smbv1 scanner


Recently, I was asked to test all SMB-enabled devices on a fairly large network to find any hosts that still supported SMBv1. This was about a month before Nmap released their SMB version enumeration NSE. I quickly threw together a script using Impacket from CoreImpact. The initial script was about 10 lines including the imports; it was slow and only allowed for a single set of hardcoded input files. It was also single-threaded, so it was slow: at about 4 seconds per address, it took almost a full day to complete each iteration. Testing a patch program using this was untenable.

As we’re huge fans of code re-use, I wrapped the script in my tried and true threading modules, re-learned argparse and created a functional Python program that only negotiates SMBv1 connections to a host. By only performing SMBv1 negotiation and not even including the options to enumerate others, I didn’t duplicate the functionality from Nmap and don’t have to worry about false positives.

This script will generate a large number of ARP requests during testing; this is per RFC when connecting to port 139. If stealth is important, reduce the threads using the -t option. Happy hunting and enjoy scanning for SMBv1.
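The SMBv1-only negotiation described above, as an added example (not the script from the repo, and using only the standard library instead of Impacket). It assumes direct TCP on port 445 rather than port 139, and the function names and sample replies are constructed for illustration:

```python
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

# Offer only the SMBv1 dialect, so a server cannot answer with SMB2/3.
DIALECT = b"\x02NT LM 0.12\x00"

def build_negotiate() -> bytes:
    """SMB_COM_NEGOTIATE (0x72) request framed for direct TCP (port 445)."""
    # 32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
    # 8-byte signature, reserved, TID, PIDLow, UID, MID.
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x18, 0xC001,
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    smb = header + struct.pack("<BH", 0, len(DIALECT)) + DIALECT
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 24-bit length

def supports_smbv1(resp: bytes) -> bool:
    """resp is the server reply with the 4-byte framing header removed."""
    if len(resp) < 35 or resp[:4] != b"\xffSMB" or resp[4] != 0x72:
        return False  # no reply, SMB2 magic (\xfeSMB), or not a negotiate reply
    status = struct.unpack_from("<I", resp, 5)[0]
    dialect_index = struct.unpack_from("<H", resp, 33)[0]
    # Word count 0 or index 0xFFFF means the offered dialect was rejected.
    return status == 0 and resp[32] >= 1 and dialect_index != 0xFFFF

def check_host(ip: str, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((ip, 445), timeout=timeout) as s:
            s.sendall(build_negotiate())
            buf = b""
            while len(buf) < 4 or len(buf) - 4 < (struct.unpack(">I", buf[:4])[0] & 0xFFFFFF):
                chunk = s.recv(4096)
                if not chunk:  # peer closed, typical when SMBv1 is disabled
                    break
                buf += chunk
            return supports_smbv1(buf[4:])
    except OSError:  # refused, reset or timed out: reported as "no SMBv1"
        return False

def scan(cidrs, threads=10):
    """Return the hosts in the given CIDR ranges that accepted SMBv1."""
    hosts = [str(h) for c in cidrs for h in ipaddress.ip_network(c, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return [h for h, ok in zip(hosts, pool.map(check_host, hosts)) if ok]

# Constructed sample replies (not captured traffic), used for an offline check.
SAMPLE_SMB1_OK = b"\xffSMB\x72" + b"\x00" * 27 + b"\x11\x00\x00" + b"\x00" * 32
SAMPLE_SMB1_NONE = b"\xffSMB\x72" + b"\x00" * 27 + b"\x01\xff\xff\x00\x00"

if __name__ == "__main__":
    print(supports_smbv1(SAMPLE_SMB1_OK), supports_smbv1(SAMPLE_SMB1_NONE))
```

Because a timeout or reset is reported the same as "no SMBv1", hosts that were unreachable during a run should be re-checked before being counted as remediated.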

We have added the repo to our GitHub. It requires netaddr, pycrypto and impacket.
Install with:
 pip install pycrypto
 pip install impacket
 pip install netaddr
python [*options]
usage: smbv1 scanner [-h] [-i INPUT [INPUT ...] | -f FILE] [-t THREADS]
                     [-o OUTPUT] [-v]

******* * * * * * * * Check SMB for Version 1 Support * * * * * * * *******

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT [INPUT ...], --input INPUT [INPUT ...]
                        IP Address in CIDR Notation
  -f FILE, --file FILE  file containing list of IPs to check
  -t THREADS, --threads THREADS
                        Number of Threads
  -o OUTPUT, --output OUTPUT
                        Output File Name
  -v, --version         show program's version number and exit

******* * * * * * * * * * * * * * * * * * * * * * * * * *******