Categories: vuln, safe
Attempts to detect missing patches in Windows systems by checking the uptime returned during the SMB2 protocol negotiation.
The SMB2 protocol negotiation response returns the system boot time pre-authentication. This information can be used to determine if a system is missing critical patches without triggering IDS/IPS/AVs.
Remember that a rebooted system may still be vulnerable. This check only reveals unpatched systems based on the uptime; no additional probes are sent.
- smb2-vuln-uptime.skip-os
Ignore OS detection results and show results
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
nmap -O --script smb2-vuln-uptime <target>
nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>
| smb2-vuln-uptime:
|   VULNERABLE:
|   MS17-010: Security update for Windows SMB Server
|     State: LIKELY VULNERABLE
|     IDs:  ms:ms17-010  CVE:2017-0147
|       This system is missing a security update that resolves vulnerabilities in
|       Microsoft Windows SMB Server.
|
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
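The uptime comparison described above, as an added example in Python (not the script's own code): it reads SystemTime and ServerStartTime from the fixed part of an SMB2 NEGOTIATE response and compares the boot time with a patch release date. The sample message, the function names and the 14 March 2017 date for MS17-010 are assumptions supplied here; a start time of zero is treated as not reported.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: MS17-010 release date (14 March 2017); the page does not state it.
MS17_010_RELEASED = datetime(2017, 3, 14, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_negotiate_times(msg):
    """Return (system_time, server_start_time) from an SMB2 NEGOTIATE response."""
    if len(msg) < 64 + 56 or msg[:4] != b"\xfeSMB":
        raise ValueError("not a complete SMB2 message")
    (command,) = struct.unpack_from("<H", msg, 12)        # header: Command
    (structure_size,) = struct.unpack_from("<H", msg, 64)  # body: StructureSize
    if command != 0 or structure_size != 65:
        raise ValueError("not an SMB2 NEGOTIATE response")
    # SystemTime and ServerStartTime sit 40 and 48 bytes into the body.
    system_ft, start_ft = struct.unpack_from("<QQ", msg, 64 + 40)
    start = filetime_to_dt(start_ft) if start_ft else None  # 0 = not reported
    return filetime_to_dt(system_ft), start

def assess(boot, patch_released=MS17_010_RELEASED):
    if boot is None:
        return "UNKNOWN"
    if boot < patch_released:
        # Up since before the update existed, so it cannot have been installed
        # (assumes the update needs a reboot to take effect).
        return "LIKELY VULNERABLE"
    return "INCONCLUSIVE"  # rebooted since release: patched or not, can't tell

def build_sample(boot, now):
    """Constructed response: 64-byte header plus fixed body, no security blob."""
    header = b"\xfeSMB" + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, 1) + bytes(44)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, 0x0210, 0, bytes(16), 0,
                       65536, 65536, 65536, dt_to_filetime(now),
                       dt_to_filetime(boot) if boot else 0, 128, 0, 0)
    return header + body

if __name__ == "__main__":
    now = datetime(2017, 5, 20, tzinfo=timezone.utc)
    for boot in (datetime(2017, 1, 2, tzinfo=timezone.utc), now, None):
        _, start = parse_negotiate_times(build_sample(boot, now))
        print(start, assess(start))
```

The INCONCLUSIVE branch is the caveat from the description: a boot time after the release date says nothing about whether the update was installed.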
License: Same as Nmap--See https://nmap.org/book/man-legal.html