May 26, 2017
As pentesters, our job is to demonstrate the risk of unpatched vulnerabilities to the business. The past month, this has largely been an exercise in demonstrating the risk of the eternal blue vulnerability. In order to do this, it is key we as the good guys possess the same tools and capabilities as the bad guys.
The team over at Risk Sense ops has played a key role in providing this capability to the community by reverse engineering eternal blue and developing the MS17_010 metasploit module: https://github.com/RiskSense-Ops/MS17-010. This community developed exploit has allowed us, and other pentest teams, to successfully demonstrate the risk of MS17_010 to many.
There are some situations, however, where running a metasploit module may not be feasible. For example, on many of our red team engagements, we have access to the network through only Empire agents. These agents do not allow port forwarding, and there is not always an easy way to forward traffic from a metasploit instance to the targeted servers. We could of course use a meterpreter shell, or cobalt strike agent, on those servers, but this is not always feasible or desired based on the stealth profile we are trying to achieve.
We ran into several situations where we could have gotten domain admin, or other significantly privileged access if able to run eternal blue, but were unable due to some combination of the above reasons. Internally we called this the ‘Eternal Blues’ and decided we needed to do something to solve it.
Because eternal blue is such a useful exploit for red teams now and into the near future, we developed a powershell port of RiskSense-Ops metasploit module. This port of the exploit is 100% powershell, and can be easily imported and used in Empire, or Cobalt Strike shells.
This powershell port allowed us to better demonstrate the risk of MS17_010 and cured our blues. We hope it has the same affect for you.