Nmap Development mailing list archives
[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
From: Robert Strom <robert.strom () gmail com>
Date: Wed, 24 May 2017 08:43:10 -0700
Hello,
I have downloaded the new NSE script and the smb.lua file and tested against a server 2012 and Server 2016 and it seems to be working with authentication. My question pertains to how the authentication is transmitted. If one supplies the necessary credentials are they sent across the wire in plain text? Thanks, Robert
Message: 3
Date: Tue, 23 May 2017 00:03:42 -0500
From: Paulino Calderon <paulino () calderonpale com>
To: Nmap-dev <dev () nmap org>
Subject: Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)
Message-ID: <1F4C0731-684E-4E68-B102-BA96D10104CD () calderonpale com>
Content-Type: text/plain; charset="utf-8"

Hey everyone,

Thanks a lot for your feedback and help debugging the problem. (Especially to Tinkerfairy!) The attached patch seems to make the script work in Windows 8.1 and Windows 10 too. Please report any problems you see in your environments.

I've also added an error check to determine conclusively if a system is patched. I've observed that patched systems return the error STATUS_ACCESS_DENIED so I've incorporated that into the script.

Files:
smb.lua: https://github.com/cldrn/nmap-nse-scripts/blob/master/nselib/smb.lua
smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

I posted a few notes (mostly common questions) about this script here:
https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com

On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com> wrote:

Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable.

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms2017-010). The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against CVE2017-010. Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
]]

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
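As an added illustration of the check the quoted script description relies on, not code from Paulino's script or from the Nmap project: a small Python parser that pulls the NT status out of an SMB1 Trans reply and maps it to the verdict the message describes (STATUS_INSUFF_SERVER_RESOURCES means unpatched, STATUS_ACCESS_DENIED means patched, anything else is left inconclusive). The numeric status codes, the 0x25 Trans command code and the sample packet are assumptions taken from the public SMB/NT status specifications, not values from the post.

```python
import struct

# NT status values the script keys its verdict on. These constants, the
# 0x25 Trans command code and the sample packet below are assumptions taken
# from the public SMB/NT status specifications, not from the mailing list post.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # reported by unpatched hosts
STATUS_ACCESS_DENIED = 0xC0000022            # reported by patched hosts
SMB_COM_TRANSACTION = 0x25
SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32


def parse_smb1_status(packet: bytes) -> int:
    """Return the 32-bit NT status from an SMB1 reply carried over a NetBIOS
    session: 4-byte session header (type 0x00 + 3-byte big-endian length),
    then the 32-byte SMB1 header whose status field sits at offset 5."""
    if len(packet) < 4 + SMB1_HEADER_LEN:
        raise ValueError("too short for NetBIOS + SMB1 header")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    if nb_type != 0x00 or nb_len != len(packet) - 4:
        raise ValueError("NetBIOS session header length mismatch")
    hdr = packet[4:4 + SMB1_HEADER_LEN]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    # Header layout: Protocol(4) Command(1) Status(4, LE) Flags(1) Flags2(2) ...
    return struct.unpack_from("<I", hdr, 5)[0]


def ms17_010_verdict(status: int) -> str:
    """Map the Trans-on-FID-0 reply status to the verdict the post describes.
    Any other code is reported as inconclusive rather than guessed, so an
    SMB2/signing quirk does not silently become a false 'not vulnerable'."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status == STATUS_ACCESS_DENIED:
        return "PATCHED"
    return "INCONCLUSIVE"


def build_trans_reply(status: int) -> bytes:
    """Constructed test fixture: a minimal SMB1 Trans reply with the given
    status and no parameter or data bytes. Not a capture from any real host."""
    hdr = SMB1_MAGIC + bytes([SMB_COM_TRANSACTION]) + struct.pack("<I", status)
    hdr += bytes([0x98]) + struct.pack("<H", 0xC807)  # Flags (reply bit), Flags2
    hdr += b"\x00" * (SMB1_HEADER_LEN - len(hdr))     # PIDHigh .. MID zeroed
    payload = hdr + b"\x00\x00\x00"                   # WordCount=0, ByteCount=0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload
```

Feeding a real capture to parse_smb1_status() instead of build_trans_reply() gives the same verdict path the script takes, which makes it easy to compare a pcap against what the scanner reported.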