Conficker Detection: Updated

A few months ago I shared some information about checking for Conficker with nmap. Unfortunately, it turns out that post was out of date pretty quickly. Whoops. How about some updates?

From the nmap changelog page:

New Conficker versions eliminate the loophole we were using to detect them with smb-check-vulns.nse, so we’ve added new methods which work with the newest variants. Here are the Conficker-related improvements since BETA7:

  • Added new p2p-conficker script which detects Conficker using its P2P update ports rather than MSRPC. This is based on some new research by Symantec. See http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
  • Since new Conficker variants prevent detection by our previous MSRPC check in smb-check-vulns, we’ve added a new check which still works. It involves calling netpathcanonicalize on “\” rather than “\..\” and checking for a different return value. It was discovered by Felix Leder and Tillmann Werner. [Ron]
  • Improved smb-check-vulns Conficker error message text to be more useful. [David]
  • smb-check-vulns now defaults to using basic login rather than extended logins as this seems to work better on some machines. [Ron]
  • Recommended command for a fast Conficker scan (combine into 1 line):
    nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
  • Recommended command for a more comprehensive (but slower) scan:
    nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]

The key commands are in those last two bullet points (bolded by me). You can just copy and paste one into a console or command prompt. Using Windows and Zenmap, the nifty GUI? Just as simple:

Zenmap looking for Conficker

In the example above, I’m checking all addresses of a local network using the “fast” scan.
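If you are checking more than a handful of hosts, it helps to save the report and pull out only the hosts nmap flagged. The script below is an added example (not from the original post or from the nmap project): it wraps the "fast" scan from the changelog, writes normal-format output with -oN, and lists each host whose p2p-conficker or smb-check-vulns result says INFECTED. The sample report it parses is constructed here to approximate nmap's -oN layout; the exact wording of a real report may differ slightly, but the "Nmap scan report for" host header and the INFECTED / CLEAN verdicts are what the parser keys on.

```shell
#!/bin/sh
# Added example, not part of the original post or of nmap itself.
# Wraps the recommended fast Conficker scan and summarises the report.

# Run the changelog's "fast" scan against $1 (hosts/networks), saving the
# normal-format report to $2 (default conficker-scan.txt). Needs a recent
# nmap that ships the p2p-conficker script. Not run by the demo below.
run_conficker_scan() {
    targets="$1"
    report="${2:-conficker-scan.txt}"
    nmap -p139,445 \
        --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args checkconficker=1,safe=1 \
        -T4 -oN "$report" $targets
}

# Parse an nmap -oN report ($1) and print "<ip> likely INFECTED" once per
# host that has any script line containing INFECTED. Host blocks start at
# "Nmap scan report for ..."; the last field is the IP, possibly in parens
# when nmap resolved a name. CLEAN verdicts never contain INFECTED, so they
# are skipped naturally.
flag_infected_hosts() {
    awk '
        /^Nmap scan report for / {
            host = $NF
            gsub(/[()]/, "", host)   # "name (1.2.3.4)" -> 1.2.3.4
            next
        }
        /INFECTED/ && !(host in seen) {
            seen[host] = 1
            print host " likely INFECTED"
        }
    ' "$1"
}

# Constructed sample report (NOT real scan output; approximates -oN format).
# One infected host, one clean host, one host with both ports closed.
write_sample_report() {
    cat > "$1" <<'EOF'
# Nmap scan initiated (constructed sample report)
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker: Checking for Conficker.C or higher...
|   Check 1 (port 12345/tcp): INFECTED (Received valid data)
|_  4/4 checks are positive: Host is likely INFECTED
| smb-check-vulns:
|_  Conficker: Likely INFECTED

Nmap scan report for 192.168.1.20
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker: Checking for Conficker.C or higher...
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-check-vulns:
|_  Conficker: Likely CLEAN

Nmap scan report for printer.lab (192.168.1.30)
Host is up (0.0030s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
EOF
}

# Stand-alone run: demonstrate the parser on the constructed report.
# For a real check: run_conficker_scan "192.168.1.0/24" report.txt
#                   flag_infected_hosts report.txt
tmp=$(mktemp)
write_sample_report "$tmp"
flag_infected_hosts "$tmp"
rm -f "$tmp"
```

Because the summary is keyed on the host header rather than on a fixed line position, the same parser works for the slower full-port scan from the changelog too; just swap the nmap options in run_conficker_scan. Hosts whose ports are closed or filtered produce no verdict at all, so an empty result means "nothing flagged", not "everything verified clean".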

Now, go get the latest nmap beta and check out your network(s). Just in case…
