Eternalblue with Metasploit

EternalBlue is the SMBv1 exploit behind the WannaCry and NotPetya outbreaks of 2017, and it continues to be bundled into ransomware and other malware.


EternalBlue targets flaws in Microsoft's SMBv1 implementation that are tracked as CVE-2017-0143 through CVE-2017-0148 and were fixed by the MS17-010 security update. Anything from Windows XP to Windows 10 is potentially exploitable if it has not received that patch, still has SMBv1 enabled, and exposes TCP port 445 to the attacker.


My lab is setup in the following configuration:


Kali Linux (172.30.1.90)

Firewall (interface1: 172.30.1.99, interface2: 192.168.99.1)

Windows 7 unpatched for EternalBlue (192.168.99.100)


The firewall ruleset is wide open at this point, so the firewall is effectively just routing between the two networks; the only thing that will change later in this post is the IPS policy.



The first thing we want to do is check whether the target is vulnerable to EternalBlue. There are a few ways to do this, but in my opinion the easiest is to scan for the specific CVE with an Nmap NSE script, following the SANS ISC diary posted at:

https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+MS17010+CVE20170143+EternalBlue/22574/


On your Kali Linux system, download Paulino Calderón's Nmap NSE script from:

https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

Nmap 7.50 and later already ship this script (check with ls /usr/share/nmap/scripts/ | grep ms17-010), in which case you can skip the copy. Otherwise, copy the script into the Nmap scripts directory and refresh the script database so Nmap can find it by name:

cp smb-vuln-ms17-010.nse /usr/share/nmap/scripts/
nmap --script-updatedb




Then run Nmap with the script against the host:

nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_address(es)>




Let's take some time to go through the details of that command:


-Pn treats every target as online and skips host discovery, so a host that drops ICMP is still scanned

-p445 restricts the scan to TCP port 445, the SMB port the script talks to

--open reports only open ports, so hosts without SMB exposed drop out of the output

--max-hostgroup 3 caps the number of hosts Nmap scans in parallel


Nmap scans targets in groups: it starts with a group of about 5 hosts so the first results come back quickly and then grows the group (up to 1024) for efficiency. The trade-off is that results for a group are not printed until the whole group has finished, which delays real-time reporting on large ranges.


Here we are limiting the group size instead. I am not 100% sure why, but it was recommended in the link above; my guess is that the script works better with a smaller host group.


--script names the NSE script to run; the .nse extension is optional and Nmap looks the name up in its scripts directory


<ip_address(es)> is the target: a single IP address, a range such as 192.168.99.1-254, or a CIDR netblock such as 192.168.99.0/24

When the command finishes, the script section of the output for 192.168.99.100 reports the host as VULNERABLE, listing the ms17-010 Remote Code Execution vulnerability in Microsoft SMBv1 servers under CVE-2017-0143. That confirms our target before we touch Metasploit.
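To turn that scan into something repeatable across a subnet, save the results with -oX and pull out the hosts the script flagged. The following Python is an added example and not part of the original post or of the NSE script; the embedded SAMPLE_XML is constructed to resemble Nmap's XML for one vulnerable host, one host the script could not confirm, and one with port 445 closed, so it runs offline without a scan. The host name and addresses in it are made up.

```python
"""Triage Nmap XML output for hosts flagged by smb-vuln-ms17-010.

Added example, not from the original post. Produce the input with -oX, e.g.
  nmap -Pn -p445 --open --script smb-vuln-ms17-010 -oX ms17.xml 192.168.99.0/24
then pass the file contents to ms17_010_hosts(). SAMPLE_XML below is
constructed to mimic that output; it is not a real scan.
"""
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample: one vulnerable host, one unconfirmed host, one closed port.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p445 --script smb-vuln-ms17-010 -oX ms17.xml 192.168.99.0/24">
  <host><status state="up"/>
    <address addr="192.168.99.100" addrtype="ipv4"/>
    <hostnames><hostname name="win7-lab" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.99.101" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="Could not connect to tree IPC$ / not vulnerable"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.99.102" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def ms17_010_hosts(xml_text):
    """Return {ip: state} for every host that carries a smb-vuln-ms17-010 result.

    The state comes from the structured <elem key="state"> when present and
    falls back to the free-text output attribute, which is all some script
    versions emit. Hosts with no script result (e.g. port closed) are omitted.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
            out = script.get("output") or ""
            if states:
                results[ip] = states[0].strip()
            elif "NOT VULNERABLE" not in out and "VULNERABLE" in out:
                results[ip] = "VULNERABLE"
            else:
                results[ip] = "NOT VULNERABLE"
    return results


def vulnerable_ips(xml_text):
    """Sorted list of the IPs whose state is VULNERABLE."""
    return sorted(ip for ip, st in ms17_010_hosts(xml_text).items() if st == "VULNERABLE")


def rhosts_value(xml_text):
    """Space-separated host list in the form Metasploit's 'set RHOSTS' accepts."""
    return " ".join(vulnerable_ips(xml_text))


if __name__ == "__main__":
    for ip, state in ms17_010_hosts(SAMPLE_XML).items():
        print(f"{ip:16} {state}")
    print("set RHOSTS", rhosts_value(SAMPLE_XML))
```

Point ms17_010_hosts() at a real scan with ms17_010_hosts(open("ms17.xml").read()); rhosts_value() gives the space-separated list that set RHOSTS accepts, which is convenient when a subnet scan turns up more than one unpatched host.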





Our next step is to exploit the system using Metasploit. This is straightforward thanks to the Rapid7 module documentation at:


https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

Let's start by launching msfconsole from a terminal.





We then load the exploit module with the command use exploit/windows/smb/ms17_010_eternalblue.





At this point I like to issue the show options command to see what the module needs before it will run.





Several settings are marked as required, but most of them already have a default value; only two need to be set:


· RHOSTS, the remote host(s), i.e. our victim.

· The target ID; at the time of writing the module offers a single target (the 64-bit Windows 7 / Server 2008 R2 build it was written for), so we choose 0.

We enter these options (msfconsole commands are lowercase):

set RHOSTS 192.168.99.100

set TARGET 0

It is also worth confirming that LHOST, the address the payload connects back to, is the Kali address the victim can route to (172.30.1.90 in this lab): the reverse connection has to come back through the firewall, and a wrong LHOST looks like a failed exploit even when the overflow worked.




We are now ready to run the attack by typing exploit.


The module takes around 30 seconds to run, since it has to groom the target's kernel pool before sending the overflow, and if it succeeds we have a shell session on the victim (a Meterpreter session with the module's default payload).





When I did this I noticed my Windows 7 system would occasionally reboot, but it seemed pretty random when it occurred. That is a known side effect: EternalBlue corrupts kernel pool memory, and when the grooming does not land as expected the target blue-screens instead of handing over a shell, which is why this exploit should only ever be run against lab machines.





Now let's turn on some protection and see what happens.

We are going to enable the basic default IPS policy on the external interface of the firewall. This is the interface facing the (potentially) hostile hosts; in my lab it is the outside interface (172.30.1.99), where the attacker machine sits.




The only thing that changes in the ruleset is the addition of the default IPS policy on the external interface; the allow-all rules stay exactly as they were.




Now I want to run the exploit again. The module is still configured in msfconsole, so simply typing exploit again is enough; if I am not sure the settings are still right, show options will confirm them.





This time the exploit fails. Let's look at the log on the firewall.




The firewall detected the attack and blocked it. All good! Bear in mind what was actually fixed, though: the IPS blocked this exploit attempt, not the vulnerability. The Windows 7 host is still unpatched, and a signature-based IPS can be evaded, or simply bypassed by an attacker on a path it does not inspect (a compromised host on the internal 192.168.99.0/24 segment, for instance). The real fix remains applying MS17-010 and disabling SMBv1.
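Both the scan earlier in the post and the IPS verdict here rest on the same piece of protocol knowledge: the MS17-010 check sends an SMBv1 TRANS2 request whose Setup word is SESSION_SETUP (0x000E) over an IPC$ tree connection, and an unpatched server answers with NT status STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), while a patched one answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. The Python below is an added example, not code from the post, the NSE script or the firewall vendor; it parses SMBv1 headers to recognise that probe on the wire (the kind of pattern an IPS signature keys on) and classifies the reply the way the scanner does. The build_* helpers construct the sample messages locally (they are not captured packets), and the flags and tree/user IDs in them are arbitrary test values.

```python
"""Recognise the MS17-010 TRANS2 SESSION_SETUP probe and classify the reply.

Added example, not from the original post. Mirrors the decision the
smb-vuln-ms17-010 NSE script makes; the build_* helpers produce constructed
test messages, not captured traffic.
"""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E            # Setup word the MS17-010 check sends
SMB_FLAGS_REPLY = 0x80                   # set in the Flags byte of responses

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched server
STATUS_ACCESS_DENIED = 0xC0000022             # patched server
STATUS_INVALID_HANDLE = 0xC0000008            # patched server

SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"      # 32-byte SMBv1 header, little-endian
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER_FMT)
NETBIOS_LEN = 4                          # session message: type byte + 24-bit length


def parse_smb_header(msg):
    """Return the SMBv1 header fields of a NetBIOS session message, or None.

    Anything that is not a well-formed SMBv1 message (bad length, SMB2 magic,
    truncation) is refused rather than guessed at.
    """
    if len(msg) < NETBIOS_LEN + SMB_HEADER_LEN or msg[0] != 0x00:
        return None
    if int.from_bytes(msg[1:4], "big") != len(msg) - NETBIOS_LEN:
        return None
    f = struct.unpack_from(SMB_HEADER_FMT, msg, NETBIOS_LEN)
    if f[0] != b"\xffSMB":              # SMB2 starts with 0xFE 'S' 'M' 'B'
        return None
    return {"command": f[1], "status": f[2], "flags": f[3], "flags2": f[4],
            "tid": f[8], "uid": f[10], "mid": f[11]}


def is_ms17_010_probe(msg):
    """True if msg is a TRANS2 request whose first Setup word is SESSION_SETUP."""
    hdr = parse_smb_header(msg)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2:
        return False
    if hdr["flags"] & SMB_FLAGS_REPLY:  # a response, not a request
        return False
    base = NETBIOS_LEN + SMB_HEADER_LEN   # offset of WordCount
    if len(msg) < base + 1 + 28:          # 14 fixed parameter words
        return False
    word_count = msg[base]
    setup_count = msg[base + 1 + 26]      # SetupCount is the 27th parameter byte
    if setup_count < 1 or word_count != 14 + setup_count:
        return False
    if len(msg) < base + 1 + 28 + 2 * setup_count:
        return False
    (setup0,) = struct.unpack_from("<H", msg, base + 1 + 28)
    return setup0 == TRANS2_SESSION_SETUP


def classify_probe_response(msg):
    """'VULNERABLE', 'PATCHED' or 'UNKNOWN' from the server's TRANS2 reply."""
    hdr = parse_smb_header(msg)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2:
        return "UNKNOWN"
    if not hdr["flags"] & SMB_FLAGS_REPLY:
        return "UNKNOWN"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if hdr["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


# --- constructed test messages (not captured traffic) -----------------------

def _netbios(smb):
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb_header(command, status=0, reply=False, tid=0, uid=0):
    flags = 0x18 | (SMB_FLAGS_REPLY if reply else 0)   # arbitrary request flags
    flags2 = 0xC001                                    # unicode, NT status, long names
    return struct.pack(SMB_HEADER_FMT, b"\xffSMB", command, status, flags, flags2,
                       0, b"\x00" * 8, 0, tid, 0, uid, 0)


def build_trans2_probe(tid=0x0800, uid=0x0800, subcommand=TRANS2_SESSION_SETUP):
    """Constructed probe: TRANS2 request, one Setup word, no parameters or data."""
    params = struct.pack("<HHHHBBHIHHHHHBB", 0, 0, 0, 0xFFFF, 0, 0, 0, 0, 0,
                         0, 0, 0, 0, 1, 0)          # ... SetupCount=1, Reserved3
    words = bytes([14 + 1]) + params + struct.pack("<H", subcommand)
    return _netbios(_smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + words + b"\x00\x00")


def build_probe_response(status, tid=0x0800, uid=0x0800):
    """Constructed reply: header carrying the NT status, WordCount 0, ByteCount 0."""
    hdr = _smb_header(SMB_COM_TRANSACTION2, status=status, reply=True, tid=tid, uid=uid)
    return _netbios(hdr + b"\x00" + b"\x00\x00")


if __name__ == "__main__":
    print("probe recognised:", is_ms17_010_probe(build_trans2_probe()))
    for st in (STATUS_INSUFF_SERVER_RESOURCES, STATUS_ACCESS_DENIED, 0):
        print(f"status 0x{st:08X} ->", classify_probe_response(build_probe_response(st)))
```

Refusing anything that is not well-formed SMBv1 (length mismatch, SMB2 magic, truncated parameter block) is deliberate: a detector that guesses on malformed input is itself a target. The probe is also only the reconnaissance half of the story; a full IPS signature for EternalBlue additionally matches the oversized NT Trans and Trans2 secondary requests the exploit itself sends, which is the traffic the firewall log in this post is reporting.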




© 2018 Dr. Chaos 
