WannaCry vulnerability detection with Metasploit

May 22nd, 2017

Follow the instructions to install Metasploit, or create a Kali Linux virtual machine.

Let’s start the Metasploit console.

msfconsole
=[ metasploit v4.14.17-dev                         ]
+ --- --=[ 1648 exploits -- 946 auxiliary -- 293 post        ]
+ --- --=[ 486 payloads -- 40 encoders -- 9 nops             ]
+ --- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

Next, scan the network to identify hosts. The db_nmap command runs Nmap against our targets and stores the scan results automatically in the Metasploit database.

msf > db_nmap -v -A 192.168.99.0/24
[*] Nmap: Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-21 17:30 CEST
[*] Nmap: NSE: Loaded 143 scripts for scanning.
[*] Nmap: NSE: Script Pre-scanning.
[*] Nmap: Initiating NSE at 17:30
[*] Nmap: Completed NSE at 17:30, 0.00s elapsed
[*] Nmap: Initiating NSE at 17:30

Let’s look at the hosts found with the hosts command.

msf > hosts
Hosts
=====
address         name                os_name            os_flavor
-------         ----                -------            ---------
192.168.99.43  kali.local           Linux                      server
192.168.99.53  metasploitable.local Linux              8.04    server
192.168.99.54                       Microsoft Windows  8       client
192.168.99.55                       Windows 10                 client
192.168.99.66                       Mac OS X           10.7.X  device

Let’s use the auxiliary scanner module for the MS17-010 SMB vulnerability.

msf > use auxiliary/scanner/smb/smb_ms17_010

Let’s see the options of the scan.

msf auxiliary(smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       The SMB service port (TCP)
SMBDomain  .                no        The Windows domain to use for authentication
SMBPass                     no        The password for the specified username
SMBUser                     no        The username to authenticate as
THREADS    1                yes       The number of concurrent threads

As we can see, the RHOSTS option is required. Let’s set it to the IPs of our Windows hosts.

msf auxiliary(smb_ms17_010) > set RHOSTS 192.168.99.55, 192.168.99.54
RHOSTS => 192.168.99.55, 192.168.99.54

Let’s run the scan.

msf auxiliary(smb_ms17_010) > run
[-] 192.168.99.55:445    -- Host does NOT appear vulnerable.
[*] Scanned 1 of 2 hosts (50% complete)
[+] 192.168.99.54:445    -- Host is likely VULNERABLE to MS17-010!  (Windows 10 Enterprise Evaluation 14393)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

One of our Windows hosts is vulnerable!
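
To turn the scan output above into a patching list, the following added example (not part of the original post) parses the result lines into a per-host verdict and flags hosts the scan never reported on. The function names and the extra target 192.168.99.56 are assumptions made for illustration.

```python
import re

# Result lines copied from the `run` output above (e.g. saved with `spool`).
SAMPLE_LOG = """\
[-] 192.168.99.55:445    -- Host does NOT appear vulnerable.
[*] Scanned 1 of 2 hosts (50% complete)
[+] 192.168.99.54:445    -- Host is likely VULNERABLE to MS17-010!  (Windows 10 Enterprise Evaluation 14393)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# A per-host result line: status marker, host:port, dash separator, message.
RESULT = re.compile(
    r"^\[(?P<mark>[+\-*])\]\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+-+\s+(?P<msg>.*)$"
)
# In the output above, the vulnerable line ends with an OS string in parentheses.
OS_HINT = re.compile(r"\((?P<os>[^()]*)\)\s*$")

def triage(log_text, expected_hosts):
    """Map every host we meant to scan to a verdict and an OS string (or None)."""
    verdicts = {}
    for line in log_text.splitlines():
        m = RESULT.match(line.strip())
        if not m:
            continue  # progress lines such as "[*] Scanned 1 of 2 hosts"
        if m["mark"] == "+" and "VULNERABLE" in m["msg"]:
            status = "vulnerable"
        elif m["mark"] == "-" and "NOT appear vulnerable" in m["msg"]:
            status = "not_vulnerable"
        else:
            status = "inconclusive"  # any other host line: no verdict was reached
        found = OS_HINT.search(m["msg"])
        # A vulnerable verdict is never overwritten by a later line for the host.
        if verdicts.get(m["host"], {}).get("status") != "vulnerable":
            verdicts[m["host"]] = {"status": status, "os": found["os"] if found else None}
    # Hosts in RHOSTS with no result line were not assessed; do not treat as safe.
    for host in expected_hosts:
        verdicts.setdefault(host, {"status": "no_result", "os": None})
    return verdicts

def needs_follow_up(verdicts):
    """Hosts to patch or rescan: everything without a clean 'not_vulnerable'."""
    return sorted(h for h, v in verdicts.items() if v["status"] != "not_vulnerable")

if __name__ == "__main__":
    # 192.168.99.56 is a constructed extra target that produced no output.
    report = triage(SAMPLE_LOG, ["192.168.99.54", "192.168.99.55", "192.168.99.56"])
    for host in needs_follow_up(report):
        print(host, report[host])
```

A host with no result line, or with any line other than the two verdicts shown above, stays on the follow-up list rather than being counted as safe.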

© Continuous S.A. 2017