EternalBlue: Metasploit Module for MS17-010

2017-05-18T13:32:42
ID RAPID7COMMUNITY:3B0840DA6B7ECCDB93EA8FBE7F118D85
Type rapid7community
Reporter leonardovarela
Modified 2017-05-18T13:32:42

Description

<!-- [DocumentBodyStart:79ed8d2f-1627-4cc4-9657-d9bdf93ceb9e] --><div class="jive-rendered-content"><p>This week's release of <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit" target="_blank">Metasploit</a> includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when a hacking group, the <a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7842" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/04/18/the-shadow-brokers-leaked-exploits-faq">Shadow Brokers, disclosed a trove of alleged NSA exploits</a>. Among them, EternalBlue <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue" target="_blank">exploits MS17-010</a>, a Windows SMB vulnerability. 
This week, EternalBlue has been big news again due to attackers using it to devastating effect in a highly widespread ransomware attack, <a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7869" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained">WannaCry.</a> Unless you've been vacationing on a remote island, you probably already know about this; however, if you have somehow managed to miss it, check out <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F" target="_blank">Rapid7's resources</a> on it, including guidance on <a class="jive-link-blog-small" data-containerId="1004" data-containerType="37" data-objectId="7866" data-objectType="38" href="https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose">how to scan for MS17-010 with Rapid7 InsightVM or Rapid7 Nexpose.</a></p><p style="min-height: 8pt; padding: 0px;"> </p><p>The Metasploit module - developed by contributors <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftwitter.com%2Fzerosum0x0" rel="nofollow" target="_blank">zerosum0x0</a> and <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftwitter.com%2Fjennamagius" rel="nofollow" target="_blank">JennaMagius</a> - is designed specifically to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. 
It does not include ransomware like WannaCry does, and it won't be worming its merry way around the internet.</p><p style="min-height: 8pt; padding: 0px;"> </p><p>Metasploit is built on the premise that security professionals need to have the same tools that attackers do in order to understand what they're up against and how best to defend themselves. The community believes in this, and we have always supported it. This philosophy drove the amazing Metasploit contributor community to take on the challenge of <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fzerosum0x0.blogspot.com%2F2017%2F04%2Fdoublepulsar-initial-smb-backdoor-ring.html" rel="nofollow" target="_blank">reverse engineering and recreating the EternalBlue exploit</a> as quickly and reliably as possible, so they could arm defenders with the info they need. We want to say a big thanks to <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fjennamagius" rel="nofollow" target="_blank">JennaMagius</a> and <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Fzerosum0x0" rel="nofollow" target="_blank">zerosum0x0</a> for their work on this.</p><p style="min-height: 8pt; padding: 0px;"> </p><p>From a vulnerability management perspective, there are a lot of things that security practitioners can do to <a class="jive-link-blog-small" data-containerId="1004" data-containerType="37" data-objectId="7855" data-objectType="38" href="https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits">understand their exposure</a>; however, with Metasploit you can go beyond theoretical risk and show the impact of compromise. Access to systems is more concrete evidence of the problem. 
Metasploit effectively allows security practitioners to test their own systems and dispel the hype and speculation of headlines with facts.</p><p style="min-height: 8pt; padding: 0px;"> </p><p>From a <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsolutions%2Fpenetration-testing%2F" target="_blank">penetration testing</a> perspective, <a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7793" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/02/08/under-the-hoodie-actionable-research-from-penetration-testing-engagements">research shows</a> that over two thirds of engagements had exploitable vulnerabilities leading to compromise. Metasploit modules such as EternalBlue enable security practitioners to communicate the real impact of not patching to the business.</p></div><!-- [DocumentBodyEnd:79ed8d2f-1627-4cc4-9657-d9bdf93ceb9e] -->