
UNIVERSIDAD DE GUAYAQUIL

FACULTY OF MATHEMATICAL AND PHYSICAL SCIENCES


NETWORKING AND TELECOMMUNICATIONS ENGINEERING PROGRAM

NMAP
N8J

Members:
Robert Soria
Christian Marin
Hilda Vera
Angie Merchan
[root:~]# nmap -f -sS -sV --script auth 192.168.27.129

Starting Nmap 7.31 ( https://nmap.org ) at 2017-02-07 18:24 COT
Nmap scan report for 192.168.27.129
Host is up, received arp-response (0.0010s latency).
Not shown: 977 closed ports
Reason: 977 resets
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 64 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      syn-ack ttl 64 Linux telnetd
25/tcp   open  smtp        syn-ack ttl 64 Postfix smtpd
| smtp-enum-users: 
|_  Method RCPT returned a unhandled status code.
53/tcp   open  domain      syn-ack ttl 64 ISC BIND 9.4.2
80/tcp   open  http        syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
111/tcp  open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3,4     2049/tcp    nfs
|   100003  2,3,4     2049/udp    nfs
|   100005  1,2,3     35379/udp   mountd
|   100005  1,2,3     51200/tcp   mountd
|   100021  1,3,4     53204/udp   nlockmgr
|   100021  1,3,4     55613/tcp   nlockmgr
|   100024  1         32796/udp   status
|_  100024  1         56463/tcp   status
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        syn-ack ttl 64 netkit-rsh rexecd
513/tcp  open  login?      syn-ack ttl 64
514/tcp  open  tcpwrapped  syn-ack ttl 64
1099/tcp open  rmiregistry syn-ack ttl 64 GNU Classpath grmiregistry
1524/tcp open  shell       syn-ack ttl 64 Metasploitable root shell
2049/tcp open  nfs         syn-ack ttl 64 2-4 (RPC #100003)
2121/tcp open  ftp         syn-ack ttl 64 ProFTPD 1.3.1
3306/tcp open  mysql       syn-ack ttl 64 MySQL 5.0.51a-3ubuntu5
| mysql-empty-password: 
|_  root account has empty password
| mysql-users: 
|   debian-sys-maint
|   guest
|_  root
5432/tcp open  postgresql  syn-ack ttl 64 PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         syn-ack ttl 64 VNC (protocol 3.3)
6000/tcp open  X11         syn-ack ttl 64 (access denied)
6667/tcp open  irc         syn-ack ttl 64 Unreal ircd
8009/tcp open  ajp13       syn-ack ttl 64 Apache Jserv (Protocol v1.3)
8180/tcp open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
|_http-default-accounts: [Apache Tomcat] credentials found -> tomcat:tomcat Path:/manager/html/
|_http-server-header: Apache-Coyote/1.1
MAC Address: 00:0C:29:F0:83:22 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-enum-users: 
|_  Domain: METASPLOITABLE; Users: backup, bin, bind, daemon, dhcp, distccd, ftp, games, gnats, irc, klog, libuuid, list, lp, mail, man, msfadmin, mysql, news, nobody, postfix, postgres, proftpd, proxy, root, service, sshd, sync, sys, syslog, telnetd, tomcat55, user, uucp, www-data

Post-scan script results:
| creds-summary: 
|   192.168.27.129: 
|     8180/http: 
|_      tomcat:tomcat - Valid credentials

