For more information see in https://blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3
SMBv3 Compression Tester
Multiple scripts and detection tools to check if a Windows machine has SMBv3 protocol enabled with the compression feature.
- NSE script
- Python script
- Snort rules:
- alerting on compressed SMB traffic, and compression-enabled hosts
- alerting on a DoS implementation of the vulnerability
- pcaps - examples of traffic using SMBv3 compression, and implementation of a DoS attack using the vulnerability
Our NSE script is based on
smb2-capabilities.nse which we expanded to detect SMBv3 compression as well. Currently it's a standalone NSE script with a patched lua file but we will PR the nmap repository with those changes.
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-11 18:17 IST Nmap scan report for 18.104.22.168 Host is up (0.00050s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb2-capabilities_patched: | 2.02: | Distributed File System | 2.10: | Distributed File System | Leasing | Multi-credit operations | 3.00: | Distributed File System | Leasing | Multi-credit operations | 3.02: | Distributed File System | Leasing | Multi-credit operations | 3.11: | Distributed File System | Leasing | Multi-credit operations |_ SMBv3 Compression LZTN1 (Negotiation Context) <----------
cd into run
SMBv3Compression (your cwd must be the same as the files) and run:
nmap -p445 --script ./smb2-capabilities_patched.nse IP_ADDR
SMBv3 Compression LZTN1 (Negotiation Context).
Disable SMBv3 compression
You can disable SMBv3 compression with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Apache License 2.0. See the parent directory.
There is no warranty, expressed or implied, associated with this product.