ETERNALBLUE, conducting a history lesson in exploitation

The City of Baltimore was hit with ransomware several weeks ago and a stolen NSA exploit tool called ETERNALBLUE was blamed for it. I have some problems with the journalism in these articles, so I figured it would be better to explain what ETERNALBLUE is and how it works. One thing to keep in mind is that ETERNALBLUE is limited in target selection: it only works on Windows 7 and Windows Server 2008 R2. ETERNALCHAMPION was more than likely used instead because of its far broader target range; it works on all OS versions up to Server 2016. I will explain more below on the differences between these two exploits. Here are two separate news articles blaming the NSA exploits for the ransomware outbreaks.

Before we go through how exploitation works with ETERNALBLUE I feel as though I should provide a history lesson on how we got here in the first place.

In the summer of 2016 a hacking group called the Shadow Brokers stole a very large cache of tools used by the NSA to hack into systems. These tools (sorry, I'm not calling them cyberweapons) were largely zero-day exploits used by the NSA's Tailored Access Operations (TAO) division. TAO (now designated Computer Network Operations) works under the Signals Intelligence Directorate and is one of the largest hacking units the U.S. Government employs. Initially, when the Shadow Brokers popped up, they were using a PGP key to encrypt certain parts of the exploits they had stolen and allowed users to download encrypted caches of the exploits, which I assume was a fail-safe in case the group ever got caught. To my knowledge nobody knows who the Shadow Brokers are, and they have never been caught.

Over time the Shadow Brokers allowed people to decrypt certain parts of the stolen exploits for analysis, because they were trying to sell these exploits for over 1 million USD.

The timeline between patch and global exploitation:

March 2017: Microsoft issues a patch (MS17-010) for Windows operating systems for a critical SMB flaw. At the time it was released I don't think it was attributed back to the stolen NSA tools, although I think Microsoft was fully aware of where this came from.

May 12th 2017: a ransomware outbreak that originally started in Ukraine goes global. This outbreak was directly attributed to ETERNALBLUE. You can read more about that here:

May 19th 2017: Rapid7 introduces a scanner and a Metasploit module that had been reverse engineered to exploit MS17-010 using ETERNALBLUE. The module only targeted Windows 7 and Server 2008 R2 systems.

June 2018: a Metasploit module for ETERNALCHAMPION is introduced. This module was much more effective, as it works on all OS versions up to Server 2016.

So what is the difference between ETERNALBLUE and ETERNALCHAMPION?

Both exploits target SMB and were ported from the Shadow Brokers leak at the same time. ETERNALCHAMPION does not use kernel shellcode to stage Meterpreter the way ETERNALBLUE does. Named pipes were also accessible via anonymous logons (this makes the tool very dangerous, as you can gain direct access to a domain controller unauthenticated). The Metasploit module is also preferred over ETERNALBLUE because it is more reliable. That is my take on the differences.

So today I am going to exploit a 2008 R2 domain controller that is unpatched for ETERNALBLUE. Keep in mind the MS17-010 patch was issued over two years ago.

In Metasploit there are three different modules for MS17-010. I am going to use the original release, which directly uses ETERNALBLUE for exploitation over SMB. Below you will notice that this can only target Windows 7 and Server 2008 R2.

It's important that I point out that the domain, password, and user account options are optional for this exploit. My target host is a 2008 R2 domain controller with the IP address 172.16.2.2.

At this point I have successfully dropped into a shell on this 2008 R2 domain controller by running the exploit command in the ETERNALBLUE module. Notice the first failure when I try to run the exploit. ETERNALBLUE can be unreliable at times and may require you to re-run the exploit against the targeted system if a shell is not achieved.

You can also see at this point that I am running as NT AUTHORITY\SYSTEM. Since I am running as SYSTEM, I pretty much own the box.

By pressing Ctrl+Z I am going to background my session. Since I ran this a couple of times, the backgrounded session is #3.

Next I need to upgrade this shell to a Meterpreter session. This is needed so I can start dumping all hashes on the domain controller via a post-exploitation module by pointing it at my Meterpreter session. Since I have a Windows shell on session 3, I am going to point the shell_to_meterpreter module at that session.

At this point I have both a Windows shell and a Meterpreter session.

I am going to interact with my Meterpreter session. I need to look for an x64 process to migrate to so I can run a domain hashdump post-exploitation module.

In the next screenshot I migrate to a PowerShell process running as x64, and the migration succeeds.

Finally, I am going to gather domain hash dumps off the domain controller using a gather module that is very handy for backing up Active Directory and dumping hashes.

The gather module is running and at this point has made a copy of the NTDS database.

I now have hashes for the Administrator and krbtgt accounts. Since I have the krbtgt account hash, I can go back into my Meterpreter session, run the kiwi extension and forge a golden ticket if needed to maintain long-term persistence.

Next, let's take a look at exploiting the same box with ETERNALCHAMPION. Below are all the options for ETERNALCHAMPION. As I stated earlier, it makes use of named pipes.

This is a list of every named pipe that this exploit checks for:

As you can see below, the exploit takes less time to execute on the host and I'm immediately dropped into Meterpreter. From this point I'm better positioned to exploit access to this domain controller in fewer steps.

So why exploit a domain controller first? If the domain is owned first, you are positioned to spread malware through SMB faster, instead of infecting several client machines and moving laterally through the network to gain additional access until you find an account with admin rights on workstations/servers.

Remediation:

As I explained before, this exploit was patched two years ago. I get it. Every org is strapped, asked to do more with fewer resources and a smaller budget.

  1. Start with patching. Deploy a WSUS server in your infrastructure so you can start getting an inventory of patch levels on member servers and workstations.
  2. Use Nmap and go hunting on your network, taking inventory of the network protocols used in your environment.
  3. Disable SMB1. There are tons of resources on how to do this:

https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/SMB1-Product-Clearinghouse/ba-p/426008

  4. Patch your domain controllers and turn off SMB1. This should be done at all costs to protect your domain and forest. Rebuilding a forest is not a good look for anyone.
  5. Deploy Microsoft LAPS. LAPS is a tool that rotates local administrator account passwords in domain environments.
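As an added example (not from the original post), here is a PowerShell script that does steps 1, 3 and 4 on a single host: it reports whether SMBv1 is enabled, disables it, and checks whether the MS17-010 hotfix is installed. It covers both the Windows 7 / Server 2008 R2 registry method from the KB2696547 article linked above and the Set-SmbServerConfiguration cmdlets on Server 2012 and later; the MS17-010 KB ids differ per OS, so they are left as a placeholder you fill in from the Microsoft bulletin.

```powershell
# Added example: audit and remediate SMBv1 and MS17-010 on one Windows host.
# Run from an elevated PowerShell prompt.
#
# ASSUMPTION: fill this list with the MS17-010 hotfix ids for the OS you are
# auditing (taken from the Microsoft bulletin); the values below are placeholders.
$Ms17010Kbs = @('KB-PLACEHOLDER-SECURITY-ONLY', 'KB-PLACEHOLDER-MONTHLY-ROLLUP')

# Registry location documented in KB2696547 for Windows 7 / Server 2008 R2.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Server 2012 / Windows 8 and later expose the setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 (the post's target): read the SMB1 registry value.
    # A missing value means SMBv1 is enabled, which is the default on those systems.
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method from KB2696547; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

function Test-Ms17010Installed {
    # Compare the installed hotfix ids against the MS17-010 ids for this OS.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

$smb1    = Get-Smb1State
$patched = Test-Ms17010Installed
Write-Host ("{0}: SMBv1 enabled={1}, MS17-010 installed={2}" -f $env:COMPUTERNAME, $smb1, $patched)

if ($smb1) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot Windows 7 / 2008 R2 hosts for the change to apply.'
}
if (-not $patched) {
    Write-Warning 'MS17-010 not found among installed hotfixes; patch this host first.'
}
```

Run it through your WSUS inventory or a remoting loop to get the same two answers for every member server and workstation, and treat domain controllers as the first hosts on that list.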

Shadow Brokers (where are they today?)

Currently their site looks like this:

Along with a signed PGP text file from an August announcement:

They also have a copy of their public PGP key on their site. It was generated on 7/31/2016 and it does not have an expiration date.

The August announcement on the website is also legitimately signed by them.

Aside from this message the account has been dormant, but they are positioned to reactivate if needed. They are operating on ZeroNet, a decentralized internet service that runs over Tor.

Until next time folks…