rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

smb_ms17_010: Can't gain a reverse shell over WAN however the target machine has the vuln #8447

Closed 0xIslamTaha closed 7 years ago

0xIslamTaha commented 7 years ago

Scenario: Exploiting Windows 7 Ultimate 7601 Service Pack 1 using the latest ms17_010_eternalblue code https://github.com/rapid7/metasploit-framework/pull/8419 over WAN produces the following error; however, it works perfectly on LAN.

Metasploit Version: metasploit v4.14.20-dev-

[screenshot from 2017-05-24 16-08-01]

linuxdaddy commented 7 years ago

Hey bro, when I try to use this exploit on WAN I get nothing similar to the photo you uploaded.

msf > version
Framework: 4.12.40-dev
Console  : 4.12.40-dev

Even when I set verbose true, I don't get any text like yours. Any help? Much appreciated.

0xIslamTaha commented 7 years ago

@linuxdaddy
Make sure that you have the latest exploit code. I updated my framework to 4.14 and added it manually. Please post how you configured the payload options here.

linuxdaddy commented 7 years ago

I can't upgrade my Metasploit to the latest version. I run Kali Linux. I try apt-get update && apt-get upgrade && apt-get dist-upgrade and still it doesn't update. Tried with msfupdate and it says there are no updates available. I have the actual Kali repo, I mean the first one on the repos page. Need some help here. Thanks in advance!


h00die commented 7 years ago

git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
./msfconsole

??? profit

linuxdaddy commented 7 years ago

Okay, I figured it out. When I try it I get the same results as you, because the target PC gets a Blue Screen of Death every time I run the exploit. This should be fixed somehow.

ghost commented 7 years ago

Please provide %SystemRoot%\memory.dmp file if you can, otherwise nothing can be done to diagnose any BSoD issues.

linuxdaddy commented 7 years ago

Hello, thanks for the reply. It didn't let me upload it here so I used Mediafire. Here is the dmp file. Thanks in advance! http://www.mediafire.com/file/u559yl82jcwv1j2/052917-24523-01.dmp

linuxdaddy commented 7 years ago

Okay, that one was the BSoD from the last time I tried the exploit, before the exploit was updated. Now that it is updated it doesn't crash the PC. If I am right, this error is because my target is x86 and this exploit supports x64 only. Regards!

[screenshot from 2017-05-30 21-26-49]

void-in commented 7 years ago

@linuxdaddy You are targeting x86 Windows 7 while the module only supports x64 at the moment.

linuxdaddy commented 7 years ago

I tried it with x64. Doesn't work on WAN. I use a PPTP VPN that has port forwarding, and all I get when I run the exploit is connection timed out.


0xIslamTaha commented 7 years ago

@linuxdaddy please do show option advanced and post it here

linuxdaddy commented 7 years ago

Here:

[screenshot from 2017-05-31 14-31-26]

0xIslamTaha commented 7 years ago

Sorry, I made a typo; the correct command is show options advanced.

linuxdaddy commented 7 years ago

kk

0xIslamTaha commented 7 years ago

But you didn't set a payload?!

linuxdaddy commented 7 years ago

Isn't it automatically set?

linuxdaddy commented 7 years ago

Because in LAN it works like a charm.

0xIslamTaha commented 7 years ago

In my case I set a payload. If it was set automatically, maybe you can tell me what the payload is and what its options are.

busterb commented 7 years ago

Setting the payload is likely important, because over a WAN (I'm presuming you're doing port forwarding), you'll want to set LHOST to be your public IP address. Otherwise it will default to something that is unlikely to be routable across the internet.

0xIslamTaha commented 7 years ago

@busterb Is it possible to set a list of RHOSTS IPs and loop over them one by one automatically?

linuxdaddy commented 7 years ago

Yes I know, I did set them all. Here is the screenshot.

[screenshot: ayy]

0xIslamTaha commented 7 years ago

@linuxdaddy Your local IP is the public one?

linuxdaddy commented 7 years ago

LHOST is my external IP; do I have to set my 192.168.1.... IP?

0xIslamTaha commented 7 years ago

@linuxdaddy You have to set LHOST=, do port forwarding in your router, and start the payload on your local IP.

Are you sure this target has the vuln? Did you scan it before trying to exploit?

linuxdaddy commented 7 years ago

The target is vuln, it's my other PC. It works on LAN. But I am using a VPN, a PPTP VPN, because my router doesn't have the port forward option (it's blocked). The ISP blocks it. I can do port forwarding with the VPN and it works when I try it with an .exe or .bat payload or whatever. But eternalblue gives me a timeout.

0xIslamTaha commented 7 years ago

Did you set this option? ReverseListenerBindAddress

linuxdaddy commented 7 years ago

No, I should set my VPN IP on it, right?

0xIslamTaha commented 7 years ago

You have to do set LHOST and set ReverseListenerBindAddress.

linuxdaddy commented 7 years ago

Tried it, still the same result.

linuxdaddy commented 7 years ago

I even tried using FuzzBunch; on LAN it works immediately, on WAN it says connection timed out.

0xIslamTaha commented 7 years ago

Are you sure you have the latest module? Check the one in master on GitHub and download it to your modules dir.

linuxdaddy commented 7 years ago

Everything is updated to the latest version from source.

0xIslamTaha commented 7 years ago

Restart your target machine and retry... It happened to me once on LAN.

linuxdaddy commented 7 years ago

Tried, still timeout.

0xIslamTaha commented 7 years ago

Ask a friend to try to hack it; maybe port forwarding in your system doesn't go well. However, I don't understand how you can reach a local machine through your public IP.

linuxdaddy commented 7 years ago

When I create a PowerShell payload and set up the listener, I put my VPN IP on LHOST. When I run the payload on the target machine it gives me a session. I just don't understand why eternalblue doesn't work; maybe its configuration is not made for this kind of port forwarding (with VPN). Thanks for your help. Btw my friends don't even know how to create an email. Regards!

busterb commented 7 years ago

I don't think this is a problem with the exploit but with getting networking set up. If you're going over a VPN, you'll have to make sure you use the right VPN IPs, and make sure that all of the proper routes are set up in both directions. I'd suggest just trying to do something simple like browsing an SMB share over the VPN first, or using netcat to verify routing.

Going to close this ticket since this is turning into a support issue rather than something that looks like a bug.
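busterb's suggestion (verify routing with netcat before blaming the module) and the earlier back-and-forth about LHOST versus ReverseListenerBindAddress can both be checked with a short script. The following is an added example written for this thread, not code from the issue participants or from the Metasploit project. It uses plain sockets only; TCP/445 is the port the scanner and exploit in this thread talk to, and the addresses in it (203.0.113.10 from the documentation range, 127.0.0.1 loopback) are constructed placeholders, not the IPs from the thread.

```python
import errno
import socket
from typing import Dict

SMB_PORT = 445  # the service the scanner and exploit in this thread talk to


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect to host:port as open/refused/timeout/unreachable.

    A 'timeout' to port 445 from outside the LAN is the symptom the thread
    describes, and usually means a firewall, the ISP, or the NAT dropped the
    SYN rather than anything in the module itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def can_bind(addr: str, port: int = 0) -> bool:
    """True if a listener could bind addr:port on this host.

    This is the ReverseListenerBindAddress question: an address that is not
    configured on a local interface (a public IP behind NAT, the far side of
    a VPN) cannot be bound, so the handler must listen on a local address
    while the payload is handed the externally reachable one as LHOST.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((addr, port))
        except OSError:
            return False
        return True


def listener_roundtrip(bind_addr: str, connect_addr: str) -> str:
    """Bind a throwaway listener on bind_addr and probe it via connect_addr.

    The listener plays the handler, the probe plays the payload calling
    back; the return value is tcp_reachable()'s classification.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_reachable(connect_addr, port, timeout=2.0)


def check_handler_config(lhost: str, bind_addr: str) -> Dict[str, object]:
    """Explain whether LHOST and ReverseListenerBindAddress can work together.

    lhost     -> address the payload is told to connect back to
    bind_addr -> address the handler actually listens on (must be local)
    """
    lhost_local = can_bind(lhost)
    bind_local = can_bind(bind_addr)
    if lhost_local:
        verdict = "LHOST is a local address; no separate bind address needed"
    elif bind_local:
        verdict = ("LHOST is not local (public/VPN-forwarded); handler must "
                   "bind ReverseListenerBindAddress and NAT must forward LPORT")
    else:
        verdict = "neither address is on this host; handler cannot listen"
    return {"lhost_is_local": lhost_local,
            "bind_addr_is_local": bind_local,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed values: 203.0.113.10 (TEST-NET-3) stands in for a public or
    # VPN address, 127.0.0.1 for the local interface the handler binds.
    print(check_handler_config("203.0.113.10", "127.0.0.1"))
    print("loopback listener round-trip:",
          listener_roundtrip("127.0.0.1", "127.0.0.1"))
    print("port 445 on loopback:", tcp_reachable("127.0.0.1", SMB_PORT, 1.0))
```

Run it once from the handler side with your own addresses: if check_handler_config reports that LHOST is not local, the handler needs ReverseListenerBindAddress set to the local interface and the forwarding rule for LPORT in place; if tcp_reachable to the target's port 445 returns "timeout" rather than "open", the SMB path is being dropped somewhere between the two hosts and no module option will change that.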

bobtee77 commented 6 years ago

Can anyone help? This is what I get when testing over WAN. I did port forwarding and still get no response; is there something I am missing?

=[ metasploit v4.16.35-dev ]

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 88.117.xxx.xxx
RHOSTS => 88.117.xxx.xxx
msf auxiliary(scanner/smb/smb_ms17_010) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >

bobtee77 commented 6 years ago

@islamTaha12 can you help? I am pretty new to penetration testing. This is what I get when testing over WAN. I did port forwarding and still get no response; is there something I am missing? Otherwise, on LAN it works just fine.

=[ metasploit v4.16.35-dev ]

-- --=[ 1732 exploits - 990 auxiliary - 300 post ]
-- --=[ 509 payloads - 40 encoders - 10 nops ]
-- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 88.117.xxx.xxx
RHOSTS => 88.117.xxx.xxx
msf auxiliary(scanner/smb/smb_ms17_010) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) >

h00die commented 6 years ago

Many ISPs block SMB. Based on how much info you gave us, it could be that. Also, this ticket was closed 8 months ago; don't add to it.