Scanning and Enumeration

Scanning

kali@kali:~/HTB/Legacy$ nmap -Pn -p139,445,3389 -sC -sV 10.10.10.4
Nmap scan report for 10.10.10.4
Host is up (0.078s latency).

PORT     STATE  SERVICE       VERSION
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -3h52m38s, deviation: 1h24m50s, median: -4h52m38s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:c2:72 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2020-11-18T00:33:39+02:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Enumeration

SMB port 139,445

• It appears that our point of Entry is going to be SMB. SMB has had known vulnerabilities in the past, let's check if there are any vulnerabilities using NMAP

nmap -Pn -script smb-vuln* -p 139,445 10.10.10.4

After running the nmap scan, the results show us that the box is vulnerable to

• CVE-2009-3103

• CVE-2017-0143

• CVE-2008-4250 (likley)