# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to the Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#
# Note:
# I had to use "--max-hostgroup 3", otherwise the script misses vulnerable hosts using nmap 7.30 on OS X
# Don't use "-T4", this also caused the script to miss vulnerable hosts
#
# Find a test range via ShodanHQ
# https://www.shodan.io/search?query=port%3A445+os%3A%22Windows+Server+2003%22
nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/X
So I got the script, but get an error trying to run it.
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:57 Pacific Daylight Time
Fetchfile found C:\Program Files (x86)\Nmap/nmap-services
Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 3
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
NSE: Using Lua 5.3.
Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua
Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db
NSE: Arguments from CLI:
Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse
NSE: Script smb-vuln-ms17-010.nse was selected by file path.
NSE: failed to initialize the script engine:
C:\Program Files (x86)\Nmap/nse_main.lua:255: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'
stack traceback:
[C]: in function 'assert'
C:\Program Files (x86)\Nmap/nse_main.lua:255: in upvalue 'loadscript'
C:\Program Files (x86)\Nmap/nse_main.lua:597: in field 'new'
C:\Program Files (x86)\Nmap/nse_main.lua:820: in local 'get_chosen_scripts'
C:\Program Files (x86)\Nmap/nse_main.lua:1271: in main chunk
[C]: in ?
QUITTING!
Is it saying it doesn't like line one?
@intelnavi you need the latest version of nmap
Um, it's 7.4. I downloaded it this AM from the nmap site, latest stable.
@CrazySeajay, did you put the script in the parent directory c:\Program Files (x86)\Nmap? It works fine on my end.
I did and still get the same error. Is this the correct script?
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
Apparently the script had an error, it got updated an hour ago and now works.
Hi Guys,
I am also getting the same errors as @CrazySeajay.
I am fully up to date and have the latest script mentioned. Any pointers as to what I am doing wrong? I'm using Windows.
Here is the output from nmap
NSE: failed to initialize the script engine:
C:\Program Files (x86)\Nmap/nse_main.lua:259: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:1: unexpected symbol near '<\239>'
stack traceback:
[C]: in function 'assert'
C:\Program Files (x86)\Nmap/nse_main.lua:259: in upvalue 'loadscript'
C:\Program Files (x86)\Nmap/nse_main.lua:601: in field 'new'
C:\Program Files (x86)\Nmap/nse_main.lua:824: in local 'get_chosen_scripts'
C:\Program Files (x86)\Nmap/nse_main.lua:1310: in main chunk
[C]: in ?
QUITTING!
Looks to maybe be a problem with the packaged nmap scripts? Any help appreciated.
Thanks
Getting an error while executing on Debian Jessie
Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-16 10:04 -03
--------------- Timing report ---------------
hostgroups: min 1, max 3
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 10:04
Scanning 10.56.7.187 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x0023AE8A and arp[22:2] = 0xBEDD
Completed ARP Ping Scan at 10:04, 0.21s elapsed (1 total hosts)
Overall sending rates: 4.64 packets / s, 194.68 bytes / s.
mass_rdns: Using DNS server 10.56.7.231
mass_rdns: Using DNS server 10.56.7.232
Initiating Parallel DNS resolution of 1 host. at 10:04
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:04
Scanning 2-cmo-marcos.sedur.intranet (10.56.7.187) [1 port]
Packet capture filter (device eth0): dst host 10.56.7.200 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.56.7.187)))
Discovered open port 445/tcp on 10.56.7.187
Increased max_successful_tryno for 10.56.7.187 to 1 (packet drop)
Completed SYN Stealth Scan at 10:04, 0.24s elapsed (1 total ports)
Overall sending rates: 8.27 packets / s, 364.00 bytes / s.
NSE: Script scanning 10.56.7.187.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-vuln-ms17-010 against 10.56.7.187.
Initiating NSE at 10:04
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: LM Password:
NSE: SMB: Extended login to 10.56.7.187 as SEDUR\guest failed (NT_STATUS_ACCOUNT_DISABLED)
NSE: LM Password:
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-vuln-ms17-010 against 10.56.7.187 threw an error!
smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nselib/strict.lua:80: in function '__index'
smb-vuln-ms17-010.nse:88: in function 'check_ms17010'
smb-vuln-ms17-010.nse:163: in function <smb-vuln-ms17-010.nse:141>
(...tail calls...)
Completed NSE at 10:04, 0.12s elapsed
Nmap scan report for 2-cmo-marcos.sedur.intranet (10.56.7.187)
Host is up, received arp-response (0.00027s latency).
Scanned at 2017-05-16 10:04:14 -03 for 0s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: C8:9C:DC:C4:95:EF (Elitegroup Computer System CO.)
Final times for host: srtt: 269 rttvar: 2852 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Does anyone know a reputable place to download old versions of nmap for Windows? Their own site is quite hard to navigate.
Thanks
Hi,
Would anyone be willing to help me for a fee? Please DM me and we can discuss.
Judging by the "<\239>" appearing, I wonder if you saved the link to the GitHub page, not the file itself.
Try this one (raw output):
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse
Either save it, or copy and paste its contents into a file.
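The diagnosis above, checked in code. This is an added helper, not part of the gist or of any comment in this thread: it inspects the first bytes of a downloaded .nse file before it is copied into the scripts directory. Lua prints an unprintable byte in decimal, so the '<\239>' quoted above is byte 0xEF, the first byte of the UTF-8 BOM that some Windows editors prepend; a file whose first token is '<' or '{' is an HTML page or a JSON document saved in place of the raw script (the Nmap 7.01 run at the end of this thread stops on such a '{').

```python
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"


def lua_symbol_byte(token):
    """Decode the token Lua quotes in "unexpected symbol near ...".

    Lua writes an unprintable byte as <\\ddd> with ddd in decimal, so the
    '<\\239>' seen in this thread is byte 0xEF; a printable byte such as
    '{' is quoted as itself. Returns None for anything else."""
    token = token.strip("'")
    if token.startswith("<\\") and token.endswith(">"):
        return int(token[2:-1])
    return ord(token) if len(token) == 1 else None


def diagnose_nse_bytes(data):
    """Inspect the start of a would-be .nse file; return (verdict, repaired_bytes).

    EF BB BF is the UTF-8 BOM, which Lua's lexer rejects as an unexpected symbol
    on line 1; it can simply be stripped. A leading '<' or '{' means an HTML page
    or a JSON document was saved instead of the raw script and cannot be repaired."""
    if data.startswith(UTF8_BOM):
        return "utf8-bom", data[len(UTF8_BOM):]
    first = data.lstrip()[:1]
    if first == b"<":
        return "html-not-lua", None
    if first == b"{":
        return "json-not-lua", None
    return "ok", data


def check_nse_file(path, repair=False):
    """Diagnose a file on disk; with repair=True a BOM-prefixed file is rewritten without it."""
    p = Path(path)
    verdict, repaired = diagnose_nse_bytes(p.read_bytes())
    if verdict == "utf8-bom" and repair:
        p.write_bytes(repaired)
    return verdict


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, check_nse_file(name))
```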
@corycorycorycory - You were right! Thanks a lot! Great spot...
What does that mean?
Host script results:
|_smb-vuln-ms17-010: Could not connect to IPC$
Hello all,
I have the same issue, even though my PC is already up to date with all Windows updates.
Regards
HIEUPT
Hello all,
I know why the output is " smb-vuln-ms17-010: Could not connect to 'IPC$' " when scanning SMBv1. It is because we disabled SMB version 1 on that PC. So to check whether the patch update is OK or not, re-enable SMBv1 on it and run the script again.
Rgs,
Hello, I made a script in Linux to search the network. I hope it helps you; you can modify whatever you want.
#!/bin/bash
#######################################################################################################
# Author: Sergio Wolf
# Description: Search the network for WannaCry - MS17-010
# Date: 05-16-2017
#######################################################################################################
# Requirements:
#   OS: CentOS 7 or other Linux
#   NMAP: Nmap version 7.40 using smb-vuln-ms17-010.nse
#######################################################################################################
# To run, create the file list_range_ip.txt and include the networks or the IPs that will be searched.
# After 10 minutes you will do a new search.
# The result will be in the virus directory: one file per IP that should be analyzed.
# The IPs that you do not want to be searched should be included in the blacklist.txt file.
# Modify the script as you wish and use it.
# Execute nmap as the super-user.
#######################################################################################################
resul=tmp/result.txt        # temporary file
blacklist=blacklist.txt     # blacklist file
range_ip=list_range_ip.txt  # list of ranges or IPs to scan
mkdir -p virus tmp
IFS=$'\t\n'
while true
do
    # Find ranges
    for range in $(cat $range_ip)
    do
        echo "Processing range: $range"
        for linha in $(nmap -sn $range | grep "^Nmap" | grep -v seconds)
        do
            linha=$(echo $linha | sed -e 's/(//g')
            linha=$(echo $linha | sed -e 's/)//g')
            valor1=$(echo $linha | cut -d' ' -f6)
            valor2=$(echo $linha | cut -d' ' -f5)
            if [ "$valor1" = "" ]; then
                # no hostname
                IP=$valor2
            else
                IP=$valor1
            fi
            echo "Processing range: $range - $IP"
            # Convert IP to hostname
            hostname=$(host $IP | cut -d" " -f5)
            if [ "$hostname" = "" -o "$hostname" = "3(NXDOMAIN)" ]; then
                hostname=$IP
            fi
            # Look up in blacklist
            black=$(grep -w "$hostname" $blacklist | wc -l)
            if [ "$black" = "0" ]; then
                nmap -sC -p445 --script smb-vuln-ms17-010.nse $IP > $resul
                # Check for vulnerability
                valida=$(grep "State: VULNERABLE" $resul | wc -l)
                if [ "$valida" != "0" ]; then
                    echo $IP >> virus/$IP
                fi
                rm $resul
            else
                echo "$IP is blacklisted"
            fi
        done
    done
    sleep 6000 # Wait before the next search
done
# END SCRIPT
Example files:
list_range_ip.txt
10.10.100.0/23
10.10.102.31
10.10.102.160
10.10.102.3
10.10.105.74
blacklist.txt
nehdh33-5049.cbd.net.bz
10.48.8.168
10.48.8.218
10.48.8.247
jonae83u-5002.xbd.net.bz
You can change "nmap -sn" to "nmap -sL" to search all addresses.
Rgs,
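Sergio's script greps "State: VULNERABLE" out of the text output, so a host that answers "Could not connect to IPC$" (the SMBv1-disabled case HIEUPT describes above) is silently counted as clean. The following is an added example, not from the gist or from any commenter: it reads nmap's XML output (-oX) instead and keeps such hosts as unknown so they get re-checked. The XML is a constructed sample shaped like nmap's host-script output, with the three outcomes quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX -` host-script output; the
# output strings are the three outcomes quoted in this thread.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -p445 --script smb-vuln-ms17-010.nse -oX - 10.0.0.0/29">
<host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostscript><script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;"/></hostscript></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.6" addrtype="ipv4"/>
<hostscript><script id="smb-vuln-ms17-010" output="Could not connect to 'IPC$'"/></hostscript></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.7" addrtype="ipv4"/>
<hostscript><script id="smb-vuln-ms17-010" output="This system is patched."/></hostscript></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.8" addrtype="ipv4"/></host>
</nmaprun>
"""


def classify(output):
    """Map the script's text output to a triage state.

    'Could not connect to IPC$' means no SMB session was set up (SMBv1 off,
    guest logon refused, firewall), so it is evidence of nothing either way."""
    if output is None:
        return "NO_RESULT"          # script did not run (port closed or filtered)
    if "State: VULNERABLE" in output:
        return "VULNERABLE"
    if "This system is patched" in output:
        return "PATCHED"
    if "Could not connect to" in output:
        return "UNKNOWN_NO_IPC"
    return "UNKNOWN"


def triage(xml_text):
    """Return {ipv4: state} for every host in an nmap XML report."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find("hostscript/script[@id='smb-vuln-ms17-010']")
        results[addr.get("addr")] = classify(None if script is None else script.get("output", ""))
    return results


def needs_followup(results):
    """Hosts to act on: confirmed vulnerable, plus those the scan could not judge."""
    return sorted(ip for ip, state in results.items()
                  if state in ("VULNERABLE", "UNKNOWN_NO_IPC", "UNKNOWN"))


if __name__ == "__main__":
    report = triage(SAMPLE_XML)
    for ip, state in sorted(report.items()):
        print(f"{ip:15} {state}")
    print("follow up:", ", ".join(needs_followup(report)))
```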
Lua 5.2's string library doesn't support pack and unpack and that's why you get:
/usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:94: attempt to call field 'pack' (a nil value)
You can use string.char and string.byte to replace these with some work. Be careful with the number of bytes when packing.
Older versions of nmap don't have the stdnse.debug[12] calls:
smb-vuln-ms17-010.nse:88: variable 'debug1' is not declared
You can replace those with nmap.log_write("stdout", string.format calls.
I am currently doing this in a local lab and experienced the "could not connect to ipc$" error. To confirm that my system was indeed patched I executed the following steps (NOT recommended if you are running a production instance) -
- Enable file and printer sharing
- Disable firewall
- Allowed Guest logon for SMB share
- Enabled SMB v1 (this is disabled by default). Run the following command to enable it.
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol
That gave me the following result:
smb-vuln-ms17-010: This system is patched.
Well, this didn't work. Guess I'll find something else.
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-15 12:49 CDT
--------------- Timing report ---------------
hostgroups: min 1, max 3
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
NSE: Using Lua 5.2.
NSE: Arguments from CLI:
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:254: /usr/bin/../share/nmap/scripts/smb-vuln-ms17-010.nse:1: unexpected symbol near '{'
stack traceback:
[C]: in function 'assert'
/usr/bin/../share/nmap/nse_main.lua:254: in function 'loadscript'
/usr/bin/../share/nmap/nse_main.lua:582: in function 'new'
/usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
[C]: in ?
QUITTING!