Nmap Development mailing list archives
[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)
From: Robert Strom <robert.strom () gmail com>
Date: Wed, 24 May 2017 11:13:17 -0700
Hello,

While my testing using VMs worked with the new smb.lua and the updated smb-vuln-ms17-010.nse files, it is not behaving the same in the Domain environment. I am still getting the "Could not connect to 'IPC$'" message when connecting to Server 2012 systems. I have tried the following command lines:

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse --script-args=smbusername=<adminuser>,smbpassword=<password> <target>
nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse --script-args=smbusername=<adminuser>,smbpassword=<password>,smbbasic=1,smbsign=force <target>
nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse --script-args=smbusername=<adminuser>,smbpassword=<password>,smbbasic=1 <target>

I also tried both the short domain name (NETBIOS) and the FQDN domain name, all with the same results. Text file with scan results attached.

Any comments / suggestions / help will be greatly appreciated.

Thanks,
Robert

On Mon, May 22, 2017 at 10:03 PM, <dev-request () nmap org> wrote:
Today's Topics:

1. Wai Tuck's GSOC status report #2 of 17 (Wong Wai Tuck)
2. Vinamra Bhatia - GSoC Status Report #2 of 17 (Vinamra Bhatia)
3. Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010) (Paulino Calderon)

----------------------------------------------------------------------

Message: 1
Date: Mon, 22 May 2017 19:20:13 +0000
From: Wong Wai Tuck <wongwaituck () gmail com>
To: "dev () nmap org" <dev () nmap org>
Subject: Wai Tuck's GSOC status report #2 of 17

Hey all,

Finally back home in Singapore!

Accomplishments:
* Signed copyright assignment
* Read Programming in Lua book as recommended by my mentor, got a much better understanding of the language and its history
* Read NSE chapter of the Nmap book, watched Fyodor's Black Hat 2010 presentation on NSE - I have a clearer idea on how NSE fits into the whole Nmap ecosystem!
* Skimmed through the MS17-010 script (I realize there's a number of people working on this already so I didn't focus on this)

Priorities:
* Finish reading other resources - SVN, the NSE book, current NSE scripts
* Make small improvements to current scripts as I read them, get used to the development cycle
* Propose exploit scripts to be developed on the dev mailing list and elicit feedback
* Discuss design plan and final timeline with mentor

Thank you all and have a great week ahead.

With Regards
Wong Wai Tuck

------------------------------

Message: 2
Date: Tue, 23 May 2017 05:29:52 +0530
From: Vinamra Bhatia <vinamrabhatia8 () gmail com>
To: dev () nmap org
Subject: Vinamra Bhatia - GSoC Status Report #2 of 17

Hi all,

This is my second status report for GSoC 2017.

Accomplishments:
* Completed the copyright assignment.
* Read the book "Mastering the NMAP Scripting Engine".
* Solved a minor bug
* Had a meeting with the mentor and discussed further on the project.

Priorities:
* Read up about SMB (I just have a basic idea right now).
* Solve open issues in HTTP and SMB.
* Check optimization in existing vulnerabilities.
* Read about SVN and fork the SVN repository.

That's all for now. Thank you all.

Cheers,
Vinamra

------------------------------

Message: 3
Date: Tue, 23 May 2017 00:03:42 -0500
From: Paulino Calderon <paulino () calderonpale com>
To: Nmap-dev <dev () nmap org>
Subject: Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)

Hey everyone,

Thanks a lot for your feedback and help debugging the problem. (Especially to Tinkerfairy!)

The attached patch seems to make the script work in Windows 8.1 and Windows 10 too. Please report any problems you see in your environments.

I've also added an error check to determine conclusively if a system is patched. I've observed that patched systems return the error STATUS_ACCESS_DENIED so I've incorporated that into the script.

Files:
smb.lua: https://github.com/cldrn/nmap-nse-scripts/blob/master/nselib/smb.lua
smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

I posted a few notes (mostly common questions) about this script here: https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010

Attachments: smb.lua (application/octet-stream, 177647 bytes); smb-vuln-ms17-010.nse (application/octet-stream, 6439 bytes)

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com

On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com> wrote:

Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable.

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms2017-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
]]

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com

------------------------------

End of dev Digest, Vol 146, Issue 20
Attachment: MS17-010_nmap_test.txt
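To make the decision rule discussed in this thread concrete, here is an added example (Python, not the NSE script's own Lua and not from any poster): it parses the NTSTATUS out of constructed SMBv1 response bytes and applies the verdicts described above, treating a failed IPC$ tree connect as inconclusive rather than as "patched". The NTSTATUS and command values are from MS-ERREF/MS-CIFS; the packet builder and sample responses are constructed for illustration.

```python
import struct

# NTSTATUS values (MS-ERREF) that the check described in the thread keys on
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched SMBv1 server, FID 0 transaction
STATUS_ACCESS_DENIED = 0xC0000022            # observed on patched systems (Paulino's follow-up)
SMB_COM_TRANSACTION = 0x25                   # command of the response being inspected
SMB1_MAGIC = b"\xffSMB"                      # SMBv1 header signature
SMB1_HEADER_LEN = 32


def parse_smb1_status(raw: bytes) -> tuple:
    """Return (command, nt_status) from an SMBv1 message that still carries its
    4-byte NetBIOS session header. Malformed input raises instead of yielding
    a verdict, so a scanner never reads garbage as 'patched'."""
    if len(raw) < 4:
        raise ValueError("truncated NetBIOS session header")
    nb_len = int.from_bytes(raw[1:4], "big")  # 1 byte type + 3 byte length
    body = raw[4:4 + nb_len]
    if len(body) < SMB1_HEADER_LEN or body[:4] != SMB1_MAGIC:
        raise ValueError("not a complete SMBv1 header")
    command = body[4]
    nt_status = struct.unpack_from("<I", body, 5)[0]  # little-endian, offset 5
    return command, nt_status


def classify(command: int, nt_status: int, tree_connect_ok: bool = True) -> str:
    """Apply the thread's rule. A failed IPC$ tree connect (the symptom in the
    message above) means the probe never ran, so it is reported inconclusive."""
    if not tree_connect_ok:
        return "inconclusive: could not connect to IPC$"
    if command != SMB_COM_TRANSACTION:
        return "inconclusive: unexpected command 0x%02x" % command
    if nt_status == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if nt_status == STATUS_ACCESS_DENIED:
        return "patched"
    return "inconclusive: status 0x%08x" % nt_status


def build_sample_response(command: int, nt_status: int) -> bytes:
    """Constructed sample: a minimal SMBv1 header (no parameter/data blocks)
    with the given command and status, wrapped in a NetBIOS session header."""
    header = SMB1_MAGIC + bytes([command]) + struct.pack("<I", nt_status)
    header += bytes(SMB1_HEADER_LEN - len(header))  # flags, TID, UID, MID zeroed
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for label, st in (("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                      ("patched", STATUS_ACCESS_DENIED), ("other", 0)):
        print(label, classify(*parse_smb1_status(build_sample_response(SMB_COM_TRANSACTION, st))))
```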