Re: Nmap 4.85BETA8 Released!

[Ron <ron () skullsecurity net>]

Ionreflex wrote:
> Hi Ron,
>
> I'll probably give b8 a try tomorrow in our corporate network, see if I
> can find anything more than I did with b6 (I jumped over b7...)
Looking forward to hearing your results!

> I had the impression all the "little" worm did on April Fools was the
> "ET phone home" subroutine and nobody answered the call; than again I've
> talked with two consultants who said they've had to deal with an
> outbreak... but was it really Conficker ? Guess we'll never know!
On April 1, the advanced "phone home" was activated, and sometime after
that Conficker.E showed up. The Internet may not have ended, but there's
no telling what the Conficker guys are planning on doing next.

> I wonder how many will have to get b8 via http://sectools.org/nmap/ ...
> is there a counter to record how much hits ? :o)
It'd be interesting to find out.. though a lot of people will probably
download from there for fun.

> Ion
Ron



> 2009/4/21 Ron <ron () skullsecurity net <mailto:ron () skullsecurity net>>
>
>     Hopefully some of you have tried this out.. I haven't heard any
>     feedback, so I'll assume that's good news for the time being. I'd really
>     like to hear if this rooted out any infections, though!
>
>     If you want to read some more details, check out my blog post about it:
>     http://www.skullsecurity.org/blog/?p=230
>
>     I tried to be pretty thorough with explaining how the script works and
>     how to use it.
>
>     Any questions or comments, feel free to ask!
>
>     Fyodor wrote:
>     > Hi All.  I'm happy to report the release of Nmap 4.85BETA8.  It
>     > includes many improvements from our last 20 days of work, including
>     > much better Ncat http proxy server support (including authentication,
>     > and the GET/HEAD/POST methods so you can use it with Firefox), redone
>     > (much easier to read) text output for Ndiff, a whole bunch of
>     > Conficker improvements (including a great new script by Ron based on
>     > Symantec research and numerous improvements to the existing
>     > smb-check-vulns), and much more.  Our anti-Conficker efforts have
>     > apparently pissed off the Conficker authors so much that the latest
>     > variants ban nmap.* and insecure.* domains.  No worries: I've mirrored
>     > this release at http://sectools.org/nmap/.
>     >
>     > And those of you who aren't infected by Conficker can download
>     > 4.85BETA8 at the normal location:
>     >
>     > http://nmap.org/download.html
>     >
>     > To scan you network quickly for Conficker infections before the next
>     > variant breaks this new techinque, we recommend this command:
>     >
>     > nmap -p139,445 --script
>     p2p-conficker,smb-os-discovery,smb-check-vulns --script-args
>     checkconficker=1,safe=1 -T4 [target networks]
>     >
>     > If you have time for a slower but more comprehensive scan, use
>     this instead:
>     >
>     > nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
>     --script-args checkall=1,safe=1 -T4 [target networks]
>     >
>     > And here is the full list of changes since BETA7:
>     >
>     > Nmap 4.85BETA8 [2009-04-21]
>     >
>     > o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
>     >   addition to the CONNECT tunneling method, so it can be used as a
>     >   proxy with an ordinary web browser.[David]
>     >
>     > o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
>     >   --proxy-auth to provide a username and password that will be
>     required
>     >   of proxy users. Only the insecure (not encrypted) Basic
>     authentication
>     >   method is supported. [David]
>     >
>     > o Ndiff's text output has been redone to look more like Nmap output
>     >   and be easier to read. See the Ndiff README file for an example. The
>     >   XML output is now based on Nmap's XML output as well. Zenmap's diff
>     >   viewer now shows the new output with syntax highlighting. [David]
>     >
>     > o The new versions of the Conficker Internet worm ban infected systems
>     >   from visiting Insecure.Org and Nmap.Org.  We take that as a
>     >   compliment to the effectiveness of our remote Conficker scanner.
>     >   They also ban DNS substrings "honey" (for the Honeynet Project),
>     >   "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
>     >   Security, "coresecur" for Core Security Technologies, and
>     >   "iv.cs.uni" for those meddlesome (to the Conficker authors)
>     >   researchers at the University of Bonn.  For people who can't reach
>     >   nmap.org <http://nmap.org> due to infection, I've mirrored this
>     release at
>     >   http://sectools.org/nmap/. [Fyodor]
>     >
>     > o New Conficker versions eliminate the loophole we were using to
>     >   detect them with smb-check-vulns,nse, so we've added new methods
>     >   which work with the newest variants. Here are the Conficker-related
>     >   improvements since BETA7:
>     >   o Added new p2p-conficker script which detects Conficker using its
>     >     P2P update ports rather than MSRPC.  This is based on some new
>     >     research by Symantec. See
>     >     http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
>     >   o Since new Conficker variants prevent detection by our previous
>     >     MSRPC check in smb-check-vulns, we've added a new check which
>     still
>     >     works. It involves calling netpathcanonicalize on "\" rather than
>     >     "\..\" and checking for a different return value.  It was
