Modded NSA Exploits Work on All Microsoft Operating Systems Since Windows 2000

Another Day and another leak – Yes we are still seen waves coming from the NSA exploit leakage last year – Am I worried, hell no because the good thing is that the holes getting detected and we can fix it! So the good thing is that people getting a higher attention because the word ‘NSA’ in it and might reading the article which is exactly why I wrote it, to make people aware of the current situation.

src.adapt.960.high.NSA LEAKS Web Banner 960x252.1401378826716

A security researcher has made three leaked NSA exploits work on all versions of Windows since Windows 2000 up to the latest Windows 10 versions. These exploits were leaked last year by The Shadow Brokers. This is the same group that had leaked the notorious EternalBlue exploit that was used to power the biggest online ransomware campaign this industry has seen so far. The three exploits in question now include EternalChampion, EternalRomance, and EternalSynergy, all of which were leaked by TSB in April, last year. One security researcher has now worked on the source code to make all of these run on all Windows versions released in the last two decades for “the purposes of academic research and for the development of effective defensive techniques”.

Source Code and Protection

The source code is available on GitHub, and from my tests Windows Defender is already aware of it and blocks the attack via it’s network scanning module as long as you set UAC to high and enable SmartScreen protection the additional payload can’t be loaded or executed.

Ensure it’s turned off – Windows 1709 and later using SMB v2 by default.
  • TCP: 445
  • UDP: 137, 138 & TCP ports 137, 139 (NetBIOS over TCP/IP)
  • On several legacy protocols such as NBF, IPX/SPX.

Disabling Windows Script Host

This will stop the payload from been loaded/executed. The original article can be found here.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled

In the right panel, you will see Enabled. If you see the entry 0, it means that the Windows Script Host access is disabled on your Windows machine.

Double Click on it and give it Value Data 1 to enable it.

  • A value of 1 will enable Windows Script Host
  • A value of 0 will disable Windows Script Host.

Click on OK and exit the Registry. If you don’t see this entry, then you may need to create it, as it does not exist by default in Windows.


The exploit is dangerous and can be abused, I’m sure right as I wrote this article here, someone tried to abuse it for evil reasons but as long your NAT and Windows own mechanism are set to the highest settings you should be secure, sadly these days there less pages which really showing you what you should do to avoid such things, blocking the SMB protocol with the windows own firewall still seems for most people enough unless you really work with SMB. But you might should consider to switch to more secure alternatives.

3 replies on “Modded NSA Exploits Work on All Microsoft Operating Systems Since Windows 2000”

There no tips except blocking the ports itself, but I added a picture and the ports into the articles – thanks.

MS is already aware if it, I assume that we get a patch within the next 3 months.

Theoretically you could disable Windows script engine to avoid that the payload gets loaded but you might use powershell, batch and co.


Thanks then i’m fine.
I already block Windows Scripting, Powershell and block starting batchfiles.
And Whitelist in use too!


Comments are closed.