Introducing WannaPry SMB1

A quick PowerShell script to remove SMB 1.0 from a domain

Published

By now, you've all heard about the WannaCry attack. It's more than your run-of-the-mill ransomware, as it's also a worm, powered by the EternalBlue exploit that was developed by the NSA and released by The Shadow Brokers in .

Being a worm, it spreads from computer to computer by exploiting a flaw in version 1 of the SMB/CIFS file-sharing protocol, which was the de facto way of reaching network files from Windows for Workgroups 3.11 in 1993 until it was superseded by SMB2 with the release of Windows Vista in . However, to maintain compatibility with older devices, Microsoft has kept SMB1 not only present in current versions of Windows, but enabled out of the box (UPDATE: it should be off by default in Windows 10's Fall Creators Update).

, Ned Pyle, the Principal Program Manager on Microsoft's Windows Server and High Availability Storage Group, begged the Internet to stop using the 25-year-old file sharing protocol. Did we? Not really. (I mean, there are still Web servers vulnerable to Heartbleed.)

Fortunately, I keep Windows Update set to automatic, so I could just kick back and monitor the situation. Still, this was not the first attack on SMB1, and I knew for a fact that most of the networks I manage support SMB2 or SMB3. A little research later, I came up with some PowerShell to pry SMB1 off an entire domain.

You can find the source code to WannaPry SMB1 on GitHub. Here's how it works:

  1. Run WannaPry SMB1 on a computer with the Active Directory PowerShell module installed. It uses Get-ADComputer to find all computer accounts in the domain.
  2. It checks the operating system of each computer and determines the best Microsoft-approved way to disable and/or remove the SMB1 server:
    • On Windows 8, Windows Server 2012, and newer, a call to Set-SmbServerConfiguration immediately disables the SMB1 server, with no reboot required.
    • On Windows 8.1, Windows Server 2012 R2, and newer, the feature can be removed with Disable-WindowsOptionalFeature (client) or Uninstall-WindowsFeature (server) and a reboot.
    • On Windows Vista, Windows 7, and the Windows Server 2008 family, we can set a registry value to disable SMB1 on the next reboot.
  3. Finally, the script connects to each target computer via PowerShell remoting and, once connected, runs the appropriate code. For my users' sakes, the computers are not automatically rebooted, so the feature removal and the registry change only take effect after each machine's next restart.
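The three steps above, as an added example written for this page (it is not the WannaPry SMB1 code from GitHub). It assumes WinRM/PowerShell remoting is enabled on the targets and that you run it as an account with local administrator rights on each of them; the 90-day staleness cut-off and the report format are my choices, not the script's.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the WannaPry SMB1 code from GitHub: disable the SMB1 *server* on
# every enabled computer account in the domain using the per-OS method described above.
# Assumptions: WinRM/PowerShell remoting is enabled on the targets, and this runs as an
# account that is a local administrator on each of them.

# Work to run on each target. It branches on the OS version reported by WMI; Get-WmiObject
# is used rather than Get-CimInstance because Vista/7/2008 ship with PowerShell 2.0.
$DisableSmb1 = {
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $version  = [Version]$os.Version        # e.g. 6.1.7601 on Windows 7 SP1, 10.0.x on Windows 10
    $isServer = $os.ProductType -ne 1       # 1 = workstation, 2 = domain controller, 3 = server
    $result   = @{ Computer = $env:COMPUTERNAME; Version = $os.Version; Action = ''; RebootNeeded = $false }

    if ($version -ge [Version]'6.3') {
        # Windows 8.1 / Server 2012 R2 and newer: stop serving SMB1 now, then remove the feature.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if ($isServer) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
        else { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
        $result.Action = 'Disabled now; feature removal pending reboot'
        $result.RebootNeeded = $true
    }
    elseif ($version -ge [Version]'6.2') {
        # Windows 8 / Server 2012: no removable feature, but the cmdlet takes effect immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.Action = 'Disabled now'
    }
    elseif ($version -ge [Version]'6.0') {
        # Vista / 7 / Server 2008 (R2): LanmanServer reads this value when it next starts.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        $result.Action = 'Registry set; disabled after reboot'
        $result.RebootNeeded = $true
    }
    else {
        $result.Action = 'Unsupported OS, skipped'
    }
    New-Object PSObject -Property $result
}

# Enumerate computer accounts, skipping disabled and stale ones (no logon in 90 days), which
# would otherwise only produce remoting time-outs.
$cutoff  = (Get-Date).AddDays(-90)
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate |
           Where-Object { $_.OperatingSystem -like 'Windows*' -and $_.LastLogonDate -gt $cutoff }

$report = foreach ($computer in $targets) {
    try {
        Invoke-Command -ComputerName $computer.DNSHostName -ScriptBlock $DisableSmb1 -ErrorAction Stop
    }
    catch {
        # Offline, WinRM not listening, access denied, etc.: record it rather than abort the run.
        New-Object PSObject -Property @{ Computer = $computer.Name; Version = $computer.OperatingSystem
                                         Action = "Failed: $($_.Exception.Message)"; RebootNeeded = $false }
    }
}
$report | Sort-Object Action | Format-Table Computer, Version, Action, RebootNeeded -AutoSize

# Verification pass to run once the machines have been restarted: anything still reporting
# $true is still answering SMB1 and needs a second look.
$CheckSmb1 = {
    $version = [Version](Get-WmiObject -Class Win32_OperatingSystem).Version
    if ($version -ge [Version]'6.2') {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    else {
        # An absent SMB1 value means the default, which is enabled.
        $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value   = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($value -eq $null) -or ($value.SMB1 -ne 0)
    }
    New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Smb1ServerEnabled = $enabled }
}
Invoke-Command -ComputerName $targets.DNSHostName -ScriptBlock $CheckSmb1 -ErrorAction SilentlyContinue |
    Where-Object { $_.Smb1ServerEnabled } | Format-Table Computer, Smb1ServerEnabled -AutoSize
```

Two caveats worth keeping in mind. First, this only turns off the SMB1 server, which is the side the worm attacks; the SMB1 client remains, and nothing here replaces the security update itself, so keep Windows Update on. Second, once a machine stops serving SMB1, any old printer, NAS or appliance that can only speak SMB1 will no longer be able to reach shares on it, which is exactly the compatibility Microsoft was preserving by leaving it enabled, so expect a few support calls and run the verification pass rather than assuming the first sweep reached every box.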

Obviously, anyone with an MCSE in Windows Server knows about Desired State Configuration, which is a far cleaner way to handle this if you've taken the time to set it up beforehand. You can also remove roles and features like SMB 1.0/CIFS File Sharing Support from a Windows image with DISM before you Sysprep and capture it, so new machines never have it in the first place.

Metadata and license information
Property Value
Author Colin Cogle

MCSE, Cloud Platform & Infrastructure
MCSE, Server Infrastructure
MCSA, Windows Server 2012

License

This blog post is licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0).

See GitHub for WannaPry SMB1 license information.

Content Rating None
Encoding text/html; charset=UTF-8
Permalinks
Search keywords AD DS, CIFS, code, EternalBlue, Shadow Brokers, SMB, SMB1, SMBv1, SMB 1.0, Wana, WanaCrypt, WannaCrypt
Summary WannaPry SMB1 is a quick and dirty PowerShell script to disable and/or remove the vulnerable SMB 1.0 protocol from an entire domain.
Word count 462 words

The full text of the Creative Commons Attribution 4.0 International License is available online at https://creativecommons.org/licenses/by/4.0

Links

This article:
https://rhymeswithmogul.com/wannapry
WannaPry SMB1:
https://github.com/rhymeswithmogul/wannapry-smb1
Information about the WannaCry ransomware attack:
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
How to disable SMB1 (or SMB2/SMB3) on Windows:
https://aka.ms/disablesmb1