PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Microsoft DNS 6.0.6001 (17714650) (Windows Server 2008 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.0.6001 (17714650)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Service
| ssl-cert: Subject: commonName=internal
| Issuer: commonName=internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-01-05T19:52:51
| Not valid after: 2025-07-07T19:52:51
| MD5: 7c2b:85a9:1fe2:c264:4be8:ed3e:e16b:274a
| SHA-1: 05e9:c5e9:7ac6:242e:0a18:ca56:e1b5:1c38:31db:d393
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQFHV8TrpYYLdKV58423mJ8zANBgkqhkiG9w0BAQUFADAT
| MREwDwYDVQQDEwhpbnRlcm5hbDAeFw0yNTAxMDUxOTUyNTFaFw0yNTA3MDcxOTUy
| NTFaMBMxETAPBgNVBAMTCGludGVybmFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAsuNdIa0z31V1iHCg2TtuOK+FoyVu3aXcVxL/Q8jUvhOtpe0fWn9j
| qpT+smMeA0XpJfeS917Tpy5t5gqyqUCAXPOwoeGnZu1IrvxwcMlpMImPGXeMZ+0q
| Cb/3LdlwA7WEUaZtAxpMHBx7UNbcEnj38BsrWY6zr/K7TDlFgsrsITDDuyddIjNz
| 2VU8gFBPPwzHZGMGsMgo2v3mCZnA6Xkp8tmwGq137fxrwbvzC3vNdt1/m5icsyYD
| hMglYmztE9vp0rwKB0CB5K+mwc9U7isWsRbORWutqkBbp4XI08RbSklP3A6XPUNu
| eUb1rIMV4ZbTbRTOKOGa12X7isXq6cVzOwIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAE0duqOsApBP
| OvE8znZxfUgAF5f+WR+GsAPYwhV0c6GWv7PnghnTAFfoBy+8Gy1PeyrAwfL2PQqT
| AHIBgpfbkEWwA/idfGpTJNDF2n8uZ3W8hOBU7elqRAHtvj749IqnMz15n5WwsGvW
| A6hsOIoEKyluekiV9kOosMjKG9jtB+iwOe88L5EqHrEfPeml2mpvhH6VhvJZnXlJ
| 1l0/GDRRXslgyBir672iqHy25PNqJQYlEMSooxZCwKUpo345E4J6BIxeayvNeLca
| W+SKB84s3A/9pXnPEXLD7IT6I4ln9ZQeYXHK0n3U2LcSCt8JtEr1vfi4LMSboxxi
| lRXQzPUUSW8=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-30T10:04:47+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: INTERNAL
| NetBIOS_Domain_Name: INTERNAL
| NetBIOS_Computer_Name: INTERNAL
| DNS_Domain_Name: internal
| DNS_Computer_Name: internal
| Product_Version: 6.0.6001
|_ System_Time: 2025-09-30T10:04:39+00:00
5357/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: INTERNAL; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008::sp1, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26934/tcp): CLEAN (Couldn't connect)
| Check 2 (port 49283/tcp): CLEAN (Couldn't connect)
| Check 3 (port 16981/udp): CLEAN (Timeout)
| Check 4 (port 47684/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: internal
| NetBIOS computer name: INTERNAL\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-09-30T03:04:39-07:00
| smb2-security-mode:
| 2:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-09-30T10:04:39
|_ start_date: 2025-02-20T21:30:47
| nbstat: NetBIOS name: INTERNAL, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:93:68 (VMware)
| Names:
| INTERNAL<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| INTERNAL<20> Flags: <unique><active>
| Statistics:
| 00:50:56:ab:93:68:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:04
Completed NSE at 06:04, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.38 seconds
Raw packets sent: 17 (724B) | Rcvd: 14 (600B)
smbmap
但沒有爆出東西首先找找看 WSDAPI 的漏洞,發現有 MS09-050 的漏洞
應該可以嘗試,但 exploit db 的 code 是 python2 的
所以只能用 msfconsole 來用 (我不會改 code w)
就這樣成功取得 system ㄌ