Robᵇᵉᵗᵒ Graham
Wed Jun 05 16:44:52 +0000 2019

1/ So I thought I'd write up a few explanations of what you see in this video. To start with, the left-hand screen shows the 'hacker' running on their machine (Linux) on the left, and the victim run Windows Server 2008 on the right.

2/ On the left, the 'hacker' has loaded Metasploit, a toolkit containing lots of infrastructure for exploiting systems, and tons of exploits. Instead of writing a bluekeep exploit from scratch, they are writing it for use within Metasploit

3/ What you don't see before the start of this video is how they've loaded metasploit. chosen their 'target' and which 'exploit' (their newly written bluekeep exploit) they are using.

4/ You see only after they've chosen all the parameters of the attack and they've typed "exploit" to launch it. After that, you see a bunch of status messages as their bluekeep exploit tells them what's going on, ending in message telling them it's been successful.

5/ This is a "connect-back" exploit, meaning that once the system has been successfully exploited, it connects back to the hacker with a new TCP connection, then downloads the 'meterpreter' shell into the victim system.

6/ This is a 'shell', but not a PowerShell or cmd.exe command-line, but a specially designed command-line for working with Metasploit on compromised systems.

7/ At 0:14 into the video, the 'hacker' types their first commands, getuid, to query the system which user account they've got. If targeting a program like Word, you'll get just the account of the user running Word.

8/ Such user accounts are limitted, what we really want is an "Administrator" account that has full access to the machine. Luckily, the Remote Desktop service already runs as Administrator, so that's the account we get with this exploit, as confirmed in the video.

9/ The next thing the 'hacker' does is load then run 'mimikatz'. This program is designed to scrape any additional user accounts that may be on the system. In particular, it's hoping to get Domain accounts that allows us to 'move laterally', to log into other computers on the net

10/ This is generally the first thing a hacker does when breaking into a system. More importantly, it's often the first thing those catastrophic ransomware worms (like notPetya) do when breaking into a system.

11/ The danger of the coming worm isn't that it'll spread to unpatched systems, most corporate systems will be patched. Instead, the worm gets a few of the remaining unpatched system, and then uses this 'mimikatz' technique to move laterally to patched systems...

12/ ...or to systems that aren't running Remote Desktop in the first place. If it gets lucky, it might get a Domain Administrator account. At that point, it's game over for the organization. The worm hacks the Domain Controller, than ALL THE OTHER COMPUTERS.

13/ That's what happened with notPetya and shipping giant Maersk. The ransomware got into the Domain Controller, then from there to all the backup Domain Controllers, and thence to every other computer in the network.

14/ The only computer left was a backup Domain Controller in Africa that happened to be turned off during the attack. Yes, all these computers where patched, that wasn't the problem. The problem was a single unpatched computer that gave up a Domain Admin account.

15/ So what this video shows is all the expected steps to show that this exploit will work as expected. And you can believe the author, because they've already demonstrated they thoroughly understand the problem. My 'rdpscan' tool is based on their clever test for the vuln.

16/ BTW, during the entire video, nothing happens on the right hand side. That, too, is proof. It's showing that they haven't crashed the machine throughout the attack.

17/ Because this a kernel level exploit in a driver, when things go wrong, then it will bluescreen/crash the Windows systems, forcing a reboot. When the worm hits, it'll likely target a few popular Windows versions and bluescreen the rest.

18/ Each version of Windows needs a slight adjustment to the exploit. The same was true of ETERNALBLUE, and why it was so important the NSA made it robust enough to not bluescreen/crash targets.

19/ I highly recommend this Ars Technica article by @dangoodin001:

20/ So this is a good equestion: what's the alphanumeric string in the tweet above the video? The answer is that it's a "cryptographic hash", probably of the metasploit plugin.

21/ It means once somebody else publishes their exploit, the author can publish their exploit, and prove in the future it matched the same exploit published here in the past.