Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#
# Note:
# I had to use "--max-hostgroup 3", otherwise the script misses vulnerable hosts using nmap 7.30 on OS X
# Don't use "-T4", this also caused the script to miss vulnerable hosts
#
# Find a test range via ShodanHQ
# https://www.shodan.io/search?query=port%3A445+os%3A%22Windows+Server+2003%22
nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/X

lotoju commented May 15, 2017

the script fail in function 'check_ms17010'
example here in debug mode (-d)

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.2.20

Starting Nmap 7.00 ( https://nmap.org ) at 2017-05-15 13:29 CEST
Discovered open port 445/tcp on 192.168.2.20
Completed SYN Stealth Scan at 13:29, 0.02s elapsed (1 total ports)
Overall sending rates: 54.50 packets / s, 2397.82 bytes / s.
NSE: Script scanning 192.168.2.20.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 13:29
NSE: Starting smb-vuln-ms17-010 against 192.168.2.20.
NSE: [smb-vuln-ms17-010 192.168.2.20] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.2.20] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.2.20] LM Password:
NSE: [smb-vuln-ms17-010 192.168.2.20 SMB: Extended login to 192.168.2.20 as WORKGROUP\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 192.168.2.20 LM Password:
NSE: [smb-vuln-ms17-010 192.168.2.20] SMB: Invalid NTLM challenge message: unexpected signature.
NSE: [smb-vuln-ms17-010 192.168.2.20 Connected to IPC$ share
NSE: smb-vuln-ms17-010 against 192.168.2.20 threw an error!
/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: attempt to call field 'pack' (a nil value)
stack traceback:
/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: in function 'check_ms17010'
/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:163: in function </usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:141>
(...tail calls...)

Completed NSE at 13:29, 0.02s elapsed

is it "SMB: Invalid NTLM challenge message: unexpected signature." could itbe the problem with SMB2 signed signature ?
then if it fails does it proove that smb1 is disabled ?
How can I simply smb1 enabled with nmap ?

regards

Same error here, with nmap 6.40 Lua 5.2 ubuntu 14.04

kainzjoh commented May 15, 2017

please make sure you're using an up-to-date version of nmap and lua5.3
ex:
Nmap version 7.40 ( https://nmap.org ) Platform: x86_64-apple-darwin16.3.0 Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 libpcap-1.8.1 nmap-libdnet-1.12 ipv6

lotoju commented May 15, 2017

Updated my nmap package from 7.00-1.fc23 to 7.12-1.fc23, same problem, does this script needs 7.40 ?
updated lua-5.3.2-2.fc23 to 5.3.3-1.fc23

Starting Nmap 7.12 ( https://nmap.org ) at 2017-05-15 14:47 CEST
NSE: Using Lua 5.2.

strange that nmdap lua usage doesn't shows 5.3 !?

Anyway, I am not convince it is a version pb , but rather an smb2 check ?
does anyone succeded running that script ?

I was able to run it in my lab using nmap 7.40 with Lua 5.3. (running on osx installed with brew)

premax commented May 15, 2017

Confirm - not working on Ubuntu 14.04 LTS with all updates (nmap v6.40, liblua-5.2.3)

I used Zenmap 7.40 and a freshly compiled Nmap 7.40 on Debian Jessie, it works fine their. I just have to note that it could be abit more verbose on non-vulnerable Systems.

I am trying to scan my network which mainly contains Windows clients. When I am running the script it marks some of the clients as vulnerable and some clients returns the error "Could not connect to 'IPC$'" which appears to be an permission issue. I am running nmap as domain administrator so I think the permission shouldn't be an issue.
When I browser the client it get the permission error. Anyone else seeing this?

That IPC$ error will appear if the client does not have file and print sharing enabled regardless of who you are logged in as. It's the windows firewall on the client.

Hi CrazySeajay

I checked and one of the clients who have the error does have "File and Print Sharing" enabled under "Advanced sharing settings" under the profile which is current.

I even tried to disable and enable it again but that does not solve the issue.

FYI, this a Windows 2012R2 client.

Any other ideas?

