## https://sploitus.com/exploit?id=68923676-0B21-58AA-9B65-AB82A5DF4430
# MS17-010 (EternalBlue) - Windows 7 Exploitation
Technical documentation of a successful Proof of Concept (PoC) targeting the MS17-010 vulnerability on a legacy Windows 7 system.
## **Target Information**
* **Machine Name**: EternalBlue (MS17-010)
* **IP Address**: `192.168.126.129`
## **1. Enumeration & Vulnerability Scanning**
The initial scan using `nmap -A` revealed several open ports, with **Port 445** being the most critical entry point.
| Port | Service | Version | Significance |
| :--- | :--- | :--- | :--- |
| **445** | SMB | Windows 7 Ultimate 7601 SP1 | Highly vulnerable to MS17-010 (EternalBlue) |
| **139** | NetBIOS | Microsoft Windows NetBIOS | Useful for host identification |
### **Key Findings:**
* **OS Detection**: The target is running an unpatched Windows 7 SP1.
* **SMB Security**: Message signing is **disabled**, which facilitates easier exploitation.
* **Vulnerability Validation**: Initial scan confirmed the host is likely vulnerable to MS17-010.
## **2. Exploitation**
Exploitation was carried out using the Metasploit Framework. Manual payload selection was configured to ensure architecture compatibility.
* **Exploit Status**: `ETERNALBLUE overwrite completed successfully`.
* **Payload**: `windows/x64/meterpreter/reverse_tcp`.
* **Session**: Established a stable Meterpreter session with **SYSTEM** privileges.
## **3. Post-Exploitation**
I performed a `hashdump` to extract the local NTLM password hashes from the SAM database for credential analysis.
```
Administrator:500:aad3b435b51404ee...58f5081696f366cdc72491a2c4996bd5
user:1000:aad3b435b51404ee...2b576acbe6bcfda7294d6bd18041b8fe
```
## **4. Mitigation & Remediation**
To secure the system against the MS17-010 (EternalBlue) vulnerability, the following measures are recommended:
* Disable SMBv1 Protocol: Legacy SMBv1 should be disabled across the network as it lacks modern security features and is the primary attack vector for this exploit.
* Apply Security Patch MS17-010: Ensure that the official Microsoft security update (MS17-010) is installed to patch the underlying memory corruption vulnerability in the SMB service.
* Implement Network Filtering: Configure firewalls to block inbound traffic on Port 445, restricting SMB access only to trusted internal devices and preventing exposure to the public internet.
For a detailed step-by-step technical walkthrough and troubleshooting, please refer to walkthrough.md.