5

Is there a ready way with nmap's scripting option to find machines with SMB 1 still enabled server side? It'd be a whole lot faster for me to monitor my remediation if it is available.

I'd rather not have to run a complete OpenVAS scan for this one piece of information.

Tim Brigham
  • 3,762
  • 3
  • 29
  • 35

4 Answers

9

There is not currently a script to check for this. It would be a trivial change to the existing smbv2-enabled script. Currently, the script has three possible outputs:

  • No output: SMB of any version failed.
  • "Server supports SMBv2 protocol": Server supports at least SMBv2, possibly also SMBv1.
  • "Server doesn't support SMBv2 protocol": Server supports SMBv1 but not SMBv2.

As you can see, there's some ambiguity about whether an SMBv2-enabled host would also support SMBv1. But modifying the script to test each dialect in turn would be pretty simple.

EDIT: This is coming to Nmap soon. https://github.com/nmap/nmap/pull/943

EDIT 2: This is now supported in Nmap 7.60 by the smb-protocols script.

bonsaiviking
  • 11,316
  • 1
  • 27
  • 50
  • 2
    I can't believe someone downvoted one of the core developers of nmap, giving a complete and informative answer to the question. – Royce Williams May 19 '17 at 17:48
  • 1
    This answer is complete & accurate, can someone let us know if this still is the same & no modules released yet other than that of SMB detection etc.?? – Shritam Bhowmick May 22 '17 at 06:27
  • 2
    @ShritamBhowmick Made a note to implement this and update this answer when done: https://secwiki.org/w/Nmap/Script_Ideas#smb-version – bonsaiviking May 22 '17 at 13:43
  • 1
    Nmap 7.60 now includes this feature. https://nmap.org/nsedoc/scripts/smb-protocols.html – bonsaiviking Aug 02 '17 at 00:01
2

There are scripts called smb-vuln-ms08-067 & smb-vuln-cve2009-3103, contrary to what other answers say. You can use these via nmap -sU --script smb-vuln-ms08-067.nse -p U:137 <host> or nmap --script smb-vuln-ms08-067.nse -p445 <host>

nmap --script smb-os-discovery.nse -p445 127.0.0.1 will detect the host & protocol; you would just need to use grep to see if SMBv1 is still supported.

For the Latest SMBv2 Exploit Detection, use: https://github.com/countercept/doublepulsar-c2-traffic-decryptor

Example Usage

nmap --script smb-vuln-ms08-067.nse -p445 <host>
nmap -sU --script smb-vuln-ms08-067.nse -p U:137 <host>

Requires

msrpc, nmap, smb, stdnse, string, table, vulns

Reference: https://nmap.org/nsedoc/scripts/smb-vuln-ms08-067.html

Shritam Bhowmick
  • 1,602
  • 14
  • 28
  • Where in the output of smb-os-discovery is SMB version information shown? https://nmap.org/nsedoc/scripts/smb-os-discovery.html – Royce Williams May 21 '17 at 16:10
2

I was able to make a semi-functional smbv1-enabled.nse by taking the smbv2-enabled script and removing all the other dialects, leaving only NT LM .12

Remember that SMBv1 is really NT LM .12

Once you do that, you will get one of two results. If SMBv1 is enabled on the server, you'll get a bogus error that the server does not support smbv2; if SMBv1 is disabled, you won't get any message at all (because the SMB handshake fails).

AprilMJ
  • 21
  • 1
0

nmap -p139,445 --script smb-protocols IP-target

nobody
  • 11,251
  • 1
  • 41
  • 60
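To do the remediation monitoring the question asks about with the smb-protocols script named in EDIT 2 of the first answer and in the last answer, here is an added shell example (not from any post in this thread) that parses nmap's normal output and lists the hosts still advertising the NT LM 0.12 (SMBv1) dialect. The embedded nmap output is constructed to mimic the format smb-protocols prints; the function names and IP addresses are my own, and smb-protocols' exact annotation text is an assumption from the script's documentation.

```shell
#!/bin/sh
# Added example, not code from the thread: filter `nmap --script smb-protocols`
# normal output down to the hosts that still negotiate SMBv1 (NT LM 0.12).

# Constructed sample in the layout smb-protocols prints. Three hosts:
# 10.0.0.5 still offers SMBv1, 10.0.0.6 is remediated, 10.0.0.7 (reported with
# a hostname, so the IP is in parentheses) still offers SMBv1.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.11

Nmap scan report for 10.0.0.6
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|_    3.11

Nmap scan report for fileserver.corp.example (10.0.0.7)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.02
'

# smbv1_hosts: read nmap normal output on stdin and print one IP per line for
# every host whose smb-protocols dialect list contains NT LM 0.12 (SMBv1).
# The "Nmap scan report for" line starts a new host; its last field is either
# the bare IP or "(IP)" when nmap resolved a hostname, so parentheses are stripped.
smbv1_hosts() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /NT LM 0\.12/ && host != "" { print host; host = "" }
    '
}

# scan_smbv1: run the actual scan against the given targets and reduce it to the
# SMBv1 hosts. Usage: scan_smbv1 10.0.0.0/24   (requires nmap 7.60 or later)
scan_smbv1() {
    nmap -p445 --script smb-protocols "$@" | smbv1_hosts
}

# Stand-alone demonstration on the constructed sample; expected: 10.0.0.5 and 10.0.0.7
printf '%s' "$SAMPLE_NMAP_OUTPUT" | smbv1_hosts
```

Run the scan on a schedule and diff successive outputs of scan_smbv1 to watch the SMBv1 host list shrink; hosts that are down or filter 445 produce no smb-protocols block and therefore never appear in the list, so track them separately rather than counting them as remediated.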