- Legacy - Windows XP SMB (MS17-010 / MS08-067)

WannaCry's main ingredient: the SMBv1 flaws patched in MS17-010.

Summary:
vulnerable software: Microsoft SMB (CIFS) server on Windows XP, TCP 445 (and 139). Note that this is Microsoft's own SMB implementation, not Samba.
system vulnerable: Windows XP, host LEGACY
vulnerability explanation: MS17-010, remote code execution in SMBv1 (the EternalBlue / EternalRomance / EternalChampion / EternalSynergy family); the host is also vulnerable to MS08-067 (Server Service NetAPI32 path canonicalization)
privilege escalation: none needed, the SMB Server service runs as NT AUTHORITY\SYSTEM
severity: critical


[+] Running UDP and TCP port scan
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-09 23:09 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:02:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.23% done; ETC: 23:11 (0:00:02 remaining)
Stats: 0:02:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.23% done; ETC: 23:12 (0:00:02 remaining)
Nmap scan report for
Host is up (0.15s latency).
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
137/udp open netbios-ns Microsoft Windows netbios-ns (workgroup: HTB)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (88%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (88%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (87%), Microsoft Windows XP SP2 (86%), Microsoft Windows XP SP2 or SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: LEGACY; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

nmap --script=vuln also reported several vulnerabilities in the Windows XP SMB service:

Running the whole vuln script category against this box crashed the SMB service (denial of service on port 445): several of the smb-vuln-* scripts are intrusive checks that can hang or crash the Server service on Windows XP. In future it is always a good idea to probe the service manually first, and to run only the specific non-intrusive check that is needed (for example nmap -p445 --script smb-vuln-ms17-010, which is in the safe category) rather than the entire vuln category against a Windows XP SMB service.

Since ports 445 and 139 are open, the remote host is running the Windows SMB (CIFS) file-sharing service. The next step is to enumerate the shares, if possible, and more importantly to check whether we have read or write access to them:

No shares found or access denied

Confirmation with smbmap:

Even though we found no direct access to the shares, manual probing of the SMB service revealed accessible named pipes (which the MS17-010 psexec chain below requires) and patch-level information:
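As an added example for the two probing notes above (the crash caused by the vuln script category, and the manual named-pipe probe), not code from this writeup, from Nmap or from Metasploit: the decision logic behind the non-intrusive MS17-010 check. nmap's smb-vuln-ms17-010 and Metasploit's auxiliary/scanner/smb/smb_ms17_010 connect to the IPC$ tree, send a PeekNamedPipe transaction against FID 0 and look only at the NT status of the reply: an unpatched SMBv1 server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one STATUS_ACCESS_DENIED or STATUS_INVALID_HANDLE, and nothing in the exchange can crash the Server service. The code parses the raw NetBIOS/SMB1 reply header and classifies it; the sample replies are constructed inline (assumed values, not captured traffic) so it runs offline, and the network exchange itself is not included.

```python
"""Classify the reply to the MS17-010 PeekNamedPipe probe from its SMB1 header.

Added example for this writeup; not code from the page, from Nmap or from
Metasploit. The sample replies are constructed by hand so it runs offline.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25            # the probe is an SMB_COM_TRANSACTION (PeekNamedPipe)
SMB_FLAGS_REPLY = 0x80                # Flags bit: this message is a server reply
SMB_FLAGS2_NT_STATUS = 0x4000         # Flags2 bit: the Status field holds an NTSTATUS

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched host
STATUS_ACCESS_DENIED = 0xC0000022             # patched host
STATUS_INVALID_HANDLE = 0xC0000008            # patched host

# Fixed 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
# signature, reserved, tid, pid_low, uid, mid (all little-endian).
SMB1_HEADER = "<4sBIBHH8sHHHHH"


def parse_smb1_header(packet: bytes) -> dict:
    """Return the SMB1 header fields, raising ValueError on malformed input."""
    if len(packet) < 4 + 32:
        raise ValueError("short packet (%d bytes)" % len(packet))
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message (type 0x%02x)" % packet[0])
    nb_len = int.from_bytes(packet[1:4], "big")     # 3-byte big-endian length
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length %d does not match payload %d" % (nb_len, len(packet) - 4))
    smb = packet[4:36]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("bad SMB1 magic %r" % smb[:4])
    (_magic, command, status, flags, flags2, _pid_high, _sig,
     _reserved, tid, _pid_low, uid, mid) = struct.unpack(SMB1_HEADER, smb)
    hdr = {
        "command": command, "flags": flags, "flags2": flags2,
        "tid": tid, "uid": uid, "mid": mid,
        "is_reply": bool(flags & SMB_FLAGS_REPLY),
        "nt_status": bool(flags2 & SMB_FLAGS2_NT_STATUS),
    }
    if hdr["nt_status"]:
        hdr["status"] = status
    else:
        # Without the NT_STATUS bit the same 4 bytes are a DOS error:
        # ErrorClass (1), reserved (1), ErrorCode (2, little-endian).
        hdr["error_class"] = status & 0xFF
        hdr["error_code"] = (status >> 16) & 0xFFFF
    return hdr


def classify_ms17_010_response(packet: bytes) -> str:
    """VULNERABLE, PATCHED or UNKNOWN for one reply to the PeekNamedPipe probe."""
    try:
        hdr = parse_smb1_header(packet)
    except ValueError:
        return "UNKNOWN"
    if not hdr["is_reply"] or hdr["command"] != SMB_COM_TRANSACTION:
        return "UNKNOWN"
    if not hdr["nt_status"]:
        return "UNKNOWN"          # DOS-style error code, the probe cannot be judged
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if hdr["status"] in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
        return "PATCHED"
    return "UNKNOWN"


def build_smb1_reply(command: int, status: int, nt_status: bool = True,
                     tid: int = 0x0800, uid: int = 0x0800, mid: int = 0x40) -> bytes:
    """Construct a minimal SMB1 error reply (WordCount 0, ByteCount 0) for testing."""
    flags2 = 0x8001 | (SMB_FLAGS2_NT_STATUS if nt_status else 0)   # unicode + long names
    smb = struct.pack(SMB1_HEADER, SMB1_MAGIC, command, status, SMB_FLAGS_REPLY | 0x18,
                      flags2, 0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)
    smb += b"\x00" + b"\x00\x00"                    # WordCount = 0, ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample replies (assumed values, not captured traffic).
VULNERABLE_REPLY = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES)
PATCHED_REPLY = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED)
# DOS-style error ERRSRV (class 2) / ERRerror (code 1), packed as class | code << 16.
DOS_ERROR_REPLY = build_smb1_reply(SMB_COM_TRANSACTION, 0x02 | (0x01 << 16), nt_status=False)
TRUNCATED_REPLY = VULNERABLE_REPLY[:20]

if __name__ == "__main__":
    for name, pkt in [("vulnerable", VULNERABLE_REPLY), ("patched", PATCHED_REPLY),
                      ("dos-error", DOS_ERROR_REPLY), ("truncated", TRUNCATED_REPLY)]:
        print("%-10s -> %s" % (name, classify_ms17_010_response(pkt)))
```

The point of the separate UNKNOWN branches is that a probe result is only trustworthy when the reply is a transaction reply carrying an NT status; a DOS-style error, a truncated read or a reply to some other command says nothing about the patch level and should lead to a manual look rather than a verdict.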

Metasploit exploitation of MS17-010 (exploit/windows/smb/ms17_010_psexec):

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe. (Metasploit module description)

Metasploit exploitation of MS08-067 (exploit/windows/smb/ms08_067_netapi):

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development. (Metasploit module description)