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.32 seconds

[root:~]# nmap -f -sS -sV --script default 192.168.27.129

Starting Nmap 7.31 ( https://nmap.org ) at 2017-02-07 18:44 COT
Nmap scan report for 192.168.27.129
Host is up, received arp-response (0.00090s latency).
Not shown: 977 closed ports
Reason: 977 resets
PORT     STATE SERVICE     REASON         VERSION
21/tcp   open  ftp         syn-ack ttl 64 vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         syn-ack ttl 64 OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      syn-ack ttl 64 Linux telnetd
25/tcp   open  smtp        syn-ack ttl 64 Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2017-02-07T23:44:50+00:00; -14s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
53/tcp   open  domain      syn-ack ttl 64 ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        syn-ack ttl 64 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     syn-ack ttl 64 2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3,4     2049/tcp    nfs
|   100003  2,3,4     2049/udp    nfs
|   100005  1,2,3     35379/udp   mountd
|   100005  1,2,3     51200/tcp   mountd
|   100021  1,3,4     53204/udp   nlockmgr
|   100021  1,3,4     55613/tcp   nlockmgr
|   100024  1         32796/udp   status
|_  100024  1         56463/tcp   status
139/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 64 Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        syn-ack ttl 64 netkit-rsh rexecd
513/tcp  open  login?      syn-ack ttl 64
514/tcp  open  tcpwrapped  syn-ack ttl 64
1099/tcp open  java-rmi    syn-ack ttl 64 Java RMI Registry
1524/tcp open  shell       syn-ack ttl 64 Metasploitable root shell
2049/tcp open  nfs         syn-ack ttl 64 2-4 (RPC #100003)
2121/tcp open  ftp         syn-ack ttl 64 ProFTPD 1.3.1
3306/tcp open  mysql       syn-ack ttl 64 MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 14
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, ConnectWithDatabase, LongColumnFlag, SupportsCompression, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsTransactions
|   Status: Autocommit
|_  Salt: Rrh2`n*$r6S~DuD/_r>|\x00
5432/tcp open  postgresql  syn-ack ttl 64 PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2017-02-07T23:44:51+00:00; -14s from scanner time.
5900/tcp open  vnc         syn-ack ttl 64 VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         syn-ack ttl 64 (access denied)
6667/tcp open  irc         syn-ack ttl 64 Unreal ircd
| irc-info: 
|   users: 1.0
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 0:23:09
|   source ident: nmap
|   source host: AAA2CCC2.3ED45D4B.FFFA6D49.IP
|_  error: Closing Link: jnoxwpdpm[192.168.27.128] (Quit: jnoxwpdpm)
8009/tcp open  ajp13       syn-ack ttl 64 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:F0:83:22 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -14s, deviation: 0s, median: -14s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2017-02-07T18:44:40-05:00

