summaryrefslogtreecommitdiffstats
path: root/scripts/p2p-conficker.nse
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/p2p-conficker.nse651
1 files changed, 651 insertions, 0 deletions
diff --git a/scripts/p2p-conficker.nse b/scripts/p2p-conficker.nse
new file mode 100644
index 0000000..4e45783
--- /dev/null
+++ b/scripts/p2p-conficker.nse
@@ -0,0 +1,651 @@
+local ipOps = require "ipOps"
+local math = require "math"
+local nmap = require "nmap"
+local os = require "os"
+local smb = require "smb"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Checks if a host is infected with Conficker.C or higher, based on
+Conficker's peer to peer communication.
+
+When Conficker.C or higher infects a system, it opens four ports: two TCP
+and two UDP. The ports are random, but are seeded with the current week and
+the IP of the infected host. By determining the algorithm, one can check if
+these four ports are open, and can probe them for more data.
+
+Once the open ports are found, communication can be initiated using
+Conficker's custom peer to peer protocol. If a valid response is received,
+then a valid Conficker infection has been found.
+
+This check won't work properly on a multihomed or NATed system because the
+open ports will be based on a nonpublic IP. The argument
+<code>checkall</code> tells Nmap to attempt communication with every open
+port (much like a version check) and the argument <code>realip</code> tells
+Nmap to base its port generation on the given IP address instead of the
+actual IP.
+
+By default, this will run against a system that has a standard Windows port
+open (445, 139, 137). The arguments <code>checkall</code> and
+<code>checkconficker</code> will both perform checks regardless of which
+port is open, see the args section for more information.
+
+Note: Ensure your clock is correct (within a week) before using this script!
+
+The majority of research for this script was done by Symantec Security
+Response, and some was taken from public sources (most notably the port
+blacklisting was found by David Fifield). A big thanks goes out to everybody
+who contributed!
+]]
+
+---
+-- @args checkall If set to <code>1</code> or <code>true</code>, attempt
+-- to communicate with every open port.
+-- @args checkconficker If set to <code>1</code> or <code>true</code>, the script will always run on active hosts,
+-- it doesn't matter if any open ports were detected.
+-- @args realip An IP address to use in place of the one known by Nmap.
+--
+-- @usage
+-- # Run the scripts against host(s) that appear to be Windows
+-- nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 <host>
+-- sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -vv -T4 -p U:137,T:139 <host>
+--
+-- # Run the scripts against all active hosts (recommended)
+-- nmap -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 <host>
+--
+-- # Run scripts against all 65535 ports (slow)
+-- nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args=checkall=1,safe=1 -vv -T4 <host>
+--
+-- # Base checks on a different ip address (NATed)
+-- nmap --script p2p-conficker,smb-os-discovery -p445 --script-args=realip=\"192.168.1.65\" -vv -T4 <host>
+--
+-- @output
+-- Clean machine (results printed only if extra verbosity ("-vv")is specified):
+-- Host script results:
+-- | p2p-conficker: Checking for Conficker.C or higher...
+-- | Check 1 (port 44329/tcp): CLEAN (Couldn't connect)
+-- | Check 2 (port 33824/tcp): CLEAN (Couldn't connect)
+-- | Check 3 (port 31380/udp): CLEAN (Failed to receive data)
+-- | Check 4 (port 52600/udp): CLEAN (Failed to receive data)
+-- |_ 0/4 checks: Host is CLEAN or ports are blocked
+--
+-- Infected machine (results always printed):
+-- Host script results:
+-- | p2p-conficker: Checking for Conficker.C or higher...
