Detect Conficker in your network using NMAP

April 8, 2009 3:10 am

by Black

in Tutorials

Okay! So, since the first of this month, the whole security community has been watching intently for Conficker to strut its stuff. It did not do exactly that. But it did manage to get a newer version of NMAP out to scan for its vulnerability!

Mighty for a measly worm, I must say. It already has a site dedicated to its information and also has a documented page! Anyway, getting back to the topic, you can use NMAP to scan for Conficker using this simple command:

nmap -PN -p139,445 -n -v --script smb-check-vulns --script-args safe=1 target_IPs

Here target_IPs is a single hostname, IP address or range of IP addresses.

The result for a clean machine might look like this:
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

A compromised machine:
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

The "--script-args safe=1" part of the command prevents the MS08-067 check from being performed, which is why you see "NOT RUN" next to its entry in the Host script results.

This check has a high chance of crashing vulnerable machines, so executing that test is not recommended. We have posted it for your information, and you should first test it in a non-important environment!
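When the scan covers a whole range, reading every "Host script results" block by hand does not scale. The following is an added example, not part of the original post or of NMAP: a small Python parser that sorts hosts by the Conficker line shown above and treats any host without a "Likely CLEAN" verdict as still needing a look. The host header strings and the sample output are assumptions constructed for the example.

```python
import re

# Host header in NMAP's normal output. Assumption: each host section starts with
# "Nmap scan report for" (newer releases) or "Interesting ports on" (older ones).
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
# The smb-check-vulns verdict line shown in the post, e.g. "| Conficker: Likely CLEAN"
VERDICT_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

def triage(nmap_output):
    """Map every scanned host to 'infected', 'clean' or 'unchecked'."""
    results, host = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "unchecked"  # no verdict seen yet (ports closed, SMB error)
            continue
        m = VERDICT_RE.match(line)
        if m and host is not None:
            verdict = m.group(1)
            if verdict.startswith("Likely INFECTED"):
                results[host] = "infected"
            elif verdict.startswith("Likely CLEAN"):
                results[host] = "clean"
            # any other text (an error message, for instance) stays "unchecked"
    return results

# Constructed sample output for three hosts (documentation addresses, not real scan data).
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for 192.0.2.11
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for 192.0.2.12
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}\t{state}")
```

A host reported as "unchecked" never produced a verdict, so it should be rescanned or inspected locally rather than counted as clean.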

Download NMAP here.