Post-scan script results:
| clock-skew: 
|_  -14s: Majority of systems scanned

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.03 seconds

[root:~]# nmap -f --script safe 192.168.27.129

Starting Nmap 7.31 ( https://nmap.org ) at 2017-02-07 18:48 COT
Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 1: 
|     IP Offered: 192.168.27.130
|     Server Identifier: 192.168.27.254
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.27.2
|     Domain Name Server: 192.168.27.2
|     Domain Name: localdomain
|     Broadcast Address: 192.168.27.255
|_    NetBIOS Name Server: 192.168.27.2
| broadcast-igmp-discovery: 
|   192.168.27.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.27.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   192.168.27.1
|     Interface: eth0
|     Version: 2
|     Group: 239.255.255.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
| broadcast-listener: 
|   ether
|     EIGRP Hello
|
|     ARP Request
|       sender ip     sender mac         target ip
|       192.168.27.2  00:50:56:ED:2A:E4  192.168.27.130
|   udp
|     DHCP
|       srv ip          cli ip          mask           gw            dns           vendor
|       192.168.27.254  192.168.27.130  255.255.255.0  192.168.27.2  192.168.27.2  -
|     SSDP
|       ip            uri
|       192.168.27.1  urn:dial-multiscreen-org:service:dial:1
|     DHCP6
|       ip                        fqdn
|_      fe80::14f:1949:8f2d:5b58  EDu
| broadcast-netbios-master-browser: 
|_ip  server  domain
| broadcast-ping: 
|   IP: 192.168.27.2  MAC: 00:50:56:ed:2a:e4
|_  Use --script-args=newtargets to add the results as targets
| broadcast-wsdd-discover: 
|   Devices
|     239.255.255.250
|         Message id: 01d12830-91b9-473c-95d2-e852b058a114
|         Address: http://192.168.27.1:5357/db40509b-49c3-4f2d-a4ab-ec9701096048/
|_        Type: Device pub:Computer
|_eap-info: please specify an interface with -e
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
Stats: 0:03:00 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.92% done; ETC: 18:51 (0:00:00 remaining)
Stats: 0:06:00 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 18:54 (0:00:00 remaining)
Nmap scan report for 192.168.27.129
Host is up, received arp-response (0.00087s latency).
Not shown: 977 closed ports
Reason: 977 resets
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack ttl 64
|_banner: 220 (vsFTPd 2.3.4)
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh          syn-ack ttl 64
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
| ssh2-enum-algos: 
|   kex_algorithms: (4)
|   server_host_key_algorithms: (2)
|   encryption_algorithms: (13)
|   mac_algorithms: (7)
|_  compression_algorithms: (2)
23/tcp   open  telnet       syn-ack ttl 64
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
| telnet-encryption: 
|_  Telnet server does not support encryption
25/tcp   open  smtp         syn-ack ttl 64
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2017-02-07T23:48:46+00:00; -18s from scanner time.
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  OSVDB:122331  CVE:CVE-2015-4000
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 504
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       http://osvdb.org/122331
|       https://weakdh.org
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       http://osvdb.org/113251
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
53/tcp   open  domain       syn-ack ttl 64
80/tcp   open  http         syn-ack ttl 64
|_http-apache-negotiation: mod_negotiation enabled.
| http-auth-finder: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.27.129
|   url                                                        method
|   http://192.168.27.129/phpMyAdmin/                          FORM
|_  http://192.168.27.129/mutillidae/index.php?page=login.php  FORM
| http-comments-displayer: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.27.129
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=captured-data.php
|     Line number: 509
|     Comment: 
|         <!-- BEGIN HTML OUTPUT -->
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 32
|     Comment: 
|         //Horizontal or vertical menu: Set to "h" or "v"
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 35
|     Comment: 
|         //"markup" or ["container_id", "path_to_menu_file"]
|     
|     Path: http://192.168.27.129/phpMyAdmin/
|     Line number: 18
|     Comment: 
|         
|         //]]>
|     
|     Path: http://192.168.27.129/phpMyAdmin/
|     Line number: 44
|     Comment: 
|         <!-- Login form -->
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 488
|     Comment: 
|         <!-- Begin Content -->
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 33
|     Comment: 
|         //class added to menu's outer DIV
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 23
|     Comment: 
|         
|         /***********************************************
|         * Smooth Navigational Menu- (c) Dynamic Drive DHTML code library (www.dynamicdrive.com)
|         * This notice MUST stay intact for legal use
|         * Visit Dynamic Drive at http://www.dynamicdrive.com/ for full source code
|         
|         ***********************************************/
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 638
|     Comment: 
|         <!-- End Content -->
|     
|     Path: http://192.168.27.129/mutillidae/./javascript/bookmark-site.js
|     Line number: 8
|     Comment: 
|         /* Modified heavily by Jeremy Druin */
|     
|     Path: http://192.168.27.129/mutillidae/index.php?page=login.php
|     Line number: 519
|     Comment: 
|         
|         //-->
|     
|     Path: http://192.168.27.129/mutillidae/./javascript/bookmark-site.js
|     Line number: 2
|     Comment: 
|         
|         /***********************************************
|         * Bookmark site script- © Dynamic Drive DHTML code library (www.dynamicdrive.com)
|         * This notice MUST stay intact for legal use
|         * Visit Dynamic Drive at http://www.dynamicdrive.com/ for full source code
|         
|         ***********************************************/
|     
|     Path: http://192.168.27.129/phpMyAdmin/
|     Line number: 66
|     Comment: 
|         
|         // <![CDATA[
|     
|     Path: http://192.168.27.129/phpMyAdmin/
|     Line number: 79
|     Comment: 
|         
|         // ]]>
|     
|     Path: http://192.168.27.129/mutillidae/index.php?page=login.php
|     Line number: 496
|     Comment: 
|         /*HTMLFormElement*/
|     
|     Path: http://192.168.27.129/mutillidae/index.php?page=login.php
|     Line number: 491
|     Comment: 
|         <!--
|         var l_loggedIn = false;
|         var l_failedLogInFlag = "0";
|         var lValidateInput = "FALSE"
|         
|         function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm){
|           try{
|             var lUnsafeCharacters = /[`~!@#$%^&*()-_=+\[\]{}\\|;':",./<>?]/;
|         
|             if(lValidateInput == "TRUE"){
|               if (theForm.username.value.length > 15 || theForm.password.value.length > 15){
|                 alert('Username too long. We dont want to allow too many characters.\n\nSomeone might have enough room to enter a hack attempt.');
|                 return false;
|               }// end if
|         
|               if (theForm.username.value.search(lUnsafeCharacters) > -1 || theForm.password.value.search(lUnsafeCharacters) > -1){
|                 alert('Dangerous characters detected. We can\'t allow these. This all powerful blacklist will stop such attempts.\n\nMuch like padlocks, filtering cannot be defeated.\n\nBlacklisting is l33t like l33tspeak.');
|                 return false;
|               }// end if
|             }// end if(lValidateInput)
|         
|             return true;
|           }catch(e){
|             alert("Error: " + e.message);
|           }// end catch
|         }// end function onSubmitOfLoginForm(/*HTMLFormElement*/ theForm)
|         //-->
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 31
|     Comment: 
|         //menu DIV id
|     
|     Path: http://192.168.27.129/mutillidae/./index.php?page=installation.php
|     Line number: 2
|     Comment: 
|         <!-- I think the database password is set to blank or perhaps samurai.
|         It depends on whether you installed this web app from irongeeks site or
|         are using it inside Kevin Johnsons Samurai web testing framework.
|         It is ok to put the password in HTML comments because no user will ever see
|         this comment. I remember that security instructor saying we should use the
|         framework comment symbols (ASP.NET, JAVA, PHP, Etc.) rather than HTML
|         comments, but we all know those security instructors are just making all this up. -->
|     
|     Path: http://192.168.27.129/phpMyAdmin/
|     Line number: 13
|     Comment: 
|         
|_        //<![CDATA[
|_http-date: Tue, 07 Feb 2017 23:48:37 GMT; -23s from local time.
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-grep: 
|   (1) http://192.168.27.129/dvwa/: 
|     (1) ip: 
|       + 192.168.27.129
|   (1) http://192.168.27.129/mutillidae/./index.php?page=credits.php: 
|     (1) email: 
|_      + mutillidae-development@gmail.com
| http-headers: 
|   Date: Tue, 07 Feb 2017 23:48:33 GMT
|   Server: Apache/2.2.8 (Ubuntu) DAV/2
|   X-Powered-By: PHP/5.2.4-2ubuntu5.10
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
|_http-malware-host: ERROR: Script execution failed (use -d to debug)
|_http-mobileversion-checker: No mobile version detected.
| http-php-version: Versions from logo query (less accurate): 5.1.3 - 5.1.6, 5.2.0 - 5.2.17
| Versions from credits query (more accurate): 5.2.3 - 5.2.5, 5.2.6RC3
|_Version from header x-powered-by: PHP/5.2.4-2ubuntu5.10
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-title: Metasploitable2 - Linux
|_http-trace: TRACE is enabled
| http-traceroute: 
|   content-length
|   Hop #1: 891
|   Hop #2
|_  Hop #3
| http-useragent-tester: 
|   
|   Allowed User Agents: 
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_  
|_http-xssed: No previously reported XSS vuln.
111/tcp  open  rpcbind      syn-ack ttl 64
| nfs-ls: Volume /
|   access: Read Lookup Modify Extend Delete NoExecute
| PERMISSION  UID  GID  SIZE   TIME                 FILENAME
