This Blog is a supplement to my website. Please also visit: www.DavidCocke.com

Saturday, May 20, 2017

Detecting Machines Vulnerable to Eternal Blue (WannaCry)

May 20, 2017

Background
After the recent WannaCry Ransomware scare, we needed a reliable way to scan our customer's networks to show which Windows machines are still vulnerable.

As you may know, the WannaCry Ransomware spreads by taking advantage of a stolen/leaked NSA cyber-weapon known as Eternal Blue.  EternalBlue takes advantage of a flaw in the Windows implementation of SMBv1.  We’ve already had reports that other variants of WannaCry are appearing, and they too are taking advantage of the Eternal Blue SMB vulnerability.  One of the notable variants is called BlueDoom.

First of all, I cannot take credit for the concept of this scanning method, nor the Nmap script used to perform this vulnerability scan.

This article was helpful to me:
https://www.secarma.co.uk/wannacry-worlds-first-global-ransomware-attack/

After trying multiple types of Nmap scripts, I can say this was one that actually worked:
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

Using this method, we found a variety of vulnerable machines including Windows XP, Windows 7, and Windows Server 2012 R2.  The most interesting device we found was an X-Ray Film printer that uses Microsoft Windows 2000 as its operating system.  Before the scan, we had no idea the printer ran on any Windows OS.

How to Scan
Download the latest version of Nmap here (We like ZenMap):
https://nmap.org/zenmap/

Given the connection limit of Windows workstation operating systems, we recommend that you do your scans from a Windows Server OS.

Save the Nmap script found here:
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

To a text file named: smb-vuln-ms17-010.nse
Then copy the smb-vuln-ms17-010.nse file to this folder: 
C:\Program Files (x86)\Nmap\scripts

Execute your Nmap scans from a CMD prompt.

Example of scanning a single Host IP and seeing the results on the screen:
nmap -p 445 -script=./smb-vuln-ms17-010.nse 192.168.10.14

Example of scanning an entire subnet and piping the results to a text file:
nmap -p 445 -script=./smb-vuln-ms17-010.nse 192.168.10.1-255 >>c:\temp\wannacry.txt

We recommend using Notepad++ to view the file, but whichever text editor you use, search for the word "Vulnerable" to see if the scan discovered any vulnerable machines.




3 comments:

  1. Hey David! Thanks for the excellent post. Can you advise what steps should be taken when a vulnerable device is found on the network?

    Thanks!

    Adam

    ReplyDelete
    Replies
    1. Either patch it with the appropriate Microsoft Patch (preferred) or disable SMBv1.

      Delete