Detecting MS17-010 EternalBlue or DoublePulsar (WannaCry/Petya/NotPetya etc.)
Commercial in Confidence
Document Control
Version
  Author: John King
  Version: 1.1
  Date Created: 5/7/2017
  Date Last Edited: 6/7/2017
Organisations
  Name: Thinking (2014) Limited
  Abbreviation Used: THINKING
Author
  Name: John King
  Email: [email protected]
  Organisation: THINKING
Change Control
  Date       Version  Contributor  Changes
  5/7/2017   1.0      John King    Create and release
  6/7/2017   1.1      John King    Add FW notes
External References
  Location: www.nmap.org
This document details a statement of work to be conducted and an estimated amount of time and costs associated with the statement of work.
Table of Contents
1. Executive Summary ...... 4
2. Process ...... 5
3. Double Pulsar ...... 9
1. Executive Summary
A quick write-up showing how to detect the MS17-010 vulnerability using NMAP and how to format the report into readable HTML.
This document assumes the reader has some technical ability with Linux.
Please note that to scan remote or protected hosts or subnets you will need to ensure any firewalls in the path allow TCP port 445 and ICMP to reach the destination. Additionally, any IPS in the path must not block the SMBv1 EternalBlue checks, otherwise the scan cannot reach the hosts and will report nothing.
2. Process
Deploy KALI
Download KALI and deploy it as per the instructions on the KALI web site: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
This is the link to the virtual images; you can deploy to numerous platforms to suit your requirements. You could also simply install NMAP on any platform instead; however, KALI has the advantage that all the other tools used in this document are installed and ready to go, with a comprehensive update method.
If you decide to install NMAP yourself you will need version 7.4 or better.
Set up SSH Access to KALI
Deploy the SSH server if it is not already installed:
  apt-get install openssh-server
Configure the SSH service run levels:
  update-rc.d -f ssh remove
  update-rc.d -f ssh defaults
Back up the default SSH host keys:
  cd /etc/ssh/
  mkdir default-keys
  mv ssh_host_* default-keys/
Generate new SSH host keys:
  dpkg-reconfigure openssh-server
Allow root access to KALI over SSH
Edit /etc/ssh/sshd_config (nano /etc/ssh/sshd_config) and change the line
  PermitRootLogin without-password
to
  PermitRootLogin yes
No dialogue will be entered into as to the security of this setup; it is a temporary deployment, treat it as such.
Restart SSH:
  service ssh restart
Enable SSH so that it starts after reboot:
  update-rc.d -f ssh enable 2 3 4 5
Log in and you should be good to go.
Update KALI
Check the KALI release:
  lsb_release -a
Update the package lists:
  apt-get update
Upgrade the KALI tools:
  apt-get upgrade
Upgrade the KALI O/S:
  apt-get dist-upgrade
Scan for MS17-010
Install the NMAP script smb-vuln-ms17-010.nse on KALI:
  cd /usr/share/nmap/scripts
  wget https://svn.nmap.org/nmap/scripts/smb-vuln-ms17-010.nse
Create a shell script to utilise this NMAP script
Use NANO/VIM/VI or whatever your favourite editor is to create this:
  #!/bin/bash
  nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse "your ip or subnet to scan" -oX "output xml file".xml
  xsltproc "output xml file".xml -o "output html file".html
Once created, make the script executable:
  chmod +x "name of script".sh
Run the script:
  ./"name of script".sh
Obviously, omit the double quotes and replace the quoted text with the parameters you require. xsltproc reformats the XML output from NMAP into an easy to read HTML file.
The script will throw up a nice big vulnerability message associated with the host IP address if it finds the SMBv1 EternalBlue vulnerability.
3. Double Pulsar
You can also scan for Double Pulsar by downloading the following NMAP script and applying the same process as above: https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse
Install the NMAP script smb-double-pulsar-backdoor.nse on KALI:
  cd /usr/share/nmap/scripts
  wget https://svn.nmap.org/nmap/scripts/smb-double-pulsar-backdoor.nse
The script will throw up a nice big vulnerability message associated with the host IP address if it finds the DoublePulsar SMB backdoor.
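As an added example, not part of the original document or of NMAP itself, the Python script below reads the XML written by the -oX option from the scans in sections 2 and 3 and lists, per host, the state reported by smb-vuln-ms17-010 and smb-double-pulsar-backdoor, so a subnet scan can be triaged without opening the HTML report. The embedded sample XML is constructed (the addresses and the "dp" table key are invented) and its layout is modelled on the nmap vulns-library output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, not a real scan: host .10 is flagged by
# smb-vuln-ms17-010, .11 by smb-double-pulsar-backdoor, .12 gave no result. The
# <table>/<elem key="state"> layout is modelled on the nmap vulns library.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.40">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="VULNERABLE">
   <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
  <script id="smb-double-pulsar-backdoor" output="NOT VULNERABLE">
   <table key="dp"><elem key="state">NOT VULNERABLE</elem></table></script>
 </port></ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
   <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table></script>
  <script id="smb-double-pulsar-backdoor" output="VULNERABLE">
   <table key="dp"><elem key="state">VULNERABLE</elem></table></script>
 </port></ports></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/>
  <script id="smb-vuln-ms17-010" output="Could not connect to IPC$"/>
 </port></ports></host>
</nmaprun>"""

SMB_SCRIPTS = ("smb-vuln-ms17-010", "smb-double-pulsar-backdoor")

def findings(xml_text):
    """(ip, script_id, state) per SMB check on tcp/445; state is the nmap vulns
    string, or 'NO RESULT' if the script ran but produced no state table."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.findall("ports/port[@portid='445']/script"):
            if script.get("id") in SMB_SCRIPTS:
                states = script.findall("table/elem[@key='state']")
                state = states[0].text.strip() if states else "NO RESULT"
                rows.append((addr.get("addr"), script.get("id"), state))
    return rows

def vulnerable(xml_text):
    """Map script id -> sorted IPs reported as some flavour of VULNERABLE."""
    hits = {}
    for ip, sid, state in findings(xml_text):
        if "VULNERABLE" in state and not state.startswith("NOT"):
            hits.setdefault(sid, set()).add(ip)
    return {sid: sorted(ips) for sid, ips in hits.items()}
```

Hosts that come back as NO RESULT (for example where the SMB session was refused or filtered) are not clean, only untested, and should be re-checked once the firewall and IPS notes in the Executive Summary have been applied.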