Checks for CVE-2019-1040 vulnerability over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to CVE-2019-1040 and you can execute the MIC Remove attack with ntlmrelayx.
Note that this does not generate failed login attempts as the login information itself is valid, it is just the NTLM message integrity code that is absent, which is why the authentication is refused without increasing the badpwdcount.
The script requires a recent impacket version. Should work with both python 2 and 3 (Python 3 requires you to use impacket from git).
[*] CVE-2019-1040 scanner by @_dirkjan / Fox-IT - Based on impacket by SecureAuth usage: scan.py [-h] [-target-file file] [-port [destination port]] [-hashes LMHASH:NTHASH] target CVE-2019-1040 scanner - Connects over SMB and attempts to authenticate with invalid NTLM packets. If accepted, target is vulnerable to MIC remove attack positional arguments: target [[domain/]username[:password]@]<targetName or address> optional arguments: -h, --help show this help message and exit connection: -target-file file Use the targets in the specified file instead of the one on the command line (you must still specify something as target name) -port [destination port] Destination port to connect to SMB Server authentication: -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH