POC – EternalBlue and Doublepulsar in Kali 2017.1 – Exploiting SMB Service in Windows 7


This article is educational, using proof of concept in uncontrolled environments or without prior authorization may be illegal

On April 14, 2017, the ShadowBrokers team leaked a new hacking toolkit that has put many organizations in check; this is the five that is done by the hacking team called “Lost in Translation.” To better understand the situation, below we will see a summary of the leaks that have been occurring through this group of hackers.

Shadow Brokers is a group of hackers that first appeared in the summer of 2016. They were responsible for making several leaks that contained some of the hacking tools that the National Security Agency (NSA) used internally, including several 0days. In this leak, the products that were affected were the firewall, antivirus products, and Microsoft products.

First Filtration: “Equation Group Cyber Weapons Auction – Invitation.”

Apparently, the leak began in August and occurred around the 13th, according to the information that was published on Twitter and on the Pastebin page, the link of published tools is still available since downloading through mega, or the next Link from GitHub.

Second Filtration: “TrickOrTreat”

The second leak was not much later, around October 2016, we can find more information here, and here, the password is payus.

Third Filtration: “Black Friday / Cyber Monday Sale.”

The next filtering contained 60 folders that referred to the tools they used in Equation Group, although this filtering did not show executable files but rather screenshots of the tool file structure. While the leak might be a false positive, the general cohesion between the past and future leakages and references, as well as the work required to falsify screen captures, lends credence to the theory that reference tools are real.

The original message read as follows:

“We auction best files to the highest bidder.” “Auction files are better than stuxnet,” he said. “The auction is better than the auction,” he said. When you send bitcoin you add additional output to transaction.You add OP_Return output.In Op_Return output you put your (bidder) contact info.We suggest use bitmessage or I2P-bote email address. Publicly. “Do not believe unsigned messages. We will contact Winner with decryption instructions.” Winner can do with files as they please, we do not release files to public.

Fourth Filtration: “Don’t Forget Your Base”

They filtered part of the files that theoretically reveal more tools of the NSA.

Fifth Filtration: “Lost in Translation”

On April 14, 2017, the Twitter account used by The Shadow Brokers posted a Tweet with a link to a Steemit story. The general content is based on three folders: “oddjob”, “swift” and “windows”. The fifth leak suggests that the released material could affect many systems. The leak includes, among other things, the tools and exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY , which we will see in another example as you can leave a windows 7 or Windows 2008 attacking your SMB service.

Some of these vulnerabilities are for the Windows operating system and were patched in a Microsoft security bulletin on March 14, 2017, a month before the leak occurred. However, all of us who are dedicated to this, we know that many systems have not been updated yet and probably take the time to do so. In addition to the systems out of support are still many that remain operative in various organizations and these tools allow a user to do with the control of them, without much effort.

Exploits Package

The toolkit contains exploits targeting Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, and Microsoft Exchange. The relationship between most of the vulnerabilities found is that they are used to attack a Windows vulnerability. Unlike previous ShadowBrokers leaks to the network infrastructure and Linux, this time is more focused on the Windows system.

SMB Exploits

This vulnerability highlights the vulnerabilities that point to the Server Message Block (SMB) service and the NetBios protocol. SMB is a network file exchange protocol that allows applications to read and write to files and request services from server programs on a Microsoft network. It’s basically the default way that computers are remotely managed in any environment, so a vulnerability has a big impact. It even compares some vulnerabilities that were a headache like the vulnerability MS08-067 that was exploited massively by Conficker. If anything has been positive this time regarding that occasion, it is that previously Microsoft had patched the vulnerabilities (suspected that they were warned before the publication of the tools).

After some rapid studies through Shodan you can see more than 15,000 systems (Windows XP, 7 and 8) currently with public SMB on the internet, although it is said that the amount can reach two million.

Figure 1 – Microsoft patches 


The downloaded content folder structure is as follows:

Figure 2 – Folder structure 

One of the data dumps of ShadowBrokers, is Fuzzbunchm, a tool that can be compared with Metasploit, but that has been developed in Python. This tool is simple to use and its purpose is to launch the exploits. FuzzBunch contains several ready-to-use exploits that are available when downloading content, each for specific types of targets.

