The big news right now is the remote code exploit in Samba that could allow an attacker to run arbitrary code on a Linux machine as root. This one is big and ugly, and I wouldn't be surprised to see exploit code soon that does more than the current proofs of concept do.
Linux has a way of being in a lot of places where you don't expect it. Embedded devices are one example: they may well be running Linux and may not get patched as often as they should. So we need a way to identify the machines running Samba versions that are vulnerable to this exploit. Here is my first attempt.
Since I have a large IP space to scan, I approached the problem in multiple passes. In the first pass I used nmap to get fast results, even though the version banner it reports is too coarse to tell vulnerable builds from patched ones. Here is the command I used:
nmap -PN -T5 -p445 -sV -oG /tmp/nmap-output.txt 10.0.0.0/16
That creates a grepable list of every machine with something listening on port 445, with whatever service banner nmap could read. Now let's trim it down to just the IP addresses of the machines running some version of Samba:
grep Samba /tmp/nmap-output.txt | cut -d" " -f2 > /tmp/samba-list.txt
For the second pass around the network I used the smb_version module in Metasploit. It's not well known, but you can pass a file instead of an IP address into the RHOSTS option. Here are the options that I set:
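As an added example (not the post's own commands or option settings), here is the whole two-pass procedure as one POSIX sh script. It runs against a constructed copy of nmap's grepable output so it works offline, keeps the hosts whose port-445 banner names Samba, compares any exact version nmap managed to resolve against a fixed-version threshold, and hands the unresolved hosts to the smb_version second pass. The threshold value (3.0.25) is a placeholder assumption for the demo; take the real number from the Samba advisory for the bug you are chasing.

```shell
#!/bin/sh
# Added example, not code from the original post: the two-pass Samba inventory
# as one script. Parses nmap -oG output, keeps Samba hosts, flags the ones whose
# exact version nmap resolved, and builds the Metasploit second pass for the
# rest. All scan output below is constructed sample data.

# Placeholder assumption: the first fixed release named in the Samba advisory.
# 3.0.25 is only a demo value, not a statement about any particular bug.
FIXED_VERSION=${FIXED_VERSION:-3.0.25}

# write_sample FILE: emit a constructed copy of what
# `nmap -PN -T5 -p445 -sV -oG FILE` writes. One "Host:" line per host; the
# service banner is the 7th slash-separated field of the Ports: column.
write_sample() {
    {
        printf '# Nmap scan initiated (constructed sample, not real scan output)\n'
        printf 'Host: %s ()\tPorts: 445/open/tcp//%s//%s/\n' \
            10.0.1.10 netbios-ssn 'Samba smbd 3.X - 4.X (workgroup: WORKGROUP)' \
            10.0.1.11 microsoft-ds 'Microsoft Windows Server 2003 microsoft-ds' \
            10.0.1.13 netbios-ssn 'Samba smbd 3.0.24 (workgroup: CORP)' \
            10.0.1.14 netbios-ssn 'Samba smbd 3.0.30 (workgroup: CORP)'
        printf 'Host: 10.0.1.12 ()\tPorts: 445/filtered/tcp//microsoft-ds///\n'
        printf '# Nmap done\n'
    } > "$1"
}

# samba_hosts FILE: the post's grep | cut pipeline, anchored on "Host:" lines so
# a stray "Samba" elsewhere in the file cannot yield a bogus address. Field 2 of
# a Host: line is the IP address.
samba_hosts() {
    grep '^Host:.*Samba' "$1" | cut -d" " -f2
}

# version_lt A B: succeed when dotted version A is numerically lower than B,
# field by field (so 3.0.9 < 3.0.10, unlike a plain string sort). Equal is not
# lower. Trailing letters in a field are ignored by awk's numeric conversion.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# classify FILE FIXED: print "IP VERSION VERDICT" for every Samba host. VERDICT
# is older/current when nmap resolved an exact version, and unresolved when it
# only reported a range such as "3.X"; those hosts are what the second pass is for.
classify() {
    grep '^Host:.*Samba' "$1" | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | cut -d" " -f2)
        ver=$(printf '%s\n' "$line" | sed -n 's/.*Samba smbd \([^ /]*\).*/\1/p')
        case $ver in
            ""|*[!0-9.]*) verdict=unresolved ;;
            *) if version_lt "$ver" "$2"; then verdict=older; else verdict=current; fi ;;
        esac
        printf '%s %s %s\n' "$ip" "${ver:-unknown}" "$verdict"
    done
}

# second_pass LISTFILE: the Metasploit step. RHOSTS accepts "file:PATH", so the
# whole list goes into one run. When msfconsole is absent (as in a test
# sandbox) the command is shown instead of run.
second_pass() {
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -x "use auxiliary/scanner/smb/smb_version; set RHOSTS file:$1; set THREADS 16; run; exit"
    else
        printf 'msfconsole not found; second pass would be: use auxiliary/scanner/smb/smb_version; set RHOSTS file:%s; run\n' "$1"
    fi
}

# Demo on the constructed sample. Point write_sample's output at your real
# -oG file to use this for real, and only call second_pass on the real list.
out=${TMPDIR:-/tmp}/nmap-output-sample.txt
list=${out%.txt}-samba-list.txt
write_sample "$out"
samba_hosts "$out" > "$list"
classify "$out" "$FIXED_VERSION"
# second_pass "$list"
```

The interesting output line is the `unresolved` one: nmap's `-sV` often cannot do better than a major-version range for Samba, which is exactly why the list has to go through smb_version before anyone declares a host patched.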
So there's my quick and dirty trick to find the work that still needs to be done.