+-- | Check 1 (port 18707/tcp): INFECTED (Received valid data)
+-- | Check 2 (port 65273/tcp): INFECTED (Received valid data)
+-- | Check 3 (port 11722/udp): INFECTED (Received valid data)
+-- | Check 4 (port 12690/udp): INFECTED (Received valid data)
+-- |_ 4/4 checks: Host is likely INFECTED
+--
+-----------------------------------------------------------------------
+
+author = "Ron Bowes (with research from Symantec Security Response)"
+copyright = "Ron Bowes"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"default","safe"}
+
+
+-- Max packet size
+local MAX_PACKET = 0x2000
+
+-- Flags
+local mode_flags =
+{
+ FLAG_MODE = 1 << 0,
+ FLAG_LOCAL_ACK = 1 << 1,
+ FLAG_IS_TCP = 1 << 2,
+ FLAG_IP_INCLUDED = 1 << 3,
+ FLAG_UNKNOWN0_INCLUDED = 1 << 4,
+ FLAG_UNKNOWN1_INCLUDED = 1 << 5,
+ FLAG_DATA_INCLUDED = 1 << 6,
+ FLAG_SYSINFO_INCLUDED = 1 << 7,
+ FLAG_ENCODED = 1 << 15,
+}
+
+---For a hostrule, simply use the 'smb' ports as an indicator, unless the user overrides it
+hostrule = function(host)
+ if ( nmap.address_family() ~= 'inet' ) then
+ return false
+ end
+ if(smb.get_port(host) ~= nil) then
+ return true
+ elseif(nmap.registry.args.checkall == "true" or nmap.registry.args.checkall == "1") then
+ return true
+ elseif(nmap.registry.args.checkconficker == "true" or nmap.registry.args.checkconficker == "1") then
+ return true
+ end
+
+ return false
+end
+
+-- Multiply two 32-bit integers and return a 64-bit product. The first return
+-- value is the low-order 32 bits of the product and the second return value is
+-- the high-order 32 bits.
+--
+--@param u First number (0 <= u <= 0xFFFFFFFF)
+--@param v Second number (0 <= v <= 0xFFFFFFFF)
+--@return 64-bit product of u*v, as a pair of 32-bit integers.
+local function mul64(u, v)
+ -- This is based on formula (2) from section 4.3.3 of The Art of
+ -- Computer Programming. We split u and v into upper and lower 16-bit
+ -- chunks, such that
+ -- u = 2**16 u1 + u0 and v = 2**16 v1 + v0
+ -- Then
+ -- u v = (2**16 u1 + u0) * (2**16 v1 + v0)
+ -- = 2**32 u1 v1 + 2**16 (u0 v1 + u1 v0) + u0 v0
+ assert(0 <= u and u <= 0xFFFFFFFF)
+ assert(0 <= v and v <= 0xFFFFFFFF)
+ local u0, u1 = (u & 0xFFFF), (u >> 16)
+ local v0, v1 = (v & 0xFFFF), (v >> 16)
+ -- t uses at most 49 bits, which is within the range of exact integer
+ -- precision of a Lua number.
+ local t = u0 * v0 + (u0 * v1 + u1 * v0) * 65536
+ return (t & 0xFFFFFFFF), u1 * v1 + (t >> 32)
+end
+
+---Rotates the 64-bit integer defined by h:l left by one bit.
+--
+--@param h The high-order 32 bits
+--@param l The low-order 32 bits
+--@return 64-bit rotated integer, as a pair of 32-bit integers.
+local function rot64(h, l)
+ local i
+
+ assert(0 <= h and h <= 0xFFFFFFFF)
+ assert(0 <= l and l <= 0xFFFFFFFF)
+
+ local tmp = h & 0x80000000
+ h = h << 1
+ h = h | (l >> 31)
+ l = l << 1
+ if tmp ~= 0 then
+ l = l | 1
+ end
+
+ h = h & 0xFFFFFFFF
+ l = l & 0xFFFFFFFF
+
+ return h, l
+end
+
+
+---Check if a port is Blacklisted. Thanks to David Fifield for determining the purpose of the "magic"
+-- array:
+-- <http://www.bamsoftware.com/wiki/Nmap/PortSetGraphics#conficker>
+--
+-- Basically, each bit in the blacklist array represents a group of 32 ports. If that bit is on, those ports
+-- are blacklisted and will never come up.
