exploiting-ms17-010-eternalblue-vulnerability
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseExploiting MS17-010 EternalBlue Vulnerability
利用MS17-010 EternalBlue漏洞
Overview
概述
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.
MS17-010(EternalBlue)是Microsoft SMBv1实现中的一个严重漏洞,允许远程代码执行。该漏洞最初由NSA发现,并于2017年被Shadow Brokers泄露,曾被用于WannaCry和NotPetya勒索软件攻击活动。尽管自2017年3月起已有可用补丁,但许多组织仍存在未打补丁的系统,这使其成为红队可行的攻击载体,尤其是在遗留环境中。
When to Use
使用场景
- When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
- 当进行涉及利用MS17-010 EternalBlue漏洞的授权安全测试时
- 当在受控环境中分析恶意软件样本或攻击工件时
- 当开展红队演练或渗透测试项目时
- 当基于对攻击技术的理解构建检测能力时
Prerequisites
前置条件
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
- 熟悉红队概念与工具
- 可访问测试或实验室环境以安全执行操作
- 安装了Python 3.8+及所需依赖
- 拥有任何测试活动的适当授权
MITRE ATT&CK Mapping
MITRE ATT&CK映射
- T1210 - Exploitation of Remote Services
- T1190 - Exploit Public-Facing Application
- T1569.002 - System Services: Service Execution
- T1210 - 远程服务利用
- T1190 - 利用面向公众的应用程序
- T1569.002 - 系统服务:服务执行
Workflow
工作流程
Phase 1: Vulnerability Scanning
阶段1:漏洞扫描
- Scan target networks for SMB port 445
- Check for SMBv1 protocol support
- Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
- Document vulnerable systems with OS version and patch level
- 扫描目标网络的SMB 445端口
- 检查是否支持SMBv1协议
- 运行MS17-010漏洞检测(Nmap NSE脚本或Metasploit辅助模块)
- 记录存在漏洞的系统及其操作系统版本和补丁级别
Phase 2: Exploitation
阶段2:漏洞利用
- Select appropriate exploit variant based on target OS
- Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
- Execute exploit against confirmed vulnerable target
- Verify code execution and establish session
- 根据目标操作系统选择合适的漏洞利用变体
- 配置漏洞利用载荷(Meterpreter、Cobalt Strike beacon、自定义shellcode)
- 针对已确认存在漏洞的目标执行漏洞利用
- 验证代码执行并建立会话
Phase 3: Post-Exploitation
阶段3:后渗透操作
- Establish persistence on compromised system
- Dump credentials from memory
- Use compromised host as pivot point
- Document exploitation evidence
- 在被攻陷的系统上建立持久化控制
- 从内存中提取凭证
- 将被攻陷的主机作为跳板
- 记录漏洞利用证据
Tools and Resources
工具与资源
| Tool | Purpose |
|---|---|
| Nmap ms-17-010 NSE scripts | Vulnerability detection |
| Metasploit ms17_010_eternalblue | Exploitation module |
| Metasploit ms17_010_psexec | Alternative exploitation |
| AutoBlue-MS17-010 | Standalone Python exploit |
| CrackMapExec | Mass SMB vulnerability scanning |
| 工具 | 用途 |
|---|---|
| Nmap ms-17-010 NSE脚本 | 漏洞检测 |
| Metasploit ms17_010_eternalblue | 漏洞利用模块 |
| Metasploit ms17_010_psexec | 替代漏洞利用方式 |
| AutoBlue-MS17-010 | 独立Python漏洞利用工具 |
| CrackMapExec | 批量SMB漏洞扫描 |
Detection Indicators
检测指标
- IDS/IPS signatures for EternalBlue exploit traffic
- SMBv1 negotiation from unusual source hosts
- Event ID 7045: New service installation after exploitation
- Anomalous named pipe activity on SMB
- Large SMB write requests characteristic of buffer overflow
- 针对EternalBlue攻击流量的IDS/IPS特征
- 来自异常源主机的SMBv1协商请求
- 事件ID 7045:漏洞利用后安装新服务
- SMB上的异常命名管道活动
- 具有缓冲区溢出特征的大型SMB写入请求
Validation Criteria
验证标准
- Vulnerable systems identified via scanning
- Exploitation achieved on authorized target
- Code execution confirmed with session established
- Post-exploitation activities documented
- Remediation recommendations provided
- 通过扫描识别出存在漏洞的系统
- 在授权目标上成功完成漏洞利用
- 确认代码执行并建立会话
- 记录后渗透操作活动
- 提供修复建议