Eternal Blues is a free EternalBlue vulnerability scanner. It helps you find the blind spots in your network: the endpoints that are still vulnerable to EternalBlue.
Just hit the SCAN button and you will immediately start to see which of your computers are vulnerable and which aren’t. That’s it.
If you wish, you can switch networks, or edit your own (yeah, you can also scan the world wide web if you wish). Please use it for a good cause only. We have enough bad guys already…
Was this tool tested in real networks?
Oh yeah. Obviously I cannot say which, but with almost every network I connected to, there were a few vulnerable computers.
IMPORTANT: It does *not* exploit the vulnerability, but just checks whether it is exploitable.
July 12, 2017: Worldwide statistics are available
August 7, 2017: Stats explained
Yet another vulnerability scanner?
There are many vulnerability scanners out there. So… why did I create another? Mainly for ease of use. The majority of the latest WannaCry and NotPetya (Petya, GoldenEye or whatever) victims are not technical organizations, and sometimes they are just small businesses that don’t have a security team, or even just an IT team, to help them mitigate this. Running Nmap or Metasploit (not to mention more commercial products) is something they will never do. I aimed to create a simple ‘one-button’ tool that tells you one thing and one thing only – which systems are vulnerable in your network.
Notes
This is a free tool provided for your benefit & security. I don’t charge for it. It is here to help you and also to help me gather worldwide statistics. Learn more about it.
Tips
- If you’re about to run it in your working environment, please update the IT/Security team in advance. You don’t want to cause (IDS/IPS/AV) false alarms
- If vulnerable systems were found, please install the Windows updates ASAP
- For God’s sake, please disable SMBv1 already. Whether your systems are patched or not. This protocol was written over 3 decades ago…!
- If you would like to enjoy the tool but disallow sending anonymous statistics (which is so uncool), disable access to my website
Final words
I really hope this can help people and organizations protect against the next attack.
This is a no-guarantees-use-at-your-own-risk tool.
Special thanks to Jonathan Smith for his contribution!
Please share your feedback –
Hi, thank you for providing such an easy method to check the local LAN. It would be great, however, if you could elaborate a little more in your blogpost on how exactly it checks for vulnerable systems.
It doesn’t work for w2003s. They are patched but it said they are vulnerable
Thanks for reporting. I’ll check that.
Seems to be OK now with latest version (0.0.0.5).
Thanks for your effort in making this! I’m wondering if you can tell us how intrusive this is on the network? What is the probability of knocking over an XP or 2003 machine using your tool?
Not intrusive. It just checks for the vulnerability existence.
Tech guys: SMBv1 – Negotiate, Session Setup, Tree Connect, Peek Named Pipe –> looking for STATUS_INSUFF_SERVER_RESOURCES. I’ll blog about it soon.
More technical details here – Eternal Blues – Day 4 (important update)
Thanks for your tool, I just tested it and it is working.
Deactivating Samba V1 makes the Eternal test safe:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Thank you so much for sharing this utility ; )
Greetings, and Thank You for spending your time creating this useful tool!
Hi, is it available on GitHub for learning purposes?
I checked a few machines reported vulnerable by this tool; however, they had the latest CU installed, and other tools are not reporting them vulnerable.
In some cases, there was an issue with detection. Starting with version 0.0.0.5 (already uploaded) you will probably get the same results as with other tools. Please report if you don’t.
I’ll blog with some more details about it in a few hours.
I tried the latest version and it’s working fine. Thanks for fixing the issues. I had one other recommendation but saw someone else has already requested it: running the scan on a different subnet without closing and re-launching the app.
One more request 🙂
Is it possible to schedule the scan using a script so that it scans the machines which were offline during the initial run and sends an email?
These are good to have features not necessarily needed, the tool you have made is serving its purpose. Thanks again.
Is it possible to add a new column for nslookup value so that it makes it easy to identify the machine?
Great idea, sure! Added it in v0.0.0.8.
Thank you for adding this option, this really helps in reporting.
Did you check this tool is whitelisted by AV?
At least please check and command in VT link on this tool.
Yes. Currently only 1 out of 61 reports it is not safe. Probably a bug with SentinelOne (Static ML) detection.
Update: Symantec today warned about it with their heuristic scan. I submitted it as a false-positive. They analyzed it (in less than 40 minutes!!) and approved it as wrong detection. It’ll take them up to 24 hours to update their products.
Amazing service by Symantec.
Thank you for this tool. Can you add an option to scan the current machine only? This will be helpful for home users, like me, who have only 1 Windows machine on the network.
Thank you.
Keep up the good work.
Good idea. I will definitely add it soon.
In the meantime, you can achieve that by setting the IP range to your host’s address, just like this:
Thank you ELAD EREZ ! <3 From Malaysia 🙂
Using version 0.0.0.3, the IP sub-net mask of the current PC is not computed correctly. For instance, on a /25 sub-net, the tool reports /24 and therefore generates probes to IP addresses outside the local infrastructure.
The default is /24. You can easily change that manually in the “from” and “to” text boxes.
And please use version 0.0.0.5, it includes a detection fix.
Great tool, thank you for taking the time to make it.
I wish I could find something as simple to tell me if anything on my network is using SMBv1.
This is such a great idea, thanks! I’ve just added it with version 0.0.0.6 –
OMG! That is so awesome, thank you so much.
I’ve jumped into the deep end with NMap last week to try and figure this out, but I’m not far enough along with it to identify what is actually running SMBv1.
I’m much happier plugging the holes this found and then spending the time to get up to speed with NMap.
Unfortunately, my AV forbids me from downloading this. 🙁
Can you please specify which one so I’ll notify about their wrong detection? According to VT there’s only one AV with FP (SentinelOne (Static ML)) out of 61 which approve EternalBlues.exe – EternalBlues.exe (0.0.0.6) scan results with 61 AVs
Thanks for the tool!
What credentials is the program using? Null?
I think that should be a parameter: User/Password/Domain.
Otherwise you can have false negatives.
No credentials are required. You’re welcome to read more about the exploit – How this tool works?
Thank You Elad ! 🙂
NO RESPONSE means? Port closed? firewalled?
With version 0.0.0.6, it can be both, as well as: IP not in use at all (meaning, no host for this IP).
Adding to my TODO: “NO RESPONSE” reason (IP/port). Thanks.
Thank you! It seems our prevention configuration on Kaspersky personal firewall is working.
I did the scan, which works very well. Stupid question: the tool found 36 workstations with SMBv1 enabled, but it says “NO (SMBv1 enabled)”. Does this mean that even if the workstation has SMBv1 enabled it is not exploitable? Or is it just saying that in case of infection it can spread by this protocol?
Thanks in advance
Not a stupid question at all. It means these hosts are *not* vulnerable to the EternalBlue vulnerability.
However, SMBv1 is a very old protocol and likely to be exploited. So if possible, my recommendation will be to completely disable it.
I’ll add recommendations within the tool soon.
Thank You, Also tested the response of the antivirus SEP.
Thank 🙂
thanks for a great tool!
Performing an additional scan without having to restart the app would be great though 🙂
I agree with m o, starting another scan without closing the app would be good.
Secondly, need to advise people that if they have a local IDS/firewall they need to turn it off or create an exception else the scans all show good.
Thanks for a neat tool.
Hello, thanks for a great tool.
I tried to download from your link and I see the version is 0.0.0.3.
Where can I get the new version?
Latest version available here.
Nice tool
I tried it on my network of 4 computers. Three of them are running Windows Ten and one Windows 7. I was surprised at the results: all three of the Windows Ten and the Windows 7 had SMB 1 enabled but not vulnerable.
I could have sworn that I read that Windows 10 disabled SMB 1 by default.
I believe that Microsoft has said starting with the Fall version 2017, Windows 10 will default to no SMB1 but even that’s for new installs, not upgrades.
Thank you for the great tool!
Although I don’t understand Portuguese, I appreciate your comment 😉
Nice, but this also just gave every cybercriminal a heads up on which country to hit.
Cyber criminals don’t need this tool, they can use nmap, metasploit, many others to do the same thing
Correct, great comment. Besides, what kind of a hacker will leverage a GUI-based tool for hacking? 😉
No scripting with Eternal Blues, by design.
SMBv1 should be disabled because it is over 30 years old? And how old is TCP?
Not sure I get your point.
Do you have a better alternative for TCP? I guess not.
Do you have a better alternative for SMBv1? Yes, you do. Anyway, Microsoft also recommends disabling it.
NOT what is wrong with SMBv1, but what is wrong with anything below MS’s latest Win10. All his improvements are only going into v3 even though v2 is still in support. Gee, I wonder why?
Wake up and smell the self-serving FUD. Best advice: don’t put MS computers directly on the net. MS’s networking was originally designed for a low threat environment. Better to put them behind a gateway running another OS (ex: linux or Bsd).
If MS wanted to demonstrate they were serious about security, and if SMBv3 is so much better, then they’d release it as a security update to v2 for Win7+8. Right now, it looks repetitious marketing about how bad the “last OS was” and “how much more secure our new OS is, so please update to our newest version”…
As for the Microsoft-related discussion, I agree with some of your points, but let’s call it a day and try to stick with Eternal Blues related stuff.
P.s. — tool doesn’t allow a rescan (wanted to boot another computer), but asks if user wants to exit when they try to exit.
The tool has no further function or use (since rescan is disabled), so why wouldn’t someone want to exit? Even if rescan were not disabled, why 2nd guess the user — an idea promulgated by MS from 20-25 years ago, that users expressed dislike for.
How can someone use a disliked popup dialog yet advise not using a liked protocol based on age?
FWIW — MS boxes shouldn’t be on the net. MS-networking products were designed for a trusted local network — not a hostile internet. Given that constraint — what’s wrong with SMBv1 (besides being slower)?
Long live the difference between UX and Security…
And, as for what’s wrong with SMBv1?
Ned Pyle, Principal PM @ Microsoft, wrote a great blog – Stop using SMBv1.
Hi, this tool is wonderful.
I wonder how could I scan for certain IP addresses only (like from a txt file) instead of the full range of the company’s network? I only want to check for servers (around 1.400) spread around in hundreds of subnets.
Thank you!
It is not possible and not going to be, since it opens a door for malicious actors’ automation. You know, bad actors usually won’t use a GUI-based app, but one that can be automated.
However, I recommend cloning the EXE to different folders, then running it multiple times (simultaneously) on different ranges.
Wonderful tool. Runs and digs out vulnerable systems like a rabbit.
Thanks!
The tool is very great; it helps me monitor which network machines have not been updated for this vulnerability. However, the tool has a weakness: if I want to scan again, I must exit the program and then run the exe again. So inconvenient!
Thanks!
Thank you for your feedback. In my TODO 😉
Avira stops your tool... it says it is a trojan virus dropper:
Here is the report:
TR/Dropper.Gen
Why..??
Thanks for reporting. I’ll open a case for Avira. Although I’ve just verified it with VT and it seems fine:
Is your tool portable or is it an installer?
Is it useful for a desktop PC with Win 10 Home 64-bit Creators Update version 1703?
Thanks!
cheers!
🙂
Not sure about this one – didn’t check with this specific version.
Cheers!
I had an older machine on our network (Win Server 2003) that I was sure was patched. Testing with this software it said it was vulnerable. Everything else on our network showed ok (or that smbv1 exists but not vulnerable).
I thought the test was incorrect for that one old machine. Elad was very helpful and guided me through other tests. Amazing support considering the tool is free!
We determined in the end that our patching had not worked and the machine was indeed vulnerable (by using a local check tool). Reapplied the specific MS patch, rebooted, and then both tools (local + this one) showed it no longer vulnerable!
Thanks Elad for bearing with us and ensuring we really did check the machine. All good now.
I think what Elad is doing here is noble!
Alan
Thank you Alan for the kind words! So glad I was able to help and alert about this (stubborn) blind spot.
Is your tool -portable-??
Or not?
Does it create some Windows reg keys in the machine we scan?
Please reply clearly!
cheers!
Already replied – “yes”. As for registry keys – I’m not creating any.
Elad, thanks for the tool. I think it’s awesome. That being said, I’ve got a couple of comments.
1. It does not seem to reach all the computers on my network (just a small home network). I can ping all the computers in question. The ones that it does not seem to reach are either laptops on WiFi or they are a bit far away (physically) with two or three switches between. The tool just says “no response.” I have to run them on those machines to run the tool. One machine, a laptop running Win 7 Pro, still won’t provide anything other than “no response.” Weird. Perhaps the tool is timing out too quickly?
2. Regarding SMB v1 disabling, there’s the server side and the workstation side. I initially incorrectly did the workstation side on W7 computers so that only the server side was disabled, but that was enough for the tool to declare that SMB v1 was disabled. Is it only checking the server side?
Thanks,
Mike
Hi Mike,
Thanks for the feedback.
As for timing out too quickly – there are some rare cases of (super) slow networks, which Eternal Blues timed out before getting a response. I’ve just increased the timeout with version 0.0.0.9. If you still think there are issues, please contact through email so we can pinpoint the problem.
As for disabling the SMBv1 server side – you actually did the right thing. ETERNALBLUE exploits the server side – cases where a host has the SMB port opened and it is listening (and accepting) SMBv1 messages from remote clients. Once again, you did the right thing.
Great tool, helped me analyze my network and shut down SMBv1 on all devices which don’t need it, thanks!
FYI, it was interesting how it interacted with Symantec Endpoint Protection on our workstations. I first had to disable Symantec on mine (the workstation I was running the scan tool from), then the ones that still had SMBv1 enabled, even though they were patched with the Microsoft patch, Symantec popped up on them that there was a MS17-010 vulnerability scan attack taking place and blocked my workstation from connecting to those workstations for 600 seconds (the default value for Symantec). So if I understand that behavior correctly Symantec should be able to protect my network from SMBv1-based attacks. But better to disable it entirely! 😉
Thanks for sharing 🙂
Well, I wouldn’t say Symantec protects you from (all) SMBv1-based attacks. It definitely does the job for EternalBlue-based attacks. The best will be just to disable SMBv1 completely.
Hi, please show the current version of your tool on this home page, thanks!
I think it is now the 0.9 one... am I wrong..?
cheers!
🙂
Hi Sara,
You’re right. All versions are listed here.
Besides, each time you launch Eternal Blues, you will see an update notification in case one exists.
Cheers! 😉
Thanks!
..I see lots of versions in a month… June-July..
Then since 25 July no new version.. why…?
And Avira tells about a trojan dropper virus even when I click your linked versions’ page..
And of course also if I download your tool..
Why…??
cheers!
There are no new updates since the tool does its job well and all known bugs got fixed. Most of the feature requests were delivered a long time ago.
As for Avira – according to Virus Total scan from moments ago – it appears clean. Please email me your Avira version and exact user flow so I’ll report them (once again).
10x!
Wondering if there’s a bug in the tool or in Synology’s firmware. On my Synology NAS devices I have disabled SMB1 and set SMB2 at the minimum. Synology tech support verified this on the latest firmware. But EternalBlues scanner still shows it as responding to SMB1. Could there be a bug in the tool? Or perhaps somehow they still initially respond to SMB1 but don’t process the data? What results have you seen on non-Microsoft embedded devices? Screenshot: https://imgur.com/a/vGl0Y
Actually Michael Horowitz (@defensivecomput) asked me the same question. Eventually he contacted them and got the answer (thanks Michael!).
Michael:
Synology:
I haven’t tested it myself, but I’m pretty sure the issue is not with my scanner. Anyway, if you’re willing to verify this, I’ll be more than happy to assist. Just record the traffic (e.g. Wireshark) and email me the pcap file so I can verify this.
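Verifying a capture like the one requested above, or confirming the STATUS_INSUFF_SERVER_RESOURCES status named in the earlier "Tech guys" reply, comes down to reading the header of the server's reply on TCP/445. The following is an added example, not Eternal Blues code and not from the author: it classifies reply payloads already extracted from a capture. The function names and the sample messages are constructed for illustration.

```python
import struct

# NTSTATUS values from the public Windows status-code list.
NT_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000008: "STATUS_INVALID_HANDLE",
             0xC0000022: "STATUS_ACCESS_DENIED",
             0xC0000205: "STATUS_INSUFF_SERVER_RESOURCES"}
SMB1_COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX",
                 0x75: "TREE_CONNECT_ANDX", 0x25: "TRANSACTION"}

def classify_smb_response(tcp_payload: bytes) -> dict:
    """Describe one server-to-client message captured on TCP/445."""
    # Session header: type 0x00, then a 24-bit big-endian message length.
    length = int.from_bytes(tcp_payload[1:4], "big")
    msg = tcp_payload[4:4 + length]
    if tcp_payload[:1] != b"\x00" or len(msg) < length:
        return {"protocol": "unknown"}  # not a session message, or cut short
    if msg[:4] == b"\xfeSMB" and len(msg) >= 64:
        # SMB2 header: Status at offset 8, Command at offset 12.
        status, command = struct.unpack_from("<IH", msg, 8)
        return {"protocol": "SMB2", "command": command,
                "status": NT_STATUS.get(status, hex(status))}
    if msg[:4] != b"\xffSMB" or len(msg) < 32:
        return {"protocol": "unknown"}
    command, status = struct.unpack_from("<BI", msg, 4)
    info = {"protocol": "SMB1",
            "command": SMB1_COMMANDS.get(command, hex(command)),
            "status": NT_STATUS.get(status, hex(status))}
    if command == 0x72 and len(msg) >= 35:
        # WordCount is at offset 32, DialectIndex at 33. 0xFFFF means the
        # server answered in SMB1 framing but accepted none of the dialects.
        dialect_index = struct.unpack_from("<H", msg, 33)[0]
        info["smb1_accepted"] = status == 0 and dialect_index != 0xFFFF
    if command == 0x25:
        # The status the tool's author says the check looks for.
        info["scanner_status_seen"] = status == 0xC0000205
    return info

def frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_msg(command: int, status: int, body: bytes) -> bytes:
    header = b"\xffSMB" + struct.pack("<BI", command, status) + bytes(23)
    return frame(header + body)

# Constructed sample messages (not taken from any real capture).
SAMPLES = {
    "smb1_negotiate_ok": smb1_msg(0x72, 0, b"\x11\x00\x00" + bytes(34)),
    "smb1_no_dialect": smb1_msg(0x72, 0, b"\x01\xff\xff\x00\x00"),
    "trans_reply": smb1_msg(0x25, 0xC0000205, b"\x00\x00\x00"),
    "smb2_negotiate": frame(b"\xfeSMB\x40\x00" + bytes(58)),
}

for name, payload in SAMPLES.items():
    print(name, classify_smb_response(payload))
```

A negotiate reply that arrives in SMB1 framing with `smb1_accepted` false is the case to look for when a device is configured for SMB2 as the minimum yet still appears to answer SMB1.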