Blog

NMAP Part II

  • Post category:CEH

System enumeration

SCRIPTS (Vulnerabilities)

Perform more exhaustive scans to extract more information about a target or service running on a host.

Command:    nmap -Pn –script vuln <ip address>

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -script vuln 192.168.168.25
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-18 22:18 EDT
Nmap scan report for 192.168.168.25
Host is up (0.0017s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2011-2523 BID:48539
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
| https://www.securityfocus.com/bid/48539
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: CVE:CVE-2015-4000 BID:74733
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://weakdh.org
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the “POODLE” issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
53/tcp open domain
80/tcp open http
| http-enum:
| /tikiwiki/: Tikiwiki
| /test/: Test page
| /phpinfo.php: Possible information file
| /phpMyAdmin/: phpMyAdmin
| /doc/: Potentially interesting directory w/ listing on ‘apache/2.2.8 (ubuntu) dav/2’
| /icons/: Potentially interesting folder w/ directory listing
|_ /index/: Potentially interesting folder
| http-fileupload-exploiter:
|
|_ Couldn’t find a file-type field.
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server’s resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.168.25:80/dav/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?username=anonymous&page=password-generator.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=documentation%2Fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=home.php&do=toggle-security%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=home.php&do=toggle-hints%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.168.25:80/dav/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
| http://192.168.168.25:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
| http://192.168.168.25:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
| http://192.168.168.25:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
| http://192.168.168.25:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
| http://192.168.168.25:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
| http://192.168.168.25:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?username=anonymous&page=password-generator.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=documentation%2Fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=documentation%2Fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.168.25:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
|_ http://192.168.168.25:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
|_http-dombased-xss: Couldn’t find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.168.25
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.168.25:80/dvwa/
| Form id:
| Form action: login.php
|
| Path: http://192.168.168.25:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
|
| Path: http://192.168.168.25:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
|
| Path: http://192.168.168.25:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/edit/TWiki/
|
| Path: http://192.168.168.25:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
|
| Path: http://192.168.168.25:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
|
| Path: http://192.168.168.25:80/mutillidae/?page=text-file-viewer.php
| Form id: id-bad-cred-tr
|_ Form action: index.php?page=text-file-viewer.php
|_http-trace: TRACE is enabled
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
| rmi-vuln-classloader:
| VULNERABLE:
| RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
| References:
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5432/tcp open postgresql
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the “CCS Injection” vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_ http://www.cvedetails.com/cve/2014-0224
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the “POODLE” issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8009/tcp open ajp13
8180/tcp open unknown
| http-cookie-flags:
| /admin/:
| JSESSIONID:
| httponly flag not set
| /admin/index.html:
| JSESSIONID:
| httponly flag not set
| /admin/login.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin.html:
| JSESSIONID:
| httponly flag not set
| /admin/account.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.html:
| JSESSIONID:
| httponly flag not set
| /admin/home.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.html:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.html:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.html:
| JSESSIONID:
| httponly flag not set
| /admin/cp.html:
| JSESSIONID:
| httponly flag not set
| /admin/index.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/home.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/cp.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/account.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/jscript/upload.html:
| JSESSIONID:
|_ httponly flag not set
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server’s resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /admin/login.html: Possible admin folder
| /admin/admin.html: Possible admin folder
| /admin/account.html: Possible admin folder
| /admin/admin_login.html: Possible admin folder
| /admin/home.html: Possible admin folder
| /admin/admin-login.html: Possible admin folder
| /admin/adminLogin.html: Possible admin folder
| /admin/controlpanel.html: Possible admin folder
| /admin/cp.html: Possible admin folder
| /admin/index.jsp: Possible admin folder
| /admin/login.jsp: Possible admin folder
| /admin/admin.jsp: Possible admin folder
| /admin/home.jsp: Possible admin folder
| /admin/controlpanel.jsp: Possible admin folder
| /admin/admin-login.jsp: Possible admin folder
| /admin/cp.jsp: Possible admin folder
| /admin/account.jsp: Possible admin folder
| /admin/admin_login.jsp: Possible admin folder
| /admin/adminLogin.jsp: Possible admin folder
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
|_ /webdav/: Potentially interesting folder

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 327.66 seconds

SCRIPTS (RPC)

Interrogate NetBIOS information.

Command:    nmap -sV  <ip address> –script nbtstat.nse

Example:

┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.168.150 –script nbstat.nse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-19 02:40 EDT
Nmap scan report for 192.168.168.150
Host is up (0.0019s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-19 16:42:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: netlab.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: netlab.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: INFRA01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: INFRA01, NetBIOS user: <unknown>, NetBIOS MAC: 000c29c971a6 (VMware)
| Names:
| INFRA01<00> Flags: <unique><active>
| NETLAB<00> Flags: <group><active>
| NETLAB<1c> Flags: <group><active>
| NETLAB<1b> Flags: <unique><active>
|_ INFRA01<20> Flags: <unique><active>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.60 seconds

Tags: