I will update this post as I test other exploits and victim operating systems.
EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.
I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.
PCAPs are here: https://cyber.gd/shadowbrokers
Includes:
- eternalromance-success-2008r2.pcap (new)
- eternalromance-doublepulsar-meterpreter.pcap (new)
- eternalblue-success-unpatched-win7.pcap
- eternalblue-failed-patched-win7.pcap
- doublepulsar-backdoor-connect-win7.pcap
I confirmed that MS17-010 mitigates this attack. Patch now!
Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.
Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
- EternalBlue: smb.mid == 65
- DoublePulsar: smb.mid == 81
SMB1 is awful, and should be disabled regardless (be sure to test).
It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.
DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.