Notes about smb vuln ms17 010
The script smb-vuln-ms17-010 detects Microsoft SMBv1 servers vulnerable to a remote code execution vulnerability (ms17-010). This is the vulnerability exploited by the worm WannaCry to propagate.
Before anything else, make sure you have a recent version of Nmap (7.x). This script uses Lua 5.3 functionality and older versions of Nmap (6.x) use Lua 5.2. The script will be included as soon as possible in the latest release. However, if you want to help me test it, here are the steps to run it.
Download smb.lua from this repository and place it in your nselib directory:
- Linux - /usr/share/nmap/nselib/ or /usr/local/share/nmap/nselib/
- OSX - /usr/local/share/nmap/nselib/ or /opt/local/share/nmap/nselib/
- Windows - C:\Program Files\Nmap\nselib\
Download the script from this repository and place it in your NSE script directory:
- Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
- OSX - /usr/local/share/nmap/scripts/ or /opt/local/share/nmap/scripts/
- Windows - C:\Program Files\Nmap\scripts\
To register the new script in Nmap's script database, run:
# nmap --script-updatedb
Now you should have the script available from anywhere in the system. To detect if a machine is vulnerable, run the following Nmap command:
$nmap --script smb-vuln-ms17-010 -p445 <target>
The script connects to the IPC$ tree and executes a transaction on FID 0. If the server answers with the error STATUS_INSUFF_SERVER_RESOURCES, the machine is vulnerable to ms17-010; patched systems answer with STATUS_ACCESS_DENIED.
The script therefore requires access to IPC$. On systems configured to restrict anonymous access to IPC$, you need to provide credentials for the vulnerability check:
$nmap --script smb-vuln-ms17-010 --script-args smbuser=<user>,smbpass=<pass> -p445 <target>
A vulnerable host returns the following report:
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
By default the script prints nothing for a patched host. To get the script to report that a system is patched, enable verbosity:
$nmap -v --script smb-vuln-ms17-010 -p445 <target>
You should see the following report:
Host script results:
|_smb-vuln-ms17-010: This system is patched.
There is an official NSE script, smb-double-pulsar-backdoor, that checks whether a system has been infected with the DOUBLEPULSAR implant. If you are running a recent version of Nmap, just run the following command:
$nmap --script smb-double-pulsar-backdoor -p445 <target>
Vulnerable hosts will return the following report:
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       The Double Pulsar SMB backdoor was detected running on the remote machine.
|
|     Disclosure date: 2017-04-14
|     References:
|       https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/
|       https://github.com/countercept/doublepulsar-detection-script
|_      https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
I've tested the script against Windows 7, 8.1 and 10 and it seems to work as expected. If you encounter a problem, false positive or false negative, please send me the pcap!
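When you run either script against a whole subnet, the useful artifact is a list of hosts to patch, hosts to isolate, and hosts the check could not decide. The following is an added example, not part of this repository or of Nmap: it parses Nmap normal output (-oN) containing the smb-vuln-ms17-010 and smb-double-pulsar-backdoor reports shown above and sorts the hosts into those buckets. The scan text embedded in it is constructed for illustration (the addresses are not real hosts), and the report layout assumed is the one printed in this README. Note the caveat from the verbosity section: without -v a patched host prints no report at all, so a host with no report is filed as "recheck", never as patched.

```python
"""Triage nmap -oN output from smb-vuln-ms17-010 and smb-double-pulsar-backdoor."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MS17_010 = "smb-vuln-ms17-010"
DOUBLEPULSAR = "smb-double-pulsar-backdoor"

# Constructed sample scan (not real hosts); report layout as in the README.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| smb-double-pulsar-backdoor:
|   VULNERABLE:
|   Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|_    Disclosure date: 2017-04-14

Nmap scan report for 10.0.0.6
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|_smb-vuln-ms17-010: This system is patched.

Nmap scan report for 10.0.0.7
Host is up (0.0030s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
"""


@dataclass
class HostResult:
    host: str
    ms17_010: str          # "vulnerable", "patched" or "unknown"
    cve: Optional[str]     # CVE id reported by smb-vuln-ms17-010, if any
    doublepulsar: bool     # True when smb-double-pulsar-backdoor reports VULNERABLE


def script_output(block: str, script: str) -> List[str]:
    """Lines of one NSE script's report inside a host block.
    A report starts at "| <script>:" (or "|_<script>:" for a one-liner)
    and ends at the first following line that starts with "|_"."""
    start = re.compile(r"^\|_?\s*" + re.escape(script) + r":")
    lines: List[str] = []
    for line in block.splitlines():
        if not lines:
            if start.match(line):
                lines.append(line)
                if line.startswith("|_"):
                    break
        else:
            lines.append(line)
            if line.startswith("|_"):
                break
    return lines


def classify_ms17_010(lines: List[str]) -> Tuple[str, Optional[str]]:
    """Map the script's report to the three outcomes the README describes.
    No report means the script did not decide (no -v, no IPC$ access, ...)."""
    if not lines:
        return "unknown", None
    body = "\n".join(lines)
    if re.search(r"State:\s*VULNERABLE", body):
        m = re.search(r"CVE:(CVE-\d{4}-\d+)", body)
        return "vulnerable", (m.group(1) if m else None)
    if "This system is patched" in body:
        return "patched", None
    return "unknown", None


def parse_scan(text: str) -> List[HostResult]:
    results = []
    for block in re.split(r"(?m)^Nmap scan report for ", text)[1:]:
        host = block.split("\n", 1)[0].strip()
        state, cve = classify_ms17_010(script_output(block, MS17_010))
        dp_body = "\n".join(script_output(block, DOUBLEPULSAR))
        dp = bool(re.search(r"State:\s*VULNERABLE", dp_body))
        results.append(HostResult(host, state, cve, dp))
    return results


def triage(text: str) -> Dict[str, List[str]]:
    """Group hosts by the action a defender should take next."""
    buckets: Dict[str, List[str]] = {"isolate": [], "patch": [], "recheck": [], "ok": []}
    for r in parse_scan(text):
        if r.doublepulsar:
            buckets["isolate"].append(r.host)  # implant present: contain before patching
        elif r.ms17_010 == "vulnerable":
            buckets["patch"].append(r.host)
        elif r.ms17_010 == "unknown":
            buckets["recheck"].append(r.host)  # rerun with -v and/or smbuser/smbpass
        else:
            buckets["ok"].append(r.host)
    return buckets


if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_SCAN).items():
        print(f"{action:8s} {', '.join(hosts) or '-'}")
```

Feed it a real file with `parse_scan(open("scan.txt").read())`. The "isolate" bucket is checked first on purpose: a host that already carries the implant is an incident, not a patching task, and the ms17-010 state on that host is secondary.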