Exploiting Eternalblue & DobulePulsar MS17-010

By -


Exploiting Eternalblue & DobulePulsar MS17-010  (A root behind of Mass attack of WannaCry and Petya malwares)
Brief Description: This exploitation uses the buffer over vulnerability in SMBv1 of windows OS. Without going in detailed technical analysis about the vulnerability, this document shows the exploitation of 32 Bit Windows 7 OS using metaSploit provided within Kali. 
Pre-requisites
       Target Windows 7 32Bit OS with running 445 Port with SMBv1 protocol. (Windows OS runs default with 445 Port)
       Attacker Up-to-date Kali Box with metaSploit with 
1.       smb_ms17_010.rb ruby script to check MS17_010 vulnerability check on target. Download Link: https://github.com/rapid7/metasploitframework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb  
2.       Exploit code Eternalblue-Doublepulsar-Metasploit
Download Link: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git  
3.       VMWare having above 2 box deployed and running with Network Adaptor set to NAT.
In below demonstration below are the IP configurations of Target and Attacker machines.
Kali Box IP is: 192.168.29.130
Windows Box IP is: 192.168.29.129
Steps to exploit:  In your Kali Box
1.       Firstly run apt-get update && apt-get upgrade on terminal
2.       And then apt-get install wine or wine install (don’t worry about reflected error if any)
3.       Now copy smb_ms17_010.rb file at location root/usr/share/metasploitframework/modules/auxiliary/scanner/smb/
4.       From downloaded Eternalblue-Doublepulsar-Metasploit folder copy  eternalblue_doublepulsar.rb  file at root/usr/share/metasploitframework/modules/exploits/windows/smb/
5.       Now open the  Metasploit framewokr on terminal with commands msfconsole you will be the msf console and run  reload_all command as below
Use use exploit/windows/smb/eternalblue_doublepulsar as below and set target as RHOST 192.168.29.129 and check with options

Hit the run command and result shows target windows machines is vulnerable to smb_ms17_010.
Now for exploiting the target use the exploit module “exploit/windows/smb/eternalblue_doublepulsar” and set all the various options as given below:
Finally run the exploit as below and hurrey….. we got a shell on target machine. 

Further we can run any Post exploitation commands and utility with the available meterpeter session to do anything with the compromised machine.

Comments

Post a Comment

Popular posts from this blog

Payment Gateway Security Testing Checklist

By -
Below given are some of the possible testing scenarios, which may prove to be useful in performing payment gateway testing. Whether all the types of payment options available through the payment gateway are selectable or not.  Whether each payment option is showing its specification and requirements after being selected by the user.What happens, after the failure of the payment process or if the session ends.  To check, if the payment gateway is allowing to enter data in the blank fields of the card number, card name, expiry date and CVV number.  To examine, how the payment gateway system behaves or responds, after leaving one or more fields, blank such as leaving CVV number field, blank, etc.  Whether the user is being redirected to the application page, after the successful completion of the payment process.  Applying language change, during the payment process. Checking successful integration of
Read more

Network Security VAPT Checklist

By -
Network Security VAPT Checklist Lets talk about the scope first. If you are given a 500 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc. Any single FTP software version (for example pureftpd 1.3.3a) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest. Ø   Identify live hosts ·          Ping ·          Hping ·          Nmap Ø   Identify OS type ·
Read more

How to dump Database using Sqlmap

By -
Image
Database Dump using SQLMap Find out the parameter of application that is vulnerable to SQL injection . Vulnerable Parameter  : “User ID” Enter ‘ and then click on Submit button. will get the SQL Error. Now Intercept the Request in burp. Copy the incepted request and save it in sqlmap installed directory. Open CMD and go to the directory where SQL map is installed (C:/sqlmap) and type sqlmap.py –r sqlinjection (filename) –-dbs and then enter. (dbs is used for dump database name). Then type Y and enter. Type N and enter, it display all the database . Now we have to find out the table in database. Type sqlmap.py –r sqlinjection –D dvwa(database name) –tables.     In the above snap we got the table name in dvwa database. Then we have find out the column name. type sqlmap.py –r sqlinjection –d dvwa –T users –column. Now we are going to dump the userid and password from column. Type sqlmap.py –r sqlinje
Read more