Skip to main content

Internal

Enumeration

  • Found open ports after nmap scan but 137 is interesting port
# Nmap 7.98 scan initiated Sat Mar 28 07:26:30 2026 as: /usr/lib/nmap/nmap --privileged -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/kali/ctf/pvg/internal/results/192.168.164.40/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/kali/ctf/pvg/internal/results/192.168.164.40/scans/tcp139/xml/tcp_139_smb_nmap.xml 192.168.164.40
Nmap scan report for 192.168.164.40
Host is up, received user-set (0.23s latency).
Scanned at 2026-03-28 07:26:31 UTC for 253s

PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb2-capabilities:
| 2.0.2:
|_ Distributed File System
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:ae:a5 (VMware)
| Names:
| INTERNAL<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| INTERNAL<20> Flags: <unique><active>
| Statistics:
| 00 50 56 ab ae a5 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_smb-print-text: false
| smb2-time:
| date: 2026-03-28T07:26:39
|_ start_date: 2025-02-20T21:30:47
| smb2-security-mode:
| 2.0.2:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
|_ 2.0.2
| smb-os-discovery:
| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: internal
| NetBIOS computer name: INTERNAL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-03-28T00:26:39-07:00
| smb-enum-shares:
| note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
| account_used: <blank>
| \\192.168.164.40\ADMIN$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\192.168.164.40\C$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\192.168.164.40\IPC$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: READ
| \\192.168.164.40\PUBLIC:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_ Anonymous access: <none>
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| smb-mbenum:
|_ ERROR: Call to Browser Service failed with status = 2184

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 07:30:44 2026 -- 1 IP address (1 host up) scanned in 254.36 seconds
  • Found out it is vulnerable to EternalBlue
Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)

Exploitation