C:\Program Files (x86)\Nmap>nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse SYSTEM01
Winpcap present, dynamic linked to: Npcap version 0.78 r5, based on libpcap version 1.8.1

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 15:05 US Mountain Standard Time
--------------- Timing report ---------------
  hostgroups: min 1, max 3
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:05
Completed NSE at 15:05, 0.00s elapsed
Initiating Ping Scan at 15:05
Scanning SYSTEM01 (xx.xx.xx.xx) [4 ports]
Packet capture filter (device eth0): dst host xx.xx.xx.xx and (icmp or icmp6 or ((tcp or udp or sctp) and (src host xx.xx.xx.xx)))
We got a ping packet back from xx.xx.xx.xx: id = 64377 seq = 0 checksum = 64869
Completed Ping Scan at 15:05, 0.47s elapsed (1 total hosts)
Overall sending rates: 8.47 packets / s, 322.03 bytes / s.
mass_rdns: Using DNS server xx.xx.xx.xx
mass_rdns: Using DNS server xx.xx.xx.xx
Initiating Parallel DNS resolution of 1 host. at 15:05
mass_rdns: 0.91s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
DNS resolution of 1 IPs took 0.91s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:05
Scanning SYSTEM01 (xx.xx.xx.xx) [1 port]
Packet capture filter (device eth0): dst host xx.xx.xx.xx and (icmp or icmp6 or ((tcp or udp or sctp) and (src host xx.xx.xx.xx)))
Discovered open port 445/tcp on xx.xx.xx.xx
Completed SYN Stealth Scan at 15:05, 0.01s elapsed (1 total ports)
Overall sending rates: 200.00 packets / s, 8800.00 bytes / s.
NSE: Script scanning xx.xx.xx.xx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:05
NSE: Starting smb-vuln-ms17-010 against SYSTEM01 (xx.xx.xx.xx).
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Added account '' to account list
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Added account 'guest' to account list
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] LM Password:
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Extended login to xx.xx.xx.xx as USF \guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] LM Password:
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Extended login to xx.xx.xx.xx as USF \ failed (NT_STATUS_ACCESS_DENIED)
NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] Could not connect to 'IPC$'
NSE: Finished smb-vuln-ms17-010 against SYSTEM01 (xx.xx.xx.xx).
Completed NSE at 15:05, 0.03s elapsed
Nmap scan report for SYSTEM01 (xx.xx.xx.xx)
Host is up, received timestamp-reply ttl 127 (0.0019s latency).
rDNS record for xx.xx.xx.xx: SYSTEM01.usf.ad.usfood.local
Scanned at 2017-05-19 15:05:16 US Mountain Standard Time for 1s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 127

Host script results:
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
Final times for host: srtt: 1875 rttvar: 4000 to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:05
Completed NSE at 15:05, 0.00s elapsed
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)