+--
+--@param port The port to check
+--@return true if the port is blacklisted, false otherwise
+local function is_blacklisted_port(port)
+ local r, l
+
+ local blacklist = { 0xFFFFFFFF, 0xFFFFFFFF, 0xF0F6BFBB, 0xBB5A5FF3,
+ 0xF3977011, 0xEB67BFBF, 0x5F9BFAC8, 0x34D88091, 0x1E2282DF, 0x573402C4,
+ 0xC0000084, 0x03000209, 0x01600002, 0x00005000, 0x801000C0, 0x00500040,
+ 0x000000A1, 0x01000000, 0x01000000, 0x00022A20, 0x00000080, 0x04000000,
+ 0x40020000, 0x88000000, 0x00000180, 0x00081000, 0x08801900, 0x00800B81,
+ 0x00000280, 0x080002C0, 0x00A80000, 0x00008000, 0x00100040, 0x00100000,
+ 0x00000000, 0x00000000, 0x10000008, 0x00000000, 0x00000000, 0x00000004,
+ 0x00000002, 0x00000000, 0x00040000, 0x00000000, 0x00000000, 0x00000000,
+ 0x00410000, 0x82000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
+ 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x80000000,
+ }
+
+ r = port >> 5
+ l = 1 << (r & 0x1f)
+ r = r >> 5
+
+ return blacklist[r + 1] & l ~= 0
+end
+
+---Generates the four random ports that Conficker uses, based on the current time and the IP address.
+--
+--@param ip The IP address as a 32-bit little endian integer
+--@param seed The seed, based on the time (<code>floor((time - 345600) / 604800)</code>)
+--@return An array of four ports; the first and third are TCP, and the second and fourth are UDP.
+local function prng_generate_ports(ip, seed)
+ local ports = {0, 0, 0, 0}
+ local v1, v2
+ local port1, port2, shift1, shift2
+ local i
+ local magic = 0x015A4E35
+
+ stdnse.debug1("Conficker: Generating ports based on ip (0x%08x) and seed (%d)", ip, seed)
+
+ v1 = -(ip + 1)
+ repeat
+ -- Loop 10 times to generate the first pair of ports
+ for i = 0, 9, 1 do
+ v1, v2 = mul64(v1 & 0xFFFFFFFF, magic & 0xFFFFFFFF)
+
+ -- Add 1 to v1, handling overflows
+ if(v1 ~= 0xFFFFFFFF) then
+ v1 = v1 + 1
+ else
+ v1 = 0
+ v2 = v2 + 1
+ end
+
+ v2 = v2 >> i
+
+ ports[(i % 2) + 1] = (v2 & 0xFFFF) ~ ports[(i % 2) + 1]
+ end
+ until(is_blacklisted_port(ports[1]) == false and is_blacklisted_port(ports[2]) == false and ports[1] ~= ports[2])
+
+ -- Update the accumulator with the seed
+ v1 = v1 ~ seed
+
+ -- Loop 10 more times to generate the second pair of ports
+ repeat
+ for i = 0, 9, 1 do
+ v1, v2 = mul64(v1 & 0xFFFFFFFF, magic & 0xFFFFFFFF)
+
+ -- Add 1 to v1, handling overflows
+ if(v1 ~= 0xFFFFFFFF) then
+ v1 = v1 + 1
+ else
+ v1 = 0
+ v2 = v2 + 1
+ end
+
+ v2 = v2 >> i
+
+ ports[(i % 2) + 3] = (v2 & 0xFFFF) ~ ports[(i % 2) + 3]
+ end
+ until(is_blacklisted_port(ports[3]) == false and is_blacklisted_port(ports[4]) == false and ports[3] ~= ports[4])
+
+ return {ports[1], ports[2], ports[3], ports[4]}
+end
+
+---Calculate a checksum for the data. This checksum is appended to every Conficker packet before the random noise.
+-- The checksum includes the key and data, but not the noise and optional length.
+--
+--@param data The data to create a checksum for.
+--@return An integer representing the checksum.
+local function p2p_checksum(data)
+ local hash = #data
+
+ stdnse.debug2("Conficker: Calculating checksum for %d-byte buffer", #data)
+
+ data:gsub(".", function(i)
+ local h = hash ~ string.byte(i)
+ -- Incorporate the current character into the checksum
+ hash = (h + h) | (h >> 31)
+ hash = hash & 0xFFFFFFFF
+ end
+ )
+
+ return hash
+end
+
+---Encrypt/decrypt the buffer with a simple xor-based symmetric encryption. It uses a 64-bit key, represented
+-- by key1:key2, that is transmitted in plain text. Since sniffed packets can be decrypted, this is a
+-- simple obfuscation technique.
+--
+--@param packet The packet to encrypt (before the key and optional length are prepended).
+--@param key1 The low-order 32 bits in the key.
+--@param key2 The high-order 32 bits in the key.
+--@return The encrypted (or decrypted) data.
