Fwd: Nmap 4.85BETA6 now avail w/Conficker detection
14 views
Skip to first unread message
Feris Thia
Apr 1, 2009, 3:29:39 AM4/1/09
to Feris Thia
Hope this information is helpful ...
--
Thanks & Best Regards,
Feris Thia
Business Intelligence Consultant
PT. Putera Handal Indotama
Phone : +6221-30119353
Fax : +6221-5513483
Mobile : +628176-474-525
http://www.phi-integration.com
http://pentaho.phi-integration.com
---------- Forwarded message ----------
From: Fyodor <fyo...@insecure.org>
Date: Wed, Apr 1, 2009 at 7:04 AM
Subject: Nmap 4.85BETA6 now avail w/Conficker detection
To: nmap-h...@insecure.org
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet is scheduled for a new
update cycle starting tomorrow. Will this cause Internet doom? No,
but the bad guys might fix the mechanism that lets us remotely detect
'em. Or they might engage in other mischief with their botnet.
That's why we did the emergency releases--so you can scan for and
remove them early! During the process, I had to infect one of my
systems with Conficker for testing, and Nmap even got booted from
Dreamhost's "unlimited bandwidth" hosting because the downloads were
taking too much bandwidth. They said:
"Sadly your file nmap-4.85BETA5-setup.exe, and a few similar, were
getting so many downloads on your machine, iceman, that it
saturated out the 100mbit connection on it, and cause everyone
else's sites to go down."
Dreamhost blocked further downloads, but we quickly switched to using
our colocation provider and also got some mirroring help from Brandon
Enright at UCSD! So UCSD is hosting 4.85BETA6. Of course I'd like to
thank Ron Bowes who wrote the detection code (it is an update to his
existing smb-check-vulns SMB script). David Fifield was a huge help
too.
An example Conficker scan command is:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnets]
A clean machine should report at the bottom: "Conficker: Likely
Clean", while likely infected machines report "Conflicker: Likely
INFECTED". For more details and updates, see our announcement here:
http://insecure.org/
And of course to download Nmap 4.85BETA6, see:
http://nmap.org/download.html
Of course we have some other nice improvements besides Conficker
detection. Here are the changes since BETA4:
Nmap 4.85BETA6 [2009-03-31]
o Fixed some bugs with the Conficker detection script
(smb-check-vulns) [Ron]:
o SMB response timeout raised to 20s from 5s to compensate for
slow/overloaded systems and networks.
o MSRPC now only signs messages if OpenSSL is available (avoids an
error).
o Better error checking for MS08-067 patch
o Fixed forgotten endian-modifier (caused problems on big-endian
systems such as Solaris on SPARC).
o Host status messages (up/down) are now uniform between ping scanning
and port scanning and include more information. They used to vary
slightly, but now all look like
Host is up (Xs latency).
Host is down.
The new latency information is Nmap's estimate of the round trip
time. In addition, the reason for a host being up is now printed for
port scans just as for ping scans, with the --reason option. [David]
o Version detection now has a generic match line for SSLv3 servers,
which matches more servers than the already-existing set of specific
match lines. The match line found 13% more SSL servers in a test.
Note that Nmap will not be able to do SSL scan-through against a
small fraction of these servers, those that are SSLv3-only or
TLSv1-only, because that ability is not yet built into Nsock. There
is also a new version detection probe that works against SSLv2-only
servers. These have shown themselves to be very rare, so that probe
is not sent by default. Kristof Boeynaems provided the patch and did
the testing.
o [Zenmap] A typo that led to a crash if the ndiff subprocess
terminated with an error was fixed. [David] The message was
File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
UnboundLocalError: local variable 'error_test' referenced before assignment
o [Zenmap] A crash was fixed:
File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
KeyError: "Syst\xc3\xa8me d'Exploitation"
The text could be different, because the error was caused by
translating a string that was also being used as an index into an
internal data structure. The string will be untranslated until that
part of the code can be rewritten. [David]
o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
or target: search over hosts that had a MAC address. [David]
The crash output was
File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
File "zenmapCore\SearchResult.pyo", line 183, in match_target
TypeError: argument of type 'NoneType' is not iterable
o Fixed a bug which prevented all comma-separated --script arguments
from being shown in Nmap normal and XML output files where they show
the original Nmap command. [David]
o Fixed ping scanner's runtime statistics system so that instead of
saying "0 undergoing Ping Scan" it gives the actual number of hosts in
the group (e.g. 4096). [David]
o [Zenmap] A crash was fixed in displaying the "Error creating the
per-user configuration directory" dialog:
File "zenmap", line 104, in
File "zenmapGUI\App.pyo", line 129, in run
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
invalid data
The crash would only happen to users with paths containing
multibyte characters in a non-UTF-8 locale, who also had some error
preventing the creation of the directory. [David]
Nmap 4.85BETA5 [2009-03-30]
o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
o Ndiff now includes service (version detection) and OS detection
differences. [David]
o [Ncat] The --exec and --sh-exec options now work in UDP mode like
they do in TCP mode: the server handles multiple concurrent clients
and doesn't have to be restarted after each one. Marius Sturm
provided the patch.
