Detect MS17-010 with Qualys Vulnerability Management

Document created by Leif Kremkow (Employee) on May 12, 2017. Last modified by Leif Kremkow (Employee) on May 17, 2017.
Version 2

Detect "Microsoft SMB Server Remote Code Execution Vulnerability and Shadow Brokers" (MS17-010) (Qualys ID 91345) (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0147) (BugTraq 96703, 96704, 96705, 96707, 96709, 96706) with Qualys Vulnerability Management.

 

See The Shadow Brokers Release Zero Day Exploit Tools for more background information on this.

 

If you already have a Qualys account and have been scanning during the past couple of weeks, please see Report on MS17-010 with Qualys for guidance on how to produce reports from these scans.

 

Alternatively, you can use AssetView to produce a dashboard from the scan results; see Qualys AssetView Dashboards For WannaCry and Shadow Brokers Configuration How-To.

 

What you'll need:

  • access to a Qualys service account with Vulnerability Management
  • a physical or virtual scanner appliance able to reach your target systems

 

Add a Virtual Appliance to your account:

  • go to "Scan" > "Appliances"
  • select "New" > "Virtual Scanner Appliance" > "Start Wizard"
  • complete the form by giving the Virtual Appliance a name, e.g. VS-MacBook-A, and choosing the right technology

  • download the Virtual Appliance image and start the virtual machine with it
  • click "Next" in the Wizard in your Qualys account to see the "Personalization Code"
  • enter the Personalization Code

  • in the Qualys web UI, click "Check Connection"
  • the Appliance will briefly complete its update cycle once connected

The Virtual Appliance should now be ready to use on your system.

 

 

Add your targets to your account:

  • go to "Assets" > "Host Assets"
  • click "New" > "IP Tracked Hosts"

  • enter the network address range where your targets are, e.g. "192.168.73.0/24", then "Add"

 

Create a name for the targets:

  • go to "Assets" > "Asset Groups" > "New" > "Asset Group"
  • give the Asset Group a name, e.g. "Target Systems"

  • go to "IPs" and add the IPs you just added to your account, either by typing the range again, or using "Select IPs"

 

Launch a Scan:

  • go to "Scan" > "Scans"
  • click "New" > "Scan"
  • give the scan a name, e.g. "Target Systems"
  • you can use the default Option Profile, "Initial Options"
  • use the Scanner Appliance that is needed to reach the target systems
  • select the perimeter to scan using the Asset Group you just created, "Target Systems" in this example

  • launch the scan
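
The three account steps above (add the hosts, create the Asset Group, launch the scan) can also be scripted through the Qualys API. This is an added example, not part of the original document and not Qualys code. The API host, the header value and the helper names are assumptions, and the endpoint and parameter names should be checked against the API guide for your platform. It assumes the scanner appliance is already deployed and connected.

```python
import base64
import ipaddress
import urllib.parse
import urllib.request

# Assumption: the API host differs per Qualys platform; replace with yours.
API_BASE = "https://qualysapi.qualys.com"


def build_steps(cidr, group="Target Systems", appliance="VS-MacBook-A",
                profile="Initial Options"):
    """Return the (path, params) pairs for the three UI steps, in order."""
    # strict=True rejects input with host bits set (e.g. 192.168.73.5/24),
    # so a typo cannot silently shift the scan perimeter.
    net = ipaddress.ip_network(cidr, strict=True)
    ips = f"{net[0]}-{net[-1]}"  # hyphenated range form for the API
    return [
        # "Assets" > "Host Assets" > "New" > "IP Tracked Hosts"
        ("/api/2.0/fo/asset/ip/",
         {"action": "add", "ips": ips, "enable_vm": "1"}),
        # "Assets" > "Asset Groups" > "New" > "Asset Group"
        ("/api/2.0/fo/asset/group/",
         {"action": "add", "title": group, "ips": ips}),
        # "Scan" > "Scans" > "New" > "Scan"
        ("/api/2.0/fo/scan/",
         {"action": "launch", "scan_title": group, "asset_groups": group,
          "option_title": profile, "iscanner_name": appliance}),
    ]


def make_request(path, params, user, password):
    """Build the POST request; the API expects an X-Requested-With header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        API_BASE + path,
        data=urllib.parse.urlencode(params).encode(),
        headers={"X-Requested-With": "ms17-010-walkthrough",  # any value
                 "Authorization": "Basic " + token},
        method="POST",
    )


def run(cidr, user, password):
    """Send the three requests in order; an HTTP error aborts the sequence."""
    for path, params in build_steps(cidr):
        req = make_request(path, params, user, password)
        with urllib.request.urlopen(req) as resp:
            print(path, resp.status)
```

Calling `run("192.168.73.0/24", user, password)` needs network access and an account with API rights; `build_steps` alone can be used to review the requests before anything is sent.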

 

Now you wait for the scan to complete.

 

Once done, see Report on MS17-010 with Qualys or Qualys AssetView Dashboards For WannaCry and Shadow Brokers Configuration How-To to get actionable data from Qualys.

 

(Edited to add information about AssetView)
