At the second meeting of the GreyHat Cyber Security Club, I demonstrated the EternalBlue exploit. EternalBlue abuses a flaw in the SMBv1 implementation to achieve remote code execution on many versions of Windows. Microsoft released updates (MS17-010) that patch the vulnerability, but not everyone updates regularly 🙂
What is SMB? Server Message Block is the protocol Windows uses for file and printer sharing, including HomeGroup and ordinary Windows file sharing. It listens on TCP port 445.
When I was in high school I discovered that you could actually open port 445 to the internet through your router, and then, if you knew your public IP address, you could access the files on your Windows PC! This was an amazing discovery for a 15-year-old at the time. I also felt really smart for discovering this without following any tutorials. However, now I see how dumb that was. This vulnerability probably existed for about 10 years and, reportedly, nobody but the NSA knew about it. The best way to protect yourself from this exploit is good firewall rules and good patching habits.
To demonstrate the exploit, I used the Metasploit Framework and the MS17-010 exploit module (MS_17_010.rb) from Rapid7. I had a Windows 7 virtual machine and a Kali Linux virtual machine running on my Ubuntu PC. The Windows machine was configured to be on a home (private) network with file sharing turned on. (File sharing is usually on if you are in a HomeGroup or on a home network.)
I launched the Metasploit Framework and ran the exploit. It was quite simple: after a couple of seconds I had shell access to the Windows virtual machine.
A few important points:
This vulnerability is patched. If Windows has the MS17-010 update installed, the EternalBlue exploit does not work. Disabling SMBv1 altogether removes the attack surface even on a machine that has not been patched.
Even without the latest updates, the Windows Firewall can still block this exploit: if you set your current network to Public, inbound file sharing on port 445 is blocked and the exploit does not work.
The attacker must be able to reach TCP port 445 on the target; otherwise the payload cannot be delivered. If the PC is behind a router or firewall and the port is not forwarded or open, this does not work.
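The three points above boil down to one question you can test from the Kali box (or from a defender's workstation after hardening): is TCP port 445 reachable, and does the host still negotiate the SMBv1 dialect that EternalBlue needs? The script below is an added example written for this post; it is not part of the original write-up or of the Metasploit module. It hand-builds an SMB_COM_NEGOTIATE request that offers only the SMBv1 dialect "NT LM 0.12" and classifies the reply: a server that accepts it still has SMBv1 turned on, one that answers with an SMB2 header or simply closes the connection does not, and a refused or timed-out connection means the firewall or router is doing its job. The host name is a placeholder you must replace with a machine you are authorised to test.

```python
import socket
import struct

# Dialect list offered to the server: only the SMBv1 dialect EternalBlue relies on.
DIALECTS = [b"NT LM 0.12"]


def build_smb1_negotiate(dialects=DIALECTS):
    """Return a NetBIOS-framed SMBv1 SMB_COM_NEGOTIATE request (bytes)."""
    # 32-byte SMB1 header: protocol id, command 0x72 (NEGOTIATE), NT status,
    # flags, flags2, PIDHigh, 8-byte signature, reserved, TID, PIDLow, UID, MID.
    # Flags/flags2 are typical client values; the server does not care much for a probe.
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72, 0, 0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, 0,
    )
    # Each dialect is encoded as 0x02 + ASCII name + NUL.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount, dialects
    smb = header + body
    # NetBIOS session service header: type 0x00 followed by a 3-byte big-endian length,
    # which is exactly what a 4-byte big-endian length gives for messages under 16 MiB.
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data):
    """Classify the raw bytes a server returned to the SMBv1 negotiate probe."""
    if len(data) < 4:
        return "closed"            # connection dropped: SMBv1 is not offered at all
    payload = data[4:]             # strip the NetBIOS session header
    if payload[:4] == b"\xffSMB":
        if len(payload) >= 35:
            word_count = payload[32]
            # First parameter word is DialectIndex; 0xFFFF means "none accepted".
            dialect_index = struct.unpack_from("<H", payload, 33)[0]
            if word_count > 0 and dialect_index != 0xFFFF:
                return "smb1"      # server negotiated NT LM 0.12: SMBv1 is enabled
        return "smb1-rejected"     # SMB1-framed reply but no dialect accepted
    if payload[:4] == b"\xfeSMB":
        return "smb2"              # server only speaks SMB2/3
    return "unknown"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the negotiate request and report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            return classify_negotiate_response(sock.recv(1024))
    except OSError as exc:         # refused, timed out, unreachable: port 445 is blocked
        return "unreachable: " + exc.__class__.__name__


if __name__ == "__main__":
    # Placeholder target (assumption for this example); point it at your own lab VM.
    print(probe_smb1("192.0.2.10"))
```

A result of "smb1" on a host you did not expect it from means either the network profile is not Public, the firewall rule for file sharing is open, or SMBv1 was never disabled; "unreachable" or "closed" is what you want to see from the internet side of a home router. The same reply classification works on port 139 if a legacy NetBIOS-over-TCP listener is exposed.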