| drwxr-xr-x  0    0    4096   2012-05-14T03:35:33  bin
| drwxr-xr-x  0    0    4096   2010-04-16T06:16:02  home
| drwxr-xr-x  0    0    4096   2010-03-16T22:57:40  initrd
| lrwxrwxrwx  0    0    32     2010-04-28T20:26:18  initrd.img
| drwxr-xr-x  0    0    4096   2012-05-14T03:35:22  lib
| drwx------  0    0    16384  2010-03-16T22:55:15  lost+found
| drwxr-xr-x  0    0    4096   2010-03-16T22:55:52  media
| drwxr-xr-x  0    0    4096   2010-04-28T20:16:56  mnt
| drwxr-xr-x  0    0    4096   2012-05-14T01:54:53  sbin
| drwxr-xr-x  0    0    4096   2010-04-28T04:06:37  usr
|_
| nfs-showmount: 
|_  / *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /           7282168.0  1496096.0  5419072.0  22%   2.0T         32000
| rpcinfo: 
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3,4     2049/tcp    nfs
|   100003  2,3,4     2049/udp    nfs
|   100005  1,2,3     35379/udp   mountd
|   100005  1,2,3     51200/tcp   mountd
|   100021  1,3,4     53204/udp   nlockmgr
|   100021  1,3,4     55613/tcp   nlockmgr
|   100024  1         32796/udp   status
|_  100024  1         56463/tcp   status
139/tcp  open  netbios-ssn  syn-ack ttl 64
445/tcp  open  microsoft-ds syn-ack ttl 64
512/tcp  open  exec         syn-ack ttl 64
|_banner: \x01Where are you?
513/tcp  open  login        syn-ack ttl 64
514/tcp  open  shell        syn-ack ttl 64
1099/tcp open  java-rmi     syn-ack ttl 64
1524/tcp open  ingreslock   syn-ack ttl 64
|_banner: root@metasploitable:/#
2049/tcp open  nfs          syn-ack ttl 64
2121/tcp open  ccproxy-ftp  syn-ack ttl 64
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.27.129]
3306/tcp open  mysql        syn-ack ttl 64
|_banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00\x10\x00\x00\x00"{gt14P...
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 15
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, LongColumnFlag, Support41Auth, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolNew, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: 37X8LVM^p9i'$~q<tT*p\x00
5432/tcp open  postgresql   syn-ack ttl 64
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       http://www.cvedetails.com/cve/2014-0224
|       http://www.openssl.org/news/secadv_20140605.txt
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2017-02-07T23:48:44+00:00; -16s from scanner time.
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       http://osvdb.org/113251
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
5900/tcp open  vnc          syn-ack ttl 64
|_banner: RFB 003.003
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11          syn-ack ttl 64
6667/tcp open  irc          syn-ack ttl 64
|_banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hos...
| irc-info: 
|   users: 1.0
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 0:27:19
|   source ident: nmap
|   source host: AAA2CCC2.3ED45D4B.FFFA6D49.IP
|_  error: Closing Link: evweujmve[192.168.27.128] (Quit: evweujmve)
8009/tcp open  ajp13        syn-ack ttl 64
| ajp-headers: 
|_  Content-Type: text/html;charset=ISO-8859-1
|_ajp-methods: Failed to get a valid response for the OPTION request
| ajp-request: 
|   AJP/1.3 200 OK
|   Content-Type: text/html;charset=ISO-8859-1
|   
|   iguring and using Tomcat</li>
|   <li><b><a href="mailto:dev@tomcat.apache.org">dev@tomcat.apache.org</a></b> for developers working on Tomcat</li>
|   </ul>
|   
|   <p>Thanks for using Tomcat!</p>
|   
|   <p id="footer"><img src="tomcat-power.gif" width="77" height="80" alt="Powered by Tomcat"/><br/>
|   &nbsp;
|   
|   Copyright &copy; 1999-2005 Apache Software Foundation<br/>
|   All Rights Reserved
|   </p>
|   </td>
|   
|   </tr>
|   </table>
|   
|   </body>
|_  </html>
8180/tcp open  unknown      syn-ack ttl 64
| http-auth-finder: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.27.129
|   url                                        method
|   http://192.168.27.129:8180/manager/status  HTTP: Basic
|_  http://192.168.27.129:8180/manager/html    HTTP: Basic
|_http-date: Tue, 07 Feb 2017 23:48:44 GMT; -17s from local time.
|_http-favicon: Apache Tomcat
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-grep: 
|   (2) http://192.168.27.129:8180/: 
|     (2) email: 
|       + users@tomcat.apache.org
|       + dev@tomcat.apache.org
|   (3) http://192.168.27.129:8180/tomcat-docs/changelog.html: 
|     (3) email: 
|       + remm@apache.org
|       + yoavs@apache.org
|       + fhanik@apache.org
|   (1) http://192.168.27.129:8180/tomcat-docs/introduction.html: 
|     (1) email: 
|       + rslifka@sfu.ca
|   (1) http://192.168.27.129:8180/tomcat-docs/manager-howto.html: 
|     (1) email: 
|       + craigmcc@apache.org
|   (1) http://192.168.27.129:8180/tomcat-docs/cluster-howto.html: 
|     (1) email: 
|       + pero@apache.org
|   (1) http://192.168.27.129:8180/tomcat-docs/default-servlet.html: 
|     (1) email: 
|_      + funkman@apache.org
| http-headers: 
|   Server: Apache-Coyote/1.1
|   Content-Type: text/html;charset=ISO-8859-1
|   Date: Tue, 07 Feb 2017 23:48:45 GMT
|   Connection: close
|   
|_  (Request type: HEAD)
|_http-malware-host: ERROR: Script execution failed (use -d to debug)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:F0:83:22 (VMware)

