Scanning for Conficker with Nmap

Filed under: Malware, NetBIOS/SMB

Using Nmap to scan for the famous Conficker worm.

<Update>
Nmap 4.85beta5 has all the scripts included, download it at http://nmap.org/download.html.

You'll still need to run a scan:

nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

</Update>

<Update 2>
If you're having an OpenSSL problem, read this!

OpenSSL isn't included by default in the Nmap RPMs, and I wasn't properly checking for that in my scripts. Fyodor will have a beta5 RPM up tonight, which will fix that issue.

Until then, you have two options:
1. Use a source RPM
2. Compile straight from source, from the svn
</Update 2>

<Update 3>
If you're still having OpenSSL issues, try installing the openssl-dev package and install Nmap from source. Or, download the latest rpm (beta5) or svn version -- they have fixed the issue altogether (OpenSSL is no longer required!)

Further, if you're having an issue with error messages, this great post by Trevor2 might help:

NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser service is disabled. There are at least two ways that can happen:
1) The service itself is disabled in the services list.
2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList is set to Off/False/No rather than Auto or yes.
On these systems, if you reenable the browser service, then the test will complete.

There are probably many other reasons why NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned (e.g. not a windows OS, possibly infected) but I have not confirmed these.

Furthermore, this error will occur against Windows NT.
</Update 3>

Hot on the coattails of the Simple Conficker Scanner, I've added detection for Conficker to Nmap. Currently, there are two ways of doing this -- you can check out the SVN version of Nmap and compile from source, or you can update the three necessary files.

Update from SVN

If you're on a Unix-like system, this is probably the easiest way. You can install it either system-wide or in a folder. Here is the system-wide command:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install
$ nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

If you prefer to run it from a local folder, use the following commands:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ export NMAPDIR=.
$ ./nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

Update just the files

If you're on Windows, or don't want to compile from source, you can install the three datafiles.

First, make sure you're running Nmap 4.85beta4. That's the latest beta version. Then, download this file:

And place it in the "scripts" folder (see below).

Then, download these files:

  • http://www.skullsecurity.org/blogdata/msrpc.lua
  • http://www.skullsecurity.org/blogdata/smb.lua

And place them in the "nselib" folder (see below).

Where are the folders?

On Linux, try /usr/share/nmap/ or /usr/local/share/nmap or even /opt/share/nmap.

On Windows, try c:\program files\nmap

If all else fails, the scripts folder will contain a bunch of .nse files and the nselib folder will contain a bunch of lua files. Try searching your drive for smb-check-vulns.nse and msrpc.lua, and replace those.

Conclusion

Hopefully that helps! If you have any problems or questions, don't hesitate to contact me! My name is Ron, and my email domain is @skullsecurity.net.

Ron

Ron Bowes, Mar 30, 2009 (136 comments)

136 Responses to “Scanning for Conficker with Nmap”

  1. jp Says:

    Awesome, Ron, thank you!

  2. Ron Says:

    Happy to help! :)

    To be honest, it's been a while since I've had to race a vulnerability (or, in this case, something like one). I missed that feeling of excitement!

  3. Todd Says:

    How do you know if it's infected or not. What responses determine positive or negatives?

  4. Brian Says:

    Ron,

    How do I tell if they are infected or not? It's been a long while since I have used NMAP, and I may just be missing the answer.

    I do have NMAP installed, patched and running correctly though.

    Thanks
    Brian

  5. Ron Says:

    Hey Todd,

    It's fairly straightforward. Look for the smb-check-vulns section, and it'll look something like this:
    --
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    --
    Alternatively, it might say "Likely CLEAN".

    Ron

  6. Brian Says:

    Ron,

    Ignore my first comment, my first scan was against a bad IP range.

    I do have a question though, does " MS08-067: NOT RUN" mean that the patch was not applied, or just not checked for by NMAP?

    Thanks
    Brian

  7. BT Says:

    Ron, this is great...thank you for this.

    If the system is infected with Conficker would it show as "MS08-067: VULNERABLE"?

    My understanding is that Conficker masks itself in that it makes itself appear that MS08-067 is installed, so I'm curious as to what an infected machine looks like.

    Thanks again!

  8. Chad Says:

    Looks good. Question about the results.

    I've been getting 2 so far.

    Conficker: Likely Clean (easy enough)

    Conficker: NT_STATUS_OBJECT_NAME_NOT_FOUND (Is this an error in script or something else?What would the results show if it was infected?)

    Thanks!

  9. Ron Says:

    MS08-067 means it's likely to GET infected, but doesn't mean it's infected. Look for the 'Conficker' line.

  10. Ron Says:

    Chad,

    The second one means either it's a non-Windows system, or the process has crashed (either from an attempted infection or a successful infection).

  11. Shaun Says:

    Thanks Ron - this is great. Can you provide usage and expected output when scanning an infected host?

  12. David Hinkle Says:

    Is the result "Conficker: ERROR: NT_STATUS_ACCESS_DENIED" a clean result, or something I did wrong?

  13. CharlesL Says:

    So, if I don't see either:

    "Conficker: Likely CLEAN"
    or
    "Conficker: Likely INFECTED"

    Does that mean that the script is not running correctly?

  14. EJ Says:

    @ Todd: By looking in the files Ron provided, I found text in smb-check-vulns.nse that's likely associated with the determination of Conficker infection. It appears it will either report "Conficker: Likely INFECTED" or "Conficker: Likely CLEAN"

  15. MemphisBytes Says:

    Hey Ron,

    Thanks and great job!

    FYI - Tested against Windows 2003 and Windows 2008 Server with the following results.

    2003
    ----
    PORT STATE SERVICE REASON
    445/tcp open microsoft-ds syn-ack
    MAC Address: 00:xx
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely CLEAN
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

    Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-services.
    Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
    Raw packets sent: 2 (86B) | Rcvd: 2 (86B)

    2008
    ----
    PORT STATE SERVICE REASON
    445/tcp open microsoft-ds syn-ack
    MAC Address: 00:xx

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

    Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-services.
    Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

  16. CharlesL Says:

    So, does this mean that if I don't see:

    "Conficker: Likely CLEAN"
    "Conficker: Likely INFECTED"
    or
    "Conficker: "

    then I am not running the script correctly? I don't see any conficker lines.

  17. Shaun Says:

    never mind the 2nd half of my comment...just re-read page...thanks very much

  18. Milo Velimirović Says:

    What's the interpretation of this result?
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_ACCESS_DENIED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 1551 rttvar: 5000 to: 100000

  19. Ron Says:

    @Shaun:

    Infected:
    --
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    --

    Uninfected:
    --
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely CLEAN
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    --

    Error codes may mean different things, unfortunately I can't guess all conditions. If you get an error, double-check that it's Windows and maybe try again. If it continues not to work, it may be because the service has crashed for an unknown reason.

  20. Ron Says:

    @David Hinkle

    That likely means that the server has been locked down, so we don't have access to the necessary pipe. Fortunately, that means that neither does Conficker -- NT_STATUS_ACCESS_DENIED probably means you're ok. Probably. :)

  21. Ron Says:

    @CharlesL

    Originally, I wasn't printing an error message by default. Now, I am. Try running newest svn version.

  22. Milo Velimirović Says:

    And a big thanks! for putting together this page. It's just what's needed to cut through all the other interesting stuff.

  23. Mike Says:

    I am getting an error here it is: NSE: smb-check-vulns against x.x.x.x ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value). And I am not seeing the statement above. Any help is much appreciated. Thanks

  24. Ron Says:

    @Mike

    Use the latest version of Nmap (4.85beta4). You're likely on 4.75, which doesn't have the required OpenSSL bindings.

    Ron

  25. ScottT Says:

    Seems I'm having problems, what is the command you guys are using? All I get back is a basic nmap result:
    PORT STATE SERVICE
    445/tcp open microsoft-ds

    advice?

  26. Ron Says:

    @Milo Velimirović

    The interpretation is that the script was unable to access the pipe that's used for MS08-067 exploitation. That likely means that a Conficker attempt would have failed.

    Ron

  27. Ron Says:

    @ScottT

    You may be using an older version of Nmap. Try getting Nmap 4.85beta5 -- it'll have everything included. I'm about to update the main post about that.

  28. Rob_G Says:

    Nmap 4.85beta5 for Windows has just been released with these files already present. Just an FYI.

  29. ScottT Says:

    @Ron
    Thanks for the quick reply. I do have Nmap 4.85beta5, so I'll post my command here, which may be the problem (Don't use this command guys)
    nmap --script smb-check-vulns.nse -p445 10.0.0.* << Don't use this
    I've tried specifying a single host as well, same output. I'm not getting error messages, just something that says the port is open / closed.

  30. MemphisBytes Says:

    @ScottT - Command is at the top of this page - or here -

    Windows - nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    linux same except ./nmap

  31. ScottT Says:

    @myself.

    Sorry, looks like i have beta 4. Updating now.

  32. Ron Says:

    @Rob_G

    Thanks Rob! I was just in the process of posting an updated story. :)

  33. Glenn Says:

    When I run the "Intense Scan" I don't see a value for smb-check-vulns. Sample result below. What might I be doing wrong? Windows, on the beta version.

    Host script results:
    | nbstat: NetBIOS name: PC153, NetBIOS user: , NetBIOS MAC: MAC
    | Name: PC153 Flags:
    | Name: PC153 Flags:
    | Name: DOMAIN Flags:
    |_ Name: DOMAIN Flags:
    | smb-os-discovery: Windows XP
    | LAN Manager: Windows 2000 LAN Manager
    | Name: DOMAIN\PC153
    |_ System time: 2009-03-30 16:12:23 UTC-4

  34. MemphisBytes Says:

    FYI - I am getting this on all 2008 servers... anyone else see the same?

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

  35. Ron Says:

    @Glenn

    What's your commandline?

    smb-check-vulns isn't a "default" script, so you have to explicitly use it.

  36. Jeff Says:

    I am scanning a known infected machine as well as a known clean, but keep running into these errors (same for both):

    Running 1 script threads:
    NSE (6.234s): Starting smb-check-vulns against 10.65.94.57.
    NSE: SMB: ERROR: Received wrong number of bytes, there will likely be issues (recieved 82, expected 43)
    NSE (11.531s): Finished smb-check-vulns against 10.65.94.57.
    Completed NSE at 13:26, 5.30s elapsed
    NSE: Script scanning completed.

    ...

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

  37. MemphisBytes Says:

    @Glenn

    You should create a new profile (assuming you are using Zenmap) and copy the command listed at the top of the page (minus the target IP(s)) -
    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    into the "Command" box - name it whatever you will - it should fill in the appropriate boxes in Zenmap. Save it and then use it from the drop down box (where "Intense Scan" lives).

  38. Chris Says:

    it seems to fail with:

    smb-check-vulns against 192.168.2.51 ended with error: ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    I am on NMAP 4.85beta5.

  39. Jackson Says:

    I'm getting a similar error to someone else, but I've compiled 4.85beta5 and even taken to updating from subversion to make sure I've got the most recent.

    smb-check-vulns against 172.24.107.125 ended with error: ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

  40. Ron Says:

    For all of you who are getting OpenSSL nil-pointer errors, you're definitely running a non-current version of Nmap -- that, or something else is failing.

    My guess is that two versions are installed beside each other, and you're running the older one. Could that possibly be happening?

    Sorry I can't help more!

    Ron

  41. Rob_G Says:

    @MemphisBytes

    I'm seeing this quite a bit on machines that have guest accounts disabled. It looks as if the Status account is dead, it's not able to scan it properly.

  42. Karl Says:

    Ron,

    Thanks. Great script. All is good here -- back to regular work.

    As a suggestion, include host.ip in the output line that shows CLEAN or INFECTED, so running the output through 'grep Conficker' will show the status of each machine.

  43. Ron Says:

    @Karl

    That's a great idea, I've been thinking about doing something like that -- it would be useful as a generic thing, though, not just my script. In fact, there may already be a way of doing it using the -o? options.

    I personally use this hack:
    nmap ... | egrep "(ports|Conficker)" | grep -B1 "Conficker"

    It works, but it isn't pretty.

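To give each host a single grep-friendly Conficker verdict (Karl's suggestion, which the egrep hack above approximates), here is an added Python triage script; it is not part of the post or of Nmap. It parses nmap's normal output, buckets every host as infected, clean, probably-ok, suspect, error or no-result, and attaches the explanation the post and comments give for each error code; the sample output, hostnames and addresses are constructed.

```python
"""Triage nmap smb-check-vulns output: one Conficker verdict per host, plus a tally."""
import re
import sys
from collections import Counter

# Constructed sample (not real scan data) in the shape nmap 4.85 prints for
#   nmap --script=smb-check-vulns --script-args=safe=1 -p445 <targets>
SAMPLE_OUTPUT = """\
Interesting ports on ws01 (192.0.2.10):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|    MS08-067: NOT RUN
|    Conficker: Likely INFECTED
|_   regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on srv02 (192.0.2.20):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|    MS08-067: NOT RUN
|    Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_   regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 192.0.2.30:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response
"""

HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?:")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

# Error texts seen in the post and comments, with the explanation given there.
ERROR_HINTS = [
    ("NT_STATUS_OBJECT_NAME_NOT_FOUND", "error", "browser service disabled, non-Windows host (e.g. Samba) or crashed service; rescan"),
    ("NT_STATUS_ACCESS_DENIED", "probably-ok", "pipe is locked down, so the exploit path is blocked too"),
    ("TIMEOUT", "error", "slow SMB reply; raise 'local TIMEOUT = 5000' in nselib/smb.lua to 20000 and rescan"),
    ("NT_STATUS_WERR_UNKNOWN_57", "suspect", "error 57 is the response the check looks for; treat as suspect and rescan"),
]


def classify(verdict, port_state):
    """Map a host's Conficker line (None if the script produced none) to (bucket, hint)."""
    if verdict is None:
        return "no-result", "no script output; 445/tcp %s (firewall, closed port or script not selected)" % (port_state or "not reported")
    if verdict == "Likely INFECTED":
        return "infected", "isolate and confirm with a local removal tool"
    if verdict == "Likely CLEAN":
        return "clean", "no action"
    for needle, bucket, hint in ERROR_HINTS:
        if needle in verdict:
            return bucket, hint
    return "error", "unrecognised error; confirm the target is Windows and rescan"


def parse_scan(text):
    """Walk normal output; return one dict per host with ip, host, 445/tcp state, raw Conficker line."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group(2), "host": m.group(1) or "", "port445": None, "conficker": None}
            hosts.append(current)
        elif current is not None:
            m = PORT_RE.match(line)
            if m:
                current["port445"] = m.group(1)
                continue
            m = CONFICKER_RE.match(line)
            if m:
                current["conficker"] = m.group(1)
    return hosts


def triage(text):
    """Return (records, summary): one record per host, summary = Counter of buckets."""
    records, summary = [], Counter()
    for h in parse_scan(text):
        bucket, hint = classify(h["conficker"], h["port445"])
        summary[bucket] += 1
        records.append({"ip": h["ip"], "host": h["host"], "bucket": bucket, "hint": hint,
                        "detail": h["conficker"] or "445/tcp %s" % (h["port445"] or "?")})
    return records, summary


if __name__ == "__main__":
    # Pipe a real scan in (nmap ... | python3 conficker_triage.py); with no stdin the sample is used.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    records, summary = triage(text)
    for r in records:  # one tab-separated line per host, so 'grep infected' works directly
        print("\t".join([r["ip"], r["host"] or "-", r["bucket"], r["detail"], r["hint"]]))
    print("summary:", dict(summary))
```

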
  44. Parker Says:

    What would this indicate?
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

  45. Ron Says:

    @Parker

    That means either it isn't a Windows machine, or the service is either crashed or not running. That may indicate a failed (or successful) exploit attempt, or just a locked down system.

  46. MemphisBytes Says:

    #Rob_G - Thanks :)

  47. Addam Says:

    I've found another explanation for the OpenSSL nil pointer error. It seems that the RPMs available on nmap.org do not include the OpenSSL bindings. I rebuilt nmap4.85BETA5 from source and things ran just fine.

  48. Russ Says:

    @Jeff, #36

    I'm getting the same thing,

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

    I have 2 packets sent and received, so what is this timeout business all about? BTW I'm a first time nmap user, be gentle if I'm doing something foolish.

  49. Ron Says:

    @Russ:

    Hmm, I have the timeout set to 5 seconds, which generally works. Is it actually taking longer than 5 seconds for the server to respond?

    You can tweak it without a recompile by editing nselib/smb.lua -- look for "local TIMEOUT = 5000" and try changing it to 10000 or 20000. Does that help?

    Ron

  50. Ron Says:

    @Addam

    I talked to Fyodor, and he said that OpenSSL bindings are left out of the RPMs intentionally, because OpenSSL isn't necessarily going to be present. I'm going to add an updated check for a missing OpenSSL library which will let you do some checks.

  51. Dietrich Says:

    Ron,

    Thank you for your outstanding effort to get this update out.

    I've got this error from zenmap when I run it:

    NSE (0.298s): smb-check-vulns against 192.168.1.129 ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    Ideas?

    Best,
    Dietrich

  52. Jeff Says:

    @Ron:

    That was it. I changed smb.lua to "local TIMEOUT = 20000" and got the output shown below (I could probably set the timeout to less, but this will do for now):

    Running 1 script threads:
    NSE (6.187s): Starting smb-check-vulns against 10.65.94.57.
    NSE: SMB: Extended login as \guest failed (NT_STATUS_LOGON_FAILURE)
    NSE: SMB: Extended login as \ succeeded
    NSE (11.515s): Finished smb-check-vulns against 10.65.94.57.
    Completed NSE at 14:30, 5.33s elapsed
    NSE: Script scanning completed.

    ...

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

    Thank you!!

  53. Ron Says:

    @Jeff: Awesome! Maybe I'll tweak the defaults.

  54. Ron Says:

    See "Update 2" in the document for OpenSSL issues.

  55. Russ Says:

    Thanks Ron, I can confirm Jeff's results too. Increased timeout to 20,000 and everything's rosy.

  56. Chris Says:

    @Ron

    Re. the OpenSSL nil-pointer errors

    Definitely on 4.85beta5, compiled from source from svn. There was definitely no other nmap existing on my system.

    I have removed again, and reinstalled this time from http://nmap.org/download.html. Same error.

    I have removed and reinstalled from svn, changing smb.lua to "local TIMEOUT = 20000", but no better.

    nmap -V gives 4.85BETA5

  57. Oswald Says:

    Hmmm. Scanned two machines. One gives the likely clean message, the other doesn't give results in a section as shown here:

    NSE: Initiating script scanning.
    NSE: Script scanning machine001 (192.168.1.2).
    NSE: Initialized 1 rules
    NSE: Matching rules.
    NSE: Running scripts.
    NSE: Script scanning completed.
    Host machine001 (192.168.1.2) appears to be up ... good.
    Scanned at 2009-03-30 16:58:04 Central Daylight Time for 0s
    Interesting ports on machine001 (192.168.1.2):
    PORT STATE SERVICE REASON
    445/tcp filtered microsoft-ds no-response

    And doesn't say anything about running smb-check-vulns against 192.168.1.2. While I'm fairly certain all patches have been applied and the virus signatures are up-to-date, am I just to assume at this point that the no response is a good response?

  58. Brian Says:

    I also get the error: ( ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value))

    This is running (Nmap 4.85BETA5) on CentOS v.5 with OpenSSL 0.9.8b

    Also, of note on CentOS, you may need to manually edit the file-if_packet.h- to show:
    #include

    make fails before modifying it, slightly annoying.

  59. Brian Says:

    update: this is compiling from source via SVN.

  60. Brian Says:

    update #2
    that include line should be:
    #include <linux/types.h>

  61. Henrique Says:

    Some of my subnet scans yield:
    evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0
    probably when poking on netapp machines.
    On other subnets it runs fine.
    Any fix for this?
    SSL run/devel @ 0.9.8g-12.fc10

  62. Karl Says:

    Ron,

    Consider adding the -PN switch to the nmap command. Several of our workstations have non-microsoft firewalls that do respond to pings but for some reason nmap wasn't scanning them. On a class C this doesn't add a lot of time, but could for larger networks.

  63. Martin Says:

    Every time I run the nmap scan, I get the following error under Host script results:

    Conficker: ERROR: Unexpected error: SMB: Failed to receive bytes: ERROR

    Thoughts?

  64. Brian Says:

    @Ron
    think I found another contributor to the openssl issue. If you've installed openssl via a package, you don't have the libs so grabbing the openssl-devel package and then recompiling should work.

  65. Henrique Says:

    Re my comment #61.
    openssl 0.9.8g crashes when probing netapp servers (and maybe others)
    downloaded, compiled, and linked nmap against 0.9.8.k and it seems to work

  66. JK Says:

    If i run it across the network using something like x.x.x.0-255 or x.x.x.0/24 it skips ~50% of the machines (inc infected ones) ie goes from 98 to 101 to 150. If i run it across a smaller subset ie .90-110 it returns results for all ips inc 100 and 105 which come up as likely infected

  67. Trevor Says:

    Nice article. I had the openssl errors after installing from source. Removed that and install via svn and all is good in the world. (no conficker here!)

    Thanks for increasing my peace of mind.

  68. Michael Says:

    If the guest account is disabled and renamed will the script return
    "NT_STATUS_OBJECT_NAME_NOT_FOUND"?

  69. Christian Says:

    @Martin:

    I had "failed to receive bytes: ERROR" when I had a 3rd-party firewall on the Windows machine I was scanning from.

  70. martin Says:

    NSE (0.152s): smb-check-vulns against 10.0.0.42 ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    I tried to increase the timeout value, but it didn't help.

    nmap -V:
    Nmap version 4.85BETA5 ( http://nmap.org )
    I don't have any other nmap versions installed.

  71. Chris Says:

    Re: #38 #56 (openssl issue)

    I tried installing libssl-dev and recompiling from svn. Still failed.

    Finally I removed my nmap source directory, re-downloaded from svn and this time it worked.

    Thanks for your work on nmap.

  72. jws Says:

    I was also seeing the openssl error using nmap-4.85BETA5 from source on a newish Ubuntu installation. Installing openssl, libssl0.9.8, and libssl-dev via apt-get and then reconfiguring/recompiling nmap took care of it. Hope this helps.

  73. Paul Says:

    Having run nmap for conficker, I also get:

    Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND

    on all of my windows xp desktops.

    I've yet to find a definitive answer to what this means, some people think its a possible infection?

    Anyone know if there is a reason why my desktops are not scanning correctly?

  74. Patrick Says:

    Why i have this error

    NSE (1.500s): smb-check-vulns against 10.49.132.11 ended with error: C:\Program Files\Nmap\scripts\smb-check-vulns.nse:184: attempt to call field

  75. Patrick Says:

    hey, me again,

    it work now, something was wrong in the Files

  76. Trevor2 Says:

    @Michael:
    @Paul:

    NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser service is disabled. There are at least two ways that can happen:
    1) The service itself is disabled in the services list.
    2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList is set to Off/False/No rather than Auto or yes.
    On these systems, if you reenable the browser service, then the test will complete.

    There are probably many other reasons why NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned (e.g. not a windows OS, possibly infected) but I have not confirmed these.

  77. MadEye Says:

    @jws
    Xubuntu 8.10
    openssl 0.9.8g-10.1ubuntu2.2
    libssl-dev 0.9.8g-10.1ubuntu2.2
    libssl0.9.8g-10.1ubuntu2.2
    nmap-4.85BETA5
    Compiled from source again, and again, but still getting the openssl-error.
    :-(

    Interestingly on another machine with Ubuntu Server 8.0.4.1 LTS it works.

    What am i doing wrong?

  78. andy woods Says:

    hi guys - your help would be much appreciated...

    have nmap installed on a windows pc - ran this scrip against a known infected pc - and get the following output...

    not what i was expecting - any ideas ?

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Connficker: ERROR: Unexpected error: NT_STATUS_WERR_UNKNOWN_57 (srvsvc.netpathcanonicalize)
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

  79. Stephane Says:

    Hi, thanks a lot for your work.

    I receive an SMB error on all machines I scan using BETA5 :

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 43508 rttvar: 43508 to: 217540

    This SMB error has not been mentioned so far. Any idea ?

    Thanks

  80. Ron Says:

    @andy woods

    Is that reproducible? "Error 57" (the one you're getting) is an indication of infection, and it's what I'm checking for. It's weird that you get that..

  81. Ron Says:

    @Christian

    "failed to receive bytes: ERROR" -- the "ERROR" is what was returned from the recv() function -- it likely means that there was a network error. Is it reproducible? Normally I find that it goes away if I do the test again.

  82. William Says:

    Stephane,

    Is it possible that these are Windows NT machines?

    I got this message too but, for the most part, it was only on NT 4 servers (yes, I still have a few kicking around!).

  83. Ron Says:

    @Stephane

    I used to get that error a lot when checking non-Windows machines, but I thought I had it cleaned up for the most part. If you can get me a packet dump of the traffic, I'd be grateful!

  84. Clutch Says:

    I've got a set of IPs that are coming back with this error:
    445/tcp closed microsoft-ds reset and I don't get any further info. on these hosts.
    Other hosts scan with the expected results for both MS08-067 and Conficker.
    Any idea on why some hosts in a range are getting the 445/tcp closed microsoft-ds reset error?

  85. Ron Says:

    @Clutch

    The message means that the box isn't listening on that port. It may have the services disabled, or it may be blocked in some way.

  86. Clutch Says:

    Yeah, that makes sense.

    What doesn't though is why those hosts aren't listening to that port.

    Those PCs have no local FW, WinXP OS and they are setup exactly the same as other PCs on our network.

    Weird.

  87. Ron Says:

    Yeah, that's definitely strange. Out of curiosity, try a full nmap portscan, see if 139 or other windows ports are open. We have some locked down boxes at work where 445 is closed and 139 is open (but communication to 139 is refused).

  88. William Says:

    I'm seeing that with (only) a few of my PCs too. No explanation, at this point.

  89. Stephane Says:

    @Ron

    I just sent you an email with captures. As I say in it, the same target works with windows NMap but gives an MSRPC error when run from a Solaris NMap. The target is running XP.

    Thanks!

  90. Fake Rake Says:

    @Ron

    Many thanks for this script. I have a new error that nobody else has mentioned yet, any idea what would cause this:

    Host script results:
    | smb-check-vulns:
    | MS08-067: ERROR: NT_STATUS_NOT_SUPPORTED
    | MS08-067: FIXED
    | Conficker: ERROR: NT_STATUS_NOT_SUPPORTED
    |_ regsvc DoS: ERROR: NT_STATUS_NOT_SUPPORTED

  91. Rich W Says:

    I'm getting lots of what appear to be false positives with nmap 4.85BETA5.

    $ ./nmap -v -PN -d -p445 -script=smb-check-vulns -script-args=safe=1 ip.add.re.ss | grep Conf
    | Conficker: Likely INFECTED

    This system is fully patched (MS08-067) and tools like 'cfremover.exe' from http://www.anti-spyware-101.com/remove-conficker say my system is clean when I run it locally. My Trend AV patterns are also fully up-to-date.

    This has happened for several other systems here, all patched WinXP boxes.

    Anyone else seeing this?

  92. Ron Says:

    Can you try running the Simple Conficker Scanner (scs.zip or scs.py) against the host and see if it gets a false positive too?

    The method I'm using for checking is identical to scs, so if it doesn't see the false positive then I have a bug.

    Thanks!

  93. andy woods Says:

    Hi Ron

    Thanks for the info - does this mean that the machine is infected for sure?...as it is a machine we suspect to be infected.

  94. Rich W Says:

    @Ron

    Thanks for the quick followup. scs says I'm good:

    $ ./scs.py 129.100.6.29 129.100.6.31

    a.b.6.29 seems to be clean.
    a.b.6.31 seems to be clean.

  95. Ron Says:

    Oh, crap, good find. I changed a constant in my code and forgot to change it elsewhere. Fixed in SVN revision 12794.

    Sorry about that!

  96. Ron Says:

    Nothing is for sure.. but if you scan it with the current version of my script (as of about 2 minutes ago, or before about 30 minutes ago), and it comes back as INFECTED, then there's a pretty good chance.

  97. Clutch Says:

    @Ron

    I re-ran the scan and this issue went away. Weird.

  98. Frank Says:

    As for the openssl problem: using a/the src.rpm will not solve the problem as it configures nmap '--without-openssl'.

    So:
    1) install (not build) the source package
    2) edit the spec file
    2a) search for without-openssl
    2b) change to with-openssl
    3) create binary package
    4) install binary package.

    Did the trick for me - hope this helps.

    Frank

  99. Steve Says:

    Is it me or is there an issue with the download ? I am getting Forbidden on the Windows exe download.

  100. Leo Says:

    Anyone having trouble downloading from insecure.org?

    I've tried from two separate places and I keep getting denied.

  101. JeSTeR Says:

    No matter how I attempt to run it, I never get an output mentioning whether a machine is clean or infected. All I get is the standard report that 445 is open.

    Using 4.85beta5 installed from source on Ubuntu 8.04.2

  102. JeSTeR Says:

    OK, the script not running could very well have to do with running the command as root.

    Though when I do that, I do still get the "attempt to index global 'ssl'" error message.

  103. Chris Says:

    Thanks Ron!!! This is great. I gotta link to it.

  104. Justin Says:

    @Ron

    I also changed smb.lua to "local TIMEOUT = 20000" and finally got results on machines that were getting timeouts. Thanks!

  105. Adam Says:

    I'm still seeing the error:

    evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0

    I get this after compiling from tarball (after fixing the --with-openssl) and via the subversion repository. I don't have other nmap's installed, and the openssl-devel package is installed.

    I'm seeing this on both Fedora Core 10 and RHEL 5.3 - which are using openssl 0.9.8g-12 and openssl-0.9.8e-7 respectively.

  106. Steve Says:

    I'm seeing a lot of "445/tcp filtered microsoft-ds" responses.

    Do the nmap scans need to be run on a local subnet to be accurate?

  107. Karl Says:

    Hi, has anyone seen this error?
    Conficker: ERROR: NT_STATUS_NOT_SUPPORTED

  108. chris Says:

    The nmap command line above does not ping to find live hosts, so all hosts are assumed live. The filtered responses you see are because there is most likely nothing at that IP address.

  109. Fake Rake Says:

    @Karl

    I get that response from almost every machine I try to scan, I haven't figured out what's going on yet. The python scanner isn't able to scan them either.

  110. rob Says:

    Any way to scan an IP range?
    Maybe I am missing the obvious...

  111. Romain Says:

    Even with "local TIMEOUT=20000" I still get:
    Conficker ERROR: SMB: Failed to receive bytes: TIMEOUT

    Am I missing something?

  112. puggan Says:

    can you add: "Host script results:
    |_ smb-os-discovery: Unix" to the test?

  113. MadEye Says:

    Just wanted to let you know that now, with nmap 4.85BETA6, I don't get the openssl error on xubuntu 8.1 any longer.

    Ah yes, and thanks for the great work! I really appreciate it.
    Keep on rocking!
    :-D

  114. Ron Says:

    @puggan

    Yup! Change --script to "--script=smb-check-vulns,smb-os-discovery"

    Ron

  115. Oswald Says:

    @chris

    I get the "445/tcp filtered microsoft-ds no-response" on an IP that's definitely in existence.

  116. Ron Says:

    @Oswald

    The Windows firewall (or another host-based firewall) is probably enabled.

    Ron

  117. xaos Says:

    I can confirm that NT_STATUS_OBJECT_NAME_NOT_FOUND is returned on all Linux machines on my network running Samba.

  118. Bob Says:

    I ran nmap against all my 2003 servers. They all come back clean except the 2 IPs assigned to a customer's Windows Server 2008 X64 Enterprise box. It returns:

    NT_STATUS_OBJECT_NAME_NOT_FOUND

    All the updates are done and everything seems OK. The box does have shared folders if that matters. Do I need to worry about this? Is there a way I can make nmap scan this box successfully?

    Thanks

    Bob

  119. Ron Says:

    @Bob

    No, I wouldn't worry.

  120. Stephane Says:

    @Ron: Thanks a lot! All your latest patches work perfectly.

    @All: I hacked a quick Linux script that filters out most of the useless information to emphasize what's important. Use it like conficker_scan.sh 192.168.0.0/16 or whatever fits your net.

    #!/bin/bash

    # conficker_scan.sh
    # Wrapper for NMap based conficker scan
    # Written 2009-04-01 Stephane Rosa

    if [[ -z "$1" || "x$1" == "x-h" ]]; then
        echo "Usage: conficker_scan.sh nmap_style_targets"
        exit 1
    fi

    # -PN: treat every target as up (no ping), so hosts that drop probes still get listed.
    # Targets are passed through quoted so nmap sees them exactly as typed.
    nmap -PN -d -p 445 --script="smb-check-vulns,smb-os-discovery" "$@" | gawk '
        # Remember the current host; only print it once port 445 turns out to be open.
        /^Host.*is up/ {show=0; curhost=$0}
        /^445\/tcp open/ {show=1; print curhost; print $0}

        # Keep just the OS name, NetBIOS name and the two vulnerability verdicts.
        /(smb-os-discovery|Name|MS08-067|Conficker):/ {
            if (show) { print $0 }
        }'

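As an added example (not Stephane's script or Nmap's own code), here is a Python version of the same filtering that keeps the states this thread keeps running into (NOT RUN, ERROR lines, filtered 445) visible in the result instead of dropping them. The "Host ... is up", "445/tcp <state>" and "| " / "|_ " line shapes are assumed from the output quoted in this thread, and the sample scan at the bottom is constructed.

```python
"""Classify hosts from nmap --script=smb-check-vulns,smb-os-discovery output.
Added example, not Nmap's code: one record and one verdict per host, so that
NOT RUN, ERROR and filtered hosts are reported instead of silently dropped.
The sample scan at the bottom is constructed, not captured.
"""
import re
from typing import Dict, List

# Line shapes taken from the thread: "Host <ip> is up ...", the port table's
# "445/tcp <state> ..." row, and NSE result lines starting with "| " or "|_ ".
HOST_RE = re.compile(r"^Host (\S+) is up")
PORT_RE = re.compile(r"^445/tcp\s+(\w+)")
NSE_RE = re.compile(r"^\|[_ ]\s*(.*?)\s*$")

# NSE keys kept -> record fields; "Conficker: ERROR" and "Conficker ERROR" (no colon) both occur.
KEYS = (("smb-os-discovery", "os"), ("Name", "name"),
        ("MS08-067", "ms08_067"), ("Conficker", "conficker"))


def _parse_nse(body: str, rec: Dict[str, str]) -> None:
    for key, field in KEYS:
        if body.startswith(key):
            value = body[len(key):].lstrip(": ").strip()
            if value:                  # skip bare "smb-os-discovery:" header lines
                rec[field] = value
            return


def verdict(rec: Dict[str, str]) -> str:
    """Collapse one host record into a single actionable state."""
    if rec.get("port445") != "open":
        return "UNREACHABLE"   # filtered/closed: host firewall, or nothing at that IP
    conficker = rec.get("conficker", "")
    if conficker.startswith("ERROR"):
        return "ERROR"         # NT_STATUS_* or SMB TIMEOUT: rescan, do not assume clean
    if "INFECTED" in conficker:
        return "INFECTED"
    if "CLEAN" in conficker:
        return "CLEAN"
    return "NO_RESULT"         # 445 open but no Conficker line, e.g. script did not run


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Split Nmap normal output into per-host records, each with a verdict."""
    hosts: List[Dict[str, str]] = []
    rec: Dict[str, str] = {}   # lines before the first "Host" line are ignored
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HOST_RE.match(line):
            rec = {"host": m.group(1), "port445": "absent"}
            hosts.append(rec)
        elif m := PORT_RE.match(line):
            rec["port445"] = m.group(1)
        elif m := NSE_RE.match(line):
            _parse_nse(m.group(1), rec)
    for rec in hosts:
        rec["verdict"] = verdict(rec)
    return hosts


def needs_attention(hosts: List[Dict[str, str]]) -> List[str]:
    """Hosts to follow up on: infections first, then scans that errored out."""
    rank = {"INFECTED": 0, "ERROR": 1}
    flagged = [h for h in hosts if h["verdict"] in rank]
    return [h["host"] for h in sorted(flagged, key=lambda h: rank[h["verdict"]])]


# Constructed sample covering the states discussed in the thread.
SAMPLE_SCAN = """\
Host 10.0.0.5 is up (0.0010s latency).
445/tcp open  microsoft-ds
|  smb-os-discovery: Windows XP
|  MS08-067: NOT RUN
|_ Conficker: Likely INFECTED
Host 10.0.0.6 is up (0.0020s latency).
445/tcp open  microsoft-ds
|  MS08-067: FIXED
|_ Conficker: Likely CLEAN
|_ smb-os-discovery: Unix
Host 10.0.0.7 is up (0.0030s latency).
445/tcp open  microsoft-ds
|_ Conficker ERROR: SMB: Failed to receive bytes: TIMEOUT
Host 10.0.0.8 is up (0.0040s latency).
445/tcp filtered microsoft-ds
"""
```

Feed it the normal output of the nmap command above (e.g. `parse_scan(open("scan.txt").read())`) and treat ERROR and UNREACHABLE hosts as unknown, not clean.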
  121. Chris Says:

    Conficker: ERROR: NT_STATUS_NOT_SUPPORTED

    I'm also getting the above error...seems tied to the lines:

    NSE: SMB: Extended login as \guest failed
    NSE: SMB: Extended login as \ failed

    I'm using a domain administrator account on Windows to run the script, though I get similar results from a Linux nmap scan. Must have a group policy the scanner doesn't like...

  122. Rob Says:

    Has anyone put this into Zenmap? I can't seem to get it to work right. I created a new profile and added this syntax as the command...

    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    ...but the "Target" section contains the same info and when I add the subnet or IP address on the end I don't see the Conficker text in the output. Any suggestions?

  123. Yevette Says:

    Has anyone answered Brian's question about the MS08-067 NOT RUN? I couldn't find the answer if they did.

    Is that supposed to mean the patch was not applied? It is being returned on systems that I know have been patched.

  124. Yevette Says:

    @Rob

    It's working for me, put the
    -p 445 -d before the script (also remember the dash before the p).

    Like this:
    nmap -p 445 -d --script smb-check-vulns --script-args safe=1 192.168.10.0/24

  125. Ron Says:

    @Yevette

    "NOT RUN" means the check wasn't run -- it's disabled because it's considered an unsafe check. Remove the "safe=1" part to enable the check.

    I committed a change to Nmap that'll make the message more clear. I hadn't realized it would cause confusion, but it did. :)

  126. Steve Horejsi Says:

    I'm having problems with Nmap going into a hard loop when scanning certain groups of hosts for Conficker. I set --script-trace and captured the output (huge!). The problem seems to be the following:

    ...
    NSE (3.975s): smb-check-vulns against a.b.50.35 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.36 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.37 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.38 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.39 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.42 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.43 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.40 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.41 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    ...

    Am I chasing a phantom or is this a problem?

    -=[ Steve ]=-

  127. Frymaster Says:

    I'm also getting the NT_STATUS_OBJECT_NAME_NOT_FOUND error on certain machines, and I can confirm that I only get it on machines where the browser service isn't running. But if I manually start the browser service, it stops straight away again. Registry settings for the service are identical on both machines (set to Auto).

  128. Frymaster Says:

    cracked it :D
    If you have windows firewall on, the browser service will only run if you have the File and Print sharing exception set.

    In my corporate environment, those exceptions are mandated open by policy, but set as individual ports and not via the single-click service (and then blocked at the internet firewall).

    "netsh firewall set service type = fileandprint mode = enable scope = subnet" is a good command to run to open these ports for subnet access only, so you can run the scan (or use scope = all)

  129. FF Says:

    With tcpdump I see this:

    14:35:39.158298 IP ... > f.root-servers.net.domain: 21923 A? bhcuwhkh.com. (30)
    14:35:49.156369 IP ... > c.root-servers.net.domain: 21925 A? bhcuwhkh.com. (30)
    14:35:59.160827 IP ... > d.root-servers.net.domain: 21927 A? bhcuwhkh.com. (30)

    but the test of IP with "Nmap 4.85BETA7" is

    ...
    Host script results:
    | smb-check-vulns:
    | MS08-067: FIXED
    | Conficker: Likely CLEAN
    ...

    What's wrong?

  130. Steve Horejsi Says:

    Nothing quite like answering your own reply =:o)

    There is code in the smb.lua script that looks like this:

    -- Some broken implementations of SMB don't send these variables
    if(smb['time'] == nil) then
      time = 0
    end
    if(smb['timezone'] == nil) then
      timezone = 0
    end
    if(smb['key_length'] == nil) then
      key_length = 0
    end

    This was put in place (apparently) to deal with non-conformant SMB implementations. I changed this code in my copy to read:

    -- Some broken implementations of SMB don't send these variables
    if(smb['time'] == nil) then
      smb['time'] = 0
    end
    if(smb['timezone'] == nil) then
      smb['timezone'] = 0
    end
    if(smb['key_length'] == nil) then
      smb['key_length'] = 0
    end

    I can now scan subnets with 'troublesome' SMB servers without Nmap going into a loop. I think this is what the author intended.

    Who needs to know about this?

    -=[ Steve ]=-

  131. Ron Says:

    @FF

    Very good question, I'll have to look into this. Is there any way you can get me a packet capture of the traffic when you do a scan?

    And also, are you using the latest build (beta7)? We fixed what we think are some false negatives in that version, based on some work by the Honeynet group and Tenable.

    Thanks!

  132. Jose Says:

    I wrote a small script that parses the nmap output and uses nbtscan to retrieve the NetBIOS name and outputs vulnerable / infected machines in comma-delimited format. It works well for us, hope it helps!

    Download:
    http://jdltech.com/conficker/

  133. Ron Says:

    @Jose

    Cool stuff!

    You might want to look at smb-os-discovery -- it also prints the name, and is more likely to work than nbtscan.

    Ron

  134. @FF Says:

    Yes I'm using the latest build (beta7).

    Which of the 100 packets do you need?

    Traffic sequence:


  135. Ron Says:

    @@FF

    It's hard to say -- can you email me the full packet capture? ron at skullsecurity.net.

    If you're using tcpdump, the command would probably be:
    tcpdump -s0 -w output.pcap "tcp port 445"

    When it's done, send me output.pcap.

    Thanks!

  136. Mellaly Says:

    If you have windows firewall on, the browser service will only run if you have the File and Print sharing exception set.
