exploiting-ms17-010-eternalblue-vulnerability
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it
What this skill does
# Exploiting MS17-010 EternalBlue Vulnerability ## Overview MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments. ## When to Use - When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability - When analyzing malware samples or attack artifacts in a controlled environment - When conducting red team exercises or penetration testing engagements - When building detection capabilities based on offensive technique understanding ## Prerequisites - Familiarity with red teaming concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## MITRE ATT&CK Mapping - **T1210** - Exploitation of Remote Services - **T1190** - Exploit Public-Facing Application - **T1569.002** - System Services: Service Execution ## Workflow ### Phase 1: Vulnerability Scanning 1. Scan target networks for SMB port 445 2. Check for SMBv1 protocol support 3. Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary) 4. Document vulnerable systems with OS version and patch level ### Phase 2: Exploitation 1. Select appropriate exploit variant based on target OS 2. Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode) 3. Execute exploit against confirmed vulnerable target 4. Verify code execution and establish session ### Phase 3: Post-Exploitation 1. Establish persistence on compromised system 2. Dump credentials from memory 3. Use compromised host as pivot point 4. Document exploitation evidence ## Tools and Resources | Tool | Purpose | |------|---------| | Nmap ms-17-010 NSE scripts | Vulnerability detection | | Metasploit ms17_010_eternalblue | Exploitation module | | Metasploit ms17_010_psexec | Alternative exploitation | | AutoBlue-MS17-010 | Standalone Python exploit | | CrackMapExec | Mass SMB vulnerability scanning | ## Detection Indicators - IDS/IPS signatures for EternalBlue exploit traffic - SMBv1 negotiation from unusual source hosts - Event ID 7045: New service installation after exploitation - Anomalous named pipe activity on SMB - Large SMB write requests characteristic of buffer overflow ## Validation Criteria - [ ] Vulnerable systems identified via scanning - [ ] Exploitation achieved on authorized target - [ ] Code execution confirmed with session established - [ ] Post-exploitation activities documented - [ ] Remediation recommendations provided
Related in Security
mac-ops
IncludedComprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.
a11y-audit
IncludedRun accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).
erpclaw
IncludedAI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.
assess
IncludedAssesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.
spring-boot-security-jwt
IncludedProvides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.
code-hardcode-audit
IncludedDetect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.