Saturday, May 13, 2017

WannaCry: Finding where SMB is allowed in AWS

WannaCry is the latest ransomware to sweep the internet and cause lots of excitement. As occasionally happens with well-publicized security events like this, I got to hear a former firewall admin's favorite words: "Can you please take away a bunch of network access?" What fun!

I love blocking traffic as much as the next guy, but it's not a great idea to just change firewall rules willy-nilly. You should always spend a little time thinking about the impact and looking at what access it's prudent to remove. In this post I'll list a couple of the commands I used to poke around our AWS security groups and find where SMB was allowed.

Because time was a factor, I decided to do all of this in the AWS PowerShell tools. As usual, you'll need to set default credentials and an AWS region before running any of these commands.

The first one is pretty straightforward. The sequence of commands will spit out any security groups in your region that allow SMB traffic inbound on the default ports (137-139 and 445).

Fun fact: apparently AWS built this section of the PowerShell tools before you could control egress permissions in a group. The inbound rules are named "IpPermissions" while the outbound rules have the more descriptive "IpPermissionsEgress". Other places (like CloudFormation templates) name inbound rule sets "Ingress" to match the outbound version.

get-ec2securitygroup | foreach {foreach ($ingress in $_.ippermissions) {if(($ingress.fromport -le 445 -and $ingress.toport -ge 445) -or ($ingress.fromport -le 139 -and $ingress.toport -ge 137) -or $ingress.ipprotocol -eq -1){$_.GroupName}}} | select-object -unique

I apologize for the length of this single line, but it should show you anywhere your instances are accepting SMB, including rules that allow all traffic (protocol -1) and rules whose port range merely overlaps 137-139 rather than covering all three ports.

Next, it can also be helpful to look for rules allowing SMB outbound. You might want to restrict this traffic too. This command is almost the same as the first.

get-ec2securitygroup | foreach {foreach ($egress in $_.ippermissionsegress) {if(($egress.fromport -le 445 -and $egress.toport -ge 445) -or ($egress.fromport -le 139 -and $egress.toport -ge 137) -or $egress.ipprotocol -eq -1){$_.GroupName}}} | select-object -unique
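As an added example (not code from the original post), here is a reusable version of the two one-liners above. It checks each SMB port against the rule's range individually, treats the all-traffic rule as a match, and reports which source or destination each matching rule is open to, so rules open to the world (0.0.0.0/0 or ::/0) stand out from ones scoped to internal ranges. It assumes the AWS Tools for PowerShell are loaded with default credentials and region already set, and it reads the Ipv4Ranges, Ipv6Ranges and UserIdGroupPairs properties of the EC2 IpPermission objects.

```powershell
# Ports to hunt for: NetBIOS 137-139 and direct SMB 445
$SmbPorts = @(137..139) + 445

function Test-IpPermissionCoversPort {
    param($Permission, [int]$Port)
    # Protocol "-1" means all protocols and all ports; FromPort/ToPort are meaningless there
    if ($Permission.IpProtocol -eq '-1') { return $true }
    # Only TCP/UDP rules carry real port ranges (ICMP reuses the fields for type/code)
    if ($Permission.IpProtocol -notin 'tcp','udp','6','17') { return $false }
    # The rule covers the port when FromPort <= Port <= ToPort
    return ($Permission.FromPort -le $Port -and $Permission.ToPort -ge $Port)
}

function Find-SmbSecurityGroupRules {
    param([switch]$Egress)   # default is inbound (IpPermissions); -Egress reads IpPermissionsEgress
    foreach ($sg in Get-EC2SecurityGroup) {
        $rules = if ($Egress) { $sg.IpPermissionsEgress } else { $sg.IpPermissions }
        foreach ($rule in $rules) {
            $hit = $SmbPorts | Where-Object { Test-IpPermissionCoversPort $rule $_ }
            if (-not $hit) { continue }
            # Collect every peer the rule applies to: IPv4 CIDRs, IPv6 CIDRs and referenced groups
            $peers = @($rule.Ipv4Ranges | ForEach-Object { $_.CidrIp }) +
                     @($rule.Ipv6Ranges | ForEach-Object { $_.CidrIpv6 }) +
                     @($rule.UserIdGroupPairs | ForEach-Object { $_.GroupId })
            foreach ($peer in ($peers | Where-Object { $_ })) {
                [pscustomobject]@{
                    GroupId   = $sg.GroupId
                    GroupName = $sg.GroupName
                    Direction = if ($Egress) { 'egress' } else { 'ingress' }
                    Protocol  = $rule.IpProtocol
                    PortRange = if ($rule.IpProtocol -eq '-1') { 'all' } else { "$($rule.FromPort)-$($rule.ToPort)" }
                    Peer      = $peer
                    WorldOpen = ($peer -eq '0.0.0.0/0' -or $peer -eq '::/0')
                }
            }
        }
    }
}

# Inbound first (world-open rules sorted to the top), then outbound
Find-SmbSecurityGroupRules | Sort-Object WorldOpen -Descending | Format-Table -AutoSize
Find-SmbSecurityGroupRules -Egress | Format-Table -AutoSize
```

Rows with WorldOpen set to True are the ones to deal with first; rules that only reference another security group are usually the "temp setup" style access discussed below.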

Now that you've got a listing of where SMB is allowed in your AWS account, you may want to remove specific security groups from instances. If you're looking to do one or two instances, that can be done pretty easily through the console. If you're looking to pull a few security groups off of every instance, you can use the example below, updating the security group IDs.

We used this example for removing a "temp setup" group that we use in our environment to allow extra access for configuring a new instance.

set-defaultawsregion us-east-1
set-awscredentials -profilename PHI
# Find every instance that is attached to either of the groups we want to pull off
(Get-EC2Instance -filter @( @{name='instance.group-id';values="sg-11111","sg-22222"})).instances | foreach {
    write-host "Instance Name: $(($_.tags | where {$_.key -eq "Name"}).value) - $($_.InstanceId)";
    $finalGroups = @();
    $finalGroupNames = @();
    foreach ($group in $_.SecurityGroups) {
        write-host $group.groupid
        # Keep every group except the two we are removing
        if($group.groupid -ne "sg-11111" -and $group.groupid -ne "sg-22222") {
            $finalGroups += $group.groupid;
            $finalGroupNames += $group.groupname
        }
    }
    # An instance must keep at least one security group, so skip any that would end up with none
    if ($finalGroups.Count -eq 0) {
        write-host "Skipping $($_.InstanceId): removing these groups would leave it with no security group"
        return
    }
    # Replace the instance's security group list with the filtered set
    Edit-EC2InstanceAttribute -InstanceId $_.InstanceId -group $finalGroups
    write-host "Finalgroups: $($finalGroupNames)"
}

Hopefully that helps you do some analysis in your environment!