CVE-2020-0796. Scan a HOST/CIDR with the nmap script smb-protocols.nse and grep for SMB version 3.11.
#!/bin/bash
if [ $# -eq 0 ]
then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
    exit 1
fi
echo "Checking if there's SMB v3.11 in" "$1" "..."
# Keep only the "Nmap scan report for <ip>" lines and the "|   3.11" dialect
# lines, join them into one line per host (sed stands in for the non-portable
# `replace` utility from the MySQL client tools), keep the hosts whose line
# lists the 3.11 dialect and print their IPv4 addresses.
nmap -p445 --script smb-protocols -Pn -n "$1" | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | sed 's/Nmap scan report for/@/g' | tr '@' '\n' | grep -F ' 3.11 ' | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
# $? is the exit status of the final grep: 1 means no host printed 3.11.
if [[ $? -ne 0 ]]; then
    echo "There's no SMB v3.11"
fi
@AM8bit AM8bit commented Mar 11, 2020

ok

@tuantmb tuantmb commented Mar 11, 2020

I got some bugs and I fixed the script as follows:

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

if [[ $? != 0 ]]; then
    echo "There's no SMB v3.11"
fi
@mrizkimaulidan mrizkimaulidan commented Mar 11, 2020

awesome, thank you so much!

@nikallass nikallass (Owner, Author) commented Mar 11, 2020

> #!/bin/bash
> if [ $# -eq 0 ]
>   then
>     echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
>     exit 1
> fi
>
> echo "Checking if there's SMB v3.11 in" $1 "..."
>
> nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
>
> if [[ $? != 0 ]]; then
>     echo "There's no SMB v3.11"
> fi

My script outputs only vulnerable hosts. You mixed non-vulnerable hosts up with vulnerable ones. So | grep 3.11 is not a bug, it's a feature.

@Saleh7 Saleh7 commented Mar 11, 2020

CVE-2020-0796

@tuantmb tuantmb commented Mar 12, 2020

> #!/bin/bash
> if [ $# -eq 0 ]
>   then
>     echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
>     exit 1
> fi
>
> echo "Checking if there's SMB v3.11 in" $1 "..."
>
> nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
>
> if [[ $? != 0 ]]; then
>     echo "There's no SMB v3.11"
> fi
>
> My script outputs only vulnerable hosts. You mixed non-vulnerable hosts up with vulnerable ones. So | grep 3.11 is not a bug, it's a feature.

Thanks @nikallass, your new version works well (tested on Ubuntu 18.04 & Debian 10 with nmap 7.6)! After reviewing each pipe, I found out that the original one used the "replace" command, which was not installed on my machine. Please update this

replace 'Nmap scan report for' '@'

to (new version fixed)

tr 'Nmap scan report for' '@'
@logopk logopk commented Mar 12, 2020

Hi, apparently it reports the IP also if there is no 3.11 (only 3.0).

@goncalor goncalor commented Mar 13, 2020

I think this would be clearer, with less piping.

nmap -p445 --script smb-protocols -Pn -n $1 | awk -v ORS='' -e '/([0-9]{1,3}\.){3}[0-9]{1,3}/ {print "\n"$0" "} /^\|.[[:space:]]+3.11/ {print $2}' | grep -F " 3.11" | grep -oP '(\d{1,3}\.){3}\d{1,3}'
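
Added example, not the gist's script nor any commenter's: it covers the same job as the gist's pipeline and the false positive logopk reported (a host with only 3.0 being listed). An awk-based parser for nmap's normal output prints a host only when a dialect line reads exactly 3.11, so neither the `replace` utility nor the later tr/grep stages are needed. The sample scan output embedded below is constructed, not from a real scan.

```shell
#!/bin/bash
# Added example, not the gist's code or any commenter's: parse nmap's normal
# output for --script smb-protocols and print only hosts that advertise SMB
# dialect 3.11. No `replace` utility is needed, and a host that only offers
# 3.00 or 3.02 is never printed. Like the gist, it extracts IPv4 addresses only.
#
# Usage: nmap -p445 --script smb-protocols -Pn -n TARGET | hosts_with_smb311
hosts_with_smb311() {
    awk '
        # A "Nmap scan report for" line starts a new host. Pull out the IPv4
        # address whether nmap printed "1.2.3.4" or "name (1.2.3.4)".
        /^Nmap scan report for / {
            host = ""
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                host = substr($0, RSTART, RLENGTH)
        }
        # Dialect lines look like "|     3.11" or "|_    3.11" (the last entry
        # of the list). Anchor on the whole line so 3.00 and 3.02 cannot match.
        host != "" && /^[|][ _]+3\.11[ \t\r]*$/ {
            if (!(host in seen)) { seen[host] = 1; print host }
        }
    '
}

# Constructed sample of nmap output (not from a real scan): the first host
# offers 3.11, the second only goes up to 3.00.
SAMPLE_SCAN='Nmap scan report for 192.0.2.10

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     3.00
|     3.02
|_    3.11

Nmap scan report for 192.0.2.20

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|_    3.00

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.23 seconds'

# Demo run; prints 192.0.2.10 only.
printf '%s\n' "$SAMPLE_SCAN" | hosts_with_smb311
```

Each host is printed once even if nmap lists 3.11 under more than one heading, and a resolved name in the report line does not change the output because the IPv4 address is extracted from the line.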

@nikallass nikallass (Owner, Author) commented Mar 15, 2020

https://github.com/ollypwn/SMBGhost

We can now use this.
It is more accurate and less shitty-coded than this gist :)

@freb freb commented Mar 17, 2020

Another option for nmap: https://github.com/pr4jwal/CVE-2020-0796

@hackerpain hackerpain commented Mar 17, 2020

@nikallass @freb @goncalor @tuantmb getting an error:

socket_bindtodevice: Protocol not available
Problem binding to interface , errno: 92