Nmap Development mailing list archives
Re: dev Digest, Vol 146, Issue 16
From: Robert Strom <robert.strom () gmail com>
Date: Sun, 21 May 2017 08:57:08 -0700
I have added the suggested line to the smb.lua file as seen below

    -- check what kind of security blob we were given in the negotiate protocol request
    local sp_nego = false
    if ( smb['security_blob'] and #smb['security_blob'] > 11 ) then
      local pos, oid = bin.unpack(">A6", smb['security_blob'], 5)
      sp_nego = true
      -- sp_nego = ( oid == "\x2b\x06\x01\x05\x05\x02" ) -- check for SPNEGO OID 1.3.6.1.5.5.2
    end

I have a Server 2016 VM that is only patched to 11/2016 that I am using as a test system. I have turned off the firewall on all profiles, I am using the system name, not the IP address, and I have added the DisableStrictNameChecking registry key entry (just as a final test) - https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias

I am still getting the "Could not connect to 'IPC$'" response. Did I miss something? Do something wrong?

Thanks,
Robert

On Sat, May 20, 2017 at 12:00 PM, <dev-request () nmap org> wrote:
Today's Topics:

  1. [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010 (Tinker Fairy)

----------------------------------------------------------------------

Message: 1
Date: Fri, 19 May 2017 19:17:16 -0500
From: Tinker Fairy <nmap () tinkerfairy net>
To: dev () nmap org
Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
Message-ID: <C780BBC2-B9EA-437D-A561-FBB4AEA363ED () tinkerfairy net>

Robert,

I have encountered two difficulties that cause the behavior you are describing:

1) newer Windows versions default to DisableStrictNameChecking = false which requires the server name on SMB requests. I have opened a pull request with a feature addition to be compatible with this new default. https://github.com/cldrn/nmap-nse-scripts/pull/7

2) there is some kind of bug with newer Windows and the SPNEGO code in the SMB library. As a temporary workaround you can set sp_nego=true on line 1319 of nselib/smb.lua

With both of those issues taken care of, I've scanned tens of thousands of mixed version Windows servers from 2003 to 2016.

Good luck!
-TinkerFairy

Date: Fri, 19 May 2017 16:03:59 -0700
From: Robert Strom <robert.strom () gmail com>
To: dev () nmap org
Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
Message-ID: <CAACgKan3CnGT0gOvTvb5yT=A9FA8Nhz8xfNzhsdxSc24G7B36Q () mail gmail com>

Hello,

I've been playing around with the smb-vuln-ms17-010.nse script and found some strange results for Server 2012 systems. All 2012, regardless of whether or not they are patched, firewall on or off, I get this message "Could not connect to 'IPC$'" which does not tell me whether or not the system is vulnerable. I have also checked whether or not these systems are running SMBv1; they definitely are. Any explanation for this behavior? See attached files of Nmap scan using v 7.40 on Windows against Server 2012 with FW on and FW off.

Thanks,
Robert
Attachment:
server2016_MS17-010_test.txt
Description:
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
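The SPNEGO OID check that the smb.lua snippet in the thread does with a fixed-offset unpack, rewritten as an added Python example (not nmap's code) that walks the DER-encoded GSS-API token header instead. The sample blobs are constructed, and fixed_offset_is_spnego is a hypothetical name given here to the original six-bytes-at-position-5 logic so the two approaches can be compared.

```python
# Added example, not nmap's code: decide whether an SMB negotiate security blob
# announces SPNEGO (OID 1.3.6.1.5.5.2) by walking the DER header of the GSS-API
# InitialContextToken rather than reading six bytes at a fixed offset.
SPNEGO_OID = "1.3.6.1.5.5.2"

def _der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n following bytes
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    parts, value, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:                    # high bit clear ends a sub-identifier
            parts.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID")
    return ".".join(str(p) for p in parts)

def security_blob_mech(blob):
    """Return the mechanism OID named in the token header, or None if absent."""
    if len(blob) < 2 or blob[0] != 0x60:   # [APPLICATION 0] InitialContextToken
        return None
    _, pos = _der_length(blob, 1)
    if pos >= len(blob) or blob[pos] != 0x06:  # OBJECT IDENTIFIER tag
        return None
    oid_len, pos = _der_length(blob, pos + 1)
    if pos + oid_len > len(blob):
        return None
    return decode_oid(blob[pos:pos + oid_len])

def is_spnego(blob):
    return security_blob_mech(blob) == SPNEGO_OID

def fixed_offset_is_spnego(blob):
    # Hypothetical name for the Lua comment's check: bin.unpack(">A6", blob, 5)
    # compared with the raw OID bytes; it assumes a one-byte token length.
    return blob[4:10] == b"\x2b\x06\x01\x05\x05\x02"

# Constructed samples: token length in short form (0x28) and long form (0x81 0x90);
# the NegTokenInit bodies are zero padding, not real negotiations.
SAMPLE_SHORT = bytes.fromhex("6028" "06062b0601050502" "a01e") + bytes(30)
SAMPLE_LONG = bytes.fromhex("608190" "06062b0601050502") + bytes(136)
```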