Nmap Scanning
$ nmap -A -T4 -vvv 10.10.101.14
Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-05-21 02:08 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:08
Completed NSE at 02:08, 0.00s elapsed
Initiating Ping Scan at 02:08
Scanning 10.10.101.14 [2 ports]
Completed Ping Scan at 02:08, 1.95s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 0.04s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:08
Scanning 10.10.101.14 [1000 ports]
Discovered open port 139/tcp on 10.10.101.14
Discovered open port 3389/tcp on 10.10.101.14
Discovered open port 445/tcp on 10.10.101.14
Discovered open port 135/tcp on 10.10.101.14
Increasing send delay for 10.10.101.14 from 0 to 5 due to 81 out of 201 dropped probes since last increase.
Increasing send delay for 10.10.101.14 from 5 to 10 due to 11 out of 12 dropped probes since last increase.
Discovered open port 49152/tcp on 10.10.101.14
Discovered open port 49158/tcp on 10.10.101.14
Discovered open port 49159/tcp on 10.10.101.14
Discovered open port 49153/tcp on 10.10.101.14
Discovered open port 49154/tcp on 10.10.101.14
Completed Connect Scan at 02:09, 44.66s elapsed (1000 total ports)
Initiating Service scan at 02:09
Scanning 9 services on 10.10.101.14
Service scan Timing: About 44.44% done; ETC: 02:11 (0:01:16 remaining)
Completed Service scan at 02:11, 132.75s elapsed (9 services on 1 host)
NSE: Script scanning 10.10.101.14.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 13.62s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 1.48s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Nmap scan report for 10.10.101.14
Host is up, received conn-refused (0.42s latency).
Scanned at 2023-05-21 02:08:15 EDT for 192s
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
280/tcp filtered http-mgmt no-response
445/tcp open microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server? syn-ack
|_ssl-date: 2023-05-21T06:11:28+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-05-20T06:03:11
| Not valid after: 2023-11-19T06:03:11
| MD5: 38f4b98ba9bcc7dc7f1275bf1fe90966
|_SHA-1: 340b18eba9a498d4f094062df8749af278f79344
| rdp-ntlm-info:
| Target_Name: JON-PC
| NetBIOS_Domain_Name: JON-PC
| NetBIOS_Computer_Name: JON-PC
| DNS_Domain_Name: Jon-PC
| DNS_Computer_Name: Jon-PC
| Product_Version: 6.1.7601
|_ System_Time: 2023-05-21T06:11:16+00:00
3826/tcp filtered wormux no-response
19350/tcp filtered unknown no-response
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49159/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-05-21T06:11:15
|_ start_date: 2023-05-21T06:03:09
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h00m01s, deviation: 2h14m10s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 021a7b7d5371 (unknown)
| Names:
| JON-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| JON-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \\x01\\x02__MSBROWSE__\\x02<01> Flags: <group><active>
| Statistics:
| 021a7b7d53710000000000000000000000
| 0000000000000000000000000000000000
|_ 0000000000000000000000000000
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\\x00
| Workgroup: WORKGROUP\\x00
|_ System time: 2023-05-21T01:11:15-05:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30358/tcp): CLEAN (Couldn't connect)
| Check 2 (port 11124/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20306/udp): CLEAN (Failed to receive data)
| Check 4 (port 63881/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:11
Completed NSE at 02:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 195.01 seconds
- From the Nmap scan, we identified the OS as Windows 7 Professional 7601 Service Pack 1.
- Also scanned using Metasploit.
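As an added example (not part of the original writeup), a small Python parser for Nmap's normal-output format that pulls the open ports and the SMB host-script facts out of a scan like the one above and turns them into defender-side findings. The sample text is a constructed, trimmed copy of the scan output with Nmap's indentation restored, and the finding strings are my own wording.

```python
import re

# Constructed excerpt of the Nmap output above, trimmed to the lines this parser uses.
SAMPLE_SCAN = """\
135/tcp   open     msrpc              syn-ack  Microsoft Windows RPC
280/tcp   filtered http-mgmt          no-response
445/tcp   open     microsoft-ds       syn-ack  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open     ssl/ms-wbt-server? syn-ack
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|_  OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\| ([a-z0-9-]+):$")  # top-level NSE script name line

def parse_scan(text):
    """Return ({port: (service, version)} for open ports, {fact: value}) from Nmap normal output."""
    ports, facts, section = {}, {}, ""
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service, _reason, version = m.groups()
            if state == "open":                    # filtered/closed rows are dropped
                ports[int(port)] = (service, version.strip())
            continue
        s = SCRIPT_RE.match(line)
        if s:
            section = s.group(1)                   # remember which script owns the next lines
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ")
            key, sep, value = body.partition(":")
            if sep and value.strip():              # "key: value" line
                facts[key.strip()] = value.strip()
            elif not sep and body:                 # bare verdict line, e.g. SMB2 signing result
                facts[section] = body.strip()
    return ports, facts

CHECKS = [  # (predicate over (ports, facts), defender-facing finding)
    (lambda p, f: f.get("message_signing", "").startswith("disabled"), "SMB1 signing disabled: enforce signing via Group Policy"),
    (lambda p, f: "not required" in f.get("smb2-security-mode", ""), "SMB2 signing not required: require it on the server"),
    (lambda p, f: "Windows 7" in f.get("OS", ""), "End-of-life OS (Windows 7) reachable: isolate or decommission"),
    (lambda p, f: 445 in p, "TCP/445 exposed to the scanner's network: restrict at the firewall"),
]
def assess(ports, facts):
    return [msg for pred, msg in CHECKS if pred(ports, facts)]
```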

Exploitation




$ sudo john --format=nt hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
