nmap SMBv1 Scan via Script


nmap SMBv1 Scan via Script

:!: still untested :!:

The following modifications are needed to run a pure SMBv1 scan via an nmap script (the shipped smb-protocols script also probes SMB2/3):

nmap/nselib/smb.lua

Insert the following function:

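--- List the SMBv1 dialect a host accepts, if any.
--
-- Opens one SMB connection, runs only the SMBv1 negotiation and closes the
-- connection again. Unlike list_dialects no SMB2 probing follows, so the
-- second start(host) of the original version was a leftover that left an
-- extra connection open; it has been dropped.
--
-- @param host The host table to probe.
-- @param overrides Optional negotiation overrides; copied with
--        tableaux.tcopy so the caller's table is never modified.
-- @return status true when the probe ran, false when start(host) failed.
-- @return supported_dialects On success a sequence holding the value
--         negotiate_v1 returned (the dialect string, empty when SMBv1 was
--         rejected); on failure whatever start(host) returned as its error.
function list_smbv1dialect(host, overrides)
  local supported_dialects = {}

  overrides = tableaux.tcopy(overrides or {})

  stdnse.debug2("Checking if SMBv1 is supported")
  local status, smbstate = start(host)
  -- start() reports failure as false; treat nil the same way.
  if not status then
    return false, smbstate
  end

  local smb1_dialect
  status, smb1_dialect = negotiate_v1(smbstate, overrides)
  if status then
    supported_dialects[#supported_dialects + 1] = smb1_dialect
  end
  -- Release the connection whether or not the negotiation succeeded.
  stop(smbstate)

  return true, supported_dialects
end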

nmap/scripts/smbv1.nse

local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
 
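-- The description is shown by --script-help; the wiki rendering had replaced
-- its spaces with underscores and lower-cased it, which is restored here.
description = [[
List SMBv1 servers only. The script attempts to initiate a connection using
the dialects: NT LM 0.12 (SMBv1). Additionally, if SMBv1 is found enabled it
will mark it as insecure. This script is the successor to the removed
smbv2-enabled script.
]]

---
-- @usage nmap -p445 --script smbv1 <target>
-- @usage nmap -p139 --script smbv1 <target>
--
-- @output
-- | smbv1:
-- |   dialects:
-- |     NT LM 0.12 (SMBv1) [dangerous, but default]
--
-- @xmloutput
-- <table key="dialects">
-- <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- </table>
---

author = "Paulino Calderon, modded by PsyCore"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "safe": the script only negotiates a dialect and never authenticates or
-- writes to the target.
categories = {"safe", "discovery"}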
 
--- Select hosts for which smb.get_port finds an SMB port.
-- @param host The host table supplied by Nmap.
-- @return true when smb.get_port returns a port, false otherwise.
hostrule = function(host)
  local smb_port = smb.get_port(host)
  return smb_port ~= nil
end
 
--- Probe the host for SMBv1 and report the accepted dialect.
--
-- @param host The host table supplied by Nmap.
-- @param port Unused; the SMB port is chosen by the smb library.
-- @return An output table with a "dialects" list when SMBv1 was negotiated;
--         a short message when nothing was accepted and verbosity is above 1;
--         nil otherwise.
action = function(host, port)
  local insecure_tag = " (SMBv1) [dangerous, but default]"
  local ok, dialects = smb.list_smbv1dialect(host)

  if ok then
    -- Tag the SMBv1 dialect so the report makes its risk obvious.
    for idx, name in ipairs(dialects) do
      if name == "NT LM 0.12" then
        dialects[idx] = name .. insecure_tag
      end
    end

    if #dialects > 0 then
      local report = stdnse.output_table()
      report.dialects = dialects
      return report
    end
  end

  stdnse.debug1("No dialects were accepted")
  if nmap.verbosity() > 1 then
    return "No dialects accepted. Something may be blocking the responses"
  end
end

Start the scan:

nmap -p139,445 --script smbv1 <target>