Nmap Development mailing list archives

Nmap 4.85BETA5: Now with Conficker detection!


From: Fyodor <fyodor () insecure org>
Date: Mon, 30 Mar 2009 13:03:19 -0700

Hi All!  We found out just yesterday about new research by Tillmann
Werner and Felix Leder of a way to anonymously scan for Conficker worm
infections!  Ron sprang into action and added the detection to the
smb-check-vulns NSE script!  I even had to infect one of my own
systems for Ron to test with.  David and Brandon helped too.  And now
we're happy to release Nmap 4.85BETA5, which includes the Conficker
detection!

You can find it on the download page:

http://nmap.org/download.html

Here is an example command for detecting Conficker:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

It is worth scanning soon, since Conficker nodes are set to be updated
with new instructions on Wednesday if they aren't cleaned by then!

Note that I've removed 4.76 from the D/L page as I think 4.85BETA5 is
the way to go in general.

Test this out soon, if you can, and send your results to nmap-dev, as
this release is sure to get a lot of attention and interest :).

Here are the changes since 4.85BETA4 a couple weeks ago:

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

o Ndiff now includes service (version detection) and OS detection
  differences. [David]

o [Ncat] The --exec and --sh-exec options now work in UDP mode like
  they do in TCP mode: the server handles multiple concurrent clients
  and doesn't have to be restarted after each one. Marius Sturm
  provided the patch.

o [Ncat] The -v option (used alone) no longer floods the screen with
  debugging messages. With just -v, we now only print the most
  important status messages such as "Connected to ...", a startup
  banner, and error messages.  At -vv, minor debugging messages are
  enabled, such as what command is being executed by --sh-exec.  With
  -vvv you get detailed debugging messages. [David]

o [Ncat] Chat mode now lets other participants know when someone
  connects or disconnects, and it also broadcasts a current list of
  participants at such times. [David]

o [Ncat] Fixed a socket handling bug which could occur when you
  redirect Ncat stdin, such as "ncat -l --chat < /dev/null".  The next
  user to connect would end up with file descriptor 0 (which is
  normally stdin) and thus confuse Ncat. [David]

o [Zenmap] The "Scan Output" expanders in the diff window now behave
  more naturally. Some strange behavior on Windows was noted by Jah.
  [David]

o The following OS detection tests are no longer included in OS
  fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI,
  and SI were found not to be helpful in distinguishing operating
  systems because they didn't vary. TOS and TOSI were disabled in
  4.85BETA1 but now they are not included in prints at all. [David]

o The compile-time Nmap ASCII dragon is now more ferocious thanks to
  better teeth alignment. [David]

o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
  test that could cause a closed-port IP ID to be written into the
  array for the SEQ.TI test and cause erroneous results. The bug was
  found and fixed by Guillaume Prigent.

o Nbase has grown routines for calculating Adler32 and CRC32C
  checksums. This is needed for future SCTP support. [Daniel
  Roethlisberger]

o [Zenmap] Zenmap no longer shows an error message when running Nmap
  with options that cause a zero-length XML file to be produced (like
  --iflist). [David]

o Fixed an off-by-one error in printableSize() which could cause Nmap
  to crash while reporting NSE results. Also, NmapOutputTable's memory
  allocation strategy was improved to conserve memory. [Brandon,
  Patrick]

o [Zenmap] We now give the --force option to setup.py for installation
  to ensure that it replaces all files. [David]

o Nmap's --packet-trace, --version-trace, and --script-trace now use
  an Nsock trace level of 2 rather than 5.  This removes some
  superfluous lines which can flood the screen. [David]

o [Zenmap] Fixed a crash which could occur when loading the help URL
  if the path contains multibyte characters. [David]

o [Ncat] The version number is now matched to the Nmap release it came
  with rather than always being 0.2. [David]

o Fixed a strtok issue between load_exclude and
  TargetGroup::parse_expr that caused only the first exclude on
  a line to be loaded as well as an invalid read into free()'d
  memory in load_exclude(). [Brandon, David]

o NSE's garbage collection system (for cleaning up sockets from
  completed threads, etc.) has been improved. [Patrick]

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
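The scan command above only tells you what to run; the follow-up is sorting its results into hosts to clean, hosts that look fine and hosts the check could not decide. The script below is an added example for this page, not code from the mail or from Nmap. It assumes the scan was run with "-oX scan.xml" so that Nmap wrote its XML report, and that smb-check-vulns reports its verdict on an output line beginning with "Conficker:" (an assumption about the script's wording; change CONFICKER_RE if your version prints something else). The sample report embedded in it is constructed.

```python
"""Triage the XML output of the Conficker scan command from the announcement.

Added example written for this page; it is not part of the original mail or
of Nmap. It assumes the scan was run with "-oX scan.xml" and that
smb-check-vulns prints its verdict on a line starting with "Conficker:".
"""
import re
import sys
import xml.etree.ElementTree as ET

# Matches the verdict text that follows "Conficker:" on one output line
# (assumed wording of the script's output).
CONFICKER_RE = re.compile(r"Conficker:\s*([^\n]+)")

# Constructed sample report: two SMB hosts with verdicts, one whose SMB port
# was filtered (so the script never ran) and one where the check errored.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.85BETA5"
 args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)&#xa;  Conficker: Likely INFECTED"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)&#xa;  Conficker: Likely CLEAN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#xa;  Conficker: UNKNOWN; got error SMB: Failed to receive bytes"/></hostscript>
  </host>
</nmaprun>
"""


def parse_conficker_results(xml_text):
    """Return {ipv4: verdict} for every host carrying a smb-check-vulns
    Conficker line; hosts without any script output are left out."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            match = CONFICKER_RE.search(script.get("output", ""))
            if match:
                results[addrs[0]] = match.group(1).strip()
    return results


def classify(results):
    """Split verdicts into infected / clean / unknown buckets so the infected
    list can go straight to the clean-up queue and the unknowns get a
    second look (filtered ports, SMB errors) rather than being forgotten."""
    buckets = {"infected": [], "clean": [], "unknown": []}
    for ip, verdict in sorted(results.items()):
        upper = verdict.upper()
        if "INFECTED" in upper:
            buckets["infected"].append(ip)
        elif "CLEAN" in upper:
            buckets["clean"].append(ip)
        else:
            buckets["unknown"].append(ip)
    return buckets


def main(argv):
    # Usage: python triage.py scan.xml   (falls back to the constructed sample)
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_XML
    for name, ips in classify(parse_conficker_results(xml_text)).items():
        print(f"{name:>8}: {', '.join(ips) or '-'}")


if __name__ == "__main__":
    main(sys.argv)
```

Hosts that never produced script output (192.0.2.12 in the sample) do not appear in the result at all; if you want them in the unknown bucket as well, compare the parsed addresses against the target list you scanned.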

