SMB
Nmap discovered Windows SMB services on the target: netbios-ssn on port 139 and microsoft-ds on port 445.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/internal_offsec]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-07 20:44 CET
Nmap scan report for 192.168.136.40
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
| smb-enum-shares:
| note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
| account_used: <blank>
| \\192.168.136.40\ADMIN$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\192.168.136.40\C$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: <none>
| \\192.168.136.40\IPC$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: READ
| \\192.168.136.40\PUBLIC:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_ Anonymous access: <none>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.95 seconds
Share enumeration failed (NT_STATUS_ACCESS_DENIED), but the null session is accepted and IPC$ allows anonymous READ, so anonymous access appears partially allowed.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/internal_offsec]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.136.40 445 INTERNAL [*] Windows Server (R) 2008 Standard 6001 Service Pack 1 x32 (name:INTERNAL) (domain:internal) (signing:False) (SMBv1:True)
SMB 192.168.136.40 445 INTERNAL [+] internal\:
SMB 192.168.136.40 445 INTERNAL [-] Error enumerating shares: STATUS_ACCESS_DENIED
N/A
The host system is Windows Server 2008 R2; nxc also reports SMBv1 enabled and SMB signing not required (signing:False).
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/internal_offsec]
└─$ nmap --script smb-vuln* -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-07 21:01 CET
Nmap scan report for INTERNAL (192.168.136.40)
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.69 seconds
The host is reported vulnerable to CVE-2009-3103 (MS09-050).
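To turn the two scans above into a findings list without re-reading the NSE tree output, here is an added Python parser (not from the original notes) that reads Nmap's smb-enum-shares and smb-vuln* output and reports anonymously readable shares and scripts that returned VULNERABLE; the SAMPLE text is constructed from the output shown above.

```python
import re
# Constructed sample, condensed from the smb-enum-shares and smb-vuln* output above
SAMPLE = r"""| smb-enum-shares:
|   \\192.168.136.40\ADMIN$:
|     Anonymous access: <none>
|   \\192.168.136.40\IPC$:
|     Anonymous access: READ
|   \\192.168.136.40\PUBLIC:
|_    Anonymous access: <none>
| smb-vuln-cve2009-3103:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
"""

def parse_shares(text):
    """Map share name -> anonymous access level (None when '<none>')."""
    shares, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
        m = re.match(r"\\\\[^\\]+\\([^:]+):$", body)  # \\host\SHARE:
        if m:
            current = m.group(1)
            shares[current] = None
            continue
        m = re.match(r"Anonymous access:\s*(\S+)", body)
        if m and current:
            shares[current] = None if m.group(1) == "<none>" else m.group(1)
    return shares

def parse_vulns(text):
    """Map smb-vuln-* script name -> 'VULNERABLE', 'not vulnerable' or the error text."""
    results, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        m = re.match(r"(smb-vuln-[\w-]+):\s*(.*)$", body)
        if m:
            current, rest = m.groups()
            results[current] = {"false": "not vulnerable"}.get(rest, rest or "unknown")
            continue
        if current and body.startswith("State:"):  # multi-line VULNERABLE block
            results[current] = body.split(":", 1)[1].strip()
    return results

def triage(text):
    """Findings to act on: shares readable anonymously and scripts reporting VULNERABLE."""
    anon = {s: a for s, a in parse_shares(text).items() if a}
    vulns = sorted(n for n, st in parse_vulns(text).items() if st == "VULNERABLE")
    return {"anonymous_shares": anon, "vulnerable": vulns}
```

Scripts that errored out (here ms10-061, which could not negotiate a connection) are kept with their error text rather than being reported as clean, so they can be re-run instead of silently dropped.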