Detecting vulnerabilities using the SMB2/3 boot-time field
Before the Windows Fall Creators Update, SMB2/3 servers returned the system boot time (the ServerStartTime field) in the NEGOTIATE response, before any authentication took place. A host whose boot time predates the release of a critical patch cannot be running the fixed code, since installing the patch requires a reboot, so systems that return boot-time information can be fingerprinted for missing security patches. Because the check is an ordinary protocol negotiation that precedes every SMB connection, it does not trigger IDS/IPS/AV signatures the way an exploit probe would.
This recipe shows how to detect missing security patches in Windows systems with SMB2/3.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -p445 --script smb2-vuln-uptime <target>
The script reports a system as LIKELY VULNERABLE when it has not been rebooted since a critical patch was released, that is, when the reported boot time predates the patch. Note the limits of the check: a host rebooted after the release date but never patched is not reported, so a clean result is not proof that the patch is installed, and the verdict is an inference from uptime, not a confirmed vulnerability:
| smb2-vuln-uptime:
|   VULNERABLE:
|   MS17-010: Security update for Windows SMB Server
|     State: LIKELY VULNERABLE
|     IDs:  ms:ms17-010  ...
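To show what the script is doing under the hood, here is an added example, not Nmap's own code and not from this book: a Python parser that pulls ServerStartTime out of an SMB2 NEGOTIATE response, converts the FILETIME value to a date, and compares it with the MS17-010 release date (14 March 2017). The packets it checks are constructed inside the script rather than captured from a host, the header and body layouts follow MS-SMB2, and the patch table holds only MS17-010, where the NSE script carries a longer list. It also handles the case the recipe mentions, a server that returns a zero boot time, by reporting that no verdict is possible instead of guessing.

```python
"""Extract the boot time from an SMB2 NEGOTIATE response and compare it with
patch release dates, the way smb2-vuln-uptime does. Packets are constructed
here for demonstration; nothing is sent over the network."""
import struct
from datetime import datetime, timezone

EPOCH_DIFF_SECONDS = 11644473600      # seconds from 1601-01-01 to 1970-01-01 (UTC)
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001

# Release dates the boot time is compared against. Only MS17-010 is listed;
# the real NSE script ships with its own, longer table.
PATCHES = {
    "MS17-010": ("Security update for Windows SMB Server",
                 datetime(2017, 3, 14, tzinfo=timezone.utc)),
}


def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return (int(dt.timestamp()) + EPOCH_DIFF_SECONDS) * 10_000_000


def from_filetime(ft):
    """Windows FILETIME -> UTC datetime (integer maths, sub-second part dropped)."""
    return datetime.fromtimestamp(ft // 10_000_000 - EPOCH_DIFF_SECONDS, tz=timezone.utc)


def build_negotiate_response(system_time, boot_time):
    """Construct a minimal SMB2 NEGOTIATE response (64-byte header + 65-byte body).
    boot_time=None yields ServerStartTime == 0, i.e. a server that reports no boot time."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE, 0,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65,                     # StructureSize
                       1,                      # SecurityMode: signing enabled
                       0x0210,                 # DialectRevision: SMB 2.1
                       0,                      # Reserved
                       b"\0" * 16,             # ServerGuid
                       0, 65536, 65536, 65536, # Capabilities, MaxTransact/Read/Write
                       to_filetime(system_time),
                       to_filetime(boot_time) if boot_time else 0,
                       SMB2_HEADER_LEN + 64,   # SecurityBufferOffset
                       0,                      # SecurityBufferLength
                       0)                      # Reserved2
    return header + body + b"\0"               # one byte of (empty) Buffer


def parse_negotiate_response(packet):
    """Return (SystemTime, ServerStartTime) as raw FILETIME values."""
    if len(packet) < SMB2_HEADER_LEN + 64:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", packet, 12)   # Command field of the header
    flags, = struct.unpack_from("<I", packet, 16)     # Flags field of the header
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body = packet[SMB2_HEADER_LEN:]
    structure_size, = struct.unpack_from("<H", body, 0)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    # SystemTime and ServerStartTime follow the GUID, capabilities and size fields.
    return struct.unpack_from("<QQ", body, 40)


def assess(packet):
    """Every patch released after the last boot is reported, as smb2-vuln-uptime does.
    A zero ServerStartTime gives boot_time None and no findings."""
    _, start_ft = parse_negotiate_response(packet)
    if start_ft == 0:
        return {"boot_time": None, "findings": []}
    boot_time = from_filetime(start_ft)
    findings = [pid for pid, (_, released) in PATCHES.items() if boot_time < released]
    return {"boot_time": boot_time, "findings": findings}


# Constructed sample responses (not captures): one host booted before MS17-010
# was released, one booted after it, and one that hides its boot time.
NOW = datetime(2017, 7, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PACKETS = {
    "old_boot": build_negotiate_response(NOW, datetime(2017, 1, 10, tzinfo=timezone.utc)),
    "recent_boot": build_negotiate_response(NOW, datetime(2017, 6, 1, tzinfo=timezone.utc)),
    "no_boot_time": build_negotiate_response(NOW, None),
}

if __name__ == "__main__":
    for name, packet in SAMPLE_PACKETS.items():
        result = assess(packet)
        if result["boot_time"] is None:
            print(f"{name}: server reports no boot time, no verdict possible")
            continue
        print(f"{name}: boot time {result['boot_time'].isoformat()}")
        for pid in result["findings"]:
            print(f"  {pid}: {PATCHES[pid][0]}  State: LIKELY VULNERABLE")
```

The verdict is only ever LIKELY VULNERABLE: the parser sees when the kernel last started, not which updates are installed, so a host rebooted after the release date is silently passed over, and a patched host that has not yet rebooted is still flagged.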