[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010

[Robert Strom <robert.strom () gmail com>]

Hello,

I've been playing around with the smb-vuln-ms17-010.nse script and found
some strange results for Server 2012 systems.

All 2012, regardless of whether or not they are patched, firewall on or off
I get this message

Could not connect to 'IPC$'

which does not tell me whether or not the system is vulnerable or not.

I have also checked whether or not these systems are running SMBv1, they
definitely are.

Any explanation for this behavior?

See attached files of Nmap scan using v 7.40 on Windows against Server 2012
with FW on and FW off.

Thanks,

Robert


On Mon, May 15, 2017 at 6:36 AM, <dev-request () nmap org> wrote:

> Send dev mailing list submissions to
>         dev () nmap org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://nmap.org/mailman/listinfo/dev
> or, via email, send a message with subject or body 'help' to
>         dev-request () nmap org
>
> You can reach the person managing the list at
>         dev-owner () nmap org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dev digest..."
>
>
> Today's Topics:
>
>    1. [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>       (smb-vuln-ms17-010) (Paulino Calderon)
>    2. Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>       (smb-vuln-ms17-010) (Paulino Calderon)
>    3. Wai Tuck's GSOC status report #1 of 16 (Wong Wai Tuck)
>    4. CVE 2017-3599 (Oracle MySQL remote unauthenticated DoS)
>       (Loganaden Velvindron)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 14 May 2017 20:37:59 -0500
> From: Paulino Calderon <paulino () calderonpale com>
> To: Nmap-dev <dev () nmap org>
> Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>         (smb-vuln-ms17-010)
> Message-ID: <72480D0C-8386-406B-84A1-09CDBF224D48 () calderonpale com>
> Content-Type: text/plain; charset=us-ascii
>
> Hey list,
>
> I need some help testing the script smb-vuln-ms17-010. I tested it on a
> vulnerable win7 machine and it works as expected but I suspect there might
> be some issues with newer Windows versions and certain smb configurations
> (v2 authentication protocols with signing enabled).
>
> Don't forget to send me packet captures if you run into servers that are
> incorrectly marked as not vulnerable.
>
> Cheers!
>
> smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/
> scripts/smb-vuln-ms17-010.nse
> description = [[
> Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote
> code
>  execution vulnerability (ms2017-010).
>
> The script connects to the $IPC tree, executes a transaction on FID 0 and
>  checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
>  determine if the target is not patched against CVE2017-010.
>
> Tested on a vulnerable Windows 7. We might have some issues with v2
> protocols with
>  signing enabled.
>
> References:
> * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> * https://blogs.technet.microsoft.com/msrc/2017/05/12/
> customer-guidance-for-wannacrypt-attacks/
> * https://msdn.microsoft.com/en-us/library/ee441489.aspx
> * https://github.com/rapid7/metasploit-framework/blob/
> master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
> ]]
>
>
>
> Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 14 May 2017 21:22:23 -0500
> From: Paulino Calderon <paulino () calderonpale com>
> To: Nmap-dev <dev () nmap org>
> Subject: Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
>         (smb-vuln-ms17-010)
> Message-ID: <FB95AB9D-277A-4D04-A9F9-9E762EA51E0C () calderonpale com>
> Content-Type: text/plain; charset="utf-8"
>
> Hehe forgot to attach the file. I know you can get it from github but I?m
> sending it for the archive anyway.
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smb-vuln-ms17-010.nse
> Type: application/octet-stream
> Size: 6081 bytes
> Desc: not available
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170514/52690973/attachment.obj>
> -------------- next part --------------
>
>
> Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com
>
>
>
> > On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com>
> wrote:
> > Hey list,
> >
> > I need some help testing the script smb-vuln-ms17-010. I tested it on a
> vulnerable win7 machine and it works as expected but I suspect there might