I have been through the list and it appears only to be related to Windows 2012/2012R2 and Windows 8/8.1/10. So something here might have changed regarding the IPC$.

lotoju commented May 15, 2017

I did update to thelatest nmap and lua on a fedora 25 probe . Now the script seems to run fine but failed also on "Could not connect to 'IPC$'"
does this mean that the scan client is safe ?

nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.2.63

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 16:38 CEST
NSE: Using Lua 5.3.
Discovered open port 445/tcp on 192.168.2.63
Initiating NSE at 16:38
NSE: Starting smb-vuln-ms17-010 against 192.168.2.63.
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Extended login to 192.168.2.63 as \guest failed (NT_STATUS_NOT_SUPPORTED)
NSE: [smb-vuln-ms17-010 192.168.2.63] SMB: Extended login to 192.168.2.63 as <blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: [smb-vuln-ms17-010 192.168.2.63] Could not connect to IPC$
NSE: Finished smb-vuln-ms17-010 against 192.168.2.63.
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$
Final times for host: srtt: 31854 rttvar: 34949 to: 171650

what does the script should return when the scan host is vulnerable ?

scog commented May 15, 2017

A postivie/vulnerable scan will result in the following:

Initiating NSE at 09:46
NSE: Starting smb-vuln-ms17-010 against 10.1.1.86.
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 10.1.1.86] SMB: Extended login to 10.1.1.86 as DS003\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 10.1.1.86] Connected to share 'IPC$'
NSE: [smb-vuln-ms17-010 10.1.1.86] Valid SMB_COM_TRANSACTION response received
NSE: [smb-vuln-ms17-010 10.1.1.86] STATUS_INSUFF_SERVER_RESOURCES response received
NSE: [smb-vuln-ms17-010 10.1.1.86] This host is missing the patch for ms17-010!
NSE: Finished smb-vuln-ms17-010 against 10.1.1.86.
Completed NSE at 09:46, 0.26s elapsed
Nmap scan report for 10.1.1.86
Host is up, received echo-reply ttl 126 (0.0017s latency).
Scanned at 2017-05-15 09:46:11 CDT for 5s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 126

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Final times for host: srtt: 1692 rttvar: 3955  to: 100000

lotoju commented May 15, 2017

ok, in your case the script did "Connected to share 'IPC$'"
does my "Could not connect to IPC$" means I'am safe or it's only because some kind of network setting is not set properly the scanned host ?

@lotoju,

I had the vulnerability message like in scog's post. I updated the host and then I had the "could not connect to 'IPC$' when I tried to scan it again.
So I guess that it means it's not vulnerable and that you are safe.

lotoju commented May 15, 2017

ok, now I found this host where I did connected to IPC$ , but script doesn't mention "This host is missing the patch for ms17-010"

Packet capture filter (device tun0): dst host 10.91.21.21 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.1.51 or src host 192.168.1.52 or src host 192.168.1.53)))
Discovered open port 445/tcp on 192.168.1.52
Completed SYN Stealth Scan at 18:23, 0.24s elapsed (3 total ports)
Overall sending rates: 20.34 packets / s, 894.84 bytes / s.
NSE: Script scanning 3 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 18:23
NSE: Starting smb-vuln-ms17-010 against 192.168.1.52.
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.1.52] LM Password:
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: WARNING: the server appears to be Unix; your mileage may vary.
NSE: [smb-vuln-ms17-010 192.168.1.52] SMB: Extended login to 192.168.1.52 as ASOK\guest failed, but was given guest access (username may be wrong, or system may only allow guest)
NSE: [smb-vuln-ms17-010 192.168.1.52] Connected to IPC$ share
NSE: [smb-vuln-ms17-010 192.168.1.52] Valid SMB_COM_TRANSACTION response received
NSE: Finished smb-vuln-ms17-010 against 192.168.1.52.
Completed NSE at 18:23, 0.82s elapsed
Nmap scan report for asok.int-evry.fr (192.168.1.52)
Host is up, received user-set (0.021s latency).
Scanned at 2017-05-15 18:23:08 CEST for 1s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 63
Final times for host: srtt: 21259 rttvar: 21259 to: 106295

if that's safe ?
it would be easier to return "This host is safe it has patch for ms17-010"

what do you think of that host ? safe or not ?

fireanthrax commented May 15, 2017

After mucking about for a couple of hours trying to make it work on Ubuntu Server 16.04, Mint 18.1, and Kali 2017.1, I've decided to actually make an account and post because I can't be the only one. I have upgraded to latest LUA and NMAP, although the script is using LUA 5.2 for some reason.

