug* Not sure if port 139 is needed, but that is another port for SMB networking, and it was referenced in the nmap changelog.
http://nmap.org/changelog.html

Nmap 4.85BETA5 [2009-03-30]

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
