![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Conflicker + Network Scanner?
- Thread starter marley1
- Start date
mngl1500
2[H]4U
- Joined
- Feb 28, 2005
- Messages
- 3,589
blk95civicex
Limp Gawd
- Joined
- Feb 10, 2003
- Messages
- 170
My Method:
1. Get Nmap/Zenmap - http://nmap.org/download.html
2. Run the following sweep across your network, replacing "192.168.1.0 /24" with your network information:
3. Results are as follows:
4. Give props to those writing code to help us all out.
Hope this helps you guys out, as we all prep for what may come.
1. Get Nmap/Zenmap - http://nmap.org/download.html
2. Run the following sweep across your network, replacing "192.168.1.0 /24" with your network information:
- nmap -p 445 -d --script smb-check-vulns --script-args safe=1 192.168.1.0 /24
3. Results are as follows:
- Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add script-args=unsafe=1 to run)
Alternatively, it might say Likely CLEAN.
4. Give props to those writing code to help us all out.
Hope this helps you guys out, as we all prep for what may come.
@ blk95civicex
How did you parse the output from nmap? It gives great output, but I'd like to compile a list of unpatched systems, I just want:
Host: Hostname
Host script results:
| MS08-067: NOT RUN
instead of :
Host hostname.domain.com (172.17.8.42) appears to be up ... good.
Scanned at 2009-03-30 20:11:57 Canada Central Standard Time for 5s
Interesting ports on hostname.domain.com (172.17.8.42):
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: XX:XX:XX:XX:XX:XX (Dell)
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 0 rttvar: 3750 to: 100000
across 300+ systems, it's a big log...
How did you parse the output from nmap? It gives great output, but I'd like to compile a list of unpatched systems, I just want:
Host: Hostname
Host script results:
| MS08-067: NOT RUN
instead of :
Host hostname.domain.com (172.17.8.42) appears to be up ... good.
Scanned at 2009-03-30 20:11:57 Canada Central Standard Time for 5s
Interesting ports on hostname.domain.com (172.17.8.42):
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: XX:XX:XX:XX:XX:XX (Dell)
Host script results:
| smb-check-vulns:
| MS08-067: NOT RUN
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
Final times for host: srtt: 0 rttvar: 3750 to: 100000
across 300+ systems, it's a big log...
blk95civicex
Limp Gawd
- Joined
- Feb 10, 2003
- Messages
- 170
I have a couple subnets, so I did them one at a time, and just tossed the results into a text file and did a find on "Likely INFECTED". It's a pretty dirty search, but it worked for what I wanted to find.
Yea, I've just been asked to enumerate which hosts need the patch applied, so I wanted an easy way to quickly reference and make myself a to-do list to hand to the helpdesk guys. I imported the nmap generated xml file into excel but it leaves out the information i need, I should probably look into why if does that, but I figured someone might have a good idea I haven't thought of yet
For now I've got it open in notepad++ with the requisite information highlighted, that might just have to do