Debug output:

xxxx@vm52 ~/ $ sudo nmap -p445 --script smb-vuln-ms17-010.nse 10.2.220.34 -d

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-15 10:53 MDT
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
Completed NSE at 10:53, 0.00s elapsed
Initiating ARP Ping Scan at 10:53
Scanning 10.2.220.34 [1 port]
Packet capture filter (device enp0s3): arp and arp[18:4] = 0x080027BE and arp[22:2] = 0xCC63
Completed ARP Ping Scan at 10:53, 0.22s elapsed (1 total hosts)
Overall sending rates: 4.59 packets / s, 192.63 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 10:53
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:53, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:53
Scanning bxed0303.true.dom (10.2.220.34) [1 port]
Packet capture filter (device enp0s3): dst host 10.2.220.17 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.2.220.34)))
Discovered open port 445/tcp on 10.2.220.34
Increased max_successful_tryno for 10.2.220.34 to 1 (packet drop)
Completed SYN Stealth Scan at 10:53, 0.22s elapsed (1 total ports)
Overall sending rates: 9.23 packets / s, 406.15 bytes / s.
NSE: Script scanning 10.2.220.34.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
NSE: Starting smb-vuln-ms17-010 against 10.2.220.34.
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 10.2.220.34] LM Password:
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Extended login to 10.2.220.34 as TRUE\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 10.2.220.34] LM Password:
NSE: [smb-vuln-ms17-010 10.2.220.34] SMB: Invalid NTLM challenge message: unexpected signature.
NSE: [smb-vuln-ms17-010 10.2.220.34] Connected to share 'IPC$'
NSE: smb-vuln-ms17-010 against 10.2.220.34 threw an error!
smb-vuln-ms17-010.nse:91: attempt to call field 'pack' (a nil value)
stack traceback:
smb-vuln-ms17-010.nse:91: in function 'check_ms17010'
smb-vuln-ms17-010.nse:160: in function smb-vuln-ms17-010.nse:138
(...tail calls...)

Completed NSE at 10:53, 0.03s elapsed
Nmap scan report for bxed0303.true.dom (10.2.220.34)
Host is up, received arp-response (0.00035s latency).
Scanned at 2017-05-15 10:53:44 MDT for 0s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
MAC Address: 64:51:06:34:7B:4D (Hewlett Packard)
Final times for host: srtt: 352 rttvar: 2830 to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:53
Completed NSE at 10:53, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
$

Can we talk about this? I will post my output...

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 12:54 EDT
Nmap done: 256 IP addresses (10 hosts up) scanned in 5.55 seconds

my input ...

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.0/24

Can we talk about this? I will post my output...

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 12:54 EDT
Nmap done: 256 IP addresses (10 hosts up) scanned in 5.55 seconds

my input ...

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.0/24

I am not even in a networked environment(server centralized) so maybe I am not vulnerable?

so I got _smb-vulb-ms17-010 IPC$ in some computers, others just 445/tcp open, and some with the whole
Host script results:
smb-vuln-ms17-010:
VULNERABLE:
Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
State: VULNERABLE
I went to some IPC$ which I am assuming it means they cannot connect to the share hidden C$ "as guest" which is good, all patches were installed prior to scan.

I will run nmap again when I patch some of the PC with error and I will update my finding.

But I am assuming that IPC$ means that it cannot connect to the hidden c$. and it is more likely that the patch has been installed but I will update later when I can test more systems.

Thanks for the script.
Regards,

Well, this didn't work. Guess I'll find something else.

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-15 12:49 CDT
--------------- Timing report ---------------
hostgroups: min 1, max 3
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:254: /usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:1: unexpected symbol near '{'
stack traceback:
[C]: in function 'assert'
/usr/bin/../share/nmap/nse_main.lua:254: in function 'loadscript'
/usr/bin/../share/nmap/nse_main.lua:582: in function 'new'
/usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
[C]: in ?

QUITTING!

So I got the script, but get an error trying to run it.
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:57 Pacific Daylight Time

Fetchfile found C:\Program Files (x86)\Nmap/nmap-services

Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl

The max # of sockets we are using is: 0

--------------- Timing report ---------------

hostgroups: min 1, max 3

rtt-timeouts: init 1000, min 100, max 10000

max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

parallelism: min 0, max 0

max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0


NSE: Using Lua 5.3.

Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua

Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db

NSE: Arguments from CLI:

Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse

NSE: Script smb-vuln-ms17-010.nse was selected by file path.

NSE: failed to initialize the script engine:

C:\Program Files (x86)\Nmap/nse_main.lua:255: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'

stack traceback:

[C]: in function 'assert'

C:\Program Files (x86)\Nmap/nse_main.lua:255: in upvalue 'loadscript'

C:\Program Files (x86)\Nmap/nse_main.lua:597: in field 'new'

C:\Program Files (x86)\Nmap/nse_main.lua:820: in local 'get_chosen_scripts'

C:\Program Files (x86)\Nmap/nse_main.lua:1271: in main chunk

[C]: in ?

QUITTING!

Is it saying it doesn't like line one?

@intelnavi you need the latest version of nmap

Um, it's 7.4. I downloaded it this AM from the nmap site, latest stable.

@CrazySeajay, did you put the script on the parent directory c:\Program Files (x86)\Nmap, it works fine on my end

I did and still get the same error. Is this the correct script?
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

Apparently the script had an error, it got updated an hour ago and now works.

Deepfriedrolos commented May 16, 2017

Hi Guys,

I am also getting the same errors as @CrazySeajay.

I am fully up to date and have the latest script mentioned. Any pointers as to what i am doing wrong? Im using windows..
Here is the output from nmap

NSE: failed to initialize the script engine:

C:\Program Files (x86)\Nmap/nse_main.lua:259: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'

stack traceback:

[C]: in function 'assert'

C:\Program Files (x86)\Nmap/nse_main.lua:259: in upvalue 'loadscript'

C:\Program Files (x86)\Nmap/nse_main.lua:601: in field 'new'

C:\Program Files (x86)\Nmap/nse_main.lua:824: in local 'get_chosen_scripts'

C:\Program Files (x86)\Nmap/nse_main.lua:1310: in main chunk

[C]: in ?

QUITTING!

Looks to maybe be a problem with the packaged nmap scripts? Any help appreciated.

Thanks

Getting error while executing on Debian Jessie

Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-16 10:04 -03
--------------- Timing report ---------------
  hostgroups: min 1, max 3
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 10:04
Scanning 10.56.7.187 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x0023AE8A and arp[22:2] = 0xBEDD
Completed ARP Ping Scan at 10:04, 0.21s elapsed (1 total hosts)
Overall sending rates: 4.64 packets / s, 194.68 bytes / s.
mass_rdns: Using DNS server 10.56.7.231
mass_rdns: Using DNS server 10.56.7.232
Initiating Parallel DNS resolution of 1 host. at 10:04
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:04
Scanning 2-cmo-marcos.sedur.intranet (10.56.7.187) [1 port]
Packet capture filter (device eth0): dst host 10.56.7.200 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.56.7.187)))
Discovered open port 445/tcp on 10.56.7.187
Increased max_successful_tryno for 10.56.7.187 to 1 (packet drop)
Completed SYN Stealth Scan at 10:04, 0.24s elapsed (1 total ports)
Overall sending rates: 8.27 packets / s, 364.00 bytes / s.
NSE: Script scanning 10.56.7.187.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-vuln-ms17-010 against 10.56.7.187.
Initiating NSE at 10:04
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: LM Password: 
NSE: SMB: Extended login to 10.56.7.187 as SEDUR\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: LM Password: 
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-vuln-ms17-010 against 10.56.7.187 threw an error!
smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared
stack traceback:
	[C]: in function 'error'
	/usr/bin/../share/nmap/nselib/strict.lua:80: in function '__index'
	smb-vuln-ms17-010.nse:88: in function 'check_ms17010'
	smb-vuln-ms17-010.nse:163: in function <smb-vuln-ms17-010.nse:141>
	(...tail calls...)

Completed NSE at 10:04, 0.12s elapsed
Nmap scan report for 2-cmo-marcos.sedur.intranet (10.56.7.187)
Host is up, received arp-response (0.00027s latency).
Scanned at 2017-05-16 10:04:14 -03 for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: C8:9C:DC:C4:95:EF (Elitegroup Computer System CO.)
Final times for host: srtt: 269 rttvar: 2852  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Does anyone know a reputable place to download old versions of nmap for windows? Their own site is quite hard to navigate.

