With the help of Symantec’s Security Intelligence Analysis Team, I’ve put together a script that’ll detect Conficker (.C and up) based on its peer-to-peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p445 <host>
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=safe=1 -T4 -p U:137,T:139 <host>
See below for more information!
Or, if you just want to scan your network fast, give this a shot:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args=checkconficker=1,safe=1 -T4 <host>
Updated Conficker detection
Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks.
Using PsTools in a pentest
I’m going to start off this blog by wishing a happy birthday to a very important person – me. :)
Now, onto the content!
PsTools is a suite of tools developed by Sysinternals (now Microsoft). They’re a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As good as they are, they aren’t without their quirks!
Here are a few topics worth discussing:
- Ports and traffic
- Specifying an account
- Running it purely in a console
Most (possibly all) of the PsTools use standard Windows functions. That makes life easy – we can expect PsTools to behave the same way other remote functions do, if we know how!
Scanning for Conficker with Nmap
Using Nmap to scan for the famous Conficker worm.
Bruteforcing Windows over SMB: Tips and Tricks
Today, I’m going to share some knowledge and techniques on bruteforcing Windows passwords. Hopefully, some of you have thought about this and can give me even more advice. If you know anything, post it!