ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigate shadowBrokers EternalBlue exploit attack against windows on my favourite port TCP 445  and so I analysed 2 particular unique awesome remote execution exploits EternalRomance and DoublePulsar .

I personally find the NSA exploit naming convention absolutely/incredibly amazing

A bit of background history lesson

NSA has tons of money and best hackers out there ,yeah people hack for money and NSA willing to pay a lot for zero day exploits and hacking techniques but hey that’s how security industry work

EternalBlue is the a weaponised exploit kit with number of zero day exploit codes for windows/linux operating systems, one of the exploits EternalRomance is exactly the same as MS08-067 SMB exploit but the only difference is the year 2017 O.0

So we created wireshark PCAP(s)  and run EternalRomance exploit against unpatched windows system (successful compromise with NT/Authority System Level Privilege)  and second objective was to reconnect to the compromised system using (DoublePulsar) which is a very impressive backdoor listens on TCP 445 and RDP 3389 to connect back to the target machine ( EternalBlue installs DoublePulsar)


Eternal blue exploit documented here the exploit is against windows 7 unpatched windows system

One of the interesting observation we made is that when run the eternalblue exploit against unpatched windows 7 it sent a Trans2  stands for Transaction 2 Subcommand Extension (highlited in yellow)  This particular request is send just before the exploit is sent the intent/idea is to check if the target windows system already exploited or not .  The response from the system returns with  SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED however when we look at the packet we see the Multiplex ID is returned with 65 (0x41) for not compromised system and  Multiplex ID 81 for compromised infected system  .

Trans2 Request, SESSION_SETUP  Initial request
Figure 1 Transe Response SESSION_SETUP, Error: Status_NOT_IMPLEMNTED

BufferOverflow payload sent to target system

Figure 2 packet contains large number of buffer sent to  target windows server
smb.mid==65 (0x41) confirms Trans2 as initial check request


Figure 3  Trans2 request is sent to check if system infected or not
EternalBlue PCAP exploit network analysis
DoublePulsar PCAP exploit network analysis
  Wireshark filters

EternalBlue exploit  smb.mid == 65   ( Initial exploit)

DoublePulsar back door exploit smb.mid==81  ( Stealthy backdoor)

So we can conclude that the EternalBlue exploit used for initial bufferoveflow attack and foot hold on the network with NT/Authority SYSTEM privilege – highest privilege one can have and the DoublePulsar used for connecting back to the infected system


Go check your entire network and find all smbv1 and turn it off ( Smbv1 is bad)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s