Welcome to the realm. This realm is not your ordinary realm. Here you will find happenings in the network security world, as well as the underground and the ethical arena.

Thursday, April 2, 2009

Using NMAP to detect Conficker infected hosts | The Edge of I-Hacked

##########################################################
Scanning for Conficker Vulnerability & Infection
##########################################################

=================
**Disclaimer**
This is all pretty ugly, but should help those who find themselves in a pinch. This little guide comes with no warranties or guarantees of effectiveness.
=================

---------------
Pre-requisites
---------------

This method has been tested using nmap version 5.85BETA5 on Mac OS X. This should work on any *nix system.

Open the terminal and input the following commands:

svn co --username=guest --password='' svn://svn.insecure.org/nmap
cd nmap
./configure && make
sudo make install

---------------
Running the Scan
---------------

*Note: if you already have a version of nmap installed on your machine from another source (Fink, for example), you must run ./nmap from within the directory in which you compiled it. For example, I created a folder on my desktop called svn_nmap where I placed the source and compiled it. Launching from other locations will open the older version.

Type the following from within the nmap directory:

nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 xxx.xxx.xxx.zzz-zzz >> conficker_scan.txt

This executes the scan against a range of hosts (port 445 only) and appends the results to conficker_scan.txt. You may want to scan small ranges so you can keep track of how the scan is proceeding. Feel free to use the same output file each time, since >> appends to the file rather than overwriting it.

--------------
Wading Through the Results
--------------

You should now have one or more text files containing the results of your scan. To pull out information on the infected machines, run the following:

grep -B 7 -A 4 INFECTED conficker_scan.txt >> infected_machines.txt

To determine if any machines are vulnerable but not yet infected run the following:

grep -B 8 -A 3 VULNERABLE conficker_scan.txt >> vulnerable_machines.txt
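The fixed -B/-A context in the grep commands above assumes nmap prints the same number of lines for every host, and a plain "VULNERABLE" match also picks up "MS08-067: NOT VULNERABLE". As an added example that is not part of the original post, the script below walks the per-host blocks of nmap normal output and prints one INFECTED/VULNERABLE/CLEAN line per host; the SAMPLE_SCAN text is constructed to resemble smb-check-vulns output and is not a real scan.

```shell
#!/bin/sh
# Added example (not from the original post): summarise smb-check-vulns output
# as one "<ip> <state>" line per host instead of grepping fixed context.
# SAMPLE_SCAN is constructed to resemble nmap normal output; it is not a real
# scan. Both header styles nmap has used for a host are included on purpose.
SAMPLE_SCAN='Interesting ports on 192.0.2.10:
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (remove safe=1 argument to run)

Nmap scan report for ws11.example.test (192.0.2.11)
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (remove safe=1 argument to run)

Nmap scan report for 192.0.2.12
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (remove safe=1 argument to run)'

# Read nmap normal output on stdin (e.g. classify_hosts < conficker_scan.txt)
# and print "<ip> INFECTED|VULNERABLE|CLEAN" for each host block seen.
classify_hosts() {
    awk '
        function flush() {
            if (host == "") return
            if (conf ~ /INFECTED/)       state = "INFECTED"
            else if (ms ~ /^VULNERABLE/) state = "VULNERABLE"   # unpatched, not infected
            else                         state = "CLEAN"        # also covers NOT VULNERABLE
            print host, state; host = conf = ms = ""
        }
        /^(Interesting ports on|Nmap scan report for) / {
            flush(); host = $NF; gsub(/[():]/, "", host)   # keep only the address
        }
        /Conficker:/ { conf = $0 }
        /MS08-067:/  { ms = $0; sub(/.*MS08-067: */, "", ms) }
        END { flush() }'
}

# List only the hosts in one state, e.g. hosts_in_state INFECTED < conficker_scan.txt
hosts_in_state() { classify_hosts | awk -v want="$1" '$2 == want { print $1 }'; }

printf '%s\n' "$SAMPLE_SCAN" | classify_hosts
```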

------------
Dealing With the Consequences
------------

At this point I leave you to determine the best course of action once you have identified all the vulnerable/infected machines.

+++++++++++++++++++++++++++
Author: jur1st - CCCKC
Credit to: Fyodor, Dan Kaminsky, Felix Leder, Tillmann Werner, Rich Mogull and the Conficker Working Group for the hard work. All I did was make the info a little more accessible.
+++++++++++++++++++++++++++

2 comments:

dakami said...

This is cool work, but it's unreadable in Firefox. Can you rejigger your theme so I can link to it?

Mike said...

I changed it up...

Also, you can follow the link to the original post.
