The Shadow Brokers released a massive trove of Windows hacking tools and exploits allegedly stolen from the NSA. The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, but not Windows 10 or Windows Server 2016.
A GitHub repository containing the dump is available here: https://github.com/misterch0c/shadowbroker
But after analyzing the disclosed exploits, Microsoft's security team says most of the Windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, were already patched in last month's Patch Tuesday update.
The Microsoft team said so in a blog post published on April 14, 2017.
Among the Windows exploits published by TheShadowBrokers, ETERNALBLUE is the only one that can be used to attack Windows 7 and Windows Server 2008 without needing authentication.
For successful exploitation, I will be using FuzzBunch, the NSA's equivalent of Metasploit.
Here is the Nessus scanner result for MS17-010 (SMBv1):
For exploiting MS17-010, I have configured the following in my lab:
- Windows 7 x86 – target machine
- Kali Linux – attacker machine running PowerShell Empire/Metasploit
- Windows XP – attacker machine running EternalBlue and DoublePulsar
Open the command prompt and type python fb.py to launch FuzzBunch, then set the target IP address and the attacker IP address.
Note: the "Callback IP address" is the attacker IP.
The next step is to select the exploit; here I have selected the EternalBlue exploit.
Now, let's run the exploit and wait for the result.
As expected, the EternalBlue exploit succeeded.
Now, create a malicious DLL to inject onto the target machine using PowerShell Empire or Metasploit.
Type use doublepulsar in the command prompt to select the DoublePulsar payload.
The configured malicious DLL files:
Launch the attack on the target machine:
As expected, the payload is successfully injected on the target machine.
The PowerShell Empire agent received connections from the target machine:
Active agents in the attacker box:
Running Mimikatz on the target machine:
After backdooring the target machine with DoublePulsar, Nessus shows:
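As an added defensive check that is not part of the original post: the walkthrough above only works because the Windows 7 target exposes SMBv1 and lacks the MS17-010 fix, so this PowerShell snippet reports both conditions on a Windows 7 / Server 2008 R2 host and can disable SMBv1. It assumes the LanmanServer\Parameters\SMB1 registry value documented by Microsoft for that Windows generation, and the KB IDs are the March 2017 updates for Windows 7 / 2008 R2 (later rollups supersede them).

```powershell
# Added defensive check, not code from the original post or from FuzzBunch.
# Assumes the Windows 7 / Server 2008 R2 registry layout for the SMBv1 server
# switch (LanmanServer\Parameters\SMB1). Run from an elevated prompt.
# Use -Disable to turn the SMBv1 server off (takes effect after a restart).
param([switch]$Disable)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# An absent SMB1 value means SMBv1 is enabled (the default on Windows 7 / 2008 R2).
$smb1 = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
if ($enabled) {
    "SMBv1 server: ENABLED (reachable by EternalBlue-class exploits if MS17-010 is missing)"
} else {
    "SMBv1 server: disabled"
}

# March 2017 updates that carried the MS17-010 fix for Windows 7 / Server 2008 R2:
# KB4012212 (security-only) and KB4012215 (monthly rollup). Newer rollups
# supersede them, so "not found" is a prompt to verify via WSUS or the srv.sys
# version, not proof that the host is unpatched.
$kbs = 'KB4012212', 'KB4012215'
$installed = Get-HotFix |
    Where-Object { $kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID
if ($installed) {
    "MS17-010 update present: $($installed -join ', ')"
} else {
    "No March 2017 MS17-010 update found; check for a superseding rollup"
}

if ($Disable -and $enabled) {
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    "SMBv1 server disabled in the registry; restart the host to apply"
}
```

Disabling SMBv1 removes the transport EternalBlue and the DoublePulsar backdoor rely on, but it does not replace applying the MS17-010 update itself.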