I would also recommend grabbing the latest SVN as of this morning. Renaud found a bug in the checking algorithm. Both Nmap and Nessus have been updated; for more details on the Nessus side see:
http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html

Cheers,
Paul

Nick Baronian wrote:
> I believe vulnerable machines will crash.
> http://seclists.org/nmap-dev/2009/q1/0878.html
>
> If you were getting mixed results you might want to re-grab the latest
> svn. It has been patched several times already today and corrected some
> issues I was seeing.
>
> 2009/3/31 Tim Mugherini <[email protected]>
>
> > I got that too went with -script-args unsafe=1 and seems to work for
> > most
> >
> > Think someone mentioned that yesterday somewhere
> >
> > not sure what the downside may be
> >
> > 2009/3/31 Dan Baxter <[email protected]>
> >
> > > Thanks! That helps a lot. However, my results aren't quite
> > > what I'd hoped. Every machine that has 445 open, I get the
> > > result below. What would make the Conficker scan fail?
> > > Suggestions? Thanks
> > >
> > > PORT    STATE SERVICE
> > > 445/tcp open  microsoft-ds
> > >
> > > Host script results:
> > > |  smb-check-vulns:
> > > |  MS08-067: FIXED
> > > |  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
> > > |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
> > >
> > > Dan Baxter
> > > -------------------------------------------------
> > > Quis custodiet ipsos custodes?
> > >
> > > 2009/3/31 Russell Butturini <[email protected]>
> > >
> > > > I found you need to add the -vv (very verbose) flag using
> > > > that command. Otherwise you don't see the script results.
> > > > See below:
> > > >
> > > > Discovered open port 445/tcp on x.x.x.x
> > > > Completed SYN Stealth Scan at 09:29, 0.00s elapsed (1 total ports)
> > > > NSE: Initiating script scanning.
> > > > Initiating NSE at 09:29
> > > > Completed NSE at 09:29, 0.50s elapsed
> > > > Host x.x.x.x appears to be up ... good.
> > > > Scanned at 2009-03-31 09:29:47 Central Daylight Time for 1s
> > > > Interesting ports on x.x.x.x:
> > > > PORT    STATE SERVICE
> > > > 445/tcp open  microsoft-ds
> > > > MAC Address: 00:11:25:E9:04:52 (IBM)
> > > >
> > > > Host script results:
> > > > |  smb-check-vulns:
> > > > |  MS08-067: FIXED
> > > > |  Conficker: Likely CLEAN
> > > >
> > > > *From:* [email protected] *On Behalf Of* Dan Baxter
> > > > *Sent:* Tuesday, March 31, 2009 9:01 AM
> > > > *To:* PaulDotCom Security Weekly Mailing List
> > > > *Subject:* Re: [Pauldotcom] Scanning for Confiker via nmap
> > > >
> > > > > So forgive my lack of nmap-fu, but if I run this what am I
> > > > > looking for? I get back responses that list some with 445
> > > > > open, some closed and a few filtered. How do I determine
> > > > > which may be infected.
> > > > >
> > > > > for clarification I'm running nmap -p 445 --script
> > > > > smb-check-vulns.nse
> > > > >
> > > > > Thanks
> > > > >
> > > > > Dan Baxter
> > > > > -------------------------------------------------
> > > > > Quis custodiet ipsos custodes?

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
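Added example, not part of the original thread: a small Python triage of `smb-check-vulns` output in the format quoted above, separating hosts whose Conficker check returned `ERROR` (and so need a rescan) from hosts reported `Likely CLEAN`. The sample output, the 192.0.2.x addresses and the verdict labels are constructed for this example.

```python
import re

# Constructed sample in the output format quoted in the thread
# (addresses are documentation-range placeholders, not real hosts).
SAMPLE = """\
Interesting ports on 192.0.2.10:
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely CLEAN
Interesting ports on 192.0.2.11:
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: ERROR: SMB: Failed to receive bytes: ERROR
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Interesting ports on 192.0.2.12:
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+?):\s*$")
CHECK_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker|regsvc DoS):\s*(.+?)\s*$")


def triage(nmap_text):
    """Return {host: {"checks": {...}, "verdict": str}} for each scanned host."""
    hosts, current = {}, None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"checks": {}})
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            current["checks"][m.group(1)] = m.group(2)
    for info in hosts.values():
        conficker = info["checks"].get("Conficker")
        if conficker is None:
            info["verdict"] = "no-result"  # port closed/filtered or script output not shown
        elif conficker.startswith("ERROR"):
            info["verdict"] = "rescan"     # the check failed; it says nothing about infection
        elif conficker == "Likely CLEAN":
            info["verdict"] = "clean"
        else:
            info["verdict"] = "review"     # any other text needs a human to read it
    return hosts
```

Calling `triage()` on saved scan output gives a per-host dictionary; hosts marked `rescan` are the ones to run again after updating to the latest SVN, as the thread suggests.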
