EternalBlue Exploit Tutorial - Doublepulsar With Metasploit (MS17-010) Video Lecture | Get to know Ethical Hacking (English) - Software Development

[Music]
hey guys hackers Floyd here back again
with another video and welcome to the
eternal blue exploitation guide alright
so again this is also another requested
video that was a long time in the making
I just didn't have time to completely
cover it and some of you pointed that
out so I'm gonna be following this video
requests as they were posted and this
was one of them so let me start off by
saying or let me start off by explaining
what eternal blue is how the exploit
works and how it all came to be alright
so let me just start off by saying the
eternal blow exploit was developed by
the NSA which is the National Security
Agency in the United States and
essentially what happened or how it was
released is that there was a there were
a few testimonies from NSA employees and
it was a leaked by the shadow brokers
hacker group if you remember on April 14
2017 so it's around about out for a year
now and it was then utilized worldwide
for the wanna cry ransomware attack so
it was used to to share the ransomware
all around the world all right it was
then also used to carry out the 2017 not
petty a cyber attack that took place you
know in June 2017 and then was was used
to in a few banks to do to spread
trojans around about September all right
so that's what the exploit is now
talking about how it works it's really
very simple to understand how it works
is firstly it is it's an exploit that is
based or exploits Microsoft alright and
I said it's Microsoft all right now what
does it exploit well it exploits SMB the
SMB protocol which is as you know is a
server message block that's what it
stands for it's a server message block
protocol and the the exploit is denoted
under the the entry CVE 2017 0 144 and
essentially what happens is the
vulnerability exploits the SMB version 1
which
is exists in various in the different
versions of Windows and essentially what
it does is it mishandles especially
crafted packets and that are being sent
from the remote hackers and essentially
allowing this allows the hackers to
execute arbitrary code on the target
computer alright so we are here in Cali
Docs and we are going to be using
Metasploit to exploit the eternal blue
vulnerability now most of you guys might
be asking can you tell us more about
what type of criteria it works under
well essentially it's going to work with
with Metasploit that's how you would
perform the exploit and you can perform
this on any Linux computer running
Metasploit or as many of you have
pointed through the Metasploit framework
alright so when it comes down to what
type of requirements you need is
obviously you need the latest version of
Metasploit so hopefully you have updated
the database you then need to have wine
32-bit installed and you need to have
the 32-bit architecture installer and
kali linux so that you can install
32-bit pieces of software alright so
make sure you have one installed now
again you might be asking what versions
of Windows does it work on well as far
as I am concerned it works on all these
service packs on Windows 7 it works on
both architectures 32-bit and 64-bit and
furthermore it works on Windows Server
2008 now I'm not too sure because I'm
not 100% confident that a lot of people
are using Windows Server 2008 most
people are using Linux servers but the
real danger of this attack comes in him
in the in the in the form of Windows 7
and some of you might be thinking well
how does that really work out I don't
use Windows 7 so how does it how is it
commonly as well the truth is most
damage is done to organizations and most
organizations that I know at least are
running Windows 7 so you can see the
threat that this poses and again that's
what was targeted during the ransomware
attacks it was used to target
organizations not individuals so usually
what would happen is you'd connect to a
network of computers and spread out the
ransomware using the eternal boo exploit
which i'll show you how extremely easy
it is to exploit now I'm running a
seven virtual machine it is I think the
32-bit I'm sorry 64-bit service pack 3
so you can see it's working now again a
lot of you guys are going to really bash
me for not running a genuine version of
Windows but that's because I don't have
the serial key and I've already
activated my computer my laptop actually
that's running Windows 7 I used it as a
media server that being said it'll not
affect anything here so as you can see
it's running the service pack 3 and if I
just open up my command prompt and I
type in ipconfig just to get the local
like the address you can see it's
running on my local area network has one
eighty two point one sixty eight point
one point 105 this exploit will work
computers are own computers outside your
local network if you set up port
forwarding by the way that's going to be
the next video coming right up because
it was also a very highly requested
video showing you how to set up port
forwarding so you can perform attacks
like this with Metasploit and rats
remote access tools alright so back in
to Kali Linux and I have a few links
opened up here the links will be in the
description first and foremost I have
the rapid7
exploit the the exploit name and it's a
in it's in the database sorry about that
so as you can see it falls under the
exploit modules our exploit windows SMB
and the microsoft 1710 eternal blue
alright so you can just go ahead and
read through what this does it
essentially uses the buffer overflow it
exploits the buffer overflow and we'll
be looking at that in a few seconds but
