Disabling SMB

Yockanookany · May 16, 2017, 12:51am

This could be out of fear mongering about updates installing monitoring stuff. People kill updates on internet facing machines because they don't want the updates to install the junk on them either not knowing or not considering the fact the system could be co mrpmoised.

emosun · May 16, 2017, 1:03am

Well as stated the update doesn't install so blowing away the smb is what I'm going to do.

But back to the topic at hand. I supposedly disabled them in power shell , is there a way to check if it worked and smb isn't functioning?

Eden · May 16, 2017, 1:03am

That's my worry and what I'm trying to point out here. That conspiracy if the case here has left these systems vulnerable for no reason. And that there other people's computers is down right irresponsible, even if that's not the intention, that's the outcome. And no matter what you (figuratively) have to take responsibility of the fact that you left people using these computers vulnerable because of the false notion that you think you know better.

And it is a false notion, because this topic was made now and not months ago when the vulnerability was published.

If this has been coming across negatively it's because it is. To many people on the forums have been doing this and putting them and others data at risk because they think they can do it better, but then don't put in the required constant and time consuming effort to keep these systems protected when they are not being patched.

Eden · May 16, 2017, 1:06am

Already said you can test if the machines are still vulnerable by running the ms17-010 module for nmap.

Keep in mind your not protected from the ransomeware. And not protected from any of the other unpatched exploits.

emosun · May 16, 2017, 1:11am

is there a link to this program

Yockanookany · May 16, 2017, 1:14am

You're absolutely right. I typically l roll my eyes at people saying things of this nature but it's time we start speaking up against it .

That said it's a culture that thrives on these forums. Some of it has moved people to linux I'm sure, which is fine, but not patching systems isn't the right approach.

Eden · May 16, 2017, 1:15am

github.com

cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms17-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against ms17-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx

This file has been truncated. show original

http://seclists.org/nmap-dev/2017/q2/79

emosun · May 16, 2017, 1:19am

how do you use or run it

emosun · May 16, 2017, 3:16am

does anyone know how to use this?

nakamura · May 16, 2017, 8:19am

Check this page:

Eden · May 16, 2017, 10:20pm

This is probably a good walkthrough. Just spin up a live distro and on you go.

Juggernaut · May 17, 2017, 1:24pm

Yeah, that's not a problem unique to here, or should I say to computer technology. Similar to how fantasy football is just D&D for the people who used to beat up people who played D&D, this community is fundamentally not that different from a car or boat club.

People coming together with a common interest, and a capacity for action breeds a certain DIY attitude. This isn't bad in and of itself, but then gaining knowledge and experience leads to self confidence...which again, is not necessarily a bad thing. However, as success starts building up, it can easily lead to over self confidence.

That is ultimately to say, when you know something, and know it well, it can be easy to forget what you DON'T know.

Yockanookany · May 17, 2017, 1:27pm

Which is why I always tell myself I know almost nothing about tech. Kinda the old adage, the more you learn the less you know kinda thing. I'm a damned good sysadmin/sec analyst but I don't know more than I know.