Script smb2-vuln-uptime

Script types: hostrule
Categories: vuln, safe
Download: https://svn.nmap.org/nmap/scripts/smb2-vuln-uptime.nse

Script Summary

Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.

The SMB2 protocol negotiation response returns the system boot time before authentication. This information can be used to determine whether a system is missing critical patches without triggering IDS/IPS/AVs.

Remember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime; no additional probes are sent.
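
The check described above, as an added Python example that is not the NSE script's own code: it reads SystemTime and ServerStartTime from an SMB2 NEGOTIATE response (offsets per the MS-SMB2 response layout) and lists patches published after the last boot. The function names, the `PATCHES` table and the constructed sample message are assumptions made for this example.

```python
import struct
from datetime import datetime, timezone

EPOCH_DELTA = 11644473600   # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01
HDR = 64                    # fixed SMB2 header length
# Bulletin publication date, supplied for this example (not stated on the page).
PATCHES = {"MS17-010": datetime(2017, 3, 14, tzinfo=timezone.utc)}

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not reported'."""
    if ft == 0:
        return None
    return datetime.fromtimestamp(ft // 10**7 - EPOCH_DELTA, tz=timezone.utc)

def parse_negotiate_times(msg):
    """Return (SystemTime, ServerStartTime) from an SMB2 NEGOTIATE response."""
    if len(msg) < HDR + 64 or msg[:4] != b"\xfeSMB":
        raise ValueError("truncated or not SMB2")
    (command,) = struct.unpack_from("<H", msg, 12)      # header Command field
    (body_size,) = struct.unpack_from("<H", msg, HDR)   # response StructureSize
    if command != 0 or body_size != 65:
        raise ValueError("not a NEGOTIATE response")
    now, boot = struct.unpack_from("<QQ", msg, HDR + 40)
    return filetime_to_dt(now), filetime_to_dt(boot)

def missing_patches(msg):
    """Patches published after the last boot. None = boot time not reported.
    An empty list is not proof of patching: a rebooted host may still lack the update."""
    _, boot = parse_negotiate_times(msg)
    if boot is None:
        return None
    return sorted(name for name, released in PATCHES.items() if boot < released)

def build_sample(boot, now):
    """Constructed response for offline testing; only the parsed fields are filled in."""
    ft = lambda dt: (int(dt.timestamp()) + EPOCH_DELTA) * 10**7 if dt else 0
    header = b"\xfeSMB" + struct.pack("<H", 64) + bytes(6) + struct.pack("<H", 0) + bytes(50)
    body = struct.pack("<H", 65) + bytes(38) + struct.pack("<QQ", ft(now), ft(boot)) + bytes(8)
    return header + body

if __name__ == "__main__":
    utc = timezone.utc
    sample = build_sample(datetime(2017, 1, 2, tzinfo=utc), datetime(2017, 6, 1, tzinfo=utc))
    print(parse_negotiate_times(sample)[1], missing_patches(sample))
```

A server that sends a zero ServerStartTime yields `None` here, which should be reported as "unknown" rather than as patched.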

Script Arguments

smb2-vuln-uptime.skip-os

Ignore OS detection results and show results

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap -O --script smb2-vuln-uptime <target>
  • nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>
    

Script Output

| smb2-vuln-uptime:
|   VULNERABLE:
|   MS17-010: Security update for Windows SMB Server
|     State: LIKELY VULNERABLE
|     IDs:  ms:ms17-010  CVE:2017-0147
|       This system is missing a security update that resolves vulnerabilities in
|        Microsoft Windows SMB Server.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Author:

  • Paulino Calderon <calderon()calderonpale.com>

License: Same as Nmap--See https://nmap.org/book/man-legal.html