Sunday, April 16, 2017

ShadowBrokers PCAPs, etc.

I spent some time enjoying Easter Sunday by analyzing the Shadowbrokers EternalBlue attacks vs. a Windows 7 system. It is a service-side attack vs. TCP port 445. On Monday I analyzed EternalRomance and DoublePulsar.

I will update this post as I test other exploits and victim operating systems.

EternalBlue is the 2017 version of MS08-067, which was the last universal service-side vulnerability in Windows systems. EternalRomance is a similar SMB exploit.

I created EternalBlue PCAPs showing successful compromise vs. an unpatched system, reconnecting to a previously-infected system (using DoublePulsar), plus failed compromise vs. a patched system. I just added successful EternalRomance exploits.

PCAPs are here:

  • eternalromance-success-2008r2.pcap (new)
  • eternalromance-doublepulsar-meterpreter.pcap (new)
  • eternalblue-success-unpatched-win7.pcap
  • eternalblue-failed-patched-win7.pcap
  • doublepulsar-backdoor-connect-win7.pcap
VirusTotal PCAP analysis (Includes both Snort and Suricata alerts):
I confirmed that MS17-010 mitigates this attack. Patch now!

Default Windows event logging shows nothing. Neither EMET nor Applocker stopped EternalBlue.

Promising Wireshark display filters to detect EternalBlue (unconfirmed; there may be false positives):
  • EternalBlue: smb.mid == 65
  • DoublePulsar: smb.mid == 81
I disabled SMB1 on Windows 7, which stopped EternalBlue with default settings. I need to test more since EternalBlue can allegedly use SMB2. EternalRomance appears to be SMB1-only.

SMB1 is awful, and should be disabled regardless (be sure to test).

It appears Windows 2003 and XP will be vulnerable forever, barring a change in policy by Microsoft.

DoublePulsar is the backdoor (which listens via SMB or RDP) installed by both EternalBlue and EternalRomance. It allows you to inject other DLLs or code. I used it to inject Metasploit's Meterpreter payload, which will probably be a common approach once attacks take off in the wild.

No comments: