Scanning the internal network for Conficker with Nmap, with a VBScript I wrote to convert the results to CSV
We recently ran into Conficker, and as it happened I saw on the CISSP forum mailing list that Brandon said the new Nmap can scan for Conficker; Brandon also provided a Perl script that converts the scan results into another format.
I searched for related information online; for details see
http://www.net-security.org/secworld.php?id=7252
Downloading and installing Nmap, and the command used to scan for Conficker, are not covered here.
I tried installing Perl, but running Brandon's Perl script kept throwing errors. So I wrote a simple VBScript myself and am posting it here for reference. The script is not very long, so I am not attaching it; anyone interested can save the content below as a text file with a .vbs extension. It runs fine for me on XP, but not on Vista.
The script first opens a dialog asking you to select the Nmap scan result file (the .nmap file), then extracts the relevant information from that file and saves it as a CSV file. Since it is only for simple use, the script does no error checking.
======= huangyyb's Nmap Conficker scan result parsing script ======
Option Explicit
Dim s_input_filename, s_output_filename
Dim objFSO, objInputFile, objOutputFile, objErrorLogFile, objDialog
Dim s_title, strLineReaded, strLine2Write
Dim arrRecord, i
Const ForReading = 1
Const ForWriting = 2
On Error Resume Next

' The Open File dialog only works under Windows XP; it does not work under Vista.
' Under Vista, set the input file name here by hand and remove the dialog lines below.
' s_input_filename = "D:\Conficker-Scan20090420-test.nmap"
s_input_filename = ""
Set objFSO = CreateObject("Scripting.FileSystemObject")

If s_input_filename = "" Then
    ' Alternative dialog object (Remote Assistance file dialog):
    ' Set objDialog = CreateObject("SAFRCFileDlg.FileOpen")
    ' Note: the dialog will be opened without any file name or
    ' type filter, and in the "current" directory, e.g. as
    ' remembered from the last "SAFRCFileDlg.FileOpen" or
    ' "SAFRCFileDlg.FileSave" dialog!
    ' If objDialog.OpenFileOpenDlg Then
    '     s_input_filename = objDialog.FileName
    ' End If
    Set objDialog = CreateObject("UserAccounts.CommonDialog")
    If objDialog.ShowOpen Then
        s_input_filename = objDialog.FileName
    End If
End If

If Not objFSO.FileExists(s_input_filename) Then
    WScript.Echo "You have not chosen an NMAP result file"
Else
    ' open input file
    Set objInputFile = objFSO.OpenTextFile(s_input_filename, ForReading)
    ' open output file (next to the input file, overwritten if it already exists)
    s_output_filename = s_input_filename & ".csv"
    If objFSO.FileExists(s_output_filename) Then
        ' this line was cut off in the original; opening for writing is assumed, as in the Else branch
        Set objOutputFile = objFSO.OpenTextFile(s_output_filename, ForWriting)
    Else
        Set objOutputFile = objFSO.OpenTextFile(s_output_filename, ForWriting, True)
    End If

    s_title = "IP,MAC,MS08-067,Conficker,regsvc DoS"
    objOutputFile.WriteLine s_title
    If objInputFile.AtEndOfStream <> True Then strLineReaded = objInputFile.ReadLine
    ' The line offsets below follow the normal (.nmap) output layout of the Nmap release used for the scan
    Do While objInputFile.AtEndOfStream <> True
        strLine2Write = ""
        If InStr(strLineReaded, "Host ") Then
            ' Column: IP
            arrRecord = Split(strLineReaded, " ")
            strLine2Write = strLine2Write & arrRecord(1)
            ' Column: MAC
            For i = 1 To 4
                objInputFile.SkipLine
            Next
            strLineReaded = Trim(objInputFile.ReadLine)
            If strLineReaded = "" Then
                ' An empty line here indicates the scan was not run from the local VLAN, so there is no MAC
                strLine2Write = strLine2Write & ","
            Else
                strLineReaded = Trim(objInputFile.ReadLine)
                strLine2Write = strLine2Write & "," & Trim(Mid(strLineReaded, 13))
                objInputFile.SkipLine
            End If
            objInputFile.SkipLine
            strLineReaded = objInputFile.ReadLine
            If InStr(strLineReaded, "Host script results") Then
                objInputFile.SkipLine
                ' Column: MS08-067
                strLineReaded = objInputFile.ReadLine
                arrRecord = Split(strLineReaded, ":")
                strLine2Write = strLine2Write & "," & Trim(arrRecord(1))
                ' Column: Conficker
                strLineReaded = objInputFile.ReadLine
                arrRecord = Split(strLineReaded, ":")
                strLine2Write = strLine2Write & "," & Trim(arrRecord(1))
                ' Column: regsvc DoS
                strLineReaded = objInputFile.ReadLine
                strLine2Write = strLine2Write & "," & Trim(Mid(strLineReaded, 16))
            End If
            objOutputFile.WriteLine strLine2Write
        Else
            strLineReaded = objInputFile.ReadLine
        End If
    Loop
    objOutputFile.Close
    objInputFile.Close
End If
======= huangyyb's Nmap Conficker scan result parsing script ======

********* Brandon's email ******************
Fellow security folks,
** For those in a hurry, scroll down to how to get the latest release and
the recommended command ***
Given that this is many people's first time trying to use Nmap to scan
many thousands of hosts at the same time, I figure I should share how
I've been doing it.
Nmap can easily handle scanning a million+ IPs but it isn't tuned to do
so by default. Seemingly minor options can have a big impact on time
in huge scans.
*** How to get the latest release: ***
You will need the absolute latest release of Nmap (4.85BETA5) which you
can get from:
http://nmap.org/download.html
*** For those in a hurry, here is the command I recommend using: ***
sudo nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 \
    -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 \
    -oA conficker_scan <your network(s) here>
*** Interpreting results ***
Each host that is checked will have a line about Conficker in the "Host
script results" section. If you are going to be scanning a very large
network you should use XML output. I have written a perl script (needs
XML::Simple) to parse and report on your Conficker/MS08-067 scan
results available here:
http://noh.ucsd.edu/~bmenrigh/nxml_conficker.pl
Nmap can take CIDR targets so 123.234.0.0/16 is perfectly fine for your
network. You could also do something like 123.234.2-254.2-254 If you
have more than one netblock you can separate them with a space like
123.234.0.0/16 32.64.128.0/24
If you want to ramp the scan speed up further, increase
the --min-hostgroup and --min-parallelism but keep them in a 4:1 ratio. I
wouldn't recommend more than 4096/1024. You can also change -T4 to -T5
but depending on the network/hosts you are scanning this may or
may not have any speed/accuracy effect.
There are three options in the above command to help cut down on the
amount of work Nmap has to do per host: -n, -p445, and -PN.
* -n turns off reverse name resolution which will be nice on your
nameservers.
* -PN in conjunction with -p445 skips the host up/down detection and
goes straight into scanning port 445. This both increases accuracy and
reduces the per-host work done. The ping process is pretty fast but is
still slower than just checking a single port. Hosts that have a
firewall but exceptions for Windows file sharing would not be caught
without -PN.
It is important to note that scanning for Conficker has the small
chance of crashing an unpatched host. Patched and infected hosts won't
be crashed though. Note that if Conficker scans unpatched hosts they
are even more likely to crash than with this check so the benefits
probably outweigh the drawbacks.
If you have questions about this script/using Nmap drop a note to
nmap-dev_at_insecure.org.
Brandon
****************************
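Brandon's mail recommends XML output for large scans, while the VBScript above depends on fixed line offsets in the .nmap text output. The following Python script is an added example, not part of the original post, of Nmap, or of Brandon's Perl script: it produces the same five CSV columns (IP, MAC, MS08-067, Conficker, regsvc DoS) from the XML output instead. The sample XML is constructed here to mimic the -oX layout; the wording of the check lines inside the script's output attribute is assumed from the normal-output lines the VBScript parses, and likely_infected is a convenience helper that is not part of any tool.

```python
"""Convert Nmap XML output of the smb-check-vulns script into a CSV with
the same columns as the VBScript above (IP, MAC, MS08-067, Conficker, regsvc DoS)."""
import csv
import io
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of `nmap -oX`. The text inside the
# script's output attribute is an assumption modelled on the normal-output lines.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -PN -n -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely INFECTED&#xa;  regsvc DoS: NOT VULNERABLE&#xa;"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT VULNERABLE&#xa;"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""

COLUMNS = ["IP", "MAC", "MS08-067", "Conficker", "regsvc DoS"]


def parse_script_output(text):
    """Turn the 'name: value' lines of a script's output text into a dict."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            results[m.group(1)] = m.group(2)
    return results


def parse_nmap_xml(xml_text):
    """Return one row dict per <host>, with empty strings for anything missing."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        ip = mac = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                # Only present when the scanner sits on the same VLAN as the target
                mac = addr.get("addr", "")
        checks = {}
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        if script is not None:
            checks = parse_script_output(script.get("output", ""))
        rows.append({
            "IP": ip,
            "MAC": mac,
            "MS08-067": checks.get("MS08-067", ""),
            "Conficker": checks.get("Conficker", ""),
            "regsvc DoS": checks.get("regsvc DoS", ""),
        })
    return rows


def rows_to_csv(rows):
    """Serialise the rows with the same header line the VBScript writes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def likely_infected(rows):
    """Hypothetical helper: IPs whose Conficker check mentions INFECTED."""
    return [r["IP"] for r in rows if "INFECTED" in r["Conficker"].upper()]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    sys.stdout.write(rows_to_csv(parse_nmap_xml(text)))
```

Run it with the XML file as its first argument; without an argument it converts the built-in sample. A host without a MAC address (scanned from another VLAN) gets an empty MAC column, and a host with no smb-check-vulns result (port 445 filtered, for example) gets empty check columns instead of desynchronising the parse, which is the failure mode a line-offset parser such as the VBScript is exposed to.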