top of page


"blogger, InfoSec specialist, super hero ... and all round good guy" 



Eternalblue with Metasploit

Eternalblue is the vulnerability behind major attacks such as Wannacry and NotPetya attacks. Currently it is being incorporated into major ransomware and other types of attacks.

Eternalblue is able to be patched using CVE-2017-0143 to CVE-2017-0148. It originally exposed vulnerabilities in Microsoft SMBv1. Windows XP to Windows 10 may be vulnerable due to specific settings or open ports.

My lab is setup in the following configuration:

Kali Linux (

Firewall (interface1:, interface2:

Windows 7 unpatched for EternalBlue (

You can see from our ruleset that the firewall is completely open and basically acting as a router.

The first thing we want to do is perform a scan to see if the system is vulnerable to Eternalblue. There a few ways to do this, but in my opinion the easiest way is to scan for a specific CVE vulnerability. I will use the SANS article as a reference posted at:

On your Kali Linux system download the Paulino Calderon NMAP NSE script located at:

Next, we will copy the script to our NMAP scripts directory at /usr/share/nmap/scripts/

by issuing the command cp smb-vuln-ms17-010.nse.

Then we will run the NMAP command to run script and scan for our host:

nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_address(es)>

Let’s take some time to go through a few details of that command:

-Pn specifies we are going to assume all hosts are all online and skip host discovery

-p445 means we will only scan specified ports

--open means we only want to see open ports

--max-hostgroup 3 – NMAP can scan multiple hosts at the same time

NMAP will typically scan 5 hosts at the same time. Increasing this number increases the efficiency of NMAP, but the results cannot be provided until the whole group is finished. This creates a delay in real-time reporting.

We are actually limiting the size of this host group. I am not 100% sure why, but it was recommended in the link above. I am guessing the script works better with a smaller host group.

--script – we specify our external script here

<IP> - We enter the IP address, IP range, or netblock we want to scan

After running the command you can see that the system is vulnerable to this CVE.

Our next step is going to exploit the system using Metasploit. This step is pretty easy thanks to the good people at Rapid7 who documented the process at:

Let’s start by launching Msfconsole from our terminal.

We will then load the exploit module by entering the command use exploit/windows/smb/ms17_010_eternalblue.

At this point I like to issue the show options command to understand what I need to enter to make the exploit work.

You can see there are several settings that are required, however most of them have a default value except for two options:

· The first option is RHOSTS which is means Remote Hosts, or our victim.

· The second option is target ID, and there is only one option right now to choose from.

We will enter these options:



We are now ready to run the attack by typing exploit.

The script will take around 30 seconds to run and if successful, we will have an open shell session to the victim system.

When I did this I noticed my Windows 7 system would occasionally reboot, but it seemed pretty random when it occurred.

Now let’s turn on some protection and see what happens.

We are going to add the basic IPS default policy on the external interface of the firewall. This is the interface facing the (potentially) hostile hosts, or in my case my outside interface where my attacker machine is located.

As you can see from the screenshot below the only thing that has changed is the addition of the default IPS policy on the external interface.

Now I want to run the exploit again. Since I am already configured in Metasploit msfconsole I can just simply type in exploit again. If I am not sure if I am still configured correctly I could always type in show options to double check my settings.

You can see this time my exploit fails. Let’s look at the log on our firewall.

You can see the firewall detected the attack and blocked it. All good!

Recent Posts

See All


Commenting has been turned off.
bottom of page