Categories
Security

EternalBlue

In this post I’m going to do a quick walkthough of EternalBlue, which was developed to exploit a vulnerability in the SMB protocol on Microsoft Windows operating systems leading to remote code execution.

EternalBlue was used in the WannaCry and NotPetya cyber attacks that caused billions of dollars worth of damage.

The purpose of this post is to detail how to determine whether a machine is vulnerable to EternalBlue. Even though EternalBlue was discovered in 2017, it’s still a relevant vulnerability to discuss and protect against.

I already have a Windows 7 virtual machine set up and running on the same virtual network as my Kali Linux machine.

An nmap scan reveals the open ports, in particular we’re concerned with the ports 139 and 445. Also note that nmap identified the Windows version and the SMB information.

I’ll open Metasploit and enumerate SMB to ensure it’s vulnerable to EternalBlue.

It looks like the machine is likely vulnerable to EternalBlue, so I’ll try to exploit it.

Note: Even if the exploit works and we can get a shell, there’s a good chance the machine will crash.

The exploit worked and we got a meterpreter shell. I’ll dump the hashes for later cracking.

The first time I did this machine, even before really knowing how to exploit EternalBlue, it took me only a few minutes. Unfortunately, as I mentioned above the machine crashed pretty quickly due to memory corruption, but the POC is there.

For what it’s worth, if a system is discovered in a real world environment to be vulnerable to EternalBlue it should be patched immediately.