+local function p2p_cipher(packet, key1, key2)
+ local i
+ local buf = {}
+
+ for i = 1, #packet, 1 do
+ -- Do a 64-bit rotate on key1:key2
+ key2, key1 = rot64(key2, key1)
+
+ -- Generate the key (the right-most byte)
+ local k = key1 & 0x0FF
+
+ -- Xor the current character and add it to the encrypted buffer
+ buf[i] = string.char(string.byte(packet, i) ~ k)
+
+ -- Update the key with 'k'
+ key1 = key1 + k
+ if(key1 > 0xFFFFFFFF) then
+ -- Handle overflows
+ key2 = key2 + (key1 >> 32)
+ key2 = key2 & 0xFFFFFFFF
+ key1 = key1 & 0xFFFFFFFF
+ end
+ end
+
+ return table.concat(buf)
+end
+
+---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be
+-- parsed properly (likely means the port is being used for something else), but will return successfully
+-- without checking the packet's checksum (although it does calculate the checksum). It's up to the calling
+-- function to decide if it cares about the checksum.
+--
+--@param packet The packet, without the optional length (if it's TCP).
+--@return (status, result) If status is true, result is a table (including 'hash' and 'real_hash'). If status
+-- is false, result is a string that indicates why the parse failed.
+function p2p_parse(packet)
+ local pos = 1
+ local data = {}
+
+ -- Get the key
+ if #packet < 8 then
+ return false, "Packet was too short [1]"
+ end
+ data['key1'], data['key2'], pos = string.unpack("<I4 I4", packet, pos)
+
+ -- Decrypt the second half of the packet using the key
+ packet = string.sub(packet, 1, pos - 1) .. p2p_cipher(string.sub(packet, pos), data['key1'], data['key2'])
+
+ -- Parse the flags
+ if #packet - pos + 1 < 2 then
+ return false, "Packet was too short [2]"
+ end
+ data['flags'], pos = string.unpack("<I2", packet, pos)
+
+ -- Get the IP, if it's present
+ if(data['flags'] & mode_flags.FLAG_IP_INCLUDED) ~= 0 then
+ if #packet - pos + 1 < 6 then
+ return false, "Packet was too short [3]"
+ end
+ data['ip'], data['port'], pos = string.unpack("<I4 I2", packet, pos)
+ end
+
+ -- Read the first unknown value, if present
+ if(data['flags'] & mode_flags.FLAG_UNKNOWN0_INCLUDED) ~= 0 then
+ if #packet - pos + 1 < 4 then
+ return false, "Packet was too short [3]"
+ end
+ data['unknown0'], pos = string.unpack("<I4", packet, pos)
+ end
+
+ -- Read the second unknown value, if present
+ if(data['flags'] & mode_flags.FLAG_UNKNOWN1_INCLUDED) ~= 0 then
+ if #packet - pos + 1 < 4 then
+ return false, "Packet was too short [4]"
+ end
+ data['unknown1'], pos = string.unpack("<I4", packet, pos)
+ end
+
+ -- Read the data, if present
+ if(data['flags'] & mode_flags.FLAG_DATA_INCLUDED) ~= 0 then
+ if #packet - pos + 1 < 3 then
+ return false, "Packet was too short [5]"
+ end
+ data['data_flags'], data['data_length'], pos = string.unpack("<B I2", packet, pos)
+ if #packet - pos + 1 < data.data_length then
+ return false, "Packet was too short [6]"
+ end
+ data['data'], pos = string.unpack(("c%d"):format(data['data_length']), packet, pos)
+ end
+
+ -- Read the sysinfo, if present
+ if(data['flags'] & mode_flags.FLAG_SYSINFO_INCLUDED) ~= 0 then
+ local sysinfo_format = "<I2 BBI2 BB I2 I4 I2I2I4I2I2"
+ if #packet - pos + 1 < string.packsize(sysinfo_format) then
+ return false, "Packet was too short [7]"
+ end
+
+ data['sysinfo_systemtestflags'],
+ data['sysinfo_os_major'],
+ data['sysinfo_os_minor'],
+ data['sysinfo_os_build'],
+ data['sysinfo_os_servicepack_major'],
+ data['sysinfo_os_servicepack_minor'],
+ data['sysinfo_ntdll_translation_file_information'],
+ data['sysinfo_prng_sample'],
+ data['sysinfo_unknown0'],
+ data['sysinfo_unknown1'],
+ data['sysinfo_unknown2'],
+ data['sysinfo_unknown3'],
+ data['sysinfo_unknown4'], pos = string.unpack(sysinfo_format, packet, pos)
+ end
+
+ -- Pull out the data that's used in the hash
+ data['hash_data'] = string.sub(packet, 1, pos - 1)
+
+ -- Read the hash
+ if #packet - pos + 1 < 4 then
+ return false, "Packet was too short [8]"
+ end
+ data['hash'], pos = string.unpack("<I4", packet, pos)
+
+ -- Record the noise
+ data['noise'] = string.sub(packet, pos)
+
+ -- Generate the actual hash (we're going to ignore it for now, but it can be checked higher up)
+ data['real_hash'] = p2p_checksum(data['hash_data'])
+
+ return true, data
+end
+
+---Create a peer to peer packet for the given protocol.
