Assignment 1
Subject: ITNET302A_118
Title: Advanced Network Security 1: EternalBlue
Lecturer: David Best
Due Date: 11:59pm Sunday 15th September
On August 13th, 2016, the Shadow Brokers tweeted their sale page for an all-inclusive, state-sponsored cyber weapons toolkit developed by the Equation Group.
No one bought.
In response, on April 14th, 2017, the Shadow Brokers tweeted "...TheShadowBrokers rather being getting drunk with McAfee on a desert island with hot babes..." and released the exploits free of charge. One of these exploits, leveraging vulnerability CVE-2017-0144, has the name EternalBlue.
FilesRUs is a small company with 30 employees that earns its profits from hosting files for clients.
FilesRUs is all-inclusive, offering hosting solutions across all file transfer protocols, such as FTP, HTTP, SMB, SFTP, SCP, WebDAV and more. This hosting solution allows any customer to upload files and any internet user to download files using any of the available file transfer protocols.
In this scenario you work for FilesRUs as a recently employed undergraduate. Your job responsibilities include customer service and managing the file servers through file transfers and configuration. This is a non-trivial task as you are in the Corporate Environment and the Windows fileservers are segregated off in a DMZ that is only accessible via RDP using a domain account.
Without the ability to use normal file transfer protocols, such as SMB, you are forced to use RDP. You have noticed you can RDP in and out of the DMZ, speeding up this process. Reviewing documentation on this, you notice there is no company vulnerability patch management process.
Your boss has recently learned that SMB is being targeted by the EternalBlue exploit and is concerned about the company’s Windows file servers as they have SMB externally facing for customers and internet users. He has supplied you with a simplified company network diagram (below) and asked you, the network security student, to write a research paper addressing the following concerns:
• Why does the CVE-2017-0144 vulnerability occur? (cover all 3 components)
• How is CVE-2017-0144 leveraged to perform the EternalBlue exploit?
• Using a risk matrix, what risk does the EternalBlue exploit pose to Files’R’Us?
  (Include a risk rating with a brief justification)
• Provide a Proof of Concept (PoC) EternalBlue exploitation against one of Files’R’Us machines and, using your shell, print the flag on the tafe user’s Desktop.
• Immediate mitigation and/or remediation actions
  (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware)
• Prevention measures that can be taken to reduce/eliminate future events
  (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware)
As part of the exploitation process, include screenshots of the following:
• Network discovery of the Virtual Machine, including discovery of port 445 being open
• Vulnerability scanning for EternalBlue against the Virtual Machine
• Exploitation being launched
• Successful shell acquired
• Using the shell, printing the file contents of C:\Users\tafe\Desktop\flag.txt
Domain Impact
As a recent hire, you want to impress your boss by going above and beyond. You decide to use your knowledge of the company’s business operations and network setup to determine, in the event of a compromised DMZ, whether the Corporate environment can also be compromised.
Knowing that RDP is the only allowed port (3389) between the DMZ and Corporate environment, EternalBlue cannot be used to attack the Corporate environment; however, employees are still using RDP to access the DMZ.
The question remains:
If the DMZ is compromised and employees are still accessing it via RDP, can an attacker spread to the corporate environment?
Your boss is a stickler for details and a single sentence saying Yes or No will not suffice.
In a paragraph, justify your Yes or No response. If you have chosen Yes, include a theoretical exploitation path. An exploitation path is a quick summary of the steps taken to go from nothing to owned. You do not need to do a deep dive explanation, just theoretical conceptual steps. “I bruteforced __________ and owned everything” is not a valid response.
For example, a possible exploitation path to compromise a domain via phishing would be:
1. Clone company’s Outlook web login page and host it on an attacker-controlled server
2. Send phishing email asking company employees to log in, including a link to the attacker-controlled Outlook web login page
3. Capture employee credentials as they click the phishing link and try to log in
4. Access the corporate network using employee credentials
5. Using Wireshark, sniff HTTP traffic on port 80 to capture domain administrative credentials
6. Once acquired, log into the domain controller and add a new domain administrative user.
Network Diagram

Note: This diagram has been simplified to paint an easy-to-understand picture for you regarding the domain impact question. It is missing some irrelevant details on purpose, for example, how the corporate environment accesses the internet.
Ransomware is not part of EternalBlue. EternalBlue does not need Ransomware, it does not include Ransomware and is fully functional without any Ransomware component. Ransomware is a post-exploitation choice by attackers to blackmail for money. If you include Ransomware in your paper, it is only relevant to the risk assessment section.
Contextual Metaphor: If Ransomware is a falling rock, then EternalBlue is gravity. The rock relies on gravity to fall, but gravity will exist regardless of the rock. EternalBlue will exist regardless of Ransomware.
I’ve listed an example paper structure below. This is by no means a “must follow” structure, feel free to mix it up as you see fit as long as you cover all the deliverables.
• Title page
• Table of Contents
• Introduction/Abstract
• CVE-2017-0144 Writeup
  o Cover all 3 issues
• EternalBlue Writeup
  o Explain how EternalBlue leverages CVE-2017-0144 to perform an exploit
• Practical EternalBlue exploitation
• Risk assessment
  o Include a risk matrix and the assigned risk rating you have chosen, with a brief justification why.
• Domain Impact assessment
• Immediate remediation/mitigation actions
• Future prevention policies (read the scenario carefully)
• References/Figures/Spelling/Grammar
Marking Rubric
Each component will be assessed on the following criteria:
• Organisation and Structure
• Knowledge/Understanding
• Communication
• Spelling and grammar
• Figures/References
The associated marks for each component are as follows:

| Component | Total Marks |
|---|---|
| Title page | 1 |
| Table of Contents | 1 |
| Introduction | 3 |
| Discussion of first vulnerability | 8 |
| Discussion of second vulnerability | 8 |
| Discussion of third vulnerability | 8 |
| Explanation of how the vulnerabilities are combined to form the EternalBlue exploit | 6 |
| EternalBlue exploitation | 10 |
| Risk Assessment | 10 |
| Domain impact assessment | 5 |
| Immediate mitigation/remediation advice | 9 |
| Future prevention policies | 9 |
| References and Figures | 5 |
| Spelling and Grammar | 2 |
| Total Marks | 85 |