MS17-010 RCE Vulnerability & Exploit

Let's talk about the very famous vulnerability MS17-010, popularly known by several names: EternalBlue, EternalSynergy, EternalRomance and EternalChampion. This vulnerability in SMBv1 gives an attacker a pretty straightforward path to remote code execution (RCE) with Administrative privileges, especially on Microsoft Server 2012 R2 and Server 2016, leading to a massive compromise. Windows 7 and Windows 10 also come into this list, but still, a Server is a Server. In short, an attacker can own the system by sending specially crafted packets to the Server, which the server fails to handle correctly.

The Common Vulnerabilities and Exposures (CVE) entries are CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.

Well, SMBv1 is old and SMBv2 is now available; even so, as per my personal interaction with Feroze Ashraff, one of the experienced IT professionals in New Zealand, who concluded that, due to frequent compatibility issues, SMBv1 still wins the race and continues to be used in most organisations.

Apart from this, the patch for this vulnerability plays a critical role, as it is only available through Windows Update and is not easy to apply. Below is the screenshot of the HotFixID of the patch for Server 2012, all editions:

As mentioned above, patching this vulnerability is not that easy, as you may need to go through some other patch re-installations. Below is the screenshot showing the issues faced while patching this vulnerability, with the error information:

The best way to check for the patch on the system is to use the shell command:

wmic qfe get Description,Caption,HotFixID,InstalledOn
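The wmic output above has to be read by eye; the PowerShell script below is an added example (not from the original post) that pulls the same hotfix data filtered to the MS17-010 KB IDs and also reports whether SMBv1, the vulnerable protocol, is still enabled. The KB IDs in $Ms17010Kbs are placeholders to be filled from the Microsoft bulletin for the host's OS build; Get-HotFix and Get-SmbServerConfiguration are standard cmdlets on Server 2012 and later.

```powershell
# Added example: MS17-010 exposure check for a Windows Server 2012 R2 host.
# Placeholder KB IDs: replace with the hotfix IDs listed in the MS17-010
# bulletin for this OS build (the HotFixID column wmic qfe shows).
$Ms17010Kbs = @('KB_PLACEHOLDER_SECURITY_ONLY', 'KB_PLACEHOLDER_MONTHLY_ROLLUP')

# 1. Patch check: same source as "wmic qfe", but only the relevant hotfixes.
$installed = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
if ($installed) {
    Write-Output "MS17-010 hotfix present:"
    $installed | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "None of the MS17-010 hotfixes is installed on this host."
}

# 2. Protocol check: if SMBv1 is off, the vulnerable code path is unreachable
#    even on an unpatched host (compatibility caveat: old clients need SMBv1).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is ENABLED. To disable it (admin, restarts the Server service):"
    Write-Warning "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    Write-Output "SMBv1 is disabled."
}
```

Run it in an elevated PowerShell prompt on the server itself; Get-HotFix also accepts -ComputerName for checking remote hosts.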

The screenshot below shows the critical rating Microsoft gives this vulnerability:

So far, I have highlighted the basic information on this vulnerability and how critical it is. Moreover, ransomware is also using one of these vulnerabilities.

In addition to this vulnerability, as per my knowledge, there are two more things, at least one of which is required for the exploit to work. These are:

  1. Anonymous login to NAMED PIPES (its restriction disabled), or at least one NAMED PIPE listed in the anonymous login list under Local Security Policy.
  2. At least one non-admin user's credentials.

I will be discussing the above points with a practical video for better understanding in the coming section.

In the next section, I will show the reconnaissance and the different modules of the MS17-010 exploit used to break into a Server 2012 R2/Server 2016, with detailed explanations. Let's do a penetration test using Kali Linux on Server 2012 R2.

In this scenario, I am going to take Microsoft Server 2012 R2 on a virtual machine as the target. I will be using Nmap, Metasploit and Medusa against the Server 2012 R2. Let's break this into parts. First, let's check what Nmap shows about the target machine.

As you can see, port 445 is open for SMB services, so now we can check for more options. One thing that can be done is a dictionary or brute-force attack on this service to get the Administrator password, but this is basically not recommended, as it generates a lot of log entries. Still, for this article, let's do it before we get into the next section, NAMED PIPES, and further exploitation techniques.

So below is the video of password cracking using Medusa:

Now, so far we have just found the password for the Administrator, but let's set that aside, as we need to check for more options in case we fail to crack the password (and, as noted, it's not recommended because it gets logged).

If we don't have the password, or we fail to crack the password for Administrator or any non-admin credentials, what else can we search for? Here NAMED PIPES come into play. By default, anonymous access to NAMED PIPES is not allowed, but there is still an option to include some pipes in a list that can be accessed anonymously, as shown in the screenshot below:

In the following video we will use Metasploit to check for the available pipes that can give remote access to the Server, and we will also check the MS17-010 modules for various purposes. Before that, let's see what NAMED PIPES are, from the screenshot below:

Now I guess you see why NAMED PIPES are like a goldmine for an attacker. OK, now it's time to get our hands a bit dirty. Let me take you to the Metasploit Framework and show the exploit for this famous vulnerability step by step using Kali Linux...

By now you should have a clear picture of how we can break into a Server using either Named Pipes or any credentials. In the next section we are going to cover what we can do once we are inside the Server 2012 R2. Let's write out some things we can do:

  • Changing the Administrator password and other account-related things
  • Using shell commands to open up the port and service for Remote Desktop (RDP)
  • Netcat installation for persistence (optional)
  • Cracking hashes using John the Ripper (JTR) for other users, if any
  • Pivoting into other host machines (advanced)
  • Uploading/downloading files, uploading ransomware and running it remotely
  • There are so many things, but it's gonna take a lot of time, so I'm gonna show the basic things ONLY...
  • LOT MORE...... AS NOW THE SERVER IS YOURS

Following is the video of information gathering and scanning of Server 2012 R2. In this scenario we will not be using any credentials; instead we assume that we failed to brute-force the credentials and don't know any user or password, but the server left behind a named pipe through which we will get a foothold on the target.

Perfect, we got the basic information and requirements to exploit the target machine. In the following video I will show the exploitation of the target machine using this information.

Well, so far we have succeeded in breaking into the target and stealing the hashes. In the next, final video I am going to show how to crack the hashes using JTR, and a few more things to prove what privileges we have on the target machine.

Basically, given the information we got, I don't think I need to show mimikatz, kiwi and all the other modules, but yes, we can use the kiwi module to change the main Administrator password. Let's go and own the Server.

So, what are the lessons learned?

  • Check the named pipes list under Local Security Policy
  • Keep strong, complex passwords and change them frequently
  • Don't fall for social engineering attacks that disclose your credentials
  • Always update and upgrade your systems
  • Continuous monitoring of the servers is a must
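The first lesson (and the first exploit requirement listed earlier) can be checked without opening the Local Security Policy console: the two relevant policies are stored as registry values under the LanmanServer service. The script below is an added example in PowerShell, not from the original post; it assumes an absent RestrictNullSessAccess value means the policy default (restricted).

```powershell
# Added example: audit anonymous (null session) access to named pipes.
# Backing store of the two "Network access: ..." policies in secpol.msc.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$srv = Get-ItemProperty -Path $params

# "Network access: Restrict anonymous access to Named Pipes and Shares"
# 1 = restricted (policy default, assumed when the value is absent), 0 = open.
$restrict = if ($null -eq $srv.RestrictNullSessAccess) { 1 } else { [int]$srv.RestrictNullSessAccess }

# "Network access: Named Pipes that can be accessed anonymously" (REG_MULTI_SZ).
# Any pipe named here is reachable without credentials even when $restrict is 1.
$pipes = @($srv.NullSessionPipes | Where-Object { $_ -and $_.Trim() -ne '' })

Write-Output ("RestrictNullSessAccess = {0} ({1})" -f $restrict,
    $(if ($restrict -eq 0) { 'anonymous access ALLOWED' } else { 'restricted' }))

if ($pipes.Count -eq 0) {
    Write-Output "No named pipes are listed for anonymous access."
} else {
    Write-Warning ("{0} named pipe(s) listed for anonymous access: {1}" -f
        $pipes.Count, ($pipes -join ', '))
    Write-Warning "Review each entry; remove any pipe no application actually needs."
}
```

On a domain controller a few pipes (for example those used by Netlogon) are expected in the list, so compare the output against the role of the server rather than treating every entry as a finding.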

Thanks, stay tuned for more articles.
