|
| 1 | +<#PSScriptInfo |
| 2 | +
|
| 3 | +.Version |
| 4 | + 1.0 |
| 5 | +.Guid |
| 6 | + 038a1c05-b1da-48c9-893d-4084b99f831b |
| 7 | +.Author |
| 8 | + Thomas J. Malkewitz @dotps1 |
| 9 | +.Tags |
| 10 | + WannaCry, WannaCrypt, EternalBlue, SMB1, Malware |
| 11 | +.ProjectUri |
| 12 | + https://github.com/dotps1/PSFunctions |
| 13 | +.ExternalModuleDependencies |
| 14 | + NetTCPIP |
| 15 | +.ReleaseNotes |
| 16 | + Refactor of Test-WannaCryVulnerability, uses a CIM Session to gather data, rather then multipule WMI calls. |
| 17 | +
|
| 18 | +#> |
| 19 | + |
| 20 | +<# |
| 21 | +
|
| 22 | +.Synopsis |
| 23 | + Gets EternalBlue vulnerability information. |
| 24 | +.Description |
| 25 | + Test for applicable patches to prevent the WannaCry malware. Tests for SMB1 protocol and component. |
| 26 | +.Inputs |
| 27 | + System.String |
| 28 | + Microsoft.Management.Infrastructure.CimSession |
| 29 | +.Outputs |
| 30 | + System.Management.Automation.PSCustomObject |
| 31 | +.Parameter ComputerName |
| 32 | + System.String |
| 33 | + ComputerName to gather information from. |
| 34 | +.Parameter Credential |
| 35 | + System.Management.Automation.PSCredential |
| 36 | + Credential used to establish a connection. |
| 37 | +.Parameter CimSession |
| 38 | + Microsoft.Management.Infrastructure.CimSession |
| 39 | + Pre established CimSession used to connect. |
| 40 | +.Example |
| 41 | + PS C:\> Get-EternalBlueVulnerabilityStatistics |
| 42 | +
|
| 43 | + PSComputerName : my-win7-rig |
| 44 | + OperatingSystemCaption : Microsoft Windows 7 Professional |
| 45 | + OperatingSystemVersion : 6.1.7601 |
| 46 | + LastBootUpTime : 5/14/2017 3:38:38 PM |
| 47 | + AppliedHotFixID : KB4012212;KB4015546;KB4015549 |
| 48 | + SMB1FeatureEnabled : False |
| 49 | + SMB1ProtocolEnabled : False |
| 50 | + Port139Enabled : True |
| 51 | + Port445Enabled : True |
| 52 | +.Example |
| 53 | + PS C:\> Get-ADComputer -Identity domain-win7-rig | Get-EternalBlueVulnerabilityStatistics |
| 54 | +
|
| 55 | + PSComputerName : domain-win7-rig |
| 56 | + OperatingSystemCaption : Microsoft Windows 7 Professional |
| 57 | + OperatingSystemVersion : 6.1.7601 |
| 58 | + LastBootUpTime : 3/14/2017 3:38:38 PM |
| 59 | + AppliedHotFixID : |
| 60 | + SMB1FeatureEnabled : False |
| 61 | + SMB1ProtocolEnabled : True |
| 62 | + Port139Enabled : True |
| 63 | + Port445Enabled : True |
| 64 | +.Notes |
| 65 | + WannaCry/WannaCrypt (EternalBlue) vulnerability is only applicable to Microsoft Windows 10 1607 and prior, 1702 was not affected. |
| 66 | +.Link |
| 67 | + https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |
| 68 | +.Link |
| 69 | + https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 |
| 70 | +.Link |
| 71 | + https://dotps1.github.io |
| 72 | +.Link |
| 73 | + https://www.powershellgallery.com/packages/Get-EternalBlueVulnerabiltyInforamtion |
| 74 | +.Link |
| 75 | + https://grposh.github.io |
| 76 | +
|
| 77 | +#> |
| 78 | + |
| 79 | + |
| 80 | +#requires -Module NetTCPIP |
| 81 | + |
| 82 | +[CmdletBinding( |
| 83 | + DefaultParameterSetName = "ByComputerName" |
| 84 | +)] |
| 85 | +[OutputType( |
| 86 | + [PSCustomObject] |
| 87 | +)] |
| 88 | + |
| 89 | +param ( |
| 90 | + [Parameter( |
| 91 | + ParameterSetName = "ByComputerName", |
