Blog

SMB Vulnerability MS17-010 NSE – Script to detect MS17-010 (WannaCry Ransomware)

Posted on by jeff

This is taken from the nmap seclist page.  A script for nmap has been written that should allow you to scan your network to determine if its vulnerable.  It may not be perfect but I am sure it will help someone out there.

http://seclists.org/nmap-dev/2017/q2/79
Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as 
expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 
authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse 
description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms2017-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
]]



Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com

WannaCrypt Ransomware Part 2

Posted on by jeff

It seems the initial wave has been stopped by Researchers, and then we had another one as detailed in the link below.

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

More good information and I suggest reading through it all if you have not done so already.  This is a bad weekend for business and infrastructure that is using older systems, but its been a good weekend for the infosec community in coming together and helping and sharing alot of good information with each other.

 

There is a tool you can run on a host that will stop the ransomware from encrypting your machine, however it will still attempt to spread over your network.

Download Here

 

 

wcrypt activity map

 

WannaCrypt Ransomware

Posted on by jeff

In what has been big news over the past 24 hours.  Especially here in the UK is that the NHS has been hit with a large ransomware attack.

http://www.bbc.co.uk/news/technology-39901382

http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

This is a pretty good write up of what was known at the time.

There have been easy fixes for this available for the past 2 months and it was just a matter of time until the tools that were developed by our American Friends, that they would be used against the general public.

Hopefully this is lessons learned for many organisations, and they realise that patching and running fairly up to date operating systems is important and not just something to achieve compliance.

Few more articles that contain good information about these events.

https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

 

Also of note.

wannadecrypt

 

If you use intitle:”index of” “@WanaDecryptor@.exe” as a search on google, at the time of this update there are 67 results.

Not a good weekend for the world of IT admins.

The github link referenced below is being kept up today and contains some very good and useful information.

 

 

Protecting customers and evaluating risk – Microsoft

Posted on by jeff

In what feels like perfect timing from Microsoft, it seems they had already released patches for some if not all of the exploits released these past few days by the file dump by the ShadowBrokers.

 

Code Name Solution
EternalBlue Addressed by MS17-010
EmeraldThread Addressed by MS10-061
EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” Addressed prior to the release of Windows Vista
EsikmoRoll Addressed by MS14-068
EternalRomance Addressed by MS17-010
EducatedScholar Addressed by MS09-050
EternalSynergy Addressed by MS17-010
EclipsedWing Addressed by MS08-067

 

This has been taken straight from the Microsoft Blog.

Regardless how this happens does not matter, it is just good to know that most if not all of these issues released are patched.

***On 17th April, we have a news article on the BBC that actually covers this story by Microsoft

http://www.bbc.co.uk/news/technology-39620534

It is good to see that we are getting better as an industry to fix and patch these exploits.

 

 

NSA Tools in the Wild

Posted on by jeff

Further apparent NSA tools have been released and this time there is alot more information contained with the files.  This tool in particular looks quite similar to metasploit.

@hackerfantastic have been investigating these tools and posting their findings, I believe there are going to be fun times in the next week or so!

EQGRP-Auction-Files Password Released.

Posted on by jeff

The ShadowBrokers have released the password for the EQGRP files.

There is a repository on github that has downloaded and starting to delve deeper into the contents of these files.

https://github.com/x0rz/EQGRP

These list various exploits, I’ve not had the chance to look through much of these yet, but over the next few days, I will be having a read and a play around with these files to see what things can be learnt from them.

The password for the original file leak is – CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN

Currently you can download the files from here.

Now that these have been released, the patches for many of these exploits should follow – if not so already patched.