Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode

[Daniel Miller <bonsaiviking () gmail com>]

Can we make this general-purpose as well? I'm picturing output like:

smb2-time:
|  Date: 2017-07-20T01:59:33Z
|  Boot: 2016-12-22T15:03:39Z
|  Uptime: 209d19h7m59s
|  Missing patches:
|_   ms17-010

A table lookup of release dates for high-severity SMB-related patches could
be included. Use stdnse.format_timestamp and stdnse.format_difftime to
format the output. This could even be a default script if it doesn't do
more than begin a connection and hang up (Check event logs to see if it
leaves anything).

Dan

On Thu, Jul 20, 2017 at 1:29 AM, Paulino Calderon <paulino () calderonpale com>
wrote:

> Hey list,
>
> I came across a great idea today (https://twitter.com/breakersall/status/
> 880496571581857793). Basically, SMB2 returns the system boot time
> pre-authentication during the dialect negotiation process and we can use
> this information to determine if systems aren't patched for ms17-010
> because this patch requires a system reboot. This is also great for evading
> IDS/AVs/IPs as signatures already exists for the transaction check with FID
> 0. If the system has been booted after March 14th, 2017, the test is
> inconclusive as we can't tell if the system is patched without sending more
> probes. Although I would like to keep this check as safe and sneaky as
> possible!
>
> I'm sharing the script now but I would like to keep developing this idea
> before merging to extend the check for other vulnerabilities as the same
> technique can be applied for other advisories. I will create the PR on
> github when it's ready!
>
> description = [[
> Attempts to detect if a Microsoft SMBv2 server is missing the patch for
> ms17-010 by checking if the system has not been rebooted since March 14th,
> 2017.
>
> SMB2's COM_NEGOTIATE command returns the system boot time pre
> authentication.
> This information can be used to determine if a system is missing critical
> patches without triggering IDS/IPS/AVs.
>
> All the credit goes to Matt Kelly (@breakersall) for this great idea!
>
> References:
> * https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
> * https://blogs.technet.microsoft.com/msrc/2017/05/12/
> customer-guidance-for-wannacrypt-attacks/
> * https://msdn.microsoft.com/en-us/library/ee441489.aspx
> * https://twitter.com/breakersall/status/880496571581857793
> ]]
>
> ---
> -- @usage nmap -p445 --script smb2-vuln-ms17-010 <target>
> -- @usage nmap -p445 --script vuln <target>
> --
> -- @output
> -- Host script results:
> -- | smb2-vuln-ms17-010:
> -- |   VULNERABLE:
> -- |   Missing patch for ms17-010
> -- |     State: VULNERABLE
> -- |     IDs:  CVE:CVE-2017-0143
> -- |     Risk factor: HIGH
> -- |     This system is missing the patch ms17-010 and is affected by
> remote code
> -- |     execution vulnerabilities.
> -- |
> -- |     Disclosure date: 2017-03-14
> -- |     References:
> -- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
> -- |       https://technet.microsoft.com/en-us/library/security/ms17-
> 010.aspx
> -- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/
> customer-guidance-for-wannacrypt-attacks/
> --
>
>
> smb2-vuln-ms17-010 script: https://github.com/cldrn/nmap/
> blob/smb2-vuln-ms17-010/scripts/smb2-vuln-ms17-010.nse
> smb2.lua: https://github.com/cldrn/nmap/blob/smb2-vuln-
> ms17-010/nselib/smb2.lua
> smb2-vuln-ms17-010 branch: https://github.com/cldrn/nmap/
> tree/smb2-vuln-ms17-010
>
>
> Paulino Calderon Pale || @calderpwn on Twitter ||
> http://www.calderonpale.com

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/