Nmap Development mailing list archives

Re: conficker script in NMAP


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 31 Mar 2009 23:01:06 +0000


I'll try taking a stab at these.  Comments inline.


On Tue, 31 Mar 2009 14:58:10 -0500
"Watson, Deborah L" <dwatson () pmrg com> wrote:

> Is there a reference for understanding the output of the script?


Somewhat.  See http://nmap.org/nsedoc/scripts/smb-check-vulns.html


> I am getting some responses from some systems and
> NT_STATUS_ACCESS_DENIED from others. I am thinking I need to provide
> credentials, but not finding an option for that.


You have to be able to connect to the BROWSER named pipe which could
require credentials.  If you are getting an access denied the machine
is likely to not be anonymously exploitable (even if it isn't patched).


> Ran like this: sudo -sC -p 445 -T4 -d -n -oA conficker_scan
> --min-hostgroup 256 --min-parallelism 64 --script smb-check-vulns
> --script-args safe=1 10.2.105.0/24
>
> Also output is a little confusing:
>
> Result example 1: this example seems to have an access issue - is
> there a way to fix this?
>
> Host 10.2.105.19 appears to be up ... good.
> Scanned at 2009-03-31 12:04:51 Central Daylight Time for 3s
> Interesting ports on 10.2.105.19:
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
>
> Host script results:
> |  smb-check-vulns:
> |  MS08-067: NOT RUN
> |  Conficker: Likely CLEAN
> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 0 rttvar: 3750  to: 100000

 

I don't see the access issue.  The line:

|  Conficker: Likely CLEAN

Looks like the check ran properly and the machine is probably clean.



> Result Example 2 - this looks like it ran, but what does MS08-076: NOT
> RUN mean? We have verified that the patch is in fact installed.

It means the check wasn't run but I see the confusion.  It could be
read to mean the MS08-067 patch itself wasn't run...  Maybe we should
change the text to "script check not run" or something like that.


> Host 10.2.105.22 appears to be up ... good.
> Scanned at 2009-03-31 12:04:51 Central Daylight Time for 3s
> Interesting ports on 10.2.105.22:
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
>
> Host script results:
> |  smb-check-vulns:
> |  MS08-067: NOT RUN
> |  Conficker: Likely CLEAN
> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 2000 rttvar: 7750  to: 100000



When you run the script with 'safe=1' the MS08-067 check isn't run.
Nmap did not try to determine if the machine was patched or not.  It
only tried to see if Conficker was on the box.

If you want to test for MS08-067 too drop the 'safe=1' argument.



> Thank you,
>
> Deborah Watson


Our pleasure, let us know if you have any other questions or if the
above isn't clear.

Brandon

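As an added example (not from this thread and not part of Nmap itself), a small parser for the smb-check-vulns lines in nmap's normal output that separates real findings from checks that were skipped, so a "NOT RUN" is not read as a patch verdict; the sample output is constructed to match the shape quoted above.

```python
import re

# Constructed sample in the shape nmap prints "Host script results" blocks
# (modelled on the thread's output; not real scan data).
SAMPLE_OUTPUT = """\
Interesting ports on 10.2.105.19:
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.2.105.22:
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
CHECK_RE = re.compile(r"^\|[_ ]\s+(MS08-067|Conficker|regsvc DoS):\s+(.+?)\s*$")

def parse_smb_check_vulns(text):
    """Return {host: {check: verdict}} for every smb-check-vulns block."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            continue
        m = CHECK_RE.match(line)
        if m and host is not None:
            results[host][m.group(1)] = m.group(2)
    return results

def triage(results):
    """Split verdicts into findings and skipped checks. "NOT RUN" means the
    script did not perform that check (e.g. safe=1 skips MS08-067); it says
    nothing about whether the host is patched."""
    findings, skipped = [], {}
    for host, checks in results.items():
        for check, verdict in checks.items():
            if verdict.startswith("NOT RUN"):
                skipped.setdefault(host, []).append(check)
            elif "VULNERABLE" in verdict or "INFECTED" in verdict:
                findings.append((host, check, verdict))
    return findings, skipped
```

Run it against the normal-output (.nmap) file written by -oA; hosts listed under skipped need a rescan without safe=1 before any conclusion about MS08-067.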

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
