creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/exploiting-ms17-010-eternalblue-vulnerability/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.0 KiB
Raw Blame History

API Reference: MS17-010 (EternalBlue) Detection

CVE-2017-0144 — EternalBlue

Affected Systems

  • Windows XP, Vista, 7, 8, 8.1, 10 (pre-patch)
  • Windows Server 2003, 2008, 2008 R2, 2012, 2016 (pre-patch)

Protocol: SMBv1 (Port 445)

Nmap NSE Script

Check for MS17-010

nmap -p 445 --script smb-vuln-ms17-010 <target>

Output (Vulnerable)

PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers
|     Risk factor: HIGH  CVSSv2: 9.3

SMB Protocol Basics

Negotiate Protocol Request

Offset Size Field
0 4 NetBIOS Session header
4 4 SMB magic (0xFF534D42)
8 1 Command (0x72 = Negotiate)
9 4 Status
13 1 Flags

SMB Versions

Version Protocol Notes
SMBv1 NT LM 0.12 Vulnerable to EternalBlue
SMBv2 SMB 2.002 Not vulnerable
SMBv3 SMB 3.0 Not vulnerable

Python Socket Check

SMBv1 Connection Test

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((target, 445))
sock.send(SMB_NEGOTIATE_PACKET)
response = sock.recv(4096)

Metasploit Module (Authorized Testing)

Scanner

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target>
run

Detection Events

Source Indicator
Windows Event 7036 Service state change
Sysmon Event 3 Network connection to 445
IDS Signature for EternalBlue SMB exploit

Remediation

  1. Apply MS17-010 patch (KB4012598 / KB4013389)
  2. Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false
  3. Block port 445 at network perimeter
  4. Enable Windows Firewall rules for SMB

Suricata Detection Rule

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT EternalBlue Attempt";
  flow:established,to_server; content:"|ff|SMB|73|";
  content:"|08 00|"; within:2; distance:54; sid:2024217;)
Reference in New Issue View Git Blame Copy Permalink