Conflicker discovery tool

Working on running the script on all my machines here.

One thing you need to do is to generate a txt file with all the hosts you intend to scan.

I'm running the following batch file to do so:

Code: 
@echo off
 
set prefix=192.168.1
if not exist IPs.txt copy nul IPs.txt >nul
 
FOR /L %%a IN (1, 1, 254) DO (
  findstr /X /L /c:"%prefix%.%%a " IPs.txt >nul
  if errorlevel 1 (
    ping -n 1 -w 60 %prefix%.%%a | findstr /i "Antwort" >nul && echo %prefix%.%%a >> IPs.txt
  )
)

The above makes a file IPs.txt with the machines IP that are currently responding to pings.
 
Use the scs.py file. You can specify an IP range. Although your script is good for cutting down the amount of time the tool runs for.
 
I ran it via; scs.py 192.168.1.1 192.168.1.254

It's python, so you'll need that installed. Along with the Crypt and Impacket modules. I ran it from linux, but I'm sure it'll work from windows too.
 
My Method:

1. Get Nmap/Zenmap - http://nmap.org/download.html

2. Run the following sweep across your network, replacing "192.168.1.0 /24" with your network information:
  • nmap -p 445 -d --script smb-check-vulns --script-args safe=1 192.168.1.0 /24

3. Results are as follows:
  • Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add –script-args=unsafe=1 to run)
    –
    Alternatively, it might say “Likely CLEAN”.

4. Give props to those writing code to help us all out.


Hope this helps you guys out, as we all prep for what may come.
 
The Conficker Eye Chart is a simple way to help tell if a single PC has it. It tries to load images from some of the sites that the different variants block. Depending on which images show up and which ones don't, you can narrow it down to a certain version.

I used the Coralized link, as the site went down before. Only the confickerworkinggroup.org relative links get cached. The absolute links to the test images still try to pull from the original sites, so the test is still valid even when run through Coral.
 
InvisiBill said:
The Conficker Eye Chart is a simple way to help tell if a single PC has it. It tries to load images from some of the sites that the different variants block. Depending on which images show up and which ones don't, you can narrow it down to a certain version.

I used the Coralized link, as the site went down before. Only the confickerworkinggroup.org relative links get cached. The absolute links to the test images still try to pull from the original sites, so the test is still valid even when run through Coral.
Click to expand...

The eye chart is a nifty idea, worked great.
 
You must log in or register to reply here.
Back
Top