Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)

[Paulino Calderon <paulino () calderonpale com>]

Hey everyone,

My last two commits (r36764 and r36765) include the required library patches and the new version of 
smb-vuln-ms17-010.nse that now I have confirmed to work as expected against Win XP, 2003, 2008, 2012, 7, 8, 8.1 and 10. 

Most important, a bug preventing our smb scripts from working against modern versions of windows was fixed in r36764. 
Not every day I get to fix 4 pending issues with 1 commit so I wanted to post more information here for future 
reference:
* smb.lua and msrpc.lua now use fully qualified path names when accessing shares. In older versions of Windows, 
accessing by name worked but newer versions seem to require the fully qualified path.
* OID fields in newer versions of Windows seem to have an additional padding. This issue prevented scripts from 
authenticating correctly against modern versions of Windows. 
* The information level requested by NetShareGetInfo was reduced to 1 (From 2). Newer versions are more strict and the 
call failed. It also seems to be more nicely with Samba implementations as it also fixed a problem when reading open 
shares.
* Listing share contents now work as expected, previously it was broken due to connection initialization problems and 
probably others issues with FQPNs.

Issues that should be fixed now:
https://github.com/nmap/nmap/issues/704
https://github.com/nmap/nmap/issues/266
https://github.com/nmap/nmap/issues/238
https://github.com/nmap/nmap/issues/883

If you come across any issues with these changes, please let me know and send me your packet captures.

Cheers.

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com



> On May 23, 2017, at 12:03 AM, Paulino Calderon <paulino () calderonpale com> wrote:
>
> Hey everyone,
>
> Thanks a lot for your feedback and help debugging the problem. (Specially to Tinkerfairy! ) The attached patch seems 
> to make the script work in Windows 8.1 and Windows 10 too. Please report any problems you see in your environments. 
>
> I’ve also added an error check to determine conclusively if a system is patched. I’ve observed that patched systems 
> return the error STATUS_ACCESS_DENIED so I’ve incorporated that into the script.
>
> Files:
> smb.lua: https://github.com/cldrn/nmap-nse-scripts/blob/master/nselib/smb.lua
> smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
>
> I posted a few notes (mostly common questions) about this script here: 
> https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010
>
> <smb.lua><smb-vuln-ms17-010.nse>
>
> Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
>
>
>
> > On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com> wrote:
> >
> > Hey list,
> >
> > I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as 
> > expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 
> > authentication protocols with signing enabled).
> >
> > Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 
> >
> > Cheers!
> >
> > smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse 
> > description = [[
> > Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
> > execution vulnerability (ms2017-010).
> >
> > The script connects to the $IPC tree, executes a transaction on FID 0 and
> > checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
> > determine if the target is not patched against CVE2017-010.
> >
> > Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
> > signing enabled.
> >
> > References:
> > * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> > * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
> > * https://msdn.microsoft.com/en-us/library/ee441489.aspx
> > * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
> > ]]
> >
> >
> >
> > Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/