Nmap Development mailing list archives

Re: WannaCry Script - MS17-010


From: Paulino Calderon <paulino () calderonpale com>
Date: Wed, 14 Jun 2017 21:54:00 -0500

Hello Tim,
Thanks for reporting this. There are a few different reasons why the script
might not be able to detect if a host is vulnerable:
- Anonymous access to IPC is required. Configurations that block IPC$ will
  require users to provide SMB credentials to get this to work, with the
  script arguments smbuser and smbpass.
- AV products might be detecting the probe and blocking the host response.
- SMBv1 could be disabled.
- One user reported that some hosts weren't being marked as vulnerable when
  scanning large networks. I tried reproducing this with no luck. Did you
  try using a single host as a target? Please let me know if you experience
  different results.

On the other hand, I'm not familiar with what the Nessus check does, but
packet captures of these hosts will help me compare the difference. I did
test it against Windows 2012 and it worked as expected in my lab, so please
share with me (privately if you want) more information to troubleshoot
this.

Cheers.

On Jun 13, 2017 4:46 PM, "Tim Naami" <tnaami () gmail com> wrote:

I'm using the MS17-010 script as discussed here:
http://seclists.org/nmap-dev/2017/q2/79

It appears to miss a number of systems that are not patched.  A quick NMAP
scan will show systems are not vulnerable but my Nessus scanner says they
are.

Based on reboot date I know the systems have not been patched.

I believe the possibility is related to Server 2012 R2 as it seems those
are the ones Nessus says are vulnerable but NMAP does not.  Yet NMAP is
catching others not patched.

TIA

Tim


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/