Monday, May 15, 2017

Scan Intranet for Windows PCs missing MS17-010 / WannaCry / NSA ETERNALBLUE patches

So you have used all your tricks to get the MS17-010 fix deployed, but how do you confirm that every forgotten PC on your network is actually patched?

We'll scan our intranet with Metasploit, checking for this particular vulnerability. PCs whose local firewall blocks SMB traffic will be missed, but those are not exploitable over the network anyway because of that same firewall.

I'll keep this short.

- Install a virtual machine with Ubuntu 16.04 Server: http://releases.ubuntu.com/16.04/ubuntu-16.04.2-server-amd64.iso
- You can use the defaults during install, but it's recommended to enable OpenSSH Server for remote access over the LAN

- After the install is complete, log in using the account you created during install
- Switch to root
   sudo su -
- Apply the latest bug fixes and reboot
   apt-get update && apt-get -y dist-upgrade && reboot

- After the reboot, log in and switch to root
   sudo su -
- Install the latest Metasploit nightly
   cd /tmp
   wget -O msfinstall https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
   chmod a+x msfinstall
   ./msfinstall

- After the install is complete, launch Metasploit
   msfconsole
- Select the module, set the IP subnet to scan and the number of parallel connections, and go
   use auxiliary/scanner/smb/smb_ms17_010
   set RHOSTS 10.0.0.0/24
   set THREADS 30
   run

And that's about it. You'll soon know how vulnerable you still are.

[-] 10.0.0.54:445        - Host does NOT appear vulnerable.
[-] 10.0.0.10:445        - Host does NOT appear vulnerable.
[+] 10.0.0.92:445        - Host is likely VULNERABLE to MS17-010!  (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[-] 10.0.0.100:445       - Host does NOT appear vulnerable.
[-] 10.0.0.250:445       - Host does NOT appear vulnerable.

P.S. To save the Metasploit output to a file, use the command "spool /root/mylog.txt" before typing "run".
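If you want to run this check again after every patch cycle, it helps to script it rather than retype the console commands. Below is an added example (not from the original post): a small POSIX shell script that writes the same msfconsole commands into a resource script (so the scan runs unattended with msfconsole -q -r scan.rc, spooling its output to a file) and then pulls the hosts the module flagged as likely vulnerable out of that spool file for a quick status list. The subnet, thread count and file paths are assumptions taken from the post's own values; the sample log at the bottom is constructed to look like the module's output and is only there so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): generate a Metasploit resource
# script for the MS17-010 check and summarise the spooled results.
# SUBNET, THREADS and the file paths below are assumptions; adjust to taste.

SUBNET="${SUBNET:-10.0.0.0/24}"
THREADS="${THREADS:-30}"
RC_FILE="${RC_FILE:-/tmp/ms17_010_scan.rc}"
SPOOL_FILE="${SPOOL_FILE:-/tmp/ms17_010_scan.log}"

# Write the commands the post types into msfconsole as a resource script.
# Run the scan unattended with:  msfconsole -q -r "$RC_FILE"
write_rc() {
  cat > "$RC_FILE" <<EOF
spool $SPOOL_FILE
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $SUBNET
set THREADS $THREADS
run
spool off
exit
EOF
}

# Print one IP per line for every host the module reported as likely
# vulnerable ("[+] ... VULNERABLE to MS17-010"). "[-]" lines are hosts that
# answered on 445 and look patched; hosts whose firewall drops SMB never
# appear at all, so an empty list is not proof that nothing is missing.
vulnerable_hosts() {
  # $1: path to the spooled msfconsole log
  grep -F 'VULNERABLE to MS17-010' "$1" \
    | grep -F '[+]' \
    | sed -n 's/.*\] \([0-9.]*\):445.*/\1/p' \
    | sort -u
}

# Number of hosts still to patch, for a one-line status report.
vulnerable_count() {
  vulnerable_hosts "$1" | wc -l | tr -d ' '
}

# Constructed sample of a spool file after a run (not real scan output).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[-] 10.0.0.54:445        - Host does NOT appear vulnerable.
[+] 10.0.0.92:445        - Host is likely VULNERABLE to MS17-010!  (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[-] 10.0.0.100:445       - Host does NOT appear vulnerable.
[+] 10.0.0.17:445        - Host is likely VULNERABLE to MS17-010!  (Windows 7 Professional 7601 Service Pack 1)
[*] Scanned 4 of 256 hosts (1% complete)
EOF

# Stand-alone usage: write the resource script and summarise the sample log.
write_rc
echo "Resource script written to $RC_FILE"
echo "Likely vulnerable hosts: $(vulnerable_count "$SAMPLE_LOG")"
vulnerable_hosts "$SAMPLE_LOG"
```

Point SPOOL_FILE at the real log from a scan and the same two functions give you the list of machines that still need the patch; keeping the spool files from successive runs lets you show the count shrinking towards zero.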
