@Neo23x0
Last active March 19, 2020 17:10
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#
# Note:
# I had to use "--max-hostgroup 3", otherwise the script misses vulnerable hosts using nmap 7.30 on OS X
# Don't use "-T4", this also caused the script to miss vulnerable hosts
#
# Find a test range via ShodanHQ
# https://www.shodan.io/search?query=port%3A445+os%3A%22Windows+Server+2003%22
nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/X
@anderskortsen

Hi CrazySeajay

I checked, and one of the clients that has the error does have "File and Print Sharing" enabled under "Advanced sharing settings" for the profile that is current.

I even tried to disable and enable it again but that does not solve the issue.

FYI, this is a Windows 2012R2 client.

Any other ideas?

@anderskortsen

I have been through the list and it appears only to be related to Windows 2012/2012R2 and Windows 8/8.1/10. So something here might have changed regarding the IPC$.

@lotoju

lotoju commented May 15, 2017

I updated to the latest nmap and Lua on a Fedora 25 probe. Now the script seems to run fine, but it also fails with "Could not connect to 'IPC$'".
Does this mean that the scanned client is safe?

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.2.63

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 16:38 CEST
NSE: Using Lua 5.3.
Discovered open port 445/tcp on 192.168.2.63
Initiating NSE at 16:38
NSE: Starting smb-vuln-ms17-010 against 192.168.2.63.
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Extended login to 192.168.2.63 as \guest failed (NT_STATUS_NOT_SUPPORTED)
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Extended login to 192.168.2.63 as <blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: [smb-vuln-ms17-010 192.168.2.63] Could not connect to IPC$
NSE: Finished smb-vuln-ms17-010 against 192.168.2.63.
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$
Final times for host: srtt: 31854 rttvar: 34949 to: 171650

What should the script return when the scanned host is vulnerable?

@scog

scog commented May 15, 2017

A positive/vulnerable scan will result in the following:

Initiating NSE at 09:46
NSE: Starting smb-vuln-ms17-010 against 10.1.1.86.
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Extended login to 10.1.1.86 as DS003\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 10.1.1.86] Connected to share 'IPC$'
NSE: [smb-vuln-ms17-010 10.1.1.86] Valid SMB_COM_TRANSACTION response received
NSE: [smb-vuln-ms17-010 10.1.1.86] STATUS_INSUFF_SERVER_RESOURCES response received
NSE: [smb-vuln-ms17-010 10.1.1.86] This host is missing the patch for ms17-010!
NSE: Finished smb-vuln-ms17-010 against 10.1.1.86.
Completed NSE at 09:46, 0.26s elapsed
Nmap scan report for 10.1.1.86
Host is up, received echo-reply ttl 126 (0.0017s latency).
Scanned at 2017-05-15 09:46:11 CDT for 5s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 126

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Final times for host: srtt: 1692 rttvar: 3955  to: 100000

@lotoju

lotoju commented May 15, 2017

OK, in your case the script did "Connected to share 'IPC$'".
Does my "Could not connect to IPC$" mean I'm safe, or is it only because some kind of network setting is not set properly on the scanned host?

@John-doe2

@lotoju,

I had the vulnerability message like in scog's post. I updated the host, and then I had the "Could not connect to 'IPC$'" when I tried to scan it again.
So I guess that it means it's not vulnerable and that you are safe.

@lotoju

lotoju commented May 15, 2017

OK, now I found this host where it did connect to IPC$, but the script doesn't mention "This host is missing the patch for ms17-010":

Packet capture filter (device tun0): dst host 10.91.21.21 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.1.51 or src host 192.168.1.52 or src host 192.168.1.53)))
Discovered open port 445/tcp on 192.168.1.52
Completed SYN Stealth Scan at 18:23, 0.24s elapsed (3 total ports)
Overall sending rates: 20.34 packets / s, 894.84 bytes / s.
NSE: Script scanning 3 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:23
NSE: Starting smb-vuln-ms17-010 against 192.168.1.52.
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.1.52] LM Password:
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: WARNING: the server appears to be Unix; your mileage may vary.
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Extended login to 192.168.1.52 as ASOK\guest failed, but was given guest access (username may be wrong, or system may only allow guest)
NSE: [smb-vuln-ms17-010 192.168.1.52] Connected to IPC$ share
NSE: [smb-vuln-ms17-010 192.168.1.52] Valid SMB_COM_TRANSACTION response received
NSE: Finished smb-vuln-ms17-010 against 192.168.1.52.
Completed NSE at 18:23, 0.82s elapsed
Nmap scan report for asok.int-evry.fr (192.168.1.52)
Host is up, received user-set (0.021s latency).
Scanned at 2017-05-15 18:23:08 CEST for 1s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 63
Final times for host: srtt: 21259 rttvar: 21259 to: 106295

Is that safe?
It would be easier if it returned "This host is safe, it has the patch for ms17-010".

What do you think of that host? Safe or not?
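
The thread so far shows three different shapes of script output for the same scan: scog's VULNERABLE block, the "Could not connect to IPC$" one-liner, and a host where the script connected but printed nothing; a later comment adds a fourth, "This system is patched." When scanning a /24 or larger, sorting hosts by those outcomes by hand does not scale, so here is a small classifier for nmap's normal output. This is an added example, not code from the gist or from the NSE script; the report text inside it is constructed from the outputs quoted in this thread, and the host lab-host.example / 10.0.0.5 is a placeholder.

```python
"""Classify hosts from the normal output of nmap's smb-vuln-ms17-010 script.

Added example, not from the gist or the NSE script. It separates the outcomes
reported in this thread: a VULNERABLE block, "Could not connect to IPC$", a host
where the script printed nothing, and "This system is patched.". SAMPLE_REPORT is
constructed from those posts; lab-host.example / 10.0.0.5 is a placeholder.
"""
import re
from enum import Enum
from typing import Dict, List, Optional


class Ms17010State(Enum):
    VULNERABLE = "vulnerable"            # "State: VULNERABLE": the patch is missing
    PATCHED = "patched"                  # script versions that say so explicitly
    IPC_UNREACHABLE = "ipc-unreachable"  # SMBv1 off, guest denied or filtered: not tested
    NO_FINDING = "no-finding"            # script ran and printed nothing: not proven safe
    SCRIPT_ERROR = "script-error"        # any other message (e.g. a Lua runtime error)


# "Nmap scan report for name (10.1.1.86)" or "Nmap scan report for 10.1.1.86"
HOST_HEADER = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d+(?:\.\d+){3})\)?", re.M)


def script_section(block: str) -> Optional[str]:
    """Return the '|' lines belonging to smb-vuln-ms17-010 in one host block, or None."""
    lines = block.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("|") and "smb-vuln-ms17-010:" in line:
            section = [line]
            # A multi-line result starts with "| name:" and ends at the next "|_" line.
            if not line.startswith("|_"):
                for nxt in lines[i + 1:]:
                    section.append(nxt)
                    if nxt.startswith("|_"):
                        break
            return "\n".join(section)
    return None


def classify_section(section: Optional[str]) -> Ms17010State:
    """Map the script's text for one host to a state; the VULNERABLE check goes first."""
    if section is None:
        return Ms17010State.NO_FINDING
    if "State: VULNERABLE" in section:
        return Ms17010State.VULNERABLE
    if "Could not connect to" in section and "IPC$" in section:
        return Ms17010State.IPC_UNREACHABLE
    if "This system is patched" in section:
        return Ms17010State.PATCHED
    return Ms17010State.SCRIPT_ERROR


def classify_report(text: str) -> Dict[str, Ms17010State]:
    """Split a normal-format nmap report into per-host blocks and classify each one."""
    headers = list(HOST_HEADER.finditer(text))
    results: Dict[str, Ms17010State] = {}
    for idx, match in enumerate(headers):
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(text)
        results[match.group("ip")] = classify_section(script_section(text[match.start():end]))
    return results


def summarize(results: Dict[str, Ms17010State]) -> Dict[Ms17010State, List[str]]:
    """Group IPs by state so every non-PATCHED bucket can be followed up (rescan or patch)."""
    grouped: Dict[Ms17010State, List[str]] = {state: [] for state in Ms17010State}
    for ip, state in results.items():
        grouped[state].append(ip)
    return {state: sorted(ips) for state, ips in grouped.items()}


SAMPLE_REPORT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 12:54 EDT
Nmap scan report for 10.1.1.86
Host is up (0.0017s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH

Nmap scan report for 192.168.2.63
Host is up (0.031s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$

Nmap scan report for asok.int-evry.fr (192.168.1.52)
Host is up (0.021s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for lab-host.example (10.0.0.5)
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: This system is patched.

Nmap done: 256 IP addresses (4 hosts up) scanned in 5.55 seconds
"""

if __name__ == "__main__":
    for state, ips in summarize(classify_report(SAMPLE_REPORT)).items():
        print(f"{state.value:16} {', '.join(ips) or '-'}")
```

Feed it a file saved with `-oN` and treat only PATCHED as closed: IPC_UNREACHABLE means the check never ran (SMBv1 disabled, guest logon refused or port filtered, as the later comments in this thread work out), and NO_FINDING means this script version simply had nothing to say, so those hosts need a rescan under conditions where the check can run, or confirmation through patch inventory.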

@fireanthrax

fireanthrax commented May 15, 2017

After mucking about for a couple of hours trying to make it work on Ubuntu Server 16.04, Mint 18.1, and Kali 2017.1, I've decided to actually make an account and post because I can't be the only one. I have upgraded to the latest Lua and Nmap, although the script is using Lua 5.2 for some reason.

Debug output:

xxxx@vm52 ~/ $ sudo nmap -p445 --script smb-vuln-ms17-010.nse 10.2.220.34 -d

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-15 10:53 MDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
Completed NSE at 10:53, 0.00s elapsed
Initiating ARP Ping Scan at 10:53
Scanning 10.2.220.34 [1 port]
Packet capture filter (device enp0s3): arp and arp[18:4] = 0x080027BE and arp[22:2] = 0xCC63
Completed ARP Ping Scan at 10:53, 0.22s elapsed (1 total hosts)
Overall sending rates: 4.59 packets / s, 192.63 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 10:53
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:53, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:53
Scanning bxed0303.true.dom (10.2.220.34) [1 port]
Packet capture filter (device enp0s3): dst host 10.2.220.17 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.2.220.34)))
Discovered open port 445/tcp on 10.2.220.34
Increased max_successful_tryno for 10.2.220.34 to 1 (packet drop)
Completed SYN Stealth Scan at 10:53, 0.22s elapsed (1 total ports)
Overall sending rates: 9.23 packets / s, 406.15 bytes / s.
NSE: Script scanning 10.2.220.34.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
NSE: Starting smb-vuln-ms17-010 against 10.2.220.34.
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 10.2.220.34] LM Password:
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Extended login to 10.2.220.34 as TRUE\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 10.2.220.34] LM Password:
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Invalid NTLM challenge message: unexpected signature.
NSE: [smb-vuln-ms17-010 10.2.220.34] Connected to share 'IPC$'
NSE: smb-vuln-ms17-010 against 10.2.220.34 threw an error!
smb-vuln-ms17-010.nse:91: attempt to call field 'pack' (a nil value)
stack traceback:
smb-vuln-ms17-010.nse:91: in function 'check_ms17010'
smb-vuln-ms17-010.nse:160: in function smb-vuln-ms17-010.nse:138
(...tail calls...)

Completed NSE at 10:53, 0.03s elapsed
Nmap scan report for bxed0303.true.dom (10.2.220.34)
Host is up, received arp-response (0.00035s latency).
Scanned at 2017-05-15 10:53:44 MDT for 0s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
MAC Address: 64:51:06:34:7B:4D (Hewlett Packard)
Final times for host: srtt: 352 rttvar: 2830 to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
Completed NSE at 10:53, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
$

@codekevcode

Can we talk about this? I will post my output...

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 12:54 EDT
Nmap done: 256 IP addresses (10 hosts up) scanned in 5.55 seconds

my input ...

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.0/24

I am not even in a networked environment (server centralized), so maybe I am not vulnerable?

@itechlive

So I got _smb-vuln-ms17-010 IPC$ on some computers, others just 445/tcp open, and some with the whole
Host script results:
smb-vuln-ms17-010:
VULNERABLE:
Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
State: VULNERABLE
I got IPC$ on some, which I am assuming means they cannot connect to the hidden share C$ "as guest", which is good; all patches were installed prior to the scan.

I will run nmap again when I patch some of the PCs with the error, and I will update my findings.

But I am assuming that IPC$ means that it cannot connect to the hidden C$, and it is more likely that the patch has been installed, but I will update later when I can test more systems.

Thanks for the script.
Regards,

@intelnavi

Well, this didn't work. Guess I'll find something else.

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-15 12:49 CDT
--------------- Timing report ---------------
hostgroups: min 1, max 3
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:254: /usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:1: unexpected symbol near '{'
stack traceback:
[C]: in function 'assert'
/usr/bin/../share/nmap/nse_main.lua:254: in function 'loadscript'
/usr/bin/../share/nmap/nse_main.lua:582: in function 'new'
/usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
[C]: in ?

QUITTING!

@CrazySeajay

So I got the script, but get an error trying to run it.
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:57 Pacific Daylight Time

Fetchfile found C:\Program Files (x86)\Nmap/nmap-services

Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl

The max # of sockets we are using is: 0

--------------- Timing report ---------------

hostgroups: min 1, max 3

rtt-timeouts: init 1000, min 100, max 10000

max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

parallelism: min 0, max 0

max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0


NSE: Using Lua 5.3.

Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua

Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db

NSE: Arguments from CLI:

Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse

NSE: Script smb-vuln-ms17-010.nse was selected by file path.

NSE: failed to initialize the script engine:

C:\Program Files (x86)\Nmap/nse_main.lua:255: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'

stack traceback:

[C]: in function 'assert'

C:\Program Files (x86)\Nmap/nse_main.lua:255: in upvalue 'loadscript'

C:\Program Files (x86)\Nmap/nse_main.lua:597: in field 'new'

C:\Program Files (x86)\Nmap/nse_main.lua:820: in local 'get_chosen_scripts'

C:\Program Files (x86)\Nmap/nse_main.lua:1271: in main chunk

[C]: in ?

QUITTING!

Is it saying it doesn't like line one?

@mhemani-reach

@intelnavi you need the latest version of nmap

@CrazySeajay

Um, it's 7.4. I downloaded it this AM from the nmap site, latest stable.

@itechlive

@CrazySeajay, did you put the script in the parent directory c:\Program Files (x86)\Nmap? It works fine on my end.

@CrazySeajay

I did and still get the same error. Is this the correct script?
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

@CrazySeajay

Apparently the script had an error, it got updated an hour ago and now works.

@Deepfriedrolos

Deepfriedrolos commented May 16, 2017

Hi Guys,

I am also getting the same errors as @CrazySeajay.

I am fully up to date and have the latest script mentioned. Any pointers as to what I am doing wrong? I'm using Windows.
Here is the output from nmap:

NSE: failed to initialize the script engine:

C:\Program Files (x86)\Nmap/nse_main.lua:259: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'

stack traceback:

[C]: in function 'assert'

C:\Program Files (x86)\Nmap/nse_main.lua:259: in upvalue 'loadscript'

C:\Program Files (x86)\Nmap/nse_main.lua:601: in field 'new'

C:\Program Files (x86)\Nmap/nse_main.lua:824: in local 'get_chosen_scripts'

C:\Program Files (x86)\Nmap/nse_main.lua:1310: in main chunk

[C]: in ?

QUITTING!

Looks like it might be a problem with the packaged nmap scripts? Any help appreciated.

Thanks

@marcosx86

Getting an error while executing on Debian Jessie:

Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-16 10:04 -03
--------------- Timing report ---------------
  hostgroups: min 1, max 3
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 10:04
Scanning 10.56.7.187 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x0023AE8A and arp[22:2] = 0xBEDD
Completed ARP Ping Scan at 10:04, 0.21s elapsed (1 total hosts)
Overall sending rates: 4.64 packets / s, 194.68 bytes / s.
mass_rdns: Using DNS server 10.56.7.231
mass_rdns: Using DNS server 10.56.7.232
Initiating Parallel DNS resolution of 1 host. at 10:04
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:04
Scanning 2-cmo-marcos.sedur.intranet (10.56.7.187) [1 port]
Packet capture filter (device eth0): dst host 10.56.7.200 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.56.7.187)))
Discovered open port 445/tcp on 10.56.7.187
Increased max_successful_tryno for 10.56.7.187 to 1 (packet drop)
Completed SYN Stealth Scan at 10:04, 0.24s elapsed (1 total ports)
Overall sending rates: 8.27 packets / s, 364.00 bytes / s.
NSE: Script scanning 10.56.7.187.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-vuln-ms17-010 against 10.56.7.187.
Initiating NSE at 10:04
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: LM Password: 
NSE: SMB: Extended login to 10.56.7.187 as SEDUR\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: LM Password: 
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-vuln-ms17-010 against 10.56.7.187 threw an error!
smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared
stack traceback:
	[C]: in function 'error'
	/usr/bin/../share/nmap/nselib/strict.lua:80: in function '__index'
	smb-vuln-ms17-010.nse:88: in function 'check_ms17010'
	smb-vuln-ms17-010.nse:163: in function <smb-vuln-ms17-010.nse:141>
	(...tail calls...)

Completed NSE at 10:04, 0.12s elapsed
Nmap scan report for 2-cmo-marcos.sedur.intranet (10.56.7.187)
Host is up, received arp-response (0.00027s latency).
Scanned at 2017-05-16 10:04:14 -03 for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: C8:9C:DC:C4:95:EF (Elitegroup Computer System CO.)
Final times for host: srtt: 269 rttvar: 2852  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

@Deepfriedrolos

Does anyone know a reputable place to download old versions of nmap for windows? Their own site is quite hard to navigate.

Thanks

@Deepfriedrolos

Hi,

Would anyone be willing to help me for a fee? please DM me and we can discuss.

@corycorycorycory

corycorycorycory commented May 16, 2017

@Deepfriedrolos

Judging by the "<\239>" appearing, I wonder if you saved the link to the github page, not the file itself.

Try this one (raw output):
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

Either Save it, or copy and paste its contents into a file.
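
Both load failures quoted in this thread happen at line 1 of the script, before a single host is scanned, and the error text tells you the first byte Lua saw: Lua prints an unprintable byte as `<\NNN>`, so `'<\239>'` is byte 0xEF, the first byte of the UTF-8 byte-order mark (EF BB BF) that some Windows editors prepend when saving as UTF-8, while a file saved from the GitHub web page would start with `<`. The following check, an added example that is not part of the gist, the NSE script or Nmap, tells those cases apart from the raw bytes and can strip a BOM; the sample file contents in it are constructed.

```python
"""Check a downloaded .nse file for the first-byte problems seen in this thread.

Added example, not from the gist, the NSE script or Nmap. Lua's lexer reports an
unprintable first byte as '<\\NNN>', so '<\\239>' at line 1 means the file starts
with 0xEF, the first byte of the UTF-8 byte-order mark (EF BB BF). A file saved
from the GitHub web page instead of the raw URL starts with '<' (HTML). Either
way nse_main.lua fails to load the script. The sample contents are constructed.
"""
import sys

UTF8_BOM = b"\xef\xbb\xbf"


def lua_first_symbol(data: bytes) -> str:
    """Render the first byte the way Lua's 'unexpected symbol near' message does."""
    first = data[0]
    if 32 <= first < 127:          # printable ASCII is shown as-is, e.g. '{'
        return "'%c'" % first
    return "'<\\%d>'" % first      # anything else as its decimal value, e.g. '<\239>'


def diagnose_nse(data: bytes) -> str:
    """Return 'empty', 'bom', 'html' or 'ok' for the raw bytes of a .nse file."""
    if not data:
        return "empty"
    if data.startswith(UTF8_BOM):
        return "bom"
    if data.lstrip().startswith(b"<"):   # '<!DOCTYPE html>' / '<html': a web page, not Lua
        return "html"
    return "ok"


def strip_bom(data: bytes) -> bytes:
    """Drop a leading UTF-8 BOM so the first token Lua sees is real Lua source."""
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data


def check_file(path: str, fix: bool = False) -> str:
    """Diagnose a script on disk; with fix=True, rewrite a BOM-prefixed file without it."""
    with open(path, "rb") as fh:
        data = fh.read()
    verdict = diagnose_nse(data)
    if verdict == "bom" and fix:
        with open(path, "wb") as fh:
            fh.write(strip_bom(data))
        verdict = "bom-removed"
    return verdict


# Constructed samples: a BOM-prefixed script, a saved web page, and a clean script.
SAMPLE_BOM = UTF8_BOM + b'local smb = require "smb"\n'
SAMPLE_HTML = b'<!DOCTYPE html>\n<html lang="en">\n'
SAMPLE_OK = b'local smb = require "smb"\n'

if __name__ == "__main__":
    # Usage: python check_nse.py path/to/smb-vuln-ms17-010.nse [--fix]
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1], fix="--fix" in sys.argv))
    else:
        for name, sample in (("bom", SAMPLE_BOM), ("html", SAMPLE_HTML), ("ok", SAMPLE_OK)):
            print(name, diagnose_nse(sample), lua_first_symbol(sample))
```

An "html" verdict means re-download from the raw URL; a "bom" verdict means the right file was saved with the wrong encoding, and `--fix` (or re-saving as UTF-8 without BOM) is enough.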

@Deepfriedrolos

@corycorycorycory - You were right! Thanks a lot! Great spot...

@NoorQureshi

What does that mean?

Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$

@gsphan

gsphan commented May 17, 2017

Hello all,
I have the same issue, even though my PC already has all Windows updates.

Regards
HIEUPT

@gsphan

gsphan commented May 17, 2017

Hello all,
I know why the output is " smb-vuln-ms17-010: Could not connect to 'IPC$' " when scanning SMBv1. It is because we disabled SMB version 1 on that PC. So to check whether the patch is installed or not, re-enable SMBv1 on it and run the script again.

Rgs,

@serwolff

serwolff commented May 17, 2017

Hello, I made a script on Linux to search the network. I hope it helps you; you can modify whatever you want.

#!/bin/bash
#######################################################################################################
# Author: Sergio Wolf
#
# Description: Search the net for WannaCry - MS17-010
#
# Date: 05-16-2017
#######################################################################################################
# Requirements:
#
# OS: CentOS 7 or other Linux
#
# NMAP: Nmap version 7.40 using smb-vuln-ms17-010.nse
#######################################################################################################
# To run, create the file list_range_ip.txt and include the networks or the IPs that will be searched.
#
# After the wait at the end of the loop (sleep 6000 seconds as written) it does a new search.
#
# The result will be in the virus directory: one file per IP that should be analyzed.
#
# The IPs that you do not want to be searched should be included in the blacklist.txt file.
#
# Modify the script as you wish and use it.
#
# Run nmap as super-user.
#######################################################################################################
resul=tmp/result.txt        # Temporary file
blacklist=blacklist.txt     # Blacklist file
range_ip=list_range_ip.txt  # List of ranges or IPs to scan

mkdir -p virus tmp

IFS=$'\t\n'   # Split command output on lines only, so each nmap report line stays whole
while true
do
   # Find ranges
   for range in $(cat "$range_ip")
   do
      echo "Processing range: $range"
      # Host discovery only; lines look like "Nmap scan report for name (10.0.0.1)" or "... for 10.0.0.1"
      for linha in $(nmap -sn "$range" | grep "^Nmap" | grep -v seconds)
      do
         linha=$(echo "$linha" | sed -e 's/(//g' -e 's/)//g')

         valor1=$(echo "$linha" | cut -d' ' -f6)
         valor2=$(echo "$linha" | cut -d' ' -f5)

         if [ "$valor1" = "" ]; then
            # No hostname: field 5 is the IP
            IP=$valor2
         else
            IP=$valor1
         fi

         echo "Processing range: $range - $IP"

         # Convert IP to hostname (drop the trailing dot from the PTR answer)
         hostname=$(host "$IP" | cut -d" " -f5 | sed -e 's/\.$//')
         if [ "$hostname" = "" -o "$hostname" = "3(NXDOMAIN)" ]; then
            hostname=$IP
         fi

         # Find in blacklist (by hostname or by IP, literal match on whole words)
         black=$(grep -Fw -e "$hostname" -e "$IP" "$blacklist" | wc -l)
         if [ "$black" = "0" ]; then
            nmap -sC -p445 --script smb-vuln-ms17-010.nse "$IP" > "$resul"
            # Check for vulnerability
            valida=$(grep "State: VULNERABLE" "$resul" | wc -l)
            if [ "$valida" != "0" ]; then
               echo "$IP" >> "virus/$IP"
            fi
            rm "$resul"
         else
            echo "$IP is blacklisted"
         fi

      done
   done
   sleep 6000   # Wait before a new search
done
# END SCRIPT

Example files:
list_range_ip.txt
10.10.100.0/23
10.10.102.31
10.10.102.160
10.10.102.3
10.10.105.74

blacklist.txt
nehdh33-5049.cbd.net.bz
10.48.8.168
10.48.8.218
10.48.8.247
jonae83u-5002.xbd.net.bz

You can change "nmap -sn" to "nmap -sL" to search all addresses.

Rgs,

@dmah6

dmah6 commented May 26, 2017

Lua 5.2's string library doesn't support pack and unpack and that's why you get:

/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: attempt to call field 'pack' (a nil value)

You can use string.char and string.byte to replace these with some work. Be careful with the number of bytes when packing.

Older versions of nmap don't have the stdnse.debug[12] calls:

smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared

You can replace those with nmap.log_write("stdout", string.format calls.

@pescepescetarian

pescepescetarian commented Jan 3, 2020

I am currently doing this in a local lab and experienced the "could not connect to ipc$" error. To confirm that my system was indeed patched, I executed the following steps (NOT recommended if you are running a production instance):

  1. Enable file and printer sharing
  2. Disable firewall
  3. Allowed Guest logon for SMB share
  4. Enabled SMB v1 (this is disabled by default). Run the following command to enable it.

Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

That gave me the following result:

smb-vuln-ms17-010: This system is patched.
