Skip to content

Instantly share code, notes, and snippets.

@nikallass
Created March 11, 2020 04:57
Show Gist options
  • Save nikallass/40f3215e6294e94cde78ca60dbe07394 to your computer and use it in GitHub Desktop.
Save nikallass/40f3215e6294e94cde78ca60dbe07394 to your computer and use it in GitHub Desktop.
CVE-2020-0796. Scan HOST/CIDR with nmap script smb-protocols.nse and grep SMB version 3.11.
#!/bin/bash
if [ $# -eq 0 ]
then
echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
exit 1
fi
echo "Checking if there's SMB v3.11 in" $1 "..."
nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
if [[ $? != 0 ]]; then
echo "There's no SMB v3.11"
fi
@AM8bit
Copy link

AM8bit commented Mar 11, 2020

ok

@tuantmb
Copy link

tuantmb commented Mar 11, 2020

I got some bugs and I fixed the script as following:

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

if [[ $? != 0 ]]; then
    echo "There's no SMB v3.11"
fi

@mrizkimaulidan
Copy link

awesome, thank you so much!

@nikallass
Copy link
Author

nikallass commented Mar 11, 2020

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

if [[ $? != 0 ]]; then
    echo "There's no SMB v3.11"
fi

My script outputs only vulnerable hosts. You messed non-vulnerable hosts with vulnerable. So | grep 3.11 is not a bug, it's a feature.

@Saleh7
Copy link

Saleh7 commented Mar 11, 2020

CVE-2020-0796

@tuantmb
Copy link

tuantmb commented Mar 12, 2020

#!/bin/bash
if [ $# -eq 0 ]
  then
    echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR {Target Specification - Nmap}'
    exit 1
fi

echo "Checking if there's SMB v3.11 in" $1 "..."

nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | tr 'Nmap scan report for' '@' | tr "@" "\n" | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'

if [[ $? != 0 ]]; then
    echo "There's no SMB v3.11"
fi

My script outputs only vulnerable hosts. You messed non-vulnerable hosts with vulnerable. So | grep 3.11 is not a bug, it's a feature.

Thanks @nikallass, your new version works well (Tested on Ubuntu 18.04 & Debian 10 with nmap 7.6)! After reviewing each pipe, I found out that the original one used "replace" command which was not installed in my machine. Please update this

replace 'Nmap scan report for' '@'

to (new version fixed)

tr 'Nmap scan report for' '@'

@logopk
Copy link

logopk commented Mar 12, 2020

Hi, apparently reports IP also if there is no 3.11 (only 3.0)

@goncalor
Copy link

I think this would be more clear, with less piping.

nmap -p445 --script smb-protocols -Pn -n $1 | awk -v ORS='' -e '/([0-9]{1,3}\.){3}[0-9]{1,3}/ {print "\n"$0" "} /^\|.[[:space:]]+3.11/ {print $2}' | grep -F " 3.11" | grep -oP '(\d{1,3}\.){3}\d{1,3}'

@nikallass
Copy link
Author

https://github.com/ollypwn/SMBGhost

We now can use this.
It is more accurate and less shitty-coded than this gist :)

@freb
Copy link

freb commented Mar 17, 2020

@hackerpain
Copy link

@nikallass @freb @goncalor @tuantmb getting error

socket_bindtodevice: Protocol not available                                                                             Problem binding to interface , errno: 92  

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment