Powershell Empire and FuzzBunch: exploiting the notorious ETERNALBLUE vulnerability

On April 14, 2017, a new dump from a group of hackers calling themselves The Shadow Brokers was published. Among other things, the dump contains the FuzzBunch framework, which allows you to exploit the dangerous RCE vulnerabilities of the Windows operating system almost automatically. The vulnerability has been fixed with the release of the MS17-010 patch: it fixes six Windows SMB Server problems, five of which allow to execute arbitrary code through the creation of a special Server Message Block (SMB) 1.0 package. In this article, we will look at how attackers could exploit the ETERNALBLUE vulnerability.

The article is research in nature. When writing it used publicly available information. The use of the described techniques or methods, or their parts in illegal and unlawful actions is prohibited. Observe legislation.

By default, the Kali Linux arsenal allows for many attacks on machines running Windows, but it lacks two modern tools. This article focuses on the tools Empire and FuzzBunch, which should complement your distribution, to significantly expand the possibilities for operating and post-operating Windows systems on the network.
')

Powershell Empire

Powershell Empire provides a modular post-operation platform using the power of Windows PowerShell automation.

Empire agents work completely in RAM and are difficult to detect with means of protection, i.e. Antivirus software and intrusion prevention systems due to the fact that they are written in a scripting language and at runtime between the agent and the antivirus software is an interpreter of the scripting language, in contrast to the classic payload compiled into an assembler and executable file.

Installation

Download Empire from github github.com/EmpireProject/Empire
Run the Empire / setup / install.sh script to install dependencies into the system.
Next, run the script to initialize the Empire / setup / setup_database.py database
Installation completed.

Startup and Basic Setup

We start the framework with the script ./empire and get to the main menu



The basic concepts that we will encounter are listener, stager and agent.
Listener - local IP address and port to which the agent should connect if successfully performed on the victim's side.

With the listeners command, we switch to the configuration mode of the slider and create a new listner at 192.168.1.3 : 8080



As you can see, the port is now listening:



Stager is a Powershell Empire agent delivery method on a victim's machine. By analogy with the Metasploit framework, there is a stage0 and stage1, where we assume that stage0 is the Empire's delivery method for the agent, and stage1 is the agent itself. In fact, the delivery process is somewhat more complicated, as can be read in detail on the official website.

Using the usestager command, you can select the following options for stage0 (hereinafter referred to the stager):



The most common stager is the launcher, select it and configure it to connect to the test listener we created in the previous step.



Further, you can configure some parameters for the stager:



In particular, the default Proxy option is set to default, which means using the system proxy settings on the victim side.

The generate command creates a launcher steager.



It is a powers64-encoded base64 command that must be executed on the victim’s side.
An alternative way to generate stage0 commands for a launcher pager is the command
launcher [namelist] from the listeners menu.

There are other layers that can be used depending on the situation. We list the main ones.

• launcher_bat - the agent is delivered to the victim's machine when the bat file is launched.
• launcher_vbs - the agent is delivered to the victim's machine during the execution of the vbs-script.
• macro - a code will be generated for a macro that can be embedded in an MS Office document.
• dll - launching powershell agent inside a process other than powershell.exe using the Reflective DLL technique loading.

Steager dll allows Empire to integrate with Metasploit framework and other modern tools. With the help of an exploit, it is required to inject a malicious DLL into the attacked process, after which the Empire agent will be loaded into the RAM of the victim’s machine and executed.

Run the generated code of our launcher pager on the victim machine:



On the attacker's machine in the Empire interface we see the message:



This means that the connection between the attacker’s machine and the victim’s machine is now established and the agent is ready to receive commands.

For convenience, you can rename the agent:



Next, to switch to the interaction mode, execute the interact command and using the help command, we will see the available options:

Post-operation

After receiving an active session with the agent, we are available to many teams. Documentation on all the capabilities of the framework can be found on the official website powershellempire.com.



