drgreen/coolbins
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity
coolbins/system/usr/share/nmap/scripts/smb2-vuln-uptime.nse

158 lines
5.1 KiB
Plaintext
Raw Permalink Normal View History

Migrated stuff in from previous project
2025-01-17 11:41:33 +02:00
local os = require "os"
local datetime = require "datetime"
local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
local smb2 = require "smb2"
local table = require "table"
description = [[
Attempts to detect missing patches in Windows systems by checking the
uptime returned during the SMB2 protocol negotiation.
SMB2 protocol negotiation response returns the system boot time
pre-authentication. This information can be used to determine
if a system is missing critical patches without triggering IDS/IPS/AVs.
Remember that a rebooted system may still be vulnerable. This check
only reveals unpatched systems based on the uptime, no additional probes are sent.
References:
* https://twitter.com/breakersall/status/880496571581857793
]]
---
-- @usage nmap -O --script smb2-vuln-uptime <target>
-- @usage nmap -p445 --script smb2-vuln-uptime --script-args smb2-vuln-uptime.skip-os=true <target>
--
-- @output
-- | smb2-vuln-uptime:
-- | VULNERABLE:
-- | MS17-010: Security update for Windows SMB Server
-- | State: LIKELY VULNERABLE
-- | IDs: ms:ms17-010 CVE:2017-0147
-- | This system is missing a security update that resolves vulnerabilities in
-- | Microsoft Windows SMB Server.
-- |
-- | References:
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147
-- |_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
--
-- @xmloutput
-- <table key="2017-0147">
-- <elem key="title">MS17-010: Security update for Windows SMB Server</elem>
-- <elem key="state">LIKELY VULNERABLE</elem>
-- <table key="ids">
-- <elem>CVE:2017-0147</elem>
-- <elem>ms:ms17-010</elem>
-- </table>
-- <table key="description">
-- <elem>This system is missing a security update that resolves vulnerabilities in&#xa; Microsoft Windows SMB Server.&#xa;</elem>
-- </table>
-- <table key="refs">
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-0147</elem>
-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>
-- </table>
-- </table>
--
-- @args smb2-vuln-uptime.skip-os Ignore OS detection results and show results
---
author = "Paulino Calderon <calderon()calderonpale.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
hostrule = function(host)
local ms = false
local os_detection = stdnse.get_script_args(SCRIPT_NAME .. ".skip-os") or false
if host.os then
for k, v in pairs(host.os) do -- Loop through OS matches
if string.match(v['name'], "Microsoft") then
ms = true
end
end
end
return (smb.get_port(host) ~= nil and ms) or (os_detection)
end
local ms_vulns = {
{
title = 'MS17-010: Security update for Windows SMB Server',
ids = {ms = "ms17-010", CVE = "2017-0147"},
desc = [[
This system is missing a security update that resolves vulnerabilities in
Microsoft Windows SMB Server.
]],
disclosure_time = 1489471200,
disclosure_date = {year=2017, month=3, day=14},
references = {
'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',
},
},
{
title = 'Microsoft Kerberos Checksum Vulnerability',
ids = {ms = "ms14-068", CVE = "2014-6324"},
desc = [[
This security update resolves a privately reported vulnerability in Microsoft
Windows Kerberos KDC that could allow an attacker to elevate unprivileged
domain user account privileges to those of the domain administrator account.
]],
disclosure_time = 1416290400,
disclosure_date = {year=2014, month=11, day=18},
references = {
'https://technet.microsoft.com/en-us/library/security/ms14-068.aspx'
},
},
}
local function check_vulns(host, port)
local smbstate, status
local vulns_detected = {}
status, smbstate = smb.start(host)
status = smb2.negotiate_v2(smbstate)
if not status then
stdnse.debug2("Negotiation failed")
return nil, "Protocol negotiation failed (SMB2)"
end
datetime.record_skew(host, smbstate.time, os.time())
stdnse.debug2("SMB2: Date: %s (%s) Start date:%s (%s)",
smbstate['date'], smbstate['time'],
smbstate['start_date'], smbstate['start_time'])
if smbstate['start_time'] == 0 then
stdnse.debug2("Boot time not provided")
return nil, "Boot time not provided"
end
for _, vuln in pairs(ms_vulns) do
if smbstate['start_time'] < vuln['disclosure_time'] then
stdnse.debug2("Vulnerability detected")
vuln.extra_info = string.format("The system hasn't been rebooted since %s", smbstate['start_date'])
table.insert(vulns_detected, vuln)
end
end
return true, vulns_detected
end
action = function(host,port)
local status, vulnerabilities
local report = vulns.Report:new(SCRIPT_NAME, host, port)
status, vulnerabilities = check_vulns(host, port)
if status then
for i, v in pairs(vulnerabilities) do
local vuln = { title = v['title'], description = v['desc'],
references = v['references'], disclosure_date = v['disclosure_date'],
IDS = v['ids']}
vuln.state = vulns.STATE.LIKELY_VULN
vuln.extra_info = v['extra_info']
report:add_vulns(SCRIPT_NAME, vuln)
end
end
return report:make_output()
end
Reference in New Issue Copy Permalink