+--
+--@param protocol The protocol (either 'tcp' or 'udp' -- tcp packets have a length in front, and an extra
+-- flag)
+--@param do_encryption (optional) If set to false, packets aren't encrypted (the key '0' is used). Useful
+-- for testing. Default: true.
+local function p2p_create_packet(protocol, do_encryption)
+ assert(protocol == "tcp" or protocol == "udp")
+
+ local key1 = math.random(1, 0x7FFFFFFF)
+ local key2 = math.random(1, 0x7FFFFFFF)
+
+ -- A key of 0 disables the encryption
+ if(do_encryption == false) then
+ key1 = 0
+ key2 = 0
+ end
+
+ local flags = 0
+
+ -- Set a couple flags that we need (we don't send any optional data)
+ flags = flags | mode_flags.FLAG_MODE
+ flags = flags | mode_flags.FLAG_ENCODED
+ -- flags = flags | mode_flags.FLAG_LOCAL_ACK)
+ -- Set the special TCP flag
+ if(protocol == "tcp") then
+ flags = flags | mode_flags.FLAG_IS_TCP
+ end
+
+ -- Add the key and flags that are always present (and skip over the boring stuff)
+ local packet = string.pack("<I4 I4 I2", key1, key2, flags)
+
+ -- Generate the checksum for the packet
+ local hash = p2p_checksum(packet)
+ packet = packet .. string.pack("<I4", hash)
+
+ -- Encrypt the full packet, except for the key and optional length
+ packet = string.sub(packet, 1, 8) .. p2p_cipher(string.sub(packet, 9), key1, key2)
+
+ -- Add the length in front if it's TCP
+ if(protocol == "tcp") then
+ packet = string.pack("<s2", packet)
+ end
+
+ return true, packet
+end
+
+---Checks if conficker is present on the given port/protocol. The ports Conficker uses are fairly standard, so
+-- those should generally be used for this check. This can also be sent to any open port on the system.
+--
+--@param ip The ip address of the system to check
+--@param port The port to check (can be taken from <code>prng_generate_ports</code>, or from unidentified ports)
+--@return (status, reason, data) Status indicates whether or not Conficker is suspected to be present (<code>true</code) =
+-- Conficker, <code>false</code> = no Conficker). If status is true, data is the table of information returned by
+-- Conficker.