Thanks

Hi,

Would anyone be willing to help me for a fee? please DM me and we can discuss.

corycorycorycory commented May 16, 2017

@Deepfriedrolos

Judging by the "<\239>" appearing, I wonder if you saved the link to the github page, not the file itself.

Try this one (raw output):
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

Either Save it, or copy and paste its contents into a file.

@corycorycorycory - You were right! Thanks alot! Great spot...

what dose that mean?

Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$

gsphan commented May 17, 2017

Hello all,
I have the same issue, event that my pc alreadly up to date all windows update

Regards
HIEUPT

gsphan commented May 17, 2017

Hello all,
I known why the output is " smb-vuln-ms17-010: Could not connect to 'IPC$' " when scan smbv1. It is because we disable smb version 1 on that PC. So to check the patch update is ok or not, reopen smbv1 on it and run script againt

Rgs,

serwolff commented May 17, 2017

Hello, I made a script in linux to search the network, I hope it helps you, you can modify whatever you want.

#/bin/bash
#######################################################################################################

Author: Sergio Wolf

Description: Search the net on vannacry - MS17-010

Date: 05-16-2017

#######################################################################################################

Requirements:

OS: CENTOS v.7 or others linux

NMAP: Nmap version 7.40 using smb-vuln-ms17-010.nse

#######################################################################################################

To run create the file list_range_ip.txt and include the network or the ips that will be searched.

After 10 minutes you will do a new search.

The result will be in the virus directory, it will be the ip that should be analyzed.

The ips that you do not want to be searched for should be included in the blacklist.txt file.

Modify the script as you wish and use it.

Executing nmap with super-user.

#######################################################################################################
resul=tmp/result.txt # File temporary
blacklist=blacklist.txt # File blacklist
range_ip=list_range_ip.txt # List range or ips for scan

mkdir -p virus tmp

IFS=$'\t\n'
while true
do

Find ranges

for range in $(cat $range_ip)
do
echo "Processing range: $range"
for linha in $(nmap -sn $range | grep "^Nmap" | grep -v seconds)
do
linha=$(echo $linha | sed -e 's/(//g')
linha=$(echo $linha | sed -e 's/)//g')

   valor1=$(echo $linha | cut -d' ' -f6)
   valor2=$(echo $linha | cut -d' ' -f5)

   if [ "$valor1" = "" ]; then
      # no have hostname
      IP=$valor2
   else
      IP=$valor1
   fi

   echo "Processing range: $range - $IP"
     
   # Convert IP in hostname
   hostname=$(host $IP | cut -d" " -f5)
   if [ "$hostname" = "" -o "$hostname" = "3(NXDOMAIN)" ]; then
      hostname=$IP
   fi

   # Find in blacklist
   black=$(grep -w "$hostname" $blacklist | wc -l)
   if [ "$black" = "0" ]; then
      nmap -sC -p445 --script smb-vuln-ms17-010.nse $IP > $resul
      # Check for vulnerability
      valida=$(grep "State: VULNERABLE" $resul | wc -l)
      if [ "$valida" != "0" ]; then
         echo $IP >> virus/$IP
      fi
      rm $resul
   else
      echo "$IP is blacklist"
   fi

done
done
sleep 6000 # Wait for new search
done

END SCRIPT

Example files:
list_range_ip.txt
10.10.100.0/23
10.10.102.31
10.10.102.160
10.10.102.3
10.10.105.74

blacklist.txt
nehdh33-5049.cbd.net.bz
10.48.8.168
10.48.8.218
10.48.8.247
jonae83u-5002.xbd.net.bz

You can change "nmap -sn" to "nmap -sL" to search all addresses.

Rgs,

dmah6 commented May 26, 2017

Lua 5.2's string library doesn't support pack and unpack and that's why you get:

/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: attempt to call field 'pack' (a nil value)

You can use string.char and string.byte to replace these with some work. Be careful with the number of bytes when packing.

Older versions of nmap don't have the stdnse.debug[12] calls:

smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared

You can replace those with nmap.log_write("stdout", string.format calls.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment