SMB


Nmap discovered a Windows Directory server on ports 139 and 445 of the BLUEPRINT (10.10.136.191) host.

┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ nmap --script smb-vuln* -sV -p139,445 $IP                                                  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 12:13 CEST
Nmap scan report for 10.10.136.191
Host is up (0.033s latency).
 
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: BLUEPRINT; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.73 seconds
 
 
┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 12:14 CEST
Nmap scan report for 10.10.136.191
Host is up (0.033s latency).
 
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: BLUEPRINT; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.136.191\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.136.191\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.136.191\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.136.191\Users: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|     Current user access: READ
|   \\10.10.136.191\Windows: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: <none>
|_    Current user access: READ
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.15 seconds

Share mapping failed, but guest access and share listing are granted. Access to the IPC$ share is granted, so user enumeration via RID cycling is possible.
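
For auditing the same condition across many hosts, the smb-enum-shares output can be parsed into per-share findings. The following is an added example, not part of the original notes; the function names are hypothetical and the sample is trimmed from the scan above. It reports every share that an anonymous or guest session can reach, which is the list to review when restricting guest logon and anonymous IPC$ access.

```python
import re

# Constructed sample: lines trimmed from the smb-enum-shares output above.
SAMPLE = r"""
|   account_used: guest
|   \\10.10.136.191\ADMIN$:
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.136.191\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ
|     Current user access: READ/WRITE
|   \\10.10.136.191\Users:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: READ
"""

SHARE_RE = re.compile(r"^\|[_ ]\s+\\\\(?P<host>[^\\]+)\\(?P<share>.+?):\s*$")
FIELD_RE = re.compile(r"^\|[_ ]\s+(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*?)\s*$")

def parse_shares(text):
    """Return (account_used, {share: {field: value}}) from script output."""
    account, shares, current = None, {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:  # a "\\host\share:" header starts a new share record
            current = shares.setdefault(m["share"], {"host": m["host"]})
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] == "account_used":
            account = m["val"]
        elif m and current is not None:
            current[m["key"]] = m["val"]
    return account, shares

def exposed(text):
    """Shares where the anonymous or guest session has any access."""
    account, shares = parse_shares(text)
    findings = []
    for name, f in shares.items():
        anon = f.get("Anonymous access", "<none>")
        user = f.get("Current user access", "<none>")
        if anon != "<none>" or (account == "guest" and user != "<none>"):
            findings.append((name, f.get("Type"), anon, user))
    return findings

if __name__ == "__main__":
    print(exposed(SAMPLE))
```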

Null Session


┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces 
SMB         10.10.136.191   445    BLUEPRINT        [*] Windows 7 / Server 2008 R2 Build 7601 x32 (name:BLUEPRINT) (domain:BLUEPRINT) (signing:False) (SMBv1:True)
SMB         10.10.136.191   445    BLUEPRINT        [+] BLUEPRINT\: 
SMB         10.10.136.191   445    BLUEPRINT        [-] Error enumerating shares: STATUS_ACCESS_DENIED
 
┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ nxc smb $IP -u 'blah' -p 'blah' --shares --interfaces 
SMB         10.10.136.191   445    BLUEPRINT        [*] Windows 7 / Server 2008 R2 Build 7601 x32 (name:BLUEPRINT) (domain:BLUEPRINT) (signing:False) (SMBv1:True)
SMB         10.10.136.191   445    BLUEPRINT        [+] BLUEPRINT\blah:blah (Guest)
SMB         10.10.136.191   445    BLUEPRINT        [*] Enumerated shares
SMB         10.10.136.191   445    BLUEPRINT        Share           Permissions     Remark
SMB         10.10.136.191   445    BLUEPRINT        -----           -----------     ------
SMB         10.10.136.191   445    BLUEPRINT        ADMIN$                          Remote Admin
SMB         10.10.136.191   445    BLUEPRINT        C$                              Default share
SMB         10.10.136.191   445    BLUEPRINT        IPC$                            Remote IPC
SMB         10.10.136.191   445    BLUEPRINT        Users           READ            
SMB         10.10.136.191   445    BLUEPRINT        Windows                         

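Confirmed: the null session authenticates but is denied share enumeration, while arbitrary credentials fall back to the Guest account, which can list the shares and has READ on Users.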

Users Share


┌──(kali㉿kali)-[~/archive/thm/blueprint]
└─$ impacket-smbclient blah@$IP                    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
Type help for list of commands
# ls
drw-rw-rw-          0  Fri Apr 12 00:36:40 2019 .
drw-rw-rw-          0  Fri Apr 12 00:36:40 2019 ..
drw-rw-rw-          0  Sun Jan 15 23:38:59 2017 Default
-rw-rw-rw-        174  Sun Jan 15 23:28:56 2017 desktop.ini
drw-rw-rw-          0  Sun Jan 15 23:38:59 2017 Public

The Users share seems to be mirroring the C:\Users directory.

# tree
/desktop.ini
/Default/AppData
/Default/Desktop
/Default/Documents
/Default/Downloads
/Default/Favorites
/Default/Links
/Default/Music
/Default/NTUSER.DAT
/Default/NTUSER.DAT.LOG
/Default/NTUSER.DAT.LOG1
/Default/NTUSER.DAT.LOG2
/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
/Default/NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
/Default/Pictures
/Default/Saved Games
/Default/Videos
/Public/desktop.ini
/Public/Documents
/Public/Downloads
/Public/Favorites
/Public/Libraries
/Public/Music
/Public/Pictures
/Public/Videos
/Default/AppData/Local
/Default/AppData/Roaming
/Public/Documents/desktop.ini
/Public/Downloads/desktop.ini
/Public/Libraries/desktop.ini
/Public/Libraries/RecordedTV.library-ms
/Public/Music/desktop.ini
/Public/Music/Sample Music
/Public/Pictures/desktop.ini
/Public/Pictures/Sample Pictures
/Public/Videos/desktop.ini
/Public/Videos/Sample Videos
/Default/AppData/Local/Microsoft
/Default/AppData/Local/Temp
/Default/AppData/Roaming/Microsoft
/Public/Music/Sample Music/desktop.ini
/Public/Music/Sample Music/Kalimba.mp3
/Public/Music/Sample Music/Maid with the Flaxen Hair.mp3
/Public/Music/Sample Music/Sleep Away.mp3
/Public/Pictures/Sample Pictures/Chrysanthemum.jpg
/Public/Pictures/Sample Pictures/Desert.jpg
/Public/Pictures/Sample Pictures/desktop.ini
/Public/Pictures/Sample Pictures/Hydrangeas.jpg
/Public/Pictures/Sample Pictures/Jellyfish.jpg
/Public/Pictures/Sample Pictures/Koala.jpg
/Public/Pictures/Sample Pictures/Lighthouse.jpg
/Public/Pictures/Sample Pictures/Penguins.jpg
/Public/Pictures/Sample Pictures/Tulips.jpg
/Public/Videos/Sample Videos/desktop.ini
/Public/Videos/Sample Videos/Wildlife.wmv
/Default/AppData/Local/Microsoft/Windows
/Default/AppData/Roaming/Microsoft/Internet Explorer
/Default/AppData/Roaming/Microsoft/Windows
/Default/AppData/Local/Microsoft/Windows/GameExplorer
/Default/AppData/Local/Microsoft/Windows/History
/Default/AppData/Local/Microsoft/Windows/Temporary Internet Files
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/desktop.ini
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Shows Desktop.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Window Switcher.lnk
Finished - 67 files and folders

Nothing notable.