1 week ago

How to Discover Computers Vulnerable to EternalBlue & EternalRomance Zero-Days « Null Byte :: WonderHowTo

The public leaks of NSA tools along with also information have led to the Discharge of previously secret zero-day exploits such as EternalBlue, used inside notorious WannaCry ransomware attack. Despite multiple patches being released, many users have failed to update their systems, along with also as such many devices are still vulnerable to these currently-public attacks.In This kind of guide, Eternal Scanner is usually used to assist in automating the process of scanning for vulnerable devices.

CVE-2017-0144, or EternalBlue, along with also CVE-2017-0145, or EternalRomance, originally came to light following the Shadow Brokers’ leaks of NSA compromised tools. These exploits targeted errors in Microsoft’s Server Message Block protocol implementation (or SMB).

Don’t Miss: How to Use the Shodan API with Python to Automate Scans for Vulnerable Devices

These vulnerabilities are especially valuable to attackers as a maliciously crafted packet allows for remote code execution, which could carry malware payloads such as ransomware or a remote access toolkit. These exploits have already been used to distribute ransomware such as WannaCry, Petya/NotPetya, along with also Bad Rabbit.

A WannaCry decryption window displayed on Windows 10. Image by GReAT/Securelist

While most users have updated by currently, along with also many of the internet facing devices vulnerable to these exploits have already been attacked, there are many devices on local networks not directly exposed to the internet that will may still be at risk. Any infected device joining the network can spread the infection to vulnerable devices on the same network, so being able to scan a network or IP range for these vulnerabilities allows one to ensure that will their own internal network is usually currently protected against these attacks. Additionally, This kind of exercise will help you gain insight into the methodology of how a hacker seeks out along with also attacks vulnerable devices.

Step 1: Installing Requirements

Eternal Scanner utilizes quite a few tools in order to scan for vulnerable devices. Masscan is usually used to scan for devices within an IP range, along with also the Metasploit Framework is usually used to check for vulnerabilities. In addition, Wget is usually used to update the tool itself. quite a few Python modules are also required to detect additional vulnerabilities. To install the prerequisites on a Debian-based system such as Kali or Ubuntu, run the command below in a command line window.

apt-get install masscan metasploit-framework wget python-pip

If the Python modules are available in your system repositories, they can be installed by running the command below.

sudo apt-get install python-crypto python-impacket python-pyasn1-modules

If the modules are not available in your system repositories, they can also be installed using pip.

pip install crypto impacket pyasn1-modules

With the requirements installed, we can currently download Eternal Scanner by Git.

git clone https://github.com/peterpt/eternal_scanner

currently, Eternal Scanner is usually ready to install along with also run.

Step 2: Using Eternal Scanner

To install Eternal Scanner, first change directory into the Git cloned directory using cd.

cd eternal_scanner

Once inside directory, Eternal Scanner can be run using the following command.


On the first run of the script, the tool will automatically be installed along with also can currently be run by simply entering escan. To continue to use the tool upon the first run, simply press the Enter key.

by here, the Eternal Scanner splash screen should open.

In order to scan your local network, enter the first three octets of your local network IP followed by the desired range. To scan every address within the subnet, a string such as “1/24” could be used. If you are uncertain of your subnet IP format, you can run netstat -rn in a brand-new terminal window along with also look at the “Gateway” IP address shown.

This kind of IP will most likely be something like “” or “” inside example above, the first three octets returned by netstat are “192.168.0” so was used as the input for Eternal Scanner, as shown below.

If all of the systems on your local network are updated, you most likely won’t receive vulnerable targets, which is usually most likely a Great thing. If This kind of were to be run against a larger IP ranger on the internet, something which touched more of the 4,294,967,296 theoretically possible IP address, more results might much more likely be found, along with also these results could still be very valuable to an attacker, even if the devices had already been attacked.

As the shell script itself makes quite a few direct calls to the programs which were installed as prerequisites, we can also replicate a similar process manually by directly creating similar requests to these same tools, including Masscan along with also the Metasploit Framework.

Step 3: creating Masscan Requests Directly

To examine the Masscan request, we can have a look at the shell script itself. To open that will in nano, run nano escan by the folder which was cloned by Git. To specifically find the Masscan request, press Ctrl+W along with also press Enter until you reach the Masscan request string.

The highlighted line inside image above applies several variables defined inside script.

masscan “$ip” -p “$port” –rate “$rt” –exclude –output-filename “$mass”

Some variables, such as “$port,” are defined inside beginning of the script, as shown below, where the variable “port” is usually set to “455.”

We can also manually fill in This kind of same string directly using our own parameters. The same IP address or range used earlier, such as “” can replace “$ip.” The port, or ports, to scan, such as “455” can replace “$port” directly. The rate, or “$rt” can be replaced with “500.” Finally, “$mass” can be replaced with the desired filename of the output of Masscan. This kind of output will be formatted as an XML file, so that will may be useful to remove the “–output-filename” parameter by the command. The complete string may appear similar to the one below.

masscan -p 455 –rate 500 –exclude –output-filename out.txt

The “–exclude” parameter exists as a preventative measure inside original script in order to establish a confirmation if the range is usually deemed too large by masscan. This kind of is usually not required for a tiny-range scan, although may be useful for larger sets.

