Eternal Blues

Eternal Blues is a free EternalBlue vulnerability scanner. It helps you find the blind spots in your network: the endpoints that are still vulnerable to EternalBlue.

Just hit the SCAN button and you will immediately start to see which of your computers are vulnerable and which aren’t. That’s it.

[Screenshot: EternalBlues_0.0.0.8]

If you wish, you can switch networks, or edit your own (yeah, you can also scan the world wide web if you wish). Please use it for a good cause only. We have enough bad guys already…

DOWNLOAD HERE


Was this tool tested in real networks?

Oh yeah. Obviously I cannot say which, but with almost every network I connected to, there were a few vulnerable computers.

IMPORTANT: It does *not* exploit the vulnerability, but just checks whether it is exploitable.

July 12, 2017: Worldwide statistics are available
August 7, 2017: Stats explained

Yet another vulnerability scanner?

There are many vulnerability scanners out there. So… why did I create another? Mainly for ease of use. The majority of the latest WannaCry and NotPetya (Petya, GoldenEye or whatever) victims are not technical organizations, and sometimes are just small businesses that don’t have a security team, or even an IT team, to help them mitigate this. Running NMap or Metasploit (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.

Notes

This is a free tool provided for your benefit & security. I don’t charge for it. It is here to help you and also to help me get worldwide statistics. Learn more about it.

Tips

  • If you’re about to run it in your working environment, please update the IT/Security team in advance. You don’t want to cause (IDS/IPS/AV) false alarms.
  • If vulnerable systems were found, please install Windows updates ASAP.
  • For God’s sake, please disable SMBv1 already, whether your systems are patched or not. This protocol was written over 3 decades ago…!
  • If you would like to enjoy the tool but disallow sending anonymous statistics (which is so uncool), disable access to my website.

Final words

I really hope this can help people and organizations protect against the next attack.

This is a no-guarantees-use-at-your-own-risk tool.

Special thanks to Jonathan Smith for his contribution!

Please share your feedback:

  • Twitter: Omerez
  • LinkedIn: Elad Erez
  • Email: EternalBlues!omerez.com (replace ‘!’ with ‘@’)
  • Comment below


83 thoughts on “Eternal Blues”

  1. Hi, thank you for providing such an easy method to check the local LAN. It would be great, however, if you could elaborate a little more in your blogpost on how exactly it checks for vulnerable systems.

  2. Thanks for your effort in making this! I’m wondering if you can tell us how intrusive this is on the network? What is the probability of knocking over an XP or 2003 machine using your tool?

    1. Not intrusive. It just checks for the vulnerability’s existence.
      Tech guys: SMBv1 – Negotiate, Session Setup, Tree Connect, Peek Named Pipe –> looking for STATUS_INSUFF_SERVER_RESOURCES. I’ll blog about it soon.
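
The decision at the end of the sequence described in the reply above, as an added example that is not part of the original thread and is not the tool's own code: it reads the NT status from the SMB1 header of the final reply and flags STATUS_INSUFF_SERVER_RESOURCES. The header layout and command code follow the SMB1 protocol; the helper names and the sample replies are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25  # command that carries the PeekNamedPipe request
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205


def parse_smb1_reply(data: bytes):
    """Return (command, nt_status) from one SMB1 reply, or None if not SMB1."""
    # On TCP/445 every message has a 4-byte prefix: a zero byte plus a 3-byte length.
    if len(data) >= 8 and data[0] == 0 and data[5:8] == b"SMB":
        data = data[4:]
    # The fixed SMB1 header is 32 bytes; status is the 4 bytes after the command.
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        return None
    command, status = struct.unpack_from("<BI", data, 4)
    return command, status


def classify_peek_reply(data: bytes) -> str:
    """Classify the reply to the final (Peek Named Pipe) step of the check."""
    parsed = parse_smb1_reply(data)
    if parsed is None:
        return "no SMBv1 reply"
    command, status = parsed
    if command != SMB_COM_TRANSACTION:
        return "unexpected reply"
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable indicator"
    return "not indicated (0x%08X)" % status


def make_reply(command: int, status: int, framed: bool = True) -> bytes:
    """Build a constructed, empty-bodied SMB1 reply (sample data, not a capture)."""
    header = SMB1_MAGIC + struct.pack("<BI", command, status) + b"\x00" * 23
    msg = header + b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0
    return (b"\x00" + len(msg).to_bytes(3, "big") + msg) if framed else msg


if __name__ == "__main__":
    samples = {
        "host-a": make_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES),
        "host-b": make_reply(SMB_COM_TRANSACTION, 0xC0000022),  # STATUS_ACCESS_DENIED
        "host-c": b"\xfeSMB" + b"\x00" * 60,  # SMB2-style magic: not an SMB1 reply
    }
    for host, raw in samples.items():
        print(host, "->", classify_peek_reply(raw))
```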

  3. I checked a few machines reported vulnerable by this tool; however, they had the latest CU installed, and other tools are not reporting them vulnerable.

    1. In some cases, there was an issue with detection. Starting with version 0.0.0.5 (already uploaded) you will probably get the same results as with other tools. Please report if you don’t.
      I’ll blog with some more details about it in a few hours.

      1. I tried the latest version and it’s working fine. Thanks for fixing the issues. I had one other recommendation but saw someone else has already requested it: running the scan on a different subnet without closing and re-launching the app.

        1. One more request :)
          Is it possible to schedule the scan using a script so that it scans the machines which were offline during the initial run and sends an email?
          These are good-to-have features, not necessarily needed; the tool you have made is serving its purpose. Thanks again.

    1. Yes. Currently only 1 out of 61 reports it is not safe. Probably a bug with SentinelOne (Static ML) detection.

      1. Update: Symantec today warned about it with their heuristic scan. I submitted it as a false-positive. They analyzed it (in less than 40 minutes!!) and approved it as a wrong detection. It’ll take them up to 24 hours to update their products.
        Amazing service by Symantec.

  4. Thank you for this tool. Can you add an option to scan the current machine only? This will be helpful for home users, like me, who have only 1 Windows machine on the network.

    Thank you.

    Keep up the good work.

    1. Good idea. I will definitely add it soon.
      In the meantime, you can achieve that by setting the IP range to your host’s address, just like this:

      [Screenshot: Scanning current host]

  5. Using version 0.0.0.3, the IP sub-net mask of the current PC is not computed correctly. For instance, on a /25 sub-net, the tool reports /24 and therefore generates probes to IP addresses outside the local infrastructure.

    1. The default is /24. You can easily change that manually in the “from” and “to” text boxes.
      And please use version 0.0.0.5, it includes a detection fix.

  6. Great tool, thank you for taking the time to make it.

    I wish I could find something as simple to tell me if anything on my network is using SMBv1.

      1. OMG! That is so awesome, thank you so much.

        I’ve jumped into the deep end with NMap last week to try and figure this out, but I’m not far enough along with it to identify what is actually running SMBv1.

        I’m much happier plugging the holes this found and then spending the time to get up to speed with NMap.

  7. Thanks for the tool!

    What credentials is the program using? Null?

    I think that should be a parameter: User/Password/Domain.

    Otherwise you can have false negatives.

    1. With version 0.0.0.6, it can be both, as well as: IP not in use at all (meaning, no host for this IP).
      Adding to my TODO: “NO RESPONSE” reason (IP/port). Thanks.

  8. I did the scan, which works very well. Stupid question: the tool found 36 workstations with SMBv1 enabled, but it says “NO (SMBv1 enabled)”. Does this mean that even if the workstation has SMBv1 enabled it is not exploitable? Or is it just saying that in case of infection it can spread by this protocol?
    Thanks in advance

    1. Not a stupid question at all. It means these hosts are *not* vulnerable to the EternalBlue vulnerability.
      However, SMBv1 is a very old protocol and likely to be exploited. So if possible, my recommendation will be to completely disable it.

      I’ll add recommendations within the tool soon.

    1. I agree with m o, starting another scan without closing the app would be good.

      Secondly, need to advise people that if they have a local IDS/firewall they need to turn it off or create an exception else the scans all show good.

      Thanks for a neat tool.

  9. Hello, thanks for a great tool.
    I tried to download from your link and I see the version is 0.0.0.3.
    Where can I get the new version?

  10. Nice tool

    I tried it on my network of 4 computers. Three of them are running Windows Ten and one Windows 7. I was surprised at the results: all three of the Windows Ten and the Windows 7 had SMB 1 enabled but not vulnerable.

    I could have sworn that I read that Windows 10 disabled SMB 1 by default.

    1. I believe that Microsoft has said starting with the Fall version 2017, Windows 10 will default to no SMB1 but even that’s for new installs, not upgrades.

    1. Not sure I get your point.
      Do you have a better alternative for TCP? I guess not.
      Do you have a better alternative for SMBv1? Yes, you do. Anyway, Microsoft also recommends disabling it.

      1. NOT what is wrong with SMBv1, but what is wrong with anything below MS’s latest Win10. All his improvements are only going into v3 even though v2 is still in support. Gee, I wonder why?

        Wake up and smell the self-serving FUD. Best advice: don’t put MS computers directly on the net. MS’s networking was originally designed for a low threat environment. Better to put them behind a gateway running another OS (ex: linux or Bsd).

        If MS wanted to demonstrate they were serious about security, and if SMBv3 is so much better, then they’d release it as a security update to v2 for Win7+8. Right now, it looks like repetitious marketing about how bad the “last OS was” and “how much more secure our new OS is, so please update to our newest version”…

  11. P.s. — tool doesn’t allow a rescan (wanted to boot another computer), but asks if user wants to exit when they try to exit.

    The tool has no further function or use (since rescan is disabled), so why wouldn’t someone want to exit? Even if rescan were not disabled, why 2nd guess the user — an idea promulgated by MS from 20-25 years ago, that users expressed dislike for.

    How can someone use a disliked popup dialog yet advise not using a liked protocol based on age?

    FWIW — MS boxes shouldn’t be on the net. MS-networking products were designed for a trusted local network — not a hostile internet. Given that constraint — what’s wrong with SMBv1 (besides being slower)?

  12. Hi, this tool is wonderful.
    I wonder how could I scan for certain IP addresses only (like from a txt file) instead of the full range of the company’s network? I only want to check for servers (around 1.400) spread around in hundreds of subnets.

    1. Thank you!
      It is not possible and not going to be, since it opens a door for malicious actors’ automation. You know, bad actors usually won’t use a GUI-based app, but one that can be automated.
      However, I recommend cloning the EXE to different folders, then running it multiple times (simultaneously) on different ranges.

  13. The tool is great; it helps me monitor network machines that have not been updated for this vulnerability. However, the tool has a weakness: if I want to scan again, I must exit the program and then run the exe again. So inconvenient!
    Thanks!

      1. Is your tool portable or an installer?
        Is it useful for a desktop PC with Win 10 Home 64-bit Creators Update version 1703?
        Thanks!
        Cheers!
        :)

  14. I had an older machine on our network (Win Server 2003) that I was sure was patched. Testing with this software it said it was vulnerable. Everything else on our network showed ok (or that smbv1 exists but not vulnerable).

    I thought the test was incorrect for that one old machine. Elad was very helpful and guided me through other tests. Amazing support considering the tool is free!

    We determined in the end that our patching had not worked and the machine was indeed vulnerable (by using a local check tool). Reapplied the specific MS patch, rebooted, and then both tools (local + this one) showed it no longer vulnerable!

    Thanks Elad for bearing with us and ensuring we really did check the machine. All good now.

    I think what Elad is doing here is noble!

    Alan

  15. Elad, thanks for the tool. I think it’s awesome. That being said, I’ve got a couple of comments.

    1. It does not seem to reach all the computers on my network (just a small home network). I can ping all the computers in question. The ones that it does not seem to reach are either laptops on WiFi or they are a bit far away (physically) with two or three switches between. The tool just says “no response.” I have to run them on those machines to run the tool. One machine, a laptop running Win 7 Pro, still won’t provide anything other than “no response.” Weird. Perhaps the tool is timing out too quickly?

    2. Regarding SMB v1 disabling, there’s the server side and the workstation side. I initially incorrectly did the workstation side on W7 computers so that only the server side was disabled, but that was enough for the tool to declare that SMB v1 was disabled. Is it only checking the server side?

    Thanks,

    Mike

    1. Hi Mike,
      Thanks for the feedback.

      As for timing out too quickly – there are some rare cases of (super) slow networks, in which Eternal Blues timed out before getting a response. I’ve just increased the timeout with version 0.0.0.9. If you still think there are issues, please contact me through email so we can pinpoint the problem.

      As for disabling the SMBv1 server side – you actually did the right thing. ETERNALBLUE exploits the server side – cases where a host has the SMB port opened and it is listening (and accepting) SMBv1 messages from remote clients. Once again, you did the right thing.

  16. Great tool, helped me analyze my network and shut down SMBv1 on all devices which don’t need it, thanks!

    FYI, it was interesting how it interacted with Symantec Endpoint Protection on our workstations. I first had to disable Symantec on mine (the workstation I was running the scan tool from), then the ones that still had SMBv1 enabled, even though they were patched with the Microsoft patch, Symantec popped up on them that there was a MS17-010 vulnerability scan attack taking place and blocked my workstation from connecting to those workstations for 600 seconds (the default value for Symantec). So if I understand that behavior correctly Symantec should be able to protect my network from SMBv1-based attacks. But better to disable it entirely! ;-)

    1. Thanks for sharing :)
      Well, I wouldn’t say Symantec protects you from (all) SMBv1-based attacks. It definitely does the job for EternalBlue-based attacks. The best will be just to disable SMBv1 completely.

  17. Thanks!
    I see lots of versions in a month (June-July),
    then since 25 July no new versions. Why?
    And Avira reports a trojan dropper virus even when I click your linked versions page,
    and of course also if I download your tool.
    Why?
    Cheers!

    1. There are no new updates since the tool does its job well and all known bugs got fixed. Most of the feature requests were delivered a long time ago.
      As for Avira – according to Virus Total scan from moments ago – it appears clean. Please email me your Avira version and exact user flow so I’ll report them (once again).

      10x!