not what you will require is you will
require the scanner the auxilary scanner
for this exploit i'll be posting the
github repository down below and you
will need the 11 parts eternal blue
double pulse Metasploit exploit that
works exclusively to exploit windows as
you can see i have it on my desktop so
what you want to do is you you don't
need to clone this this is essentially
the scanner that will test your target
operating system to see whether it's
vulnerable and I'll show you how to use
it right now and then finally you have
the exploit which you need to download
and once you have downloaded make sure
just download it to your desktop first
OH
recommended one is to download it to
your root your root directory where the
Metasploit folder lies so once you have
downloaded copy the depths folder and
the eternal blue dot Ruby exploit here
and just copy them and you want to go
into your root so I'd recommend that
your in your root directory so I'm going
to go into my computer here and I want
to go into my root and we're looking for
the Metasploit the Metasploit folder
here and you then want to go into
modules exploits windows SMB and you
want to paste it in here as I have done
all right now if this folders do not
exist you might want to connect your
database but if you'd still don't want
to do that you you just need to create
exploits windows and and the SMB folder
and paste three the depths and the
eternal Blue Dog pulsar script here
alright so once you've done that you
should be able to use this script now
for the scanner well you can essentially
just close this but before we get
started make sure that you have let me
just open up a new terminal here make
sure that you have updated your
distribution make sure that you've
installed wine 32-bit so I have to get
installed wine 32-bit make sure the
install wine 32-bit and then you want to
make sure that you can actually use wine
sorry so to use wine what you would do
is if I just open up the help menu here
oops
wine help and what you want to do is run
the program wine program and you would
provide the arguments but for me I've
not provided any arguments and I've
actually not used the correct syntax so
essentially what you need to do is just
write just run wine program to create
the wine folder for you if I just go to
home and as you can see I have the wine
folder here just make sure that this
wine folder is created alright it's very
important because wine is very mandatory
for this alright so now we're gonna go
into the Metasploit framework and
remember you need to have the IP where
the local or or public IP address for
your target and we are firstly going to
use the scanner all right so the scanner
is really very simple or all you need to
do is because it's an auxilary you just
need to go here and it's an auxilary
scanner SMB alright so
use oops of ciliary auxilary scanner and
we want to make sure it's auxilary
scanner SMB and we select these the name
there so SMB scanner SMB and we give the
name which is the the SMB ms7 ms 1710
all right so I'm just gonna copy that
there and we're just gonna paste that
and then I'm gonna hit enter and as you
can see it's gonna give me the options
and it's successfully showing me that I
can use it let me just expand this and
let me clear everything out so this is
the scanner that will test your target
to see whether it's vulnerable to the
eternal blue exploit so I'm just gonna
show options if you remember the
Metasploit syntax and as you can see the
only thing you need to change is our
hosts and the reason it's our host is
because you can scan the entire network
range for example if you're trying to
test the entire network for this
vulnerability so but in this case I'm
only testing one computer so I'll say
set our hosts our hosts and my local IP
for the target Windows 7 operating
system is 192.168.1.1 o 5 now if you
have set up port forwarding then you
should post the local IP here and the
airport is 4 4 but the airport is 4 4 5
just in case you know that that is the
default SMB port as I'm sure most of you
already know if you want to provide a
Windows domain to use forth
authentication you can do again you can
use a password and user name if that's
what you want as well alright so I'm
just gonna hit enter and I'm gonna hit
run or scan
oops sorry run my bad and it's gonna run
and as you can see host is likely
vulnerable to the DMS 1710 windows 7 oh
and it is running Service Pack 1 anyway
it's running the 32-bit and there we are
so host is likely infected with double
pulse our architecture 32-bit so we do
know that it is vulnerable and now what
we need to do is we now need to use the
exploit so you might be asking how do we
use the exploit well it's really very
simple remember we saved it in our
exploits folder under the Metasploit the
Metasploit folder so Metasploit by the
way if you can't find these files make
sure you have enabled show hidden files
or you can do it with
through your terminal or using the
Nautilus launcher so Metasploit modules
exploits so it's in exploits so we say
use exploits use exploits windows SMB
use exploit windows SMB and we want to
select the eternal blue double pulsar
alright so eternal blue underscore
double pulsar and once that is done hit
enter and as you can see it should
accept it that if you've saved it to
your local directory there we are so no
we should all be good and now we just
need to set our settings or our options
so options and let me just expand that
so we can see what we need to set so let
me just do that again because I just
want to make sure you can see everything
alright so the things you need to
confirm are that it's got the double
