最近遭遇conficker,正好在cissp forum的mail list看到Brandon说新的NMAP能扫描conficker, Brandon还给了一个Perl脚本将扫描结果进行格式转换。




======= huangyyb的NMAP conficker扫描结果分析脚本 ======
Option Explicit

Dim s_input_filename, s_output_filename
Dim objFSO, objInputFile, objOutputFile, objErrorLogFile, objDialog
Dim s_title, strLineReaded, strLine2Write
Dim arrRecord, i

Const ForReading = 1

‘On Error Resume Next

‘ Open File Dialog just work under windows XP, can’t work under Vista,
‘ Manually edit input file name and remove scripts of related lines when run this script under vista
‘s_input_filename = “D:\Conficker-Scan\20090420-test.nmap”
s_input_filename = “”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If s_input_filename = “” Then
Set objDialog = CreateObject( “SAFRCFileDlg.FileOpen” )

‘ Note: The dialog will be opened without any file name or
‘ type filter, and in the “current” directory, e.g. as
‘ remembered from the last “SAFRCFileDlg.FileOpen” or
‘ “SAFRCFileDlg.FileSave” dialog!
If objDialog.OpenFileOpenDlg Then
s_input_filename = objDialog.FileName
End If

‘ Set objDialog = CreateObject( “UserAccounts.CommonDialog” )
‘ If objDialog.ShowOpen Then
‘ s_input_filename = objDialog.FileName
‘ End If
End If

If Not (objFSO.FileExists(s_input_filename)) Then
WScript.Echo (“You have not choose a NMAP result file”)
‘open input file
Set objInputFile = objFSO.OpenTextFile(s_input_filename, ForReading)

‘open output file
s_output_filename = s_input_filename + “.csv”
If (objFSO.FileExists(s_output_filename)) Then
Set objOutputFile = objFSO.OpenTextFile(s_output_filename,  
Set objOutputFile = objFSO.OpenTextfile(s_output_filename, 2, “True”)
End If

s_title = “IP,MAC,MS08-067,Conficker,regsvc DoS”
objOutputFile.WriteLine s_title

If objInputFile.AtEndOfStream <> True Then strLineReaded = objInputFile.ReadLine

Do While objInputFile.AtEndOfStream <> True
strLine2Write = “”
If inStr(strLineReaded, “Host “) Then
‘Column: IP
arrRecord = split(strLineReaded, ” “)
strLine2Write = strLine2Write + arrRecord(1)

‘Column: MAC
For i=1 To 4
strLineReaded = Trim(objInputFile.ReadLine)
If strLineReaded = “” Then
‘ This line is empty indicate that the scan may not be run in local Vlan, no MAC
strLine2Write = strLine2Write + “,”
strLineReaded = Trim(objInputFile.ReadLine)
strLine2Write = strLine2Write + “,” + Trim(Mid(strLineReaded, 13))
End If

strLineReaded = objInputFile.ReadLine

If inStr(strLineReaded, “Host script results”) Then
‘Column: MS08-067
strLineReaded = objInputFile.ReadLine
arrRecord = split(strLineReaded, “:”)
strLine2Write = strLine2Write + “,” + Trim(arrRecord(1))

‘Column: Conficker
strLineReaded = objInputFile.ReadLine
arrRecord = split(strLineReaded, “:”)
strLine2Write = strLine2Write + “,” + Trim(arrRecord(1))

‘Column: regsvc DoS
strLineReaded = objInputFile.ReadLine
strLine2Write = strLine2Write + “,” + Trim(Mid(strLineReaded, 16))
End If

objOutputFile.WriteLine strLine2Write
strLineReaded = objInputFile.ReadLine
End if

End If

======= huangyyb的NMAP conficker扫描结果分析脚本 ======
********* Brandon的邮件内容 ******************

Fellow security folks,

** For those in a hurry scroll down to how to get the latest release and the the recommended command ***

Given that this is many people’s first time trying to use Nmap to scan many thousands of hosts at the same time I figure I should share how I’ve been doing it.

Nmap can easily handle scanning a million+ IPs but it isn’t tuned to do so by default. Seemingly minor options can have a big impact on time in huge scans.

