Using Fuzzbunch, EternalBlue & DoublePulsar to get a meterpreter session.

Hi There,

I wanted to try out the NSA tools as they’re meant to be very similar to metasploit.

For those who don’t know both tools where created by the NSA and leaked by a group of hackers known as The ShadowBrokers. They originally wanted payment for the tools which they never got so they released them into the public domain which so far has allowed thousands of systems to compromised.

1st Where do get hold of these tools? well here and here.

2nd You need to install on the attacking windows system python 2.6 and have PyWin32 v2.12.

If you haven’t set up python before I recommend reading their document here.

My Lab setup

1.Windows Server 2008r2 192.168.0.33

2.Windows 7 (This will run Fuzzbunch) 192.168.0.23

3.Kali (This will run empire) 192.168.0.12

  • Empire – Allows powershell agents to be run without powershell.
  • EternalBlue – smbv1 exploit.
  • DoublePulsar – DLL injector.
  • Fuzzbunch – Toolkit NSA’s equivalent of the Metasploit

Once you have installed python and downloaded the files and are ready to go you need to edit fb.py which is in the shadow-broker-master/windows folder. You may need to change the view on folder to show hidden files to see the file. Remove or comment out the line “ListingPost” the problem with this line is the folder has nothing in it so the script fails. If you setup python path’s correctly you should be able to double click the file and start the script.

 

 

You should now see the script running which is always a good sign.

Now I’ll enter the target IP address into Fuzzbunch as 192.168.0.33 and the listen address 192.168.0.23 if you have used metasploit it’s very much the same process. The only changes I needed was put no to redirect and the location off the logs.

You are then dropped into a command prompt enter and run EternalBlue.  I wanted to try hitting tab to see if it would suggest other exploits which it does. It seems well put together and again very similar to metasploit. You can accept all the default settings the only one you need to change is the delivery mechanism you need to pick 1 for Fuzzybunch.

At first the script shows me it’s failing I’m thinking to myself here we go but on the third go it succeeds.

Great stuff! Now over to the Kali box start empire.

Lets setup a listener.

We now need to create a DLL then inject it into the target.Once it is created I will copy it to the device running Fuzzbunch.

Back on the Fuzzbunch machine we are going to run DoublePulsar to inject our dll.

Select all the default except the below.

Select the correct architecture it was defaulted to 32bit the system I was attacking was 64bit.

Select the correct function, in our case it will be 2 for DLL ,then give the path to where you put the dll file.

Looks good!

Now to move it to Meterpreter

Use the multi/handler with a payload of windows/meterpreter/reverse_https I made the mistake of using tcp and never got a shell. According to the document you need to always run it under reverse_https. Run the module code_execution/invoke_shellcode and set the lhost and lport to the same as you did for multi/handler.

Conclusion

A month before the tools where leaked to the public Microsoft did issue patches to fix most of the exploits but whether system admins have been able to roll out updates is another story. Overall they are a nice set of tools as you would expect coming from the NSA I like the fact they are written in python too. I would expect some of the exploit’s to turn up in metersploit anyway. Overall it was nice and easy.

 

 

Reference

exploit-db

 

 

TS Hijacking

Hi There,

For this test I’m going to use windows 7 although I have tested on server 2012 rc2 and the result was the same. I also tested the PC version with a user who just locks their desktop.

If your going to test this on windows 7 or 10 you may need to make changes to termsrv.dll file to allow more then one user to connect via rdp.

We are connected to the PC via RDP with the account test (rdp-tcp#0) test2 is a disconnected session with the ID 1 and this is the account we want to take over.

To take over the disconnected session you need to run the command under the system account to achieve this for testing this you can create a service although there are other methods to test this but basically anyway you can get a system account.

The syntax on tscon can be found here obviously don’t enter a password.

OK lets run the service and see what we get.

We are then connected to the disconnected session depending on your settings such as “end disconnected session timings” remote desktop users tend to just disconnect their sessions thinking they are logging out.

Don’t forget to clean up afterwards. I found with the pc hijack if the user came back to unlock their PC it would show you connected even if you had logged out by end tasking remotely logonUI.exe  would refresh the screen.