Thread: NMAP & Confiker

  1. #11
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by cormega View Post
    Do you have any hints as to how I can get every bit of information from the command line result exported to an xml file? When I use the -oX switch it does not include the Host Script Results for some reason....
    There is a perl script available that may help out.
    http://noh.ucsd.edu/~bmenrigh/nxml_conficker.pl
    The script (needs XML::Simple) will parse and report on your conficker/MS08-067 scan results.
    Each host will have a line in the "Host script results" section.


    Why does it have to be xml?
    Because xml is cool!?
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  2. #12
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Yeah, XML is way cool!

    Anyway, I found out that if I used the -oA switch, the XML file generated would include the results of the host script results, but the XML file generated by -oX will not... strange, but either way I got it working.

    Thanks for the feedback though

  3. #13
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by cormega View Post
    Yeah, XML is way cool!

    Anyway, I found out that if I used the -oA switch, the XML file generated would include the results of the host script results, but the XML file generated by -oX will not... strange, but either way I got it working.

    Thanks for the feedback though
    Did you give the -oX or -oA a name and proper path?

  4. #14
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Yep... I just added -oX /-oA conficker_scan at the end and it generated the files properly.

    However it seems as though NMap reports that there are 256 hosts for each net I scan.. first of all that won't be possible as 254 would be the maximum number.. however I know for a fact that some of these nets only have about 40-50 hosts up, do you have any idea why nmap says this?

    When I check the nmap output it states that the ports on one of these nonexistent hosts are filtered, is there an easy way to rule out these false-positives to make nmap report the correct number of hosts up in each network?

  5. #15
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by cormega View Post
    Yep... I just added -oX /-oA conficker_scan at the end and it generated the files properly.

    However it seems as though NMap reports that there are 256 hosts for each net I scan.. first of all that won't be possible as 254 would be the maximum number.. however I know for a fact that some of these nets only have about 40-50 hosts up, do you have any idea why nmap says this?

    When I check the nmap output it states that the ports on one of these nonexistent hosts are filtered, is there an easy way to rule out these false-positives to make nmap report the correct number of hosts up in each network?

    Can you print your exact command here for us to look at?

  6. #16
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Sure:

    Code:
    nmap -PN -T4 -p139,445 -n -vvv --script=smb-check-vulns --script-args=unsafe=1 172.21.10.0/24 -oA Scan_av_172_21_10_nettet

  7. #17
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by cormega View Post
    Sure:

    Code:
    nmap -PN -T4 -p139,445 -n -vvv --script=smb-check-vulns --script-args=unsafe=1 172.21.10.0/24 -oA Scan_av_172_21_10_nettet
    Try this.

    Code:
    nmap -PN -T4 -p139,445 -n -vvv --script=smb-check-vulns --script-args=unsafe=1 172.21.10.100-150 -oA Scan_av_172_21_10_nettet
    That will scan 172.21.10.100 to 150. Change it to suit your needs.

    I had to scan only certain ranges here, as I'm very careful that I don't run an nmap scan against certain devices.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #18
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by cormega View Post
    Sure:

    Code:
    nmap -PN -T4 -p139,445 -n -vvv --script=smb-check-vulns --script-args=unsafe=1 172.21.10.0/24 -oA Scan_av_172_21_10_nettet
    No idea, I just ran the exact same command in my network, which is on 192.,
    and it reported the same thing: 256. Normally 0 and 255 are reserved and are not available for use.
    But what's even funnier is the fact that nmap reports all 256 hosts being up! Again I have no IPs in that address range, and it reported about 30 different ones. I don't even have that many IP addresses in use. Maybe I am missing something.

  9. #19
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    I tried scanning by sequences like streaker suggested.. scanned 50 hosts in whereas only 23 should be up but it still reported 50 hosts up so I'm stuck.

    It's not a big deal, I just got to wondering why nmap would give this reply, maybe it has something to do with it being a new scanning feature in a beta release?

  10. #20
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by cormega View Post
    I tried scanning by sequences like streaker suggested.. scanned 50 hosts in whereas only 23 should be up but it still reported 50 hosts up so I'm stuck.

    It's not a big deal, I just got to wondering why nmap would give this reply, maybe it has something to do with it being a new scanning feature in a beta release?
    I ran some different variations and it is doing the same thing with me.
    The one thing that I do not understand is why/how it would even report a host being available if the network addresses are not even in use.

    I just contacted Fyodor to let him know what we are experiencing.
    I will post back any info that we get in return.
    EDIT: In the meantime if anyone else experiences this or any other anomalies please post your results.
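
An added example, not written by any poster in this thread and not taken from nxml_conficker.pl: with -PN nmap skips host discovery and lists every target address as up, so the host count asked about above can be recovered from the -oX / -oA XML by separating hosts whose scanned ports all came back filtered from hosts that actually answered, and collecting the host script results for the latter. The sample XML and its script output text are constructed, and `summarize` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements nmap writes per host with -oX / -oA.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="172.21.10.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns"
              output="MS08-067: NOT VULNERABLE&#10;Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="172.21.10.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="filtered"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="172.21.10.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="closed"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""


def summarize(xml_text):
    """Return ({address: {script id: output}} for hosts that answered, [silent addresses])."""
    responding, silent = {}, []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        # <state> sits under each <port>; <extraports> carries collapsed port states.
        states = {e.get("state") for tag in ("state", "extraports") for e in host.iter(tag)}
        if states <= {"filtered"}:  # no port replied: listed as up only because of -PN
            silent.append(addr)
            continue
        responding[addr] = {s.get("id"): s.get("output")
                            for s in host.findall("hostscript/script")}
    return responding, silent


if __name__ == "__main__":
    up, quiet = summarize(SAMPLE_XML)
    print(len(up), "hosts answered;", len(quiet), "listed as up but silent")
    for addr, scripts in up.items():
        print(addr, scripts or "(no host script results)")
```

A host whose ports are closed still counts as answering, since a reset is a reply; only hosts with every scanned port filtered are set aside.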
