Video and lab - Scanning for WannaCry Ransomware

14 minutes


Greetings. In this short video presentation, we're going to see how we go about scanning our network for the Microsoft MS17-010 SMB, the EternalBlue vulnerability, or the WannaCry ransomware that was recently launched on May 12 of 2017. So, in this video presentation, we're going to see how we can use Nmap and a script that was created by an Nmap user to scan our devices on the network using the Nmap Scripting Engine to find machines that could be vulnerable to this ransomware attack. So the first thing we're going to do is begin by locating this script, and then we're going to copy it to a text file up inside of Kali. And then we're going to save it to the Nmap script folder. So inside the lab, you do have the URL for the download of the script. And I've gone there.

And now I'm going to click on the download link for that particular script. It's going to take me over to an HTML page. Now on this HTML page, we see everything that has to be loaded into the script. So all I'm going to do is I'm going to hold down the Ctrl key. Then I'm going to hit the A key at the same time. Now if I hold down the Ctrl key, and I hit the C key at the same time, that's going to copy everything. Now with all this information that the script needs copied to my clipboard, I'm going to go up inside of Kali, I'm going to go to my application launcher.

And I'm going to launch Leafpad. This is just a text editor, that's all it is. Now I'm just going to right click inside of the white area, the white text box. And I'm going to right click, and I'm going to select Paste. Now there's the contents of the script that I took from the web page. I'm now going to go to File.

I'm going to do Save As. And now I'm going to save this script using a particular name. Now it's important that this name remain consistent. So make sure that you save this name correctly. And what I've done is I've gone into the lab and I have copied the name from the lab instructions. And I'm just going to paste that into this Save As for this particular script name. The next thing I have to do is save this script to the Nmap script folder so that we can call upon it, and Nmap will know where to find it.

So we're going to begin by going to the file system. We're next going to scroll on down to the usr folder. We're next going to go into the share folder. And from here we're going to scroll on down to where we come to nmap. Open that up. And we're going to now open up the scripts folder.

And this is as far as we have to go. All we have to do now is just click on the Save button, and Nmap will be able to find this particular script when we decide to run it up inside of the terminal and scan our network for the WannaCry ransomware vulnerability. So the next thing I want to do is make sure that my Kali machine is on the same network as my other devices that need to be scanned for this vulnerability. To do this, I'm going to open up the terminal. And on this terminal, all I'm going to do is type ifconfig. What I'm looking for is the network portion of the IP address.

And that's the first three octets that we see here. So these first three octets make up the network portion of my IP for the network. Now I'm going to go to my Windows XP, and I'm going to do the same thing. And I'm going to go to the command prompt over here. And I'm going to type in ipconfig. And what am I looking for?

I'm looking to see that they both share the same three octets, 192.168.145. If it's anything other than the first three octets, and your IP address for your network will probably differ. This is the IP for my network, yours could be 150, it could be zero dot something. Regardless, they must both be on the same network for them to be able to see each other and have connectivity. And that's what we're doing here. So back at my Kali machine, I have now cleared my terminal.

And now what I'm going to do is I'm just going to go in here, and I'm going to type in the following command followed by the network IP and the subnet mask, or the CIDR, so that I can scan my entire network. So I'm going to type in 192.168.145.0, backslash, or forward slash, 24. Now this says I want you to scan all of the devices, or all of the IPs that are available in this class C network. That's what it means. Once I've done this, all I'm going to have to do is just hit Enter, give it a second, and it's going to come back with the results. And if there's a machine on here with the particular problem of being vulnerable to the ransomware, WannaCry, this is what's going to happen: it's going to come back and it's going to say that it found a machine that was vulnerable to the vulnerability entitled MS17-010.

And it talks about why this particular machine is vulnerable, because it's running SMB version one, and it tells me that the risk factor is high and the critical remote execution vulnerability existing in Microsoft SMB version one, which we have running on our Windows XP machine. So I have one machine on my network with the host IP of 129, which for this demonstration is the Windows XP machine. But if I was doing this on an actual network, it could be 20 or 30 different machines, and it doesn't have to just be Windows XP. This vulnerability affects Windows 7, Windows 10 and other types of server operating systems as well. So it could be any number of devices that were discovered to have the vulnerability. So I've taken note of the IP address for the machine that was found to be vulnerable.

And I'm going to need this when I go ahead and I'm going to try to exploit this machine with this vulnerability using Metasploit. Now since this is a fairly new vulnerability, it hasn't been around very long. We want to make sure that our Kali has been updated, and that we have the latest packages. And the same thing with Metasploit.

So I'm going to go ahead and ensure that I update both Kali and Metasploit to ensure that I have all the latest and the greatest exploits and packages so that I don't run into a problem later on not finding this particular vulnerability. So the update has been completed successfully. And I have ensured that I have updated Kali and Metasploit so that we don't have a problem not finding this vulnerability. The next thing I want to do is just go ahead and launch the management console. So I'm just going to go ahead and hit Enter. I've typed in msfconsole at the terminal prompt.

And in just a few moments, I will have Metasploit up and running. Okay, so now my Metasploit Framework console is up and running. And we're ready to go ahead and see about how we go about scanning the network and exploiting this vulnerability that is present on my Windows XP machine. So the first thing I'm going to do is I'm going to go ahead and just do a search for this particular exploit and see if it actually exists. So using the search feature that is built into Metasploit, I'm going to now search for this particular vulnerability to make sure that I actually have it so that I don't waste my time. And this is all part of the update process.

And that's why we do this before we get into the actual scanning or trying to attempt to exploit our victim. So the database is going to be searched, and we're going to come back up and hopefully we will have the smb_ms17_010 exploit available for us. So the search has completed and we do see that we have the SMB exploit available for us. Now the next thing we're going to do is actually run this exploit and ensure that we have machines that are vulnerable for this WannaCry ransomware. So we're going to be using this SMB exploit. What I like to do is just go ahead and highlight the path, copy it, and then go back down here to my MSF prompt, and I just like to type in the word use like that.

I'm going to right click, and I'm just going to paste it. That's a lot easier than having to type it in one line at a time. And that's another reason why I like to search for the exploit. I'm just going to hit Enter. Notice that the prompt changes to show that we are now using this particular exploit. Now the next thing we have to do is set the remote host. And to do this, I have typed in set, space, in capital letters, RHOSTS, and I've gone and I've used the specific IP address, but if I wanted to scan the entire network, as I did with Nmap, I can just back this off, type in zero slash 24.

Like that. And again, I will scan the entire network for devices that are vulnerable to this particular exploit. I'm just going to go ahead and hit Enter. Now we know that the RHOSTS, the remote host, has been set. So the next thing we have to do is set the threat level. And that's going to be 10.

And once I have this typed in, I'm just going to hit Enter. And the next thing we have to do is just type in run for the exploit to launch. I'm going to type in run, I'm going to hit Enter, give it a second, it's going to go out and it's going to scan my network just as it did with Nmap. And it's going to come back and it's going to tell me what machine or what machines are vulnerable for this particular exploit. So after about 20 minutes, the scan that we launched to confirm that the vulnerability for EternalBlue and the WannaCry ransomware does exist has completed. I see that I have identified my Windows XP machine, 192.168.145.129, as being vulnerable on port 445, and it comes back and it says host is likely vulnerable to this exploit.

So that concludes this lab. But the takeaway from all this should be that you learn how to import a script into the Nmap script folder. And that when something happens out there in the wild, you can be proactive. And you can go out and you can get these scripts from someone who has written it and posted it up on the Nmap repository. And you can be the one who says that, hey, we got a problem coming our way. It's a new ransomware attack or it's a new network attack of some type.

And you can be the one who can go up on the firewall and you can filter out port, in this case, 445. All right. So that's all I got for you. If you have any questions, don't hesitate to contact your instructor, and I will see everybody up inside of the discussions. Thank you.
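
Added example, not part of the lesson or its lab materials: a small triage script that turns a saved Nmap report from the scan described above into two lists, the hosts flagged for MS17-010 and every host answering on port 445. The script name `smb-vuln-ms17-010`, the report layout and the sample hosts are assumptions; the sample report is constructed.

```bash
#!/usr/bin/env bash
# Triage of saved Nmap normal output (-oN) from a scan such as:
#   nmap -p445 --script smb-vuln-ms17-010 -oN scan.txt 192.168.145.0/24
# (script name is an assumption; the lesson takes the name from its lab sheet)

# Constructed sample output, not captured from a real network.
sample_scan() {
cat <<'EOF'
Nmap scan report for 192.168.145.1
Host is up (0.00040s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 192.168.145.129
Host is up (0.00031s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for fileserver.lab (192.168.145.130)
Host is up (0.00052s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
EOF
}

# Hosts whose smb-vuln-ms17-010 block reports "State: VULNERABLE": patch first.
ms17_010_hosts() {
  awk '
    /^Nmap scan report for /   { host = $NF; gsub(/[()]/, "", host); hit = 0; next }
    /smb-vuln-ms17-010/        { hit = 1; next }
    /^$/                       { hit = 0 }
    hit && /State: VULNERABLE/ { print host; hit = 0 }
  '
}

# Every host answering on 445/tcp: the set a port-445 filter rule has to cover.
smb_open_hosts() {
  awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
    /^445\/tcp +open/        { print host }
  '
}

echo "MS17-010 vulnerable:"; sample_scan | ms17_010_hosts
echo "SMB reachable:";       sample_scan | smb_open_hosts
```

Against a real report, replace `sample_scan |` with `< scan.txt`; a host that appears only in the second list still exposes SMB and belongs in the firewall review.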
