Scanning for Conficker with Nmap

Using Nmap to scan for the famous Conficker worm.

<Update>
Nmap 4.85beta5 has all the scripts included; download it at http://nmap.org/download.html.

You'll still need to run a scan:

nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

</Update>

<Update 2>
If you're having an OpenSSL problem, read this!

OpenSSL isn't included by default in the Nmap RPMs, and I wasn't properly checking for that in my scripts. Fyodor will have a beta5 RPM up tonight, which will fix that issue.

Until then, you have two options:
1. Use a source RPM
2. Compile straight from source, from the svn
</Update 2>

<Update 3>
If you're still having OpenSSL issues, try installing openssl-dev package, and install Nmap from source. Or, download the latest rpm (beta5) or svn version -- they have fixed the issue altogether (OpenSSL is no longer required!)

Further, if you're having an issue with error messages, this great post by Trevor2 might help:

NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser service is disabled. There are at least two ways that can happen:
1) The service itself is disabled in the services list.
2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList is set to Off/False/No rather than Auto or yes.
On these systems, if you reenable the browser service, then the test will complete.

There are probably many other reasons why NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned (e.g. not a windows OS, possibly infected) but I have not confirmed these.

Furthermore, this error will occur against Windows NT.
</Update 3>

Hot on the coattails of the Simple Conficker Scanner, I've added detection for Conficker to Nmap. Currently, there are two ways of doing this -- you can check out the SVN version of Nmap and compile from source, or you can update the three necessary files.

Update from SVN

If you're on a Unix-like system, this is probably the easiest way. You can install it either system-wide or in a folder. Here is the system-wide command:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ sudo make install
$ nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

If you prefer to run it from a local folder, use the following commands:

$ svn co --username=guest --password='' svn://svn.insecure.org/nmap
$ cd nmap
$ ./configure && make
$ export NMAPDIR=.
$ ./nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

Update just the files

If you're on Windows, or don't want to compile from source, you can install the three datafiles.

First, make sure you're running Nmap 4.85beta4. That's the latest beta version. Then, download this file:

And place it in the "scripts" folder (see below).

Then, download these files:

  • http://www.skullsecurity.org/blogdata/msrpc.lua
  • http://www.skullsecurity.org/blogdata/smb.lua

And place them in the "nselib" folder (see below).

Where are the folders?

On Linux, try /usr/share/nmap/ or /usr/local/share/nmap or even /opt/share/nmap.

On Windows, try c:\program files\nmap

If all else fails, the scripts folder will contain a bunch of .nse files and the nselib folder will contain a bunch of lua files. Try searching your drive for smb-check-vulns.nse and msrpc.lua, and replace those.

Conclusion

Hopefully that helps! If you have any problems or questions, don't hesitate to contact me! My name is Ron, and my email domain is @skullsecurity.net.

Ron
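The verdict strings the script prints (Likely INFECTED, ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND, NOT RUN, and so on, as readers quote them in the comments below) are easier to act on once grouped per host. The Python helper below is an added example, not code from this post or from Nmap: it parses a constructed sample of `nmap -v -d -p445 --script=smb-check-vulns` output embedded in it, groups hosts by Conficker verdict, and attaches the explanation the post and its comments give for each string.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -v -d -p445 --script=smb-check-vulns` output,
# shaped like the snippets readers quoted below. Not a real capture.
SAMPLE_OUTPUT = """\
Host 10.0.0.42 is up (0.00042s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Host 10.0.0.43 is up (0.00051s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Host 10.0.0.44 is up (0.00030s latency).
445/tcp closed microsoft-ds reset
"""

# Meaning of the common result strings, as given in the post and comments.
HINTS = {
    "Likely INFECTED": "same check as scs; 'a pretty good chance', confirm locally",
    "NT_STATUS_WERR_UNKNOWN_57": "error 57 is itself the infection indicator",
    "NT_STATUS_OBJECT_NAME_NOT_FOUND": "browser service disabled, Samba, or NT 4",
    "Ran off the end of SMB packet": "usually a non-Windows SMB server or NT 4",
    "NOT RUN": "check disabled by --script-args=safe=1",
}

HOST_RE = re.compile(r"^Host (\S+) is up")
RESULT_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker|regsvc DoS): (.*)$")

def parse_scan(text):
    """Map each host to its 445 state and its smb-check-vulns result strings."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {})
        elif cur is None:
            continue                       # preamble before the first host
        elif line.startswith("445/tcp"):
            cur["port"] = line.split(None, 1)[1]   # e.g. "closed microsoft-ds reset"
        elif RESULT_RE.match(line):
            key, value = RESULT_RE.match(line).groups()
            cur[key] = value.strip()
    return hosts

def triage(hosts):
    """Group hosts by Conficker verdict; hosts with no script output get 'no result'."""
    groups = defaultdict(list)
    for host, result in sorted(hosts.items()):
        groups[result.get("Conficker", "no result")].append(host)
    return dict(groups)

def explain(verdict):
    """Return the post's explanation for a verdict string, or flag it as unknown."""
    for key, hint in HINTS.items():
        if key in verdict:
            return hint
    return "unrecognised; rerun with -d and read the NSE lines"

if __name__ == "__main__":
    for verdict, members in triage(parse_scan(SAMPLE_OUTPUT)).items():
        print("%-45s %s\n    %s" % (verdict, ", ".join(members), explain(verdict)))
```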

138 thoughts on “Scanning for Conficker with Nmap”

  1. martin

    NSE (0.152s): smb-check-vulns against 10.0.0.42 ended with error: /usr/local/share/nmap/nselib/smbauth.lua:647: attempt to index global 'openssl' (a nil value)

    I tried to increase the timeout value, but it didn't help.

    nmap -V:
    Nmap version 4.85BETA5 ( http://nmap.org )
    I don't have any other nmap versions installed.

  2. Chris

    Re: #38 #56 (openssl issue)

    I tried installing libssl-dev and recompiling from svn. Still failed.

    Finally I removed my nmap source directory, re-downloaded from svn and this time it worked.

    Thanks for your work on nmap.

  3. jws

    I was also seeing the openssl error using nmap-4.85BETA5 from source on a newish Ubuntu installation. Installing openssl, libssl0.9.8, and libssl-dev via apt-get and then reconfiguring/recompiling nmap took care of it. Hope this helps.

  4. Paul

    Having run nmap for conficker, I also get:

    Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND

    on all of my windows xp desktops.

    I've yet to find a definitive answer to what this means; some people think it's a possible infection?

    Anyone know if there is a reason why my desktops are not scanning correctly?

  5. Patrick

    Why do I have this error?

    NSE (1.500s): smb-check-vulns against 10.49.132.11 ended with error: C:\Program Files\Nmap\scripts\smb-check-vulns.nse:184: attempt to call field

  6. Patrick

    hey, me again,

    it works now, something was wrong in the files

  7. Trevor2

    @Michael:
    @Paul:

    NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser service is disabled. There are at least two ways that can happen:
    1) The service itself is disabled in the services list.
    2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList is set to Off/False/No rather than Auto or yes.
    On these systems, if you reenable the browser service, then the test will complete.

    There are probably many other reasons why NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned (e.g. not a windows OS, possibly infected) but I have not confirmed these.

  8. MadEye

    @jws
    Xubuntu 8.10
    openssl 0.9.8g-10.1ubuntu2.2
    libssl-dev 0.9.8g-10.1ubuntu2.2
    libssl0.9.8g-10.1ubuntu2.2
    nmap-4.85BETA5
    Compiled from source again, and again, but still getting the openssl-error.
    :-(

    Interestingly on another machine with Ubuntu Server 8.0.4.1 LTS it works.

    What am I doing wrong?

  9. andy woods

    hi guys - your help would be much appreciated...

    have nmap installed on a windows pc - ran this script against a known infected pc - and get the following output...

    not what I was expecting - any ideas?

    Host script results:

    | smb-check-vulns:

    | MS08-067: NOT RUN

    | Connficker: ERROR: Unexpected error: NT_STATUS_WERR_UNKNOWN_57 (srvsvc.netpathcanonicalize)

    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

    1. Ron (post author)

      @andy woods

      Is that reproducible? "Error 57" (the one you're getting) is an indication of infection, and it's what I'm checking for. It's weird that you get that..

  10. Stephane

    Hi, thanks a lot for your work.

    I receive an SMB error on all machines I scan using BETA5:

    Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: ERROR: MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
    Final times for host: srtt: 43508 rttvar: 43508 to: 217540

    This SMB error has not been mentioned so far. Any idea?

    Thanks

    1. Ron (post author)

      @Stephane

      I used to get that error a lot when checking non-Windows machines, but I thought I had it cleaned up for the most part. If you can get me a packet dump of the traffic, I'd be grateful!

  11. William

    Stephane,

    Is it possible that these are Windows NT machines?

    I got this message too but, for the most part, it was only on NT 4 servers (yes, I still have a few kicking around!).

  12. Clutch

    I've got a set of IPs that are coming back with this error:
    445/tcp closed microsoft-ds reset and I don't get any further info. on these hosts.
    Other hosts scan with the expected results for both MS08-067 and Conficker.
    Any idea on why some hosts in a range are getting the 445/tcp closed microsoft-ds reset error?

    1. Ron (post author)

      @Clutch

      The message means that the box isn't listening on that port. It may have the services disabled, or it may be blocked in some way.

  13. Clutch

    Yeah, that makes sense.

    What doesn't though is why those hosts aren't listening to that port.

    Those PCs have no local FW, WinXP OS and they are set up exactly the same as other PCs on our network.

    Weird.

    1. Ron (post author)

      Yeah, that's definitely strange. Out of curiosity, try a full nmap portscan, see if 139 or other windows ports are open. We have some locked down boxes at work where 445 is closed and 139 is open (but communication to 139 is refused).

  14. William

    I'm seeing that with (only) a few of my PCs too. No explanation, at this point.

  15. Stephane

    @Ron

    I just sent you an email with captures. As I say in it, the same target works with windows NMap but gives an MSRPC error when run from a Solaris NMap. The target is running XP.

    Thanks!

  16. Fake Rake

    @Ron

    Many thanks for this script. I have a new error that nobody else has mentioned yet, any idea what would cause this:

    Host script results:
    | smb-check-vulns:
    | MS08-067: ERROR: NT_STATUS_NOT_SUPPORTED
    | MS08-067: FIXED
    | Conficker: ERROR: NT_STATUS_NOT_SUPPORTED
    |_ regsvc DoS: ERROR: NT_STATUS_NOT_SUPPORTED

  17. Rich W

    I'm getting lots of what appear to be false positives with nmap 4.85BETA5.

    $ ./nmap -v -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 ip.add.re.ss | grep Conf
    | Conficker: Likely INFECTED

    This system is fully patched (MS08-067) and tools like 'cfremover.exe' from http://www.anti-spyware-101.com/remove-conficker say my system is clean when I run it locally. My Trend AV patterns are also fully up-to-date.

    This has happened for several other systems here, all patched WinXP boxes.

    Anyone else seeing this?

    1. Ron (post author)

      Can you try running the Simple Conficker Scanner (scs.zip or scs.py) against the host and see if it gets a false positive too?

      The method I'm using for checking is identical to scs, so if it doesn't see the false positive then I have a bug.

      Thanks!

  18. andy woods

    Hi Ron

    Thanks for the info - does this mean that the machine is infected for sure?... as it is a machine we suspect to be infected.

    1. Ron (post author)

      Nothing is for sure.. but if you scan it with the current version of my script (as of about 2 minutes ago, or before about 30 minutes ago), and it comes back as INFECTED, then there's a pretty good chance.

  19. Rich W

    @Ron

    Thanks for the quick followup. scs says I'm good:

    $ ./scs.py 129.100.6.29 129.100.6.31

    a.b.6.29 seems to be clean.
    a.b.6.31 seems to be clean.

    1. Ron (post author)

      Oh, crap, good find. I changed a constant in my code and forgot to change it elsewhere. Fixed in SVN revision 12794.

      Sorry about that!

  20. Clutch

    @Ron

    I re-ran the scan and this issue went away. Weird.

  21. Frank

    As for the openssl problem: using a/the src.rpm will not solve the problem as it configures nmap '--without-openssl'.

    So:
    1) install (not build) the source package
    2) edit the spec file
    2a) search for without-openssl
    2b) change to with-openssl
    3) create binary package
    4) install binary package.

    Did the trick for me - hope this helps.

    Frank

  22. Steve

    Is it me or is there an issue with the download? I am getting Forbidden on the Windows exe download.

  23. Leo

    Anyone having trouble downloading from insecure.org?

    I've tried from two separate places and I keep getting denied.

  24. JeSTeR

    No matter how I attempt to run it, I never get an output mentioning whether a machine is clean or infected. All I get is the standard report that 445 is open.

    Using 4.85beta5 installed from source on Ubuntu 8.04.2

  25. JeSTeR

    OK, the script not running could very well have to do with running the command as root.

    Though when I do that, I do still get the "attempt to indexl global 'ssl'" error message.

  26. Chris

    Thanks Ron!!! This is great. I gotta link to it.

  27. Justin

    @Ron

    I also changed smb.lua to "local TIMEOUT = 20000" and finally got results on machines that were getting timeouts. Thanks!

  28. Adam

    I'm still seeing the error:

    evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0

    I get this after compiling from tarball (after fixing the --with-openssl) and via the subversion repository. I don't have other nmap's installed, and the openssl-devel package is installed.

    I'm seeing this on both Fedora Core 10 and RHEL 5.3 - which are using openssl 0.9.8g-12 and openssl-0.9.8e-7 respectively.

  29. Steve

    I'm seeing a lot of "445/tcp filtered microsoft-ds" responses.

    Do the nmap scans need to be run on a local subnet to be accurate?

  30. Karl

    Hi, has anyone seen this error?
    Conficker: ERROR: NT_STATUS_NOT_SUPPORTED

  31. chris

    The nmap command line above does not ping to find live hosts, so all hosts are assumed live. The filtered responses you see are because there is most likely nothing at that IP address.

  32. Fake Rake

    @Karl

    I get that response from almost every machine I try to scan, I haven't figured out what's going on yet. The python scanner isn't able to scan them either.

  33. rob

    any way to scan an IP range?
    maybe I am missing the obvious...

  34. Romain

    Even with "local TIMEOUT=20000" I still get:
    Conficker ERROR: SMB: Failed to receive bytes: TIMEOUT

    Am I missing something?

  35. puggan

    can you add: "Host script results:
    |_ smb-os-discovery: Unix" to the test?

    1. Ron (post author)

      @puggan

      Yup! Change --script to "--script=smb-check-vulns,smb-os-discovery"

      Ron

  36. MadEye

    Just wanted to let you know, that now with nmap 4.85BETA6 I don't get the openssl error on xubuntu 8.1 any longer.

    Ah yes, and thanks for the great work! I really appreciate it.
    Keep on rocking!
    :-D

  37. Oswald

    @chris

    I get the "445/tcp filtered microsoft-ds no-response" on an IP that's definitely in existence.

    1. Ron (post author)

      @Oswald

      The Windows firewall (or another host-based firewall) is probably enabled.

      Ron

  38. xaos

    I can confirm that NT_STATUS_OBJECT_NAME_NOT_FOUND is returned on all Linux machines on my network running Samba.

  39. Bob

    I ran nmap against all my 2003 servers. They all come back clean except the 2 ips assigned to a customers Windows Server 2008 X64 Enterprise box. It returns:

    NT_STATUS_OBJECT_NAME_NOT_FOUND

    All the updates are done and everything seems OK. The box does have shared folders if that matters. Do I need to worry about this? Is there a way I can make nmap scan this box successfully?

    Thanks

    Bob

    1. Ron (post author)

      @Bob

      No, I wouldn't worry.

  40. Stephane

    @Ron: Thanks a lot! All your latest patches work perfectly.

    @All: I hacked a quick linux script that filters most of the useless information to emphasize what's important. Use it like conficker_scan.sh 192.168.0.0/16 or whatever fits your net.

    #!/bin/bash

    # conficker_scan.sh
    # Wrapper for NMap based conficker scan
    # Written 2009-04-01 Stephane Rosa

    if [[ -z "$1" || "x$1" == "x-h" ]]; then
        echo "Usage: conficker_scan.sh nmap_style_targets"
        exit 1
    fi

    # -PN: skip host discovery; -d: debug output so script results are printed per host
    nmap -PN -d -p 445 --script="smb-check-vulns,smb-os-discovery" $1 | gawk '
        # Remember the current host; only show it once 445 is reported open
        /^Host.*is up/   {show=0; curhost=$0}
        /^445\/tcp open/ {show=1; print curhost; print $0}

        # For shown hosts, print only the OS, name and vulnerability result lines
        /(smb-os-discovery|Name|MS08-067|Conficker):/ {
            if (show) { print $0 }
        }'

  41. Chris

    Conficker: ERROR: NT_STATUS_NOT_SUPPORTED

    I'm also getting the above error...seems tied to the lines:

    NSE: SMB: Extended login as \guest failed
    NSE: SMB: Extended login as \ failed

    I'm using a domain administrator account on Windows to run the script, though I get similar results from a Linux nmap scan. Must have a group policy the scanner doesn't like...

  42. Rob

    Has anyone put this into Zenmap? I can't seem to get it to work right. I created a new profile and added this syntax as the command...

    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d

    ...but the "Target" section contains the same info and when I add the subnet or IP address on the end I don't see the Conficker text in the output. Any suggestions?

  43. Yevette

    Has anyone answered Brian's question about the MS08-067 NOT RUN? I couldn't find the answer if they did.

    Is that supposed to mean the patch was not applied? It is being returned on systems that I know have been patched.

    1. Ron (post author)

      @Yevette

      "NOT RUN" means the check wasn't run -- it's disabled because it's considered an unsafe check. Remove the "safe=1" part to enable the check.

      I committed a change to Nmap that'll make the message more clear. I hadn't realized it would cause confusion, but it did. :)

  44. Yevette

    @Rob

    It's working for me, put the
    -p 445 -d before the script. (Also remember the dash before the p.)

    Like this:
    nmap -p 445 -d --script smb-check-vulns --script-args safe=1 192.168.10.0/24

  45. Steve Horejsi

    I'm having problems with Nmap going into a hard loop when scanning certain groups of hosts for Conficker. I set --script-trace and captured the output (huge!). The problem seems to be the following:

    ...
    NSE (3.975s): smb-check-vulns against a.b.50.35 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.36 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.37 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.38 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.39 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.42 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.43 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.40 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    NSE (3.975s): smb-check-vulns against a.b.50.41 ended with error: /usr/local/share/nmap/nselib/smb.lua:1058: attempt to perform arithmetic on field 'time' (a nil value)
    ...

    Am I chasing a phantom or is this a problem?

    -=[ Steve ]=-

  46. Frymaster

    I'm also getting the NT_STATUS_OBJECT_NAME_NOT_FOUND error on certain machines, and I can confirm that I only get it on machines where the browser service isn't running. But if I manually start the browser service, it stops straight away again. Registry settings for the service are identical on both machines (set to Auto).

  47. Frymaster

    cracked it :D
    If you have windows firewall on, the browser service will only run if you have the File and Print sharing exception set.

    In my corporate environment, those exceptions are mandated open by policy, but set as individual ports and not via the single-click service (and then blocked at the internet firewall).

    "netsh firewall set service type = fileandprint mode = enable scope = subnet" is a good command to run to open these ports for subnet access only, so you can run the scan (or use scope = all)

  48. FF

    With tcpdump I see this:

    14:35:39.158298 IP ... > f.root-servers.net.domain: 21923 A? bhcuwhkh.com. (30)
    14:35:49.156369 IP ... > c.root-servers.net.domain: 21925 A? bhcuwhkh.com. (30)
    14:35:59.160827 IP ... > d.root-servers.net.domain: 21927 A? bhcuwhkh.com. (30)

    but the test of IP with "Nmap 4.85BETA7" is

    ...
    Host script results:
    | smb-check-vulns:
    | MS08-067: FIXED
    | Conficker: Likely CLEAN
    ...

    What's wrong?

    1. Ron (post author)

      @FF

      Very good question, I'll have to look into this. Is there any way you can get me a packet capture of the traffic when you do a scan?

      And also, are you using the latest build (beta7)? We fixed what we think are some false negatives in that version, based on some work by the Honeynet group and Tenable.

      Thanks!

  49. Steve Horejsi

    Nothing quite like answering your own reply =:o)

    There is code in the smb.lua script that looks like this:

    -- Some broken implementations of SMB don't send these variables
    if(smb['time'] == nil) then
        time = 0
    end
    if(smb['timezone'] == nil) then
        timezone = 0
    end
    if(smb['key_length'] == nil) then
        key_length = 0
    end

    This was put in place (apparently) to deal with non-conformant SMB implementations. I changed this code in my copy to read:

    -- Some broken implementations of SMB don't send these variables
    if(smb['time'] == nil) then
        smb['time'] = 0
    end
    if(smb['timezone'] == nil) then
        smb['timezone'] = 0
    end
    if(smb['key_length'] == nil) then
        smb['key_length'] = 0
    end

    I can now scan subnets with 'troublesome' SMB servers without Nmap going into a loop. I think this is what the author intended.

    Who needs to know about this?

    -=[ Steve ]=-

  50. Jose

    I wrote a small script that parses the nmap output and uses nbtscan to retrieve the netbios name and outputs vulnerable / infected machine in comma delimited format. It works well for us, hope it helps!

    Download:
    http://jdltech.com/conficker/

    1. Ron (post author)

      @Jose

      Cool stuff!

      You might want to look at smb-os-discovery -- it also prints the name, and is more likely to work than nbtscan.

      Ron
