Quick-and-dirty to find vulnerable systems

Anderson Johnston andy at umbc.edu
Sun Jul 29 22:54:29 GMT 2001

If you're on a big network, chances are you barely know who is in charge
of the systems on any given subnet, let alone what systems are actually
there.  Below, I've outlined my first cut at finding potential Code Red
fodder through the network.

If anyone has another method, please share.

1.) Run nmap to check your network for port 80 and Windows systems.

nmap -sS -O -p 80 -n -oM nmap.out <your network)


2.) When that's finished:

grep "80/open" nmap.out | grep Wind | cut -d" " -f2 | iis_scan >vuln.out

Where iis_scan is that nice perl script whose author I can't find in the
postings (who are you?).  It is included below.

(If you have a scanner you like better, substitute it here and modify the
next step as appropriate.  Oh, yeah, and post it's name and location.)


3.)And now:

grep UNPATCHED vuln.out | cut -d" " -f 1,2,3,4,5

gets you a list of IP's with unpatched and possibly unpatched IIS.


Send it to every admin on your network that you can think if and ask them
to do the same.

That Nice Perl Script

use IO::Socket;
use IO::Select;


while(<>) {     # Take a list of hosts to scan on stdin.
  push(@hosts, $_);

sub sendtest($) {
  my $host=shift;
  print "$host: contacting...\n";

  eval {
    local $SIG{ALRM}=sub { die("$host: TIMEOUT on connect\n")};
    if($fd=IO::Socket::INET->new(PeerAddr => "$host",
                                 PeerPort => 80,
                                 Proto=>"TCP")) {
      $fd->send("GET /NULL.ida?".("x"x200)."=X HTTP/1.1\nHost: OCCS-test\n\n");
      } else {
        die("$host: Failed to connect: $!\n");
  unless($@) {
    } else {
      print "$@\n";
sub recvtest($) {
   my $fd=shift;
   print "$hosts{$fd}: receiving...\n";
   $msg=~s/\s/ /g;
   if($msg=~/Microsoft-IIS\/(\d+\.\d+)/) {
     if($msg=~/0x80040e14/) {
       print "$hosts{$fd}: patched IIS $ver: $msg\n";
     elsif($msg=~/The IDQ file NULL.ida could not be found./) {
       print "$hosts{$fd}: UNPATCHED IIS $ver: $msg\n";
     elsif($msg=~/404 Object Not Found/ && ($ver ne "5.0")) {
       print "$hosts{$fd}: Possibly UNPATCHED IIS $ver: $msg\n";
     else {
       print "$hosts{$fd}: UNKNOWN IIS $ver: $msg\n";
     } else {
       print "$hosts{$fd}: Unknown Response: $msg\n";
   delete $hosts{$fd};
   delete $timeouts{$fd};


while(@hosts) {
  while(($s->handles)<$parallel && @hosts) {

  foreach $fd ($s->handles) {
    $next=$timeouts{$fd} if($timeouts{$fd}<$next);

  if(@ready) {
    foreach $fd (@ready) {

  foreach $fd ($s->handles) {
    if(time>$timeouts{$fd}) {
      print "$hosts{$fd}: TIMEOUT on read\n";
      delete $hosts{$fd};
      delete $timeouts{$fd};

** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **

More information about the unisog mailing list