NSA - MS17-010: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Lphanvan (talk | contribs)
Lphanvan (talk | contribs)
Line 21: Line 21:
- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''
- Windows 7 ( To execute NSA tool ): '''192.168.0.106'''


- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.107'''
- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): '''192.168.0.109'''


'''Victim:'''
'''Victim:'''


- Windows 7/SVR2008
- Windows 7/SVR2008 : '''192.168.0.107'''

Revision as of 18:35, 30 April 2017

Microsoft Security Bulletin MS17-010 - NSA Tool leak

Introduction

At last April 8, TheShadowBrokers has published a bunch of tools that was stolen from the NSA Arsenal Hacker Tools. A Github repository is the following: https://github.com/misterch0c/shadowbroker. In this paper, we’ll focus on ETERNALBLUE exploit for Microsoft Windows and the plugin DOUBLEPULSAR. To leverage these “fantastic” codes, we’ll be using FUZZBUNCH, The NSA’s “Metasploit”

Why Eternalblue & DoublePulsar?

ETERNALBLUE is the only one that can be used to attacking Windows 7 and Windows Server 2008 without needing authentication. After that, we can use the plugin DOUBLEPULSAR in order that injecting remotely a malicious DLL on the target machine.We wi ll make a malicious DLL using Empire to get a reverse connection from the target to the attacker machine.

Setting up Environment

Attacker:

- Windows 7 ( To execute NSA tool ): 192.168.0.106

- Kali Linux ( To generate DLL file and being a listener https://github.com/EmpireProject/Empire ): 192.168.0.109

Victim:

- Windows 7/SVR2008 : 192.168.0.107