Enumeration With Nmap
nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Sun Nov 28 22:30:45 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 192.168.95.45 Increasing send delay for 192.168.95.45 from 0 to 5 due to 65 out of 216 dropped probes since last increase. Warning: 192.168.95.45 giving up on port because retransmission cap hit (10). Increasing send delay for 192.168.95.45 from 640 to 1000 due to 467 out of 1555 dropped probes since last increase. Nmap scan report for 192.168.95.45 Host is up (0.23s latency). Not shown: 41649 closed ports, 23876 filtered ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 3573/tcp open tag-ups-1 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown Read data files from: /usr/bin/../share/nmap # Nmap done at Sun Nov 28 22:32:12 2021 -- 1 IP address (1 host up) scanned in 87.23 seconds
Too much ports ahhh which is cool i guess now let run some default nmap scripts and service detection on the ports.
nmap -sC -sV -oA nmap/normal -p 80,135,139,445,3389,3573,49152,49153,49154,49155 192.168.95.45
# Nmap 7.91 scan initiated Sun Nov 28 22:33:31 2021 as: nmap -sC -sV -oA nmap/normal -p 80,135,139,445,3389,3573,49152,49153,49154,49155 192.168.95.45 Nmap scan report for 192.168.95.45 Host is up (0.41s latency). PORT STATE SERVICE VERSION 80/tcp open http GoAhead WebServer | http-title: HP Power Manager |_Requested resource was http://192.168.95.45/index.asp 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open ssl/ms-wbt-server? | ssl-cert: Subject: commonName=kevin | Not valid before: 2021-11-28T00:29:02 |_Not valid after: 2022-05-30T00:29:02 |_ssl-date: 2021-11-29T00:34:46+00:00; +2h59m55s from scanner time. 3573/tcp open tag-ups-1? 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 4h59m55s, deviation: 4h00m00s, median: 2h59m54s |_nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:bf:8b:72 (VMware) | smb-os-discovery: | OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1) | OS CPE: cpe:/o:microsoft:windows_7::- | Computer name: kevin | NetBIOS computer name: KEVIN\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2021-11-28T16:34:33-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-11-29T00:34:33 |_ start_date: 2021-11-29T00:29:57 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Nov 28 22:34:51 2021 -- 1 IP address (1 host up) scanned in 80.04 seconds
Some pretty cool services running let check what we have on SMB first.
┌──(muzec㉿Muzec-Security)-[~/Documents/PG/PG Practice/kevin] └─$ smbclient -L //192.168.127.45/ -N 1 ⨯ Anonymous login successful Sharename Type Comment --------- ---- ------- SMB1 disabled -- no workgroup available ┌──(muzec㉿Muzec-Security)-[~/Documents/PG/PG Practice/kevin]
Hmmmm we have no share let hit port 80 now which is HTTP.
HP Power Manager with a login page let try some default credentials maybe we can get access.
Using admin/admin and we are in cool let check which version the HP Power Manager is running.
Boom we have it let hit google to see if we have an exploit on it.
Boom exploit downloaded let run it and see.
we are system and done.
Greeting From Muzec