How to Scan a Windows Network for Conficker Virus from Mac OS X

Mar 31, 2009 - 5 Comments

Mac users are largely immune to the world of viruses and trojans, but it’s not uncommon to be a Mac user in a LAN sea of Windows PCs. The Conficker virus is Windows-only, but it’s garnering a lot of attention, so if you’re on a Windows LAN at home, work, or school, you may want to check whether the Windows machines are vulnerable to or infected with Conficker. You can do this from your immune Mac OS X machine pretty easily with a cool command line utility called nmap. Here are the steps:

1) First you need to install the command line tool nmap. You can download the OS X install package from the official nmap site here. I recommend downloading the latest beta version to have the most up-to-date scanning scripts.

2) Use nmap to search your LAN for vulnerabilities to Conficker by using the following command:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254
Note: Be sure to substitute the IP range for your LAN, which may be something other than the range above, such as 10.1.1.10-100.

3) Examine the output of nmap. Results like the following tell you that you have a problem:
Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
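
When the scan covers a whole subnet, reading the results by eye gets tedious. The following Python script is an added example, not part of the original article or of nmap: it reads saved nmap output and lists which hosts reported a likely infection and which are missing the MS08-067 patch. The sample scan text is constructed, and the host header formats and any status strings other than those shown in step 3 are assumptions about nmap's normal output.

```python
import re
import sys

# Host header lines. Assumption: nmap prints either "Interesting ports on <ip>:"
# or "Nmap scan report for <ip>" depending on its version.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.*?):?\s*$")
# A result line of the smb-check-vulns block, e.g. "|_ regsvc DoS: VULNERABLE".
RESULT_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker|regsvc DoS):\s*(.+?)\s*$")

# Constructed sample output: three hosts, the last with SMB ports closed.
SAMPLE = """\
Interesting ports on 192.168.0.5:
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
Interesting ports on 192.168.0.9:
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
|_ regsvc DoS: VULNERABLE
Interesting ports on 192.168.0.12:
445/tcp closed microsoft-ds
"""

def parse_scan(text):
    """Return {host: {check: status}} for hosts that have smb-check-vulns results."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # results that follow belong to this host
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            hosts.setdefault(current, {})[m.group(1)] = m.group(2)
    return hosts

def triage(hosts):
    """Return (likely infected hosts, hosts still vulnerable to MS08-067)."""
    infected = sorted(h for h, r in hosts.items()
                      if r.get("Conficker", "").startswith("Likely INFECTED"))
    unpatched = sorted(h for h, r in hosts.items() if r.get("MS08-067") == "VULNERABLE")
    return infected, unpatched

if __name__ == "__main__":
    # Pipe saved nmap output in on stdin; with no pipe, the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    infected, unpatched = triage(parse_scan(text))
    print("Likely infected:", ", ".join(infected) or "none")
    print("Missing MS08-067 patch:", ", ".join(unpatched) or "none")
```

Hosts whose SMB ports are closed or filtered produce no script results and are left out of both lists, so absence from the lists does not mean a machine was checked and found clean.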

If you find a Windows PC that is likely infected, these two Microsoft knowledge-base articles can help you out: Protection from Conficker for Consumers and Conficker Protection for IT Professionals – we won’t cover the details here because this is a Mac site.

Nobody really knows if Conficker is dangerous or not, but we’ll all likely find out soon, as April 1st is some mystery execution date – it could be a joke or the Windows world could explode into calamity, we’ll see. You can read more about the nmap Conficker scan script we reference above here. It’s worth mentioning that you can install nmap with MacPorts, but the version included in MacPorts is nmap 4.60, which does not contain the script we want to use for this scan. That is why I recommend installing the latest beta version (as of now, nmap 4.85b5).


Posted by: Bill Ellis in Command Line, Mac OS X, Security, Tips & Tricks, Troubleshooting, Utilities

5 Comments


  1. James says:

    DO NOT RUN NMAP on your network if it’s professionally managed by IT staff. It’s a port scanner and in some work environments it can be cause for termination! In an enterprise network it will set off alarm bells in the NOC and they will hunt you down quick fast and in a hurry!

    That being said, if your network is unmanaged and you feel you wouldn’t be fired for port scanning computers on the LAN then go ahead.

  2. rb says:

    lol noob, people running this script ARE network admins.

  3. Jose says:

    I wrote a script that parses the nmap output and uses nbtscan to retrieve the netbios name. I wrote it for Linux, but it should be trivial for someone with scripting skills to adapt it to work with OS X.

    Download here
    http://jdltech.com/conficker/

  4. […] [1]: It’s may be in your network right now. You can help others by using this: How to Scan a Windows Network for Conficker Virus from Mac OS X Share and […]

  5. George says:

    Your script gives a lot of false positives. Actually it supposedly finds a client on every possible IP address (which is not the case).

    The following however works quite well with the latest beta (4.85Beta7):
    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d <target>

    where target is something like 192.168.1.2-254 ( 192.168.1.1 would be the gateway ).
