• OTW

Network Forensics, Part 2: Packet-Level Analysis of the NSA's EternalBlue Exploit


Welcome back, my aspiring cyber warriors!

In April 2017, a nefarious group known only as the Shadow Brokers, released to the world a group of exploits that had been stolen from the U.S. espionage agency, the National Security Agency (NSA). The NSA is charged with protecting U.S. citizens from terrorist and other threats to U.S. security, but has also been known to spy on its own citizens. In this capacity, the NSA develops and purchases zero-day exploits. Apparently, someone at the NSA in Ft. Mead, MD, stole some of the exploits and provided them to this shadowy group who then tried to sell them on the Internet. When no one stepped up to purchase these at the minimum asking price (of course, priced in Bitcoin), the Shadow Brokers released the exploits to anyone who wanted them.

Among this group of exploits was one known as EternalBlue This exploit took advantage of a vulnerability in Server Message Block (SMB) on port 445. This protocol enables file, drive and printer sharing on local area networks among other things. When the exploit works properly, it enables the attacker to execute their code (RCE) with system administrator privileges on the target system. The exploit is similar to an earlier (but NOT the same, as some have reported) exploit against SMB known as MS08-067. Microsoft designated this vulnerability MS17-010 and patched it March 2017 (apparently, the NSA, knowing that the exploits were stolen and would soon be released, notified Microsoft and the patch was available before the exploit was released).​

Despite Microsoft's patch, later that same year, both the WannaCry and Petya ransomware attacks utilized the EternalBlue exploit for their malicious purposes and wreaked havoc around the world. All told, EternalBlue and its children were responsible for tens of millions of dollars of damage, if not more.

Given the severity of this exploit and its consequences, it is worth studying it-- not only to recognize this singular attack--but also to become familiar enough with this type of attack to recognize the next variant that is certainly coming in the future.

Step #1: Open Wireshark

Wireshark is the tool of choice for analyzing network packets and performing network forensic analysis. For an introduction on the powerful and versatile tool, check out my two tutorials on Wireshark Basics here.

Step #2: Open the Eternalblue .pcap file

As you know from my previous tutorials on network forensics, Wireshark stores packets in what has become the standard packet file format known as .pcap. We don't have to analyze network traffic in real time, we can store the packets in the .pcap format and analyze them later. That's what we will doing here.

You can download a .pcap capture of the EternalBlue exploit here on DropBox.

Download eternalblue-success-unpatched-win7-1.pcap from Dropbox here.

If you are unfamiliar with the Microsoft implementation of SMB (who is?) and want to learn more, Microsoft has an excellent reference here.

Step #3 Open the file with Wireshark

Once the pcap has been loaded into Wireshark, go to packets 6 and 7. Here you see the protocol (SMB) negotiation. You should see a Negotiate Protocol Request and Negotiate Protocol Response packets. These two packets are initiating the SMB protocol communication.

In the very next packet you will see a Session Setup and the user "anonymous".

This will then be followed two packets later where you should see "Tree Connect" and Path: \\192.168.198.203\IPC$. This is the remote system attempting to connect to an IPC share on target machine. You can also see the IPC share attempt and the IP address in the lower window.

Step #3: Create a SMB Filter

Rather than viewing all the packets, let's just focus on just the SMB packets. In the filter window, enter "SMB" and now you should only see SMB packets in the live window at the top. This should make our further analysis much simpler.

Step #4: NT Trans Request

Next, the exploit sends out NT Trans Request with a huge payload (see the middle window) and a large number of NOP's (you can see the NOP's in the lower window of Wireshark). The attack is preparing the SMB for the specially crafted packet necessary to exploit the system.

This large NT Trans request leads to many Secondary Trans2 Requests made necessary by the large request size. These act as a trigger point for the vulnerability, and the request portion contains the shellcode and encrypted payload, which is the launcher for the malware on the remote machine.

Step #5: Trans2 Response

Now, let's navigate down to packet #165. Here we see a Trans2 Response with STATUS_INVALID_PARAMETER. This is the victim's machine responding, which means that the overwrite has been successful.

Step #6 Finding the Signature of a Successful Payload Installation

Next, Let's check to see whether the payload has been successfully installed. If it has, we should find the SMB Multiplex ID = 82 field in one of the packets. Let's now create a filter for that field and look for it in our stream of packets.

As you can see, we did find one packet indicating that the payload has been successfully installed and the attacker has executed their remote code on your network!

This field, SMB MultiplexID=82, is one of the key signatures for this successful attack.As you can see below, one of the key Snort rules for detecting EternalBlue compromise includes detecting just this field in this packet.

alert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|52 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)# EternalBlue signature matching return signature for connection to pre-installed SMB payload

For more on Snort rules, check out my tutorial "How to Read and Write Snort Rules" here.

Step # 7: Follow the Stream

Finally, if we right click on the Trans2 packet from Step #5 above and select Follow -> TCP Stream, we can the see contents of the packets. Here we can see the contents of the payloads that created the buffer overflow and delivered the payload that enabled this exploit.

When we follow the stream, Wireshark displays the payload contents as see below.

Conclusion

Detecting and preventing network attacks is a key responsibility of the network and information security engineers. Without knowing what the attack actually looks like from the packet-level makes that task challenging, if not impossible. Here, by analyzing the EternalBlue attack packet-by-packet, we can be better prepared to prevent this or similar type attack on our network.

For more on Network Forensics, sign up for my Network Forensics training on Hackers-Arise.


0 views