> be some issues with newer Windows versions and certain smb configurations
> (v2 authentication protocols with signing enabled).
> > Don't forget to send me packet captures if you run into servers that are
> incorrectly marked as not vulnerable.
> > Cheers!
> >
> > smb-vuln-ms17-010: https://github.com/cldrn/nmap-
> nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
> > description = [[
> > Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote
> code
> > execution vulnerability (ms2017-010).
> >
> > The script connects to the $IPC tree, executes a transaction on FID 0 and
> > checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
> > determine if the target is not patched against CVE2017-010.
> >
> > Tested on a vulnerable Windows 7. We might have some issues with v2
> protocols with
> > signing enabled.
> >
> > References:
> > * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> > * https://blogs.technet.microsoft.com/msrc/2017/05/12/
> customer-guidance-for-wannacrypt-attacks/
> > * https://msdn.microsoft.com/en-us/library/ee441489.aspx
> > * https://github.com/rapid7/metasploit-framework/blob/
> master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
> > ]]
> >
> >
> >
> > Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 15 May 2017 12:56:32 +0000
> From: Wong Wai Tuck <wongwaituck () gmail com>
> To: dev () nmap org
> Subject: Wai Tuck's GSOC status report #1 of 16
> Message-ID:
>         <CAP9R1M_MXBWMxzGQAkV3HB2_4u-7LFeL9J_Poo+-sxhpqbHBhw@mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey everyone,
>
> This is my first status report as well as message to this list, so I would
> like to introduce myself.
>
> My name is Wong Wai Tuck (Wai Tuck in short) and I'm currently a sophomore
> at the Singapore Management University, reading Information Systems with a
> second major in Applied Statistics. I will be continuing my junior year and
> further studies in August at Carnegie Mellon University under a joint
> programme with SMU, and will later be doing a MSc in Information Security
> at CMU. I currently lead the information security club, Whitehat Society,
> in SMU (we just concluded the qualifiers this weekend for our competition,
> CrossCTF). Professionally, I have interned at a government agency and Ernst
> & Young. I am also OSCP certified.
>
> I have been using Nmap for a long time so it is exciting to be able to
> contribute back to the project. My mentor is George Chatzisofroniou and I
> will be working on the following 3 areas for NSE in the Google Summer of
> Code.
>
> 1) Exploitation Scripts
> 2) Password profiling in brute library
> 3) Service-based automatic vulnerability assessment
>
>  This is my GSOC weekly report:
>
> This week:
> * Added myself to all relevant mailing lists for the project
> * Read documentation
> * Compiled Nmap from source
> * Met my mentor online to discuss project scope, deliverables and
> priorities
>
> Next week:
> * Refresh memory on Lua scripting, writing basic scripts
> * Take a look at the MS17-010 script that was posted on the mailing list by
> Paulino
> * Work on design plan for proposed changes
>
> Thank you all and have a great week ahead.
>
> With Regards
> Wai Tuck
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://nmap.org/mailman/private/dev/attachments/
> 20170515/25dd3ee3/attachment.html>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 15 May 2017 17:36:15 +0400
> From: Loganaden Velvindron <loganaden () gmail com>
> To: dev () nmap org
> Subject: CVE 2017-3599 (Oracle MySQL remote unauthenticated DoS)
> Message-ID:
>         <CAOp4FwRp0WTE75Y8N9RNJFRQA1j3ycKYPRif7+9oTbXC2kOCjg@mail.
> gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello All,
>
> Please have a look at https://github.com/nmap/nmap/pull/877, and let
> me know what I can improve. I've also included output of mysqld
> crashing.
>
> Thanks & Kind regards,
> //Logan
> C-x-C-c
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> dev mailing list
> dev () nmap org
> https://nmap.org/mailman/listinfo/dev
>
>
> ------------------------------
>
> End of dev Digest, Vol 146, Issue 10
> ************************************

Attachment: nmap_MS17-010_results_fw_on.txt
Description:

Attachment: nmap_MS17-010_results_fw_off.txt
Description:

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/