By now, if you're reading this blog, you probably have read about WannaCry. If not, please take a moment to review:
- Wanna Decryptor (WNCRY) Ransomware Explained
- Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry)
- WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them
- Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose
With many organizations now taking heed of Microsoft's advice to disable SMBv1, Rapid7 customers have asked: How does this affect my scan capabilities?
TL;DR: If your assets have Windows Management Instrumentation (WMI) enabled and the Windows Management Instrumentation firewall rules enabled, the Scan Engine will use SMB/CIFS credentials to authenticate via WMI. If your assets are not part of a domain and the Scan Engine is not on the same subnet as the assets, the WMI firewall rules need to be updated to permit messages from the Scan Engine.
Read this MSDN article to learn how to set up remote WMI connections and configure Windows Firewall Remote Management.
Checking your configuration
You can verify whether you are using SMB credentials in InsightVM by navigating to Administration > Shared Credentials. You may have a Shared Credential that looks like this:
If your organization has disabled SMBv1 on your asset you can use your existing SMB credential. You'll want to configure InsightVM to scan port 135, so first verify your Scan Template(s).
Navigate to Administration > Scan Templates. Select a Scan Template and review the Service Discovery tab.
Take a look at the Additional ports field. Our example above has a range that includes port 135 and yours should too.
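The asset-side half of this check, as an added example that is not from the Rapid7 post: run it elevated on a Windows 8 / Server 2012 or later asset to confirm SMBv1 is off, the WMI service is up, and the inbound WMI firewall rule group (the DCOM/WMI rules behind port 135) is enabled; `-Remediate` enables that group scoped only to the Scan Engine address, which is the change the post says off-subnet, non-domain assets need. The `$ScanEngine` value is a placeholder you must replace.

```powershell
# Added example, not part of the original post. Run as Administrator on the asset.
param(
    [string]$ScanEngine = "192.0.2.10",   # placeholder: replace with your Scan Engine IP
    [switch]$Remediate
)

$wmiGroup = "Windows Management Instrumentation (WMI)"

# 1. SMBv1 state. Disabled is the goal; credentialed scans then authenticate over
#    WMI (DCOM on TCP 135) instead of SMBv1.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host ("SMBv1 server protocol enabled : {0}" -f $smb1)

# 2. The WMI service must be running for the Scan Engine's WMI authentication to work.
$winmgmt = Get-Service -Name Winmgmt
Write-Host ("Winmgmt service status         : {0}" -f $winmgmt.Status)

# 3. Inbound rules in the WMI group (DCOM-In, WMI-In, ASync-In) and who they admit.
$rules = Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound
foreach ($r in $rules) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ","
    Write-Host ("{0,-45} enabled={1,-5} remote={2}" -f $r.DisplayName, $r.Enabled, $addr)
}

# 4. Optional remediation: enable the WMI inbound rules but restrict them to the
#    Scan Engine only, so the asset accepts WMI/DCOM from the scanner and nothing else.
if ($Remediate) {
    Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ScanEngine
    Write-Host "WMI inbound rules enabled and scoped to $ScanEngine"
}
```

From the Scan Engine side, `Test-NetConnection -ComputerName <asset> -Port 135` confirms the DCOM endpoint mapper is reachable before you rerun the scan.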