>     discovered
>     >     by Felix Leder and Tillmann Werner.
>     >   o Improved smb-check-vulns Conficker error message text to be more
>     >     useful. [David]
>     >   o smb-check-vulns now defaults to using basic login rather than
>     >     extended logins as this seems to work better on some machines.
>     >   o Recommended command for a fast Conficker scan:
>     >     nmap -p139,445 --script
>     p2p-conficker,smb-os-discovery,smb-check-vulns \
>     >     --script-args checkconficker=1,safe=1 -T4 [target networks]
>     >   o Recommended command for a more comprehensive (but slower) scan:
>     >     nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- \
>     >     --script-args checkall=1,safe=1 -T4 [target networks]
>     >
>     > o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
>     >   code simplicity and extensibility. See
>     >   http://seclists.org/nmap-dev/2009/q2/0090.html and
>     >   http://seclists.org/nmap-dev/2009/q1/0047.html. [Patrick]
>     >
>     > o [Zenmap] The "Cancel" button has been restored to the main screen.
>     >   It will cancel the scan that is currently being displayed.
>     >
>     > o Fixed an SMB library bug which could case a nil-pointer exception
>     >   when scanning broken SMB implementations. Reported by Steve
>     >   Horejsi. [Ron]
>     >
>     > o [Ndiff] The setup.py installation script now suggests installing the
>     >   python-dev package in a certain error situation. Previously the
>     >   error message it printed was misleading:
>     >     error: invalid Python installation: unable to open
>     >     /usr/lib/python2.6/config/Makefile (No such file or directory)
>     >   The change was suggested by Aaron Leininger. [David]
>     >
>     > o [Nbase] The checksum functions now have an nbase_ prefix.  This
>     >   should prevent name collisions with internal but exported functions
>     >   in shared libraries Nmap links against (e.g. adler32() in zlib).
>     >   Such collisions seem to confuse the runtime linker on some
>     platforms.
>     >   [Daniel Roethlisberger]
>     >
>     > o Fixed banner.nse to remove surrounding whitespace from banners. For
>     >   example, this avoids a superfluous carriage return and newline
>     at the
>     >   end of SSH greetings. [Patrick]
>     >
>     > o Expanded and tweaked the product/version/info of service scans in an
>     >   attempt to reduce the number of warnings like "Warning: Servicescan
>     >   failed to fill info_template...".  Parts of this change include:
>     >   o Improved the text of the warning to be less confusing
>     >   o Increased the internal version info buffer to 256 chars from 128
>     >   o Increased the final version string length to 160 from 128 chars
>     >   o Changed the behavior when constructing the final version string so
>     >     that if it runs out of space, rather than dropping the output
>     of that
>     >     template it truncates the template with ...
>     >   o Fixed the printing of unneeded spaces between templates when
>     one of the
>     >     templates isn't going to be printed at all.
>     >   [Brandon]
>     >
>     > o Improved the service scan DB to remove certain problematic regex
>     >   patterns which could lead to PCRE_MATCHLIMIT errors. For example,
>     >   instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
>     >   ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
>     >
>     > o Changed some error() calls (which were more informational than error
>     >   messages) to use log_write() instead, and changed a few f?printf()
>     >   calls into error() or log_write(). [Brandon]
>     >
>     > o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
>     >   to resolve names using the wrong address family (such as AF_INET
>     >   rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
>     >
>     > o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry
>     Nymann.
>     >   It caused a crash when opening the Hosts Viewer on a host that
>     had OS
>     >   information. A window appeared saying simply "Runtime Error!".
>     [David]
>     >
>     > o [Zenmap] Gracefully handle unrecognized port states in the hosts
>     >   viewer. Apparently old versions of Nmap can return a state of
>     >   "unknown". This prevents this crash:
>     >       File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
>     >       File "radialnet\gui\NodeNotebook.pyo", line 257, in
>     __create_widgets
>     >     KeyError: u'unknown'
>     >   [David]
>     >
>     > o Rewrote the debugging error message "Found whacked packet protocol
>     >   17 in get_ping_pcap_result" because we decided that receiving a UDP
>     >   packet during TCP ping scan is not egregious enough to qualify as
>     >   "whacked". [David]
>     >
>     > Enjoy the new release!  And let us know on nmap-dev if you encounter
>     > any problems!  See http://nmap.org/book/man-bugs.html.
>     >
>     > -Fyodor
>     >
>     > _______________________________________________
>     > Sent through the nmap-dev mailing list
>     > http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     > Archived at http://SecLists.Org
>
>
>     --
>     Ron Bowes
>     http://www.skullsecurity.org/
>
>     _______________________________________________
>     Sent through the nmap-dev mailing list
>     http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     Archived at http://SecLists.Org


-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org