May 15, 2017
 
  1. If you haven't already got it, download and install NMAP from https://nmap.org/
  2. Download the script from https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
  3. Save it to the Nmap NSE script directory
    1. Windows location is C:\Program Files (x86)\Nmap\scripts
    2. Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
    3. OSX – /opt/local/share/nmap/scripts/
  4. Test the script on a known vulnerable device such as 202.157.185.31 or 64.17.101.90
    1. nmap -sC -p 445 --max-hostgroup 3 --open --script smb-vuln-ms17-010.nse 64.17.101.90
  5. Run against your environment

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 10:30 South Africa Standard Time
Nmap scan report for ns.bvtsvc.com (64.17.101.90)
Host is up (0.22s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds
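
When the scan from step 5 covers many hosts, the per-host results need triage. The following is an added example (not part of the original post or of the NSE script) that parses Nmap's normal output and reports, per host, whether smb-vuln-ms17-010 flagged it. The sample text, hostnames and addresses are constructed, and treating a host with no script block as "unconfirmed" rather than patched is an assumption of this example.

```python
import re

# Constructed sample in Nmap's normal output format (RFC 5737 documentation
# addresses, not real hosts). The second host has no smb-vuln-ms17-010 block.
SAMPLE = """\
Nmap scan report for fs01.example.test (192.0.2.10)
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 192.0.2.20
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
|_smbv2-enabled: Server supports SMBv2 protocol
"""

HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9A-Fa-f.:]+)\)?\s*$")
# A script header is "| name:" or "|_name:"; script ids are lowercase with hyphens.
SCRIPT = re.compile(r"^\|[_ ]?\s*([a-z][a-z0-9-]*):(?:\s|$)")
STATE = re.compile(r"^\|[_ ]?\s*State:\s*(.+?)\s*$")
TARGET = "smb-vuln-ms17-010"

def triage(nmap_text):
    """Map each scanned host to 'vulnerable', 'review: <state>' or 'no-script-result'."""
    results, host, script = {}, None, None
    for line in nmap_text.splitlines():
        if m := HOST.match(line):
            host, script = m.group(1), None
            # Assumption: a host without a script block is unconfirmed, not patched.
            results[host] = "no-script-result"
        elif host and (m := SCRIPT.match(line)):
            script = m.group(1)  # track which script's output we are inside
        elif host and script == TARGET and (m := STATE.match(line)):
            state = m.group(1)
            results[host] = "vulnerable" if state.startswith("VULNERABLE") else f"review: {state}"
    return results

if __name__ == "__main__":
    for ip, status in triage(SAMPLE).items():
        print(f"{ip}\t{status}")
```

Hosts reported as no-script-result are the ones to re-check, for example when the script failed to load or an older Nmap was used.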

 

  7 Responses to “Use NMAP to Scan network for WCRY or WannaCry Ransomware vulnerability”

  1. […] Sorry if this has already been mentioned, but there seems to be an nmap script to test for this vulnerability now – which should indicate whether you've been successful in your patching? Use NMAP to Scan network for WCRY or WannaCry Ransomware vulnerability | CompuDay […]

  2. Can’t get this to work.

    NSE: failed to initialize the script engine:

    C:\Program Files (x86)\Nmap/nse_main.lua:255: C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:7: unexpected symbol near ‘<'

  3. Hi, I use Zenmap on Win 7 64-bit. It shows me:

    map scan report for 192.168.0.152
    Host is up (0.0011s latency).
    PORT STATE SERVICE
    445/tcp open microsoft-ds
    MAC Address: D4:85:64:99:EC:83 (Hewlett Packard)
    Host script results:
    |_clock-skew: mean: -1s, deviation: 0s, median: -1s
    |_nbstat: NetBIOS name: xxxxx, NetBIOS user: , NetBIOS MAC: d4:85:64:xxxxx (Hewlett Packard)
    | smb-os-discovery:
    | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
    | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
    | Computer name: xxxxx
    | NetBIOS computer name: xxxxx\x00
    | Domain name: xxsr.local
    | Forest name: xxsr.local
    | FQDN: xxxxsr-024.oxxxr.local
    |_ System time: 2017-05-18T19:14:37+02:00
    | smb-security-mode:
    | account_used:
    | authentication_level: user
    | challenge_response: supported
    |_ message_signing: disabled (dangerous, but default)
    |_smbv2-enabled: Server supports SMBv2 protocol

    Is that machine OK?

    Thanks

  4. When I try this from Windows or Linux my results are below. How come I don't see any script results?

    [root@API-DEV ~]# nmap -sC -p 445 -max-hostgroup 3 -open -script /usr/share/nmap/scripts/smb-vuln-ms17-010.nse 10.99.147.235

    Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-18 14:20 EDT
    Nmap scan report for 10.99.147.235
    Host is up (0.0014s latency).
    PORT STATE SERVICE
    445/tcp open microsoft-ds
    MAC Address: F4:8E:38:C0:AF:28 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
    [root@API-DEV ~]#