Host script results:
|_clock-skew: mean: -19s, deviation: 3s, median: -18s
|_fcrdns: FAIL (No PTR record)
|_ipidseq: All zeros
|_msrpc-enum: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_path-mtu: PMTU == 1500
| qscan: 
|   PORT  FAMILY  MEAN (us)  STDDEV    LOSS (%)
|   1     0       591.60     222.57    0.0%
|   21    0       942.10     902.32    0.0%
|   22    0       1052.20    1065.75   0.0%
|   23    0       1556.30    1897.65   0.0%
|   25    0       12630.60   37642.14  0.0%
|   53    1       741.90     128.23    0.0%
|   80    0       718.80     305.93    0.0%
|   111   0       582.90     142.52    0.0%
|_  139   0       3173.60    8066.89   0.0%
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2017-02-07T18:48:44-05:00
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)

Post-scan script results:
| clock-skew: 
|_  -19s: Majority of systems scanned
| reverse-index: 
|   21/tcp: 192.168.27.129
|   22/tcp: 192.168.27.129
|   23/tcp: 192.168.27.129
|   25/tcp: 192.168.27.129
|   53/tcp: 192.168.27.129
|   80/tcp: 192.168.27.129
|   111/tcp: 192.168.27.129
|   139/tcp: 192.168.27.129
|   445/tcp: 192.168.27.129
|   512/tcp: 192.168.27.129
|   513/tcp: 192.168.27.129
|   514/tcp: 192.168.27.129
|   1099/tcp: 192.168.27.129
|   1524/tcp: 192.168.27.129
|   2049/tcp: 192.168.27.129
|   2121/tcp: 192.168.27.129
|   3306/tcp: 192.168.27.129
|   5432/tcp: 192.168.27.129
|   5900/tcp: 192.168.27.129
|   6000/tcp: 192.168.27.129
|   6667/tcp: 192.168.27.129
|   8009/tcp: 192.168.27.129
|_  8180/tcp: 192.168.27.129
Nmap done: 1 IP address (1 host up) scanned in 381.19 seconds

