Sunday, December 2, 2018

How vulnerable could the internet be - from a BGP perspective

The internet that we know is an interconnection of networks. Those networks are managed by organizations, giant corporations, internet service providers (ISPs), network service providers (NSPs), cross-country internet exchange points (IXPs) and the various Regional Internet Registries (RIRs). The traffic that flows inside and between those organizations, providers and exchange points is delivered according to a set of rules known to the world as the Border Gateway Protocol (BGP). If someone with malicious intent manages to break or manipulate this one protocol, that attacker can potentially manipulate the traffic flowing across the internet as a whole.

BGP is the standardized exterior gateway routing protocol used to interconnect networks, exchange routes and share reachability information. Each entity is uniquely identified by its Autonomous System (AS) number. Technically, BGP picks routes with its best path selection algorithm, which prefers the most specific matching prefix and then applies various other criteria such as weight, local preference, neighbor count etc. For example, let's say Google announces 172.168.0.0/20 to the world as its network, and on the other hand Someone announces 172.168.0.0/24 as theirs. The traffic destined for 172.16.15.14 would then go to Someone instead of Google, provided the announcement sent by Someone is accepted by the neighboring network and is further propagated across the internet. When the communication between different ASes is misconfigured, or in some cases deliberately hijacked, this chaotic scenario is known to the world as prefix hijacking, or more generally BGP hijacking. The example above is not just a hypothetical scenario; these threats do exist on the internet: the AS 7007 incident in 1997, Pakistan hijacking the entire YouTube network in 2008, a Chinese ISP hijacking the entire internet in 2010, a Canadian ISP hijacked to steal Bitcoin and other cryptocurrency in 2014, Russian telecommunication companies hijacking the networks of US tech giants multiple times, including the MasterCard and Visa card networks, in 2017, and lately the incident of Google Cloud's traffic being routed to Russia by a Nigerian ISP. A simple misconfiguration or a malicious intent in a single protocol can create chaos on the internet.
According to some sources, various state-sponsored hackers, government agencies and private organizations have been found doing this (traffic hijacking) to perform large-scale man-in-the-middle attacks, traffic monitoring and/or censorship.

Some security experts argue that BGP can never be made secure and that a new protocol should instead be introduced. Nevertheless, there are techniques available today, such as RPKI (Resource Public Key Infrastructure), which lets resource holders cryptographically sign statements about their AS numbers and address blocks, and Route Origin Authorizations (ROAs), which associate an address prefix with the AS numbers allowed to originate it, among various others. As long as these technologies are not deployed and tuned properly, placing fancy technology in place and not making use of it will never guarantee security, and the Confidentiality, Integrity and Availability of the system and/or the Authenticity of traffic across the network as a whole will keep breaking.
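The following is an added example, not code from the original post: it implements Route Origin Validation (RFC 6811) over a constructed ROA table and shows why the more-specific /24 wins when nobody validates, and is dropped when ROAs are enforced. The prefixes mirror the post's example; AS64500 and AS64501 are made-up numbers from the documentation range and 172.168.0.14 is a constructed destination.

```python
"""Route Origin Validation (RFC 6811) against a tiny constructed ROA table.

Added example, not part of the original post. The ROAs, announcements and AS
numbers below are constructed for illustration and refer to no real network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network   # signed address block (IPv6Network also works)
    max_length: int                 # longest prefix the origin may announce
    origin_as: int                  # AS authorised to originate it


def build_roas(records):
    """records: iterable of ("prefix", max_length, origin_as) tuples."""
    return [ROA(ipaddress.ip_network(p), ml, asn) for p, ml, asn in records]


def validate(prefix, origin_as, roas):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    Valid: some ROA covers the prefix, names the same origin AS and allows a
    prefix at least this specific (maxLength). Covered but nothing matches:
    invalid. No covering ROA at all: unknown (RPKI says nothing about it).
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accepted_routes(announcements, roas, drop_invalid=True):
    """Common operator policy: drop RPKI-invalid routes, keep valid and unknown."""
    return [(p, asn) for p, asn in announcements
            if not (drop_invalid and validate(p, asn, roas) == "invalid")]


def longest_match(dest, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best[1] if best else None


# Constructed data: AS64500 holds 172.168.0.0/20 and signed a ROA for exactly
# that prefix (maxLength 20); AS64501 then announces a more specific /24.
ROAS = build_roas([("172.168.0.0/20", 20, 64500)])
ANNOUNCEMENTS = [("172.168.0.0/20", 64500), ("172.168.0.0/24", 64501)]

if __name__ == "__main__":
    for p, asn in ANNOUNCEMENTS:
        print(p, asn, validate(p, asn, ROAS))
    print("without ROV:", longest_match("172.168.0.14", ANNOUNCEMENTS))
    print("with ROV:   ", longest_match("172.168.0.14",
                                        accepted_routes(ANNOUNCEMENTS, ROAS)))
```

Note that a ROA with maxLength 20 also makes the legitimate holder's own /24 invalid; operators who intend to announce more specifics have to set maxLength accordingly.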

Sunday, November 18, 2018

A lazy night CTF party - Vulnhub - (box Matrix: 1)

Okay so, I had downloaded this (Matrix 1) box a week or so back, but due to some random busyness I just could not start giving it a shot. Also, the thing is that I usually don't engage much in CTFs, but when I feel extremely bored, like super bored, I give myself a chance to engage in something interesting and learn new techniques. Anyway, let the story begin.

It all started with a virtual boot up of the recently downloaded virtual machine's OVA file.

As described in the release information for this box, "Matrix is a medium level boot2root challenge." Furthermore, "Difficulty: Intermediate" and "Your Goal is to get root and read /root/flag.txt". Intermediate level - sounds good to me, let's continue.

A quick SYN scan of my network with 'nmap -Pn -sS 192.168.1.0/24 -v' gave me a host with ports 22, 80 and 31337 open. Looking further at those ports with the '-sV' option gave me more detailed information on the services running on them: it seemed like OpenSSH and Python's SimpleHTTPServer were running.

I opened the browser on the host's web port (HTTP, port 80) and was shown a simple-looking web page with not much information but some fancy-looking Matrix messages that said "Follow the White Rabbit" and "Welcome to the real world, Neo. I'm glad you're here." I thought for a while: Okay! So, where's my White Rabbit? A quick CTRL + U and I got to see something like '<div class="service"><img src="assets/img/p0rt_31337.png"/ width="15">'.
This information seemed interesting! I already knew that port eleet (31337) was open, so it should be something related! For a couple of minutes I thought that this PNG could carry some hidden information (maybe something to do with steganography?), but no, my hunch was wrong.

I followed the White Rabbit for now and jumped to port 31337 in my browser. Now I saw a new page with another fancy-looking message. Just from the heading 'Cypher' I had in mind that this could have something to do with deciphering a message. I performed another quick CTRL + U and there it was: '<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->'. My instincts were right! "A long fancy-looking text that ends with an equals (=) sign could be base64 encoded," I said to myself. It was indeed base64. The message was "echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix".

This made me feel like "something is echoed into Cypher.matrix", so I sent a GET request to /Cypher.matrix and yes, something was there. I was indeed following the rabbit down the hole.


Inside Cypher.matrix was complete chaos, a disaster: operators, operands, brackets and signs were floating around in front of my eyes. A quick search on the use of the characters "+, -, <, >, [, ], (, )" took me to information about Brainfuck. Sorry, did I say something inappropriate? No, let's continue.

So, it was basically an esoteric programming language. With this insight, I ran the program and decoded the message, which said "You can enter into matrix as guest, with password k1ll0rXXNote: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password." Okay, so it seems like we are now getting deeper into the rabbit hole! But we still don't have the full password to the system.
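A small Brainfuck interpreter, added here as an example (not code from the original post or from the Matrix box), is enough to run a Cypher.matrix-style file; non-instruction characters such as the stray parentheses are ignored. The PROGRAM constant is a constructed program that just prints "Hi", since the box's own file is not reproduced here.

```python
"""Minimal Brainfuck interpreter. Added example, not from the original post;
PROGRAM below is constructed and prints "Hi".
"""


def run_brainfuck(code, stdin=b""):
    """Interpret `code` and return the bytes the program writes with `.`.

    Cells are 8-bit and wrap; the tape grows to the right on demand. Any
    character that is not one of the eight instructions is ignored, which is
    why a noisy file can be fed in as-is.
    """
    # Pre-compute matching bracket positions so every jump is O(1).
    jumps, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])

    tape, ptr, pc, inp, out = [0], 0, 0, 0, bytearray()
    while pc < len(code):
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape underflow at offset %d" % pc)
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            # EOF convention: store 0 once the input is exhausted.
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # back to the matching '['
        pc += 1
    return bytes(out)


# Constructed program: 8*9 = 72 ('H'), then 10*10 + 5 = 105 ('i').
PROGRAM = "++++++++[>+++++++++<-]>.>++++++++++[>++++++++++<-]>+++++."

if __name__ == "__main__":
    print(run_brainfuck(PROGRAM).decode())
```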

So, I used the command "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 2 > char-file", which generates two-character alphanumeric strings and writes the list into char-file (the pipeline never ends on its own, so it has to be interrupted once the file is big enough). From that file I created a dictionary for my brute force, since we already knew that the SSH port was open.

Then "awk '{print "k1ll0r"$0}' char-file > password-list" creates the password file to be used for the brute force.

I knew that Metasploit is helpful in this case, so I fired up a shell, ran msfconsole and used the 'auxiliary/scanner/ssh/ssh_login' module. Username guest, my dictionary file, a wait of a couple of minutes and bang! We now have a matching password and a session opened for us. I interacted with the session we had just established with 'sessions -i 1', spawned a TTY with Python, and we're in! We now have a working shell on the box!


I then listed the present working directory from the shell and saw that there was one unusual directory, prog. 'Prog is short for programs; it probably holds an executable, and maybe I can reverse that program and spawn a root shell. Or maybe the executable has misconfigured access permissions or something like that' is what I thought at the moment after noticing the prog directory.


Excuse me, did I just see a vi? 'vi is a text editor, and it has always helped people get down to a root shell. Am I getting luckier, or is the white rabbit calling me?' is what I thought next. I then opened the vi editor, typed ":!/bin/bash -i" and bam! I got a full-fledged guest shell on the box from my Python-spawned shell.


Our goal is to root the box, collect the flag and move on. Looking for the allowed sudo commands with 'sudo -l' showed something like "(ALL) ALL". How cool is that? "sudo /bin/bash", enter the guest password that we previously found and bingo! We're now root and have officially pwned the box.


Cat the flag and we've got it!


Anyway, Matrix 1 was interesting. I hope to follow the white rabbit deeper down the path in the upcoming days. Thanks unknowndevice64 for building the Matrix!


'I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here: Why oh why didn't I take the BLUE pill?' or 'Perhaps we are asking the wrong questions.'

Thursday, June 28, 2018

Our information in this era is in a perilous state! - (PageUp Security Breach)

We have heard a lot of gossip about the latest security breaches suffered by companies like PageUp and Flightradar24 last month. The cyber havoc suffered by the human resource management company, or so as to say the 'cloud-based Software-as-a-Service' provider PageUp, is now in the limelight.

As mentioned on the official page of PageUp, "PageUp delivers HR software that helps your employees reach their full potential, anywhere in the world." Various industrial sectors, including corporate organizations, financial organizations, universities, healthcare groups and others, depended on the HR management service provided by PageUp and were part of the security incident that occurred in May. These included the Reserve Bank of Australia, Commonwealth Bank, National Australia Bank (NAB), Australia Post, Australian Broadcasting Corporation (ABC), Medibank, Australian Red Cross, Bupa, University of New South Wales (UNSW), Australian National University (ANU), Macquarie University, Charles Sturt University (CSU), Lindt, Australian Gas Light (AGL), Tatts Group, Aldi, the Wesfarmers Group's subsidiaries including Coles, Kmart, Target and Officeworks, and various other organizations.

The immense use of online, internet-based systems has made our work easier and saved us time in most cases. These online systems have given us many opportunities and made our work efficient; however, they have always lacked something or the other, and in this case it was 'security'. The 'trust' that users place in these online systems is tremendously high. People feel safe sharing their private information with a third party, thinking that it is in the right hands and that these companies would safeguard it. Nevertheless, this has not been the case. Private and crucial information including email IDs, passwords, dates of birth, phone numbers, physical home addresses, nationality, passport numbers, driving licence numbers, card details, bank details, tax file numbers, superannuation details, past and present employment history and other such information could have been exposed to cyber criminals in the recent breach.

Any information that we hold and share about ourselves is critical, be it our date of birth, home address, phone number, email ID or personally identifiable information (PII) such as citizenship ID number, passport number, licence number, tax file number, bank account details and the like; any of it could be used against us to cause harm, physically or virtually.

So, what would cyber criminals do with my personal information?
This could be the curious question that most of us have in mind. Well, the cyber crooks are surely going to generate huge sums of money from such compromised personal information. Phishing, vishing or smishing scammers are most likely willing to get hold of such information for various fraudulent activities. Advertising companies might want it to target their advertisements at a specific group of people living in a certain locality. Criminals might use the financial information to extract money online or physically. Cyber crooks might sell such data to criminal gangs, enabling identity theft and causing severe catastrophe in an individual's life. If such evilness were to happen, the sky's the limit for those crooks.

Technically speaking, such critical personal information about an individual is worth no more than five dollars on the dark web, and yes, there are people interested in buying it.

People might be able to change their usernames, passwords, email IDs and bank card details, but information like date of birth, mother's maiden name and working history (resume information) is like biometrics, like fingerprints: nothing can be done and nothing can be changed; once it is gone, it is gone forever. Until and unless we create cyber-aware netizens and make proper use of proper technologies, these sorts of activities will never stop happening.

In conclusion, PageUp was just another example. There could be thousands of similar organizations that provide such services and hold critical personal information of millions of people, and hundreds of them could still be vulnerable to a similar hack. Let's not forget that the Ashley Madison, Equifax, Cambridge Analytica and other such breaches were once history. If, even after all these years of lessons learned, we cannot safeguard the information of individuals who completely trust such companies with their details, and in the end their trust gets exploited out of the blue, then all of our presence in this virtual world of computer networks could be doomed.

Are other such companies, private and government organizations working hard to protect their netizens' private data?

Finally, the question is that “Is our information in this era, in a perilous state?”

Monday, April 30, 2018

Cyber kill chain - Oh what a fancy thing it is!

Let's say I manage a network. My system was publicly accessible and someone has managed to exploit a vulnerability in the system using the MS17-010 (EternalBlue) exploit. I, as the network manager, can see some egress traffic on my SMB port and have now found that my system is communicating with an external IP address (possibly someone's command and control server).

The question is, what do I do now?
Should I call the incident response team that does not even exist? Should I shut down the whole network? Should I start reading my organizational policy to figure out what I am supposed to do, or should I just start to cry, since the attacker could be planning to inject WannaCry or the like into the network?

That's exactly when you need the Cyber Kill Chain.

So, What exactly is it?

The Cyber Kill Chain is basically a framework, part of the intelligence-driven defense model, for identifying and preventing cyber intrusion activity. It is also commonly referred to as the cyber attack lifecycle. The actual model, the Cyber Kill Chain framework, was developed by Lockheed Martin and is commonly used for the identification and prevention of cyber intrusions.

Should I even care about the Cyber Kill Chain?
If you are an organization or individual that maintains and manages the inflow and outflow of data... in short, ya; sorta!

Let's get back to the thrill, the insight of an attack:

Usually, every attack starts with passive recon, then active recon, and then the real attack happens; after that the attacker expands the attack surface, exploits, starts the post-exploitation phase, creates a backdoor, exfiltrates the data and clears their tracks. Lockheed Martin defines these phases as Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

Source: Lockheed Martin

As said earlier, in the imaginary network that I manage, the attacker in the subsequent events creates a new backdoor and is now scanning the internal network for lateral movement. The attacker gets access to my internal database server or the like, exfiltrates the data, tries to clean up the traces and runs away, their need fulfilled for now, since they already have a backdoor which they can access at any time they want.

This is just a simple idea of what could happen here; there could be hundreds or maybe thousands of possibilities for what the attacker might be doing or wanting to do, depending on what information the organization or individual holds and on the motive of the attacker.

In some cases, sophisticated attackers, as in APT attacks, do not follow these steps; they sometimes skip steps or add their own, making the visible attack just a diversion, and finding the real attacker's information becomes like finding a needle in a haystack. For example, a DDoS attack could be used by attackers as a diversionary manoeuvre, creating an immense number of events in the logs and making the actual event harder to find.

The cyber kill chain helps prevent attacks and suggests preventive measures for each of these different stages. To break the chain: if there is an event, or anything that seems suspicious, start digging into it. If you feel that a genuine attack is happening, triage the incident. Figure out how the attacker got inside the system, or maybe how the attacker is trying to get inside. To stop possible future damage, gather the forensic investigation and incident report and try to figure out how to stop this type of attack in future. There are certain technologies that help in killing the attack chain, like antispam, web filtering, intrusion prevention and detection, antivirus, SIEM, DBAM, next-generation firewalls, data loss prevention technologies and others.

Again, my question to you: should you care about the kill chain?
You may say: I do not own any information, I do not have any data as such, or I do not have anything at all. So, why should I care!

In most cases, the attackers might not be interested in large-scale data or high-profile servers or anything of the sort. Small compromised resources can be used to commit advertisement fraud, spread misleading information or news, send out spam, extort the company for ransom, sell the data they have acquired on the black market, or even rent out the hijacked infrastructure to other criminals, as in selling these servers to provide ransomware-as-a-service, DDoS-as-a-service and the like.

The goal here is not just to know the 'Cyber Kill Chain'. You know it, great! What are you waiting for? Implement it, follow the kill chain model and gotta catch them all!

PS: To stop an attack, you need to think like an attacker.

A little bird once told, "Know the enemy and know yourself."

Monday, August 7, 2017

SMBloris is in town and Microsoft won't provide a patch for it!


SMB is having a very hard time lately. The NSA's exploits under the codenames EternalBlue/DoublePulsar, the WannaCry ransomware, the Uiwix ransomware, Adylkuzz and others were all taking advantage of the SMB exploit. A new SMB exploit was released as a zero-day at this year's DEF CON 25 by security researchers zerosum0x0 and JennaMagius. The vulnerability is named SMBloris after the Apache web server bug exploited by Slowloris in 2009. Both SMBloris and Slowloris can use a single machine to crash or freeze a much more powerful server; Slowloris, however, unlike SMBloris, targets web servers. As of now, Microsoft has refused to provide a patch for this specific vulnerability, saying that it is just a moderate issue that would likely never be fixed. The bug allows an attacker to remotely crash a Windows server with only about 20 lines of Python code and a portable system such as a Raspberry Pi.

What exactly is the bug?

The vulnerability lies in the way SMB packets are processed and the system allocates memory for them. SMBloris is basically a memory-handling bug which, if exploited, forces a server, whether hosted on the Internet or on the local network, to allocate 128 KiB of non-paged physical memory, memory that has to be reserved and can't be swapped out, for every connection to the service. An attacker triggers this by sending three bytes to the SMB service with the 17-bit NetBIOS Session Service (NBSS) length field set to its maximum. The kernel keeps the connection open for 30 seconds and then gives up, so 128 KiB of memory is tied up for 30 seconds for every connection attempted.

Although the well-known TCP port for NBSS traffic is 139, an attacker can open a connection from every possible TCP source port, i.e. up to 65,535 ports, and thus potentially consume up to 8 GiB of non-paged RAM for half a minute, which directly hampers the performance of the machine since the kernel is forced to scavenge the system for any free memory as more allocations arrive. If an attacker launches this attack over both IPv4 and IPv6, the memory burden rises to 16 GiB, and if the attack then comes from just two IP addresses it can fill up to 32 GiB, and so on. Eventually, the target system or server cannot allocate memory at all and hence freezes, requiring a manual reboot. It would not even crash or show the blue screen of death (BSOD), since it would have no resources left to show the blue screen; it simply freezes and never returns from the frozen state until rebooted forcefully.
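The following is an added example, not code from the original post or from the researchers: it parses the NBSS session header the post refers to, shows how the extension bit makes the length field 17 bits wide (hence the 128 KiB figure), and contrasts a server that commits the declared length up front with one that refuses oversized messages before reserving anything. The headers are constructed and the 64 KiB cap is an assumed policy value, not a Windows or Samba setting.

```python
"""NetBIOS Session Service (NBSS) header handling. Added example, not from the
original post; the headers below are constructed and the cap is assumed.
"""
import struct

NBSS_HEADER_LEN = 4
NBSS_MAX_LENGTH = 0x1FFFF   # 17-bit field: 131071 bytes, just under 128 KiB


def parse_nbss_header(data):
    """Parse a 4-byte NBSS header (RFC 1002, 4.3.1) into (msg_type, length).

    Byte 0 is the message type, byte 1 the flags and bytes 2-3 a 16-bit
    length. The low bit of the flags byte is the length extension bit and
    becomes bit 16 of the length, which is what makes the field 17 bits wide.
    The other seven flag bits are reserved and must be zero.
    """
    if len(data) < NBSS_HEADER_LEN:
        raise ValueError("short NBSS header: %d byte(s)" % len(data))
    msg_type, flags, length16 = struct.unpack("!BBH", data[:NBSS_HEADER_LEN])
    if flags & 0xFE:
        raise ValueError("reserved NBSS flag bits set: 0x%02x" % flags)
    return msg_type, ((flags & 0x01) << 16) | length16


def plan_allocation(headers, cap=0x10000):
    """Compare two server strategies over a list of session headers.

    Returns (naive, bounded, rejected): naive is the memory a server commits
    when it reserves every declared length up front, the behaviour the post
    describes; bounded is what it commits when any message longer than `cap`
    is refused before a buffer is reserved; rejected lists those indexes.
    """
    naive = bounded = 0
    rejected = []
    for i, h in enumerate(headers):
        _, length = parse_nbss_header(h)
        naive += length
        if length > cap:
            rejected.append(i)
        else:
            bounded += length
    return naive, bounded, rejected


# Constructed headers: three session messages declaring the 17-bit maximum
# (extension bit set, 16-bit length 0xFFFF) and one ordinary 72-byte message.
HEADERS = [b"\x00\x01\xff\xff"] * 3 + [b"\x00\x00\x00\x48"]

if __name__ == "__main__":
    for h in HEADERS:
        print(h.hex(), parse_nbss_header(h))
    print("naive, bounded, rejected:", plan_allocation(HEADERS))
```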

Which versions of Windows are affected?

The vulnerability exists in all modern versions of Windows, at least from Windows 2000 through Windows 10. Even if all versions of SMB are disabled, the systems are still vulnerable.

Is Samba affected?

Samba is free software that re-implements SMB as an alternative for other operating systems. It is also vulnerable in a default installation; however, it has a workaround.

Workaround: set 'max smbd processes = 1000' in smb.conf (normally found under /etc/samba).

What could go wrong?

Cyber criminals in the black market providing DDoSaaS (Distributed Denial-of-Service-as-a-Service) could benefit from this zero-day, since they would not even need a botnet or any such large-scale resources. All they would require is about 20 lines of Python code and a portable system to execute it. However, no such devastating incident has been recorded or discovered yet.

Recommendation
For now, we highly recommend that you disable ports 445 and 139 on Internet-facing systems. If you are thinking about using SMB on your internal LAN, make sure that your business-critical systems have these two ports disabled.

Wednesday, July 26, 2017

My experience at npNOG-2 and SANOG-XXX

It all started with a thirst for knowledge and a will to learn new thing every single day!

When I started in networking and security, I was always curious about breaking stuff. I always wanted to learn more and more about these fascinating networks, how we communicate inside a network and, of course, the security side of things. Until now, I was only aware of the tip of the iceberg; I never thought there was such a huge amount of knowledgeable material deep down there.

To tell the truth, I only learned about these community-driven NOGs some months back. After finding out about them, I scoured the web, looked at the past content, presentation slides and learning materials they provide, and really thought that I had missed a lot. Long story short, I found out about the fellowship programs, applied, got selected, went to these NOGs, and now here I am sharing my experience.

So, basically, Network Operators Groups (NOGs) are usually informal, open idea-exchange platforms. They are either country- or region-based, and network operators come under the same roof to discuss topics of mutual interest, exchange ideas and express their viewpoints for the betterment of operational, robust, secure and stable networks. Usually these forums have supporting members from Internet Service Providers (ISPs), Internet Exchange Points (IXPs), Regional Internet Registries (RIRs), Internet Protocol version 6 (IPv6) operators, Domain Name System (DNS) and root zone operators, operational security communities and other network operations communities, and the discussions among these members are truly influential.

npNOG2 started (on the 15th of June 2017) with three days of workshops on three different tracks, IPv4/6 Routing, Network Management and Monitoring, and Optical Fiber Networks, and ended with a one-day conference right after the workshops. I attended the three-day workshop on IPv4/IPv6 routing. The workshop gave an insight into IPv6 and routing protocols like OSPF and BGP, with three intensive days of hands-on lab exercises. Apart from breaking the lab (hint: route leak!) on the last day, everything went just fine! In fact, I was so curious that I simulated the lab environment and tried some twists and tricks after getting back from the program. The four-day journey was a knowledgeable one! Overall, it was truly a marvelous opportunity to become part of the second edition of npNOG (Nepal Network Operators Group), with such brilliant and knowledgeable folks in the community and great instructors. It was really a great learning and networking opportunity.

SANOG-XXX started (on the 10th of July 2017) with two days of conference, two days of tutorials and five days of workshops on three different tracks: IPv4/6 Routing, Network Security and DevOps 101 for Network Engineers. The conference talks and tutorials were interesting and knowledgeable. I was actually thinking of attending IPv4/6 Routing since this time it would cover IS-IS (the routing protocol!), BGP, multi-homing, traffic engineering and other cool stuff, but later I decided to attend Network Security.

Why Network Security? Well, security stuff got me on that! I thought, why not utilize some of my network security knowledge and expand my knowledge of security stuff too? So I decided to attend Network Security. Indeed, the Network Security workshop was fun, well, at least for me, and I hope others surely enjoyed it too. The workshop covered topics such as cryptography, cryptographic applications such as SSH, VPNs, SSL/TLS and PGP, and also DNS, DNSSEC, network and server hardening best practices and other cool stuff. The instructors were truly amazing. Everything went fine this time, apart from some random hacks for fun and for knowledge, of course! Such knowledgeable and talented participants.

Overall, both NOGs were great and knowledgeable ones. All the fellows were great! We had such a memorable and great time sharing knowledge and ideas.

Final words

These kinds of knowledge-sharing communities are growing and should definitely keep on growing, so that experienced folks can share and transfer their knowledge, experiences and ideas to new engineers, students and networking enthusiasts, and the new generation can benefit more.

I would highly recommend anyone working in the networking or security domain to participate actively in such communities and share their ideas and experiences. Organizations working in these domains should also highly motivate, encourage and truly support their staff members to participate in and contribute to such communities.

Finally, I would like to thank all the instructors, sponsors, my fellow friends, seniors and all the folks who were in touch with me at the events. Thanks to the whole team for making my first NOGs knowledgeable and amazing ones! I hope that I will also get an opportunity to share some of my ideas and knowledge with the community in the near future.

A note to remember: "Do not read books, read RFC's! That's where the beauty of a true knowledge is."

Friday, May 19, 2017

SMB in the limelight – WannaCry and more!

Days before WannaCry came into the spotlight, there was already other ransomware and malware taking advantage of the SMB exploit (published under the codenames ETERNALBLUE/DOUBLEPULSAR) following the Shadow Brokers dump (NSA exploits targeting the Windows file sharing protocol). So far, the WannaCry ransomware has infected systems in more than 150 countries, causing widespread panic. Although the distribution of WannaCry may have been stopped, the widespread distribution of ransomware and similar malware has not.

Other Variants

UIWIX is an entirely new variant that has also been spotted in the wild. Like WannaCry, this ransomware is built on ETERNALBLUE. It has the ability to infect machines without writing files to permanent storage, making it much harder to detect through conventional forensics. This ransomware renames files with the '.uiwix' extension and drops a text file called '_DECODE_FILES.txt' which contains the requirements for decryption, the payment address and the mode of payment. Uiwix, however, poses an even bigger threat than WannaCry since it does not include any kill switch domain.
 
Another program using the same SMB vulnerability, exploited via EternalBlue and DoublePulsar, is Adylkuzz. Adylkuzz exploits the SMB vulnerability to mine an obscure cryptocurrency called Monero.

Basically, Monero is a cryptocurrency similar to Bitcoin but with enhanced anonymity capabilities. A majority of the underground websites known to sell drugs, stolen credit cards and counterfeit items make use of Monero. However, unlike WannaCry, Adylkuzz does not have the ability to self-propagate.

It has been found that Adylkuzz started exploiting the same vulnerability somewhere between the 24th of April and the 2nd of May, i.e. weeks before WannaCry came on the scene. It infects the system by taking advantage of the SMB vulnerability, shuts down SMB networking to prevent further infection of the system with other malware, including the WannaCry ransomware worm, detects the public IP address of the system, and downloads the mining instructions, the cryptominer and other cleaner tools. Therefore, we can easily predict that a huge number of systems are infected with this very malware, more than with the WannaCry ransomware worm. Adylkuzz did not cause the same chaos as WannaCry since it was not shutting down computers or sending ransom notes; all it did was perform Monero mining in the background. As it was not catastrophic enough to raise an alarm, it remained undetected and hidden until WannaCry came into the limelight and gained much more public attention.

Who is behind the current attack?
It has been found that WannaCry's code shares some portions with code used by the Lazarus APT group, which was heavily responsible for the Sony wiper attack (Sony Pictures Entertainment being hacked using wiper malware), the Bangladesh bank heist ($81 million stolen via the SWIFT network using Dridex malware) and the DarkSeoul operations (backdoor Trojans, dubbed Duuzer, Brambul and Joanap, targeting South Korean organizations, institutions and industries). The Lazarus APT group was found to have conducted multiple attacks worldwide and to have a direct link to Bluenoroff and North Korea. So, there is a possible clue that North Korea could be behind the current WannaCry attack. However, it is still too early to determine who exactly is behind it, since the reuse of code could also be a false flag.

Final Words
It is therefore highly recommended that you update your systems for MS17-010 and, if you do not use SMB, that you also disable SMB version 1.

To disable SMB follow the following steps:
  1. Open Control Panel.
  2. Click Programs.
  3. Click Turn Windows features on or off (under the Programs).
  4. Make sure that your ‘SMB 1.0/CIFS File Sharing Support’ is not ticked.

If you are a PowerShell user, disable SMB version 1 by running the following command with administrator privileges:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Value 0 -Force

That's it, you are protected for now.