| 92 | + ValueFromPipeline = $true, |
| 93 | + ValueFromPipelineByPropertyName = $true |
| 94 | + )] |
| 95 | + [ValidateScript({ |
| 96 | + if (Test-Connection -ComputerName $_ -Count 1 -Quiet) { |
| 97 | + return $true |
| 98 | + } else { |
| 99 | + throw "Failed to contact '$_'." |
| 100 | + } |
| 101 | + })] |
| 102 | + [Alias( |
| 103 | + "ComputerName" |
| 104 | + )] |
| 105 | + [String[]] |
| 106 | + $Name = $env:COMPUTERNAME, |
| 107 | + |
| 108 | + [Parameter( |
| 109 | + ParameterSetName = "ByComputerName" |
| 110 | + )] |
| 111 | + [System.Management.Automation.PSCredential] |
| 112 | + $Credential = [PSCredential]::Empty, |
| 113 | + |
| 114 | + [Parameter( |
| 115 | + ParameterSetName = "ByCimSession", |
| 116 | + ValueFromPipeline = $true, |
| 117 | + ValueFromPipelineByPropertyName = $true |
| 118 | + )] |
| 119 | + [Microsoft.Management.Infrastructure.CimSession[]] |
| 120 | + $CimSession |
| 121 | +) |
| 122 | + |
| 123 | +begin { |
| 124 | + $hotFixIDs = @( |
| 125 | + "KB3205409", |
| 126 | + "KB3210720", |
| 127 | + "KB3210721", |
| 128 | + "KB3212646", |
| 129 | + "KB3213986", |
| 130 | + "KB4012212", |
| 131 | + "KB4012213", |
| 132 | + "KB4012214", |
| 133 | + "KB4012215", |
| 134 | + "KB4012216", |
| 135 | + "KB4012217", |
| 136 | + "KB4012218", |
| 137 | + "KB4012220", |
| 138 | + "KB4012598", |
| 139 | + "KB4012606", |
| 140 | + "KB4013198", |
| 141 | + "KB4013389", |
| 142 | + "KB4013429", |
| 143 | + "KB4015217", |
| 144 | + "KB4015438", |
| 145 | + "KB4015546", |
| 146 | + "KB4015547", |
| 147 | + "KB4015548", |
| 148 | + "KB4015549", |
| 149 | + "KB4015550", |
| 150 | + "KB4015551", |
| 151 | + "KB4016635", |
| 152 | + "KB4019215", |
| 153 | + "KB4019216", |
| 154 | + "KB4019472" |
| 155 | + ) |
| 156 | + |
| 157 | + function Get-Data ([Microsoft.Management.Infrastructure.CimSession]$CimSession, [Array]$HotfixIDs) { |
| 158 | + # Operating System Data |
| 159 | + Write-Progress -Activity "Gathering EternalBlue vulnerability information from '$nameValue'" -CurrentOperation "Retrieve operating system information" -PercentComplete 20 |
| 160 | + $osInformation = Get-CimInstance -CimSession $CimSession -ClassName Win32_OperatingSystem -Property Caption, LastBootUpTime, Version |
| 161 | + |
| 162 | + # Hotfix Data |
| 163 | + Write-Progress -Activity "Gathering EternalBlue vulnerability information from '$nameValue'" -CurrentOperation "Retrieve operating hotfix id" -PercentComplete 40 |
| 164 | + $appliedHotFixID = (Get-CimInstance -CimSession $CimSession -ClassName Win32_QuickFixEngineering).Where({ |
| 165 | + $_.HotFixID -in $HotfixIDs |
| 166 | + }).HotFixID |
| 167 | + |
| 168 | + # SMB1Feature Data |
| 169 | + Write-Progress -Activity "Gathering EternalBlue vulnerability information from '$nameValue'" -CurrentOperation "Retrieve SMB1 feature state" -PercentComplete 60 |
| 170 | + $smb1Feature = (Get-CimInstance -CimSession $CimSession -ClassName Win32_OptionalFeature -Property InstallState -Filter "Name = 'SMB1Protocol'").InstallState |
| 171 | + if ($smb1Feature -eq 1) { |
| 172 | + $smb1FeatureEnabled = $true |
| 173 | + } else { |
| 174 | + $smb1FeatureEnabled = $false |
| 175 | + } |
| 176 | + |
| 177 | + # SMB1Protocol Data |
