
File p2p-conficker

Download: http://nmap.org/svn/scripts/p2p-conficker.nse

User Summary

Check if a host is infected with Conficker.C or higher, based on Conficker's peer to peer communication.

When Conficker.C and higher infect a system, it opens four ports: two TCP and two UDP. The ports are random, but are seeded with the current week and the IP of the infected host. By determining the algorithm, one can check if these four ports are open, and can probe them for more data.

Once the open ports are found, communication can be initiated using Conficker's custom peer to peer protocol. If a valid response is received, then a valid Conficker infection has been found.

This check won't work properly on a multihomed or NATed system -- the open ports will be based on a nonpublic IP. The argument checkall tells Nmap to attempt communication with every open port (much like a version check) and the argument realip tells Nmap to base its port generation on the given IP address instead of the actual IP. See the args section for more information.

By default, this will run against a system that has a standard Windows port open (445, 139, 137). The arguments checkall and checkconficker will both perform checks regardless of which port is open; see the args section for more information.

Note: Ensure your clock is correct (within a week) before using this script!

The majority of research for this script was done by Symantec Security Response, and some was taken from public sources (most notably the port blacklisting was found by David Fifield). A big thanks goes out to everybody who contributed!

Script Arguments

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Requires


categories default safe

author Ron Bowes (with research from Symantec Security Response)

copyright © Same as Nmap--See http://nmap.org/book/man-legal.html

Hostrule

hostrule (host)

For a hostrule, simply use the 'smb' ports as an indicator, unless the user overrides it.

Parameters

  • host:

Functions

conficker_check (ip, port, protocol)

Checks if conficker is present on the given port/protocol. The ports Conficker uses are fairly standard, so those should generally be used for this check. This can also be sent to any open port on the system.

is_blacklisted_port (port)

Check if a port is Blacklisted. Thanks to David Fifield for determining the purpose of the "magic" array: <http://www.bamsoftware.com/wiki/Nmap/PortSetGraphics#conficker>

p2p_checksum (data)

Calculate a checksum for the data. This checksum is appended to every Conficker packet before the random noise. The checksum includes the key and data, but not the noise and optional length.

p2p_cipher (packet, key1, key2)

Encrypt/decrypt the buffer with a simple xor-based symmetric encryption. It uses a 64-bit key, represented by key1:key2, that is transmitted in plain text. Since sniffed packets can be decrypted, this is a simple obfuscation technique.

p2p_create_packet (protocol, do_encryption)

Create a peer to peer packet for the given protocol.

p2p_parse (packet)

Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be parsed properly (likely means the port is being used for something else), but will return successfully without checking the packet's checksum (although it does calculate the checksum). It's up to the calling function to decide if it cares about the checksum.

prng_generate_ports (ip, seed)

Generates the four random ports that Conficker uses, based on the current time and the IP address.

rot64 (h, l)

Rotates the 64-bit integer defined by h:l left by one bit.



Functions

conficker_check (ip, port, protocol)

Checks if conficker is present on the given port/protocol. The ports Conficker uses are fairly standard, so those should generally be used for this check. This can also be sent to any open port on the system.

Parameters

  • ip: The ip address of the system to check
  • port: The port to check (can be taken from prng_generate_ports, or from unidentified ports)
  • protocol:

Return value:

(status, reason, data) Status indicates whether or not Conficker is suspected to be present (true = Conficker, false = no Conficker). If status is true, data is the table of information returned by Conficker.

is_blacklisted_port (port)

Check if a port is Blacklisted. Thanks to David Fifield for determining the purpose of the "magic" array: <http://www.bamsoftware.com/wiki/Nmap/PortSetGraphics#conficker>

Basically, each bit in the blacklist array represents a group of 32 ports. If that bit is on, those ports are blacklisted and will never come up.

Parameters

  • port: The port to check

Return value:

true if the port is blacklisted, false otherwise
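The bitmap lookup described above, as an added illustration that is not code from the script and does not use its real "magic" array. The EXAMPLE_BLACKLIST table below is constructed for demonstration and is shorter than a full 2048-bit (64-word) table; the bit numbering (least significant bit first within each 32-bit word, word 0 first) is an assumption made for this example, and the group-of-32-ports interpretation is the one the page states:

```python
# Constructed example bitmap: each bit covers 32 consecutive ports, so bit i
# (counting across words, LSB-first within a word) stands for ports
# 32*i .. 32*i+31. This is NOT the script's real "magic" array.
EXAMPLE_BLACKLIST = [
    0x0000000F,  # bits 0-3 set: groups 0-3, i.e. ports 0-127 are blacklisted
    0x00000000,  # groups 32-63 (ports 1024-2047): none blacklisted
    0x80000000,  # bit 31 of word 2: group 95, i.e. ports 3040-3071
]

PORTS_PER_GROUP = 32
BITS_PER_WORD = 32


def is_blacklisted_port(port, blacklist=EXAMPLE_BLACKLIST):
    """Return True if the 32-port group containing `port` has its bit set.

    Groups beyond the end of a (short) table are treated as not blacklisted,
    so a truncated table only ever excludes ports it explicitly names.
    """
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    group = port // PORTS_PER_GROUP          # which 32-port group the port is in
    word, bit = divmod(group, BITS_PER_WORD)  # which word holds that group's bit
    if word >= len(blacklist):
        return False
    return (blacklist[word] >> bit) & 1 == 1


def blacklisted_ports(blacklist=EXAMPLE_BLACKLIST):
    """Expand a bitmap into the sorted list of every port it excludes.

    Handy for reviewing what a table rules out, since a port generator built
    on such a bitmap will never produce any of these.
    """
    ports = []
    for word_index, word in enumerate(blacklist):
        for bit in range(BITS_PER_WORD):
            if (word >> bit) & 1:
                first = (word_index * BITS_PER_WORD + bit) * PORTS_PER_GROUP
                ports.extend(range(first, first + PORTS_PER_GROUP))
    return ports


if __name__ == "__main__":
    for p in (0, 127, 128, 3040, 3071, 3072, 65535):
        print(p, is_blacklisted_port(p))
    print(len(blacklisted_ports()), "ports excluded by the example table")
```

A full table for all 65536 ports needs 2048 bits, i.e. 64 words; the example keeps three so the effect of each set bit is easy to trace by hand.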
p2p_checksum (data)

Calculate a checksum for the data. This checksum is appended to every Conficker packet before the random noise. The checksum includes the key and data, but not the noise and optional length.

Parameters

  • data: The data to create a checksum for.

Return value:

An integer representing the checksum.
p2p_cipher (packet, key1, key2)

Encrypt/decrypt the buffer with a simple xor-based symmetric encryption. It uses a 64-bit key, represented by key1:key2, that is transmitted in plain text. Since sniffed packets can be decrypted, this is a simple obfuscation technique.

Parameters

  • packet: The packet to encrypt (before the key and optional length are prepended).
  • key1: The low-order 32 bits in the key.
  • key2: The high-order 32 bits in the key.

Return value:

The encrypted (or decrypted) data.
p2p_create_packet (protocol, do_encryption)

Create a peer to peer packet for the given protocol.

Parameters

  • protocol: The protocol (either 'tcp' or 'udp' -- tcp packets have a length in front, and an extra flag)
  • do_encryption: (optional) If set to false, packets aren't encrypted (the key '0' is used). Useful for testing. Default: true.
p2p_parse (packet)

Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be parsed properly (likely means the port is being used for something else), but will return successfully without checking the packet's checksum (although it does calculate the checksum). It's up to the calling function to decide if it cares about the checksum.

Parameters

  • packet: The packet, without the optional length (if it's TCP).

Return value:

(status, result) If status is true, result is a table (including 'hash' and 'real_hash'). If status is false, result is a string that indicates why the parse failed.
prng_generate_ports (ip, seed)

Generates the four random ports that Conficker uses, based on the current time and the IP address.

Parameters

  • ip: The IP address as a 32-bit little endian integer
  • seed: The seed, based on the time (floor((time - 345600) / 604800))

Return value:

An array of four ports; the first and third are TCP, and the second and fourth are UDP.
rot64 (h, l)

Rotates the 64-bit integer defined by h:l left by one bit.

Parameters

  • h: The high-order 32 bits
  • l: The low-order 32 bits

Return value:

64-bit rotated integer, as a pair of 32-bit integers.
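The two inputs prng_generate_ports takes, together with the rot64 primitive, as an added example in Python rather than the script's own Lua. It is not code from the script: rot64 follows the description above (h:l rotated left by one bit, returned as a pair of 32-bit halves), week_seed is the stated formula floor((time - 345600) / 604800), and ip_to_le32 packs a dotted-quad address as the 32-bit little-endian integer the ip parameter calls for. seed_window is an added helper, not part of the script, that shows why the clock must be right to within a week:

```python
import ipaddress
import struct
import time

MASK32 = 0xFFFFFFFF
SEED_OFFSET = 345600      # seconds; four days, shifts the week boundary
SECONDS_PER_WEEK = 604800


def rot64(h, l):
    """Rotate the 64-bit integer h:l left by one bit.

    h is the high-order 32 bits, l the low-order 32 bits; the result is
    returned as a new (h, l) pair, so the top bit of l moves into h and the
    top bit of h wraps around into the bottom of l.
    """
    new_h = ((h << 1) & MASK32) | (l >> 31)
    new_l = ((l << 1) & MASK32) | (h >> 31)
    return new_h, new_l


def week_seed(unix_time):
    """Time-based seed from the page: floor((time - 345600) / 604800).

    The value only changes once a week, which is why a clock that is wrong by
    more than a week makes the script look for the wrong set of ports.
    """
    return (unix_time - SEED_OFFSET) // SECONDS_PER_WEEK


def seed_window(seed):
    """Inclusive Unix-time range [start, end] during which `seed` is current.

    Added helper (not in the script) to show the week boundaries a seed covers.
    """
    start = seed * SECONDS_PER_WEEK + SEED_OFFSET
    return start, start + SECONDS_PER_WEEK - 1


def ip_to_le32(ip_text):
    """Pack a dotted-quad IPv4 address as a 32-bit little-endian integer.

    IPv4Address.packed gives the address in network (big-endian) byte order;
    reading those four bytes as little-endian yields the integer form the
    prng_generate_ports parameter description asks for.
    """
    packed = ipaddress.IPv4Address(ip_text).packed
    return struct.unpack("<I", packed)[0]


if __name__ == "__main__":
    now = int(time.time())
    seed = week_seed(now)
    print("current seed:", seed, "valid for", seed_window(seed))
    print("192.168.1.1 as LE32:", hex(ip_to_le32("192.168.1.1")))
    print("rot64(0x80000000, 0x00000001) ->",
          tuple(hex(x) for x in rot64(0x80000000, 0x00000001)))
```

When a scanner and a target sit in different seed windows (seed_window makes the boundaries explicit), the four generated ports will not match, which is the failure the clock note in the summary warns about.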
