Conflicker discovery tool

bobdole369

Gawd
Joined
Jun 27, 2004
Messages
856
Working on running the script on all my machines here.

One thing you need to do is to generate a txt file with all the hosts you intend to scan.

I'm running the following batch file to do so:

Code:
@echo off
 
set prefix=192.168.1
if not exist IPs.txt copy nul IPs.txt >nul
 
FOR /L %%a IN (1, 1, 254) DO (
  findstr /X /L /c:"%prefix%.%%a " IPs.txt >nul
  if errorlevel 1 (
    ping -n 1 -w 60 %prefix%.%%a | findstr /i "Antwort" >nul && echo %prefix%.%%a >> IPs.txt
  )
)

The above makes a file IPs.txt with the machines IP that are currently responding to pings.
 

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,549
Use the scs.py file. You can specify an IP range. Although your script is good for cutting down the amount of time the tool runs for.
 

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,549
I ran it via; scs.py 192.168.1.1 192.168.1.254

It's python, so you'll need that installed. Along with the Crypt and Impacket modules. I ran it from linux, but I'm sure it'll work from windows too.
 

blk95civicex

Limp Gawd
Joined
Feb 10, 2003
Messages
170
My Method:

1. Get Nmap/Zenmap - http://nmap.org/download.html

2. Run the following sweep across your network, replacing "192.168.1.0 /24" with your network information:
  • nmap -p 445 -d --script smb-check-vulns --script-args safe=1 192.168.1.0 /24

3. Results are as follows:
  • Host script results:
    | smb-check-vulns:
    | MS08-067: NOT RUN
    | Conficker: Likely INFECTED
    |_ regsvc DoS: NOT RUN (add –script-args=unsafe=1 to run)
    –
    Alternatively, it might say “Likely CLEAN”.

4. Give props to those writing code to help us all out.


Hope this helps you guys out, as we all prep for what may come.
 

InvisiBill

2[H]4U
Joined
Jan 2, 2003
Messages
2,608
The Conficker Eye Chart is a simple way to help tell if a single PC has it. It tries to load images from some of the sites that the different variants block. Depending on which images show up and which ones don't, you can narrow it down to a certain version.

I used the Coralized link, as the site went down before. Only the confickerworkinggroup.org relative links get cached. The absolute links to the test images still try to pull from the original sites, so the test is still valid even when run through Coral.
 

Ockie

*** Self Proclaimed Storage King ***
Joined
Mar 2, 2005
Messages
18,003
The Conficker Eye Chart is a simple way to help tell if a single PC has it. It tries to load images from some of the sites that the different variants block. Depending on which images show up and which ones don't, you can narrow it down to a certain version.

I used the Coralized link, as the site went down before. Only the confickerworkinggroup.org relative links get cached. The absolute links to the test images still try to pull from the original sites, so the test is still valid even when run through Coral.

The eye chart is a nifty idea, worked great.
 
Top