
I have tried this PoC:

https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e

against a Windows 8 target that I own. The code exits with an error that says:

impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.

The error occurs wherever there is a conn.recvSMB() call.

Although SMB is running on port 445, all firewalls and security rules are deactivated (antivirus, Windows Firewall, SmartScan, etc.).

Does that mean my Win 8 box is pretty safe from EternalBlue? Also, is Windows Firewall enough to stop all those SMB attacks? If yes, then why is EternalBlue such a big deal? I mean, a lot of Windows 7/8 machines come with the firewall activated by default.

Edit: I have tried a universal "exec calc.exe" shellcode and tried all possible values of the numGroomConn parameter (3, 4, 5, etc.).

R4C81D
    https://arstechnica.com/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/ – julian May 20 '17 at 17:17

2 Answers


Just because it doesn't work for you doesn't mean it's safe. You should patch your box.

If you are running an unpatched Windows 8 box, don't expect to be safe.

There are a lot of reasons why it may not work if your box is unpatched:

  1. You may be attempting the wrong exploit packages. Would you trust random GitHub code without first auditing it?
  2. You may not be able to spawn a reverse shell due to firewall policies, and would need a bind shell, or the other way around. Maybe you can't do either, but RDP is open; in that case, use windows/adduser as a payload. There's a lot of things to consider here - you will need to enumerate your box.
  3. You may need the right target, encoding, to target the right architecture, process, etc... basically, you might not be using the right settings.

We can't really help you without enough details. Did you patch? If so, you should be fine. However, I would personally just disable SMB 1.0 because it's a dumpster fire.

Mark Buffalo

EternalBlue works fine when an SMB connection to the victim is established. However, on a default Windows 8 and later installation without additional service info:

  - anonymous is not allowed to access any share (including IPC$). More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
  - TCP port 445 is filtered by the firewall

So you can exploit Windows 8 and later versions with user credentials (even a user name and hash).

Os Tiger
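A pre-flight check that separates the two things both answers point at before an SMB1 PoC is even launched: whether TCP/445 is reachable at all (the firewall point in the second answer) and whether the target still negotiates an SMB1 dialect (the "disable SMB 1.0" point in the first answer). This is an added example, not code from the thread or from the linked gist. It speaks raw SMB1 over a plain socket instead of going through impacket, so it needs only the standard library; the target host and port are assumptions read from the command line, and the server reply used for the offline demonstration is constructed, not captured. It does not attempt a null session, so the IPC$ restriction from the second answer is out of its scope.

```python
"""Pre-flight check before running an SMB1 PoC: is TCP/445 reachable at all,
and does the target still negotiate an SMB1 dialect?  Added example; the
target host/port are assumptions read from the command line."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in order; the index the server returns refers to this list.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
# 32-byte SMB1 header after the 4-byte magic: command, NT status, flags, flags2,
# PIDHigh, 8 bytes SecurityFeatures, reserved, TID, PIDLow, UID, MID
HEADER_FMT = "<BIBHH8sHHHHH"


def smb1_header(command: int, flags: int, mid: int = 1) -> bytes:
    return SMB1_MAGIC + struct.pack(
        HEADER_FMT, command, 0, flags, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid
    )


def netbios_frame(smb: bytes) -> bytes:
    """NetBIOS session message: type 0x00 followed by a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request() -> bytes:
    """SMB_COM_NEGOTIATE: WordCount=0, ByteCount, then one 0x02-prefixed
    NUL-terminated string per offered dialect."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = struct.pack("<BH", 0, len(dialects)) + dialects
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE, 0x18) + body)


def make_sample_response(dialect_index: int) -> bytes:
    """Constructed server reply for offline testing (not a capture).  A server
    that picked a dialect answers with WordCount=17 and the index as the first
    word; one that accepted none answers WordCount=1, DialectIndex=0xFFFF."""
    if dialect_index == 0xFFFF:
        words = struct.pack("<H", 0xFFFF)
    else:
        words = struct.pack("<H", dialect_index) + b"\x00" * 32
    body = bytes([len(words) // 2]) + words + struct.pack("<H", 0)  # ByteCount=0
    return netbios_frame(smb1_header(SMB_COM_NEGOTIATE, 0x98) + body)


def parse_negotiate_response(pkt: bytes) -> dict:
    """Extract the selected dialect from a NetBIOS-framed SMB1 negotiate reply."""
    if len(pkt) < 4 + 35 or pkt[0] != 0x00 or int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("bad or truncated NetBIOS session header")
    smb = pkt[4:]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 reply, magic=%r" % smb[:4])
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected command 0x%02x" % smb[4])
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if word_count == 0:
        return {"status": status, "dialect_index": None, "dialect": None}
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == 0xFFFF or index >= len(DIALECTS):
        return {"status": status, "dialect_index": index, "dialect": None}
    return {"status": status, "dialect_index": index, "dialect": DIALECTS[index].decode()}


def classify_reply(data: bytes) -> dict:
    """Turn whatever came back on the socket into a verdict the operator can act on."""
    if not data:
        # A server that no longer speaks SMB1 usually just closes the connection;
        # a PoC that then blocks in recvSMB() surfaces this as a timeout.
        return {"smb1": False, "reason": "connection closed without an SMB reply"}
    if data[4:8] == SMB2_MAGIC:
        return {"smb1": False, "reason": "server answered with SMB2/3 only"}
    try:
        info = parse_negotiate_response(data)
    except ValueError as exc:
        return {"smb1": False, "reason": str(exc)}
    if info["dialect"] is None:
        return {"smb1": False, "reason": "server rejected every offered dialect"}
    return {"smb1": True, "reason": "negotiated %s" % info["dialect"]}


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Connect, send one negotiate request and classify the reply, so that a
    filtered port and a refused SMB1 dialect are reported as different things."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError as exc:  # refused, filtered (timeout) or unreachable
        return {"reachable": False, "smb1": False, "reason": repr(exc)}
    verdict = classify_reply(data)
    verdict["reachable"] = True
    return verdict


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed lab target
    print(probe(target))
```

Run it as `python smb1_preflight.py <target>` (file name assumed) before the PoC: `reachable: False` means the port is filtered or the host is down, which is the firewall case, while `reachable: True, smb1: False` means the box answers on 445 but will not negotiate SMB1, so an SMB1-only exploit has nothing to talk to regardless of patch level.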