If no devices have an open port 455, then This kind of scan will not return any results. To test more common ports, we can use a much simpler string, such as the one below.

masscan -p80,23

This kind of scan also tests all IP addresses within the “192.168.0” subnet, along with also specifically tests for port 80, used for HTTP, along with also port 23, used for Telnet.

As shown inside results of This kind of scan above, an open port 23 was discovered at, as well as an open port 80 at While This kind of might not necessarily be consistent across every network, if This kind of scan was performed across a wider IP range on the internet there might surely be a tremendous amount of results.

A string such as the one below will attempt the same scan as the one shown above, although across the entire internet rather than 1 subnet. This kind of will, on most devices along with also internet connections, take a very long time to complete.

masscan -p80,23 –exclude

We can compare the results of Masscan to the output of a similar, narrower-range network scanner, Nmap. Nmap is usually available in most Linux repositories, along with also on Debian-based systems, that will can be installed using the command below.

sudo apt-get install nmap

Running a scan such as the one defined inside string below will run a TCP SYN scan across the local subnet, along with also return practically every common port which may be open on any device connected to the network.

sudo nmap -sS

Example results for such a scan are shown below. This kind of scan result provides much more detail than Masscan’s port-specific report, although is usually far less effective at wider network ranges, as that will was not designed for scanning the entire internet.

With an understanding of how the script utilizes Masscan to discover potentially vulnerable IP addresses, we can also examine how the actual test process works.

Step 4: Using Metasploit to Test EternalBlue Vulnerability

To see how the script calls the Metasploit Framework, we can Yet again open the file directly. To do This kind of using nano, run nano escan by the folder Eternal Scanner folder. To search for the msfconsole request, press Ctrl+W, type msfconsole, along with also press Enter until you reach the code shown inside image below.

Each of the “echo” commands which end in “>> “$defdir/msf.rc”” are commands which are sent to the Metasploit Framework console. While these commands include quite a few variables set by the script, they can also be manually executed by us. To launch the Metasploit console, simply enter msfconsole at a command line.

Launching Metasploit may initially print quite a few database connection errors. While these will not necessarily limit the function required with This kind of tutorial, using the database will speed usage of Metasploit when searching for certain modules. If you have already configured the database, that will can be launched with service start postgresql or systemctl start postgresql. Once Metasploit is usually running, we can proceed with using the commands as defined inside scanning script. Entering the command below into the Metasploit console will load the module which can test for EternalBlue vulnerability.

use auxiliary/scanner/smb/smb_ms17_010

Once This kind of module is usually loaded, we can view more information about that will by typing info along with also pressing enter.

This kind of shows that will that will is usually indeed the desired detection module, checking for the “SMB RCE” vulnerability, or EternalBlue. To show the configuration options for the module, we can enter options along with also press enter.

This kind of shows quite a few the configuration parameters which were automatically set within the Eternal Scanner script, such as “RHOSTS,” “RPORT,” along with also “THREADS.” These configuration parameters can also be manually set by us. Some of them may already have defined values, although the most important, the target address, has most likely not been set. To set This kind of parameter, we can use the “set” command, then the name of the setting, such as “RHOSTS,” followed by the IP which one wishes to test. This kind of may be one of the same IP addresses discovered earlier by Masscan.


After This kind of value is usually set, we can ensure the modifications were written by running options again.

After all desired options are set, the vulnerability can be tested by simply typing exploit along with also pressing Enter.

If the device is usually not vulnerable to the exploit, the module will complete its execution although the although the scanner will not return any results. This kind of same methodology can be applied to many additional Metasploit modules, along with also additionally the method in which Eternal Scanner called the Metasploit Framework to test these vulnerabilities could be applied for additional modules as well.

Defending Against Scanning-Based Attacks

The first line of defense is usually to minimize the number of vulnerable systems that will could be discovered by maintaining updated systems. Scanning is usually a double-edged sword, along with also limiting your exposure involves being aware of what sort of fingerprint along with also internet presence your devices have.

This kind of could involve checking the privacy along with also security settings for your devices, scanning for your own outgoing IP addresses on search engines such as Shodan, or even using port scanners such as Nmap along with also Masscan, as detailed in This kind of tutorial to be better aware of what your network looks like to a hacker.

How to Find Vulnerable Webcams Across the Globe Using Shodan

The majority of automated attacks are derived by publicly released vulnerabilities, spurring a rush to find along with also exploit any unpatched devices by hackers. These vulnerabilities are rarely known to the public prior to a patch becoming available, so the best defense is usually Great security settings with automatic updates enabled when possible.

Scan Your Network to Be the First to Know About Problems

While our guide focuses on how an attacker might use these tools, the same principals will apply to anyone trying to secure their network. Hackers using publically released vulnerabilities need owners of the network to either fail to apply patches or be unaware there is usually an issue to be fixed inside first place, so you can take that will power back by learning to scan your network. Discovering a serious vulnerability on your network first gives you the upper hand in responding to that will, so learning to be aware is usually the first key to defending yourself.

I expect that will you enjoyed This kind of tutorial on web scanning for vulnerabilities! If you have any questions about This kind of tutorial or w3af, feel free to leave a comment or reach me on Twitter, @tahkion.

Cover photo by Kody/ Null Byte
Screenshots by TAKHION/Null Byte

Leave a Comment

Your email address will not be published. Required fields are marked *

8 − 2 =