Last week the whole world, and especially the information security community, has been buzzing around the massive ransomware attacks that infected thousands of computers in hundreds of countries.
But how did all started? Many of you know the story, but let’s summarize it once again:
NSA had developed some secret exploits that took advantage of zero-day vulnerabilities in Windows machines. Among these exploits, ETERNALBLUE was used to take over Windows machines (via an SMB vulnerability) by uploading a backdoor tool called DOUBLEPULSAR.
A hacking group, called “the Shadow Brokers”, stole the NSA exploits and started leaking some of them to the Internet.
Hackers took advantage of the SMB vulnerability and using the ETERNALBLUE exploit they crafted an attack which uploads Ransomware malware to unpatched systems.
So basically instead of uploading the DOUBLEPULSAR backdoor, the recent attack uploads malicious Ransomware code to Windows machines taking advantage of the SMB MS17-010 vulnerability.
The most devastating effect of this Ransomware attack is that it’s capable to propagate to other vulnerable systems in the network (“worm” type). Also, it encrypts all files of the local machine and asks for ransom in order to unlock the files.
Traditional Ransomwares infect a system and stay on the system without propagating. However, the latest attack tries to spread itself to the whole network.
How to Protect your Network and Systems
There must be two conditions for the vulnerability to be exploited:
1) Vulnerable machine (unpatched).
2) Accessible SMB port 445.
The first priority of course is to patch all Windows machines in your network for the MS17-010 weakness.
Microsoft issued updates for this vulnerability from March 2017 and even for unsupported OS versions (such as WinXP and Server2003).
If for any reason you can’t update your systems, the second priority is to block port 445 (either on the local Windows firewall or on your network firewall).
A big mistake ofcourse is to have SMB port 445 exposed on the Internet. This increases the attack surface tremendously.
How to Quickly Scan your Network for MS17-010
There are several ways to scan your Windows machines, using both free and paid tools and scripts.
I have used three different methods to scan our company networks:
- Using a Metasploit scanner plugin. (free)
- Using an NSE NMAP script. (free)
- Using a NESSUS scan (paid tool).
The quickest and easiest option is the NMAP script which I will describe first:
Scan for MS17-010 with NMAP
Step 1: First download and install Nmap if you don’t have it already (works both on Windows and Linux machines).
Step 2: Download this NSE script from Github which scans for the specific vulnerability.
Step 3: Save the script above in the “scripts” folders of the Nmap installation.
- For Windows: C:\Program Files (x86)\Nmap\scripts
- For Linux: /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
Step 4: Scan your network
Assuming the NSE script filename you have downloaded above is :
And the network subnet you want to scan is 192.168.10.0/24
Then run the following nmap command:
The command above will scan the whole Class C network 192.168.10.0/24 on port 445 for the SMB vulnerability and will write the results in file “output.txt”
Here is the message you will get if the tool finds a vulnerable machine:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-17 13:18 Central Daylight Time
Nmap scan report for 192.168.10.17
Host is up (0.014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
Scan for MS17-010 with Metasploit Scanner
This is also a great method to scan your network but requires that you have Metasploit installed (for example on a Linux machine, KALI distribution etc).
You need to use the following scan module:
Step 1: Start metasploit
Step 2: Use the specific scanner module above as shown below
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.10.0/24
msf auxiliary(smb_ms17_010) > set THREATS 10
msf auxiliary(smb_ms17_010) > run
The advantage of using the Metasploit method above is that the specific scanner module will identify vulnerable machines for MS17-010 and if the machine is vulnerable it will go a step further and check to see if the DOUBLEPULSAR backdoor is also installed on the machine.
So, go ahead and start scanning and patching immediately !!