Slashdot Mirror


EternalBlue Vulnerability Scanner Finds Exposed Hosts Worldwide (helpnetsecurity.com)

Orome1 quotes Help Net Security: After the recent massive WannaCry ransomware campaign, Elad Erez, Director of Innovation at Imperva, was shocked at the number of systems that still sported the Microsoft Windows SMB Server vulnerabilities that made the attack possible. So, he decided to do something about it: he created Eternal Blues, an easy-to-use vulnerability scanner that he made available for download for free... The statistics collected by the tool, as well as the total number of downloads, show that after the NotPetya attack, people's awareness of the threat did increase... Over 8 million IP addresses were scanned, and a total of 60,000 vulnerable hosts were identified (out of ~537,000 that were responsive). Of the ~537,000 responsive hosts, some 258,000 still had SMBv1 enabled.
One organization in France found two vulnerable hosts after scanning over 13,000 IP addresses, and Erez believes that without his tool, "finding those two needles in the haystack would have been an almost impossible mission... Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement."

38 comments

  1. Why not patch by Anonymous Coward · · Score: 2, Interesting

    Why not use the scanner to exploit + patch the systems.

    1. Re:Why not patch by Z00L00K · · Score: 2

      And in addition to this - segment your darn networks in your companies - that will contain any intrusion to a limited number of clients.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Why not patch by eneville · · Score: 1

      If by segment you mean have separate DC's and airgaps, then yes. Or use a less vulnerable and more robust OS.

    3. Re: Why not patch by Anonymous Coward · · Score: 0

      Yes but your segments will still have to talk to each other somehow and often that does imply SMB communication. Blocking all traffic would presumably solve the issue but it will also impact productivity.

    4. Re:Why not patch by Anonymous Coward · · Score: 0

      1. Because that's illegal.

      2. Because you don't know what critical, possibly even life-supporting systems you may break in the process, regardless of the fact they shouldn't be vulnerable.

    5. Re:Why not patch by Anonymous Coward · · Score: 0

      Worth considering - look through the post for the one from APK with the necessary REGISTRY SETTINGS (you don't even need to update binaries) to do this.

    6. Re:Why not patch by Z00L00K · · Score: 1

      At least separate DCs, not necessarily air gaps, and then use a less sloppy protocol than SMB to exchange needed information between servers, possibly using gateways that sanitize any data exchanged.

      The problem with many of the Microsoft protocols is that they are a "catch-all" for any operation the user or application may perform.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re: Why not patch by Z00L00K · · Score: 1

      If you segment the right way productivity won't suffer. You rarely want HR to share data with software development.

      But today many company networks are world-wide monolithic networks.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Protect vs. WannaCry easily many ways by Anonymous Coward · · Score: 3, Informative

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    (IMPORTANT: Finally, THIS HAS BEEN PATCHED by MS but you can protect this way too & it works...)

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

    1. Re:Protect vs. WannaCry easily many ways by Poingggg · · Score: 1

      Wow, how lucky Windows users are, not having to use all sorts of obscure command line instructions!.... Oh wait...

      --
      What person will donate an airborne act of love?
    2. Re:Protect vs. WannaCry easily many ways by Anonymous Coward · · Score: 0

      Thank you! I was exposed according to the tool in the FA and this closed the vulnerability. The microsoft patch did not!

    3. Re:Protect vs. WannaCry easily many ways by Anonymous Coward · · Score: 0

      LOL, there is a UI for both.

      Stick to your hunt and pecking.

    4. Re:Protect vs. WannaCry easily many ways by Motherfucking+Shit · · Score: 2

      The one time I actually want to upvote an APK post, and I don't have mod points! All I can do is say thanks for your contribution.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    5. Re:Protect vs. WannaCry easily many ways by Anonymous Coward · · Score: 0

      I tried this. Result: DFS no longer works, users don't get networked drives. Windows 10 users, no XP or older!

  3. Malware tool by Anonymous Coward · · Score: 1

    So this free tool not only scans for vulnerabilities but it collects 'statistics' and phones that data home to the tool maker's server where it is collected, analyzed and sold? to interested third-parties? How is this not malware itself??

    1. Re: Malware tool by daveb · · Score: 1

      That was my first thought too.

    2. Re:Malware tool by Anonymous Coward · · Score: 0

      Apparently because he says so:

      Pattern match: http://www.iec.ch
      Pattern match: http://omerez.com/repository/pages/eternalblues-report.html?id=
      Pattern match: https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe/
      Pattern match: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack/
      Pattern match: https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/
      Heuristic match: mailto:eternalblues@omerez.com
      Pattern match: http://omerez.com/eternalblues/?update=
      Pattern match: https://twitter.com/Omerez_com
      Heuristic match: Hello dear reverser. Just checking the existence of the EternalBlue vulnerability. No malicious code here. Seriously,I'm from the good guys. For a safer world,Elad Erez | Omerez.com
      Pattern match: http://omerez.com/repository/eternalblues-version.txt
      source: https://www.hybrid-analysis.com/sample/21cc36e60e661613f0c05e73b9496bf2d456931686b0693112842d91d7e64e78?environmentId=100

      Anyway. I ran it in a virtual network and it didn't find an old samba server running SMBv1. So I don't know how reliable it is, even if it weren't allegedly collecting vulnerable systems' info.

  4. More incompetence by Anonymous Coward · · Score: 1

    Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement.

    A one-off vulnerability scanner does not do risk analysis or enforce policy. What it does do is make the situation worse by exposing vulnerabilities to an outside entity, anyone that breaches Imperva's security, anyone working at Imperva, and anyone listening to network traffic to and from Imperva. What Imperva managed to do is make the whole problem worse while creating news that is a thinly-veiled advertisement.

    Yet another story written by people that do not understand security so other people that do not understand security can argue endlessly about security.

  5. Vulnerabilities?! by ckatko · · Score: 1

    I know clients still running Windows 2003 for their websites and e-mail.

    1. Re:Vulnerabilities?! by eneville · · Score: 1

      But now they're running websites for free customers they don't know they have.

  6. Can you fucking stop scanning port 445 then? by Anonymous Coward · · Score: 0

    What's your statistic on how many people lock their doors, or don't you go from house to house turning door knobs?

  7. Percentages by Anonymous Coward · · Score: 0

    So assuming there are 1 billion Winders machines, then 100 million still run SMB1 on the public internet?

  8. I contributed a working fix (have you?) by Anonymous Coward · · Score: 0

    It's ez via regedit.exe to edit areas of the registry involved OR putting this into a text file w/ a .reg extension:

    ---

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

    "SMB1"=dword:00000000
    "SMB2"=dword:00000001

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    "SMB2"=dword:00000001
    "SMB2"=dword:00000000

    ---

    (Use what's between the 2 "---" I put in as division bounds for the .reg file (you can name it as you wish, e.g. - FixSMB1SecurityIssue.reg)).

    & via sc.exe as noted per Microsoft...

    APK

    P.S.=> See subject & answer the question - seems to have done well by this AC who also answered here (found it odd the MS patch didn't work for him, but THIS all did) https://it.slashdot.org/comments.pl?sid=10865637&cid=54814977/ that also got me a +2 INFORMATIVE rated post thus far... apk

    1. Re:I contributed a working fix (have you?) by Poingggg · · Score: 1

      Nope, I did not commit a fix and (s)he did.
      I was just commenting on the fact that most Windows adepts always go on about how easy Windows is supposed to be, contrary to Linux, where "everything has to be done by typing obscure stuff on the command line". That's all, no offense :-).

      --
      What person will donate an airborne act of love?
  9. WHOOPS, small correction! by Anonymous Coward · · Score: 0

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

    "SMB1"=dword:00000000
    "SMB2"=dword:00000001

    * That's ALL you'd need for this (my 'cut & paste' on the 2nd part, wholly unneeded, undoes the SMB2 'on'...) - my bad!

    APK

    P.S.=> Apologies for those of you that save this in a .reg file for future use... apk
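A read-only audit that checks the same settings the two APK posts above describe (the SMB1/SMB2 DWORDs under LanmanServer\Parameters from this .reg file, and the mrxsmb10 start type and LanmanWorkstation dependency list that the earlier sc.exe commands write). This is an added example, not code from any poster or from Microsoft; it assumes the registry locations given in those posts and makes no changes.

```powershell
# Added example: audit the SMBv1 settings described in the thread without modifying anything.
# Assumed locations (from the posts above): LanmanServer\Parameters SMB1/SMB2 DWORDs,
# mrxsmb10 driver Start value, LanmanWorkstation DependOnService list.
$serverKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1DriverKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$workstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Get-RegValueOrDefault {
    # Returns the named value, or $Default when the key or value does not exist.
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-Smb1Exposure {
    $findings = @()

    # Server side: an absent SMB1 value means the documented default (1 = enabled)
    # still applies, which is exactly the state the scanner in the story was flagging.
    $smb1 = Get-RegValueOrDefault -Path $serverKey -Name 'SMB1' -Default 1
    $smb2 = Get-RegValueOrDefault -Path $serverKey -Name 'SMB2' -Default 1
    if ($smb1 -ne 0) { $findings += 'LanmanServer SMB1 is enabled (value absent or non-zero)' }
    if ($smb2 -ne 1) { $findings += 'LanmanServer SMB2 is disabled; clients fall back to SMB1 or fail' }

    # Client side: "sc.exe config mrxsmb10 start= disabled" writes Start=4
    # (2 = auto, 3 = demand, 4 = disabled) under the driver's service key.
    $start = Get-RegValueOrDefault -Path $smb1DriverKey -Name 'Start' -Default 3
    if ($start -ne 4) { $findings += "mrxsmb10 (SMB1 client driver) Start is $start, not 4 (disabled)" }

    # "sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi" rewrites DependOnService;
    # if mrxsmb10 is still listed, the workstation service keeps loading the SMB1 driver.
    $deps = Get-RegValueOrDefault -Path $workstationKey -Name 'DependOnService' -Default @()
    if ($deps -contains 'mrxsmb10') { $findings += 'LanmanWorkstation still depends on mrxsmb10' }

    # Newer builds expose the server-side state through the SmbShare module as well.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            $findings += 'Get-SmbServerConfiguration reports EnableSMB1Protocol = True'
        }
    }
    return $findings
}

$result = Test-Smb1Exposure
if ($result.Count -eq 0) { 'No SMBv1 exposure found in the checked settings.' } else { $result }
```

Run it from an elevated prompt on each host before and after applying the settings; an empty result only covers the registry state, so the DFS and legacy-client breakage mentioned later in the thread still has to be tested separately.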

  10. Did you reboot after patching? by Anonymous Coward · · Score: 0

    Thanks & SEE SUBJECT (just curious) - It's networking related & Windows' networking post Windows NT doesn't FULLY init TCP/IP by default until users make requests 1st!

    (That's for IP, lanman/netbios might not be the case as shares can be made to "relink" on a LAN/WAN using MS networking)

    HOWEVER: You CAN reset it to fully init @ bootup PRE userlogon (they did it this way to speed up bootup, copying it from APPLE believe it or not...) for the IP stack to FULLY initialize pre-logon...

    THUS imo a reboot SHOULD BE REQUIRED for the patch to take (full cold boot power down & power up again, imo) no matter HOW you did it (MS windows update ones OR the .reg settings I posted).

    * Still - I am GLAD it worked for you (there's many ways illustrated for you to use in it) & DO NOT THANK ME - thank Microsoft for finally patching it (hopefully you're not right about this sorry to say, or MS has more work to do, OR the scanner is erroneous) + providing the settings that I didn't !

    (I did the ones in my 'p.s.' @ the end of my posts for 'standalone-non-lan setup' systems that ARE online via TCP/IP alone).

    APK

    P.S.=> "Onwards & UPWARDS"... apk

  11. That's ok & did you CATCH THIS correction? by Anonymous Coward · · Score: 0

    Sorry for being 'snappy' (I get attacked a LOT on /. so I am immediately 'suspicious') & SEE SUBJECT + https://it.slashdot.org/comments.pl?sid=10865637&cid=54815671/

    * I made a TINY but crucial error in my .reg file... corrected there in response to you (my bad/apologies) since the 2nd UNNEEDED PART turns off the fix (stupid of me, lol - I was in a hurry replying to others).

    ALL OS have SOME commandline driven stuff - no way around it really (I don't care personally... as long as it works).

    APK

    P.S.=> There IS regedit.exe for this manually OR doing the .reg file I noted (by association of regedit.exe & .reg file extensioned files for the 'document-centric' model Windows uses to make this stuff easier to do, automated, even silently for network admins via the regedit.exe FILENAME.reg /s switch) &/or using sc.exe & yes, both are "Commandline driven" but only to a tiny extent... apk

    1. Re: That's ok & did you CATCH THIS correction? by Brockmire · · Score: 1

      Nobody should be doing copy and paste on anything you say. Just provide a link to the information and fuck off.

  12. Creimer! Creimer! Creimer! by Anonymous Coward · · Score: 0

    I got a Black Amazon Dot, which matches my vintage 2006 Black MacBook.

  13. Not 1st time I posted this, BUT? by Anonymous Coward · · Score: 0

    See subject: I posted it again for the SAME reasons I do my hosts files posts - to spread around what works to those that may not know of it... then, hopefully via geometric progression, then each tells 2 people & those 2 people tell 2 more etc. ...

    * MOST of that is Microsoft you REALLY need to thank (what's in my p.s. which also works in a more limited circumstance, is my own stuff that also works vs. this).

    APK

    P.S.=> In any event thanks though as it IS 'the thought that counts'... apk

  14. Do you trust the scanner? by manu0601 · · Score: 1

    The scanner is provided as a .exe binary for Windows, how can we trust it to only scan?

    1. Re:Do you trust the scanner? by Anonymous Coward · · Score: 0

      A windows binary coded in .NET framework. How lame can this scanner be? Real programmers would code in C or C++

  15. Eternal BlueS by Anonymous Coward · · Score: 0

    It's actually called 'Eternal BlueS', and not 'Eternal Blue', as it says in the title and summary.

  16. nice marketing by Anonymous Coward · · Score: 0

    I guess Imperva's numbers for the year are low.

  17. "Quagmire" (hahahaha) "U MAD BRO'"? by Anonymous Coward · · Score: 0

    See subject "Quagmire" (lol) & these times I show you're a FAKE NAME for a FAKE LIFE online do-nothing zero https://it.slashdot.org/comments.pl?sid=10606043&cid=54411703/ where you LIE saying my work has a "backdoor" (the only backdoor that got RAMMED HARD was you, especially here->) https://hardware.slashdot.org/comments.pl?sid=10581229&cid=54389041/ & DUSTING YOU ON INTEL AMT THREAT TOO https://yro.slashdot.org/comments.pl?sid=10610229&cid=54416029/ = PRICELESS!

    * You're a "do-nothing dildo" QUAGMIRE... & you KNOW it + SHOW IT!

    (Since you show nothing of value you've EVER done, lol!)

    APK

    P.S.=> You know it's all TRUE & easily verified above where I've DUSTED you as I always do "your kind" (weak "ne'er-do-wells") as always, easily - you do it to yourselves - how? You do NOTHING, lol... apk

  18. Protect vs. WannaCry The Better Version by n329619 · · Score: 1

    1. Click on random links and install ransomware
    2. Pick either pay the ransom or throw out the computer
    3. Repeat step 1 until you run out of cash
    4. If you ran out of cash, pick either file for bankruptcy or learn how to google
    5. If you picked learn how to google, search either how to protect against WannaCry or how to hire high quality IT staff

  19. security 101 by sad_ · · Score: 1

    just trust any tool found on the internet claiming (insert claim here).

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  20. Older windows in a LAN use SMB1 iirc by Anonymous Coward · · Score: 0

    Windows XP & below use SMB1 iirc so if you have a "mixed environment" network cutting off SMB1 may not work out for you is all I can say.

    * I am surprised the MS link doesn't mention that(does it?)...

    (...but w/ say, WinXP or 2k, I can see them NOT having SMB2/3 etc. too but 7 or above do...)

    APK

    P.S.=> I could see Distributed File System failing out too that way as well (still LanMan link apparently too, not IP/Active Directory based)... apk