+local function conficker_check(ip, port, protocol)
+ local status, packet
+ local socket
+ local response
+
+ status, packet = p2p_create_packet(protocol)
+ if(status == false) then
+ return false, packet
+ end
+
+ -- Try to connect to the first socket
+ socket = nmap.new_socket()
+ socket:set_timeout(5000)
+ status, response = socket:connect(ip, port, protocol)
+ if(status == false) then
+ return false, "Couldn't establish connection (" .. response .. ")"
+ end
+
+ -- Send the packet
+ socket:send(packet)
+
+ -- Read a response (2 bytes minimum, because that's the TCP length)
+ status, response = socket:receive_bytes(2)
+ if(status == false) then
+ return false, "Couldn't receive bytes: " .. response
+ elseif(response == "ERROR") then
+ return false, "Failed to receive data"
+ elseif(response == "TIMEOUT") then
+ return false, "Timeout"
+ elseif(response == "EOF") then
+ return false, "Couldn't connect"
+ elseif #response < 2 then
+ return false, "Data too short"
+ end
+
+ -- If it's TCP, get the length and make sure we have the full packet
+ if(protocol == "tcp") then
+ local length = string.unpack("<I2", response)
+
+ -- Only try for 2 timeouts to get the whole packet
+ local tries = 2
+ while length > (#response - 2) and tries > 0 do
+ tries = tries - 1
+
+ local status, response2 = socket:receive_bytes(length - (#response - 2))
+ if(status == false) then
+ return false, "Couldn't receive bytes: " .. response2
+ elseif(response2 == "ERROR") then
+ return false, "Failed to receive data"
+ elseif(response2 == "TIMEOUT") then
+ return false, "Timeout"
+ elseif(response2 == "EOF") then
+ return false, "Couldn't connect"
+ end
+
+ response = response .. response2
+ end
+
+ -- Remove the 'length' bytes
+ response = string.sub(response, 3)
+ end
+
+ -- Close the socket
+ socket:close()
+
+ local status, result = p2p_parse(response)
+
+ if(status == false) then
+ return false, "Data received, but wasn't Conficker data: " .. result
+ end
+
+ if(result['hash'] ~= result['real_hash']) then
+ return false, "Data received, but checksum was invalid (possibly INFECTED)"
+ end
+
+ return true, "Received valid data", result
+end
+
+action = function(host)
+ local tcp_ports = {}
+ local udp_ports = {}
+ local response = {}
+ local i
+ local port, protocol
+ local count = 0
+ local checks = 0
+
+ -- Generate a complete list of valid ports
+ if(nmap.registry.args.checkall == "true" or nmap.registry.args.checkall == "1") then
+ for i = 1, 65535, 1 do
+ if(not(is_blacklisted_port(i))) then
+ local tcp = nmap.get_port_state(host, {number=i, protocol="tcp"})
+ if(tcp ~= nil and tcp.state == "open") then
+ tcp_ports[i] = true
+ end
+
+ local udp = nmap.get_port_state(host, {number=i, protocol="udp"})
+ if(udp ~= nil and (udp.state == "open" or udp.state == "open|filtered")) then
+ udp_ports[i] = true
+ end
+ end
+ end
+ end
+
+
+ -- Generate ports based on the ip and time
+ local seed = math.floor((os.time() - 345600) / 604800)
+ local ip = host.ip
+
+ -- Use the provided IP, if it exists
+ if(nmap.registry.args.realip ~= nil) then
+ ip = nmap.registry.args.realip
+ end
+
+ -- Reverse the IP's endianness
+ ip = ipOps.todword(ip)
+ ip = string.pack(">I4", ip)
+ ip = string.unpack("<I4", ip)
+
+ -- Generate the ports
+ local generated_ports = prng_generate_ports(ip, seed)
+ tcp_ports[generated_ports[1]] = true
+ tcp_ports[generated_ports[3]] = true
+ udp_ports[generated_ports[2]] = true
+ udp_ports[generated_ports[4]] = true
+
+ table.insert(response, "Checking for Conficker.C or higher...")
+
+ -- Check the TCP ports
+ for port in pairs(tcp_ports) do
+ local status, reason
+
+ status, reason = conficker_check(host.ip, port, "tcp")
+ checks = checks + 1
+
+ if(status == true) then
+ table.insert(response, string.format("Check %d (port %d/%s): INFECTED (%s)", checks, port, "tcp", reason))
+ count = count + 1
+ else
+ table.insert(response, string.format("Check %d (port %d/%s): CLEAN (%s)", checks, port, "tcp", reason))
+ end
+ end
+
+ -- Check the UDP ports
+ for port in pairs(udp_ports) do
+ local status, reason
+
+ status, reason = conficker_check(host.ip, port, "udp")
+ checks = checks + 1
+
+ if(status == true) then
+ table.insert(response, string.format("Check %d (port %d/%s): INFECTED (%s)", checks, port, "udp", reason))
+ count = count + 1
+ else
+ table.insert(response, string.format("Check %d (port %d/%s): CLEAN (%s)", checks, port, "udp", reason))
+ end
+ end
+
+ -- Check how many INFECTED hits we got
+ if(count == 0) then
+ if (nmap.verbosity() > 1) then
+ table.insert(response, string.format("%d/%d checks are positive: Host is CLEAN or ports are blocked", count, checks))
+ else
+ response = ''
+ end
+ else
+ table.insert(response, string.format("%d/%d checks are positive: Host is likely INFECTED", count, checks))
+ end
+
+ return stdnse.format_output(true, response)
+end
+