All modules are divided into groups. As an example, we will demonstrate the work of several modules.
A credentials / powerdump module for collecting user hashes.





Starting mimikatz from the Empire Agent menu



Received the password in clear text from the supplier WDijest

Fuzzbunch

On April 14, 2017, a new dump from a group of hackers calling themselves The Shadow Brokers was published. Among other things, the dump contains the FuzzBunch framework, which allows you to exploit the dangerous RCE vulnerabilities of the Windows operating system almost automatically. The main portion of the disclosed vulnerabilities is described in Microsoft bulletin MS17-010. Also for the exploitation of vulnerabilities, promulgated by The Shadow Brokers, modules for the Metasploit framework have already been created.

Installation

To install FuzzBunch, you will need either a 32-bit Windows machine, or Kali Linux with the Wine environment installed. We will use the second option so that both tools, Empire and FuzzBunch, are in the same distribution. Download files to your Kali Linux machine from github

git clone github.com/fuzzbunch/fuzzbunch.git

For FuzzBunch to work. We need Python 2.6 and, in order not to clutter up your main Wine environment, I recommend creating a new one. First, install / update Wine, if you haven't done it yet.

apt-get instal wine winbind 

Create and initialize a new environment:

 mkdir ~/.wine_fuzzbunch WINEPREFIX="/root/.wine_fuzzbunch/" winecfg 

We leave everything unchanged:



export WINEPREFIX = / root / .wine_fuzzbunch /
We check that the environment was created successfully:



Add the required directories to the PATH
wine regedit.exe



Set fuzzbunch to the Wine environment:

 mkdir -p ~/.wine_fuzzbunch/drive_c/nsa/windows cd ~/.wine/drive_c/nsa/windows cp -R [___fuzzbunch]/* . wget https://www.python.org/ftp/python/2.6/python-2.6.msi wget https://downloads.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.6.exe?r=&ts=1493192168&use_mirror=netcologne 

Install Python

 wine msiexec /i python-2.6.msi 

Install pywin32

 wine pywin32-219.win32-py2.6.exe 

Post installation:

 wine cmd.exe cd C:\Python26\Scripts python pywin32_postinstall.py -install cd C:\nsa\windows mkdir listeningposts 

Startup and operation MS17-010

From the Wine environment, execute the following command:



We will attack the 64-bit Windows 7 machine with the IP address 192.168.1.10, while the attacking machine has the IP address 192.168.1.3.

We set these parameters at startup.

To execute malicious code, we will use a vulnerability in the SMB protocol called Eternalblue.

use Eternalblue

We answer affirmatively to the question about checking the parameters:



We leave everything unchanged, except for the item on the method of delivery. Here we choose FB.



In the end, we launch the module for execution and see the message Eternalblue Succeeded.

Post-exploitation in conjunction with Powershell Empire

Create a new listener:



As an agent delivery mechanism, we use this time dll. If you used Empire on a separate machine, then for delivering the pager to the machine with FuzzBunch, it would be convenient to save it to the web server directory and then download over the network.



If you have Powershell Empire and FuzzBunch on the same machine, as in my case, then save the file to the root of the C drive of the Wine environment.



Go back to FuzzBunch, where the session is open with the victim's machine, and use the DoublePulsar module.

 use DoublePulsar 

Choose a 64-bit architecture:



As a payload, we will inject a DLL created in Empire.



Specify the full path to the DLL:



C: \ launcher.dll
Execute the module:



In the Empire interface, we get a new session and execute Mimikatz.



Get user logins and passwords.





At the same time, the victim’s operating system does not detect attacks. In Microsoft Security Essentials logs is empty, the system is stable. Thus, our distribution Kali Linux has acquired two modern tools for operating and post-operating the Windows OS.

Protective measures

As a means of protection, it is recommended to update the Windows system (if you have not done this for some reason), use a means of detecting and blocking attacks — a firewall, etc.

For example, this can be done using the following commands:

 netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135" 

 netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"