Scanning for Conficker with Nmap

Using Nmap to scan for the famous Conficker worm.

<Update>
Nmap 4.85beta5 has all the scripts included, download it at http://nmap.org/download.html.

You'll still need to run a scan:

nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

</Update>

<Update 2>
If you're having an OpenSSL problem, read this!

OpenSSL isn't included by default in the Nmap RPMs, and I wasn't properly checking for that in my scripts. Fyodor will have a beta5 RPM up tonight, which will fix that issue.

Until then, you have two options:
1. Use a source RPM
2. Compile straight from source, from the svn
</Update 2>

<Update 3>
If you're still having OpenSSL issues, try installing the openssl-dev package, and install Nmap from source. Or, download the latest rpm (beta5) or svn version -- they have fixed the issue altogether (OpenSSL is no longer required!)

Further, if you're having an issue with error messages, this great post by Trevor2 might help:

NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser service is disabled. There are at least two ways that can happen:
1) The service itself is disabled in the services list.
2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList is set to Off/False/No rather than Auto or yes.
On these systems, if you reenable the browser service, then the test will complete.

There are probably many other reasons why NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned (e.g. not a windows OS, possibly infected) but I have not confirmed these.

Furthermore, this error will occur against Windows NT.
</Update 3>

Hot on the coattails of the Simple Conficker Scanner, I've added detection for Conficker to Nmap. Currently, there are two ways of doing this -- you can check out the SVN version of Nmap and compile from source, or you can update the three necessary files.

Update from SVN

If you're on a Unix-like system, this is probably the easiest way. You can install it either system-wide or in a folder. Here is the system-wide command:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install
$ nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

If you prefer to run it from a local folder, use the following commands:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ export NMAPDIR=.
$ ./nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>
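Once the scan runs, each host's verdict comes back as a "Conficker:" line inside the "Host script results:" block, and on a larger range it is easier to pull those lines out per host than to read the raw output. The script below is an added example, not code from this post or from Nmap: it parses Nmap's normal output (the "Interesting ports on NAME (IP):" header this Nmap version prints, or the newer "Nmap scan report for" form), collects the Conficker status for each host, and attaches the interpretation given on this page for the common error strings (NT_STATUS_OBJECT_NAME_NOT_FOUND, NT_STATUS_ACCESS_DENIED, TIMEOUT). The run_scan helper issues the command from the post without -d, since debug output is not needed for parsing; the embedded sample output, host names and 192.0.2.x addresses are constructed for the example.

```python
"""Summarize smb-check-vulns Conficker results per host from Nmap output.

Added example, not part of the original post or of Nmap. Assumes the output
layout shown on this page: a host header line followed by a
"Host script results:" block whose lines begin with "| " or "|_ ".
"""
import re
import subprocess
import sys

# Host header as printed by Nmap 4.85 ("Interesting ports on") or later releases.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (?P<host>.+?):?$")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(?P<status>.+?)\s*$")

# Interpretations of the error strings, taken from the post and its comments.
# An ERROR is not a verdict: it means the check could not be completed.
ERROR_HINTS = {
    "NT_STATUS_OBJECT_NAME_NOT_FOUND":
        "pipe not found: non-Windows host, Browser service disabled, or service crashed",
    "NT_STATUS_ACCESS_DENIED":
        "pipe locked down: probably ok, Conficker could not reach it either",
    "TIMEOUT":
        "no reply in time; retry, or raise 'local TIMEOUT = 5000' in nselib/smb.lua",
    "Failed to receive bytes: ERROR":
        "recv() failed, likely a transient network error; rerun the scan",
}


def parse_conficker_results(output):
    """Return {host_header: raw_status} for every host that printed a Conficker line."""
    results = {}
    host = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            continue
        m = CONFICKER_RE.match(line)
        if m and host:
            results[host] = m.group("status")
    return results


def classify(status):
    """Map a raw status string to (kind, hint); kind is INFECTED, CLEAN or ERROR."""
    upper = status.upper()
    if upper.startswith("LIKELY INFECTED"):
        return "INFECTED", "verdict: likely infected; isolate and rebuild"
    if upper.startswith("LIKELY CLEAN"):
        return "CLEAN", "verdict: likely clean"
    for key, hint in ERROR_HINTS.items():
        if key in status:
            return "ERROR", hint
    return "ERROR", "unrecognised result; confirm the host is Windows and rerun"


def summarize(output):
    """Return {host_header: (kind, hint)} for the parsed scan output."""
    return {h: classify(s) for h, s in parse_conficker_results(output).items()}


def run_scan(targets, nmap="nmap"):
    """Run the command from the post (minus -d) and return Nmap's stdout."""
    cmd = [nmap, "--script=smb-check-vulns", "--script-args=safe=1", "-p445", *targets]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample output in the format shown on this page (not a real scan).
SAMPLE_OUTPUT = """\
Interesting ports on ws-clean (192.0.2.10):
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack

Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on ws-bad (192.0.2.11):
Host script results:
| smb-check-vulns:
| Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for srv-2008 (192.0.2.12)
Host script results:
| smb-check-vulns:
| Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on ws-slow (192.0.2.13):
Host script results:
| Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on ws-filtered (192.0.2.14):
PORT STATE SERVICE REASON
445/tcp filtered microsoft-ds no-response
"""

if __name__ == "__main__":
    # With targets on the command line, scan them; otherwise parse the sample.
    text = run_scan(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for host, (kind, hint) in sorted(summarize(text).items()):
        print(f"{kind:8} {host}  ({hint})")
```

Hosts whose port 445 is filtered (the last sample host) never reach the script, so they are absent from the summary rather than reported clean; treat a missing entry as "not checked", not as a negative result.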

Update just the files

If you're on Windows, or don't want to compile from source, you can install the three datafiles.

First, make sure you're running Nmap 4.85beta4. That's the latest beta version. Then, download this file:

And place it in the "scripts" folder (see below).

Then, download these files:

  • http://www.skullsecurity.org/blogdata/msrpc.lua
  • http://www.skullsecurity.org/blogdata/smb.lua

And place them in the "nselib" folder (see below).

Where are the folders?

On Linux, try /usr/share/nmap/ or /usr/local/share/nmap or even /opt/share/nmap.

On Windows, try c:\program files\nmap

If all else fails, the scripts folder will contain a bunch of .nse files and the nselib folder will contain a bunch of .lua files. Try searching your drive for smb-check-vulns.nse and msrpc.lua, and replace those.

Conclusion

Hopefully that helps! If you have any problems or questions, don't hesitate to contact me! My name is Ron, and my email domain is @skullsecurity.net.

Ron

138 thoughts on “Scanning for Conficker with Nmap”

  1. Reply

    jp

    Awesome, Ron, thank you!

    1. Reply

      Ron Post author

      Happy to help! :)

      To be honest, it's been awhile since I've had to race a vulnerability (or, in this case, something like one). I missed that feeling of excitement!

  2. Reply

    Todd

    How do you know if it's infected or not? What responses determine positives or negatives?

    1. Reply

      Ron Post author

      Hey Todd,

      It's fairly straightforward. Look for the smb-check-vulns section, and it'll look something like this:
      --
      Host script results:
      | smb-check-vulns:
      | MS08-067: NOT RUN
      | Conficker: Likely INFECTED
      |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
      --
      Alternatively, it might say "Likely CLEAN".

      Ron

  3. Reply

    Brian

    Ron,

    How do I tell if they are infected or not? It's been a long while since I have used NMAP, and I may just be missing the answer.

    I do have NMAP installed, patched and running correctly though.

    Thanks
    Brian

  4. Reply

    Brian

    Ron,

    Ignore my first comment, my first scan was against a bad IP range.

    I do have a question though, does " MS08-067: NOT RUN" mean that the patch was not applied, or just not checked for by NMAP?

    Thanks
    Brian

  5. Reply

    BT

    Ron, this is great...thank you for this.

    If the system is infected with Conficker would it show as "MS08-067: VULNERABLE"?

    My understanding is that Conficker masks itself in that it makes itself appear that MS08-067 is installed, so I'm curious as to what an infected machine looks like.

    Thanks again!

    1. Reply

      Ron Post author

      MS08-067 means it's likely to GET infected, but doesn't mean it's infected. Look for the 'Conficker' line.

  6. Reply

    Chad

    Looks good. Question about the results.

    I've been getting 2 so far.

    Conficker: Likely Clean (easy enough)

    Conficker: NT_STATUS_OBJECT_NAME_NOT_FOUND (Is this an error in the script or something else? What would the results show if it was infected?)

    Thanks!

    1. Reply

      Ron Post author

      Chad,

      The second one means either it's a non-Windows system, or the process has crashed (either from an attempted infection or a successful infection).

  7. Reply

    Shaun

    Thanks Ron - this is great. Can you provide usage and expected output when scanning an infected host?

    1. Reply

      Ron Post author

      @Shaun:

      Infected:
      --
      Host script results:
      | smb-check-vulns:
      | MS08-067: NOT RUN
      | Conficker: Likely INFECTED
      |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
      --

      Uninfected:
      --
      Host script results:
      | smb-check-vulns:
      | MS08-067: NOT RUN
      | Conficker: Likely CLEAN
      |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
      --

      Error codes may mean different things, unfortunately I can't guess all conditions. If you get an error, double-check that it's Windows and maybe try again. If it continues not to work, it may be because the service has crashed for an unknown reason.

  8. Reply

    David Hinkle

    Is the result "Conficker: ERROR: NT_STATUS_ACCESS_DENIED" a clean result, or something I did wrong?

    1. Reply

      Ron Post author

      @David Hinkle

      That likely means that the server has been locked down, so we don't have access to the necessary pipe. Fortunately, that means that neither does Conficker -- NT_STATUS_ACCESS_DENIED probably means you're ok. Probably. :)

  9. Reply

    CharlesL

    So, if I don't see either:

    "Conficker: Likely CLEAN"
    or
    "Conficker: Likely INFECTED"

    Does that mean that the script is not running correctly?

    1. Reply

      Ron Post author

      @CharlesL

      Originally, I wasn't printing an error message by default. Now, I am. Try running newest svn version.

  10. Reply

    EJ

    @ Todd: By looking in the files Ron provided, I found text in smb-check-vulns.nse that's likely associated with the determination of Conficker infection. It appears it will either report "Conficker: Likely INFECTED" or "Conficker: Likely CLEAN"

  11. Reply

    MemphisBytes

    Hey Ron,

    Thanks and great job!

    FYI - Tested against Windows 2003 and Windows 2008 Server with the following results.

    2003
    ----
    PORT STATE SERVICE REASON
    445/tcp open microsoft-ds syn-ack
    MAC Address: 00:xx
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely CLEAN
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

    Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-services.
    Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
    Raw packets sent: 2 (86B) | Rcvd: 2 (86B)

    2008
    ----
    PORT STATE SERVICE REASON
    445/tcp open microsoft-ds syn-ack
    MAC Address: 00:xx

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

    Read from C:\Program Files\Nmap: nmap-mac-prefixes nmap-services.
    Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

  12. Reply

    CharlesL

    So, does this mean that if I don't see:

    "Conficker: Likely CLEAN"
    "Conficker: Likely INFECTED"
    or
    "Conficker: "

    then I am not running the script correctly? I don't see any conficker lines.

  13. Reply

    Shaun

    never mind the 2nd half of my comment...just re-read page...thanks very much

  14. Reply

    Milo Velimirović

    What's the interpretation of this result?
    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_ACCESS_DENIED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 1551 rttvar: 5000 to: 100000

    1. Reply

      Ron Post author

      @Milo Velimirović

      The interpretation is that the script was unable to access the pipe that's used for MS08-067 exploitation. That likely means that a Conficker attempt would have failed.

      Ron

  15. Reply

    Milo Velimirović

    And a big thanks! for putting together this page. It's just what's needed to cut through all the other interesting stuff.

  16. Reply

    Mike

    I am getting an error here it is: NSE: smb-check-vulns against x.x.x.x ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value). And I am not seeing the statement above. Any help is much appreciated. Thanks

    1. Reply

      Ron Post author

      @Mike

      Use the latest version of Nmap (4.85beta4). You're likely on 4.75, which doesn't have the required OpenSSL bindings.

      Ron

  17. Reply

    ScottT

    Seems I'm having problems, what is the command you guys are using? All I get back is a basic nmap result:
    PORT STATE SERVICE
    445/tcp open microsoft-ds

    advice?

    1. Reply

      Ron Post author

      @ScottT

      You may be using an older version of Nmap. Try getting Nmap 4.85beta5 -- it'll have everything included. I'm about to update the main post about that.

  18. Reply

    Rob_G

    Nmap 4.85beta5 for Windows has just been released with these files already present. Just an FYI.

    1. Reply

      Ron Post author

      @Rob_G

      Thanks Rob! I was just in the process of posting an updated story. :)

  19. Reply

    ScottT

    @Ron
    Thanks for the quick reply. I do have Nmap 4.85beta5, so I'll post my command here, which may be the problem (Don't use this command guys)
    nmap --script smb-check-vulns.nse -p445 10.0.0.* << Don't use this
    I've tried specifying a single host as well, same output. I'm not getting error messages, just something that says the port is open / closed.

  20. Reply

    MemphisBytes

    @ScottT - Command is at the top of this page - or here -

    Windows - nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    linux same except ./nmap

  21. Reply

    ScottT

    @myself.

    Sorry, looks like I have beta 4. Updating now.

  22. Reply

    Glenn

    When I run the "Intense Scan" I don't see a value for smb-check-vulns. Sample result below. What might I be doing wrong? Windows, on the beta version.

    Host script results:

    | nbstat: NetBIOS name: PC153, NetBIOS user: , NetBIOS MAC: MAC

    | Name: PC153 Flags:

    | Name: PC153 Flags:

    | Name: DOMAIN Flags:

    |_ Name: DOMAIN Flags:

    | smb-os-discovery: Windows XP

    | LAN Manager: Windows 2000 LAN Manager

    | Name: DOMAIN\PC153

    |_ System time: 2009-03-30 16:12:23 UTC-4

    1. Reply

      Ron Post author

      @Glenn

      What's your commandline?

      smb-check-vulns isn't a "default" script, so you have to explicitly use it.

  23. Reply

    MemphisBytes

    FYI - I am getting this on all 2008 servers... anyone else see the same?

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

  24. Reply

    Jeff

    I am scanning a known infected machine as well as a known clean, but keep running into these errors (same for both):

    Running 1 script threads:

    NSE (6.234s): Starting smb-check-vulns against 10.65.94.57.

    NSE: SMB: ERROR: Received wrong number of bytes, there will likely be issues (recieved 82, expected 43)

    NSE (11.531s): Finished smb-check-vulns against 10.65.94.57.

    Completed NSE at 13:26, 5.30s elapsed

    NSE: Script scanning completed.

    ...

    Host script results:

    | smb-check-vulns:

    | MS08-067: NOT RUN

    | Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT

    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

  25. Reply

    MemphisBytes

    @Glenn

    You should create a new profile (assuming you are using Zenmap), and copy the command listed at the top of the page (minus the target IP(s)) -
    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    in the "Command" box - name it whatever you will - it should fill in the appropriate boxes in Zenmap. Save it and then use it from the drop-down box (where "Intense Scan" lives).

  26. Reply

    Chris

    it seems to fail with:

    smb-check-vulns against 192.168.2.51 ended with error: ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    I am on NMAP 4.85beta5.

    1. Reply

      Ron Post author

      For all of you who are getting OpenSSL nil-pointer errors, you're definitely running a non-current version of Nmap -- that, or something else is failing.

      My guess is that two versions are installed beside each other, and you're running the older one. Could that possibly be happening?

      Sorry I can't help more!

      Ron

  27. Reply

    Jackson

    I'm getting a similar error to someone else, but I've compiled 4.85beta5 and even taken to updating from subversion to make sure I've got the most recent.

    smb-check-vulns against 172.24.107.125 ended with error: ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

  28. Reply

    Rob_G

    @MemphisBytes

    I'm seeing this quite a bit on machines that have guest accounts disabled. It looks as if the Status account is dead, it's not able to scan it properly.

  29. Reply

    Karl

    Ron,

    Thanks. Great script. All is good here -- back to regular work.

    As a suggestion, include host.ip in the output line that shows CLEAN or INFECTED, so running the output through 'grep Conficker' will show the status of each machine.

    1. Reply

      Ron Post author

      @Karl

      That's a great idea, I've been thinking about doing something like that -- it would be useful as a generic thing, though, not just my script. In fact, there may already be a way of doing it using the -o? options.

      I personally use this hack:
      nmap ... | egrep "(ports|Conficker)" | grep -B1 "Conficker"

      It works, but it isn't pretty.

  30. Reply

    Parker

    What would this indicate?
    Host script results:

    | smb-check-vulns:

    | MS08-067: NOT RUN

    | Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND

    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

    1. Reply

      Ron Post author

      @Parker

      That means either it isn't a Windows machine, or the service is either crashed or not running. That may indicate a failed (or successful) exploit attempt, or just a locked down system.

  31. Reply

    MemphisBytes

    #Rob_G - Thanks :)

  32. Reply

    Addam

    I've found another explanation for the OpenSSL nil pointer error. It seems that the RPMs available on nmap.org do not include the OpenSSL bindings. I rebuilt nmap4.85BETA5 from source and things ran just fine.

    1. Reply

      Ron Post author

      @Addam

      I talked to Fyodor, and he said that OpenSSL bindings are left out of the RPMs intentionally, because OpenSSL isn't necessarily going to be present. I'm going to add an updated check for a missing OpenSSL library which will let you do some checks.

  33. Reply

    Russ

    @Jeff, #36

    I'm getting the same thing,

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: SMB: Failed to receive bytes: TIMEOUT
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 2000 rttvar: 7750 to: 100000

    I have 2 packets sent and received, so what is this timeout business all about? BTW I'm a first time nmap user, be gentle if I'm doing something foolish.

    1. Reply

      Ron Post author

      @Russ:

      Hmm, I have the timeout set to 5 seconds, which generally works. Is it actually taking longer than 5 seconds for the server to respond?

      You can tweak it without a recompile by editing nselib/smb.lua -- look for "local TIMEOUT = 5000" and try changing it to 10000 or 20000. Does that help?

      Ron

  34. Reply

    Dietrich

    Ron,

    Thank you for your outstanding effort to get this update out.

    I've got this error from zenmap when I run it:

    NSE (0.298s): smb-check-vulns against 192.168.1.129 ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    Ideas?

    Best,
    Dietrich

    1. Reply

      Ron Post author

      See "Update 2" in the document for OpenSSL issues.

  35. Reply

    Jeff

    @Ron:

    That was it. I changed smb.lua to "local TIMEOUT = 20000" and got the output shown below (I could probably set the timeout to less, but this will do for now):

    Running 1 script threads:
    NSE (6.187s): Starting smb-check-vulns against 10.65.94.57.
    NSE: SMB: Extended login as \guest failed (NT_STATUS_LOGON_FAILURE)
    NSE: SMB: Extended login as \ succeeded
    NSE (11.515s): Finished smb-check-vulns against 10.65.94.57.
    Completed NSE at 14:30, 5.33s elapsed
    NSE: Script scanning completed.

    ...

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 0 rttvar: 3750 to: 100000

    Thank you!!

    1. Reply

      Ron Post author

      @Jeff: Awesome! Maybe I'll tweak the defaults.

  36. Reply

    Russ

    Thanks Ron, I can confirm Jeff's results too. Increased timeout to 20,000 and everything's rosy.

  37. Reply

    Chris

    @Ron

    Re. the OpenSSL nil-pointer errors

    Definitely on 4.85beta5, compiled from source from svn. There was definitely no other nmap existing on my system.

    I have removed again, and reinstalled this time from http://nmap.org/download.html. Same error.

    I have removed and reinstalled from svn, changing smb.lua to "local TIMEOUT = 20000", but no better.

    nmap -V gives 4.85BETA5

  38. Reply

    Oswald

    Hmmm. Scanned two machines. One gives the likely clean message, the other doesn't give results in a section as shown here:

    NSE: Initiating script scanning.
    NSE: Script scanning machine001 (192.168.1.2).
    NSE: Initialized 1 rules
    NSE: Matching rules.
    NSE: Running scripts.
    NSE: Script scanning completed.
    Host machine001 (192.168.1.2) appears to be up ... good.
    Scanned at 2009-03-30 16:58:04 Central Daylight Time for 0s
    Interesting ports on machine001 (192.168.1.2):
    PORT STATE SERVICE REASON
    445/tcp filtered microsoft-ds no-response

    And doesn't say anything about running smb-check-vulns against 192.168.1.2. While I'm fairly certain all patches have been applied and the virus signatures are up-to-date, am I just to assume at this point that the no response is a good response?

  39. Reply

    Brian

    I also get the error: ( ./nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value))

    This is running (Nmap 4.85BETA5) on CentOS v.5 with OpenSSL 0.9.8b

    Also, of note on CentOS, you may need to manually edit the file if_packet.h to show:
    #include

    make fails before modifying it, slightly annoying.

  40. Reply

    Brian

    update: this is compiling from source via SVN.

  41. Reply

    Brian

    update #2
    that include line should be:
    #include <linux/types.h>

  42. Reply

    Henrique

    Some of my subnet scans yield:
    evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0
    probably when poking on netapp machines.
    On other subnets it runs fine.
    Any fix for this?
    SSL run/devel @ 0.9.8g-12.fc10

  43. Reply

    Karl

    Ron,

    Consider adding the -PN switch to the nmap command. Several of our workstations have non-microsoft firewalls that do respond to pings but for some reason nmap wasn't scanning them. On a class C this doesn't add a lot of time, but could for larger networks.

  44. Reply

    Martin

    Every time I run the nmap scan, I get the following error under Host script results:

    Conficker: ERROR: Unexpected error: SMB: Failed to receive bytes: ERROR

    Thoughts?

  45. Reply

    Brian

    @Ron
    think I found another contributor to the openssl issue. If you've installed openssl via a package, you don't have the libs so grabbing the openssl-devel package and then recompiling should work.

  46. Reply

    Henrique

    Re my comment #61.
    openssl 0.9.8g crashes when probing netapp servers (and maybe others)
    downloaded, compiled, and linked nmap against 0.9.8.k and it seems to work

  47. Reply

    JK

    If I run it across the network using something like x.x.x.0-255 or x.x.x.0/24, it skips ~50% of the machines (including infected ones), i.e. it goes from 98 to 101 to 150. If I run it across a smaller subset, e.g. .90-110, it returns results for all IPs, including 100 and 105, which come up as likely infected.

  48. Reply

    Trevor

    Nice article. I had the openssl errors after installing from source. Removed that and install via svn and all is good in the world. (no conficker here!)

    Thanks for increasing my peace of mind.

  49. Reply

    Michael

    If the guest account is disabled and renamed will the script return
    "NT_STATUS_OBJECT_NAME_NOT_FOUND"?

  50. Reply

    Christian

    @Martin:

    I had "failed to receive bytes: ERROR" when I had a 3rd-party firewall on the Windows machine I was scanning from.

    1. Reply

      Ron Post author

      @Christian

      "failed to receive bytes: ERROR" -- the "ERROR" is what was returned from the recv() function -- it likely means that there was a network error. Is it reproducible? Normally I find that it goes away if I do the test again.
