Scanning for CVE-2017-0143 (EternalBlue) using nmap (MS17-010)

With both WannaCry and NotPetya using MS17-010 for propagation it is important to be able to detect servers which are vulnerable.
This vulnerability has been assigned CVE-ID CVE-2017-0143. The vulnerability is also often nicknamed EternalBlue.
This page explains how you can scan for it from a Windows machine using nmap.

The SMBv1 server in many Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability."
This vulnerability is actively being exploited.

An nmap script has been developed that allows to detect whether a server is vulnerable for CVE-2017-0143.

The following steps explain how you can use nmap to scan a server for the availability of CVE-2017-0143 (EternalBlue). We assume that you already have installed nmap on your machine.

  1. Download the nmap NSE script to scan for CVE-2017-0143. The file to download is https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse and you should save it in the scripts subfolder of the directory in which you installed nmap.
  2. Run the following command to update the NSE script rule database: nmap --script-updatedb

Note that if you are using nmap 7.50 (that was released in mid-June 2017), then the script is already packaged with name. So you don't need to download it seperately.

Now nmap is ready to scan for CVE-2017-0143 on your machines. Attention Windows 7 and 8 users: you have to run the nmap command as Administrator. So I recommend to start a DOS Command Prompt as administrator (right-click and then select "Run as administrator") and to start nmap from within this window.

The nmap command-line to scan for CVE-2017-0143 (EternalBlue) is the following:
nmap.exe -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 -oN ms17-010 192.168.1.17

The command-line options that we specify mean the following:

  • -Pn: Treat all hosts as online -- skip host discovery
  • -p445: This indicates the port that we want to scan. Here we only scan port 445 which is the smb file sharing port.
  • --script smb-vuln-ms17-010: This indicates that the MS17-010 script should be executed on every found open port.
  • -oN ms17-010: Output scan in normal format to the given filename (in this case the filename will be ms17-010.nmap
  • 192.168.1.17: This indicates the machine to scan.
  • --open: Only show open (or possibly open) ports.
  • --max-hostgroup 3: Parallel host scan group size is set to 3. It has been found that this is the ideal setting when using this script.

If nmap detects that a machine is vulnerable for CVE-2017-0143 (EternalBlue), then the output will look as follows:

C:\Tools\nmap-7.50>nmap.exe -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.1.17

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-01 10:00 Romance Summer Time
Nmap scan report for 192.168.1.17
Host is up (0.22s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds

If nmap detects that a machine is not vulnerable for CVE-2017-0143 (EternalBlue), then the output will look as follows:

C:\Tools\nmap-7.50>nmap.exe -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 192.168.1.17

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-01 10:00 Romance Summer Time
Nmap scan report for 192.168.1.17
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds

Additional links:

Tags: 

You might also be interested in...