| 178 | + Write-Progress -Activity "Gathering EternalBlue vulnerability information from '$nameValue'" -CurrentOperation "Retrieve SMB1 protocol state" -PercentComplete 80 |
| 179 | + $smb1Protocol = (Invoke-CimMethod -CimSession $CimSession -ClassName StdRegProv -MethodName GetDwordValue -Arguments @{ hDefKey = [uint32]2147483650; sSubKeyName = "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; sValueName = "SMB1" }).uValue |
| 180 | + if ($smb1Protocol -eq 0) { |
| 181 | + $smb1ProtocolEnabled = $false |
| 182 | + } else { |
| 183 | + $smb1ProtocolEnabled = $true |
| 184 | + } |
| 185 | + |
| 186 | + # SMB1Port Data |
| 187 | + Write-Progress -Activity "Gathering EternalBlue vulnerability information from '$nameValue'" -CurrentOperation "Retrieve SMB port state" -PercentComplete 100 |
| 188 | + $port139TestConnection = (Test-NetConnection -ComputerName $CimSession.ComputerName -Port 139).TcpTestSucceeded |
| 189 | + $port445TestConnection = (Test-NetConnection -ComputerName $CimSession.ComputerName -Port 445).TcpTestSucceeded |
| 190 | + |
| 191 | + return [PSCustomObject]@{ |
| 192 | + PSComputerName = $CimSession.ComputerName |
| 193 | + OperatingSystemCaption = $osInformation.Caption |
| 194 | + OperatingSystemVersion = $osInformation.Version |
| 195 | + LastBootUpTime = $osInformation.LastBootUpTime |
| 196 | + AppliedHotFixID = $appliedHotFixID -join ";" |
| 197 | + SMB1FeatureEnabled = $smb1FeatureEnabled |
| 198 | + SMB1ProtocolEnabled = $smb1ProtocolEnabled |
| 199 | + Port139Enabled = $port139TestConnection |
| 200 | + Port445Enabled = $port445TestConnection |
| 201 | + } |
| 202 | + } |
| 203 | +} |
| 204 | + |
| 205 | +process { |
| 206 | + switch ($PSCmdlet.ParameterSetName) { |
| 207 | + "ByComputerName" { |
| 208 | + foreach ($nameValue in $Name) { |
| 209 | + try { |
| 210 | + $protocol = "WSMAN" |
| 211 | + $protocolTest = Test-WSMan -ComputerName $name |
| 212 | + if ($null -eq $protocolTest -or $protocol.ProductVersion -contains "Stack: 2.0") { |
| 213 | + $protocol = "DCOM" |
| 214 | + } |
| 215 | + } catch { |
| 216 | + $protocol = "DCOM" |
| 217 | + } |
| 218 | + |
| 219 | + try { |
| 220 | + $sessionParameters = @{ |
| 221 | + ComputerName = $nameValue |
| 222 | + SessionOption = (New-CimSessionOption -Protocol $protocol) |
| 223 | + ErrorAction = "Stop" |
| 224 | + } |
| 225 | + |
| 226 | + $credentialBoundParameter = $PSBoundParameters.ContainsKey( |
| 227 | + "Credential" |
| 228 | + ) |
| 229 | + |
| 230 | + if ($credentialBoundParameter) { |
| 231 | + $sessionParameters.Add( |
| 232 | + "Credential", $Credential |
| 233 | + ) |
| 234 | + } |
| 235 | + |
| 236 | + $session = New-CimSession @sessionParameters |
| 237 | + } catch { |
| 238 | + Write-Error -Message $_.ToString() |
| 239 | + continue |
| 240 | + } |
| 241 | + $output = Get-Data -CimSession $session -HotfixIDs $hotFixIDs |
| 242 | + |
| 243 | + Write-Output -InputObject $output |
| 244 | + |
| 245 | + Remove-CimSession -CimSession $session |
| 246 | + } |
| 247 | + } |
| 248 | + |
| 249 | + "ByCimSession" { |
| 250 | + foreach ($cimSessionValue in $CimSession) { |
| 251 | + $output = Get-Data -CimSession $cimSessionValue -HotfixIDs $hotFixIDs |
| 252 | + |
| 253 | + Write-Output -InputObject $output |
| 254 | + } |
| 255 | + } |
| 256 | + } |
| 257 | +} |
0 commit comments