Nmap Development mailing list archives

Re: Question - script: p2p-conficker


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 22 Jan 2014 06:53:31 -0600

On Mon, Jan 20, 2014 at 5:50 PM,  <Joe.Lemak () omya com> wrote:
> This is a comment in a script description:
> "This check won't work properly on a multihomed or NATed system because
> the open ports will be based on a nonpublic IP"
>
> Is the above script comment saying that it will not work on my
> internal network using private IPs?


Joe,

Conficker uses an algorithm to choose ports to open that depends on
the IP address of the host that is infected. If the host only has one
IP address, even if it is a private address, the script will work,
since it starts with the same information that Conficker does.

If, on the other hand, the infected host has multiple IP addresses, or
is being accessed via an IP other than its internal IP (i.e. through
port forwarding on a NAT device), the script will be calculating open
ports based on an IP that is different than the one Conficker is
using.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
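
The mismatch described in the reply above, modelled as an added example (not part of the original message and not code from the Nmap project). `derive_ports` is a hypothetical stand-in, not Conficker's real port algorithm; it only reproduces the property that the ports are a function of the host's IP, and all addresses are constructed.

```python
import hashlib
import ipaddress


def derive_ports(ip: str, count: int = 2) -> list[int]:
    """STAND-IN derivation (assumption): NOT Conficker's algorithm, only the
    property the reply describes, that the ports are a function of the IP."""
    digest = hashlib.sha256(ipaddress.IPv4Address(ip).packed).digest()
    # Map successive 16-bit words of the digest into the range 1024-65535.
    return [1024 + int.from_bytes(digest[2 * i:2 * i + 2], "big") % (65536 - 1024)
            for i in range(count)]


def check(scan_ip: str, host_ips: list[str], bound_ip: str) -> dict:
    """Compare the ports a scanner would probe with the ports the host opened.

    scan_ip  -- address the scanner targets (may be a NAT device's address)
    host_ips -- every address configured on the host
    bound_ip -- the address the infected host fed into its port derivation
    """
    opened = derive_ports(bound_ip)
    probed = derive_ports(scan_ip)
    # Defender's fallback: which of the host's own addresses would have matched?
    candidates = [ip for ip in host_ips if derive_ports(ip) == opened]
    return {"probed": probed, "opened": opened,
            "match": probed == opened, "ips_that_would_match": candidates}


# Constructed scenarios: (address scanned, host's addresses, address the host used).
SCENARIOS = {
    "single private IP": ("10.0.0.5", ["10.0.0.5"], "10.0.0.5"),
    "multihomed": ("10.0.0.5", ["10.0.0.5", "192.168.7.5"], "192.168.7.5"),
    "NAT port forward": ("203.0.113.9", ["10.0.0.5"], "10.0.0.5"),
}


def run_all() -> dict:
    return {name: check(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:18} match={r['match']} probed={r['probed']} "
              f"opened={r['opened']} would_match={r['ips_that_would_match']}")
```

In the two failing scenarios the check is a false negative until the derivation is fed the host's own address; the p2p-conficker script's `realip` argument serves that purpose.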

