How to scan your company for MS17–010 WannaCry Ransomware at scale with free tools

Disclaimer: this is assuming you have permission and rights to perform scans within your company network.

tl;dr: masscan on port 445 (or 139). nmap discovered host + MSF scan discovered host. patch. repeat.

Sysads, Operations and yourself within your org have been patching your systems and now you want to validate the patching performed or even reveal additional endpoints that may be vulnerable within your organization.

The following short article will highlight how to quickly validate that machines have been patched appropriately or to discover machines that are vulnerable.

Before beginning, ensure that you’re also scanning from a privileged network where firewalls wont restrict your access to servers to the SMB and Netbios port 445 and 139.

You need the following tools:

masscan, nmap, Metasploit on Kali Linux.

You can certainly run Metasploit as a standalone, but I personally prefer to run it on Kali Linux because it comes nicely preinstalled. However you decide to configure your environment is up to you.

  1. Download masscan here.

Scan your network for port 445 with 1k packets / second and output the results to output.xml. Filter the results into a list of IP addresses.

$./masscan -p445 x.x.x.x/16 --rate=1000 -oX output.xml
$ cat ./output.xml | grep addr | cut -d "\"" -f4 > ips.txt

2. Download the following nmap script that will check for the vulnerability:

$ nmap -p445 --script ./smb-vuln-ms17-010.nse -iL ./ips.txt > nmap_results.txt 

Vulnerable machines will output with VULNERABLE which you’ll be able to grep through.

However, we did not have much luck with this script as it often complained with errors and false negatives (not reporting vulnerable servers). Others have reported success, however we didn’t have much time to dig into our issue. I recommend taking a second pass with Metasploit’s auxiliary scanner.

Again, we choose to run Metasploit on Kali Linux from a VM.

Update Metasploit’s database and start it’s console. Enter the following commands to run the auxiliary scanner:

Vulnerable machines will show up as

[+] XXXXX:445 — Host is likely VULNERABLE to MS17–010! (Windows 7 Enterprise 7601 Service Pack 1)

Rinse and repeat!

The process of checking isn’t new and can be generally applied to spot check for other specific vulnerabilities outside of MS17–010.