Nmap Development mailing list archives
[NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
From: Tinker Fairy <nmap () tinkerfairy net>
Date: Fri, 19 May 2017 19:17:16 -0500

Robert,

I have encountered two difficulties that cause the behavior you are describing:

1) Newer Windows versions default to DisableStrictNameChecking = false, which requires the server name on SMB requests. I have opened a pull request with a feature addition to be compatible with this new default.
https://github.com/cldrn/nmap-nse-scripts/pull/7

2) There is some kind of bug with newer Windows and the SPNEGO code in the SMB library. As a temporary workaround you can set sp_nego=true on line 1319 of nselib/smb.lua

With both of those issues taken care of, I've scanned tens of thousands of mixed-version Windows servers from 2003 to 2016.

Good luck!
-TinkerFairy

Date: Fri, 19 May 2017 16:03:59 -0700
From: Robert Strom <robert.strom () gmail com>
To: dev () nmap org
Subject: [NSE] smb-vuln-ms17-010.nse: Script to detect ms17-010
Message-ID: <CAACgKan3CnGT0gOvTvb5yT=A9FA8Nhz8xfNzhsdxSc24G7B36Q () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hello,

I've been playing around with the smb-vuln-ms17-010.nse script and found some strange results for Server 2012 systems.

All 2012, regardless of whether or not they are patched, firewall on or off, I get this message:

Could not connect to 'IPC$'

which does not tell me whether or not the system is vulnerable or not.

I have also checked whether or not these systems are running SMBv1; they definitely are.

Any explanation for this behavior?

See attached files of Nmap scan using v 7.40 on Windows against Server 2012 with FW on and FW off.

Thanks,
Robert