exploiting-ms17-010-eternalblue-vulnerability

Original：🇺🇸 English

Translated

2 scripts

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it

1installs

Sourcemukul975/anthropic-cybersecurity-skills

Added on2026-04-20

NPX Install

npx skill4agent add mukul975/anthropic-cybersecurity-skills exploiting-ms17-010-eternalblue-vulnerability

SKILL.md Content

View Translation Comparison →

Exploiting MS17-010 EternalBlue Vulnerability

Overview

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.

When to Use

When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

T1210 - Exploitation of Remote Services
T1190 - Exploit Public-Facing Application
T1569.002 - System Services: Service Execution

Workflow

Phase 1: Vulnerability Scanning

Scan target networks for SMB port 445
Check for SMBv1 protocol support
Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
Document vulnerable systems with OS version and patch level

Phase 2: Exploitation

Select appropriate exploit variant based on target OS
Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
Execute exploit against confirmed vulnerable target
Verify code execution and establish session

Phase 3: Post-Exploitation

Establish persistence on compromised system
Dump credentials from memory
Use compromised host as pivot point
Document exploitation evidence

Tools and Resources

Tool	Purpose
Nmap ms-17-010 NSE scripts	Vulnerability detection
Metasploit ms17_010_eternalblue	Exploitation module
Metasploit ms17_010_psexec	Alternative exploitation
AutoBlue-MS17-010	Standalone Python exploit
CrackMapExec	Mass SMB vulnerability scanning

Detection Indicators

IDS/IPS signatures for EternalBlue exploit traffic
SMBv1 negotiation from unusual source hosts
Event ID 7045: New service installation after exploitation
Anomalous named pipe activity on SMB
Large SMB write requests characteristic of buffer overflow

Validation Criteria

Vulnerable systems identified via scanning
Exploitation achieved on authorized target
Code execution confirmed with session established
Post-exploitation activities documented
Remediation recommendations provided