Eternal Blue exploit!
Welcome back to another exploit tutorial! This one is more of a proof of concept, because the exploit will not succeed, and I will show and explain why as we go. A lot of people ask how to exploit a remote IP address. There are plenty of tutorials on how modules work on an internal network, but almost none cover an external target. So let's say a company hires us as pentesters and wants us to exploit them remotely, or at least test whether it can be done. How would we go about that? One approach is to use a VPS as the external target. We will be using the Metasploit module for the EternalBlue SMB vulnerability, located here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb
We are going to load this module into Metasploit; in the newest Kali version it should already be included.
In this tutorial, our remote IP address will be 5.XX.XX.41 and our local IP will be 207.XX.XX.182. I have blocked out part of each IP in the pictures for security.
The first thing we'll do is turn off Windows Firewall on the VPS and then ping the remote IP 5.XX.XX.41 to see if it's alive. We successfully receive a response back, and in the picture below you can see the ping arriving on the VPS in NetworkMiner.
So we know we can reach the remote IP/VPS. Great! Let's set up the exploit.
Now we will fire the exploit at the remote VPS!
We can see the exploit module reports the exploit as successful, but we don't get a reverse TCP session back to our machine. What's going on with that!? Let's do some investigation...
Let's run an nmap scan on the remote IP 5.XX.XX.41.
Now we can see that port 445, the SMB port the vulnerability is reached through, is in a filtered state. Also, NetworkMiner picked up a lot of traffic when nmap scanned intensely for any open ports on the remote IP.
If you want to scan specifically for port 445 instead of all open ports, you can run the command shown in the picture below.
Well, my friends, this exploit is not going to work, because the VPS provider has locked down port 445. This is actually a good thing: it tells us the provider is securing ports properly. When a port comes back as filtered, a firewall or IPS is dropping the packets, so you will not receive any response from the VPS server, and no SMB exploit can reach the service behind it.
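To make the three nmap port states concrete, here is a small added example (not from the original post or the Metasploit project) that classifies a single TCP port the way nmap does: a completed handshake is "open", an RST from the host is "closed", and no answer at all (or an ICMP unreachable) is "filtered", which is the state a firewall or IPS dropping SYNs to 445 produces. The demo only probes loopback ports it creates itself plus the reserved TEST-NET-1 address 192.0.2.1, which is never routable, so it runs offline; the host and port names are assumptions for illustration.

```python
import socket
from contextlib import closing

STATES = ("open", "closed", "filtered")


def classify_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port using a plain TCP connect.

    Mirrors how a connect scan labels a port: handshake -> open, RST -> closed,
    silence or ICMP unreachable -> filtered (something dropped or blocked the SYN).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            # The host answered with RST: reachable, but nothing listening.
            return "closed"
        except (socket.timeout, TimeoutError):
            # No reply within the timeout: a firewall/IPS silently dropped the SYN.
            return "filtered"
        except OSError:
            # e.g. "No route to host" / network unreachable from an ICMP error,
            # which a scanner also reports as filtered rather than closed.
            return "filtered"


def _free_loopback_port():
    """Ask the OS for a currently unused loopback port (constructed test input)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed demonstration: one listening loopback port, one closed loopback
    port, and one never-routable TEST-NET-1 address standing in for a firewalled
    host. Returns a dict mapping the expected state to the observed state."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    closed_port = _free_loopback_port()
    try:
        results = {
            "open": classify_tcp_port("127.0.0.1", open_port),
            "closed": classify_tcp_port("127.0.0.1", closed_port),
            # 192.0.2.1 is reserved documentation space (TEST-NET-1); SYNs to it
            # are dropped or rejected upstream, which is what 'filtered' looks like.
            "filtered": classify_tcp_port("192.0.2.1", 445, timeout=1.0),
        }
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    for expected, observed in demo().items():
        print(f"expected {expected:8s} -> observed {observed}")
```

Run it against your own VPS's SMB port (`classify_tcp_port("5.XX.XX.41", 445)`) after changing a firewall rule to confirm the provider-side filtering is still in place; a result other than "filtered" means 445 is now reachable from the internet and the firewall change should be reverted.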
Happy pen testing!