## https://sploitus.com/exploit?id=7E1C4035-7CD1-51B6-8D86-4D6BF34F6DDA
# ๐ EternalBlue (MS17-010) Exploitation Research
**Controlled reproduction of CVE-2017-0144 โ the SMB vulnerability behind the WannaCry ransomware outbreak**
> โ ๏ธ Disclaimer: This research was conducted in a fully isolated, controlled lab environment for academic and educational purposes only. No production systems were involved.
---
## Overview
This project reproduced the EternalBlue exploit (CVE-2017-0144, CVSS 9.3) in a sandboxed AWS EC2 environment. The goal was to deeply understand the vulnerability mechanics, capture and analyze the exploit traffic, and map the attack chain to MITRE ATT&CK โ informing both offensive research and defensive hardening strategies.
---
## Lab Architecture
- **Cloud Platform:** AWS EC2
- **Attacker Machine:** Kali Linux
- **Target Machine:** Windows Server 2008 R2 (unpatched, SMBv1 enabled)
- **Network:** Isolated VPC, no internet egress from target
---
## What Was Done
### Exploit Reproduction
- Configured a vulnerable Windows Server 2008 R2 instance with SMBv1 enabled and MS17-010 unpatched
- Used Metasploit Framework to execute the exploit chain
- Achieved remote code execution and SYSTEM-level shell access
### Network Traffic Analysis
- Captured full packet capture using Wireshark during the exploit
- Analyzed SMB negotiation sequence, shellcode delivery, and RCE stages at the packet level
- Identified key indicators of compromise (IOCs) visible in network traffic
### MITRE ATT&CK Mapping
- **T1210** โ Exploitation of Remote Services (Initial Access)
- **T1059** โ Command and Scripting Interpreter (Execution)
- **T1055** โ Process Injection (Defense Evasion / Privilege Escalation)
---
## Key Findings & Mitigations
- SMBv1 enabled by default on legacy systems โ Disable via PowerShell or Group Policy
- MS17-010 patch not applied โ Apply KB4012212 / KB4012215 immediately
- Lateral movement possible post-exploitation โ Network segmentation + host-based firewall rules
- No detection of exploit traffic โ Deploy SMB traffic monitoring in SIEM
---
## Academic Output
Delivered a 35-minute capstone presentation covering:
- Full exploit mechanics and root cause analysis
- Packet-level walkthrough of the attack chain
- Detection strategies and remediation recommendations
---
## Skills Demonstrated
`Metasploit` `Wireshark` `Kali Linux` `AWS EC2` `CVE Analysis` `CVSS Scoring` `MITRE ATT&CK` `SMB Protocol` `Vulnerability Research` `Network Forensics`