Detecting MS17-010 EternalBlue or DoublePulsar (WannaCry/NotPetya etc.)

Commercial in Confidence

Document Control

Version

Author: John King
Version: 1.1
Date Created: 5/7/2017
Date Last Edited: 6/7/2017

Organisations

Name: Thinking (2014) Limited
Abbreviation Used: THINKING

Author

Name: John King
Email: [email protected]
Organisation: THINKING

Change Control

Date       Version  Contributor  Changes
5/7/2017   1.0      John King    Create and release
6/7/2017   1.1      John King    Add FW notes

External References

Document Name   Author   Location
-               -        www.nmap.org

This document details a statement of work to be conducted and an estimated amount of time and costs associated with the statement of work.

Table of Contents

1. Executive Summary
2. Process
3. Double Pulsar


1. Executive Summary

A quick write-up showing how to detect the MS17-010 vulnerability using NMAP and how to format the report into readable HTML.

This document assumes the reader has some technical ability with Linux.

Please note that to scan remote or protected hosts or subnets you will need to ensure any firewalls in the path allow TCP 445 and ICMP to reach the destination. Additionally, any IPS configured must not block the SMBv1 EternalBlue checks.


2. Process

Deploy KALI

Download KALI and deploy as per the instructions on the KALI web site. https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

This is the link to the virtual images; you can deploy to numerous platforms to suit your requirements. You could also simply install NMAP on any number of platforms instead; however, KALI has the advantage that all the other tools used in this document are installed and ready to go, with a comprehensive update method.

If you decide to install NMAP yourself you will need version 7.4 or better.


Set up SSH Access to KALI

Deploy the SSH server if it's not already installed:

apt-get install openssh-server

Configure SSH to run:

update-rc.d -f ssh remove
update-rc.d -f ssh defaults

Back up the default SSH keys:

cd /etc/ssh/
mkdir default-keys
mv ssh_host_* default-keys/

Generate new SSH keys:

dpkg-reconfigure openssh-server

Allow root access to KALI over SSH. Edit the config file (nano /etc/ssh/sshd_config) and change the line

PermitRootLogin without-password

to

PermitRootLogin yes

No dialogue will be entered into as to the security of this setup; it's a temporary deployment, treat it as such.

Restart SSH:

service ssh restart

Make SSH start after reboot:

update-rc.d -f ssh enable 2 3 4 5

Log in and you should be good to go.


Update KALI

Check the KALI release:

lsb_release -a

Update the package lists:

apt-get update

Upgrade the KALI tools:

apt-get upgrade

Upgrade the KALI O/S:

apt-get dist-upgrade


Scan for MS17-010

Install the NMAP script smb-vuln-ms17-010.nse on KALI:

cd /usr/share/nmap/scripts
wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse

Create a shell script to utilise this NMAP script. Use NANO/VIM/VI or whatever your favourite editor is to create a script containing these two lines:

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse "your ip or subnet to scan" -oX "output xml file".xml
xsltproc "output xml file".xml -o "output html file".html

Once created, make the script executable:

chmod +x "name of script".sh

Run the script:

./"name of script".sh

Obviously, omit the double quotes and replace the placeholders with the parameters you require. xsltproc reformats the XML output from NMAP into an easy-to-read HTML file.

The script will throw up a nice big vulnerability message associated with the host IP address if it finds the SMBv1 EternalBlue vulnerability.


3. Double Pulsar

You can also scan for DoublePulsar by downloading the following NMAP script and applying the same process as above: https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

Install the NMAP script smb-double-pulsar-backdoor.nse on KALI:

cd /usr/share/nmap/scripts
wget https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse

The script will throw up a nice big vulnerability message associated with the host IP address if it finds the SMBv1 DoublePulsar backdoor.
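The Python script below is an added example, not the author's shell script. It runs the same nmap command line as the two sections above with both NSE scripts at once, performs the same xsltproc conversion, and then parses the -oX XML so the flagged hosts can be listed without reading the HTML report. The embedded XML sample is constructed to match the layout nmap writes for scripts that use its vulns library (a table per finding with a "state" element); the table keys, output text and 192.0.2.x documentation addresses are illustrative, not real scan data. It assumes nmap and xsltproc are on the PATH and that both .nse files have been installed as described.

```python
"""Added example (not the document's script): run the MS17-010 / DoublePulsar
nmap checks and summarise the -oX XML.  Layout assumed: nmap's vulns library
writes <script id=...> -> <table key=vuln-id> -> <elem key="state">."""
import subprocess
import sys
import xml.etree.ElementTree as ET

# the two NSE scripts the document installs under /usr/share/nmap/scripts
SCRIPTS = ("smb-vuln-ms17-010", "smb-double-pulsar-backdoor")


def build_nmap_cmd(target, xml_out):
    """Argument vector for the scan as the document runs it, both scripts at once."""
    return ["nmap", "-sC", "-p445", "--open", "--max-hostgroup", "3",
            "--script", ",".join(SCRIPTS), "-oX", xml_out, target]


def is_vulnerable(state):
    """vulns states are VULNERABLE, VULNERABLE (Exploitable), LIKELY VULNERABLE,
    NOT VULNERABLE or UNKNOWN (unable to test); only the first three count."""
    s = state.upper()
    return s.startswith("VULNERABLE") or s.startswith("LIKELY VULNERABLE")


def parse_results(xml_text):
    """Return [(ip, script_id, state)] for every result of the two scripts."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):  # covers <hostscript> and <port> scripts
            sid = script.get("id", "")
            if sid not in SCRIPTS:
                continue
            state = next(((e.text or "").strip() for e in script.iter("elem")
                          if e.get("key") == "state"), None)
            if state is None:  # no structured table: fall back to the free text
                out = script.get("output", "")
                state = ("NOT VULNERABLE" if "NOT VULNERABLE" in out
                         else "VULNERABLE" if "VULNERABLE" in out else "UNKNOWN")
            findings.append((addr.get("addr"), sid, state))
    return findings


def vulnerable_hosts(findings):
    """Sorted, de-duplicated hosts with at least one vulnerable state."""
    return sorted({ip for ip, _, state in findings if is_vulnerable(state)})


# Constructed sample of nmap -oX output for four hosts (not a real scan;
# table keys and output text are illustrative).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE: ...">
      <table key="CVE-2017-0143">
        <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
        <elem key="state">VULNERABLE</elem>
      </table></script></hostscript></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE: ...">
      <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
    </script></hostscript></host>
  <host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/>
    <hostscript><script id="smb-double-pulsar-backdoor" output="VULNERABLE: Double Pulsar SMB backdoor">
      <table key="Double Pulsar"><elem key="state">VULNERABLE (Exploitable)</elem></table>
    </script></hostscript></host>
  <host><status state="up"/><address addr="192.0.2.40" addrtype="ipv4"/>
    <hostscript><script id="smb-vuln-ms17-010" output="UNKNOWN (unable to test): ..."/></hostscript></host>
</nmaprun>
"""


def main(argv):
    """Usage: ms17010_scan.py <ip-or-subnet> <output-basename>"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    target, base = argv[1], argv[2]
    subprocess.run(build_nmap_cmd(target, base + ".xml"), check=True)
    # same HTML conversion as the document's shell script
    subprocess.run(["xsltproc", base + ".xml", "-o", base + ".html"], check=True)
    with open(base + ".xml", encoding="utf-8") as fh:
        findings = parse_results(fh.read())
    for ip, sid, state in findings:
        print(f"{ip:<16} {sid:<28} {state}")
    print("flagged hosts:", ", ".join(vulnerable_hosts(findings)) or "none")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the KALI host as `python3 ms17010_scan.py 192.0.2.0/24 scan`; it writes scan.xml and scan.html exactly as the shell script does and then prints one line per script result. Hosts for which a check returns UNKNOWN or NOT VULNERABLE are listed but not counted as flagged, which is the distinction the HTML report leaves you to make by eye.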
