Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

W32 Wannacry €? How To Disable SMB v1

11 views
Skip to first unread message

Dede Demart

unread,
Dec 2, 2023, 5:08:03 AM12/2/23
to
Title: WannaCry Ransomware Impacts
SBS Presenter: Chad Knutson and Jon Waldman
Price: $159
View Recording:
-wannacry-ransomware-impacts-sp17
This webinar is done in partnership with GSB.
a. Disable SMBv1 on all nodes where it is not a critical function. It can be disabled manually or using SCCM/GPO. See here for details: -us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
W32 Wannacry – how to disable SMB v1
Download Zip https://t.co/cGiZticfua
b. For nodes on which SMBv1 cannot be disabled, it is recommended to set up a dedicated closed segment. Connections to this segment via the SMB protocol should be allowed only from nodes with the security update and invulnerable to attack.
Disabling the SMB protocol - If you have no requirement for the SMB protocol to be utilised, this can be disabled via registry changes. Disabling SMB requires a server restart, SMB is required for certain server functionality, please contact our support team before proceeding with any changes to live systems.
For further guidance, refer to the following Microsoft blog article which references an emergency patch that was issued for customers who are running unsupported operating systems: -guidance-for-wannacrypt-attacks/
If for whatever reason you are unable to install all Windows updates, then you must at least install the updates discussed in Microsoft Security Bulletin MS17-010. Security researcher Bart also recommends that you disable SMBv1 as it is not necessary to use it in modern Windows. Instructions on how to disable SMBv1 can be found in the MS17-010 bulletin as well.
The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes volume snapshots, and disables system repair tools. It also scans the infected system's settings to work out the user's language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop backdrop, too, to grab the victim's attention.
For unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.
This is the ms17-010.nasl nessus plugin source code. This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.#%NASL_MIN_LEVEL 70300## (C) Tenable Network Security, Inc.#include('deprecated_nasl_level.inc');include('compat.inc');if (description) script_id(97833); script_version("1.29"); script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/07"); script_cve_id( "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148" ); script_bugtraq_id( 96703, 96704, 96705, 96706, 96707, 96709 ); script_xref(name:"EDB-ID", value:"41891"); script_xref(name:"EDB-ID", value:"41987"); script_xref(name:"MSFT", value:"MS17-010"); script_xref(name:"IAVA", value:"2017-A-0065"); script_xref(name:"MSKB", value:"4012212"); script_xref(name:"MSKB", value:"4012213"); script_xref(name:"MSKB", value:"4012214"); script_xref(name:"MSKB", value:"4012215"); script_xref(name:"MSKB", value:"4012216"); script_xref(name:"MSKB", value:"4012217"); script_xref(name:"MSKB", value:"4012606"); script_xref(name:"MSKB", value:"4013198"); script_xref(name:"MSKB", value:"4013429"); script_xref(name:"MSKB", value:"4012598"); script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03"); script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/10"); script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15"); script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/27"); script_name(english:"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)"); script_set_attribute(attribute:"synopsis", value:"The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value:"The remote Windows host is affected by the following vulnerabilities : - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148) - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY arefour of multiple Equation Group vulnerabilities and exploits disclosedon 2017/04/14 by a group known as the Shadow Brokers. WannaCry /WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,and EternalRocks is a worm that utilizes seven Equation Groupvulnerabilities. Petya is a ransomware program that first utilizesCVE-2017-0199, a vulnerability in Microsoft Office, and then spreadsvia ETERNALBLUE."); # -us/security-updates/SecurityBulletins/2017/ms17-010 script_set_attribute(attribute:"see_also", value:" "); # -customers-and-evaluating-risk/ script_set_attribute(attribute:"see_also", value:" "); # -ransomware-worm-targets-out-of-date-systems/?source=mmpc script_set_attribute(attribute:"see_also", value:" "); # -guidance-for-wannacrypt-attacks/ script_set_attribute(attribute:"see_also", value:" "); script_set_attribute(attribute:"see_also", value:" -using-smb1/"); # -us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and