@Neo23x0
Last active March 19, 2020 17:10
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#
# Note:
# I had to use "--max-hostgroup 3", otherwise the script misses vulnerable hosts using nmap 7.30 on OS X
# Don't use "-T4", this also caused the script to miss vulnerable hosts
#
# Find a test range via ShodanHQ
# https://www.shodan.io/search?query=port%3A445+os%3A%22Windows+Server+2003%22
nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/X
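The one-liner above prints its verdict per host in nmap's normal output, and the comments below show that "Could not connect to 'IPC$'" is a third outcome besides VULNERABLE and "This system is patched" that is easy to mistake for a clean host. The following script is an added example, not part of the gist, that reads the XML written by `-oX` and sorts hosts into VULNERABLE, PATCHED, INCONCLUSIVE and NOT_TESTED; the embedded `SAMPLE_XML` is constructed to mimic the layout of a real `nmap -oX` document (one port script per host, with the structured `<table>`/`<elem key="state">` block the NSE vulns library emits for a positive result) and is not real scan output.

```python
"""Classify hosts from `nmap -oX` output of the smb-vuln-ms17-010 script (added example)."""
import re
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample, NOT real scan output: four hosts laid out the way nmap -oX
# writes port scripts, one per outcome discussed on this page.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -p445 --script smb-vuln-ms17-010 -oX - 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="This system is patched."/>
    </port></ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="Could not connect to 'IPC$'"/>
    </port></ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.4" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


def classify_script(script):
    """Map one smb-vuln-ms17-010 <script> element to a verdict string."""
    # Prefer the structured state the NSE vulns library writes as <elem key="state">.
    for elem in script.iter("elem"):
        if elem.get("key") == "state":
            state = (elem.text or "").strip().upper()
            if state.startswith("NOT VULNERABLE"):
                return "PATCHED"
            if "VULNERABLE" in state:      # VULNERABLE, LIKELY VULNERABLE, VULNERABLE (Exploitable)
                return "VULNERABLE"
            return "UNKNOWN"
    # Fall back to the free-text output the script prints for non-positive results.
    output = script.get("output", "")
    if "Could not connect to 'IPC$'" in output:
        # SMBv1 off, guest access refused, or firewall: the check did not run. Not proof of a patch.
        return "INCONCLUSIVE"
    if "This system is patched" in output:
        return "PATCHED"
    if re.search(r"State:\s+VULNERABLE", output):
        return "VULNERABLE"
    return "UNKNOWN"


def parse_nmap_xml(xml_text):
    """Return {ipv4: verdict} for every <host> in an nmap XML document."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        verdict = "NOT_TESTED"  # 445 not open, or the script never ran against it
        for port in host.iter("port"):
            if port.get("portid") != "445":
                continue
            for script in port.findall("script"):
                if script.get("id") == SCRIPT_ID:
                    verdict = classify_script(script)
        verdicts[addr] = verdict
    return verdicts


def needs_attention(verdicts):
    """IPs to follow up: confirmed vulnerable plus inconclusive ones."""
    return sorted(ip for ip, v in verdicts.items() if v in ("VULNERABLE", "INCONCLUSIVE"))


if __name__ == "__main__":
    # Usage: nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 -oX scan.xml X.X.X.X/X
    #        python3 classify_ms17010.py scan.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, verdict in sorted(parse_nmap_xml(text).items()):
        print(f"{ip:<16} {verdict}")
    print("follow up:", ", ".join(needs_attention(parse_nmap_xml(text))))
```

The point of the separate INCONCLUSIVE bucket is the one the comments below make by hand: a host that refuses the `IPC$` connection has not been tested at all, so it belongs on the follow-up list next to the confirmed hits rather than in the "patched" column.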
gsphan commented May 17, 2017

Hello all,
I know why the output is "smb-vuln-ms17-010: Could not connect to 'IPC$'" when scanning SMBv1. It is because we disabled SMB version 1 on that PC. So, to check whether the patch update is OK or not, re-enable SMBv1 on it and run the script again.

Rgs,

serwolff commented May 17, 2017

Hello, I made a script on Linux to search the network. I hope it helps you; you can modify whatever you want.

```bash
#!/bin/bash
#######################################################################################################
# Author: Sergio Wolf
#
# Description: Search the network for WannaCry - MS17-010
#
# Date: 05-16-2017
#######################################################################################################
# Requirements:
#
#   OS:   CentOS 7 or other Linux
#   NMAP: Nmap version 7.40 using smb-vuln-ms17-010.nse
#######################################################################################################
# To run, create the file list_range_ip.txt and include the networks or the IPs that will be searched.
# After 10 minutes a new search is started.
# The result will be in the virus directory: one file per IP that should be analyzed.
# The IPs that you do not want searched should be included in the blacklist.txt file.
# Modify the script as you wish and use it.
# Run nmap as super-user.
#######################################################################################################
resul=tmp/result.txt        # temporary file
blacklist=blacklist.txt     # blacklist file
range_ip=list_range_ip.txt  # list of ranges or IPs to scan

mkdir -p virus tmp

IFS=$'\t\n'
while true
do
   # Find ranges
   for range in $(cat "$range_ip")
   do
      echo "Processing range: $range"
      # Host lines look like "Nmap scan report for name (1.2.3.4)" or "Nmap scan report for 1.2.3.4";
      # the "Nmap done: ... seconds" summary line is dropped.
      for linha in $(nmap -sn "$range" | grep "^Nmap" | grep -v seconds)
      do
         linha=$(echo "$linha" | sed -e 's/[()]//g')

         valor1=$(echo "$linha" | cut -d' ' -f6)
         valor2=$(echo "$linha" | cut -d' ' -f5)

         if [ "$valor1" = "" ]; then
            # no hostname, field 5 is the IP
            IP=$valor2
         else
            IP=$valor1
         fi

         echo "Processing range: $range - $IP"

         # Convert IP to hostname (strip the trailing dot host(1) prints so it matches blacklist entries)
         hostname=$(host "$IP" | cut -d" " -f5 | sed -e 's/\.$//')
         if [ "$hostname" = "" -o "$hostname" = "3(NXDOMAIN)" ]; then
            hostname=$IP
         fi

         # Find in blacklist, by hostname or by IP (fixed strings, whole words)
         black=$(grep -F -w -e "$hostname" -e "$IP" "$blacklist" 2>/dev/null | wc -l)
         if [ "$black" = "0" ]; then
            nmap -sC -p445 --script smb-vuln-ms17-010.nse "$IP" > "$resul"
            # Check for vulnerability
            valida=$(grep "State: VULNERABLE" "$resul" | wc -l)
            if [ "$valida" != "0" ]; then
               echo "$IP" >> "virus/$IP"
            fi
            rm "$resul"
         else
            echo "$IP is blacklisted"
         fi
      done
   done
   sleep 600 # Wait 10 minutes before the next search
done
```

END SCRIPT

Example files:
list_range_ip.txt
10.10.100.0/23
10.10.102.31
10.10.102.160
10.10.102.3
10.10.105.74

blacklist.txt
nehdh33-5049.cbd.net.bz
10.48.8.168
10.48.8.218
10.48.8.247
jonae83u-5002.xbd.net.bz

You can change "nmap -sn" to "nmap -sL" to search all addresses.

Rgs,

dmah6 commented May 26, 2017

Lua 5.2's string library doesn't support pack and unpack and that's why you get:

/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: attempt to call field 'pack' (a nil value)

You can use string.char and string.byte to replace these with some work. Be careful with the number of bytes when packing.

Older versions of nmap don't have the stdnse.debug[12] calls:

smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared

You can replace those with nmap.log_write("stdout", string.format calls.

pescepescetarian commented Jan 3, 2020

I am currently doing this in a local lab and experienced the "could not connect to ipc$" error. To confirm that my system was indeed patched I executed the following steps (NOT recommended if you are running a production instance) -

  1. Enable file and printer sharing
  2. Disable firewall
  3. Allowed Guest logon for SMB share
  4. Enabled SMB v1 (this is disabled by default). Run the following command to enable it.

Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

That gave me the following result:

smb-vuln-ms17-010: This system is patched.
