Nmap Development mailing list archives
Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 20 Jul 2017 10:15:48 -0500
Can we make this general-purpose as well? I'm picturing output like:

smb2-time:
| Date: 2017-07-20T01:59:33Z
| Boot: 2016-12-22T15:03:39Z
| Uptime: 209d19h7m59s
| Missing patches:
|_ ms17-010

A table lookup of release dates for high-severity SMB-related patches could be included. Use stdnse.format_timestamp and stdnse.format_difftime to format the output.

This could even be a default script if it doesn't do more than begin a connection and hang up (Check event logs to see if it leaves anything).

Dan

On Thu, Jul 20, 2017 at 1:29 AM, Paulino Calderon <paulino () calderonpale com> wrote:
Hey list,

I came across a great idea today (https://twitter.com/breakersall/status/880496571581857793). Basically, SMB2 returns the system boot time pre-authentication during the dialect negotiation process and we can use this information to determine if systems aren't patched for ms17-010 because this patch requires a system reboot. This is also great for evading IDS/AVs/IPS as signatures already exist for the transaction check with FID 0. If the system has been booted after March 14th, 2017, the test is inconclusive as we can't tell if the system is patched without sending more probes. Although I would like to keep this check as safe and sneaky as possible!

I'm sharing the script now but I would like to keep developing this idea before merging to extend the check for other vulnerabilities as the same technique can be applied for other advisories. I will create the PR on github when it's ready!

description = [[
Attempts to detect if a Microsoft SMBv2 server is missing the patch for ms17-010 by checking if the system has not been rebooted since March 14th, 2017.

SMB2's COM_NEGOTIATE command returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.

All the credit goes to Matt Kelly (@breakersall) for this great idea!

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://twitter.com/breakersall/status/880496571581857793
]]

---
-- @usage nmap -p445 --script smb2-vuln-ms17-010 <target>
-- @usage nmap -p445 --script vuln <target>
--
-- @output
-- Host script results:
-- | smb2-vuln-ms17-010:
-- |   VULNERABLE:
-- |   Missing patch for ms17-010
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2017-0143
-- |     Risk factor: HIGH
-- |       This system is missing the patch ms17-010 and is affected by remote code
-- |       execution vulnerabilities.
-- |
-- |     Disclosure date: 2017-03-14
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
-- |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
-- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

smb2-vuln-ms17-010 script: https://github.com/cldrn/nmap/blob/smb2-vuln-ms17-010/scripts/smb2-vuln-ms17-010.nse
smb2.lua: https://github.com/cldrn/nmap/blob/smb2-vuln-ms17-010/nselib/smb2.lua
smb2-vuln-ms17-010 branch: https://github.com/cldrn/nmap/tree/smb2-vuln-ms17-010

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
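The technique discussed in this thread, as an added example in Python rather than the NSE script or smb2.lua from Paulino's branch: send one SMB2 NEGOTIATE, read the SystemTime and ServerStartTime fields that MS-SMB2 2.2.4 places in the response before any authentication, and report date, boot time, uptime and "missing patches" in the shape Dan sketched. The only patch in the lookup table is ms17-010 with its 2017-03-14 release date (from the thread); further entries, the sample response bytes and the network helper are this example's own constructions, not anything from the Nmap tree. The check is one-directional on purpose: a boot before a patch's release date means the reboot that patch needs has not happened, while a boot after it is inconclusive and is not reported.

```python
"""Infer reboot-requiring SMB patches that cannot be installed, from the boot
time an SMB2 NEGOTIATE response discloses pre-authentication (MS-SMB2 2.2.4)."""
import socket
import struct
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_UNIX_EPOCH = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Release dates of reboot-requiring SMB patches. ms17-010 is from the thread;
# any further entries are assumptions the operator adds for their own environment.
PATCH_RELEASE_DATES = {"ms17-010": datetime(2017, 3, 14, tzinfo=timezone.utc)}

SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")         # 64 bytes, MS-SMB2 2.2.1
SMB2_NEGOTIATE_RESP = struct.Struct("<HHHH16sIIIIQQHHI")   # 64 bytes, MS-SMB2 2.2.4


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(ft - FILETIME_UNIX_EPOCH) // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1) * 10 + FILETIME_UNIX_EPOCH


def build_negotiate_request(dialects=(0x0202, 0x0210)) -> bytes:
    """SMB2 NEGOTIATE request offering SMB 2.0.2/2.1, in a NetBIOS session header."""
    header = SMB2_HEADER.pack(b"\xfeSMB", 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    # StructureSize 36, DialectCount, SecurityMode (signing enabled), Reserved,
    # Capabilities, ClientGuid, ClientStartTime; then the dialect list.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, b"\x00" * 16, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return struct.pack(">I", len(header + body)) + header + body


def parse_negotiate_response(packet: bytes) -> dict:
    """Pull SystemTime and ServerStartTime out of a NEGOTIATE response (NetBIOS-framed)."""
    smb = packet[4:]
    if len(smb) < 128 or smb[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    _, _, _, status, command, *_ = SMB2_HEADER.unpack_from(smb, 0)
    if command != 0 or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    fields = SMB2_NEGOTIATE_RESP.unpack_from(smb, 64)
    if fields[0] != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    return {"dialect": fields[2],
            "system_time": filetime_to_datetime(fields[9]),
            "boot_time": filetime_to_datetime(fields[10])}


def format_uptime(delta: timedelta) -> str:
    """Same 'NdNhNmNs' shape as stdnse.format_difftime."""
    secs = int(delta.total_seconds())
    days, secs = divmod(secs, 86400)
    hours, secs = divmod(secs, 3600)
    minutes, secs = divmod(secs, 60)
    return f"{days}d{hours}h{minutes}m{secs}s"


def missing_patches(boot_time: datetime, table=PATCH_RELEASE_DATES) -> list:
    """Patches released after the last boot cannot have been applied yet (they need
    a reboot). A boot after the release date proves nothing, so it is not listed."""
    return sorted(name for name, released in table.items() if boot_time < released)


def assess(packet: bytes) -> dict:
    info = parse_negotiate_response(packet)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"date": info["system_time"].strftime(fmt),
            "boot": info["boot_time"].strftime(fmt),
            "uptime": format_uptime(info["system_time"] - info["boot_time"]),
            "missing_patches": missing_patches(info["boot_time"])}


def negotiate(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """One NEGOTIATE, read the reply, hang up: no session setup, no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = s.recv(4)
        length = int.from_bytes(nb[1:], "big")
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return assess(nb + data)


def build_sample_response(system_time: datetime, boot_time: datetime) -> bytes:
    """Constructed NEGOTIATE response for offline use; not a capture from a real host."""
    header = SMB2_HEADER.pack(b"\xfeSMB", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = SMB2_NEGOTIATE_RESP.pack(65, 1, 0x0210, 0, b"\x00" * 16, 0, 65536, 65536, 65536,
                                    datetime_to_filetime(system_time),
                                    datetime_to_filetime(boot_time), 128, 0, 0)
    return struct.pack(">I", len(header + body)) + header + body


if __name__ == "__main__":
    sample = build_sample_response(datetime(2017, 7, 20, 1, 59, 33, tzinfo=timezone.utc),
                                   datetime(2016, 12, 22, 15, 3, 39, tzinfo=timezone.utc))
    print(assess(sample))
```

Against a live host, `negotiate("10.0.0.5")` sends exactly one request and closes the TCP connection, which is the footprint Dan asked to verify in the event logs. Clock skew between scanner and target does not matter here because both timestamps come from the server; a server whose SystemTime is far wrong still yields a wrong boot time, which is why the boot timestamp itself, not the uptime, drives the patch lookup.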
Current thread:
- [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Paulino Calderon (Jul 08)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Daniel Miller (Jul 10)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Paulino Calderon (Jul 12)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Paulino Calderon (Jul 19)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Daniel Miller (Jul 20)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Paulino Calderon (Jul 20)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Daniel Miller (Jul 20)
- Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode Daniel Miller (Jul 10)