pulse our route kept correctly the
directory sorry so this make sure it
belongs or it lies in the root folder
under the eternal blue double pulse or
Metasploit folder alright so as you can
see all of these settings are required
and by default most of them have been
set for you the only thing we need to
set is the our host here and the process
inject which we are going to change to
the Windows Explorer dot exe all right
that's because we once we exploit that
it's going to create a reverse
meterpreter shell that will give us a
reverse access a shell or reverse
accesses of just method as I've just
mentioned part on me all right so the
first thing we're going to do is we're
going to set our our host which is the
target IP 192.168.1.1 o v and we hit
enter we then want to set the process
inject which is set process inject
process inject and we're going to change
that to Explorer dot exe I'm pretty sure
you know what Explorer dot exe is if you
have been using Windows for a long time
we're gonna set enter you can set it to
whatever process injection you want to
but this is the one that would work you
then want to change your target
architecture if that's what you want as
well now I'm not sure what mine is
because it gave me a few weird changes
here so it is running the 32-bit the
service pack 1 properties and yeah it is
32-bit so we leave it as default
and what we need to set now is if make
sure that your wine path is set to the
root wine and the drive see that's very
important and I think that's all the
options so let me just check the options
here and as you can see if you look at
the ID here it gonna tell you Windows 7
all service packs a 32-bit or 64-bit so
it doesn't matter what service pack
you're using it should work so now I'm
just gonna hit run and hopefully it
exploits it for us and gives us the
reverse shell alright so I'm going to
run and give it a few seconds it should
show you some results directly there we
are generating the payload DLL launching
eternal blue backdoor is already
installed and the meterpreter session 1
is open and there we are we have the
metadata session and there you are you
have successfully you have successfully
updated whoops actually should have
launched it I should have actually given
my comments directly anyway that being
said I'll actually show you that it it
does actually work so what I was talking
about is you can imagine the potential
damage that this can cause on an
enterprise level for example you know
hacking a company on Wi-Fi or on land if
you just have access to the to the
network am talk you know and this is not
only applies to businesses but imagine
if you were to do this on your College
Network not that I am encouraging that
in fact I'm going to pass out the
disclaimer right now that I am NOT going
to be held responsible for any of the
damage that that you know can be done so
I've heard many stories of students
hacking into their school network and
copying the you know the exam papers and
that stuff and you can definitely do it
and for those of you who are still
skeptical as to how this attack is how
this attack is so bad well I can just
show you something here if you know the
material commands you know that you can
run the LS command here and that will
display all the files in the directory
and we're inside the windows directory
so I'm just going to go back a few
directories and we should be able to see
yeah there we are we in program blame
the seat drive right now and we can
change into users and you can go to the
desktop users documents you can explore
the entire drive you can delete files
you can download files from there into
your entire working directory and I'm
pretty sure you know download file
really very simple you just leave it
download I'll be I'll be making a video
on how to use the interpreter if you
guys are not to show so meanwhile we can
just say download but first let me just
explore the users because I haven't used
this virtual machine anyway so CD users
oops users and we can list the files in
there so CP Alexis so there were CD
Alexis and we list the files in there we
can see that we have let's go into the
desktop so CD Alexis desktop list of
files in there nothing really desktop
dot ini' so you can just hit download
and once you download remember to
specify the DD C Drive and then sorry
that's backslash backslash and then you
select your users so for example users
and you can then select your users
Alexis
desktop and then again desktop not any
desktop not any and still I can't get
through it but anyway as I said it's
probably going to be the reason because
we have launched this from the explorer
dot exe directory which lies in the
system 32 so you probably have to launch
the you probably have to select the
directory from that directory being the
root directory alright that being said
you can see that you can go ahead and
change the files you want to edit you
can execute a exe files if you want to
on that computer and by default you can
see if we just launched the Windows 7
operating system that is currently
working just fine
so there you have it guys for those of
you asking for the eternal blow exploit
here it is I'll be posting all the links
in the description and it's really very
very simple a very simple procedure for
exploiting a system and yeah that's
gonna be it for this video guys if you
have any questions or suggestions let me
know in the comment section on my social
networks or you can post a question on
my website I hope you found value in
this video if you did please leave a
like down below that would be really
appreciated and I'll be seeing you in
the next video P
[Music]