Tuesday, June 30, 2009

Network Scan for Conficker

The conficker worm is a pretty nasty one! How do you scan if a machine on your network is infected ?

In this article we'll be using the awesome open-source nmap network scanning engine. In this example I will be preforming my scan from a Linux box. However you can use other OSs.

wget http://nmap.org/dist/nmap-4.90RC1-1.i386.rpm
rpm -Uvh nmap-4.90RC1-1.i386.rpm

It is recommended that you get the latest nmap from their download page. Next, launch nmap on the local network IP range, in this example it is, but YMMV. The interesting argument here is the --script which utilizes the NSE (Nmap scripting engine) in order to assess whether or not the current windows machine nmap is connected to is vulnerable. So let's launch the scan

nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1

Once the scan has completed Identify the potentially infected machine on the LAN. An infected machine would result in nmap output similar to

Host script results:
| smb-os-discovery: Windows XP
| LAN Manager: Windows 2000 LAN Manager
|_ System time: 2009-06-30 10:47:12 UTC+3
| smb-check-vulns:
| MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
| Conficker: Likely INFECTED (by Conficker.C or lower)
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Once identified, you can use the great kkiller tool from kaspersky labs to clean the infected machine

You can find the latest kkiller from the following page page as well

Have fun, patch your broken windows, or better yet, learn some *nix foo or bar :)

1 comment:

swMan said...

nice article, thanks.