[194629] in North American Network Operators' Group
Re: Please run windows update now
daemon@ATHENA.MIT.EDU (Royce Williams)
Mon May 15 17:07:26 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <CA+E3k93v8_wDEZndYxyW+vWQQ-b7Hjjce281JQ1Xiw3pH1X-rA@mail.gmail.com>
From: Royce Williams <royce@techsolvency.com>
Date: Mon, 15 May 2017 13:06:09 -0800
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Fri, May 12, 2017 at 10:30 AM, Royce Williams <royce@techsolvency.com> wrote:
> My $0.02, for people doing internal/private triage:
>
> - If your use of IPv4 space is sparse by routes, dump your internal
> routing table and convert to summarized CIDR.
>
> - Feed your CIDRs to masscan [1] to scan for internal port 445 (masscan
> randomizes targets, so destination office WAN links won't saturate, but
> local/intermediate might if you're not careful, so tune):
>
>     sudo masscan -p445 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-445.out
>
> - Use https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the
> python2 one, or the Metasploit one if you can use that internally) to
> detect vuln. The python one is *not* a parallelized script, so consider
> breaking it into multiple parallel runners if you have a lot of scale.
>
Note - I've learned that the detection rate for the Python script above is
*much* lower than this nmap script. I recommend using the nmap script
instead:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse
> - If you're using SCCM/other, verify that MS17-010 was applied - but be
> mindful of Windows-based appliances not centrally patched, etc. Trust but
> verify.
>
> - In parallel, consider investigating low-hanging fruit by OU
> (workstations?) to disable SMBv1 entirely.
>
> Royce
>
> 1. https://github.com/robertdavidgraham/masscan
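As an added example (not part of Royce's post or of any of the linked tools), a small Python helper for two of the triage steps above: collapsing a dumped routing table into summarized CIDRs for masscan -iL, and pulling the hosts that actually answered on 445 out of masscan's -oG output so only those get handed to the nmap NSE check. The route dump and the masscan lines are constructed samples; the grepable "Host: ... Ports: port/state/proto" layout is assumed from masscan's output format, so check it against a real run.

```python
import ipaddress
import re

# Constructed sample: one prefix per line, as dumped from an internal routing table.
ROUTE_DUMP = """\
10.1.0.0/24
10.1.1.0/24
10.1.2.0/23
10.1.0.0/22
# lab segment
192.168.50.0/25
192.168.50.128/25
"""

# Constructed sample of masscan -oG output (line layout assumed, not captured).
MASSCAN_OG = """\
# Masscan 1.0.4 scan initiated
Host: 10.1.0.15 ()\tPorts: 445/open/tcp////
Host: 10.1.2.9 ()\tPorts: 445/open/tcp////
Host: 10.1.0.15 ()\tPorts: 445/open/tcp////
Host: 192.168.50.7 ()\tPorts: 445/closed/tcp////
# Masscan done
"""

def summarize_routes(text):
    """Collapse dumped prefixes into the minimal set of covering CIDRs (routes.list)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses removes prefixes contained in others and merges adjacent ones
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(\)\s+Ports:\s+(.*)$")

def hosts_with_open_port(text, port=445):
    """Deduplicated hosts where masscan reported <port>/open/tcp, in first-seen order."""
    found, seen = [], set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                            # skip '# Masscan ...' header/footer lines
        host, ports = m.groups()
        for entry in ports.split(","):
            f = entry.strip().split("/")        # port/state/proto/...
            if len(f) >= 3 and f[0] == str(port) and f[1] == "open" and f[2] == "tcp":
                if host not in seen:
                    seen.add(host)
                    found.append(host)
    return found

if __name__ == "__main__":
    print("\n".join(summarize_routes(ROUTE_DUMP)))      # feed to masscan -iL
    print("\n".join(hosts_with_open_port(MASSCAN_OG)))  # feed to nmap --script smb-vuln-ms17-010
```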