Re: Nmap 4.85BETA8 Released!

[Ionreflex <ionreflex () gmail com>]

Hi Ron,
I'll probably give b8 a try tomorrow in our corporate network, see if I can
find anything more than I did with b6 (I jumped over b7...)

I had the impression all the "little" worm did on April Fools was the "ET
phone home" subroutine and nobody answered the call; than again I've talked
with two consultants who said they've had to deal with an outbreak... but
was it really Conficker ? Guess we'll never know!

I wonder how many will have to get b8 via http://sectools.org/nmap/ ... is
there a counter to record how much hits ? :o)



Ion

2009/4/21 Ron <ron () skullsecurity net>

> Hopefully some of you have tried this out.. I haven't heard any
> feedback, so I'll assume that's good news for the time being. I'd really
> like to hear if this rooted out any infections, though!
>
> If you want to read some more details, check out my blog post about it:
> http://www.skullsecurity.org/blog/?p=230
>
> I tried to be pretty thorough with explaining how the script works and
> how to use it.
>
> Any questions or comments, feel free to ask!
>
> Fyodor wrote:
> > Hi All.  I'm happy to report the release of Nmap 4.85BETA8.  It
> > includes many improvements from our last 20 days of work, including
> > much better Ncat http proxy server support (including authentication,
> > and the GET/HEAD/POST methods so you can use it with Firefox), redone
> > (much easier to read) text output for Ndiff, a whole bunch of
> > Conficker improvements (including a great new script by Ron based on
> > Symantec research and numerous improvements to the existing
> > smb-check-vulns), and much more.  Our anti-Conficker efforts have
> > apparently pissed off the Conficker authors so much that the latest
> > variants ban nmap.* and insecure.* domains.  No worries: I've mirrored
> > this release at http://sectools.org/nmap/.
> >
> > And those of you who aren't infected by Conficker can download
> > 4.85BETA8 at the normal location:
> >
> > http://nmap.org/download.html
> >
> > To scan you network quickly for Conficker infections before the next
> > variant breaks this new techinque, we recommend this command:
> >
> > nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
> --script-args checkconficker=1,safe=1 -T4 [target networks]
> > If you have time for a slower but more comprehensive scan, use this
> instead:
> > nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
> --script-args checkall=1,safe=1 -T4 [target networks]
> > And here is the full list of changes since BETA7:
> >
> > Nmap 4.85BETA8 [2009-04-21]
> >
> > o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
> >   addition to the CONNECT tunneling method, so it can be used as a
> >   proxy with an ordinary web browser.[David]
> >
> > o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
> >   --proxy-auth to provide a username and password that will be required
> >   of proxy users. Only the insecure (not encrypted) Basic authentication
> >   method is supported. [David]
> >
> > o Ndiff's text output has been redone to look more like Nmap output
> >   and be easier to read. See the Ndiff README file for an example. The
> >   XML output is now based on Nmap's XML output as well. Zenmap's diff
> >   viewer now shows the new output with syntax highlighting. [David]
> >
> > o The new versions of the Conficker Internet worm ban infected systems
> >   from visiting Insecure.Org and Nmap.Org.  We take that as a
> >   compliment to the effectiveness of our remote Conficker scanner.
> >   They also ban DNS substrings "honey" (for the Honeynet Project),
> >   "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
> >   Security, "coresecur" for Core Security Technologies, and
> >   "iv.cs.uni" for those meddlesome (to the Conficker authors)
> >   researchers at the University of Bonn.  For people who can't reach
> >   nmap.org due to infection, I've mirrored this release at
> >   http://sectools.org/nmap/. [Fyodor]
> >
> > o New Conficker versions eliminate the loophole we were using to
> >   detect them with smb-check-vulns,nse, so we've added new methods
> >   which work with the newest variants. Here are the Conficker-related
> >   improvements since BETA7:
> >   o Added new p2p-conficker script which detects Conficker using its
> >     P2P update ports rather than MSRPC.  This is based on some new
> >     research by Symantec. See
> >     http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
> >   o Since new Conficker variants prevent detection by our previous
> >     MSRPC check in smb-check-vulns, we've added a new check which still
> >     works. It involves calling netpathcanonicalize on "\" rather than
> >     "\..\" and checking for a different return value.  It was discovered
