Hi everybody,
With the help of Symantec’s Security Intelligence Analysis Team, I’ve put together a script that’ll detect Conficker (.C and up) based on its peer to peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p445 <host>
or
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p U:137,T:139 <host>
See below for more information!
Or, if you just want to scan your network fast, give this a shot:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=checkconficker=1,safe=1 -T4 <host>
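Once a scan like the ones above has run, the interesting part for a defender is turning the per-host p2p-conficker output into a list of machines that need attention. The following added example (my own illustration, not part of the original post or of the Nmap script) does that by parsing Nmap's XML output (`-oX`). The XML sample is constructed, and the wording of the `output` attributes is an assumed approximation of what the script prints, so the regular expression may need adjusting against real output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX -` output for three hosts. The text in the
# `output` attributes is an assumed approximation of what p2p-conficker prints,
# not captured from a real scan; the addresses are documentation-range values.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="Checking for Conficker.C or higher...&#10;Check 1 (port 45834/tcp): INFECTED (Received valid data)&#10;Check 2 (port 39207/tcp): INFECTED (Received valid data)&#10;2/2 checks are positive: Host is likely INFECTED"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="Checking for Conficker.C or higher...&#10;Check 1 (port 33516/tcp): CLEAN (Couldn't connect)&#10;Check 2 (port 19431/tcp): CLEAN (Couldn't connect)&#10;0/2 checks are positive: Host is CLEAN or infected with a different strain"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP (Windows 2000 LAN Manager)"/>
    </hostscript>
  </host>
</nmaprun>
"""

# One line per peer-to-peer port check (assumed format): port, protocol, state.
CHECK_LINE = re.compile(r"^Check \d+ \(port (\d+)/(tcp|udp)\): (INFECTED|CLEAN)", re.M)


def conficker_verdicts(xml_text):
    """Map each scanned IPv4 host to 'infected', 'clean' or 'not-checked',
    based on the p2p-conficker hostscript output in Nmap's XML report."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        # A host with no p2p-conficker result (script skipped, no SMB ports open)
        # must not be silently reported as clean.
        verdicts[ip] = "not-checked"
        for script in host.findall("hostscript/script"):
            if script.get("id") != "p2p-conficker":
                continue
            checks = CHECK_LINE.findall(script.get("output", ""))
            positives = [(port, proto) for port, proto, state in checks if state == "INFECTED"]
            verdicts[ip] = "infected" if positives else "clean"
    return verdicts


def infected_hosts(xml_text):
    """Only the addresses that need incident response, sorted for reporting."""
    return sorted(ip for ip, v in conficker_verdicts(xml_text).items() if v == "infected")


if __name__ == "__main__":
    for ip, verdict in conficker_verdicts(SAMPLE_XML).items():
        print(f"{ip:15} {verdict}")
    print("needs response:", infected_hosts(SAMPLE_XML))
```

Against a real scan, add `-oX scan.xml` to the nmap command line from the post and pass the file contents to `conficker_verdicts()`; the `not-checked` verdict is deliberately kept separate from `clean` so that hosts the script never reached do not disappear from the report.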
Updated Conficker detection
Morning, all!
Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks.
Using PsTools in a pentest
I’m going to start off this blog by wishing a happy birthday to a very important person – me. :)
Now, onto the content!
PsTools is a suite of tools developed by Sysinternals (now Microsoft). They’re a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As good as they are, they aren’t without their quirks!
Here are a few topics worth discussing:
- Ports and traffic
- Specifying an account
- Running it purely in a console
Most (possibly all) of the PsTools use standard Windows functions. That makes life easy: we can expect PsTools to behave the same way other remote Windows functions do, provided we know how those work.