Anthropic-Cybersecurity-Skills/skills/exploiting-ms17-010-eternalblue-vulnerability/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: MS17-010 (EternalBlue) Detection
## CVE-2017-0144 — EternalBlue
### Affected Systems
- Windows XP, Vista, 7, 8, 8.1, 10 (pre-patch)
- Windows Server 2003, 2008, 2008 R2, 2012, 2016 (pre-patch)
### Protocol: SMBv1 over TCP 445 (the vulnerable code lives in the kernel SMBv1 server driver, srv.sys)
## Nmap NSE Script
### Check for MS17-010
```bash
nmap -p 445 -Pn --script smb-vuln-ms17-010 <target>
```
The script connects to the `IPC$` tree and issues a transaction on FID 0; an unpatched host answers with `STATUS_INSUFF_SERVER_RESOURCES`, which is the signal the script keys on. `-Pn` is optional but avoids skipping hosts that drop ICMP.
### Output (Vulnerable)
```
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH  CVSSv2: 9.3
```
## SMB Protocol Basics
### Negotiate Protocol Request
Offsets are from the start of the TCP payload, i.e. they include the 4-byte NetBIOS session header. The SMB1 header itself is 32 bytes (offsets 4 to 35); the Negotiate body follows it.
| Offset | Size | Field |
|--------|------|-------|
| 0 | 4 | NetBIOS Session header (type 0x00 + 3-byte big-endian length) |
| 4 | 4 | SMB magic (0xFF 'S' 'M' 'B' = 0xFF534D42) |
| 8 | 1 | Command (0x72 = SMB_COM_NEGOTIATE) |
| 9 | 4 | NT Status (zero in requests) |
| 13 | 1 | Flags |
| 14 | 2 | Flags2 (Unicode, NT status codes, extended security) |
| 16 | 2 | PID high |
| 18 | 8 | Security signature |
| 26 | 2 | Reserved |
| 28 | 2 | TID |
| 30 | 2 | PID low |
| 32 | 2 | UID |
| 34 | 2 | MID |
| 36 | 1 | WordCount (0 for Negotiate) |
| 37 | 2 | ByteCount |
| 39 | var | Dialects, each as 0x02 + name + NUL (e.g. `NT LM 0.12`) |
### SMB Versions
| Version | Protocol | Notes |
|---------|----------|-------|
| SMBv1 | NT LM 0.12 | Vulnerable to EternalBlue |
| SMBv2 | SMB 2.002 | Not vulnerable |
| SMBv3 | SMB 3.0 | Not vulnerable |

The dialect is negotiated per connection, not per host. A server that supports SMBv2/3 is still exposed if SMBv1 has not been disabled, because the exploit simply offers the `NT LM 0.12` dialect and the server accepts it. Patch state and SMBv1 availability are therefore two separate checks.
## Python Socket Check
### SMBv1 Connection Test
```python
import socket

def smb1_negotiate(target, negotiate_packet, port=445, timeout=5):
    """Send a raw SMBv1 Negotiate Protocol Request and return the reply bytes.
    negotiate_packet: NetBIOS session header + 32-byte SMB header (command 0x72) + dialect list."""
    with socket.create_connection((target, port), timeout=timeout) as sock:
        sock.sendall(negotiate_packet)
        return sock.recv(4096)  # b"" (or a timeout) means the host did not answer SMBv1
```
## Metasploit Module (Authorized Testing)
### Scanner
```
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target>
run
```
The module uses the same `STATUS_INSUFF_SERVER_RESOURCES` check as the Nmap script and additionally reports whether the host already carries the DoublePulsar SMB implant, which matters during incident response: an "INFECTED" result means the box has been exploited, not merely exposed.
### Detection Events
| Source | Indicator |
|--------|-----------|
| Windows System log, Event 7036 (Service Control Manager) | Service state change on the target around the time of the SMB activity |
| Sysmon Event 3 (NetworkConnect) | Outbound connection to TCP 445, especially one source fanning out to many hosts |
| IDS | Signature for EternalBlue SMB exploit traffic |
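The Sysmon row above only names a field to look at. To show what an alertable rule over that data looks like, here is an added example (not part of the original reference) that runs a 445 fan-out detection over constructed Sysmon Event ID 3 records: a source image that reaches many distinct hosts on TCP 445 inside a short window is flagged, while a single file-server connection or slow share browsing is not. The events, host names and paths are invented sample data; the field names follow Sysmon's NetworkConnect schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 3 (NetworkConnect) records, not real telemetry.
# Only the fields the detection uses are kept.
SAMPLE_EVENTS = [
    # Normal: one workstation service talking to one file server.
    {"UtcTime": "2026-03-11 00:20:01", "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.20", "DestinationPort": 445},
    # Suspicious: a binary in %TEMP% sweeping six hosts on 445 within 30 seconds.
    *[{"UtcTime": f"2026-03-11 00:21:{5 * i:02d}", "Computer": "WS01",
       "Image": r"C:\Users\bob\AppData\Local\Temp\scan.exe",
       "SourceIp": "10.0.0.5", "DestinationIp": f"10.0.0.{21 + i}", "DestinationPort": 445}
      for i in range(6)],
    # Same binary on 139: a different port, ignored by a 445-only rule.
    {"UtcTime": "2026-03-11 00:21:10", "Computer": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\scan.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.21", "DestinationPort": 139},
    # Benign: explorer.exe browsing three shares spread over ten minutes.
    *[{"UtcTime": f"2026-03-11 00:{10 + 5 * i}:00", "Computer": "WS02", "Image": r"C:\Windows\explorer.exe",
       "SourceIp": "10.0.0.6", "DestinationIp": f"10.0.0.{30 + i}", "DestinationPort": 445}
      for i in range(3)],
]


def smb_fanout(events, threshold=5, window=timedelta(minutes=2), port=445):
    """Flag (Computer, Image) pairs that reach >= threshold distinct hosts on `port`
    inside a sliding `window`: the sweep that typically precedes an MS17-010 attempt.

    Returns {source: sorted destinations seen in the window that tripped the threshold}.
    """
    by_source = defaultdict(list)
    for e in events:
        if int(e["DestinationPort"]) != port:
            continue
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        by_source[(e["Computer"], e["Image"])].append((ts, e["DestinationIp"]))

    flagged = {}
    for source, conns in by_source.items():
        conns.sort()
        recent = []
        for ts, dst in conns:
            recent.append((ts, dst))
            recent = [c for c in recent if ts - c[0] <= window]  # drop connections older than the window
            distinct = {c[1] for c in recent}
            if len(distinct) >= threshold:
                flagged[source] = sorted(distinct)
                break  # one alert per source is enough for triage
    return flagged


if __name__ == "__main__":
    for (computer, image), targets in smb_fanout(SAMPLE_EVENTS).items():
        print(f"{computer} {image} -> {len(targets)} hosts on 445: {', '.join(targets)}")
```

Tune `threshold` and `window` to the environment: backup agents, vulnerability scanners and SCCM distribution points legitimately fan out on 445 and belong on an allow-list keyed on `Image` or `Computer`, not a raised global threshold.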
## Remediation
1. Apply the MS17-010 update (security bulletin KB4013389). The package is per OS; KB4012598 is the out-of-band update for Windows XP, Vista, 8 and Server 2003/2008. This is the only step that fixes the vulnerable srv.sys code; the rest are mitigations.
2. Disable SMBv1 on the server side. Windows 8.1 / Server 2012 R2 and later: `Set-SmbServerConfiguration -EnableSMB1Protocol $false`. Windows 7 / Server 2008 R2: `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force`. Verify with `Get-SmbServerConfiguration | Select EnableSMB1Protocol` where the cmdlet exists, or with the socket check above.
3. Block TCP 445 (and 139) at the network perimeter and between workstation subnets; the exploit needs a direct SMB connection to the target.
4. Enable Windows Firewall rules that block inbound 445 on hosts that do not serve files, so a compromised workstation cannot reach its neighbours.
## Suricata Detection Rule
```
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT EternalBlue Attempt"; \
  flow:established,to_server; content:"|ff|SMB|73|"; \
  content:"|08 00|"; within:2; distance:54; \
  classtype:attempted-admin; sid:2024217; rev:1;)
```
Two caveats before deploying this. `|ff|SMB|73|` is the SMBv1 magic followed by command 0x73 (SMB_COM_SESSION_SETUP_ANDX), which every SMBv1 logon sends, so on its own this content is an SMBv1-activity indicator rather than proof of exploitation; validate it against lab traffic and prefer the maintained ET Open EternalBlue signatures for production. The sid 2024217 sits in the Emerging Threats range (2000000-2999999); a locally edited copy should use a local sid (1000000-1999999) so it does not collide with the vendor rule on the next ruleset update.