Here’s a list:

  • Easybee-1.0.1.exe
  • Easypi-3.1.0.exe
  • Eclipsedwing-1.5.2.exe
  • Educatedscholar-1.0.0.exe
  • Emeraldthread-3.0.0.exe
  • Emphasismine-3.4.0.exe
  • Englishmansdentist-1.2.0.exe
  • Erraticgopher-1.0.1.exe
  • Eskimoroll-1.1.1.exe
  • Esteemaudit-2.1.0.exe
  • Eternalromance-1.3.0.exe
  • Eternalromance-1.4.0.exe
  • Eternalsynergy-1.0.1.exe
  • Ewokfrenzy-2.0.0.exe
  • Explodingcan-2.0.2.exe
  • Eternalblue-2.2.0.exe
  • Eternalchampion-2.0.0.exe

Among all the tools that were launched, this time we will focus on the tools Eternalblue and DoublePulsar to gain access to Systems from XP to Windows 2016, EternalBlue was patched by Microsoft in the bulletin MS17-010. DoublePush is used to launch a second backdoor, allowing us to inject a DLL (Dynamic Link Library), which would compromise the victim and use it for any purpose, such as loading a DLL into the LSASS.EXE process and opening a program.

Preparing the environment with Kali.

The time has come to prepare the Kali environment so we can do our tests in the Hacking Lab lab.

Next, the steps to have everything ready in our environment and to be able to access the server with Windows 7, The version of Kali is 2017.1, updated since the 2016 version.

  • We need a server on the network with Windows 7/2008
  • Kali, the attacker, from where we will launch FuzzBunch with Wine

If we are connected to the laboratory of Hacking Lab, our attack scenario will be the following:

  • Windows 7 SP1 victim –
  • Kali –

Step 1: Install wine (Remember wine32)

The commands to prepare our Kali environment will be:

Because fuzzbunch uses the windows32 libraries, we will configure its own win32 environment, this will also prevent a crash in the wine application that we are using.

Figure 3 – Preparing KALI

Step 2: Add Fuzzbunch to the PATH

The goal now is to configure the environment variables to run fuzzbuch on KALI.

Permanent Changes

The goal of this step is to make the registry changes permanent, so that even if we restart KALI, the environment variables are still loaded and it is easier for us to use the program again.

Figure 4 – Windows Registry Variable

Temporary Changes

This command is temporary and the changes will be removed if we restart the server. The command to execute is as follows:

Step 3: Install Python Python2.6 and pywin32 (winetrick will install both)

The following command allows us to install python for windows in a simple way in KALI, also install the pywin32 package.

Figure 5 – Installing Python y Pywin32

Step 4: Loading Fuzzbunch

Once we have everything ready we can open Fuzzbunch in two ways, from the Linux terminal or by right-clicking on the fb.py program and selecting the python program.

In this step, we will open Fuzzbuch from the terminal so that we verify that the environment variables and the other configurations are correct.

If the result is satisfactory it will open the program correctly and we will have the environment ready to start the attack on our target.

Figure 6 – CMD.exe

The following image shows how python was correctly loaded and the Fuzzbuch program was executed correctly, we already have the environment ready for our tests in the Hacking Lab. Now we connect by VPN to the lab and attack our target with Windows 7 SP1 32 Bits.

Figure 7  – Fuzzbunch loaded

Step 6: Prepare Metasploit

So far we have prepared the environment solely to load Fuzzbunch on our KALI machine, however as we have seen in most of the examples we have online, Empire is used to create the launcher.dll. This DLL is basically a meterpreter that we will load with Doublepulse.

We will directly create the DLL through msfvenum without going through Empire, the steps are really simple and are as follows:


Once we have the shell preaptured to be injected into a Windows process, we proceed to prepare the Metasploit environment to receive the connection.

The following image is a sample of the output of our payload:

Figure 8 – Loaded the DLL on the Doublepulsar

Step 7: Using Fuzzbunch

On this occasion we have opened the tool directly from the folder with right button and selected the application python. Once the application starts, it asks us for some configuration values. These values can then be altered, but basically ask us the log folder, the IP address of the victim and our IP address. The other options can be left by default.

Once we have everything prepared, we can run the Eternalblue exploit, the operation of the console is really similar to Metasploit and very simple.

Figure 9 – Fuzzbunch loaded

Step 8: Load EternalBlue

If the result of the exploit execution is satisfactory, we should receive a message similar to the one below, where “Eternalblue Succeeded”

Figure 10 – Eternalblue loaded

Step 9: Loaded Doublepulsar

The next step allows us to take advantage of the first exploit to exploit a vulnerability and achieve a shell with a meterpreter loaded on the server. To do this we now use Doublepulsar, and this way we will be able to access the server after executing the shell.dll DLL on the server through the LSSAS.exe process

If everything went well, we should receive a message similar to the one shown in the following image.

Figure 11 – Doublepulsar Succeeded

As a result of our well-done work we will have the server shell, with the privileges of SYSTEM. Now I recommend migrating the process so it does not close another system process.

Figure 12 – Shell opened

Colaboration: Jonás Ropero

Video POC – https://youtu.be/gDSq2pVcUVI