
Tools, Tools, Tools

A couple of useful things for IT admins out there.  I’ve packaged up Werner and Leder’s PoC scanner via py2exe here.  You can now simply run:

C:\Python26\scs\scs>scanner.exe 1.2.3.4

---------------------------------
Simple Conficker Scanner
---------------------------------
scans selected network ranges for
conficker infections
---------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
---------------------------------

[WARNING] 1.2.3.4 seems to be infected by Conficker!

C:\Python26\scs\scs>scs.exe 1.2.3.4 1.2.3.4

---------------------------------
Simple Conficker Scanner
---------------------------------
scans selected network ranges for
conficker infections
---------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
---------------------------------

[WARNING] 1.2.3.4 seems to be infected by Conficker!
Done

Note that scs.exe will also take an IP list, so if you first generate one with a fast sweeper (only the hosts that actually have 445/tcp open), the slow per-host check runs against far fewer targets and scs.exe goes much faster.

Of course, what would be really helpful is getting nmap going — and the code is in fact in SVN!  I believe the nmap guys are working on packages right now, but in the meantime, here’s what their dev says to do if you’re on Unix:

If you prefer to install it:
svn co --username=guest --password='' svn://svn.insecure.org/nmap
cd nmap
./configure && make
sudo make install
nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 <host>

If you don’t want to install it:
svn co --username=guest --password='' svn://svn.insecure.org/nmap
cd nmap
./configure && make
export NMAPDIR=.
./nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 <host>

Building nmap is a little tricky on Windows apparently, but happily enough, this isn’t necessary.  Follow these steps to get high speed scanning on Windows:

1) Install the latest development build of nmap, 4.85BETA4, from here.
2) Retrieve this package, extracted from SVN, and merge it into your c:\Program Files\nmap directory.
3) Enjoy:

C:\Documents and Settings\dan>nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4

Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5

Starting Nmap 4.85BETA4 ( http://nmap.org ) at 2009-03-30 08:42 Pacific Daylight Time
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 4.2.2.1
Initiating Parallel DNS resolution of 1 host. at 08:42
mass_rdns: 0.38s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 08:42, 0.36s elapsed
DNS resolution of 1 IPs took 0.38s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:42
Scanning 21Cust103.tnt1.kingston.on.da.uu.net (1.2.3.4) [1 port]
Packet capture filter (device eth0): dst host 192.168.1.103 and (icmp or ((tcp or udp) and (src host 1.2.3.4)))
Discovered open port 445/tcp on 1.2.3.4
Completed SYN Stealth Scan at 08:42, 0.75s elapsed (1 total ports)
Overall sending rates: 1.33 packets / s, 58.67 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning foo (1.2.3.4).
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 08:42
Running 1 script threads:
NSE (1.438s): Starting smb-check-vulns against 1.2.3.4.
NSE: SMB: Extended login as \guest failed, but was given guest access (username
may be wrong, or system may only allow guest)
NSE (6.001s): Finished smb-check-vulns against 1.2.3.4.
Completed NSE at 08:42, 4.58s elapsed
NSE: Script scanning completed.
Host foo (1.2.3.4) appears to be up … good.
Scanned at 2009-03-30 08:42:46 Pacific Daylight Time for 6s
Interesting ports on foo (1.2.3.4):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Connficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 360000 rttvar: 360000  to: 1800000

Read from C:\Program Files\Nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.00 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
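As an added example (not from the post, and not the scs scanner's or the nmap project's own code), here is the Unix-side version of the two-stage workflow described above in Python: the "fast sweeper" pass that builds the IP list scs.exe is said to take, done with nmap's grepable output on 445/tcp, followed by a parser that buckets the smb-check-vulns verdicts per host so a large run is easy to triage. It uses the nmap flags from the runs above plus -n, --open, -oG and -iL (all standard nmap options). The sample outputs embedded in the script are constructed to mimic nmap's formats, not captured from a real scan; the one-IP-per-line list format is an assumption for scs.exe (it is what nmap -iL reads); and the host-header regex accepts both the 4.85-era "Interesting ports on" line and the later "Nmap scan report for" line.

```python
"""Two-stage Conficker sweep around nmap (added example, not scs's or nmap's code).

Stage 1: fast 445/tcp sweep, grepable output (-oG) -> IP list (one per line; the
         format nmap -iL reads and, as an assumption here, what scs.exe takes).
Stage 2: parse normal output of --script=smb-check-vulns and bucket each host by
         its "Conficker:" verdict. Both parsers run offline on constructed samples.
"""
import re
import subprocess
from typing import Dict, List

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def sweep_command(target: str) -> List[str]:
    """-n: no reverse DNS; -PN: skip host discovery (infected boxes often drop ICMP);
    --open: only hosts with an open port; -oG -: grepable output on stdout."""
    return ["nmap", "-n", "-PN", "-p445", "--open", "-oG", "-", target]


def check_command(ip_list_path: str) -> List[str]:
    """The smb-check-vulns run from the post, restricted to the sweep's hosts via -iL."""
    return ["nmap", "-n", "-PN", "-p445", "--script=smb-check-vulns",
            "--script-args=safe=1", "-iL", ip_list_path]


# grepable line: "Host: 10.0.0.2 ()<TAB>Ports: 445/open/tcp//microsoft-ds///"
GREPABLE_HOST = re.compile(r"^Host:\s+" + IPV4 + r"\s+\(.*?\)\s+Ports:\s+(.*)$")
# normal-output host header, old ("Interesting ports on") and new ("Nmap scan report for")
HOST_HEADER = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for)\s+(?:\S+\s+)?\(?" + IPV4 + r"\)?:?\s*$")
# the 4.85BETA4 script printed "Connficker"; later revisions print "Conficker"
VERDICT = re.compile(r"^\|_?\s*Conn?ficker:\s*(.+?)\s*$")


def hosts_with_445_open(grepable: str) -> List[str]:
    """IPs whose grepable Ports: field lists 445 as open."""
    ips = []
    for line in grepable.splitlines():
        m = GREPABLE_HOST.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and hosts without a Ports: field
        ip, ports = m.groups()
        # checked explicitly so the parser also works on sweeps run without --open
        if any(p.strip().startswith("445/open/") for p in ports.split(",")):
            ips.append(ip)
    return ips


def triage(nmap_output: str) -> Dict[str, List[str]]:
    """INFECTED -> infected, CLEAN -> clean, anything else (UNKNOWN, NOT RUN,
    SMB errors) -> unknown, which still needs a manual look."""
    buckets: Dict[str, List[str]] = {"infected": [], "clean": [], "unknown": []}
    current = None
    for line in nmap_output.splitlines():
        h = HOST_HEADER.match(line)
        if h:
            current = h.group(1)
            continue
        v = VERDICT.match(line)
        if v and current:
            verdict = v.group(1).upper()
            if "INFECTED" in verdict:
                buckets["infected"].append(current)
            elif "CLEAN" in verdict:
                buckets["clean"].append(current)
            else:
                buckets["unknown"].append(current)
    return buckets


def write_ip_list(ips: List[str], path: str) -> None:
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")


def run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed samples modelled on nmap's output formats (not a real capture).
SWEEP_SAMPLE = "\n".join([
    "# Nmap 4.85BETA4 scan initiated as: nmap -n -PN -p445 --open -oG - 10.0.0.0/29",
    "Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///",
    "Host: 10.0.0.3 ()\tPorts: 445/closed/tcp//microsoft-ds///",
    "Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///",
    "# Nmap done -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds",
])
NSE_SAMPLE = "\n".join([
    "Interesting ports on 10.0.0.2:",
    "PORT    STATE SERVICE      REASON",
    "445/tcp open  microsoft-ds syn-ack",
    "",
    "Host script results:",
    "|  smb-check-vulns:",
    "|  MS08-067: NOT RUN",
    "|  Connficker: Likely INFECTED",
    "|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)",
    "",
    "Nmap scan report for 10.0.0.5",  # newer header style, same parser
    "Host script results:",
    "|  smb-check-vulns:",
    "|  Conficker: Likely CLEAN",
    "",
    "Interesting ports on 10.0.0.9:",
    "Host script results:",
    "|  smb-check-vulns:",
    "|  Conficker: UNKNOWN; got error SMB: Failed to receive bytes: ERROR",
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:  # offline demo on the constructed samples
        print("sweep:", hosts_with_445_open(SWEEP_SAMPLE))
        print("triage:", triage(NSE_SAMPLE))
    else:  # live: python sweep.py 10.0.0.0/24
        ips = hosts_with_445_open(run(sweep_command(sys.argv[1])))
        write_ip_list(ips, "hosts445.txt")  # hand this file to scs.exe or nmap -iL
        print(triage(run(check_command("hosts445.txt"))))
```

The sweep and the check are kept as separate nmap invocations on purpose: the SYN sweep of a /16 finishes in seconds, while smb-check-vulns spends several seconds per host (the run above took 6s for one IP), so only the hosts from hosts445.txt are worth the slow pass. Hosts that land in the "unknown" bucket are the ones to look at by hand.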

I’m sure there’s some way to use the NMAP GUI too — if someone wants to post a doc for that, I’ll link to it.
