Monday 3 July 2017

Use NMAP to scan for MS17-010 Vulnerability

Sometimes you need to check the status of your applied updates, and quickly. With WannaCry, Petya and Nyetya ransomware spreading around the globe via the MS17-010 vulnerability, it's a good idea to double check that all your updates are applied correctly. Even if you have comprehensive vulnerability management and patching programs there are almost certainly servers that have been missed, whether because they are vendor supported or part of your company's cottage IT. It is important to be able to find those servers and either remediate them or put additional controls in place to protect them.

Save the smb-vuln-ms17-010.nse script to your Nmap NSE script directory (newer Nmap releases bundle it, so check whether it is already there first):
  • Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
  • OSX – /opt/local/share/nmap/scripts/
  • Windows (Zenmap installer) – C:\Program Files (x86)\Nmap\scripts

While detecting SMB is the first step, there are legitimate reasons why a server may have SMB open. For the specific case of finding servers that are vulnerable to MS17-010 we need to dig a bit deeper.

The following is a quick Nmap script scan that checks whether a host is still vulnerable to MS17-010, which tells you whether the fix has actually taken effect:

Using the NSE smb-vuln-ms17-010.nse Script

If you’re using the command line version of NMap on any system, you can run this command (change the IP range to meet your needs):

nmap -sC -p 445 --script smb-vuln-ms17-010.nse 192.168.1.0/24

If you’re using the Windows ZenMap GUI, fill in the Target box with your IP (or IP range) and use this line in the Command box (it should automatically append the IP/Range to the end of this command):

nmap -sC -p 445 --script smb-vuln-ms17-010.nse

Scan Results

When the scan finds a host with port 445 open that is not vulnerable to MS17-010, the script normally prints nothing extra: you see only the port line and no Host script results section. A vulnerable host adds a smb-vuln-ms17-010 block like the one below.

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-17 13:18 Central Daylight Time
Nmap scan report for 192.168.1.50
Host is up (0.014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:

Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

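On a /24 or larger the interesting part of the output is the handful of flagged hosts, not the full report. The following shell helper, added here as an example and not part of the original post, runs the same check with normal-format output saved to a file and then reduces that output to a plain list of vulnerable IPs. The function names, the output file name and the sample scan text are this example's own; the sample report is constructed to match the real format, and the addresses in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: run the MS17-010 check
# against a target range, keep nmap's normal output, and reduce it to the
# list of hosts the script flagged. Function and variable names are ours.

# Run the scan and save nmap's normal-format output (-oN) for later parsing.
# Assumes nmap with smb-vuln-ms17-010.nse installed in its script directory.
# Not invoked by the offline sample run below.
scan_ms17_010() {
    targets="$1"   # e.g. 192.168.1.0/24
    outfile="$2"   # e.g. ms17.txt
    nmap -Pn -p 445 --script smb-vuln-ms17-010 -oN "$outfile" "$targets"
}

# Read nmap normal output on stdin and print the IP of every host whose
# smb-vuln-ms17-010 block reports "State: VULNERABLE". Hosts that are not
# vulnerable have no script block by default and are skipped; a
# "State: NOT VULNERABLE" line (only shown with --script-args vulns.showall=1)
# or "LIKELY VULNERABLE" does not match either.
vulnerable_hosts() {
    awk '
        /^Nmap scan report for / {
            host = $NF              # last field: "10.0.0.1" or "(10.0.0.1)"
            gsub(/[()]/, "", host)  # drop parentheses around a resolved name
            in_block = 0
        }
        index($0, "smb-vuln-ms17-010:") > 0 { in_block = 1 }
        in_block && /State: VULNERABLE/     { print host; in_block = 0 }
    '
}

# Constructed sample of -oN output for three hosts: two flagged, one clean.
SAMPLE_SCAN=$(cat <<'EOF'
# Nmap 7.40 scan initiated Wed May 17 13:18:00 2017 as: nmap -Pn -p 445 --script smb-vuln-ms17-010 -oN ms17.txt 192.168.1.50-60
Nmap scan report for fileserver.corp.example (192.168.1.50)
Host is up (0.014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

Nmap scan report for 192.168.1.51
Host is up (0.010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.1.60
Host is up (0.021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

# Nmap done at Wed May 17 13:18:05 2017 -- 3 IP addresses (3 hosts up) scanned in 5.12 seconds
EOF
)

# Offline sample run: prints 192.168.1.50 and 192.168.1.60, one per line.
printf '%s\n' "$SAMPLE_SCAN" | vulnerable_hosts
```

In practice you would run `scan_ms17_010 192.168.1.0/24 ms17.txt` and then `vulnerable_hosts < ms17.txt`. If you also want the hosts the script positively cleared, add `--script-args vulns.showall=1` to the scan; they then appear with "State: NOT VULNERABLE" and are still left out of the list. For anything beyond a quick triage, `-oX` gives XML that is easier to parse reliably than the human-readable report.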
What to do next

If you find a vulnerable machine, you’ll want to patch it right away. You can use the following references to find information for your Operating System version:
As a general rule, don't rely on this Nmap script alone to find all of your vulnerable systems: a host that is offline during the scan, has port 445 filtered, or will not accept the SMBv1 connection the check depends on simply produces no result. It is only one tool. Stay current on patching workstations and servers.
