News from Fyodor

> Date: Tue, 31 Mar 2009 17:04:29 -0700
> From: fyodor@insecure.org
> To: nmap-hackers@insecure.org
> Subject: Nmap 4.85BETA6 now avail w/Conficker detection
>
> Hi Folks! In case you missed all the news reports yesterday, a couple
> great researchers from the Honeynet Project (Tillmann Werner and Felix
> Leder) and Dan Kaminsky came up with a way to remotely detect the
> Conficker worm which has infected millions of machines worldwide.
> Some say 15,000,000 machines infected, but that might just be
> exaggerated AV-company BS for all I know. But there are clearly
> millions of infections, and this massive botnet is scheduled for a new
> update cycle starting tomorrow. Will this cause Internet doom? No,
> but the bad guys might fix the mechanism that lets us remotely detect
> 'em. Or they might engage in other mischief with their botnet.
> That's why we did the emergency releases--so you can scan for and
> remove them early! During the process, I had to infect one of my
> systems with Conficker for testing, and Nmap even got booted from
> Dreamhost's "unlimited bandwidth" hosting because the downloads were
> taking too much bandwidth. They said:
>
>     "Sadly your file nmap-4.85BETA5-setup.exe, and a few similar, were
>     getting so many downloads on your machine, iceman, that it
>     saturated out the 100mbit connection on it, and caused everyone
>     else's sites to go down."
>
> Dreamhost blocked further downloads, but we quickly switched to using
> our colocation provider and also got some mirroring help from Brandon
> Enright at UCSD! So UCSD is hosting 4.85BETA6. Of course I'd like to
> thank Ron Bowes who wrote the detection code (it is an update to his
> existing smb-check-vulns SMB script). David Fifield was a huge help
> too.
>
> An example Conficker scan command is:
>
> nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnets]
>
> A clean machine should report at the bottom: "Conficker: Likely
> Clean", while likely infected machines report "Conficker: Likely
> INFECTED". For more details and updates, see our announcement here:
>
> http://insecure.org/
>
> And of course to download Nmap 4.85BETA6, see:
>
> http://nmap.org/download.html
>
> Of course we have some other nice improvements besides Conficker
> detection. Here are the changes since BETA4:
>
> Nmap 4.85BETA6 [2009-03-31]
>
> o Fixed some bugs with the Conficker detection script
>   (smb-check-vulns) [Ron]:
>   o SMB response timeout raised to 20s from 5s to compensate for
>     slow/overloaded systems and networks.
>   o MSRPC now only signs messages if OpenSSL is available (avoids an
>     error).
>   o Better error checking for MS08-067 patch
>   o Fixed forgotten endian-modifier (caused problems on big-endian
>     systems such as Solaris on SPARC).
>
> o Host status messages (up/down) are now uniform between ping scanning
>   and port scanning and include more information. They used to vary
>   slightly, but now all look like
>     Host is up (Xs latency).
>     Host is down.
>   The new latency information is Nmap's estimate of the round trip
>   time. In addition, the reason for a host being up is now printed for
>   port scans just as for ping scans, with the --reason option. [David]
>
> o Version detection now has a generic match line for SSLv3 servers,
>   which matches more servers than the already-existing set of specific
>   match lines. The match line found 13% more SSL servers in a test.
>   Note that Nmap will not be able to do SSL scan-through against a
>   small fraction of these servers, those that are SSLv3-only or
>   TLSv1-only, because that ability is not yet built into Nsock. There
>   is also a new version detection probe that works against SSLv2-only
>   servers.
>   These have shown themselves to be very rare, so that probe
>   is not sent by default. Kristof Boeynaems provided the patch and did
>   the testing.
>
> o [Zenmap] A typo that led to a crash if the ndiff subprocess
>   terminated with an error was fixed. [David] The message was
>     File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
>     UnboundLocalError: local variable 'error_test' referenced before assignment
>
> o [Zenmap] A crash was fixed:
>     File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
>     KeyError: "Syst\xc3\xa8me d'Exploitation"
>   The text could be different, because the error was caused by
>   translating a string that was also being used as an index into an
>   internal data structure. The string will be untranslated until that
>   part of the code can be rewritten. [David]
>
> o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
>   or target: search over hosts that had a MAC address. [David]
>   The crash output was
>     File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
>     File "zenmapCore\SearchResult.pyo", line 183, in match_target
>     TypeError: argument of type 'NoneType' is not iterable
>
> o Fixed a bug which prevented all comma-separated --script arguments
>   from being shown in Nmap normal and XML output files where they show
>   the original Nmap command. [David]
>
> o Fixed ping scanner's runtime statistics system so that instead of
>   saying "0 undergoing Ping Scan" it gives the actual number of hosts in
>   the group (e.g. 4096). [David]
>
> o [Zenmap] A crash was fixed in displaying the "Error creating the
>   per-user configuration directory" dialog:
>     File "zenmap", line 104, in
>     File "zenmapGUI\App.pyo", line 129, in run
>     UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
>     invalid data
>   The crash would only happen to users with paths containing
>   multibyte characters in a non-UTF-8 locale, who also had some error
>   preventing the creation of the directory.
>   [David]
>
> Nmap 4.85BETA5 [2009-03-30]
>
> o Ron (in just a few hours of furious coding) added remote detection
>   of the Conficker worm to smb-check-vulns. It is based on new
>   research by Tillmann Werner and Felix Leder. You can scan your
>   network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
>   -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
>
> o Ndiff now includes service (version detection) and OS detection
>   differences. [David]
>
> o [Ncat] The --exec and --sh-exec options now work in UDP mode like
>   they do in TCP mode: the server handles multiple concurrent clients
>   and doesn't have to be restarted after each one. Marius Sturm
>   provided the patch.
>
> o [Ncat] The -v option (used alone) no longer floods the screen with
>   debugging messages. With just -v, we now only print the most
>   important status messages such as "Connected to ...", a startup
>   banner, and error messages. At -vv, minor debugging messages are
>   enabled, such as what command is being executed by --sh-exec. With
>   -vvv you get detailed debugging messages. [David]
>
> o [Ncat] Chat mode now lets other participants know when someone
>   connects or disconnects, and it also broadcasts a current list of
>   participants at such times. [David]
>
> o [Ncat] Fixed a socket handling bug which could occur when you
>   redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
>   user to connect would end up with file descriptor 0 (which is
>   normally stdin) and thus confuse Ncat. [David]
>
> o [Zenmap] The "Scan Output" expanders in the diff window now behave
>   more naturally. Some strange behavior on Windows was noted by Jah.
>   [David]
>
> o The following OS detection tests are no longer included in OS
>   fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI,
>   and SI were found not to be helpful in distinguishing operating systems
>   because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
>   but now they are not included in prints at all.
>   [David]
>
> o The compile-time Nmap ASCII dragon is now more ferocious thanks to
>   better teeth alignment. [David]
>
> o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
>   test that could cause a closed-port IP ID to be written into the
>   array for the SEQ.TI test and cause erroneous results. The bug was
>   found and fixed by Guillaume Prigent.
>
> o Nbase has grown routines for calculating Adler32 and CRC32C
>   checksums. This is needed for future SCTP support. [Daniel
>   Roethlisberger]
>
> o [Zenmap] Zenmap no longer shows an error message when running Nmap
>   with options that cause a zero-length XML file to be produced (like
>   --iflist). [David]
>
> o Fixed an off-by-one error in printableSize() which could cause Nmap
>   to crash while reporting NSE results. Also, NmapOutputTable's memory
>   allocation strategy was improved to conserve memory. [Brandon,
>   Patrick]
>
> o [Zenmap] We now give the --force option to setup.py for installation
>   to ensure that it replaces all files. [David]
>
> o Nmap's --packet-trace, --version-trace, and --script-trace now use
>   an Nsock trace level of 2 rather than 5. This removes some
>   superfluous lines which can flood the screen. [David]
>
> o [Zenmap] Fixed a crash which could occur when loading the help URL
>   if the path contains multibyte characters. [David]
>
> o [Ncat] The version number is now matched to the Nmap release it came
>   with rather than always being 0.2. [David]
>
> o Fixed a strtok issue between load_exclude and
>   TargetGroup::parse_expr that caused only the first exclude on
>   a line to be loaded as well as an invalid read into free()'d
>   memory in load_exclude(). [Brandon, David]
>
> o NSE's garbage collection system (for cleaning up sockets from
>   completed threads, etc.) has been improved. [Patrick]
>
>
> Enjoy the new release and disinfect those systems!
> -Fyodor
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org

Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month @ Noon - 3PM
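The scan command in Fyodor's post prints one "Conficker:" verdict per host, which is tedious to triage across a /16. The helper below is an added example, not code from the post or from the Nmap project: it builds that command line for a list of target networks (adding -oN so the normal output is saved, an addition of this example) and parses the saved output into a host-to-verdict map. The sample output embedded in it is constructed to approximate the 4.85-era normal-output layout ("Interesting ports on HOST:" followed by a "Host script results:" block); it is not a capture from a real scan, and the exact wording of the script's other lines is assumed.

```python
"""Triage helper for the Conficker sweep described in the announcement.
Added example, not Nmap project code; SAMPLE_OUTPUT below is constructed."""
import re
import shlex
from typing import Dict, List

# Flags exactly as given in the announcement for Nmap 4.85BETA6: skip host
# discovery (-PN), aggressive timing, SMB ports only, no DNS, verbose, and
# safe=1 so smb-check-vulns skips the checks that can crash a target.
SCAN_ARGS = ["nmap", "-PN", "-T4", "-p139,445", "-n", "-v",
             "--script=smb-check-vulns", "--script-args", "safe=1"]


def build_scan_command(targets: List[str], output_file: str) -> List[str]:
    """argv for sweeping `targets`; -oN (this example's addition) saves the
    normal output so it can be parsed offline with parse_conficker_results."""
    if not targets:
        raise ValueError("at least one target network is required")
    return SCAN_ARGS + ["-oN", output_file] + list(targets)


# Per-host header in Nmap normal output. 4.x prints "Interesting ports on
# HOST:"; later releases print "Nmap scan report for HOST". Both are handled.
HOST_RE = re.compile(r"^(?:Interesting ports on (\S+):|Nmap scan report for (\S+))")
# Script result line, e.g. "|  Conficker: Likely INFECTED" (or "|_ ..." when
# it is the last line of a script block).
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")


def parse_conficker_results(normal_output: str) -> Dict[str, str]:
    """Map each scanned host to the verdict text after "Conficker:".
    Hosts with no such line (ports closed, script not run) get "NO RESULT"."""
    results: Dict[str, str] = {}
    host = None
    for line in normal_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1) or m.group(2)
            results[host] = "NO RESULT"   # replaced if a verdict follows
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            results[host] = m.group(1)
    return results


def infected_hosts(normal_output: str) -> List[str]:
    """Hosts whose verdict contains INFECTED, sorted for stable reporting."""
    return sorted(h for h, v in parse_conficker_results(normal_output).items()
                  if "INFECTED" in v.upper())


# Constructed sample in the shape of 4.85-era normal output; not a real capture.
SAMPLE_OUTPUT = """\
Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely Clean
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.9:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Interesting ports on 10.0.0.20:
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

if __name__ == "__main__":
    cmd = build_scan_command(["10.0.0.0/24"], "conficker.nmap")
    print("scan command:", " ".join(shlex.quote(a) for a in cmd))
    for host, verdict in parse_conficker_results(SAMPLE_OUTPUT).items():
        print(f"{host:<16} {verdict}")
    print("infected:", infected_hosts(SAMPLE_OUTPUT))
```

Treat "NO RESULT" hosts as unscanned rather than clean: a host with 139/445 filtered or closed was never probed by the script. And, as the post itself warns, the check depends on a quirk of the worm's SMB handling that the botnet operators could remove in an update, so "Likely Clean" is evidence, not proof. Current Nmap releases spell the flag -Pn and carry the check as the separate smb-vuln-conficker script, but the output parsed here is the 4.85 format.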