crouse Site Admin

Joined: 17 Apr 2025 Posts: 11833 Location: Iowa
Posted: Tue Mar 31, 2025 4:00 pm Post subject: Using nmap to scan for the Conficker worm on your network. |
Sometimes we have to protect our networks from nasties; Conficker may be one of those, yet to be determined.
However, better prepared than not. Conficker is of course a "Windows" worm/virus (whatever you want to call it), but having a Linux machine available to scan the network is of course "A Good Thing".
My quick rundown on finding this bugger on your network:
Download nmap 4.85BETA5
http://download.insecure.org/nmap-dist/nmap-4.85BETA5.tar.bz2
Code: | bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5
./configure
make
su root
make install |
To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
http://download.insecure.org/nmap-dist/
How to use Nmap to scan very large networks for Conficker
http://seclists.org/nmap-dev/2009/q1/0869.html
I highlighted the "interesting" sections you should look for on your scans in red.
Quote: | Nmap version 4.85BETA5 ( http://nmap.org )
[use@Jughead ~]$ /usr/local/bin/nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
> -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
> -oA conficker_scan 192.168.1.1-24
Warning: You specified a highly aggressive --min-hostgroup.
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2025-03-31 10:16 CDT
--------------- Timing report ---------------
hostgroups: min 256, max 100000
rtt-timeouts: init 500, min 100, max 1250
max-scan-delay: TCP 10, UDP 1000
parallelism: min 64, max 64
max-retries: 6, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Connect Scan at 10:16
Scanning 24 hosts [1 port/host]
Discovered open port 445/tcp on 192.168.1.5
Increased max_successful_tryno for 192.168.1.5 to 1 (packet drop)
Completed Connect Scan at 10:16, 0.20s elapsed (24 total ports)
Overall sending rates: 223.92 packets / s.
NSE: Initiating script scanning.
NSE: Script scanning 24 hosts.
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 10:16
Running 1 script threads:
NSE (0.397s): Starting smb-check-vulns against 192.168.1.5.
NSE: SMB: Extended login as \guest failed (NT_STATUS_NO_LOGON_SERVERS)
NSE: SMB: Extended login as \<blank> succeeded
NSE (3.026s): Finished smb-check-vulns against 192.168.1.5.
Completed NSE at 10:16, 2.63s elapsed
NSE: Script scanning completed.
Host 192.168.1.1 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.1:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1317 rttvar: 5000 to: 100000
Host 192.168.1.2 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.2:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000
Host 192.168.1.3 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.3:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 565 rttvar: 5000 to: 100000
Host 192.168.1.4 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.4:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000
Host 192.168.1.5 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 3s
Interesting ports on 192.168.1.5:
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 3977 rttvar: 5000 to: 100000
Host 192.168.1.6 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 0s
Interesting ports on 192.168.1.6:
PORT STATE SERVICE REASON
445/tcp closed microsoft-ds conn-refused
Final times for host: srtt: 1728 rttvar: 5000 to: 100000
Host 192.168.1.7 appears to be up ... good.
Scanned at 2025-03-31 10:16:26 CDT for 1s
Interesting ports on 192.168.1.7:
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
Final times for host: srtt: -1 rttvar: -1 to: 500000 |
_________________ Veronica - Arch Linux 64-bit -- Kernel 2.6.33.4-1
Archie/Jughead - Arch Linux 32-bit -- Kernel 2.6.33.4-1
Betty/Reggie - Arch Linux (VBox) 32-bit -- Kernel 2.6.33.4-1
BumbleBee - OpenSolaris-SunOS 5.11
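The scan above was run with -oA, so besides the text output there is a conficker_scan.xml file. Triaging a few hosts by eye is fine, but on a large network you want the "Conficker: Likely INFECTED" lines pulled out automatically. The following is an added example (it is not code from this post or from the nmap project): it parses nmap's XML output, keys every host to a verdict, and exits non-zero if anything looks infected. The embedded sample XML is constructed to mirror the hosts shown in the post (192.168.1.1, .2 and .5) plus one hypothetical infected host, 192.168.1.9, added purely for illustration; the verdict strings are assumed to match the smb-check-vulns wording shown in the thread.

```python
"""Triage nmap XML output from an smb-check-vulns Conficker sweep.

Added example, not code from the forum post or from nmap. Assumes the
scan was run with -oA so that <prefix>.xml exists, and that the hostscript
output uses the "Conficker: Likely CLEAN / Likely INFECTED" wording shown
in the thread.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the triage relies on.
# 192.168.1.9 is a hypothetical infected host added for illustration.
SAMPLE_XML = """<nmaprun scanner="nmap" version="4.85BETA5">
<host><status state="up" reason="user-set"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="closed" reason="conn-refused"/><service name="microsoft-ds"/></port></ports>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.1.2" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port></ports>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.1.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.1.9" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)"/></hostscript>
</host>
</nmaprun>
"""

CONFICKER_RE = re.compile(r"Conficker:\s*(.+)")


def triage(xml_text):
    """Return {ip: verdict} for every host in an nmap XML document.

    Verdicts: "INFECTED", "CLEAN", "UNKNOWN" (445/tcp open but the script
    gave no Conficker line) or "NO-SMB" (445/tcp not open, so the check
    could not run at all; such hosts need another look, not a free pass).
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        state = host.find("ports/port[@portid='445']/state")
        if state is None or state.get("state") != "open":
            results[ip] = "NO-SMB"
            continue
        verdict = "UNKNOWN"
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        if script is not None:
            m = CONFICKER_RE.search(script.get("output", ""))
            if m:
                text = m.group(1).strip().upper()
                if "INFECTED" in text:
                    verdict = "INFECTED"
                elif "CLEAN" in text:
                    verdict = "CLEAN"
        results[ip] = verdict
    return results


def infected_hosts(results):
    """Sorted list of hosts the script flagged as likely infected."""
    return sorted(ip for ip, v in results.items() if v == "INFECTED")


if __name__ == "__main__":
    # Usage: python conficker_triage.py conficker_scan.xml
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    res = triage(text)
    for ip in sorted(res, key=lambda a: tuple(int(o) for o in a.split("."))):
        print(f"{ip:16} {res[ip]}")
    sys.exit(1 if infected_hosts(res) else 0)
```

Note that a host where 445/tcp is closed or filtered is reported as NO-SMB rather than clean: the script never ran there, so the scan says nothing about it, and a host-based firewall or a machine that was asleep during the sweep still needs to be checked another way.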
mushroom Ultimate Member

Joined: 29 Jun 2025 Posts: 2129 Location: Queen Charlotte B. C. Canada
Posted: Tue Mar 31, 2025 5:26 pm Post subject: |
Looks like good info.
Thanks, crouse.
I am passing this on to my ISP.
_________________ SuSE 8.0, 8.2, 9.0, 9.1, 9.2, 9.3, 10.0, 10.1, 10.2, 10.3, 11.0, 11.1
Live CDs Mepis 8.0, Puppy 4.3.1, netbook- Zenwalk 6.2
platinummonkey Advanced Member

Joined: 01 Mar 2025 Posts: 732 Location: Texas
crouse Site Admin

Joined: 17 Apr 2025 Posts: 11833 Location: Iowa
Posted: Tue Mar 31, 2025 8:33 pm Post subject: |
http://lastwatchdog.com/evolution-conficker-globe-spanning-worm/
mushroom Ultimate Member

Joined: 29 Jun 2025 Posts: 2129 Location: Queen Charlotte B. C. Canada
Posted: Tue Mar 31, 2025 9:39 pm Post subject: |
platinummonkey wrote: | Heh, I'm excited. When the day comes, tbh I'm going to grab a beer, sit back, watch networks and laugh at whatever happens.
No offense to those infected; but blame M$, not me. |
Looks like you are not the only one with that kind of attitude.
Quote: | Conficker: GNU/Linux's way to mainstream
I personally hope that the Conficker/Downup/Downadup/Kido computer worm — that surfaced in October 2025 and targets the Microsoft Windows operating system, that activates on April 1st — shows Windows users just how insecure the Windows operating system is, and how slow Microsoft is to react to it, and “patch” it.
The Windows operating system has always been insecure — and I don’t mean as in self-esteem, although :b
When hundreds of businesses stop production because of this worm; people should think about an alternative OS. And, the GNU Operating System is the best choice. |
More: http://jakedth.tumblr.com/post/91483836/conficker-gnu-linuxs-way-to-mainstream
jada Linux Guru

Joined: 13 May 2025 Posts: 3064 Location: Sun City, CA 92585
Posted: Tue Mar 31, 2025 10:02 pm Post subject: |
Quote: |
Honeynet Project Blog
As a result of the latest KYE paper (Containing Conficker), many of the scanner tools out there have implemented (or are in the process of doing so) the method presented in chapter 5 of the paper, which explains basically how you may remotely scan a machine, and have the machine tell you whether or not Conficker has compromised the system. The method works for all current Conficker variants and is indiscriminate of the infection vector!
Nmap was one of the first tools to implement this. Lets try it out!
Download the latest development release nmap-4.85BETA5.tar.bz2; the usual configure, make, sudo make install should do the trick, but in case you run into compile- or run-time errors you may want to check out this page. (If you face run-time complaints about openssl, you should follow this link.) There are also binaries available for Windows and OSX.
The following is an example of a basic scan for conficker
nmap -sC -PN -d -p445 --script=smb-check-vulns \
--script-args=safe=1 192.168.1.1
For large-scale scans, you may invoke nmap with some optimisation parameters as recommended here.
nmap -sC -PN -d -p445 -n -T4 --min-hostgroup 256 \
--min-parallelism 64 --script=smb-check-vulns \
--script-args=safe=1 10.0.0.0/8
In addition to the no-ping (PN) and port-specific scan (p) we added no-dns-resolution (n), more aggressive timing controls (T) and parallel scanning with groups of 256 hosts (with at least 64 simultaneously). The latter two parameters may be tuned even further for increased performance. The recommendation is to maintain a 4:1 ratio between the two values, and keep the upper limit to 4096/1024.
Using safe=1 as an argument sent to the script, the MS08-067 vulnerability is not really checked. Using unsafe=1 and it will be checked, however be aware of a possibility that the vulnerable server service may crash.
Here are some examples of the output from the script smb-check-vulns (with MS08-067 check enabled):
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: Likely INFECTED
| MS08-067: FIXED
| Conficker: Likely CLEAN
…So, scan your network now, while it’s still possible.
http://www.honeynet.org/ |
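The quoted Honeynet post gives two rules that are easy to get wrong when someone retypes the command for a /8: keep --min-hostgroup and --min-parallelism at 4:1 under the 4096/1024 caps, and do not let unsafe=1 slip into a sweep without a deliberate decision, since the MS08-067 check can crash the target's Server service. The following is an added example, not code from the Honeynet post or from nmap: a small builder that validates the targets, derives the parallelism from the host group, and refuses unsafe=1 unless the caller explicitly acknowledges the crash risk. The option names are those shown in the quoted command lines; the function and parameter names, the CIDR-only target format and the output prefix are assumptions made for this example.

```python
"""Build a tuned nmap command line for a large smb-check-vulns sweep.

Added example, not from the Honeynet post or from nmap. Encodes the
quoted tuning advice: --min-hostgroup : --min-parallelism at 4:1, capped
at 4096/1024, safe=1 by default. Targets are accepted in CIDR form only
(an assumption of this example; nmap itself accepts other forms too).
"""
import ipaddress
import shlex

MAX_HOSTGROUP = 4096
MAX_PARALLELISM = 1024


def tune(hostgroup):
    """Clamp --min-hostgroup and derive --min-parallelism at the 4:1 ratio."""
    hg = max(4, min(int(hostgroup), MAX_HOSTGROUP))
    return hg, max(1, min(hg // 4, MAX_PARALLELISM))


def build_scan_argv(targets, hostgroup=256, unsafe=False, ack_crash_risk=False,
                    output_prefix="conficker_scan", nmap="nmap"):
    """Return the argv list for the sweep (pass it to subprocess.run)."""
    # Validate targets up front: a typo here turns a /24 into a /8 sweep.
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    if not nets:
        raise ValueError("no targets given")
    if unsafe and not ack_crash_risk:
        # unsafe=1 runs the MS08-067 check, which may crash the target's
        # Server service; require an explicit opt-in rather than a typo.
        raise ValueError("unsafe=1 can crash targets; pass ack_crash_risk=True")
    hg, par = tune(hostgroup)
    script_args = "unsafe=1" if unsafe else "safe=1"
    argv = [nmap, "-sC", "-PN", "-n", "-T4", "-p445",
            "--script=smb-check-vulns", f"--script-args={script_args}",
            "--min-hostgroup", str(hg), "--min-parallelism", str(par),
            "-oA", output_prefix]
    argv += [str(n) for n in nets]
    return argv


if __name__ == "__main__":
    # Prints the command so it can be reviewed before it is run.
    print(shlex.join(build_scan_argv(["10.0.0.0/8"], hostgroup=1024)))
```

A hostgroup of 1024 gives --min-parallelism 256; asking for 8192 is clamped to the 4096/1024 ceiling from the post rather than passed through.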
melloe Ultimate Member

Joined: 20 Mar 2025 Posts: 2262 Location: Southern Illinois