I often want to show customers how a ransomware attack will affect the business. Finding all the network shares that you have write access to as a normal user takes a lot of time to do manually, so I have created a script that I call Ransomware simulator. The idea is that you start the script from one of your users' workstations, logged on as a normal user. The script then finds the shares on the hosts you specify and tests whether it can write to each of them. It finds normal shares as well as administrative shares ($ shares). You can specify hostnames, IP addresses or IP ranges as input to the script. If you need help, you can run Get-Help against the script.
I have copied a lot of code from Matthew Graeber (@mattifestation) and from Will Schroeder (@Harmj0y), so credits to them for their great work.
This release of the script is just the first version; I am currently working on a version that supports multi-threading in the scanning process. I have also created a video that shows the script in action.
The script can be found here: https://github.com/api0cradle/PowershellScripts/tree/master/Security
To run version 1.0 of the script, you need to run it elevated, and you need to be on Windows 8.1 or a newer OS that supports the Test-NetConnection cmdlet. This will change in my next release.
Hope you find this useful.
Thanks for the script, I wanted to run this on all of our stuff over the weekend and can’t seem to get it to run. It looks like you’re on Win 10. Maybe that’s the issue?
I put the output here.
http://pastebin.com/D0pYPNMX
Thanks again for the script. I’ve been looking for something to show us just how vulnerable we are to this and how much of an impact it would have if we were to get hit by this.
Hi SecNoob. I forgot to write in the blog post that the PowerShell script needs to run as local administrator. I will update the post. Did you start the PowerShell prompt elevated? I run W10, but it should work on W8+. I am working on a new version of the script that will be much better. This release is my first release.
I saw that it needed an elevated prompt from the video and ran it that way. I actually ran it from 7 and 8.
I don’t have a win 10 machine in my environment yet. Thanks.
I watched the video but missed the part of the post where it says it needs 8.1+. Sorry bout that.
I’ll try to run it from a 2012 R2 server later this week.
Thanks again for this. If I can get this working, it’ll help us out a lot.
No worries. Best of luck. Hope you can provide feedback on how it goes when you get it to run? Really hope you can benefit from it. 🙂
For those running the script on pre-Windows8 boxes, simply update the Find-SMBServers function with this:
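    function Find-SMBServers
    {
        Param (
            [Parameter(Mandatory = $True)] [String] $Server
        )
        $445ConnectTest = $Null
        Try
        {
            # Connect with the .NET TcpClient instead of the Test-NetConnection cmdlet
            $445ConnectTest = New-Object Net.Sockets.TcpClient $Server, 445
            If ($445ConnectTest.Connected)
            {
                #return $True
                Write-Verbose "$Server is alive and responding to 445"
                # $aliveHosts is expected to be defined by the rest of the script
                $aliveHosts.Add($Server)
            }
            else
            {
                #return $false
            }
        }
        Catch
        {
            Write-Error "Exception trying to discover $Server"
            Write-Error $_.Exception.Message;
        }
        Finally
        {
            # Close the socket so connections are not left open during the scan
            If ($445ConnectTest) { $445ConnectTest.Close() }
        }
    }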
It uses .NET instead of PowerShell to connect on port 445.
This is coming in the next version of the script. Great tip.
Hi, thanks for sharing this script. It should be very useful to work against Ransomware. I am trying to run into a File Server where printers are shared, however I am getting the following error:
Invoke-RansomwareSimulator : FileStream was asked to open a device that was
not a file. For support for devices like ‘com1:’ or ‘lpt1:’, call CreateFile,
then use the FileStream constructors that take an OS handle as an IntPtr.
At line:1 char:1
Have you ever seen something like that? I have tried to change the API modules without success.
Hi Rodolfo. No I have not seen this. I will try to get the same error and fix it. Thanks for leaving me a comment on it.
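An added example, not part of the original post, the comments, or the Invoke-RansomwareSimulator script: a write probe for UNC paths that also handles the printer-share failure reported above, where FileStream raises a NotSupportedException because the target is a device. The function name, output properties and sample paths are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: not code from Invoke-RansomwareSimulator.
# Test-ShareWriteAccess and its output properties are hypothetical names.
function Test-ShareWriteAccess
{
    Param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [String[]] $UncPath
    )
    Process
    {
        ForEach ($Path in $UncPath)
        {
            $Result = [PSCustomObject]@{ Path = $Path; Writable = $False; Reason = '' }
            # Random probe name, so an existing file is never touched
            $Name  = 'writetest_{0}.tmp' -f [Guid]::NewGuid().ToString('N')
            $Probe = [IO.Path]::Combine($Path, $Name)
            # CreateNew refuses to overwrite; DeleteOnClose removes the probe
            # file as soon as the handle is closed
            $CtorArgs = @(
                $Probe, [IO.FileMode]::CreateNew, [IO.FileAccess]::Write,
                [IO.FileShare]::None, 4096, [IO.FileOptions]::DeleteOnClose
            )
            Try
            {
                $Stream = New-Object IO.FileStream -ArgumentList $CtorArgs
                $Stream.Dispose()
                $Result.Writable = $True
                $Result.Reason   = 'Probe file created and removed'
            }
            Catch
            {
                # New-Object wraps constructor failures, so inspect the root cause
                $Cause = $_.Exception.GetBaseException()
                If ($Cause -is [UnauthorizedAccessException]) {
                    $Result.Reason = 'Access denied'
                }
                ElseIf ($Cause -is [NotSupportedException]) {
                    # Includes "FileStream was asked to open a device that was
                    # not a file", e.g. when the share is a printer
                    $Result.Reason = 'Not a file target: ' + $Cause.Message
                }
                Else {
                    $Result.Reason = $Cause.Message
                }
            }
            $Result
        }
    }
}
# Constructed sample paths:
# '\\fileserver01\public', '\\fileserver01\printer01' | Test-ShareWriteAccess
```

Each path yields one object, so non-writable and non-file targets are recorded with a reason instead of stopping the run.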