Detect "Microsoft SMB Server Remote Code Execution Vulnerability and Shadow Brokers" (MS17-010) (Qualys ID 91345) (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0147) (BugTraq 96703, 96704, 96705, 96707, 96709, 96706) with Qualys Vulnerability Management.
See The Shadow Brokers Release Zero Day Exploit Tools for more background information on this.
If you already have a Qualys account and have been scanning during the past couple of weeks, please see Report on MS17-010 with Qualys for guidance on how to produce reports from these scans.
Alternatively, you can use AssetView to produce a dashboard from the scan results; see Qualys AssetView Dashboards For WannaCry and Shadow Brokers Configuration How-To.
What you'll need:
- access to a Qualys service account with Vulnerability Management
- a physical or virtual scanner appliance able to reach your target systems
Add a Virtual Appliance to your account:
- go to "Scan" > "Appliances"
- select "New" > "Virtual Scanner Appliance" > "Start Wizard"
- complete the form by giving the Virtual Appliance a name, e.g. VS-MacBook-A, and choosing the right technology
- download the Virtual Appliance image and start the virtual machine with it
- click "Next" in the Wizard in your Qualys account to see the "Personalization Code"
- enter the Personalization Code
- in the Qualys web UI, click "Check Connection"
- the Appliance will briefly complete its update cycle once connected
The Virtual Appliance should now be ready to use on your system.
Add your targets to your account:
- go to "Assets" > "Host Assets"
- click "New" > "IP Tracked Hosts"
- enter the network address range where your targets are, e.g. "192.168.73.0/24", then "Add"
Create a name for the targets:
- go to "Assets" > "Asset Groups" > "New" > "Asset Group"
- give the Asset Group a name, e.g. "Target Systems"
- go to "IPs" and add the IPs you just added to your account, either by typing the range again, or using "Select IPs"
Launch a Scan:
- go to "Scan" > "Scans"
- click "New" > "Scan"
- give the scan a name, e.g. "Target Systems"
- you can use the default Option Profile, "Initial Options"
- use the Scanner Appliance that is needed to reach the target systems
- select the perimeter to scan using the Asset Group you just created, "Target Systems" in this example
- launch the scan
Now you wait for the scan to complete.
Once done, see Report on MS17-010 with Qualys or Qualys AssetView Dashboards For WannaCry and Shadow Brokers Configuration How-To to get actionable data from Qualys.
(Edited to add information about AssetView)