Wednesday, April 1, 2009

Using Nmap to Scan Your Entire Network for Conficker


Now that a signature the Conficker worm leaves on infected machines
has been discovered, you can scan a machine and ask it whether it is infected with the Conficker worm.
The beta 5 version of Nmap provides this ability.

Follow these quick steps to scan entire networks and give them a clean
bill of health from the Conficker worm.
To download and install Nmap beta 5, do the following:

wget http://download.insecure.org/nmap-dist/nmap-4.85BETA5.tar.bz2
bzip2 -cd nmap-4.85BETA5.tar.bz2 | tar xvf -
cd nmap-4.85BETA5

./configure

make
su root
make install


To scan for Conficker, type the following:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target network]

e.g.:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.0/24

The scan will take a while, depending on the size of your network.
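
Added example (not part of the original post): a shell helper that reduces saved scan output to one line per host, so infected hosts and hosts that gave no answer stand out on a large network. It assumes the script reports a line of the form "Conficker: Likely CLEAN" or "Conficker: Likely INFECTED" and that the output was saved with Nmap's -oN option; the function names and the sample output are constructed for illustration.

```shell
# Added example: per-host Conficker verdicts from Nmap normal (-oN) output.
# Assumption: smb-check-vulns prints a line of the form "Conficker: <verdict>".
conficker_summary() {
    awk '
        function add(h) {
            host = h
            if (!(h in verdict)) { order[++n] = h; verdict[h] = "NO RESULT" }
        }
        # Host header line (older and newer Nmap wording).
        /^(Interesting ports on|Nmap scan report for) / {
            h = $NF; sub(/:$/, "", h); gsub(/[()]/, "", h); add(h); next
        }
        # Hosts whose scanned ports all share one state get no port table.
        /^All [0-9]+ scanned ports on / { add($6); next }
        /Conficker:/ && host != "" {
            v = $0
            sub(/^.*Conficker:[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            verdict[host] = v
        }
        END { for (i = 1; i <= n; i++) print order[i] "\t" verdict[order[i]] }
    '
}

# Hosts that cannot be given a clean bill of health (infected, error, no answer).
not_clean() {
    awk -F "\t" '$2 != "Likely CLEAN"'
}

# Constructed sample output, not taken from a real scan.
sample_scan_output() {
    cat <<'EOF'
Interesting ports on 192.168.1.10:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|_ Conficker: Likely CLEAN

Interesting ports on 192.168.1.23:
Host script results:
|  smb-check-vulns:
|_ Conficker: Likely INFECTED

All 2 scanned ports on 192.168.1.40 are filtered
EOF
}

# Real use: add "-oN scan.txt" to the scan, then: conficker_summary < scan.txt | not_clean
sample_scan_output | conficker_summary | not_clean
```

A host listed as NO RESULT was never actually checked (for example, ports 139 and 445 were filtered), so it should not be counted as clean.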