exploiting-ms17-010-eternalblue-vulnerability

$npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/exploiting-ms17-010-eternalblue-vulnerability

Execute controlled exploitation of the critical MS17-010 EternalBlue vulnerability for authorized testing.

  • Enables simulating real-world attacks against unpatched SMBv1 services in a lab.
  • Requires a controlled test environment and knowledge of offensive security tooling.
  • Determines execution based on explicit user intent for vulnerability assessment.
  • Outputs results detailing the success or failure of the remote code execution attempt.

SKILL.md

.github/skills/exploiting-ms17-010-eternalblue-vulnerabilityView on GitHub ↗
---
name: exploiting-ms17-010-eternalblue-vulnerability
description: MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it 
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, eternalblue, smb, remote-code-execution]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Exploiting MS17-010 EternalBlue Vulnerability

## Overview

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.


## When to Use

- When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## MITRE ATT&CK Mapping

- **T1210** - Exploitation of Remote Services
- **T1190** - Exploit Public-Facing Application
- **T1569.002** - System Services: Service Execution

## Workflow

### Phase 1: Vulnerability Scanning
1. Scan target networks for SMB port 445
2. Check for SMBv1 protocol support
3. Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
4. Document vulnerable systems with OS version and patch level

### Phase 2: Exploitation
1. Select appropriate exploit variant based on target OS
2. Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
3. Execute exploit against confirmed vulnerable target
4. Verify code execution and establish session

### Phase 3: Post-Exploitation
1. Establish persistence on compromised system
2. Dump credentials from memory
3. Use compromised host as pivot point
4. Document exploitation evidence

## Tools and Resources

| Tool | Purpose |
|------|---------|
| Nmap ms-17-010 NSE scripts | Vulnerability detection |
| Metasploit ms17_010_eternalblue | Exploitation module |
| Metasploit ms17_010_psexec | Alternative exploitation |
| AutoBlue-MS17-010 | Standalone Python exploit |
| CrackMapExec | Mass SMB vulnerability scanning |

## Detection Indicators

- IDS/IPS signatures for EternalBlue exploit traffic
- SMBv1 negotiation from unusual source hosts
- Event ID 7045: New service installation after exploitation
- Anomalous named pipe activity on SMB
- Large SMB write requests characteristic of buffer overflow

## Validation Criteria

- [ ] Vulnerable systems identified via scanning
- [ ] Exploitation achieved on authorized target
- [ ] Code execution confirmed with session established
- [ ] Post-exploitation activities documented
- [ ] Remediation recommendations provided

More from mukul975/Anthropic-Cybersecurity-Skills

SkillDescription
acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
analyzing-api-gateway-access-logs>
analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
analyzing-azure-activity-logs-for-threats>
analyzing-bootkit-and-rootkit-samples>
analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.