How to Detect MS17-010 Vulnerability in Your Systems

Written by JK | Sep 3, 2024 1:25:16 AM

Uncover the critical steps to identify and mitigate the infamous MS17-010 vulnerability that enabled global cyberattacks like WannaCry.

A quick write up to show how to detect the MS17-010 vulnerability using NMAP and to format a report into html readable format

The MS17-010 vulnerability, also known as EternalBlue, has been exploited by some of the most notorious malware, including WannaCry, Petya, and NotPetya. To protect your systems, it is crucial to detect this vulnerability early. One of the most efficient ways to do this is by using NMAP, a powerful network scanning tool.

Begin by downloading and installing NMAP from the official website. Once installed, you can use specific NMAP scripts designed to detect the MS17-010 vulnerability. The command you will use is: `nmap -p445 --script smb-vuln-ms17-010 `. Replace `` with the IP address of the target system you want to scan.

After running the scan, NMAP will provide a report indicating whether the target system is vulnerable to MS17-010. To make this report more accessible and readable, you can format it into HTML. NMAP supports generating output in various formats, including XML, which can then be transformed into HTML using tools like xsltproc. Use the command: `nmap -p445 --script smb-vuln-ms17-010 -oX report.xml `, followed by `xsltproc report.xml -o report.html`.

 

Detailed Steps

Install the NMAP script smb-vuln-ms17-010.nse on KALI

cd /usr/share/nmap/scripts

wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse

Create a shell script to utilise this NMAP script

Use NANO/VIM/VI or whatever your favourite editor is to create this..

 nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse “your ip or subnet to scan” -oX “output xml file”.xml

xsltproc “output xml file”.xml –o”output html file”.html

 Once created make the script executable

 chmod +x “name of script”.sh

Run the script

./”name of script”.sh

 Obviously, omit the double quotes and replace with the parameters you require. Xsltproc will reformat the xml output from NMAP into a nice to read html file.

The script will throw up a nice big vulnerability message associated with the host IP address if it finds smbv1 EternalBlue vulnerabilities.

 

 

 

Double Pulsar

You can also scan for Double Pulsar by downloading the following NMAP script and applying the same process as per above.

https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

Install the NMAP script smb-double-pulsar.nse on KALI

cd /usr/share/nmap/scripts

wget https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

The script will throw up a nice big vulnerability message associated with the host IP address if it finds smbv1 DoublePulsar vulnerabilities.