o [Ncat] The -v option (used alone) no longer floods the screen with
debugging messages. With just -v, we now only print the most
important status messages such as "Connected to ...", a startup
banner, and error messages. At -vv, minor debugging messages are
enabled, such as what command is being executed by --sh-exec. With
-vvv you get detailed debugging messages. [David]
o [Ncat] Chat mode now lets other participants know when someone
connects or disconnects, and it also broadcasts a current list of
participants at such times. [David]
o [Ncat] Fixed a socket handling bug which could occur when you
redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
user to connect would end up with file descriptor 0 (which is
normally stdin) and thus confuse Ncat. [David]
o [Zenmap] The "Scan Output" expanders in the diff window now behave
more naturally. Some strange behavior on Windows was noted by Jah.
[David]
o The following OS detection tests are no longer included in OS
fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
and SI were found not be helpful in distinguishing operating systems
because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
but now they are not included in prints at all. [David]
o The compile-time Nmap ASCII dragon is now more ferocious thanks to
better teeth alignment. [David]
o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
test that could cause a closed-port IP ID to be written into the
array for the SEQ.TI test and cause erroneous results. The bug was
found and fixed by Guillaume Prigent.
o Nbase has grown routines for calculating Adler32 and CRC32C
checksums. This is needed for future SCTP support. [Daniel
Roethlisberger]
o [Zenmap] Zenmap no longer shows an error message when running Nmap
with options that cause a zero-length XML file to be produced (like
--iflist). [David]
o Fixed an off-by-one error in printableSize() which could cause Nmap
to crash while reporting NSE results. Also, NmapOutputTable's memory
allocation strategy was improved to conserve memory. [Brandon,
Patrick]
o [Zenmap] We now give the --force option to setup.py for installation
to ensure that it replaces all files. [David]
o Nmap's --packet-trace, --version-trace, and --script-trace now use
an Nsock trace level of 2 rather than 5. This removes some
superfluous lines which can flood the screen. [David]
o [Zenmap] Fixed a crash which could occur when loading the help URL
if the path contains multibyte characters. [David]
o [Ncat] The version number is now matched to the Nmap release it came
with rather than always being 0.2. [David]
o Fixed a strtok issue between load_exclude and
TargetGroup::parse_expr that caused only the first exclude on
a line to be loaded as well as an invalid read into free()'d
memory in load_exclude(). [Brandon, David]
o NSE's garbage collection system (for cleaning up sockets from
completed threads, etc.) has been improved. [Patrick]
Enjoy the new release and disenfect those systems!
-Fyodor
_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org
From: Fyodor <fyo...@insecure.org>
Date: Wed, Apr 1, 2009 at 7:04 AM
Subject: Nmap 4.85BETA6 now avail w/Conficker detection
To: nmap-h...@insecure.org
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet is scheduled for a new
update cycle starting tomorrow. Will this cause Internet doom? No,
but the bad guys might fix the mechanism that lets us remotely detect
'em. Or they might engage in other mischief with their botnet.
That's why we did the emergency releases--so you can scan for and
remove them early! During the process, I had to infect one of my
systems with Conficker for testing, and Nmap even got booted from
Dreamhost's "unlimited bandwidth" hosting because the downloads were
taking too much bandwidth. They said:
"Sadly your file nmap-4.85BETA5-setup.exe, and a few similar, were
getting so many downloads on your machine, iceman, that it
saturated out the 100mbit connection on it, and cause everyone
else's sites to go down."
Dreamhost blocked further downloads, but we quickly switched to using
our colocation provider and also got some mirroring help from Brandon
Enright at UCSD! So UCSD is hosting 4.85BETA6. Of course I'd like to
thank Ron Bowes who wrote the detection code (it is an update to his
existing smb-check-vulns SMB script). David Fifield was a huge help
too.
An example Conficker scan command is:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnets]
A clean machine should report at the bottom: "Conficker: Likely
Clean", while likely infected machines report "Conflicker: Likely
INFECTED". For more details and updates, see our announcement here:
http://insecure.org/
And of course to download Nmap 4.85BETA6, see:
http://nmap.org/download.html
Of course we have some other nice improvements besides Conficker
detection. Here are the changes since BETA4:
Nmap 4.85BETA6 [2009-03-31]
o Fixed some bugs with the Conficker detection script
(smb-check-vulns) [Ron]:
o SMB response timeout raised to 20s from 5s to compensate for
slow/overloaded systems and networks.
o MSRPC now only signs messages if OpenSSL is available (avoids an
error).
o Better error checking for MS08-067 patch
o Fixed forgotten endian-modifier (caused problems on big-endian
systems such as Solaris on SPARC).
o Host status messages (up/down) are now uniform between ping scanning
and port scanning and include more information. They used to vary
slightly, but now all look like
Host is up (Xs latency).
Host is down.
