Nmap Development mailing list archives

[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010


From: Tinker Fairy <nmap () tinkerfairy net>
Date: Fri, 19 May 2017 19:17:16 -0500

Robert,

I have encountered two difficulties that cause the behavior you are describing:
1) Newer Windows versions default to DisableStrictNameChecking = false, which requires the server name on SMB requests.

I have opened a pull request with a feature addition to be compatible with this new default.
https://github.com/cldrn/nmap-nse-scripts/pull/7

2) There is some kind of bug with newer Windows and the SPNEGO code in the SMB library. As a temporary workaround you 
can set sp_nego=true on line 1319 of nselib/smb.lua.

With both of those issues taken care of, I've scanned tens of thousands of mixed-version Windows servers from 2003 to 
2016.

Good luck!

-TinkerFairy
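The "Could not connect to 'IPC$'" message discussed in this thread is neither a VULNERABLE nor a NOT VULNERABLE verdict; on a large scan those hosts need to be separated out so they can be re-scanned after applying the workarounds above. The following script is an added example, not code from the thread or from the Nmap project: it reads an Nmap XML report (-oX) and sorts each host into VULNERABLE, INCONCLUSIVE or NO_RESULT based on the text the smb-vuln-ms17-010 script printed. The sample XML is constructed here and only mimics the shape of Nmap's output; the verdict strings and the "Could not connect" error text are the only assumptions about the script's wording.

```python
"""Triage smb-vuln-ms17-010 results from an Nmap XML report (added example)."""
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample report: three hosts, shaped like Nmap -oX output.
# Host .10 got a positive verdict, host .11 hit the IPC$ error from the
# thread, host .12 has no script result at all (not vulnerable, or the
# script never ran against it).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.40">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010"
              output="&#10;  VULNERABLE:&#10;    State: VULNERABLE&#10;"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010"
              output="ERROR: Script execution failed: Could not connect to 'IPC$'"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def classify(output):
    """Map one script's output text to a triage verdict.

    A host is only counted as VULNERABLE on an explicit "State: VULNERABLE"
    line. Connection or execution errors mean the check never completed, so
    the host is INCONCLUSIVE and should be re-scanned, not marked clean.
    """
    if output is None:
        return "NO_RESULT"
    if "State: VULNERABLE" in output:
        return "VULNERABLE"
    if "Could not connect" in output or output.startswith("ERROR"):
        return "INCONCLUSIVE"
    return "NO_RESULT"


def triage(xml_text):
    """Return {ip_address: verdict} for every host in an Nmap XML report."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find(f"hostscript/script[@id='{SCRIPT_ID}']")
        output = script.get("output") if script is not None else None
        verdicts[addr.get("addr")] = classify(output)
    return verdicts


def needs_rescan(verdicts):
    """List the hosts whose result is inconclusive and must be checked again."""
    return sorted(ip for ip, v in verdicts.items() if v == "INCONCLUSIVE")


if __name__ == "__main__":
    result = triage(SAMPLE_XML)
    for ip, verdict in sorted(result.items()):
        print(f"{ip:16} {verdict}")
    print("re-scan after workaround:", ", ".join(needs_rescan(result)))
```

Run it against a real report with `triage(open("scan.xml").read())`; the INCONCLUSIVE list is the set of hosts to re-run once the server-name and sp_nego fixes from this thread are in place, since an error result says nothing about patch state either way.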


Date: Fri, 19 May 2017 16:03:59 -0700
From: Robert Strom <robert.strom () gmail com>
To: dev () nmap org
Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
Message-ID: <CAACgKan3CnGT0gOvTvb5yT=A9FA8Nhz8xfNzhsdxSc24G7B36Q () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hello,

I've been playing around with the smb-vuln-ms17-010.nse script and found
some strange results for Server 2012 systems.

On all 2012 systems, regardless of whether or not they are patched, firewall on or off,
I get this message:

Could not connect to 'IPC$'

which does not tell me whether or not the system is vulnerable.

I have also checked whether or not these systems are running SMBv1, they
definitely are.

Any explanation for this behavior?

See the attached files of an Nmap scan using v7.40 on Windows against Server 2012
with FW on and FW off.

Thanks,

Robert


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
