The 3rd check in the Nmap script will not run by default because it is
considered "unsafe" since it has the possibility of crashing machines.
As for timing, I tested on a class C with 224 machines, 212 of which
are listening on 445.
Nmap with no timing options:
done: 256 IP addresses (224 hosts up) scanned in 40.38 seconds
Nmap with -T5
done: 256 IP addresses (224 hosts up) scanned in 8.94 seconds
Nessus using the command you sent earlier.
2m36.659s
-jhs
On Mar 30, 2009, at 12:40 PM, Paul Asadoorian wrote:
Okay, to better answer your question, the Nmap NSE script checks for:
* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2003
The NASL script in Nessus only checks for the presence of conficker
(conficker responds to certain RPC calls with specific error codes).
So, if you are scanning a large network (class B for example), I'd lean
towards the Nessus plugin if it's speed you're after. Of course, it's not a
bad idea to check for the MS08-067 vulnerability while you're at it :)
Also, there is another Nessus plugin that will help detect Conficker:
http://www.nessus.org/plugins/index.php?view=single&id=35322
It detects:
"Regardless of the request that's made, the remote web server returns a
Microsoft executable."
Which is behavior exhibited by Conficker.A.
Cheers,
Paul
Albert R. Campa wrote:
Interesting, so not having looked at this yet, what's the difference
between that and scanning with Nessus?
__________________________________
Albert R. Campa
2009/3/30 John Sawyer <[email protected]>
The Conficker check is in the latest SVN version of Nmap. It's in
the smb-check-vulns.nse which now checks for Conficker, MS08-067 and
a regsvc DoS.
nmap --script smb-check-vulns.nse -p445
For safety's sake, you might want to also run it with
--script-args=unsafe=1 to prevent possible crashes from the regsvc
check. That should not turn off the conficker check.
-jhs
On Mar 30, 2009, at 11:10 AM, Chris Merkel wrote:
According to this:
http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
A script should be released today to scan for conficker-infected
machines over the wire.
I looked at the NSE portal and haven't seen anything yet - would it
show up there, or is there a development site or repository where this
will first appear?
I'd like to get a scan in before April 1st, when variant C drops.
--
- Chris Merkel
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com