Nmap Development mailing list archives

Re: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (smb-vuln-ms17-010)


From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 23 May 2017 00:03:42 -0500

Hey everyone,

Thanks a lot for your feedback and help debugging the problem (especially to Tinkerfairy!). The attached patch seems to 
make the script work on Windows 8.1 and Windows 10 too. Please report any problems you see in your environments. 

I’ve also added an error check to determine conclusively if a system is patched. I’ve observed that patched systems 
return the error STATUS_ACCESS_DENIED, so I’ve incorporated that into the script.

Files:
smb.lua: https://github.com/cldrn/nmap-nse-scripts/blob/master/nselib/smb.lua
smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

I posted a few notes (mostly common questions) about this script here: 
https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010

Attachment: smb.lua

Attachment: smb-vuln-ms17-010.nse



Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com



On May 14, 2017, at 8:37 PM, Paulino Calderon <paulino () calderonpale com> wrote:

Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable Win7 machine and it works as 
expected, but I suspect there might be some issues with newer Windows versions and certain SMB configurations (v2 
authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse 
description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
execution vulnerability (ms17-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
]]



Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
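Both messages hinge on how the script reads the NT status of the Transaction reply: STATUS_INSUFF_SERVER_RESOURCES means the host is unpatched, STATUS_ACCESS_DENIED (per the May 23 note) means it is patched, and anything else should not be reported either way. The Python below is an added example, not code from the post or from the attached NSE script: it parses a NetBIOS-framed SMBv1 header and applies that decision rule, returning INCONCLUSIVE instead of a false "not vulnerable" for SMB2 replies, DOS-style error codes, or responses to some other command. The constants are the standard MS-CIFS/ntstatus.h values; the function names, verdict labels and the sample frames built by build_sample_response are constructed for this example and are not real captures.

```python
import struct

# Well-known SMBv1 constants (from MS-CIFS / ntstatus.h, not taken from the post).
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_FLAGS2_NT_STATUS = 0x4000                # Flags2 bit: Status field holds an NTSTATUS
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022            # the post reports this from patched hosts
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # the script treats this as unpatched


def parse_smb1_header(raw):
    """Decode a NetBIOS-framed SMBv1 response into its header fields.

    Raises ValueError on anything that is not a well-formed SMBv1 frame, so a
    caller never turns garbage (or an SMB2 reply, which starts 0xFE 'SMB') into a verdict.
    """
    if len(raw) < 36:
        raise ValueError("too short for NetBIOS session header plus SMB header")
    nb_type = raw[0]
    nb_len = int.from_bytes(raw[1:4], "big")
    if nb_type != 0x00 or nb_len != len(raw) - 4:
        raise ValueError("bad NetBIOS session message header")
    hdr = raw[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 header")
    command, status, flags, flags2 = struct.unpack("<BIBH", hdr[4:12])
    tid, pid, uid, mid = struct.unpack("<HHHH", hdr[24:32])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_ms17_010(raw):
    """Map the Transaction reply to the verdict the thread describes.

    Only an NTSTATUS-flagged reply to SMB_COM_TRANSACTION is interpreted;
    everything else is INCONCLUSIVE rather than a false 'not vulnerable'.
    """
    try:
        h = parse_smb1_header(raw)
    except ValueError:
        return "INCONCLUSIVE"
    if h["command"] != SMB_COM_TRANSACTION:
        return "INCONCLUSIVE"
    if not h["flags2"] & SMB_FLAGS2_NT_STATUS:
        return "INCONCLUSIVE"  # DOS error class/code, not an NTSTATUS: do not guess
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if h["status"] == STATUS_ACCESS_DENIED:
        return "PATCHED"
    return "INCONCLUSIVE"


def build_sample_response(status, command=SMB_COM_TRANSACTION,
                          flags2=SMB_FLAGS2_NT_STATUS):
    """Constructed sample frame for testing (hypothetical bytes, not a real capture)."""
    hdr = (SMB_MAGIC
           + struct.pack("<BIBH", command, status, 0x88, flags2)
           + b"\x00" * 2   # PIDHigh
           + b"\x00" * 8   # SecurityFeatures
           + b"\x00" * 2   # Reserved
           + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, 0x0040))  # TID, PID, UID, MID
    body = b"\x00" + b"\x00\x00"  # WordCount=0, ByteCount=0
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for name, status in [("unpatched", STATUS_INSUFF_SERVER_RESOURCES),
                         ("patched", STATUS_ACCESS_DENIED),
                         ("other", STATUS_SUCCESS)]:
        print(name, classify_ms17_010(build_sample_response(status)))
```

The three-way result is the point: when auditing a fleet, a host that answers with some other status (for example because it only speaks SMB2, or signing is enforced as the May 14 message suspects) should show up as needing a manual look, not be silently counted as patched.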




_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