> >     by Felix Leder and Tillmann Werner.
> >   o Improved smb-check-vulns Conficker error message text to be more
> >     useful. [David]
> >   o smb-check-vulns now defaults to using basic login rather than
> >     extended logins as this seems to work better on some machines.
> >   o Recommended command for a fast Conficker scan:
> >     nmap -p139,445 --script
> p2p-conficker,smb-os-discovery,smb-check-vulns \
> >     --script-args checkconficker=1,safe=1 -T4 [target networks]
> >   o Recommended command for a more comprehensive (but slower) scan:
> >     nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- \
> >     --script-args checkall=1,safe=1 -T4 [target networks]
> >
> > o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
> >   code simplicity and extensibility. See
> >   http://seclists.org/nmap-dev/2009/q2/0090.html and
> >   http://seclists.org/nmap-dev/2009/q1/0047.html. [Patrick]
> >
> > o [Zenmap] The "Cancel" button has been restored to the main screen.
> >   It will cancel the scan that is currently being displayed.
> >
> > o Fixed an SMB library bug which could case a nil-pointer exception
> >   when scanning broken SMB implementations. Reported by Steve
> >   Horejsi. [Ron]
> >
> > o [Ndiff] The setup.py installation script now suggests installing the
> >   python-dev package in a certain error situation. Previously the
> >   error message it printed was misleading:
> >     error: invalid Python installation: unable to open
> >     /usr/lib/python2.6/config/Makefile (No such file or directory)
> >   The change was suggested by Aaron Leininger. [David]
> >
> > o [Nbase] The checksum functions now have an nbase_ prefix.  This
> >   should prevent name collisions with internal but exported functions
> >   in shared libraries Nmap links against (e.g. adler32() in zlib).
> >   Such collisions seem to confuse the runtime linker on some platforms.
> >   [Daniel Roethlisberger]
> >
> > o Fixed banner.nse to remove surrounding whitespace from banners. For
> >   example, this avoids a superfluous carriage return and newline at the
> >   end of SSH greetings. [Patrick]
> >
> > o Expanded and tweaked the product/version/info of service scans in an
> >   attempt to reduce the number of warnings like "Warning: Servicescan
> >   failed to fill info_template...".  Parts of this change include:
> >   o Improved the text of the warning to be less confusing
> >   o Increased the internal version info buffer to 256 chars from 128
> >   o Increased the final version string length to 160 from 128 chars
> >   o Changed the behavior when constructing the final version string so
> >     that if it runs out of space, rather than dropping the output of that
> >     template it truncates the template with ...
> >   o Fixed the printing of unneeded spaces between templates when one of
> the
> >     templates isn't going to be printed at all.
> >   [Brandon]
> >
> > o Improved the service scan DB to remove certain problematic regex
> >   patterns which could lead to PCRE_MATCHLIMIT errors. For example,
> >   instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
> >   ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
> >
> > o Changed some error() calls (which were more informational than error
> >   messages) to use log_write() instead, and changed a few f?printf()
> >   calls into error() or log_write(). [Brandon]
> >
> > o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
> >   to resolve names using the wrong address family (such as AF_INET
> >   rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
> >
> > o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
> >   It caused a crash when opening the Hosts Viewer on a host that had OS
> >   information. A window appeared saying simply "Runtime Error!". [David]
> >
> > o [Zenmap] Gracefully handle unrecognized port states in the hosts
> >   viewer. Apparently old versions of Nmap can return a state of
> >   "unknown". This prevents this crash:
> >       File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
> >       File "radialnet\gui\NodeNotebook.pyo", line 257, in
> __create_widgets
> >     KeyError: u'unknown'
> >   [David]
> >
> > o Rewrote the debugging error message "Found whacked packet protocol
> >   17 in get_ping_pcap_result" because we decided that receiving a UDP
> >   packet during TCP ping scan is not egregious enough to qualify as
> >   "whacked". [David]
> >
> > Enjoy the new release!  And let us know on nmap-dev if you encounter
> > any problems!  See http://nmap.org/book/man-bugs.html.
> >
> > -Fyodor
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://SecLists.Org
>
>
> --
> Ron Bowes
> http://www.skullsecurity.org/
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org