script_set_attribute(attribute:"see_also", value:" "); # -cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices script_set_attribute(attribute:"see_also", value:" "); # _warns_admins_to_kill_smb_after_shadow_brokers_dump/ script_set_attribute(attribute:"see_also", value:" "); # -shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/ script_set_attribute(attribute:"see_also", value:" "); script_set_attribute(attribute:"see_also", value:" "); # -ransomware-detection-for-the-modern-enterprise script_set_attribute(attribute:"see_also", value:" "); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows Vista, 2008, 7,2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has alsoreleased emergency patches for Windows operating systems that are nolonger supported, including Windows XP, 2003, and 8.For unsupported Windows operating systems, e.g. Windows XP, Microsoftrecommends that users discontinue the use of SMBv1. SMBv1 lackssecurity features that were included in later SMB versions. SMBv1 canbe disabled by following the vendor instructions provided in MicrosoftKB2696547. Additionally, US-CERT recommends that users block SMBdirectly by blocking TCP port 445 on all network boundary devices. ForSMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137/ 138 on all network boundary devices."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0148"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'SMB DOUBLEPULSAR Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:"CANVAS"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/14"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "smb_v1_enabled_remote.nasl"); script_require_keys("Host/OS", "SMB/SMBv1_is_supported"); script_require_ports(139, 445); exit(0);include("audit.inc");include("misc_func.inc");include("byte_func.inc");include("global_settings.inc");include("smb_func.inc");function smb_get_error_code (data) local_var header, flags2, code; # Some checks in the header first header = get_smb_header (smbblob:data); if (!header) return NULL; flags2 = get_header_flags2 (header:header); if (flags2 & SMB_FLAGS2_32BIT_STATUS) code = get_header_nt_error_code (header:header); else code = get_header_dos_error_code (header:header); return code;function my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount) local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad; npad = pad1 = pad2 = NULL; if (session_is_unicode () == 1) trans = cstring (string:transname); else trans = transname; header = smb_header (Command: SMB_COM_TRANSACTION, Status: nt_status (Status: STATUS_SUCCESS)); p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans); # Unicode transname should be aligned to 2 byte if(session_is_unicode() == 1) npad = crap(data:'\x00', length: (2 - p_offset % 2) % 2); p_offset += strlen(npad); # Parameter is aligned to 4 byte pad1 = crap(data:'\x00', length: (4 - p_offset % 4) % 4); p_offset += strlen(pad1); # Data is aligned to 4 byte d_offset = p_offset + strlen (param); pad2 = crap(data:'\x00', length: (4 - d_offset % 4) % 4); d_offset += strlen(pad2); plen = strlen(param); dlen = strlen(data); slen = strlen(setup); if(isnull(max_pcount)) max_pcount =0xffff; if(isnull(max_dcount)) max_dcount =0xffff; parameters = raw_word (w:plen) + # total parameter count raw_word (w:dlen) + # total data count raw_word (w:max_pcount) + # Max parameter count raw_word (w:max_dcount) + # Max data count raw_byte (b:0) + # Max setup count raw_byte (b:0) + # Reserved raw_word (w:0) + # Flags raw_dword (d:0) + # Timeout raw_word (w:0) + # Reserved raw_word (w:plen) + # Parameter count raw_word (w:p_offset) + # Parameter offset raw_word (w:dlen) + # Data count raw_word (w:d_offset) + # Data offset raw_byte (b:slen/2) + # Setup count raw_byte (b:0); # Reserved parameters += setup; parameters = smb_parameters (data:parameters); dat = npad + trans + pad1 + param + pad2 + data; dat = smb_data (data:dat); packet = netbios_packet (header:header, parameters:parameters, data:dat); return packet;## MAIN## Make sure it's Windows os = get_kb_item_or_exit("Host/OS");if ("Windows" >!< os) audit(AUDIT_HOST_NOT, "Windows"); # Make sure SMBv1 is enabledif (! get_kb_item("SMB/SMBv1_is_supported")) exit(0, "SMB version 1 does not appear to be enabled on the remote host."); if (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');r = NetUseAdd(share:"IPC$");if (r != 1) exit(1, 'Failed to connect to the IPC$ share anonymously.');fid = 0; # Invalid FID setup = raw_word (w:0x23) + raw_word (w:fid); packet = my_smb_trans_and_x (setup: setup, transname:"\PIPE\");ret = smb_sendrecv (data:packet);if (ret) status = smb_get_error_code (data:ret);else status = NULL;NetUseDel();if(! isnull(status)) if(status == STATUS_INVALID_HANDLE else exit(1, "Failed to get response status for an SMB_COM_TRANSACTION request.");
eebf2c3492
0 new messages