#MS17-010
First post! | Tryhackme #1 "Blue". | EternalBlue
Hello friends, for my first writeup I have decided to complete the "Blue" room from Tryhackme.
This room covers basic reconnaissance and compromising a Windows 7 machine that is vulnerable to EternalBlue (MS17-010 / CVE-2017-0144). EternalBlue is a vulnerability in Microsoft's implementation of Server Message Block (SMB) version 1; the exploit uses a buffer overflow to allow remote code execution.
To begin with, we will scan the machine to get an idea of which ports are open and what the target OS is.
We know the machine's IP is 10.10.7.17, which is all the information we have to work from, apart from what the lab provides.
We will start with an Nmap scan using the following command:
sudo nmap 10.10.7.17 -A -sC -sV
The breakdown of this command is as follows: -A enables OS detection, version detection, script scanning and traceroute, which gives us more information from the scan. -sC runs Nmap's default scripts, which can give us more insight depending on which scripts run. -sV reports the version numbers of any software running on the open ports, which is important for us, as we may be able to identify vulnerable versions of software and get an idea of how frequently the device is updated and maintained.
Our scan has come back and we can see the target is running Windows 7 Professional Service Pack 1 (which means it should be vulnerable to EternalBlue, which we will confirm shortly); we also get a lot more information about the target.
From our initial scan we now have the following information:
- Operating system and version: Windows 7 Pro SP1
- Hostname: Jon-PC
- The device is in a workgroup, not a domain
- Ports 135, 139, 445 and 3389 are open
Of interest to us right now are ports 445 and 3389: 445 is SMB, which is what EternalBlue targets, and 3389 is Remote Desktop Protocol, which allows remote connection to and control of a Windows device.
With this being an easy room with a known exploit, let's move on to gaining access to the machine. First we start Metasploit, a framework containing modules we can use to interact with and eventually gain control of the target device.
Metasploit has a built-in search function; using this I searched for EternalBlue and loaded the first result (exploit/windows/smb/ms17_010_eternalblue).
With the exploit selected I open the options for the payload and module and configure the following:
- RHOSTS: remote host / target
- RPORT: remote port, automatically filled with 445 as this is an SMB exploit
- VERIFY_TARGET: doesn't need to be configured; it is enabled by default and checks that the target is vulnerable before committing the exploit
- LPORT: local port to use on my machine
- LHOST: local address or interface; in my case I set this to the tun0 interface on my machine, as identified by running "ifconfig", because I am connected over a VPN
The only other change I make is to set the payload to payload/windows/shell_reverse_tcp to get a non-Meterpreter reverse shell, as I find this gives me better results.
With these set we run the exploit, and after less than a minute I get a success message and a reverse shell: our terminal now shows "C:\Windows\system32", and running "whoami" returns "nt authority\system".
We now have a reverse shell on the target with the highest privileges possible, as we are running as SYSTEM. From here we can move around the system, gather the "flags" for the lab and complete the rest of the questions, so let's do that!
First off we need to upgrade our shell to a Meterpreter shell. We background our current shell with Ctrl+Z and make a note of the session number, which is 6 (we'll need this later).
To upgrade the shell we need another Metasploit module, in this case a "post" module. These are post-exploitation modules that help with various tasks; in our case we want to upgrade our plain reverse shell to a Meterpreter shell, which gives us more options, some of which are shown below to give you an idea!
The module for this is post/multi/manage/shell_to_meterpreter.
The only option we need to set is the session number of our existing shell, which was 6. Once we run it we can confirm that the Meterpreter shell has been created by running "sessions", which lists our current sessions.
From here we can run "sessions -i 7" to switch to session 7 in our terminal. Now that we are in the Meterpreter shell we can use "help" to list the extra commands available, but more importantly we need to migrate to a stable process that still has SYSTEM privileges. We list all running processes with the "ps" command and identify a process such as "spoolsv.exe". We migrate to it using its process ID, so we enter "migrate 1224".
Next we need to dump the SAM database, which gives us all the password hashes on the computer so we can crack them.
We use the convenient "hashdump" command from the Meterpreter shell to do this; it gives us the following password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
The question asks us to crack Jon's password. For ease of use, and to keep this writeup on the short side, we use crackstation.net: we take the last part of Jon's line, "ffb43f0de35be4d9917ac0cc8ad57f8d", and enter it into the website, which matches the hash against its database, as this is a weak password.
We could have used Hashcat or John the Ripper to crack the password, which we will do in the future, as this website can only handle a few hash types.
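The same hashdump output can be read as an audit result rather than as input for cracking. The PowerShell below is an added example and is not part of the writeup: it parses pwdump-format lines (user:RID:LM hash:NT hash:::) and flags two conditions using the two well-known hashes of the empty string that appear in the output above. aad3b435b51404eeaad3b435b51404ee in the LM field means no LM hash is stored, which is the desired state; 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field means the account has an empty password. The sample input is the three lines quoted above; the function name is my own, and the script needs PowerShell 3.0 or later.

```powershell
# Added example, not from the writeup: audit pwdump-format lines for
# LM hash storage and blank passwords.
$EmptyLmHash = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty string
$EmptyNtHash = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string

# Sample input: the three lines quoted from the Blue room above.
$SampleDump = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
'@

function Get-PwdumpFinding {
    # Returns one object per account with LmHashStored / BlankPassword flags.
    param([Parameter(Mandatory = $true)][string]$DumpText)

    foreach ($line in ($DumpText -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Split(':')
        # Expect at least user, RID, LM hash, NT hash; both hashes are 32 hex chars.
        $hashOk = ($fields.Count -ge 4) -and ($fields[2] -match '^[0-9a-fA-F]{32}$') -and ($fields[3] -match '^[0-9a-fA-F]{32}$')
        if (-not $hashOk) {
            Write-Warning "Skipping malformed line: $line"
            continue
        }
        $lm = $fields[2].ToLowerInvariant()
        $nt = $fields[3].ToLowerInvariant()
        [pscustomobject]@{
            User          = $fields[0]
            Rid           = [int]$fields[1]
            LmHashStored  = ($lm -ne $EmptyLmHash)   # $true: legacy LM hash present, easily cracked
            BlankPassword = ($nt -eq $EmptyNtHash)   # $true: account has no password at all
            NtHash        = $nt
        }
    }
}

# Usage: show only the accounts that need attention.
Get-PwdumpFinding -DumpText $SampleDump |
    Where-Object { $_.BlankPassword -or $_.LmHashStored } |
    Format-Table User, Rid, LmHashStored, BlankPassword -AutoSize
```

On the lab machine Administrator and Guest carry the empty-password hash; on a default Windows 7 install both accounts are disabled, so read this check together with the account status. Jon's hash is not empty, but NT hashes are unsalted, which is exactly why a weak password falls to a lookup table as the writeup shows.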
The final step is finding the flags to complete the lab, so we hunt them down; however, as this is a writeup I will obfuscate the flags.
The first is at C:\ and is "flag{********_the_machine}".
The second is where the SAM database resides, C:\Windows\system32\config, and is "flag{*******_database_elevated_access}".
The third is in a good place to check for valuable information: user directories, especially if the user holds a technical or elevated position at the target site. The flag is located in C:\Users\Jon\Documents and is "flag{admin_****_can_be_valuable}".
I hope you found this helpful or interesting at least! I aim to upload writeups slowly as I get myself back into the swing of things again!
Until next time
Lilith
MS17-010 Exploit Code
This is just a semi-automated, fully working, no-bs, non-Metasploit version of the public exploit code for MS17-010. https://github.com/3ndG4me/AutoBlue-MS17-010 #exploit #cybersecurity #infosec
Microsoft patched the WannaCry vulnerability two months ago
It has been almost two months since the MS17-010 vulnerability exploited by the WannaCry malware was patched. The large differences in damage between organisations show that a complete and regular software update practice needs to be adopted.
Last Friday saw a virus outbreak on a scale not seen for a long time. Organisations from almost every country…
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.
Sources:
How to Accidentally Stop a Global Cyber Attacks, MalwareTech
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware, Troy Hunt
City banks plan to hoard bitcoins to help them pay cyber ransoms, The Guardian
Tags: cybercrime, malware, technology, data and computer security, internet, ms17-010, ransomware, ransowmare, wannacry, wcry, malwaretech, darien huss, bitcoin, wanacrypt0r, shadow brokers, worm
Canon IT Solutions publishes its June 2018 malware report: attacks exploiting the vulnerability in the Windows "SMB" protocol are on the rise
SMB (Server Message Block), huh.
It is used for things like file sharing on Windows.
And exploitation of this vulnerability is said to be increasing.
By the way, a security patch has already been released as MS17-010, so it might be a good idea to apply it.
June 2018 malware report published: attacks exploiting the vulnerability in the Windows "SMB" protocol are on the rise. Canon IT Solutions Inc.
Canon IT Solutions Inc. (head office: Shinagawa-ku, Tokyo; president: Masachika Adachi; hereafter Canon ITS), part of the Canon Marketing Japan Group, has published a report on malware detections for June 2018.
■ Report on malware detections for June 2018…
Tags: MS17-010, Server Message Block, SMB, Windows, update, security, security hole, security update, protocol, World Cup, real-world example, exploitation, occurrence, vulnerability, scam email, apply
Powershell Script To Check for MS17-010 Hotfixes [EternalBlue]
The below PowerShell script will check for all Microsoft KB patches associated to MS17-010.
EternalBlue is an exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack.
Exploits include WannaCry, EternalRomance,…
'WannaCry' Malware Attack
By now many of you have read reports on various news channels, blog posts, etc. This flaw was patched in Microsoft's March 2017 update cycle (MS17-010).
'WannaCry' ('WannaCrypt', 'WCRY') was reported worldwide on May 12th 2017 as a ransomware worm targeting out-of-date systems. WannaCry leverages vulnerabilities that have already been fixed on systems that are kept updated. Unfortunately…
Microsoft releases a patch for the flaw exploited by WannaCrypt, also for Windows versions that are no longer supported
Yesterday, companies and users were the target of a worldwide malicious attack aimed at PCs and servers running the Windows operating system.
The WannaCrypt ransomware, besides encrypting users' files, takes advantage of an SMBv1 vulnerability to spread even faster across networks. This flaw mainly affects the Windows XP operating systems,…
Wana Decrypt0r ransomware is spreading worldwide and uses advanced attack and infection vectors. Introduction: hardly a day goes by without a new ransomware variant being reported, but the one reported today (12.
Tags: Cryptolocker, DOUBLEPULSAR, Endpoint Protection, Endpoint Security, help, MS17-010, msitc, patch, ransomware, protection, SecureAPlus, securedsector.com, support, Wana Decrypt0r, WanaCrypt0r, WannaCrypt, whitelisting
Ispy - Eternalblue (MS17-010) / Bluekeep (CVE-2019-0708) Scanner and Exploiter
#automation #Bluekeep #CVE20190708
ispy: Eternalblue (MS17-010) / Bluekeep (CVE-2019-0708) scanner and exploiter (Metasploit automation)
How to install:
git clone https://github.com/Cyb0r9/ispy.git
cd ispy
chmod +x setup.sh
./setup.sh
Tested on:
Parrot OS
Kali Linux
Tutorial (how to use ispy)
GitHub profile: https…
Easybee exploit
User can add checks for custom named pipes.
NAMEDPIPETOUCH: utility to test for a predefined list of named pipes, mostly AV detection.
IISTOUCH: check if the running IIS version is vulnerable.
DOPU: used to connect to machines exploited by ETERNALCHAMPIONS.
SMBTOUCH: check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE.
ERRATICGOPHERTOUCH: check if the target is running some RPC.
PASSFREELY: utility which "Bypasses authentication for Oracle servers".
ODDJOB: an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors.
EAGERLEVER: NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release.
Metapackages, containers with custom scripts within!
EARLYSHOVEL: RedHat 7.0 – 7.1 Sendmail 8.11.x exploit.
EBBISLAND (EBBSHAVE): root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer), both SPARC and x86.
ECHOWRECKER: remote Samba 3.0.x Linux exploit.
EASYBEE: appears to be an MDaemon email server vulnerability.
EASYFUN: EasyFun 2.2.0 exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6.
EASYPI: an IBM Lotus Notes exploit that gets detected as Stuxnet.
EWOKFRENZY: an exploit for IBM Lotus Domino 6.5.4 & 7.0.2.
EXPLODINGCAN: an IIS 6.0 exploit that creates a remote backdoor.
ETERNALROMANCE: an SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010).
EDUCATEDSCHOLAR: an SMB exploit (MS09-050).
EMERALDTHREAD: an SMB exploit for Windows XP and Server 2003 (MS10-061).
EMPHASISMINE: a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2.
ENGLISHMANSDENTIST: sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users.
EPICHERO: 0-day exploit (RCE) for Avaya Call Server.
ERRATICGOPHER: an SMBv1 exploit targeting Windows XP and Server 2003.
ETERNALSYNERGY: an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010).
ETERNALBLUE: an SMBv2 exploit for Windows 7 SP1 (MS17-010).
ESKIMOROLL: a Kerberos exploit targeting 2000, 2003, 20 R2 domain controllers.
ESTEEMAUDIT: an RDP exploit and backdoor for Windows Server 2003.
ECLIPSEDWING: an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067).
ETRE: an exploit for IMail 8.10 to 8.22.
ETCETERABLUE: an exploit for IMail 7.04 to 8.05.
FUZZBUNCH: an exploit framework, similar to Metasploit.
Win7Blue Scan & Exploit - #EternalBlue MS17-010 - Windows 7 x86 & x64
Tested on: 1. Kali 2. Parrot 3. Debian 4. Ubuntu
Requirements: 1. Python3 2. Python2.7 3. Msfvenom 4. Impacket 5. Netcat
https://github.com/d4t4s3c/Win7Blue
Petya Ransomware – complete system lockdown
According to sources, a new variant of the ransomware virus known as Petya or Petwrap has appeared on the Internet.
This comes amid the chaos that has broken out worldwide, with businesses and funding sources shutting down in France, the United Kingdom, India, Ukraine and Europe. Payment now has to be made in bitcoin to get the files unlocked.
Just as with WannaCry, Windows SMBv1 has made it easy for the Petya virus to spread, faster than WannaCry did. Petya, as a kind of ransomware, works quite differently from any other malware. Unlike other traditional ransomware, Petya does not encrypt the files on the target system one by one.
Interestingly, the Petya ransomware differs from its predecessor in that it does not encrypt the files in your system. Instead, the victim's system is rebooted and the Master File Table (MFT) and Master Boot Record (MBR) are locked.
As a result of the infection the user cannot access the system, since the affected area takes over the physical disk. Petya replaces the MFT and MBR with its own set of malicious code, which displays the ransom note. Unfortunately, the victim cannot reboot the system. A security survey produced figures indicating that only a few antivirus companies can detect the Petya ransomware.
The oil giant Rosneft (Russia) has already run into the main Petya problem, followed by Ukrenergo, the Ukrainian state electricity supplier. "We have been attacked! Two hours ago we had to shut down all our computers. We are waiting for permission from the Security Service of Ukraine (SBU) to turn them back on," the Kyivenergo press service announced in a panic.
How does Petya ransomware manage to infect systems so quickly?
As already mentioned, WannaCry and Petya take advantage of the SMBv1 EternalBlue flaw, i.e. Windows machines that are unpatched but still in use.
Surprisingly, even quite a long time after learning about the WannaCry problem, large corporations and companies have still not taken proper security measures to protect against such a threat.
It is not surprising that, despite all this and the outcry over the Windows vulnerability that let WannaCry spread, most corporations and companies are unable to learn from the past and remain vulnerable to such cyberattacks.
"Petya ransomware is successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network threat (MS17-010)," according to a security post on Twitter.
How to protect your system from ransomware attacks?
And finally, as SEO companies recommend, the main thing is to install the EternalBlue (MS17-010) updates and to disable the Windows SMBv1 file-sharing protocol, which is more than 30 years old.
Once again, be careful with unwanted or suspicious files and documents that you receive by email. Do not click on links unless you trust the source.
Do not download unknown freeware, as it usually contains hidden code with viruses.
Do not download suspicious plugins and extensions that supposedly provide extra features completely free of charge but actually load malicious software onto your computer or website.
Keep your valuable data on a separate hard drive. It is recommended to regularly save backups to an external storage device.
Delete temporary files, registry entries and so on at regular intervals.
Finally, keep your data protected with industry-grade antivirus software with Advanced Threat Protection and Containment technology.
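Two of the posts on this page come down to the same host check: the "Powershell Script To Check for MS17-010 Hotfixes" post above (whose script is cut off) and the first recommendation in the list just given, install the MS17-010 update and disable SMBv1. The script below is an added example, written here and not taken from either post. It reports whether one of the MS17-010 KB numbers is installed, reads the version of srv.sys (the SMB server driver that the bulletin replaces), reports whether the SMBv1 server is enabled, and disables it only when called with -DisableSmb1. Assumptions: an elevated PowerShell 3.0 or later session on the host itself; the KB list is the March/May 2017 MS17-010 set as I remember it and should be verified against the Microsoft bulletin; the function names are mine.

```powershell
# Added example, not the page's script: report MS17-010 patch presence and
# SMBv1 state on this host, and disable SMBv1 when asked.
# Assumptions: elevated PowerShell 3.0+ on the host; KB list typed from memory,
# verify it against the MS17-010 bulletin before trusting a "not found" result.
param([switch]$DisableSmb1)

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP, Server 2003, Vista, Server 2008, Windows 8 RTM
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Hotfix {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID looks like "KB4012212".
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $hits      = @($installed | Where-Object { $KnownKbs -contains $_ })
    # srv.sys is the driver the bulletin replaces. When no KB matches (later
    # rollups supersede the 2017 ones), compare this version with the bulletin.
    $srv = Get-Item "$env:windir\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HasMs17010Kb  = ($hits.Count -gt 0)
        MatchingKbs   = $hits
        SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
    }
}

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later: ask the SMB server directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: only the LanmanServer registry value exists;
    # a missing value means SMB1 is enabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }
    return ($item.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
        Write-Warning 'SMB1 set to 0 in the registry; reboot the host for it to take effect.'
    }
}

# Usage: report first, change only on request.
$patch = Test-Ms17010Hotfix
$smb1  = Get-Smb1ServerEnabled
"MS17-010 KB installed : $($patch.HasMs17010Kb) $($patch.MatchingKbs -join ', ')"
"srv.sys file version  : $($patch.SrvSysVersion)"
"SMBv1 server enabled  : $smb1"
if ($smb1 -and $DisableSmb1) { Disable-Smb1Server }
```

Treat "no KB found" as "check further", not as "vulnerable": a host that received any later monthly rollup lists that rollup instead of the March 2017 KB, which is why the srv.sys version is printed alongside. Disabling the SMBv1 server on Windows 7 only takes effect after a reboot, and it breaks clients that can only speak SMB1, so inventory those first.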
Hack the WanaCry off the system
WannaCry and WanaCrypt0r are so 2017, as MS17-010 should have been patched zillions of weeks ago, but there are always some hidden, unofficial, often abandoned systems on the corporate network that are still vulnerable to EternalBlue. They got WanaCryptor once and have been scanning the network for potential victims ever since, trying to spread further.
To get rid of them, I first installed a dionaea SMB honeypot in the network and waited for the infected hosts to show up. After a while I had a nice list of IPs scanning the network for SMB shares. The idea was to stop them spreading the malware without causing any service interruption. Solutions like changing the default gateway to drive them against the wall, or shutting down or crashing the system, are not feasible. DoS is a no-go.
When I was younger I often cleaned infected machines manually, just by finding the malware process, suspending or killing it, removing the executable, removing the persistence and so on. I was curious whether this can be done remotely, so I launched msfconsole on my Kali box and loaded the exploit and the correct payload:
Targeting an IP from the honeypot report and running the exploit gave me a nice reverse Meterpreter session:
OK, now let's have a look at the network activity of this system:
Look at that! It is scanning the network for tcp/445 SMB connections. The masked IPs are random IP addresses. Note the name of the scanning process, mssecsvc.exe. Some Google research confirmed that this is the worm that spreads WanaCrypt0r. Enumerating services shows that the service name is "mssesvc2.0":
It seems to be stoppable, so let us stop it:
Very good. The network status shows whether it has stopped its malicious activity:
Hey, look at that! It stopped scanning. Excellent. The next step is to make sure it will not be started again. Removing the service or the executable is no solution, because the host would just be infected again. The executable should stay where it is, but it must not run. So I will ruin it by overwriting its content with an arbitrary string; in this example I will put a "1" into the exe file.
The executable was not visible at first, but I remembered from the golden age of manual cleaning of infected computers that files can be protected from modification, and even hidden from dir listings, using the attrib command. Running attrib *.exe revealed that mssecsvc.exe and tasksche.exe have the S flag set, which makes them system files. It also means that I will not be able to overwrite them:
Exactly as I expected. Fortunately I have nt/system privileges, so the system flag can be removed using the attrib command:
It is now a regular file and is shown by the dir command as well. Look at the file size and the creation date: this host was infected on 12/03/2018. OK, quickly corrupt this file and make it unusable:
Seems much better. Now it's time to put back all the protections in order to avoid reinfection:
The R, S and H flags mean Read Only, System and Hidden. As you can see, I am no longer able to write to the file. Finally, let's check whether the service can be started:
Wonderful! The worm has been disabled on this system. The MS17-010 hole is still open, however, so when an infected host tries to spread the worm to this machine, it will not be able to overwrite the corrupted executable. Because this file name is hardcoded into the worm, it will not be able to infect this computer again.
Don't forget to corrupt the other S-flagged executable, "tasksche.exe", as well, which is the ransomware itself. It is disabled by the DNS kill switch, but it is definitely not a good idea to keep it runnable on the filesystem.
Depending on the OS version it is also possible to disable SMBv1 in order to mitigate the vulnerability. And you can always leave a nice message on the desktop of all users asking for the system to be patched.
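The manual sequence above (stop the service, strip the S/H/R attributes, overwrite the executable, restore the attributes, confirm the service no longer starts) is easy to get wrong on the tenth host, so here it is as a script. This is an added example and not the post's own commands; the post drives the same steps through a Meterpreter shell. Assumptions: it runs in an elevated PowerShell on the infected host itself, for instance over RDP; the two files are assumed to sit in $env:windir, since the post does not say which directory it worked in; the service name defaults to "mssecsvc2.0", the commonly reported name, where the post writes "mssesvc2.0"; the function names are mine. This is containment only, and the post's own conclusion still holds: the host remains exposed until MS17-010 is installed.

```powershell
# Added example, not the post's own commands: the neutralisation the post
# does by hand, as a local script. Assumptions: elevated PowerShell on the
# infected host; files assumed under $env:windir (post does not say where);
# service name "mssecsvc2.0" is the commonly reported one (post: "mssesvc2.0").
param(
    [string]$Directory   = $env:windir,
    [string]$ServiceName = 'mssecsvc2.0',
    [string[]]$Files     = @('mssecsvc.exe', 'tasksche.exe')
)

function Stop-WormService {
    # Stop the spreader service if it exists. The service entry itself is left
    # in place, as in the post; only its binary is made unusable.
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "Service '$Name' not present"; return $false }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction Stop }
    Write-Host "Service '$Name' stopped"
    return $true
}

function Disable-WormBinary {
    # Strip S/H/R, overwrite the PE with a single byte, then restore S/H/R so
    # a re-infection attempt cannot replace the placeholder.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "Not found: $Path"; return $false }
    $before = (Get-Item -LiteralPath $Path -Force).Length     # -Force: the file is hidden
    & attrib.exe -S -H -R "$Path"                             # the post's attrib step
    [System.IO.File]::WriteAllText($Path, '1')                # the post's "1" placeholder
    & attrib.exe +R +S +H "$Path"                             # protections back on
    $after = (Get-Item -LiteralPath $Path -Force).Length
    Write-Host ("{0}: {1} -> {2} bytes" -f $Path, $before, $after)
    return ($after -eq 1)
}

# Usage: stop, corrupt, then prove the service can no longer start.
$stopped = Stop-WormService -Name $ServiceName
foreach ($f in $Files) { [void](Disable-WormBinary -Path (Join-Path $Directory $f)) }
if ($stopped) {
    try {
        Start-Service -Name $ServiceName -ErrorAction Stop
        Write-Warning "Service '$ServiceName' still starts; check its binary path with 'sc qc $ServiceName'."
    } catch {
        Write-Host "Service '$ServiceName' can no longer start: $($_.Exception.Message)"
    }
}
```

Check the service's configured binary path before trusting the result: if a variant installs itself under a different file name, the placeholder written here protects the wrong file, and the final Start-Service is what tells you so. Record the pre-overwrite file size and creation date the post points at before running this, since the overwrite destroys that evidence.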