Packet-Level Analysis of the NSA’s EternalBlue Exploit with Wireshark

In April 2017, a clandestine group called the Shadow Brokers unleashed a series of exploits known as EternalBlue, which had been stolen from the National Security Agency (NSA) of the United States. The NSA, tasked with safeguarding U.S. citizens from various threats, including terrorism, also engages in surveillance activities. As part of its operations, the NSA develops and acquires zero-day exploits. It appears that someone within the NSA’s Fort Meade facility in Maryland pilfered some of these exploits and handed them over to this covert group. The Shadow Brokers then attempted to sell these exploits online. When they failed to attract buyers at the minimum asking price (denominated in Bitcoin), they decided to release the exploits to the public.

EternalBlue Exploit

Among these exploits was one named EternalBlue, which exploited a vulnerability in the Server Message Block (SMB) protocol on port 445. This protocol is essential for file, drive, and printer sharing on local area networks. When successfully executed, the exploit allowed attackers to run their code with system administrator privileges on the target system. It bears similarities to an earlier exploit known as MS08-067 but is not the same. Microsoft identified this new vulnerability as MS17-010 and issued a patch in March 2017, likely after being warned by the NSA, which knew the exploits had been stolen and would soon be made public.

Despite Microsoft’s timely patch, later in 2017, the EternalBlue exploit was used in the devastating WannaCry and Petya ransomware attacks, causing widespread chaos globally. Collectively, EternalBlue and its derivatives inflicted damages amounting to tens of millions of dollars, if not more.

EternalBlue Exploit Analysis with Wireshark

Given the severity of the EternalBlue exploit and its profound consequences, it’s crucial to study this attack closely. Understanding it thoroughly will not only help recognize this specific threat but also prepare us to identify future variants.

Step 1: Open Wireshark

Wireshark is an essential tool for analyzing network packets and conducting forensic analysis. For an introduction to this powerful tool, refer to my tutorials on Wireshark Basics.

Step 2: Open the EternalBlue .pcap file

As discussed in previous tutorials on network forensics, Wireshark saves packets in the standard .pcap format. This allows us to capture network traffic and analyze it later. Here, we will be doing exactly that.

You can download a .pcap capture of the EternalBlue exploit from DropBox.

Download the file: eternalblue-success-unpatched-win7-1.pcap.

For more information about SMB and Microsoft’s implementation of it, refer to Microsoft’s comprehensive documentation.

Step 3: Open the file with Wireshark

After loading the .pcap file into Wireshark, examine packets 6 and 7. These packets show the SMB protocol negotiation, specifically the Negotiate Protocol Request and Response. These packets initiate SMB protocol communication.

In the subsequent packet, you will see a Session Setup with the user “anonymous.”

Following this, observe the “Tree Connect” packet with the Path: \\192.168.198.203\IPC$. This indicates the remote system’s attempt to connect to an IPC share on the target machine. The IPC share attempt and the IP address are visible in the lower window.

Step 4: Create an SMB Filter

To focus solely on SMB packets, enter “smb” in the filter window (Wireshark display filter names are lowercase). This will simplify our analysis by displaying only SMB packets.

Step 5: NT Trans Request

The exploit then sends an NT Trans Request with a large payload, including numerous NOPs (seen in Wireshark’s lower window). This prepares the SMB protocol for the specially crafted packet needed for exploitation.

This large NT Trans Request triggers many Secondary Trans2 Requests due to its size. These requests contain the shellcode and encrypted payload, launching the malware on the remote machine.

Step 6: Trans2 Response

Navigate to packet #165, where a Trans2 Response with STATUS_INVALID_PARAMETER appears. This response indicates a successful overwrite on the victim’s machine.

Step 7: Finding the Signature of a Successful Payload Installation

To confirm if the payload was successfully installed, look for the SMB Multiplex ID = 82 field in the packets. Create a filter for this field and search for it in the packet stream.

Finding this field indicates a successful payload installation and that the attacker has executed their remote code.

This SMB MultiplexID=82 is a key signature of a successful attack. Snort rules for detecting EternalBlue include this field.

For more on Snort rules, check out my tutorial “How to Read and Write Snort Rules.”
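
The checks from Steps 6 and 7, written as an SMB1 header parser a defender could run over reassembled TCP/445 payloads (an added example, not part of the original tutorial). It assumes each payload starts with the 4-byte NetBIOS session header; the function names, the indicator labels, the choice to test the Multiplex ID only on Trans2 messages, and the sample bytes are constructed for illustration.

```python
import struct

# SMB1 header that follows the 4-byte NetBIOS session header on TCP/445:
# magic, command, NT status, flags, flags2, PID high, signature, reserved,
# TID, PID low, UID, MID (32 bytes, little-endian).
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_COM_TRANSACTION2 = 0x32
STATUS_INVALID_PARAMETER = 0xC000000D
FLAG_REPLY = 0x80          # set on server-to-client messages
PAGE_SIGNATURE_MID = 82    # Multiplex ID value named in Step 7


def parse_smb1(tcp_payload: bytes):
    """Return SMB1 header fields, or None if this is not an SMB1 message."""
    body = tcp_payload[4:]                     # skip NetBIOS session header
    if len(body) < SMB1_HEADER.size or body[:4] != b"\xffSMB":
        return None                            # truncated, SMB2 (\xfeSMB), other
    (_, cmd, status, flags, _, _, _, _,
     tid, _, uid, mid) = SMB1_HEADER.unpack_from(body)
    return {"cmd": cmd, "status": status, "reply": bool(flags & FLAG_REPLY),
            "tid": tid, "uid": uid, "mid": mid}


def indicators(tcp_payload: bytes):
    """Map one TCP payload to the indicators described in Steps 6 and 7."""
    hdr = parse_smb1(tcp_payload)
    found = []
    if hdr is None or hdr["cmd"] != SMB_COM_TRANSACTION2:
        return found
    # Wireshark equivalent: smb.cmd == 0x32 && smb.nt_status == 0xc000000d
    if hdr["reply"] and hdr["status"] == STATUS_INVALID_PARAMETER:
        found.append("trans2-response-invalid-parameter")
    # Wireshark equivalent: smb.mid == 82
    if hdr["mid"] == PAGE_SIGNATURE_MID:
        found.append("trans2-mid-82")
    return found


def build_sample(cmd, status, flags, mid):
    """Constructed input: NetBIOS header + bare SMB1 header (no body)."""
    smb = SMB1_HEADER.pack(b"\xffSMB", cmd, status, flags, 0xC007, 0,
                           b"\0" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for sample in (build_sample(0x32, STATUS_INVALID_PARAMETER, 0x98, 65),
                   build_sample(0x32, 0, 0x98, 82),
                   build_sample(0x72, 0, 0x98, 82)):
        print(parse_smb1(sample), indicators(sample))
```

A Multiplex ID of 82 can also occur in ordinary SMB sessions, so treat a match as a lead to correlate with the Step 6 response rather than as proof on its own.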

Step 8: Follow the Stream

Right-click on the Trans2 packet from Step #5 and select Follow -> TCP Stream to view packet contents. This reveals the payload details that caused the buffer overflow and enabled the exploit.

By following the stream, Wireshark displays the payload contents.

Conclusion

Detecting and preventing network attacks is a crucial responsibility for network and information security engineers. Understanding attacks at the packet level is essential. By analyzing the EternalBlue attack step-by-step, we can better defend our networks against similar threats.

For more on Network Forensics, enroll in my Network Forensics training on Hackers-Arise.