Tech Solvency - The Story So Far

SMB exploitation 2017

< Return to The Story So Far (list of notable security events)


Refs for EternalRocks / MicroBotMassiveNet:


* Scan for SMB in your environment.

- If your use of IPv4 space is sparse by routes, dump your internal routing table and convert to summarized CIDR.

- Feed your CIDRs to masscan to quickly scan for internal SMB ports. Masscan randomizes targets
    so that destination office WAN links won't saturate - but local/intermediate links might if
    you're not careful, so tune the rate:

    sudo masscan -p137,139,445,U:137,U:138 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-smb.list

- Feed that list of SMB-speaking hosts to a scanner that checks for the vulnerability.

    Option 1: nmap's smb-vuln-ms17-010 script

    sudo nmap -T5 -p137,139,445,U:137,U:138 --script smb-vuln-ms17-010.nse -iL masscan-smb.list -oA nmap-smb-vuln

    NOTE: You will need a modern nmap; 7.40+ is best. The U: ports are only scanned if you also pass
    -sU; without it nmap warns and skips them (the script itself runs against the TCP SMB ports).

    Option 2: the python2 checker, or the Metasploit module if you can use that internally, to detect
    the vulnerability. The python one is *not* parallelized, so consider breaking it into multiple
    parallel runners if you have a lot of scale.

- If you're using SCCM/other, verify that MS17-010 was applied - but be mindful of Windows-based 
    appliances not centrally patched, etc. Trust but verify.

- In parallel, consider investigating low-hanging fruit by OU (workstations?) to disable SMBv1 entirely.
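As an added example (not code from the Tech Solvency page), the two glue steps around masscan in Python: summarizing a routing-table dump into CIDRs for -iL, and pulling only the hosts with TCP 139/445 open out of masscan's greppable output so that just those go to the nmap pass. The route dump and the masscan output are constructed samples; the private-prefix filter, the output file names and the rate value are assumptions.

```python
"""Added example (not from the original Tech Solvency page): summarize an
internal routing-table dump into CIDRs for masscan's -iL, then pull the
SMB-speaking hosts out of masscan's greppable output for the nmap pass."""
import ipaddress
import re

# Constructed sample of a routing-table dump; only the prefix column is used.
# The default route is dropped (and so is any non-private prefix) so the scan
# stays internal.
ROUTE_DUMP = """\
10.10.0.0/24 via 10.0.0.1 dev eth0
10.10.1.0/24 via 10.0.0.1 dev eth0
10.10.2.0/23 via 10.0.0.1 dev eth0
10.10.0.0/22 via 10.0.0.1 dev eth0
192.168.50.0/24 via 10.0.0.2 dev eth1
192.168.51.0/24 via 10.0.0.2 dev eth1
default via 10.0.0.254 dev eth0
"""

# Constructed sample in the shape of masscan -oG output (one port per line).
MASSCAN_GREPPABLE = """\
# Masscan 1.0.4 scan initiated Wed May 17 10:00:00 2017
# Ports scanned: TCP(3;137,139,445) UDP(2;137,138)
Timestamp: 1495015201 Host: 10.10.1.15 () Ports: 445/open/tcp////
Timestamp: 1495015201 Host: 10.10.1.15 () Ports: 139/open/tcp////
Timestamp: 1495015202 Host: 10.10.2.7 () Ports: 137/open/udp////
Timestamp: 1495015203 Host: 192.168.50.44 () Ports: 445/open/tcp////
Timestamp: 1495015204 Host: 10.10.3.9 () Ports: 445/closed/tcp////
# Masscan done at Wed May 17 10:02:11 2017
"""

SMB_TCP_PORTS = {139, 445}
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(\S+)")


def summarize_routes(dump):
    """Collapse overlapping/adjacent private IPv4 prefixes into a minimal CIDR list."""
    nets = []
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # 'default' or anything that is not a prefix
        if net.version != 4 or net.prefixlen == 0 or not net.is_private:
            continue
        nets.append(net)
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def smb_hosts_from_masscan(text):
    """Hosts with TCP 139 or 445 open: these get the ms17-010 check, not the
    whole address space. UDP NetBIOS hits alone do not qualify."""
    hosts = set()
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.split("/")  # port/state/proto/...
            if (len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp"
                    and int(fields[0]) in SMB_TCP_PORTS):
                hosts.add(host)
    return sorted(hosts, key=ipaddress.ip_address)


def masscan_command(routes_file, rate):
    """The masscan line from the page as an argv list; the rate is site-specific."""
    return ["sudo", "masscan", "-p137,139,445,U:137,U:138", "--rate=%d" % rate,
            "-iL", routes_file, "-oG", "masscan-smb.list"]


if __name__ == "__main__":
    with open("routes.list", "w") as fh:
        fh.write("\n".join(summarize_routes(ROUTE_DUMP)) + "\n")
    print(" ".join(masscan_command("routes.list", 1000)))  # rate is an assumed value
    with open("smb-hosts.list", "w") as fh:
        fh.write("\n".join(smb_hosts_from_masscan(MASSCAN_GREPPABLE)) + "\n")
```

The summarizer keeps scans inside address space you actually route, and the masscan filter means the slower nmap script only runs where SMB answered.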

* Apply IOCs to all systems that support them. Potential sources:

* Block both Tor exit nodes and web/Tor gateways, on all firewalls (pfSense, Check Point, ASA, Sonicwall, Palo, etc.)
    * Per Blue Coat docs, "an SSL license is required to effectively block Tor"

* Fast-alert (email-to-SMS?) on any attempts to avoid proxy controls (by DNS, web filtering category, etc.)
    * SIEM, snort, DNS monitoring, full-packet-capture systems, etc.

* Verify blocks with antivirus vendors and prioritize AV updates

* It uses the default (wide open) install of the DOUBLEPULSAR backdoor, so continue scanning for DOUBLEPULSAR

* Consider spawning a process that locks this mutex: BaseNamedObjects \ {8F6F00C4-B901-45fd-08CF-72FDEFF}


Blocking exit nodes: 

Getting lists: two different methods:

2. wget -q -O- | grep ExitAddress | cut -f 2 -d ' ' | sort -n > exit-nodes.txt
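An added example, not code from the page, covering both the fast-alert item above (attempts to avoid proxy controls by DNS) and the exit-node list: it parses an exit-address list in the layout the wget/grep/cut pipeline consumes, then runs constructed firewall flow records against it to flag egress that reached a Tor exit node and port-53 traffic from internal hosts to anything other than the approved resolvers. The exit list, the flow log, the approved-resolver set and the internal ranges are all constructed/assumed values.

```python
"""Added example (not from the original Tech Solvency page): parse an
exit-address list, then check constructed firewall flow records for egress to
Tor exit nodes and for DNS that bypasses the approved internal resolvers."""
import ipaddress
import re

# Constructed sample in the layout of the Tor Project's exit-addresses file.
# Only the "ExitAddress" lines matter, which is what the page's grep keeps.
EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2017-05-17 01:02:03
LastStatus 2017-05-17 02:00:00
ExitAddress 198.51.100.23 2017-05-17 02:10:11
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2017-05-17 01:15:00
LastStatus 2017-05-17 02:00:00
ExitAddress 203.0.113.77 2017-05-17 02:12:40
ExitAddress 203.0.113.78 2017-05-17 02:12:40
"""

# Constructed firewall flow records (key=value style, TEST-NET addresses).
FLOW_LOG = """\
2017-05-17T02:30:01Z src=10.10.1.15 dst=198.51.100.23 proto=tcp dport=9001 action=allow
2017-05-17T02:30:05Z src=10.10.1.15 dst=192.0.2.10 proto=tcp dport=443 action=allow
2017-05-17T02:31:10Z src=10.10.2.7 dst=203.0.113.78 proto=tcp dport=443 action=deny
2017-05-17T02:32:00Z src=10.10.2.7 dst=192.0.2.53 proto=udp dport=53 action=allow
2017-05-17T02:32:01Z src=10.10.2.7 dst=10.0.0.53 proto=udp dport=53 action=allow
"""

# Assumed policy: internal clients may only talk DNS to these resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\S+)"
)


def parse_exit_addresses(text):
    """Set of exit IPs; same selection as: grep ExitAddress | cut -f 2 -d ' '."""
    exits = set()
    for line in text.splitlines():
        parts = line.split(" ")
        if parts[0] == "ExitAddress" and len(parts) >= 2:
            ipaddress.ip_address(parts[1])  # reject junk lines instead of carrying them
            exits.add(parts[1])
    return exits


def parse_flows(text):
    """Flow records as dicts; lines that do not match the expected layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows


def tor_exit_hits(flows, exits):
    """Flows whose destination is a known exit node. An 'allow' means the block
    list is missing that node; a 'deny' still shows a host trying to reach Tor."""
    hits = []
    for f in flows:
        if f["dst"] in exits:
            sev = "ALERT" if f["action"] == "allow" else "INFO"
            hits.append((sev, f["ts"], f["src"], f["dst"], f["action"]))
    return hits


def dns_bypass_hits(flows, approved=APPROVED_RESOLVERS, internal=INTERNAL_NETS):
    """Port-53 traffic from an internal host to anything but the approved
    resolvers: the 'avoid proxy controls by DNS' case the page says to fast-alert on."""
    hits = []
    for f in flows:
        if f["dport"] != 53:
            continue
        src = ipaddress.ip_address(f["src"])
        if any(src in net for net in internal) and f["dst"] not in approved:
            hits.append((f["ts"], f["src"], f["dst"]))
    return hits


if __name__ == "__main__":
    exits = parse_exit_addresses(EXIT_LIST)
    flows = parse_flows(FLOW_LOG)
    for h in tor_exit_hits(flows, exits):
        print("%s %s %s -> %s (%s) Tor exit node" % h)
    for h in dns_bypass_hits(flows):
        print("ALERT %s %s -> %s DNS to unapproved resolver" % h)
```

Feed the allowed hits to whatever fast-alert path you use (email-to-SMS, SIEM rule); the denied ones are still worth a ticket, since they show which internal hosts are trying to reach Tor.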





Cisco ASA

Prerequisite: the Botnet Traffic Filter licence for the ASA. For more information: Botnet ASA license

Example configuration:

(config)# dns domain-lookup outside
(config)# dns server-group DefaultDNSServers
(config)# name-server
(config)# name-server
(config)# domain-name pc.local
(config)# dynamic-filter updater-client enable
(config)# dynamic-filter use-database
(config)# access-list dynamic-filter_acl extended permit ip any any
(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
(config)# class dynamic-filter_snoop_class
(config-cmap)# match port udp eq domain
(config-cmap)# exit
(config)# policy-map dynamic-filter_snoop_policy
(config-pmap)# class dynamic-filter_snoop_class
(config-pmap-c)# inspect dns dynamic-filter-snoop
(config-pmap-c)# exit
(config-pmap)# exit
(config)# service-policy dynamic-filter_snoop_policy interface outside

Blue Coat

Note: an SSL license is required to effectively block Tor.

Other refs:

WannaCrypt Map
