Nmap Development mailing list archives
Re: conficker script in NMAP
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 31 Mar 2009 23:01:06 +0000
I'll try taking a stab at these. Comments inline.

On Tue, 31 Mar 2009 14:58:10 -0500 "Watson, Deborah L" <dwatson () pmrg com> wrote:
> Is there a reference for understanding the output of the script?
Somewhat. See http://nmap.org/nsedoc/scripts/smb-check-vulns.html
> I am getting some responses from some systems and NT_STATUS_ACCESS_DENIED from others. I am thinking I need to provide credentials, but not finding an option for that.
You have to be able to connect to the BROWSER named pipe which could require credentials. If you are getting an access denied the machine is likely to not be anonymously exploitable (even if it isn't patched).
> Ran like this:
>
> sudo nmap -sC -p 445 -T4 -d -n -oA conficker_scan --min-hostgroup 256 --min-parallelism 64 --script smb-check-vulns --script-args safe=1 10.2.105.0/24
>
> Also output is a little confusing:
>
> Result example 1: this example seems to have an access issue - is there a way to fix this?
>
> Host 10.2.105.19 appears to be up ... good.
> Scanned at 2009-03-31 12:04:51 Central Daylight Time for 3s
> Interesting ports on 10.2.105.19:
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
>
> Host script results:
> |  smb-check-vulns:
> |  MS08-067: NOT RUN
> |  Conficker: Likely CLEAN
> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 0 rttvar: 3750 to: 100000
I don't see the access issue. The line:

| Conficker: Likely CLEAN

Looks like the check ran properly and the machine is probably clean.
> Result Example 2 - this looks like it ran, but what does MS08-076: NOT RUN mean? We have verified that the patch is in fact installed.
It means the check wasn't run but I see the confusion. It could be read to mean the MS08-067 patch itself wasn't run... Maybe we should change the text to "script check not run" or something like that.
> Host 10.2.105.22 appears to be up ... good.
> Scanned at 2009-03-31 12:04:51 Central Daylight Time for 3s
> Interesting ports on 10.2.105.22:
> PORT    STATE SERVICE      REASON
> 445/tcp open  microsoft-ds syn-ack
>
> Host script results:
> |  smb-check-vulns:
> |  MS08-067: NOT RUN
> |  Conficker: Likely CLEAN
> |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> Final times for host: srtt: 2000 rttvar: 7750 to: 100000
When you run the script with 'safe=1' the MS08-067 check isn't run. Nmap did not try to determine if the machine was patched or not. It only tried to see if Conficker was on the box. If you want to test for MS08-067 too drop the 'safe=1' argument.
> Thank you,
> Deborah Watson
Our pleasure, let us know if you have any other questions or if the above isn't clear.

Brandon
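
The reading of the output described in this message, as an added example that is not part of the original e-mail or of Nmap itself: a small Python triage parser that keeps "NOT RUN" (check skipped) separate from "Likely CLEAN". The 192.0.2.10 host and its ERROR line are constructed (an assumed layout for the access-denied case), and the function names are hypothetical.

```python
import re

# Constructed sample. The first host copies the layout quoted in this thread;
# the second host and its ERROR line are an assumed layout for access denied.
SAMPLE = """\
Interesting ports on 10.2.105.22:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Interesting ports on 192.0.2.10:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: ERROR: NT_STATUS_ACCESS_DENIED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
CHECK_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker|regsvc DoS):\s*(.+?)\s*$")

def classify(value):
    """Map one result string to a triage status."""
    upper = value.upper()
    if upper.startswith("NOT RUN"):
        return "unchecked"      # check skipped; says nothing about the host
    if "NT_STATUS_" in upper:
        return "inconclusive"   # SMB error; the check could not complete
    if upper == "LIKELY CLEAN":
        return "clean"
    return "review"             # any other value goes to a human

def parse(text):
    """Return {host: {check: (status, raw_value)}} from normal Nmap output."""
    results, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            continue
        m = CHECK_RE.match(line)
        if m and host is not None:
            results[host][m.group(1)] = (classify(m.group(2)), m.group(2))
    return results

def needs_followup(results, check):
    """Hosts whose result for `check` is anything other than clean."""
    return sorted(h for h, r in results.items()
                  if r.get(check, ("unchecked", ""))[0] != "clean")
```

With a scan run under safe=1, `needs_followup(parse(output), "MS08-067")` lists every host, because the patch state was never tested.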