The new latency information is Nmap's estimate of the round trip
time. In addition, the reason for a host being up is now printed for
port scans just as for ping scans, with the --reason option. [David]
o Version detection now has a generic match line for SSLv3 servers,
which matches more servers than the already-existing set of specific
match lines. The match line found 13% more SSL servers in a test.
Note that Nmap will not be able to do SSL scan-through against a
small fraction of these servers, those that are SSLv3-only or
TLSv1-only, because that ability is not yet built into Nsock. There
is also a new version detection probe that works against SSLv2-only
servers. These have shown themselves to be very rare, so that probe
is not sent by default. Kristof Boeynaems provided the patch and did
the testing.
o [Zenmap] A typo that led to a crash if the ndiff subprocess
terminated with an error was fixed. [David] The message was
File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
UnboundLocalError: local variable 'error_test' referenced before assignment
o [Zenmap] A crash was fixed:
File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
KeyError: "Syst\xc3\xa8me d'Exploitation"
The text could be different, because the error was caused by
translating a string that was also being used as an index into an
internal data structure. The string will be untranslated until that
part of the code can be rewritten. [David]
o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
or target: search over hosts that had a MAC address. [David]
The crash output was
File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
File "zenmapCore\SearchResult.pyo", line 183, in match_target
TypeError: argument of type 'NoneType' is not iterable
o Fixed a bug which prevented all comma-separated --script arguments
from being shown in Nmap normal and XML output files where they show
the original Nmap command. [David]
o Fixed ping scanner's runtime statistics system so that instead of
saying "0 undergoing Ping Scan" it gives the actual number of hosts in
the group (e.g. 4096). [David]
o [Zenmap] A crash was fixed in displaying the "Error creating the
per-user configuration directory" dialog:
File "zenmap", line 104, in
File "zenmapGUI\App.pyo", line 129, in run
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
invalid data
The crash would only happen to users with paths containing
multibyte characters in a non-UTF-8 locale, who also had some error
preventing the creation of the directory. [David]
Nmap 4.85BETA5 [2009-03-30]
o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
o Ndiff now includes service (version detection) and OS detection
differences. [David]
o [Ncat] The --exec and --sh-exec options now work in UDP mode like
they do in TCP mode: the server handles multiple concurrent clients
and doesn't have to be restarted after each one. Marius Sturm
provided the patch.
o [Ncat] The -v option (used alone) no longer floods the screen with
debugging messages. With just -v, we now only print the most
important status messages such as "Connected to ...", a startup
banner, and error messages. At -vv, minor debugging messages are
enabled, such as what command is being executed by --sh-exec. With
-vvv you get detailed debugging messages. [David]
o [Ncat] Chat mode now lets other participants know when someone
connects or disconnects, and it also broadcasts a current list of
participants at such times. [David]
o [Ncat] Fixed a socket handling bug which could occur when you
redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
user to connect would end up with file descriptor 0 (which is
normally stdin) and thus confuse Ncat. [David]
o [Zenmap] The "Scan Output" expanders in the diff window now behave
more naturally. Some strange behavior on Windows was noted by Jah.
[David]
o The following OS detection tests are no longer included in OS
fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
and SI were found not be helpful in distinguishing operating systems
because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
but now they are not included in prints at all. [David]
o The compile-time Nmap ASCII dragon is now more ferocious thanks to
better teeth alignment. [David]
o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
test that could cause a closed-port IP ID to be written into the
array for the SEQ.TI test and cause erroneous results. The bug was
found and fixed by Guillaume Prigent.
o Nbase has grown routines for calculating Adler32 and CRC32C
checksums. This is needed for future SCTP support. [Daniel
Roethlisberger]
o [Zenmap] Zenmap no longer shows an error message when running Nmap
with options that cause a zero-length XML file to be produced (like
--iflist). [David]
o Fixed an off-by-one error in printableSize() which could cause Nmap
to crash while reporting NSE results. Also, NmapOutputTable's memory
allocation strategy was improved to conserve memory. [Brandon,
Patrick]
o [Zenmap] We now give the --force option to setup.py for installation
to ensure that it replaces all files. [David]
o Nmap's --packet-trace, --version-trace, and --script-trace now use
an Nsock trace level of 2 rather than 5. This removes some
superfluous lines which can flood the screen. [David]
o [Zenmap] Fixed a crash which could occur when loading the help URL
if the path contains multibyte characters. [David]
o [Ncat] The version number is now matched to the Nmap release it came
with rather than always being 0.2. [David]
o Fixed a strtok issue between load_exclude and
TargetGroup::parse_expr that caused only the first exclude on
a line to be loaded as well as an invalid read into free()'d
memory in load_exclude(). [Brandon, David]
o NSE's garbage collection system (for cleaning up sockets from
completed threads, etc.) has been improved. [Patrick]
Enjoy the new release and disenfect those systems!
-Fyodor
_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org
--
Thanks & Best Regards,
Feris Thia
Business Intelligence Consultant
PT. Putera Handal Indotama
Phone : +6221-30119353
Fax : +6221-5513483
Mobile : +628176-474-525
http://www.phi-integration.com
http://pentaho.phi-integration.com
Reply all
Reply to author
Forward
0 new messages