B8IS122 Computer Security: EternalBlue Exploit Simulation

Verified

Added on 2022/08/24

AI Summary

This assignment provides a comprehensive analysis of the EternalBlue exploit, a critical vulnerability that allows attackers to remotely execute malicious code on a system. The project utilizes a Windows 7 and Kali Linux environment to simulate an ARP poisoning attack, exploiting the Samba server vulnerability. The document details the setup, tools used (Metasploit), steps to exploit the vulnerability, and the impact on the victim machine. It includes screenshots and explanations of the attack process, such as setting up the virtual machines, launching Metasploit, searching for the EternalBlue exploit, and achieving ARP poisoning using the arpspoof tool. Furthermore, the assignment covers post-exploitation activities, including system information gathering and clearing logs. The report concludes with recommendations for mitigating the risk of EternalBlue exploitation, such as patching systems, disabling SMBv1, and implementing strong security practices. This practical approach offers valuable insights into network security vulnerabilities and defensive strategies.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: COMPUTER SECURITY
Computer security
Name of the Student
Name of the University
Authors note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1COMPUTER SECURITY
Introduction
For this project a Windows 7 and Kali Linux system is used. The EternalBlue exploit is
used to exploit the windows 7 machine from the Kali linux using the samba server vulnerability
in order to ARP poison the Windows 7 system. This vulnerability allows the attackers to
remotely run arbitrary malicious code on the system in order to gain access to the system or a
network through the use of the specially crafted data packets. The exploit allows the attackers to
compromise and intrude inside an entire network as well as all the devices connected to the
network. Furthermore, if any device is infected by this malware using EternalBlue, each device
inside it becomes at risk. Due to this reason the recovery from this ind of attacks is considered
as difficult. The main reason behind this can be stated as all the devices inside the compromised
network needs to be taken offline for recovering and protecting the data inside it.
Experiment and analysis of attack
Used tool for the exploit
For attacking the windows 7 victim machine, the Metasploit framework in the Kali
Linux OS is used. Using this tool, the EternalBlue exploit is used for exploiting the windows
operating system is exploited. This vulnerability is apparently stolen from NSA (National
Security Agency) in the year 2016. At the later time this vulnerability is leaked on internet in
the year 2017 by the Shadow Brokers groups. The Eternalblue exploits vulnerability in the
Server Message Block (SMB) protocol by the Microsoft’s that mainly uses the port 445.
This Eternal blue and the related exploitation family are capable of exploiting the serious
vulnerabilities in the Microsoft SMBv1 server on the victim machine. This can be done on the
wide variety of systems such as Windows XP, Windows Server 2008, Windows 10 running on
port 445 as well as Windows 7.
The exploits have high impact on the Confidentiality of the victim machine. Through
the use of this tool the attacker can disclose complete information stored in the system by
revealing all the system files. Similarly in case of the Integrity of the system after the attack is
completely in the hands of the attacker as the attacker gets the access by breaking the system
protection, that results in the entirely compromised system by the attacker.

2COMPUTER SECURITY
Availability Impact on the victim machine is also very high as total shutdown can be
achieved by the attacker over the affected victim. In this way the attacker can make the victim
operating system unavailable to the intended user.
Contextually it can stated that the malwares that uses the EternalBlue exploit is capable
of self-propagation inside a network which can help in the drastic increase in the adverse impact
on the workstations or servers residing inside the network. One of the recent examples is the
WannaCry which is a crypto-ransomware. This malware is the first malware that had a drastic
impact throughout the world. WannaCry used the exploit in order to spread across inside a
network while infecting all the available devices and dropping cryptro-ransomware payload on
the connected devices.
This exploit is mainly successful due to the poor security practices of the users as well as
lack of patching of the used operating system by them. This are the reasons due to which
malicious use of Eternal Blue exploit is increasing by leaps and bounds after it was leaked
online in the year 2017.
Following is the attack simulation using two virtual machines by using the exploit.
Setting up the windows 7 victim machine

3COMPUTER SECURITY
IP address of the Victim machine

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4COMPUTER SECURITY
Setting up the kali virtual machine

5COMPUTER SECURITY
Checking if both virtual machines are connected

6COMPUTER SECURITY
From the above picture it can be stated that victim IP is 10.10.63.87 and attacker IP is
10.10.63.91.
As the Metasploit uses the postgresql as the backend database, therefore it is launched
first through following command on the terminal of kali Linux:
$ service postgresql start
After this the Metasploit is launched through the use of the command msfconsole on
terminal.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7COMPUTER SECURITY
Searching for the eternal blue exploit in Metasploit
Now the arp poisoning is achieved using the arpspoof tool available in the kalilinux

8COMPUTER SECURITY
s

9COMPUTER SECURITY
There are total 5 possible exploits matching to our search that can used by the attckers
according to their need and victims.
Loading the eternal blue

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

10COMPUTER SECURITY
Scanning for the available targets

11COMPUTER SECURITY
Setting rhost and lhosts

12COMPUTER SECURITY

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

13COMPUTER SECURITY
Setting up the payload

14COMPUTER SECURITY
Setting lport

15COMPUTER SECURITY
Successful exploitation of the vulnerability

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

16COMPUTER SECURITY
Compromised system in meterpreter after explotation
After the exploitation it can be seen that using the “sysinfo” the compromised system
details can be found.

17COMPUTER SECURITY
Now the arp poisoning is completd by using the meterpreter sniffer tool by launching it
using the “use_sniffer” command.
ps command executed using
Use of clearev

18COMPUTER SECURITY
CLEAREV
The clearev is very useful after getting control over the system which is capable of
clearing all aystem, application as well as Security logs on the Windows system. for this
command there are no options/arguments needs to be used.
Use of shell command to cmd prompt
The shell command is helpful for the attacker in order to get a standard shell on the
target system.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

19COMPUTER SECURITY
Recommendation to avoid this exploit
In order to avoid or protect the system from the exploitation of the eternal blue exploit
following are the some of the recommendations;
It is important for the users to patch devices with latest Microsoft Windows secutity
updates available from Microsoft for SMB v1.
Potential tools such as the Eset tool can be used in order to check whetherany version of
Windows is vulnerable to this exploit.

20COMPUTER SECURITY
When ever not required it is suggested to disable SMBv1 on the systems while used in
organizational environment and use the latest versions such as SMBv2 or SMBv3 only after
appropriate testing.
Use of Group Policy Objects needs to be encouraged in order to set Windows Firewall
rule which will restrict incoming SMB communication to vulnerable systems. In case the
organization is utilizing alternative host-based intrusion prevention systems then it is suggested
to implement custom modifications in order to control SMB communication through the use of
the Group Policy Objects.
It is always important to follow the Principle of Least Privilege for the work stations or
system services. Most of the software’s should be executed as a non-privileged user without
administrative privileges.