Question

1.
Demonstrate the use of an Eternal Blue attack on Windows system.

2.
Recommend mitigation against Eternal Blue attacks.

Answer 1

EternalBlue is an exploit most likely developed by the NSA as a former zero-day. It was released in 2017 by the Shadow Brokers, a hacker group known for leaking tools and exploits used by the Equation Group, which has possible ties to the Tailored Access Operations unit of the NSA.

Demonstration:

Find a Module to Use

The first thing we need to do is open up the terminal and start Metasploit. Type service postgresql start to initialize the PostgreSQL database, if it is not running already, followed by msfconsole.

Next, use the search command within Metasploit to locate a suitable module to use.

There is an auxiliary scanner that we can run to determine if a target is vulnerable to MS17-010. It's always a good idea to perform the necessary recon like this. Otherwise, you could end up wasting a lot of time if the target isn't even vulnerable.

Once we have determined that our target is indeed vulnerable to EternalBlue, we can use the following exploit module from the search we just did.

Step 2: Run The Module

Now the target is compromise

B:

According to the U.K. National Cyber Security Center, computer emergency response teams and security experts, businesses and organizations worldwide need to ensure that the following five mitigation strategies are in place:

1. Install MS17-010: Install the MS17-010 fix and all available OS updates issued by Microsoft in March 2017 to prevent getting exploited by the MS17-010 vulnerability. Any systems running a Windows version that did not receive a patch should be removed from all networks.
2. Install emergency Windows patch: Microsoft has issued one-off security fixes for three operating systems that it no longer supports: Windows XP, Windows Server 2003 and Windows 8.
3. Disable SMBv1: If it is not possible to apply either patch, disable SMBv1. Refer to guidance from Microsoft for doing so.
4. Block SMBv1: Block SMBv1 ports on network devices - UDP 137, 138 and TCP 139, 445.
5. Shut down: If none of those options are available, shut down your computer. Propagation can be prevented by shutting down vulnerable systems.