
How to Scan your Network for MS17-010 SMB Eternalblue Vulnerability

Written By Harris Andrea

Last week the whole world, and especially the information security community, was buzzing about the massive ransomware outbreak (WannaCry) that infected more than 200,000 computers in over 150 countries.

But how did it all start? Many of you know the story, but let’s summarize it once more:

The NSA had developed secret exploits for Windows vulnerabilities that were unknown to Microsoft at the time. Among them, ETERNALBLUE exploited a flaw in the SMBv1 server to take control of Windows machines, after which a kernel-mode backdoor called DOUBLEPULSAR was typically installed on the compromised host.

A group calling itself “the Shadow Brokers” obtained the NSA exploits and started leaking them on the Internet. The leak containing ETERNALBLUE came in April 2017, a month after Microsoft had already fixed the flaw with the MS17-010 update.

Attackers then combined the ETERNALBLUE exploit with a ransomware payload, producing an attack that compromises any unpatched system with SMB exposed and drops ransomware on it.

In other words, the recent attack uses the same SMB flaw (MS17-010), but the payload delivered to the compromised Windows machine is ransomware rather than just a backdoor.

The most devastating property of this ransomware is that it propagates on its own to other vulnerable systems on the network (it is a worm). On each machine it infects, it encrypts the files on the local disk and demands a ransom to unlock them.

Traditional ransomware infects a system and stays there without propagating; this attack actively tries to spread itself across the whole network.

Table of Contents

  • How to Protect your Network and Systems
  • How to Quickly Scan your Network for MS17-010
    • Scan for MS17-010 with NMAP
    • Scan for MS17-010 with Metasploit Scanner

How to Protect your Network and Systems

Two conditions must both hold for the vulnerability to be exploited:

1) The machine is vulnerable (unpatched, with the SMBv1 protocol enabled).
2) The SMB port, TCP 445, is reachable by the attacker. Note that SMB can also be reached over the NetBIOS session service on TCP 139, so treat that port the same way.

The first priority, of course, is to install the MS17-010 update on all Windows machines in your network.

Microsoft released the fix in March 2017 (security bulletin MS17-010) and, after the outbreak, unusually also published patches for unsupported versions such as Windows XP and Server 2003.

If for any reason you cannot patch a system, the second priority is to block TCP ports 445 and 139 to it (either on the local Windows Firewall or on your network firewall) and to disable the SMBv1 protocol, which is the only SMB dialect affected by this flaw.

A big mistake, of course, is to have SMB port 445 exposed to the Internet. This increases the attack surface tremendously, and the worm also scans random Internet addresses looking for exactly that.

How to Quickly Scan your Network for MS17-010

There are several ways to scan your Windows machines, using both free and paid tools and scripts.

I have used three different methods to scan our company networks:

  1. Using a Metasploit scanner module (free).
  2. Using an Nmap NSE script (free).
  3. Using a Nessus scan (paid tool).

The quickest and easiest option is the NMAP script which I will describe first:

Scan for MS17-010 with NMAP

Step 1: Download and install Nmap if you don’t have it already (it runs on both Windows and Linux).

Step 2: Download the smb-vuln-ms17-010 NSE script from GitHub. Nmap 7.50 (June 2017) and later ship this script by default (it is documented at https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html), so if you have a recent Nmap you can skip steps 2 and 3.

Step 3: Save the script in the “scripts” folder of your Nmap installation (optionally run nmap --script-updatedb afterwards to refresh the script index).

  • For Windows: C:\Program Files (x86)\Nmap\scripts
  • For Linux: /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/

Step 4: Scan your network

Assuming the NSE script filename you have downloaded above is :

smb-vuln-ms17-010.nse

And the network subnet you want to scan is 192.168.10.0/24

Then run the following nmap command:

nmap -Pn -p445 --script smb-vuln-ms17-010 192.168.10.0/24 -oN output.txt

The command above scans the whole /24 subnet 192.168.10.0/24 on port 445 for the SMB vulnerability and writes the results to the file “output.txt”. Note that --script takes two consecutive dashes, and that -Pn skips host discovery, so Windows machines that drop ICMP echo requests are still scanned.

Here is the message you will get if the tool finds a vulnerable machine:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-17 13:18 Central Daylight Time
Nmap scan report for 192.168.10.17
Host is up (0.014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
 
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
[OUTPUT OMITTED]
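On a larger network you will not want to read the report by hand. The following is an added example (my own shell wrapper, not code from the original article) that runs the scan above against both SMB ports and then extracts only the IPs whose script result says “State: VULNERABLE” from the -oN report. It assumes the smb-vuln-ms17-010 script is available to Nmap (bundled, or copied into the scripts folder as described above); the embedded sample report is constructed for the demonstration and modelled on the output shown above, and the SUBNET variable is my own convention.

```shell
#!/bin/sh
# Added example, not from the original article: run the MS17-010 Nmap scan
# and pull the vulnerable hosts out of the normal-format (-oN) report.
# Assumes smb-vuln-ms17-010.nse is available to Nmap (bundled since 7.50,
# or copied into the scripts folder as described above).

# Scan a subnet on both SMB transports and write a normal-format report.
# Usage: scan_subnet 192.168.10.0/24 ms17-010.txt
scan_subnet() {
  subnet="$1"
  report="$2"
  # -Pn: do not skip hosts that drop ICMP echo; 139 covers SMB over NetBIOS.
  nmap -Pn -p445,139 --script smb-vuln-ms17-010 "$subnet" -oN "$report"
}

# Print one IP per line for every host whose smb-vuln-ms17-010 block reports
# "State: VULNERABLE". Works for both "report for 10.0.0.5" and
# "report for host.example (10.0.0.5)" header forms.
vulnerable_hosts() {
  awk '
    /^Nmap scan report for / {
      host = $NF                      # last field: the IP, maybe in parentheses
      gsub(/[()]/, "", host)
      in_script = 0
    }
    index($0, "smb-vuln-ms17-010:") > 0 { in_script = 1 }
    in_script && /State: VULNERABLE/ { print host; in_script = 0 }
  ' "$1"
}

# Constructed sample report (modelled on the article output) so the parser can
# be exercised offline: .17 and .19 are vulnerable, .18 (hostname form) is not.
SAMPLE_REPORT="$(mktemp)"
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
Nmap scan report for 192.168.10.17
Host is up (0.014s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH

Nmap scan report for fileserver.example (192.168.10.18)
Host is up (0.010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   NOT VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: NOT VULNERABLE

Nmap scan report for dc01.example (192.168.10.19)
Host is up (0.020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH
EOF

# Demo on the constructed report; only touch the network when SUBNET is set.
vulnerable_hosts "$SAMPLE_REPORT"   # prints 192.168.10.17 and 192.168.10.19
if [ -n "${SUBNET:-}" ]; then
  scan_subnet "$SUBNET" ms17-010.txt && vulnerable_hosts ms17-010.txt
fi
```

Run it as SUBNET=192.168.10.0/24 sh scan-ms17-010.sh to scan for real; the resulting list of IPs is what you hand to the patching team. The parser keys on the “State: VULNERABLE” line rather than on the word VULNERABLE alone, so hosts reported as “NOT VULNERABLE” (which appear if you add --script-args vulns.showall) are not mistakenly included.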
 

Scan for MS17-010 with Metasploit Scanner

This is also a great method, but it requires that you have Metasploit installed (for example on a Kali Linux machine).

You need to use the following scan module:

auxiliary/scanner/smb/smb_ms17_010

Step 1: Start metasploit

Step 2: Use the specific scanner module above as shown below

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.10.0/24
msf auxiliary(smb_ms17_010) > set THREADS 10
msf auxiliary(smb_ms17_010) > run

The advantage of the Metasploit module is that, besides identifying machines vulnerable to MS17-010, it goes a step further and checks whether the DOUBLEPULSAR backdoor is already installed on them.

So go ahead and start scanning and patching immediately!

Filed Under: Network Security

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Anastasios says

    May 22, 2017 at 12:32 pm

    Very good article. Once again thank you for your good work Harris.

  2. Harris Andrea says

    May 22, 2017 at 1:12 pm

    Thanks Anastasios

  3. woodlander says

    May 23, 2017 at 1:55 am

    Very good information. Thank you.

  4. Harris Andrea says

    May 23, 2017 at 4:35 am

    Thank you

  5. maddy says

    May 23, 2017 at 12:55 pm

    Dear sir, I tried to scan my network through nmap: I copied the vulnerable SMB code to Notepad, changed the extension to .nse and copied it to the script folder. Although I have a ransomware-infected computer, it didn’t work for me; thanks to Symantec Endpoint Protection, it caught the infected system. Can you please suggest something I am missing?

    i execute the following code:

    nmap -Pn -p445 --script test 172.172.0.0/24 -oN output.txt

  6. Harris Andrea says

    May 23, 2017 at 2:46 pm

    Make sure the “script” option has two consecutive dashes (--script). What error do you get?

  7. Cliff says

    June 3, 2017 at 1:12 pm

    Actual command is: nmap -p445 --script smb-vuln-ms17-010

  8. Harris Andrea says

    June 3, 2017 at 4:14 pm

    Cliff,

    Yes, there are two consecutive dashes (--) in the “script” option.

  9. Aerial says

    June 30, 2020 at 6:28 am

    I’m getting this

    Failed to resolve “smb-vuln-ms17-010”.

    Is it because the link inside the script is dead?

    — https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    If you go there, it redirects to

    https://www.microsoft.com/en-us/msrc?rtc=1

    Can’t use Zenmap with this script anymore?

  10. Harris Andrea says

    June 30, 2020 at 10:42 am

    Nmap now includes a built-in script for MS17-010 (https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html). If you install the latest Nmap it will have it (you don’t need to get the script from GitHub).