*** How to get the latest release: ***

You will need the absolute latest release of Nmap (4.85BETA5) which you can get from:

*** For those in a hurry, here is the command I recommend using: ***
sudo nmap -sC –script=smb-check-vulns –script-args=safe=1 -p445 \
-d -PN -n -T4 –min-hostgroup 256 –min-parallelism 64 \
-oA conficker_scan

*** Interpreting results ***
Each host that is checked will have a line about Conficker in the “Host script results” section. If you are going to be scanning a very large network you should use XML output. I have written a perl script (needs XML::Simple) to parse and report on your Conficker/MS08-067 scan results available here:

Nmap can take CIDR targets so is perfectly fine for your network. You could also do something like 123.234.2-254.2-254 If you have more than one netblock you can separate them with a space like

If you want want to ramp the scan speed up further, increase the –min-hostgroup and –min-parallelism but keep them in a 4:1 ratio. I wouldn’t recommend more than 4096/1024. You can also change -T4 to -T5 but depending on the network/hosts you are scanning this may or may not have any speed/accuracy effect.

There are three options in the above command to help cut down on the amount of work Nmap has to do per host: -n, -p445, and -PN.

* -n turns off reverse name resolution which will be nice on your nameservers.

* -PN in conjunction with -p445 skips the host up/down detection and goes straight into scanning port 445. This both increases accuracy and reduces the per-host work done. The ping process is pretty fast but is still slower than just checking a single port. Hosts that have a firewall but exceptions for Windows file sharing would not be caught without -PN.

It is important to note that scanning for Conficker has the small chance of crashing an unpatched host. Patched and infected hosts won’t be crashed though. Note that if Conficker scans unpatched hosts they are even more likely to crash than with this check so the benefits probably outweigh the drawbacks.

If you have questions about this script/using Nmap drop a note to nmap-dev_at_insecure.org.


下面引用的就是[url=http://www.net-security.org/secworld.php?id=7252][color=#FF0000]http://www.net-security.org/secworld.php?id=7252[/color][/url] 上的内容
The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. Thanks to research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, a new Nmap release is here which can remotely scan for and detect infected machines.

To scan for Conficker, use a command such as:
nmap -PN -T4 -p139,445 -n -v –script=smb-check-vulns –script-args safe=1 [targetnetworks]

A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on Doxpara.com.

While Conficker gets all the attention, 4.85BETA5 also has many other great improvements:
Ndiff now includes service (version detection) and OS detection differences.
[Ncat] The –exec and –sh-exec options now work in UDP mode like they do in TCP mode: the server handles multiple concurrent clients and doesn’t have to be restarted after each one.
[Ncat] The -v option (used alone) no longer floods the screen with debugging messages. With just -v, we now only print the most important status messages such as “Connected to …”, a startup banner, and error messages. At -vv, minor debugging messages are enabled, such as what command is being executed by –sh-exec. With -vvv you get detailed debugging messages.
[Ncat] Chat mode now lets other participants know when someone connects or disconnects, and it also broadcasts a current list of participants at such times.
[Ncat] Fixed a socket handling bug which could occur when you redirect Ncat stdin, such as “ncat -l –chat < /dev/null". The next user to connect would end up with file descriptor 0 (which is normally stdin) and thus confuse Ncat.
[Zenmap] The “Scan Output” expanders in the diff window now behave more naturally. Some strange behavior on Windows was noted by Jah.
The following OS detection tests are no longer included in OS fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI, and SI were found not be helpful in distinguishing operating systems because they didn’t vary. TOS and TOSI were disabled in 4.85BETA1 but now they are not included in prints at all.
The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment.
Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI test that could cause a closed-port IP ID to be written into the array for the SEQ.TI test and cause erroneous results.
Nbase has grown routines for calculating Adler32 and CRC32C checksums. This is needed for future SCTP support.
[Zenmap] Zenmap no longer shows an error message when running Nmap with options that cause a zero-length XML file to be produced (like –iflist).
Fixed an off-by-one error in printableSize() which could cause Nmap to crash while reporting NSE results. Also, NmapOutputTable’s memory allocation strategy was improved to conserve memory.
[Zenmap] We now give the –force option to setup.py for installation to ensure that it replaces all files.
Nmap’s –packet-trace, –version-trace, and –script-trace now use an Nsock trace level of 2 rather than 5. This removes some superfluous lines which can flood the screen.
[Zenmap] Fixed a crash which could occur when loading the help URL if the path contains multibyte characters.
[Ncat] The version number is now matched to the Nmap release it came with rather than always being 0.2.
Fixed a strtok issue between load_exclude and TargetGroup::parse_expr that caused only the first exclude on a line to be loaded as well as an invalid read into free()’d memory in load_exclude().
NSE’s garbage collection system (for cleaning up sockets from completed threads, etc.) has been improved.