exploiting-ms17-010-eternalblue-vulnerability
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it
Best use case
exploiting-ms17-010-eternalblue-vulnerability is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it
Teams using exploiting-ms17-010-eternalblue-vulnerability should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How exploiting-ms17-010-eternalblue-vulnerability Compares
| Feature / Agent | exploiting-ms17-010-eternalblue-vulnerability | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Exploiting MS17-010 EternalBlue Vulnerability ## Overview MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments. ## When to Use - When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability - When analyzing malware samples or attack artifacts in a controlled environment - When conducting red team exercises or penetration testing engagements - When building detection capabilities based on offensive technique understanding ## Prerequisites - Familiarity with red teaming concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## MITRE ATT&CK Mapping - **T1210** - Exploitation of Remote Services - **T1190** - Exploit Public-Facing Application - **T1569.002** - System Services: Service Execution ## Workflow ### Phase 1: Vulnerability Scanning 1. Scan target networks for SMB port 445 2. Check for SMBv1 protocol support 3. Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary) 4. Document vulnerable systems with OS version and patch level ### Phase 2: Exploitation 1. Select appropriate exploit variant based on target OS 2. Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode) 3. Execute exploit against confirmed vulnerable target 4. Verify code execution and establish session ### Phase 3: Post-Exploitation 1. Establish persistence on compromised system 2. Dump credentials from memory 3. Use compromised host as pivot point 4. Document exploitation evidence ## Tools and Resources | Tool | Purpose | |------|---------| | Nmap ms-17-010 NSE scripts | Vulnerability detection | | Metasploit ms17_010_eternalblue | Exploitation module | | Metasploit ms17_010_psexec | Alternative exploitation | | AutoBlue-MS17-010 | Standalone Python exploit | | CrackMapExec | Mass SMB vulnerability scanning | ## Detection Indicators - IDS/IPS signatures for EternalBlue exploit traffic - SMBv1 negotiation from unusual source hosts - Event ID 7045: New service installation after exploitation - Anomalous named pipe activity on SMB - Large SMB write requests characteristic of buffer overflow ## Validation Criteria - [ ] Vulnerable systems identified via scanning - [ ] Exploitation achieved on authorized target - [ ] Code execution confirmed with session established - [ ] Post-exploitation activities documented - [ ] Remediation recommendations provided