nanog mailing list archives
Re: Please run windows update now
From: Royce Williams <royce () techsolvency com>
Date: Mon, 15 May 2017 13:06:09 -0800
On Fri, May 12, 2017 at 10:30 AM, Royce Williams <royce () techsolvency com> wrote:
My $0.02, for people doing internal/private triage:

- If your use of IPv4 space is sparse by routes, dump your internal routing table and convert to summarized CIDR.

- Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan randomizes targets, so destination office WAN links won't saturate, but local/intermediate might if you're not careful, so tune):

    sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out

- Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the python2 one, or the Metasploit one if you can use that internally) to detect vuln. The Python one is *not* a parallelized script, so consider breaking it into multiple parallel runners if you have a lot of scale.

Note - I've learned that the detection rate for the Python script above is *much* lower than this nmap script. I recommend using the nmap script instead: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

- If you're using SCCM/other, verify that MS17-010 was applied - but be mindful of Windows-based appliances not centrally patched, etc. Trust but verify.

- In parallel, consider investigating low-hanging fruit by OU (workstations?) to disable SMBv1 entirely.

Royce

1. https://github.com/robertdavidgraham/masscan
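
The first step in the message above (routing table dump to summarized CIDR, ready for `-iL routes.list`), as an added example that is not part of the original post. It assumes the dump has already been reduced to one prefix per line; the function names and the sample routes are constructed for illustration.

```python
import ipaddress

# Constructed sample: destination prefixes pulled from a routing table dump.
SAMPLE_ROUTES = """\
0.0.0.0/0
10.1.0.0/24
10.1.1.0/24
10.1.2.0/23
10.1.2.128/25
192.168.10.0/25
192.168.10.128/25
172.16.5.7/32
not-a-route
fe80::/64
"""

def summarize_routes(text):
    """Return (collapsed IPv4 networks, lines left out of the scan list)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates prefixes written with host bits set
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        # Leave out IPv6 and the default route: 0.0.0.0/0 would collapse
        # every other prefix into "the whole Internet".
        if net.version != 4 or net.prefixlen == 0:
            rejected.append(line)
            continue
        nets.append(net)
    # collapse_addresses merges adjacent prefixes and drops covered subnets
    return list(ipaddress.collapse_addresses(nets)), rejected

def scan_estimate(networks, pps):
    """Addresses to probe and seconds needed at `pps`, one port, no retries."""
    total = sum(n.num_addresses for n in networks)
    return total, total / pps

if __name__ == "__main__":
    nets, rejected = summarize_routes(SAMPLE_ROUTES)
    print("\n".join(str(n) for n in nets))      # contents for routes.list
    total, secs = scan_estimate(nets, pps=100)
    print(f"# {total} addresses, ~{secs:.0f}s at 100 pps; skipped: {rejected}")
```

The estimate gives a quick sanity check on the `--rate` value before the scan is started: a rate that looks safe per link can still mean hours for a large summarized range.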