[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)

[Robert Strom <robert.strom () gmail com>]

Hello,

While my testing using VM's worked with the new smb.lua and the
updated smb-vuln-ms17-010.nse files it is not behaving the same in the
Domain environment.


I am still getting the Could not connect to 'IPC$' message when connecting
to Server 2012 systems.

I have tried the following command lines

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse
 --script-args=smbusername=<adminuser>,smbpassword=<password> <target>

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse
 --script-args=smbusername=<adminuser>,smbpassword=<password>,smbbasic=1,smbsign=force
<target>

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse
 --script-args=smbusername=<adminuser>,smbpassword=<password>,smbbasic=1
<target>

I also tried both the short domain name (NETBIOS) and the FQDN domain name.

All with the same results.Text file with scan results attached.

Any comments / suggests / help will be greatly appreciated.

Thanks,

Robert


On Mon, May 22, 2017 at 10:03 PM, <dev-request () nmap org> wrote:

> Send dev mailing list submissions to
>         dev () nmap org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://nmap.org/mailman/listinfo/dev
> or, via email, send a message with subject or body 'help' to
>         dev-request () nmap org
>
> You can reach the person managing the list at
>         dev-owner () nmap org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dev digest..."
>
>
> Today's Topics:
>
>    1. Wai Tuck's GSOC status report #2 of 17 (Wong Wai Tuck)
>    2. Vinamra Bhatia - GSoC Status Report #2 of 17 (Vinamra Bhatia)
>    3. Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>       (smb-vuln-ms17-010) (Paulino Calderon)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 22 May 2017 19:20:13 +0000
> From: Wong Wai Tuck <wongwaituck () gmail com>
> To: "dev () nmap org" <dev () nmap org>
> Subject: Wai Tuck's GSOC status report #2 of 17
> Message-ID:
>         <CAP9R1M_c=z5f=FF5+-ARCRUi5Kbne5o-oreFiPC3MjFk0qyizw@mail.gmail.
> com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey all,
>
> Finally back home in Singapore!
>
> Accomplishments:
> * Signed copyright assignment
> * Read Programming in Lua book as recommended by my mentor, got a much
> better understanding of the language and its history
> * Read NSE chapter of the Nmap book, watched Fyodor's Black Hat 2010
> presentation on NSE - I have a clearer idea on how NSE fits into the whole
> Nmap ecosystem!
> * Skimmed through the MS17-010 script (I realize there's a number of people
> working on this already so I didn't focus on this)
>
> Priorities:
> * Finish reading other resources - SVN, the NSE book, current NSE scripts
> * Make small improvements to current scripts as I read them, get used to
> the development cycle
> * Propose exploit scripts to be developed on the dev mailing list and
> elicit feedback
> * Discuss design plan and final timeline with mentor
>
> Thank you all and have a great week ahead.
>
> With Regards
> Wong Wai Tuck
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170522/e49e65b4/attachment.html>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 23 May 2017 05:29:52 +0530
> From: Vinamra Bhatia <vinamrabhatia8 () gmail com>
> To: dev () nmap org
> Subject: Vinamra Bhatia - GSoC Status Report #2 of 17
> Message-ID:
>         <CAP+gV2x4_4NTpV6_k6YmGRZ3em+_mJ2ez9o6H6G9+dhjfkNmFA@mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> This is my second status report for GSoC 2017.
>
> Accomplishments :
>
> * Completed the copyright assignment.
> * Read the book "Mastering the NMAP Scripting Engine".
> * Solved a minor bug
> * Had a meeting with the mentor and discussed further on the project.
>
> Priorities:
>
> * Read up about SMB ( I just have a basic idea right now).
> * Solve open issues in HTTP and SMB.
> * Check optimization in existing vulnerabilites.
> * Read about SVN and fork the SVN repository.
>
> That's all for now. Thank you all.
>
> Cheers,
> Vinamra
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170523/f345425a/attachment.html>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 23 May 2017 00:03:42 -0500
> From: Paulino Calderon <paulino () calderonpale com>
> To: Nmap-dev <dev () nmap org>
> Subject: Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>         (smb-vuln-ms17-010)
> Message-ID: <1F4C0731-684E-4E68-B102-BA96D10104CD () calderonpale com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey everyone,
>
> Thanks a lot for your feedback and help debugging the problem. (Specially
> to Tinkerfairy! ) The attached patch seems to make the script work in
> Windows 8.1 and Windows 10 too. Please report any problems you see in your
> environments.
>
> I?ve also added an error check to determine conclusively if a system is
> patched. I?ve observed that patched systems return the error
> STATUS_ACCESS_DENIED so I?ve incorporated that into the script.
>
> Files:
> smb.lua: https://github.com/cldrn/nmap-nse-scripts/blob/master/
> nselib/smb.lua
> smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/
> scripts/smb-vuln-ms17-010.nse
>
> I posted a few notes (mostly common questions) about this script here:
> https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-
> smb-vuln-ms17-010
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smb.lua
> Type: application/octet-stream
> Size: 177647 bytes
> Desc: not available
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170523/7cff42ee/attachment.obj>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smb-vuln-ms17-010.nse
> Type: application/octet-stream
> Size: 6439 bytes
> Desc: not available
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170523/7cff42ee/attachment-0001.obj>
> -------------- next part --------------
>
>
> Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com
>
>
>
> > On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com>
> wrote:
> > Hey list,
> >
> > I need some help testing the script smb-vuln-ms17-010. I tested it on a
> vulnerable win7 machine and it works as expected but I suspect there might
> be some issues with newer Windows versions and certain smb configurations
> (v2 authentication protocols with signing enabled).
> > Don't forget to send me packet captures if you run into servers that are
> incorrectly marked as not vulnerable.
> > Cheers!
> >
> > smb-vuln-ms17-010: https://github.com/cldrn/nmap-
> nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
> > description = [[
> > Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote
> code
> > execution vulnerability (ms2017-010).
> >
> > The script connects to the $IPC tree, executes a transaction on FID 0 and
> > checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
> > determine if the target is not patched against CVE2017-010.
> >
> > Tested on a vulnerable Windows 7. We might have some issues with v2
> protocols with
> > signing enabled.
> >
> > References:
> > * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> > * https://blogs.technet.microsoft.com/msrc/2017/05/12/
> customer-guidance-for-wannacrypt-attacks/
> > * https://msdn.microsoft.com/en-us/library/ee441489.aspx
> > * https://github.com/rapid7/metasploit-framework/blob/
> master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
> > ]]
> >
> >
> >
> > Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com
> >
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> dev mailing list
> dev () nmap org
> https://nmap.org/mailman/listinfo/dev
>
>
> ------------------------------
>
> End of dev Digest, Vol 146, Issue 20
> ************************************

Attachment: MS17-010_nmap_test.txt
Description:

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/