C:\Program Files (x86)\Nmap>nmap -d -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse SYSTEM01 Winpcap present, dynamic linked to: Npcap version 0.78 r5, based on libpcap vers ion 1.8.1 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 15:16 US Mountain Standard Time --------------- Timing report --------------- hostgroups: min 1, max 3 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- NSE: Using Lua 5.3. NSE: Arguments from CLI: NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 15:16 Completed NSE at 15:16, 0.00s elapsed Initiating Ping Scan at 15:16 Scanning SYSTEM01 (xx.xx.xx.xx) [4 ports] Packet capture filter (device eth0): dst host xx.xx.xx.xx and (icmp or icmp6 o r ((tcp or udp or sctp) and (src host xx.xx.xx.xx))) We got a ping packet back from xx.xx.xx.xx: id = 3117 seq = 0 checksum = 62418 Completed Ping Scan at 15:16, 2.03s elapsed (1 total hosts) Overall sending rates: 0.49 packets / s, 13.85 bytes / s. mass_rdns: Using DNS server xx.xx.xx.xx mass_rdns: Using DNS server xx.xx.xx.xx Initiating Parallel DNS resolution of 1 host. at 15:16 mass_rdns: 1.56s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] Completed Parallel DNS resolution of 1 host. at 15:16, 0.01s elapsed DNS resolution of 1 IPs took 1.56s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0] Initiating SYN Stealth Scan at 15:16 Scanning SYSTEM01 (xx.xx.xx.xx) [1 port] Packet capture filter (device eth0): dst host xx.xx.xx.xx and (icmp or icmp6 o r ((tcp or udp or sctp) and (src host xx.xx.xx.xx))) Discovered open port 445/tcp on xx.xx.xx.xx Completed SYN Stealth Scan at 15:16, 0.02s elapsed (1 total ports) Overall sending rates: 62.50 packets / s, 2750.00 bytes / s. NSE: Script scanning xx.xx.xx.xx. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 15:16 NSE: Starting smb-vuln-ms17-010 against SYSTEM01 (xx.xx.xx.xx). NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Added account '' to account list NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Added account 'guest' to account list NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] LM Password: NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Extended login to xx.xx.xx.xx as USF \guest failed (NT_STATUS_LOGON_FAILURE) NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] LM Password: NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] SMB: Extended login to xx.xx.xx.xx as USF \ failed (NT_STATUS_ACCESS_DENIED) NSE: [smb-vuln-ms17-010 xx.xx.xx.xx] Could not connect to 'IPC$' NSE: Finished smb-vuln-ms17-010 against SYSTEM01 (xx.xx.xx.xx). Completed NSE at 15:16, 1.07s elapsed Nmap scan report for SYSTEM01 (xx.xx.xx.xx) Host is up, received echo-reply ttl 127 (0.0034s latency). rDNS record for xx.xx.xx.xx: SYSTEM01.usf.ad.usfood.local Scanned at 2017-05-19 15:16:05 US Mountain Standard Time for 4s PORT STATE SERVICE REASON 445/tcp open microsoft-ds syn-ack ttl 127 Host script results: |_smb-vuln-ms17-010: Could not connect to 'IPC$' Final times for host: srtt: 3375 rttvar: 4500 to: 100000 NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 15:16 Completed NSE at 15:16, 0.00s elapsed Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 7.53 seconds Raw packets sent: 2 (72B) | Rcvd: 2 (72B) C:\Program Files (x86)\Nmap>