
Scan for Conficker with Nmap 4.85 beta5 Gentoo ebuild

March 31st, 2009

On Monday Dan Kaminsky, along with the Honeynet Project’s Tillmann Werner and Felix Leder, announced they had discovered a way to detect whether a machine is infected with the Conficker worm by scanning it over the network. See Dan’s post for more information. Shortly thereafter, version 4.85BETA5 of the nmap tool was released to allow remote scanning for the Conficker worm.

As April 1st is just a few hours away (I guess it’s already here in some parts of the world), I wanted to scan my network using the latest version of the nmap tool. As Gentoo doesn’t have an ebuild yet, I quickly created one and thought I’d share it.

This file contains everything you need:
Nmap 4.85BETA5 ebuild

Installing Nmap 4.85BETA5

$ cd ~
$ wget http://www.brandonturner.net/blog/wp-content/uploads/2009/03/nmap-485_beta5ebuild.tgz
$ sudo mkdir -p /usr/local/portage
$ cd /usr/local/portage
$ sudo tar -xzf ~/nmap-485_beta5ebuild.tgz
$ echo '=net-analyzer/nmap-4.85_beta5' | sudo tee -a /etc/portage/package.keywords
$ echo 'net-analyzer/nmap lua' | sudo tee -a /etc/portage/package.use
$ emerge -pv nmap
(If emerge doesn’t show that it will emerge nmap-4.85_beta5, ensure you have PORTDIR_OVERLAY="/usr/local/portage" in your /etc/make.conf file)
$ sudo emerge nmap

Scanning for Conficker

insecure.org has some instructions on how to scan for Conficker. Basically, here is what I did to scan a 192.168.1.0/24 network:

$ cd ~
$ nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 192.168.1.0/24 | tee conficker_scan.txt | grep -P 'Host \d|Conficker' | grep -B 1 'Conficker'

This stores the complete output of the nmap command in conficker_scan.txt, but displays a quick-and-dirty summary to stdout. Your mileage may vary. Obviously you should replace the network address (192.168.1.0/24 above) with your own network.

You should see something like:

Host 192.168.1.101 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.102 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.103 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.104 appears to be up ... good.
|  Conficker: Likely INFECTED
--

Linux boxes usually return something like Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND.
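The grep pipeline above only shows the two interesting lines per host. As an added example (not part of the original post), the following POSIX shell script reads the saved conficker_scan.txt and reduces it to one line per host, classifying each as CLEAN, INFECTED, UNKNOWN (with the raw error text, which is what the Linux boxes mentioned above produce) or NO-RESULT when port 445 was scanned but the script never reported. It assumes the nmap 4.x output format shown in the post ("Host X appears to be up", "Interesting ports on X:", and "|  Conficker: ..." lines); the sample scan embedded in the script is constructed, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original post: summarize a saved nmap
# smb-check-vulns run into "<ip> <status>" lines, one per host.

summarize_conficker() {
    # $1: path to the complete nmap output (conficker_scan.txt in the post).
    # Assumption: host headers look like the nmap 4.x lines shown in the post.
    awk '
        # Remember which host the following lines belong to.
        /^Host [0-9.]+ appears to be up/ { host = $2; seen[host] = 1; next }
        /^Interesting ports on [0-9.]+:/ { host = $4; sub(/:$/, "", host); seen[host] = 1; next }
        # Script result line: classify whatever follows "Conficker: ".
        /Conficker:/ {
            if (host == "") next
            status = $0
            sub(/.*Conficker: */, "", status)
            if (status ~ /INFECTED/)    result[host] = "INFECTED"
            else if (status ~ /CLEAN/)  result[host] = "CLEAN"
            else                        result[host] = "UNKNOWN (" status ")"
        }
        END {
            # Hosts seen without any Conficker line (e.g. 445/tcp closed) are
            # reported too, so they are not silently assumed clean.
            for (h in seen) {
                s = (h in result) ? result[h] : "NO-RESULT"
                print h, s
            }
        }
    ' "$1" | sort
}

# Only the hosts you actually need to act on.
infected_hosts() {
    summarize_conficker "$1" | awk '$2 == "INFECTED" { print $1 }'
}

# Constructed sample in the format the post shows (not a real scan).
SAMPLE_SCAN="$(mktemp)"
trap 'rm -f "$SAMPLE_SCAN"' EXIT
cat > "$SAMPLE_SCAN" <<'EOF'
Host 192.168.1.101 appears to be up ... good.
Interesting ports on 192.168.1.101:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  Conficker: Likely CLEAN
Host 192.168.1.104 appears to be up ... good.
Interesting ports on 192.168.1.104:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  Conficker: Likely INFECTED
Host 192.168.1.110 appears to be up ... good.
Interesting ports on 192.168.1.110:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
Host 192.168.1.120 appears to be up ... good.
Interesting ports on 192.168.1.120:
PORT    STATE SERVICE
445/tcp closed microsoft-ds
EOF

echo "== per-host summary =="
summarize_conficker "$SAMPLE_SCAN"
echo "== infected =="
infected_hosts "$SAMPLE_SCAN"
```

To use it against a real run, replace the constructed sample with `summarize_conficker ~/conficker_scan.txt`. Keying the host on the "Interesting ports on" header as well as the "appears to be up" line keeps the pairing correct even if nmap prints all of the host-discovery lines before any script results, which the post's `grep -B 1` shortcut does not guarantee.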
