Nmap’s MS17-010 EternalBlue detection script is a sharp tool for sniffing out a specific, well-known vulnerability in older Windows SMB versions.
The vulnerability lies in how the Server Message Block (SMB) protocol, specifically versions 1.0 and 2.x, handles certain specially crafted packets. When a vulnerable system receives such a packet, it can lead to a buffer overflow, allowing an attacker to execute arbitrary code with kernel-level privileges. This is what "EternalBlue" exploited, famously seen in the WannaCry and NotPetya ransomware attacks.
To detect this, Nmap uses a specialized script (smb-vuln-ms17-010.nse). This script doesn’t just scan for open SMB ports (TCP 445); it actively probes the SMB service with a packet designed to trigger the vulnerable behavior without actually exploiting it. If the target system responds in a way that indicates the buffer overflow condition would occur, Nmap flags it as vulnerable.
Common Causes of False Negatives or Missed Detections
It’s rare for the script itself to be the problem, but your environment or how you’re running it can hide the vulnerability.
- Firewall Blocking SMB (TCP 445): The most common reason you won’t see a vulnerability is that the SMB traffic isn’t even reaching the target machine.
  - Diagnosis: From the machine where you’re running Nmap, try a simple TCP connect scan to port 445 on the target:
    nmap -p 445 <target_IP>
    If it shows "filtered", a firewall is likely blocking it.
  - Fix: If you have control over the firewall, allow inbound TCP traffic on port 445 from your scanning IP address. If you don’t, you’ll need to coordinate with network administrators to permit the scan.
  - Why it works: This ensures the SMB packets, including the NSE script’s probes, can actually traverse the network and reach the target’s SMB service.

- Target System Not Running SMB: The target might be a Windows machine, but it might not be configured to share files or printers, or the SMB service might be disabled.
  - Diagnosis: Run a more comprehensive Nmap scan to see if SMB is even advertised:
    nmap -sV -p 445 <target_IP>
    Look for "open|filtered" or "open" states on port 445, and check the service version output for "microsoft-ds" (which is SMB). If it’s not there, SMB isn’t running or accessible.
  - Fix: On the target Windows machine, ensure the "Server" service (LanmanServer) is running. You can check this via services.msc or remotely with PowerShell:
    Get-Service LanmanServer | Start-Service
  - Why it works: The MS17-010 vulnerability specifically targets the SMB protocol handler. If the SMB service isn’t active, there’s no handler to exploit.

- Outdated Nmap Script: While less common, the smb-vuln-ms17-010.nse script might be an older version that doesn’t correctly identify newer variations or edge cases of the vulnerability.
  - Diagnosis: Check your Nmap script directory (usually /usr/share/nmap/scripts/ on Linux or C:\Program Files (x86)\Nmap\scripts\ on Windows) and compare the timestamp or version of smb-vuln-ms17-010.nse with the latest available from the Nmap Git repository.
  - Fix: Update your Nmap installation or manually download the latest version of the script and place it in your Nmap scripts directory. On Linux, you can often update via your package manager:
    sudo apt update && sudo apt upgrade nmap
    or
    sudo yum update nmap
  - Why it works: Newer script versions incorporate fixes and updates that account for subtle changes in how the vulnerability manifests or how defensive measures in newer SMB stacks might behave.

- SMB Version Mismatch or Protocol Negotiation: The script primarily targets SMBv1 and SMBv2. If a system only supports SMBv3 and has SMBv1/v2 disabled, the script might not find a match. Modern Windows (Windows 10, Server 2016+) disable SMBv1 by default.
  - Diagnosis: Use the smb-protocols script to see which SMB dialects the target negotiates:
    nmap -p 445 --script smb-protocols <target_IP>
    If you only see SMBv3 dialects, the MS17-010 exploit (which targets older versions) is unlikely to work.
  - Fix: This is more of an informational diagnosis than a fix you’d apply to the scanner. If the target must be vulnerable and is running a modern OS, the vulnerability would have to be re-enabled (e.g., by installing an older Windows Server version or manually enabling SMBv1, which is strongly discouraged).
  - Why it works: The EternalBlue exploit specifically targets flaws in the SMBv1 and SMBv2 protocol implementations. If the system has moved beyond these versions and disabled them, the exploit vector is gone.

- Target System Patched: The most straightforward reason a system doesn’t report as vulnerable is that it has been patched. MS17-010 was released in March 2017.
  - Diagnosis: Run the vulnerability script, asking it to report non-vulnerable hosts as well (by default it prints nothing for a host it judges not vulnerable, which is easy to mistake for a failed scan):
    nmap -p 445 --script smb-vuln-ms17-010 --script-args vulns.showall <target_IP>
    If it returns "State: NOT VULNERABLE", the patch is likely applied.
  - Fix: Ensure all Windows systems are kept up-to-date with the latest security patches from Microsoft. For systems that cannot be patched (e.g., legacy systems, critical infrastructure), implement compensating controls like network segmentation and intrusion prevention systems.
  - Why it works: The MS17-010 patch specifically addresses the buffer overflow vulnerability in the SMB handling code, preventing the exploit from succeeding.

- Network Latency or Packet Loss: In unstable network conditions, the specific sequence of packets the Nmap script sends might get lost or arrive out of order, leading to an incorrect "filtered" or "not vulnerable" state.
  - Diagnosis: Run the scan multiple times, perhaps with increased timing parameters:
    nmap -p 445 --script smb-vuln-ms17-010 -T4 --max-retries 3 <target_IP>
    Observe whether the results are inconsistent between runs.
  - Fix: Improve network stability between the scanner and the target. If scanning over a WAN or unreliable link, consider running Nmap from a closer network segment or using a more robust network connection.
  - Why it works: Reliable delivery of the crafted SMB packets is crucial for the script to correctly assess the target’s response and determine its vulnerability status.
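The checks above can be run as one pass and read back automatically. The helper below is an added example, not code from Nmap or from the text above: it classifies the plain-text output of a combined scan against the causes listed, using the smb-protocols script and the vulns.showall script argument (both real Nmap features, neither mentioned earlier). The sample outputs it ships with are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not Nmap's own code: classify the plain-text output of
#   nmap -sV -p 445 --script smb-protocols,smb-vuln-ms17-010 --script-args vulns.showall <target_IP>
# against the causes of a missed detection. The sample captures below are constructed.

triage_ms17010() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq '^445/tcp +filtered'; then
        echo "firewall"        # probe never reached the SMB service
    elif printf '%s\n' "$out" | grep -Eq '^445/tcp +closed'; then
        echo "no-smb"          # host reachable, Server service not listening
    elif printf '%s\n' "$out" | grep -q 'State: VULNERABLE'; then
        echo "vulnerable"
    elif printf '%s\n' "$out" | grep -q 'dialects:' &&
         ! printf '%s\n' "$out" | grep -q 'NT LM 0.12'; then
        echo "no-smbv1"        # SMBv1 not offered: the check cannot run, which is not proof of a patch
    elif printf '%s\n' "$out" | grep -q 'State: NOT VULNERABLE'; then
        echo "patched"
    else
        echo "inconclusive"    # no verdict line at all: rerun with --max-retries 3
    fi
}

# Constructed samples, trimmed to the lines the classifier keys on.
SAMPLE_FILTERED='PORT    STATE    SERVICE
445/tcp filtered microsoft-ds'
SAMPLE_VULNERABLE='445/tcp open  microsoft-ds
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.1
| smb-vuln-ms17-010:
|_    State: VULNERABLE'
SAMPLE_NO_SMBV1='445/tcp open  microsoft-ds
| smb-protocols:
|   dialects:
|_    3.1.1
| smb-vuln-ms17-010:
|_    State: NOT VULNERABLE'
SAMPLE_PATCHED='445/tcp open  microsoft-ds
| smb-protocols:
|   dialects:
|_    NT LM 0.12 (SMBv1) [dangerous, but default]
| smb-vuln-ms17-010:
|_    State: NOT VULNERABLE'

for s in "$SAMPLE_FILTERED" "$SAMPLE_VULNERABLE" "$SAMPLE_NO_SMBV1" "$SAMPLE_PATCHED"; do
    triage_ms17010 "$s"
done
```

Feed it a real scan with `triage_ms17010 "$(nmap -sV -p 445 --script smb-protocols,smb-vuln-ms17-010 --script-args vulns.showall <target_IP>)"`; the "no-smbv1" verdict is the one to watch, since it means the script never had a dialect to test rather than that the host is patched.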
If you’ve confirmed SMB is accessible, the target is running an older Windows OS, and you’re using an up-to-date Nmap script, the system is almost certainly patched. If you then run a broader SMB scan, the next findings you encounter will most likely come from other SMB vulnerability scripts, such as smb-vuln-ms16-075 or smb-vuln-ms17-132.