The recent WannaCry & Petya ransomware utilize the EternalBlue exploit to own machines and load malware.
EternalBlue is a remote code exploit targeted at a vulnerability in SMBv1 and NBT over TCP ports 445 and 139.
SMB provides support for what are known as SMB Transactions. Using SMB Transactions enables atomic read and write to be performed between an SMB client and server. If the message request is greater than the SMB MaxBufferSize, the remaining messages are sent as Secondary Trans2 requests. This vulnerability affects the srv2.sys kernel driver and is triggered by malformed Secondary Trans2 requests.
The following is a brief tutorial on how to exploit a Windows machine via EternalBlue.
The attacker starts by opening a terminal and performing an nmap scan on the target machine to identify open ports and the service running on each.
We can see that the target machine located at 10.10.10.xx has both ports 139 and 445 open.
The attacker then uses metasploit to load the exploit and set the options for the payload and exploit.
This is done by selecting the exploit to use, remote host IP, listener IP, and the port to listen on.
Then setting the payload to return a reverse tcp shell.
Once the options are set, the attacker then issues the command to exploit and return a shell on the target machine.
The image below shows the details of the exploit as well as a reverse windows shell now available to the attacker.
Once the attacker has shell access, the command “whoami” can be executed to verify the user.
At this point, post exploitation techniques are used to escalate privileges, load malware, and further enumerate the target machine. The possibilities for an attacker are endless at this stage.
At-least 50% of Windows 7 machines remain un-patched and vulnerable to this attack.
This attack exploits Windows operating systems (XP to Windows Server 2012 & now Windows 10 machines).
Eternalblue will most likely be encountered on penetration tests for many years to come. Home and small business users often have automatic updates enabled and therefore installed the critical patches. Computers and servers in larger businesses are more likely to have automatic updates disabled. System administrators generally roll out updates manually after testing for compatibility. Another commonly overlooked issue in larger organizations are those workstations and servers running legacy operating systems and software inherited from past era’s. These systems are often not maintained anymore and become instantly vulnerable to exploits in the Eternal series.
The following windows software should be updated with Microsoft Security Bulletin MS17-010 – Critical
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2 and R2 SP1
Microsoft Windows 7
Microsoft Windows 10
Microsoft Windows 8.1
Microsoft Windows RT 8.1
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows XP
Microsoft Windows Server 2003.
Basic security advice such as not clicking on suspicious email links or opening links and attachments from unknown senders is also a good way to prevent harmful to your network.
For more information on how you can protect your network from attacks like EternalBlue and email filtering services, contact Ethical Tech Support by clicking the button below: