Wednesday, April 11, 2012

Detecting machines in need of Samba patching

The big news right now is the remote code execution exploit in Samba that could allow an attacker to run arbitrary code on a Linux machine as root. This is a big, ugly one, and I wouldn't be surprised to see exploit code coming soon that does more than the current proofs of concept do.

Linux has a way of being in a lot of places even when you don't expect it to be. Embedded devices are an example of machines that might be running Linux and might not get patched as frequently as they should. So we need a way to identify the machines that are running Samba versions that are vulnerable to this exploit. Here is my first attempt.

Since I have a large IP space to scan, I decided to approach the problem in multiple passes. In the first pass I used nmap to get fast results, even though they will not be detailed enough to answer my question. Here is the command that I used (the address range to scan goes at the end):
nmap -PN -T5 -p445 -sV -oG /tmp/nmap-output.txt <target-range>

That will create a list of machines that are running anything on port 445. Now let's trim that down to just a list of the IP addresses of machines that are running some version of Samba.
grep Samba /tmp/nmap-output.txt | cut -d" " -f2 > /tmp/samba-list.txt
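
The grep above matches "Samba" anywhere on the line, including a hostname, and does not say which port matched. The following is an added example, not the author's code: it reads the grepable output field by field and only reports open ports whose version string names Samba, so it also works if port 139 is added to the scan. The function names and the sample hosts are constructed for illustration.

```sh
#!/bin/sh
# Added example: parse nmap grepable (-oG) output field by field.

# samba_hosts FILE: print "ip port version" for each open port whose
# service-version field names Samba.
samba_hosts() {
    awk -F'\t' '
    /^Host: / {
        split($1, h, " ")                 # h[2] is the IP address
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            # strip the "Ports: " label, then split the port entries
            n = split(substr($i, 8), entry, ", ")
            for (j = 1; j <= n; j++) {
                # entry layout: port/state/proto/owner/service/rpcinfo/version/
                split(entry[j], f, "/")
                if (f[2] == "open" && f[7] ~ /Samba/)
                    print h[2], f[1], f[7]
            }
        }
    }' "$1"
}

# samba_ips FILE: unique IP addresses, one per line, for the second pass.
samba_ips() {
    samba_hosts "$1" | cut -d" " -f1 | sort -u
}

# write_sample FILE: constructed sample data using documentation addresses.
write_sample() {
    {
        printf '# Nmap scan (constructed sample)\n'
        printf '%s\t%s\n' 'Host: 192.0.2.10 ()' \
            'Ports: 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: WORKGROUP)/'
        printf '%s\t%s\n' 'Host: 192.0.2.11 ()' \
            'Ports: 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/'
        printf '%s\t%s\n' 'Host: 192.0.2.12 ()' \
            'Ports: 445/closed/tcp//microsoft-ds///'
        printf '%s\t%s\n' 'Host: 192.0.2.13 (Samba-retired.example)' \
            'Ports: 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/'
        printf '%s\t%s\n' 'Host: 192.0.2.14 ()' \
            'Ports: 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: LAB)/, 445/closed/tcp//microsoft-ds///'
    } > "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
samba_hosts "$sample"
rm -f "$sample"
```

Redirecting `samba_ips /tmp/nmap-output.txt` to `/tmp/samba-list.txt` gives the same one-address-per-line file that the second pass reads.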

For the second pass around the network I decided to use the smb_version module in Metasploit. It's not well known, but you can pass a file instead of an IP address into the rhosts option. Here are the options that I set:

When I run that, I get the specific version number that is running on each machine. Now when a machine is updated to Samba 3.6 I'll know that I don't have to worry about it anymore. It is a lot faster to do this in multiple passes because nmap will run through a large network quite a bit faster than the Metasploit module (possibly because it is gathering less information).

So there's my quick and dirty trick to find the work that still needs to be done.

1 comment:

Anonymous said...

I think you should scan port 139 instead - not all samba systems listen on 445!