ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigating the ShadowBrokers EternalBlue exploit attack against Windows on my favourite port, TCP 445, and so I analysed two particularly unique, awesome remote execution exploits: EternalRomance and DoublePulsar.

I personally find the NSA exploit naming convention absolutely, incredibly amazing.

A bit of a background history lesson

The NSA has tons of money and the best hackers out there. Yeah, people hack for money, and the NSA is willing to pay a lot for zero-day exploits and hacking techniques, but hey, that's how the security industry works.

EternalBlue is a weaponised exploit kit with a number of zero-day exploit codes for Windows/Linux operating systems. One of the exploits, EternalRomance, is exactly the same as the MS08-067 SMB exploit; the only difference is the year, 2017. O.0

So we created Wireshark PCAPs and ran the EternalRomance exploit against an unpatched Windows system (successful compromise with NT AUTHORITY\SYSTEM level privilege). The second objective was to reconnect to the compromised system using DoublePulsar, a very impressive backdoor that listens on TCP 445 and RDP 3389 to connect back to the target machine (EternalBlue installs DoublePulsar).

The EternalBlue exploit is documented here; the exploit is run against an unpatched Windows 7 system.

One interesting observation we made is that when the EternalBlue exploit is run against unpatched Windows 7, it sends a Trans2 request (Trans2 stands for Transaction 2 Subcommand Extension, highlighted in yellow). This particular request is sent just before the exploit itself; the idea is to check whether the target Windows system has already been exploited or not. The response from the system comes back as SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED; however, when we look at the packet we see that the Multiplex ID returned is 65 (0x41) for a system that is not compromised and 81 (0x51) for a compromised, infected system.

Trans2 Request, SESSION_SETUP (initial request)
Figure 1: Trans2 response SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED

Buffer overflow payload sent to the target system

Figure 2: packet contains a large buffer sent to the target Windows server
smb.mid == 65 (0x41) confirms the Trans2 request as the initial check request

Figure 3: Trans2 request is sent to check whether the system is infected or not
EternalBlue PCAP exploit network analysis
https://www.dropbox.com/s/dp64m5ay5xo75li/EternalBlue-Unpatched-Windows7-Exploit.pcap?dl=0
DoublePulsar PCAP exploit network analysis
https://www.dropbox.com/s/kujlk8p0oi7ych6/DoublePulsar-Exploit-mid-81.pcap?dl=0
Wireshark filters

EternalBlue exploit: smb.mid == 65 (initial exploit)

DoublePulsar backdoor: smb.mid == 81 (stealthy backdoor)

So we can conclude that the EternalBlue exploit is used for the initial buffer overflow attack and foothold on the network with NT AUTHORITY\SYSTEM privilege, the highest privilege one can have, and DoublePulsar is used for connecting back to the infected system.
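As an added example (not code from this post), here is a small Python checker that applies the observation above and the two Wireshark filters to raw SMB1 frames: it parses the NetBIOS/SMB1 header, recognises the pre-exploit Trans2 SESSION_SETUP probe, and reports a Trans2 STATUS_NOT_IMPLEMENTED reply with Multiplex ID 81 (0x51) as DoublePulsar present and one with 65 (0x41) as clean. The sample frames are constructed inline; the header offsets follow the standard MS-CIFS layout, and the 0x000E subcommand value is assumed to be what Wireshark labels SESSION_SETUP.

```python
import struct

# SMB1 header constants (MS-CIFS layout); the MID values are those observed in the post's captures
SMB_COM_TRANSACTION2 = 0x32
STATUS_NOT_IMPLEMENTED = 0xC0000002
FLAGS_REPLY = 0x80
TRANS2_SESSION_SETUP = 0x000E   # assumed: the subcommand Wireshark labels SESSION_SETUP
MID_CLEAN = 0x41                # 65: the probe's MID, echoed back by an uninfected host
MID_INFECTED = 0x51             # 81: the MID the DoublePulsar backdoor answers with

def parse_smb1(frame):
    """Split a NetBIOS-framed SMB1 message into the header fields we need plus the body."""
    if len(frame) < 36 or frame[0] != 0x00 or frame[4:8] != b"\xffSMB":
        raise ValueError("not a NetBIOS session message carrying SMB1")
    cmd, status, flags, _f2, _ph, _sec, _rsv, _tid, _pid, _uid, mid = struct.unpack(
        "<BIBHH8sHHHHH", frame[8:36])
    return {"command": cmd, "status": status, "flags": flags, "mid": mid, "body": frame[36:]}

def trans2_subcommand(body):
    """Setup[0] of a Trans2 request (WordCount 15) carries the subcommand."""
    if len(body) < 31 or body[0] != 15:
        return None
    return struct.unpack("<H", body[29:31])[0]

def classify(frame):
    """Verdict for one frame, mirroring the smb.mid == 65 / smb.mid == 81 filters."""
    h = parse_smb1(frame)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "not-trans2"
    if not h["flags"] & FLAGS_REPLY:   # request side: is this the pre-exploit probe?
        probe = trans2_subcommand(h["body"]) == TRANS2_SESSION_SETUP and h["mid"] == MID_CLEAN
        return "implant-probe" if probe else "trans2-request"
    if h["status"] == STATUS_NOT_IMPLEMENTED and h["mid"] == MID_INFECTED:
        return "doublepulsar-present"
    if h["status"] == STATUS_NOT_IMPLEMENTED and h["mid"] == MID_CLEAN:
        return "clean"
    return "trans2-response-other"

def build_smb1(command, status, flags, mid, body=b""):
    """Build a constructed test frame: NetBIOS length prefix + 32-byte SMB1 header + body."""
    hdr = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", command, status, flags,
                                   0xC807, 0, bytes(8), 0, 0, 0, 0, mid)
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body

# Constructed sample exchange (not captured traffic): probe, clean reply, reply from an implanted host
PROBE_BODY = b"\x0f" + bytes(28) + struct.pack("<H", TRANS2_SESSION_SETUP) + b"\x00\x00"
PROBE = build_smb1(SMB_COM_TRANSACTION2, 0, 0x18, MID_CLEAN, PROBE_BODY)
REPLY_CLEAN = build_smb1(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, 0x98, MID_CLEAN, b"\0\0\0")
REPLY_INFECTED = build_smb1(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, 0x98, MID_INFECTED, b"\0\0\0")
```

Feed it the SMB payloads of the frames selected by the two filters and the verdicts line up with the PCAPs above: the clean capture never produces the 0x51 reply.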

Mitigation

Go check your entire network, find all SMBv1 and turn it off (SMBv1 is bad).

DKIM Office 365 & DNS change GoDaddy

Configuring DKIM on Office 365 and GoDaddy

What is DKIM

DomainKeys Identified Mail is an email authentication method designed and implemented to detect email spoofing. It enables the receiver to check that an email claimed to have come from a specific "domain" was indeed authorised by the owner of that domain. For example, how do you know that an email you received is not spoofed?

It is intended to prevent forged sender addresses in emails, a very common and effective technique used to harvest credentials or drop a malicious attachment onto the target system.

Read more on phishing and email spam here.

OK, so you are bored by now and would like to jump to the configuration with Office 365 and your DNS provider? OK, in my case I will be configuring an Office 365 demo tenant I created on a 30-day trial and my Go Phishing service provider, sorry, I meant GoDaddy.

Please note you should always use SPF/DMARC in addition to DKIM to prevent spoofers from sending you malicious emails that look like they are coming from your domain.

Does this sound complicated at all? DKIM is simple, especially with Office 365; almost no technical skill is required, but I still see people struggle with this concept.

Step one

Go to Office 365, Exchange Online Protection, and click DKIM. (By default, DKIM and SPF are already enabled for your first domain, but for any other site you add you need to configure and enable DKIM yourself.)

Figure 1: DKIM configuration

If you decide to add a new site: in my example securesystem.co.uk is my domain, registered with my Office 365 demo tenant, and now I want to enable DKIM for www.securesystem.co.uk.

Add your domain, click on the Enable button, and you will get an error like this:

CNAME record does not exist for this config. Please publish the following two CNAME records first.

selector1-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

selector2-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com

Figure 2: CNAME selectors for DKIM

You need these selectors to be added to your external DNS service, e.g. GoDaddy or any other provider (it could be your own DNS service), so that you can prove you own the domain. I use GoDaddy because it's cheap and easy to make DNS changes.

GoDaddy DNS portal

Figure 3: add your selector1 to GoDaddy

Now that we have configured the DNS and pointed the CNAMEs at Office 365 DKIM, we test it by sending an email to myself and capturing the header.

Figure 4: DKIM header is pass and SPF is already generated

Nslookup for testing

Figure 5: nslookup with type=txt to check that DKIM works
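As an added example (not part of the original post), the Python below ties the steps together for a quick self-check: it derives the two CNAMEs Office 365 expects from the pattern in the error message quoted above (assuming the tenant's initial domain is securesystem1.onmicrosoft.com), reads the selector and domain out of a DKIM-Signature header to build the name you would give nslookup -type=txt, pulls the dkim= verdict from Authentication-Results, and compares what your registrar actually publishes with the expected records. The sample headers and zone data are constructed, not the post's real capture.

```python
import re

def o365_dkim_cnames(domain, tenant):
    """Expected CNAMEs, following the pattern in the Office 365 error above:
    selectorN._domainkey.<domain> -> selectorN-<domain, dots as dashes>._domainkey.<tenant>.onmicrosoft.com"""
    dashed = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com" for n in (1, 2)}

def parse_tags(header_value):
    """Split a tag=value header such as DKIM-Signature into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_query_name(dkim_signature):
    """The name to query with nslookup -type=txt: <s>._domainkey.<d>, which CNAMEs to the Microsoft-hosted key."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def dkim_result(authentication_results):
    """Pull the dkim= verdict out of an Authentication-Results header ("none" if absent)."""
    match = re.search(r"\bdkim=(\w+)", authentication_results)
    return match.group(1) if match else "none"

def check_published_cnames(domain, tenant, observed):
    """Compare the CNAMEs published at the registrar (observed: name -> target) against the expected pair."""
    expected = o365_dkim_cnames(domain, tenant)
    return {name: observed.get(name, "").rstrip(".").lower() == target
            for name, target in expected.items()}

# Constructed sample headers and zone data (not the post's real capture), using the post's domain and tenant
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=securesystem.co.uk; s=selector1;\r\n"
               " h=From:Date:Subject:To; bh=EXAMPLEBODYHASH=; b=EXAMPLESIGNATURE==")
SAMPLE_AUTH = "spf=pass smtp.mailfrom=securesystem.co.uk; dkim=pass (signature was verified) header.d=securesystem.co.uk"
SAMPLE_ZONE = {
    "selector1._domainkey.securesystem.co.uk": "selector1-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com.",
    "selector2._domainkey.securesystem.co.uk": "selector2-securesystem-co-uk._domainkey.securesystem1.onmicrosoft.com.",
}

if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_DKIM), dkim_result(SAMPLE_AUTH))
    print(check_published_cnames("securesystem.co.uk", "securesystem1", SAMPLE_ZONE))
```

A CNAME that resolves but has a typo in the dashed domain or tenant part still fails the Enable check, which is exactly what the comparison catches.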

Final word: remember that Microsoft holds the private key and you no longer have control of your own keys. Maybe secure, maybe not, but hey, it's easy to enable DKIM :)