Nmap Development mailing list archives

Re: [NSE] SMB2/SMB3 library and scripts smb-protocols, smb2-capabilities and smb2-security-mode


From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 20 Jul 2017 11:29:03 -0500

Yes! That's exactly what I have in mind. This is great to detect any critical patch that requires a system reboot. The 
library vulns already supports multiple vulnerabilities in one report too (I think). The only thing is that the script 
would have to be run with OS detection to check if the system is Windows. Although I've been contemplating that we can 
also identify Windows machines by the set of supported SMB dialects. It seems this is a very reliable and sneaky method 
to fingerprint Windows systems.

The packet is part of the normal negotiation process so it looks exactly like any other legit connection. We have to 
thank MS for this, it is a great feature in SMB2. We lost OS info pre auth in SMB1 but at least we have this hehe.

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com



On Jul 20, 2017, at 10:15 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

Can we make this general-purpose as well? I'm picturing output like:

smb2-time:
|  Date: 2017-07-20T01:59:33Z
|  Boot: 2016-12-22T15:03:39Z
|  Uptime: 209d19h7m59s
|  Missing patches:
|_   ms17-010

A table lookup of release dates for high-severity SMB-related patches could be included. Use stdnse.format_timestamp 
and stdnse.format_difftime to format the output. This could even be a default script if it doesn't do more than begin 
a connection and hang up (Check event logs to see if it leaves anything).

Dan

On Thu, Jul 20, 2017 at 1:29 AM, Paulino Calderon <paulino () calderonpale com> wrote:
Hey list,

I came across a great idea today (https://twitter.com/breakersall/status/880496571581857793). Basically, SMB2 returns 
the system boot time pre-authentication during the dialect negotiation process and we can use this information to 
determine if systems aren't patched for ms17-010 because this patch requires a system reboot. This is also great for 
evading IDS/AVs/IPs as signatures already exist for the transaction check with FID 0. If the system has been booted 
after March 14th, 2017, the test is inconclusive as we can't tell if the system is patched without sending more 
probes. Although I would like to keep this check as safe and sneaky as possible!

I'm sharing the script now but I would like to keep developing this idea before merging to extend the check for other 
vulnerabilities as the same technique can be applied for other advisories. I will create the PR on github when it's 
ready!

description = [[
Attempts to detect if a Microsoft SMBv2 server is missing the patch for
ms17-010 by checking if the system has not been rebooted since March 14th, 2017.

SMB2's COM_NEGOTIATE command returns the system boot time pre-authentication.
This information can be used to determine if a system is missing critical
patches without triggering IDS/IPS/AVs.

All the credit goes to Matt Kelly (@breakersall) for this great idea!

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://twitter.com/breakersall/status/880496571581857793
]]

---
-- @usage nmap -p445 --script smb2-vuln-ms17-010 <target>
-- @usage nmap -p445 --script vuln <target>
--
-- @output
-- Host script results:
-- | smb2-vuln-ms17-010: 
-- |   VULNERABLE:
-- |   Missing patch for ms17-010
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2017-0143
-- |     Risk factor: HIGH
-- |     This system is missing the patch ms17-010 and is affected by remote code 
-- |     execution vulnerabilities.
-- |       
-- |     Disclosure date: 2017-03-14
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
-- |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
-- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
--


smb2-vuln-ms17-010 script: https://github.com/cldrn/nmap/blob/smb2-vuln-ms17-010/scripts/smb2-vuln-ms17-010.nse
smb2.lua: https://github.com/cldrn/nmap/blob/smb2-vuln-ms17-010/nselib/smb2.lua
smb2-vuln-ms17-010 branch: https://github.com/cldrn/nmap/tree/smb2-vuln-ms17-010

<smb2-boottime.png>

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
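The check the thread describes, as an added example that is not the NSE script from the linked branch nor any Nmap project code: the fixed part of an SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4) carries SystemTime and ServerStartTime as 64-bit FILETIME values, and a host whose last boot predates the release of a reboot-requiring patch cannot have that patch installed. The code below works only on bytes and opens no connection; the response it decodes is constructed inline as a fixture (a pcap-extracted response body with the 64-byte SMB2 header stripped would be fed in the same way), the patch-date table holds only the ms17-010 date given in the thread, and all function names are this example's own.

```python
"""Decode SMB2 NEGOTIATE response timestamps and compare the reported boot time
against a patch release date. Added example, not Nmap project code; operates on
bytes only and opens no connection. The sample response is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01T00:00:00Z (MS-DTYP 2.3.3).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hypothetical lookup table in the spirit of the list suggestion; only the release
# date the thread gives (ms17-010, 2017-03-14) is filled in.
PATCH_RELEASE_DATES = {"ms17-010": datetime(2017, 3, 14, tzinfo=timezone.utc)}

# Fixed 64-byte part of the NEGOTIATE response (MS-SMB2 2.2.4), little-endian:
# StructureSize, SecurityMode, DialectRevision, NegotiateContextCount/Reserved,
# ServerGuid, Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize,
# SystemTime, ServerStartTime, SecurityBufferOffset, SecurityBufferLength, Reserved2.
NEGOTIATE_RESPONSE_FMT = "<HHHH16sIIIIQQHHI"
NEGOTIATE_RESPONSE_LEN = struct.calcsize(NEGOTIATE_RESPONSE_FMT)  # 64
NEGOTIATE_STRUCTURE_SIZE = 65  # 64 fixed bytes plus 1 for the variable buffer


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_iso_utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def format_timestamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def format_difftime(td):
    # Same shape as the "209d19h7m59s" style of output proposed on the list.
    total = int(td.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days}d{hours}h{minutes}m{seconds}s"


def build_negotiate_response(system_time_iso, boot_time_iso, dialect=0x0302):
    """Construct a minimal NEGOTIATE response body (test fixture, not a capture)."""
    return struct.pack(
        NEGOTIATE_RESPONSE_FMT,
        NEGOTIATE_STRUCTURE_SIZE, 0x0001, dialect, 0, b"\x00" * 16,
        0x00000007, 0x00800000, 0x00800000, 0x00800000,
        datetime_to_filetime(parse_iso_utc(system_time_iso)),
        datetime_to_filetime(parse_iso_utc(boot_time_iso)),
        128, 0, 0,  # security buffer offset counts from the 64-byte SMB2 header
    )


def parse_negotiate_response(body):
    """Decode the timestamps from a NEGOTIATE response body (SMB2 header stripped)."""
    if len(body) < NEGOTIATE_RESPONSE_LEN:
        raise ValueError("NEGOTIATE response too short: %d bytes" % len(body))
    fields = struct.unpack(NEGOTIATE_RESPONSE_FMT, body[:NEGOTIATE_RESPONSE_LEN])
    if fields[0] != NEGOTIATE_STRUCTURE_SIZE:
        raise ValueError("unexpected StructureSize %d" % fields[0])
    dialect, system_ft, start_ft = fields[2], fields[9], fields[10]
    system_time = filetime_to_datetime(system_ft)
    # A zero ServerStartTime carries no information: report it as absent, not as 1601.
    boot_time = filetime_to_datetime(start_ft) if start_ft else None
    return {
        "dialect": "0x%04x" % dialect,
        "system_time": system_time,
        "boot_time": boot_time,
        "date": format_timestamp(system_time),
        "boot": format_timestamp(boot_time) if boot_time else None,
        "uptime": format_difftime(system_time - boot_time) if boot_time else None,
    }


def assess_patch_status(boot_time, release_dates=PATCH_RELEASE_DATES):
    """A host last booted before a reboot-requiring patch was released cannot have
    installed it; a later boot proves nothing either way (inconclusive)."""
    if boot_time is None:
        return {pid: "UNKNOWN (boot time not reported)" for pid in release_dates}
    return {
        pid: ("LIKELY MISSING (no reboot since release)" if boot_time < released
              else "INCONCLUSIVE (rebooted after release)")
        for pid, released in release_dates.items()
    }


if __name__ == "__main__":
    sample = build_negotiate_response("2017-07-20T01:59:33Z", "2016-12-22T15:03:39Z")
    info = parse_negotiate_response(sample)
    print("Date:  ", info["date"])
    print("Boot:  ", info["boot"])
    print("Uptime:", info["uptime"])
    for pid, status in assess_patch_status(info["boot_time"]).items():
        print(f"{pid}: {status}")
```

The parser rejects a body whose StructureSize is not 65, and treats a zero ServerStartTime as "not reported" rather than as a 1601 boot date, so the patch assessment returns UNKNOWN instead of a false "missing patch" verdict in that case.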

