Nmap Development mailing list archives
[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
From: Robert Strom <robert.strom () gmail com>
Date: Fri, 19 May 2017 16:03:59 -0700
Hello, I've been playing around with the smb-vuln-ms17-010.nse script and found some strange results for Server 2012 systems. All 2012, regardless of whether or not they are patched, firewall on or off I get this message Could not connect to 'IPC$' which does not tell me whether or not the system is vulnerable or not. I have also checked whether or not these systems are running SMBv1, they definitely are. Any explanation for this behavior? See attached files of Nmap scan using v 7.40 on Windows against Server 2012 with FW on and FW off. Thanks, Robert On Mon, May 15, 2017 at 6:36 AM, <dev-request () nmap org> wrote:
Send dev mailing list submissions to dev () nmap org To subscribe or unsubscribe via the World Wide Web, visit https://nmap.org/mailman/listinfo/dev or, via email, send a message with subject or body 'help' to dev-request () nmap org You can reach the person managing the list at dev-owner () nmap org When replying, please edit your Subject line so it is more specific than "Re: Contents of dev digest..." Today's Topics: 1. [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010) (Paulino Calderon) 2. Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010) (Paulino Calderon) 3. Wai Tuck's GSOC status report #1 of 16 (Wong Wai Tuck) 4. CVE 2017-3599 (Oracle MySQL remote unauthenticated DoS) (Loganaden Velvindron) ---------------------------------------------------------------------- Message: 1 Date: Sun, 14 May 2017 20:37:59 -0500 From: Paulino Calderon <paulino () calderonpale com> To: Nmap-dev <dev () nmap org> Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010) Message-ID: <72480D0C-8386-406B-84A1-09CDBF224D48 () calderonpale com> Content-Type: text/plain; charset=us-ascii Hey list, I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 authentication protocols with signing enabled). Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. Cheers! smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/ scripts/smb-vuln-ms17-010.nse description = [[ Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms2017-010). The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against CVE2017-010. Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with signing enabled. References: * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx * https://blogs.technet.microsoft.com/msrc/2017/05/12/ customer-guidance-for-wannacrypt-attacks/ * https://msdn.microsoft.com/en-us/library/ee441489.aspx * https://github.com/rapid7/metasploit-framework/blob/ master/modules/auxiliary/scanner/smb/smb_ms17_010.rb ]] Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com ------------------------------ Message: 2 Date: Sun, 14 May 2017 21:22:23 -0500 From: Paulino Calderon <paulino () calderonpale com> To: Nmap-dev <dev () nmap org> Subject: Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010) Message-ID: <FB95AB9D-277A-4D04-A9F9-9E762EA51E0C () calderonpale com> Content-Type: text/plain; charset="utf-8" Hehe forgot to attach the file. I know you can get it from github but I?m sending it for the archive anyway. -------------- next part -------------- A non-text attachment was scrubbed... Name: smb-vuln-ms17-010.nse Type: application/octet-stream Size: 6081 bytes Desc: not available URL: <https://nmap.org/mailman/private/dev/attachments/ 20170514/52690973/attachment.obj> -------------- next part -------------- Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.comOn May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com>wrote:Hey list, I need some help testing the script smb-vuln-ms17-010. I tested it on avulnerable win7 machine and it works as expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 authentication protocols with signing enabled).Don't forget to send me packet captures if you run into servers that areincorrectly marked as not vulnerable.Cheers! smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nsedescription = [[ Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remotecodeexecution vulnerability (ms2017-010). The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against CVE2017-010. Tested on a vulnerable Windows 7. We might have some issues with v2protocols withsigning enabled. References: * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx * https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/* https://msdn.microsoft.com/en-us/library/ee441489.aspx * https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb]] Paulino Calderon Pale || @calderpwn on Twitter ||http://www.calderonpale.com------------------------------ Message: 3 Date: Mon, 15 May 2017 12:56:32 +0000 From: Wong Wai Tuck <wongwaituck () gmail com> To: dev () nmap org Subject: Wai Tuck's GSOC status report #1 of 16 Message-ID: <CAP9R1M_MXBWMxzGQAkV3HB2_4u-7LFeL9J_Poo+-sxhpqbHBhw@mail. gmail.com> Content-Type: text/plain; charset="utf-8" Hey everyone, This is my first status report as well as message to this list, so I would like to introduce myself. My name is Wong Wai Tuck (Wai Tuck in short) and I'm currently a sophomore at the Singapore Management University, reading Information Systems with a second major in Applied Statistics. I will be continuing my junior year and further studies in August at Carnegie Mellon University under a joint programme with SMU, and will later be doing a MSc in Information Security at CMU. I currently lead the information security club, Whitehat Society, in SMU (we just concluded the qualifiers this weekend for our competition, CrossCTF). Professionally, I have interned at a government agency and Ernst & Young. I am also OSCP certified. I have been using Nmap for a long time so it is exciting to be able to contribute back to the project. My mentor is George Chatzisofroniou and I will be working on the following 3 areas for NSE in the Google Summer of Code. 1) Exploitation Scripts 2) Password profiling in brute library 3) Service-based automatic vulnerability assessment This is my GSOC weekly report: This week: * Added myself to all relevant mailing lists for the project * Read documentation * Compiled Nmap from source * Met my mentor online to discuss project scope, deliverables and priorities Next week: * Refresh memory on Lua scripting, writing basic scripts * Take a look at the MS17-010 script that was posted on the mailing list by Paulino * Work on design plan for proposed changes Thank you all and have a great week ahead. With Regards Wai Tuck -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://nmap.org/mailman/private/dev/attachments/ 20170515/25dd3ee3/attachment.html> ------------------------------ Message: 4 Date: Mon, 15 May 2017 17:36:15 +0400 From: Loganaden Velvindron <loganaden () gmail com> To: dev () nmap org Subject: CVE 2017-3599 (Oracle MySQL remote unauthenticated DoS) Message-ID: <CAOp4FwRp0WTE75Y8N9RNJFRQA1j3ycKYPRif7+9oTbXC2kOCjg@mail. gmail.com> Content-Type: text/plain; charset="UTF-8" Hello All, Please have a look at https://github.com/nmap/nmap/pull/877, and let me know what I can improve. I've also included output of mysqld crashing. Thanks & Kind regards, //Logan C-x-C-c ------------------------------ Subject: Digest Footer _______________________________________________ dev mailing list dev () nmap org https://nmap.org/mailman/listinfo/dev ------------------------------ End of dev Digest, Vol 146, Issue 10 ************************************
Attachment:
nmap_MS17-010_results_fw_on.txt
Description:
Attachment:
nmap_MS17-010_results_fw_off.txt
Description:
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 Robert Strom (May 19)
- <Possible follow-ups>
- [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 Tinker Fairy (May 19)
- [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 Robert Strom (May 24)