Mapping attack surface for Ransomware / Cryptolocker

With all the ransomware hitting everyone, everywhere, I decided to share my scripts on how I map the attack surface of internal threats, and subsequently ransomware / cryptolocker. It is not fully automated yet, but hopefully sharing this will give people the right ideas, and perhaps some might even automate it. For now, this only works for file sharing using Windows default file sharing. PS: I realize this is far from perfect, and probably should all be doable with a simple nmap script, however this is what I use in conjunction with some other work.

A typical scenario for using these scripts and commands are for users that should not have access to a bunch of files on your file-servers. Close down those shares and permissions before the inevitable happens, and the files are stolen and encrypted.

We start off with scanning every host who has port 445 open (Microsoft SMB):

    nmap -p 445 -T4 -oG 445.txt 192.168.1.1-254 

Replace the IP address range with whatever suits your network. Next, we grep out the hosts which are relevant for checking which file shares they expose.

    cat tmp/445.txt  | grep “445/open” | cut -d ” ” -f 2 > hosts.txt

With the relevant hosts in a separate file, lets use enum4linux to enumerate all the potential shares on these servers. Remember to add the username and password of the account you want to use for the mapping.

    cat hosts.txt | while read in; do enum4linux -S -u -p “$in”;done > shares.txt

This produces a file shares.txt containing potential shares we want to investigate and close down. Now we’ll edit the following script and put it in a bat file, and then let it work. Remember to add the necessary credentials and domain information.

    @echo off
    for /f “tokens=*” %%a in (input.txt) do (
    echo Mapping Disk:%%a
    net use Z: %%a /USER:DOMAIN\account password
    echo %%a >> log.txt
    dir /s /b /o:gn Z: >> log.txt
    net use Z: /DELETE
    echo. >> log.txt
    echo. >> log.txt
    echo. >> log.txt
    )
    pause

The log.txt file should then slowly but surely accumulate file paths and and the respective shares where those files are available, hopefully allowing you to know where to reduce and limit access.


Posted

in

,

by

Looking to get in touch?