This vulnerability is present in all unpatched Windows NT based versions: Windows 2000, Windows Server
R2 and Windows 7. Microsoft released a patch for it on 13th August 2019 (it was found on 14th
May 2019). Related BlueKeep vulnerabilities, named "Dejakeep", also affect Windows 7
and newer Windows 10 versions.
The BlueKeep vulnerability was reported by the UK national cyber security team on 14th May 2019.
Kevin Beaumont named this vulnerability #bluekeep on his Twitter page (reference:
https://twitter.com/GossiTheDog/status/1128431661266415616), where you can track it officially.
Microsoft says that attackers can use this vulnerability to actively propagate worms,
similar to EternalBlue and WannaCry. Microsoft estimates that nearly 1 million devices are
vulnerable to it.
Technically, the RDP protocol uses "virtual channels", configured pre-authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 "static" virtual channels, and "dynamic" virtual channels are carried within one of these static channels. If a server binds the virtual channel "MS_T120" (a channel that a client has no legitimate reason to connect to) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the SYSTEM level.
Microsoft released patches for the vulnerability on 13th August 2019.
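Because the channel list is sent by the client before any authentication, a defender can inspect it directly. The following is an added example, not code from the original post or from Metasploit: a Python parser for the client user-data blocks (TS_UD_CS_*, MS-RDPBCGR section 2.2.1.3) that lists the static virtual channels a client asks for and flags MS_T120, which a legitimate client never requests. It assumes the X.224/MCS/GCC wrapping around these blocks has already been stripped (as a capture tool or RDP proxy would do), and the sample blocks are constructed by hand from the documented layout.

```python
"""
Added example (not from the original post or from Metasploit): parse the
client user-data blocks (TS_UD_CS_*, MS-RDPBCGR 2.2.1.3) carried in the GCC
Conference Create Request and flag a client that requests the internal
MS_T120 channel. Assumes the X.224/MCS/GCC wrapping has already been
stripped; the sample blocks below are constructed by hand.
"""
import struct

# TS_UD_HEADER type values for the client-to-server blocks (MS-RDPBCGR 2.2.1.3.1)
CS_CORE = 0xC001
CS_SECURITY = 0xC002
CS_NET = 0xC003
CS_CLUSTER = 0xC004

# Channel names that a legitimate client never asks for.
INTERNAL_CHANNELS = {"MS_T120"}
MAX_STATIC_CHANNELS = 31  # channelCount limit in TS_UD_CS_NET


def parse_user_data_blocks(data: bytes):
    """Split a run of TS_UD_HEADER-prefixed blocks into (type, payload) pairs."""
    blocks = []
    off = 0
    while off + 4 <= len(data):
        # The 16-bit length covers the 4-byte header as well as the body.
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"malformed block at offset {off}: length {blen}")
        blocks.append((btype, data[off + 4:off + blen]))
        off += blen
    if off != len(data):
        raise ValueError("trailing bytes after the last user-data block")
    return blocks


def parse_cs_net(payload: bytes):
    """Return [(name, options), ...] from a TS_UD_CS_NET payload (header removed).

    Layout: channelCount (UINT32 LE) followed by channelCount CHANNEL_DEF
    entries, each an 8-byte null-padded ANSI name plus a UINT32 options field.
    """
    if len(payload) < 4:
        raise ValueError("CS_NET payload too short for channelCount")
    (count,) = struct.unpack_from("<I", payload, 0)
    if count > MAX_STATIC_CHANNELS:
        raise ValueError(f"channelCount {count} exceeds the protocol maximum of {MAX_STATIC_CHANNELS}")
    if len(payload) < 4 + 12 * count:
        raise ValueError("CS_NET payload shorter than channelCount implies")
    channels = []
    for i in range(count):
        base = 4 + 12 * i
        raw_name = payload[base:base + 8]
        (options,) = struct.unpack_from("<I", payload, base + 8)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        channels.append((name, options))
    return channels


def requested_channels(data: bytes):
    """All static virtual channels the client asks for, across every CS_NET block."""
    channels = []
    for btype, payload in parse_user_data_blocks(data):
        if btype == CS_NET:
            channels.extend(parse_cs_net(payload))
    return channels


def suspicious_channels(data: bytes):
    """Requested channel names a client should never send (matched case-insensitively)."""
    return [name for name, _ in requested_channels(data) if name.upper() in INTERNAL_CHANNELS]


def build_block(btype: int, body: bytes) -> bytes:
    """Test helper: wrap a body in a TS_UD_HEADER."""
    return struct.pack("<HH", btype, 4 + len(body)) + body


def build_cs_net(names) -> bytes:
    """Test helper: encode a CS_NET block for the given channel names with options = 0."""
    body = struct.pack("<I", len(names))
    for name in names:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
    return build_block(CS_NET, body)


# Constructed samples: a CS_SECURITY block (encryptionMethods, extEncryptionMethods)
# followed by the channel list. BENIGN asks for clipboard and drive redirection
# only; SUSPECT additionally asks for MS_T120.
SECURITY_BLOCK = build_block(CS_SECURITY, struct.pack("<II", 0x1B, 0))
BENIGN = SECURITY_BLOCK + build_cs_net(["cliprdr", "rdpdr"])
SUSPECT = SECURITY_BLOCK + build_cs_net(["cliprdr", "MS_T120", "rdpdr"])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        names = [name for name, _ in requested_channels(blob)]
        print(f"{label}: requested={names} flagged={suspicious_channels(blob)}")
```

The name match is deliberately case-insensitive and every length field is bounds-checked before use, so a malformed or oversized block raises instead of being silently skipped; a hit on MS_T120 from a client is worth an alert on its own, since nothing a normal client does requires that channel.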
How to test?
Launch msfconsole in Kali Linux.
Search for BlueKeep related modules in Metasploit with the search command.
We get one auxiliary scanner that checks whether a system is vulnerable or already infected.
Load that module into the console with the command use 0. Once it is loaded, its name appears in red.
Enter show options to see the available options.
Set the rhost (target) option to the target address, which is 192.168.1.26 in my case; in your case it may be different.
It will identify whether the target system is vulnerable.
Sai Teja B
IT security consultant – Trainer
Triad square infosec pvt ltd