Eternalblue Windows SMB Exploit

Last Friday 14 April ‘The Shadow Brokers’, a group that claimed to have stolen hacking tools from the NSA, has leaked a new set of exploits affecting Windows systems. The latest leak has a size of approximately 300 MB and affects modern Windows systems as well. One of these exploits is named Eternalblue. Eternalblue is a remote exploit that exploits a remote code execution vulnerability via SMBv1 and NBT over TCP ports 445 and 139. The current Eternalblue exploits target Windows operating systems from Windows XP to Windows Server 2012. Newer Windows systems, such as Windows 10 and Windows Server 2016, remain untargeted for the moment. It is most likely a matter of time before the exploits are modified to target these systems as well. A positive but mysterious thing to mention is that the vulnerabilities have been patched by Microsoft in March. This happened exactly one month before the exploits were released to the public which indicates that Microsoft was informed one way or another. Nevertheless patches are available and are addressed by MS17-010.

Eternalblue Patches

Despite that these vulnerabilities have been patched by Microsoft before they were released to the public, Eternalblue will most likely be encountered on penetration tests for many years to come. Home and small business users often have automatic updates enabled and therefore installed the critical patches last month. Computers and servers in larger businesses are more likely to have automatic updates disabled. System administrators generally roll out updates manually after testing for compatibility. Another commonly overlooked issue in larger organizations are those workstations and servers running legacy operating systems and software inherited from past era’s. These systems are often not maintained anymore and become instantly vulnerable to exploits in the Eternal series.

Eternalblue doublepulsar

Successful installation of the backdoor on Win XP using Fuzzbunch, Eternalblue and DoublePulsar.

Testing for Eternalblue in the Virtual Hacking Labs

At the Virtual Hacking Labs we always try to create scenario’s that are similar to real life scenario’s as possible. In some situations this means that we’re not changing anything at all and leave vulnerable machines unpatched. This results in Windows machines that become vulnerable to recently discovered exploits. This is exactly the case with the exploits from the Eternal range, including Eternalblue. This way the Virtual Hacking Labs provides all members and students to practice the usage of Windows exploits in a safe and legal way. Start testing now without the hassle of setting up your own vulnerable machines to practice.

Are you ready for testing Fuzzbunch, Empire and Eternalblue? Sign-up for the Virtual Hacking Labs now!.