10.10.10.4 - Legacy - WindowsXP samba

Summary:
      vulnerable software : 445 WindowsXP samba
      system vulnerable : 10.10.10.4
      vulnerability explanation : EternalBlue Samba Exploit
      privilege escalation: none, service running with administrative privileges 
      severity : critical
Enumeration:
1
[+] Running UDP and TCP port scan
2
​
3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-09 23:09 GMT
4
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
5
NSE Timing: About 0.00% done
6
Stats: 0:02:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
7
NSE Timing: About 98.23% done; ETC: 23:11 (0:00:02 remaining)
8
Stats: 0:02:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
9
NSE Timing: About 98.23% done; ETC: 23:12 (0:00:02 remaining)
10
Nmap scan report for 10.10.10.4
11
Host is up (0.15s latency).
12
​
13
PORT    STATE SERVICE      VERSION
14
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
15
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
16
137/udp open  netbios-ns   Microsoft Windows netbios-ns (workgroup: HTB)
17
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
18
Device type: general purpose
19
Running (JUST GUESSING): Microsoft Windows XP|2003|2000 (88%)
20
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003 cpe:/o:microsoft:windows_2000::sp4
21
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Small Business Server 2003 (88%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (87%), Microsoft Windows XP SP2 (86%), Microsoft Windows XP SP2 or SP3 (85%)
22
No exact OS matches for host (test conditions non-ideal).
23
Service Info: Host: LEGACY; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
24
​
Copied!
Also nmap --script=vuln detected several vulnerabilities in the Windows XP samba service:
This type of Nmap scan resulted in a denial of service on SMB port. In future it is always a good idea to probe the service manually before running this script against WindowsXP samba service.
Since port 445 and 139 is opened we can safely assume that a remote host is running Samba share service. Next step is to enumerate the content of these shares if possible or more importantly check is we have read or write access to them:
No shares found or access denied
Confirmation with smbmap:
Even though we have not found direct access to the shares, manual probing revealed named pipes and patching information:
Metasploit exploitation on MS17-010:
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe. - Metasploit Information
Metasploit Exploitation of MS08-067
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

10.10.10.3 - Lame - DistCC, SMB, SSH Reuse

10.10.10.5 - Devel - Windows 7

Last modified 3yr ago

Copy link