[root:~]# nmap -f --script vuln 192.168.27.129
Starting Nmap 7.31 ( https://nmap.org ) at 2017-02- | to downgrade the security of a TLS session
07 18:58 COT to 512-bit export-grade
Stats: 0:03:00 elapsed; 0 hosts completed (1 up), 1 | cryptography, which is significantly weaker,
undergoing Script Scan allowing the attacker
NSE Timing: About 99.77% done; ETC: 19:01 (0:00:00 | to more easily break the encryption and
remaining) monitor or tamper with
Nmap scan report for 192.168.27.129 | the encrypted stream.
Host is up, received arp-response (0.00088s | Disclosure date: 2015-5-19
latency). | Check results:
Not shown: 977 closed ports | EXPORT-GRADE DH GROUP 1
Reason: 977 resets | Cipher Suite:
PORT STATE SERVICE REASON TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
21/tcp open ftp syn-ack ttl 64 | Modulus Type: Safe prime
| ftp-vsftpd-backdoor: | Modulus Source: Unknown/Custom-
| VULNERABLE: generated
| vsFTPd version 2.3.4 backdoor | Modulus Length: 512
| State: VULNERABLE (Exploitable) | Generator Length: 8
| IDs: CVE:CVE-2011-2523 OSVDB:73573 | Public Key Length: 512
| vsFTPd version 2.3.4 backdoor, this was | References:
reported on 2011-07-04. | http://osvdb.org/122331
| Disclosure date: 2011-07-03 | https://cve.mitre.org/cgi-
| Exploit results: bin/cvename.cgi?name=CVE-2015-4000
| Shell command: id | https://weakdh.org
| Results: uid=0(root) gid=0(root) |
| References: | Diffie-Hellman Key Exchange Insufficient Group
| https://cve.mitre.org/cgi- Strength
bin/cvename.cgi?name=CVE-2011-2523 | State: VULNERABLE
| https://github.com/rapid7/metasploit- | Transport Layer Security (TLS) services that
framework/blob/master/modules/exploits/unix/ftp/vsft use Diffie-Hellman groups
pd_234_backdoor.rb | of insufficient strength, especially those
| using one of a few commonly
http://scarybeastsecurity.blogspot.com/2011/07/alert | shared groups, may be susceptible to passive
-vsftpd-download-backdoored.html eavesdropping attacks.
|_ http://osvdb.org/73573 | Check results:
|_sslv2-drown: | WEAK DH GROUP 1
22/tcp open ssh syn-ack ttl 64 | Cipher Suite:
23/tcp open telnet syn-ack ttl 64 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
25/tcp open smtp syn-ack ttl 64 | Modulus Type: Safe prime
| smtp-vuln-cve2010-4344: | Modulus Source: Unknown/Custom-
|_ The SMTP server is not Exim: NOT VULNERABLE generated
| ssl-dh-params: | Modulus Length: 1024
| VULNERABLE: | Generator Length: 8
| Anonymous Diffie-Hellman Key Exchange MitM | Public Key Length: 1024
Vulnerability | References:
| State: VULNERABLE |_ https://weakdh.org
| Transport Layer Security (TLS) services that | ssl-poodle:
use anonymous | VULNERABLE:
| Diffie-Hellman key exchange only provide | SSL POODLE information leak
protection against passive | State: VULNERABLE
| eavesdropping, and are vulnerable to active | IDs: CVE:CVE-2014-3566 OSVDB:113251
man-in-the-middle attacks | The SSL protocol 3.0, as used in OpenSSL
| which could completely compromise the through 1.0.1i and other
confidentiality and integrity | products, uses nondeterministic CBC
| of any data exchanged over the resulting padding, which makes it easier
session. | for man-in-the-middle attackers to
| Check results: obtain cleartext data via a
| ANONYMOUS DH GROUP 1 | padding-oracle attack, aka the "POODLE"
| Cipher Suite: issue.
TLS_DH_anon_WITH_DES_CBC_SHA | Disclosure date: 2014-10-14
| Modulus Type: Safe prime | Check results:
| Modulus Source: Unknown/Custom- | TLS_RSA_WITH_AES_128_CBC_SHA
generated | References:
| Modulus Length: 1024 |
| Generator Length: 8 https://www.imperialviolet.org/2014/10/14/poodle.htm
| Public Key Length: 1024 l
| References: | https://cve.mitre.org/cgi-
| https://www.ietf.org/rfc/rfc2246.txt bin/cvename.cgi?name=CVE-2014-3566
| | http://osvdb.org/113251
| Transport Layer Security (TLS) Protocol |_ https://www.openssl.org/~bodo/ssl-poodle.pdf
DHE_EXPORT Ciphers Downgrade MitM (Logjam) | sslv2-drown:
| State: VULNERABLE | ciphers:
| IDs: CVE:CVE-2015-4000 OSVDB:122331 | SSL2_DES_64_CBC_WITH_MD5
| The Transport Layer Security (TLS) protocol | SSL2_RC2_128_CBC_WITH_MD5
contains a flaw that is | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| triggered when handling Diffie-Hellman key | SSL2_DES_192_EDE3_CBC_WITH_MD5
exchanges defined with | SSL2_RC4_128_WITH_MD5
| the DHE_EXPORT cipher. This may allow a man- | SSL2_RC4_128_EXPORT40_WITH_MD5
in-the-middle attacker | vulns:
| CVE-2016-0703:
| title: OpenSSL: Divide-and-conquer session | Form id: id-bad-cred-tr
key recovery in SSLv2 | Form action: index.php?page=register.php
| state: VULNERABLE |
| ids: | Path:
| CVE:CVE-2016-0703 http://192.168.27.129/mutillidae/?page=login.php
| description: | Form id: idloginform
| The get_client_master_key function |_ Form action: index.php?page=login.php
in s2_srvr.c in the SSLv2 implementation in |_http-dombased-xss: Couldn't find any DOM based
| OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, XSS.
1.0.1 before 1.0.1m, and 1.0.2 before | http-enum:
| 1.0.2a accepts a nonzero CLIENT-MASTER-KEY | /tikiwiki/: Tikiwiki
CLEAR-KEY-LENGTH value for an arbitrary | /test/: Test page
| cipher, which allows man-in-the-middle | /phpinfo.php: Possible information file
attackers to determine the MASTER-KEY value | /phpMyAdmin/: phpMyAdmin
| and decrypt TLS ciphertext data by | /doc/: Potentially interesting directory w/
leveraging a Bleichenbacher RSA padding oracle, a listing on 'apache/2.2.8 (ubuntu) dav/2'
| related issue to CVE-2016-0800. | /icons/: Potentially interesting folder w/
| directory listing
| refs: |_ /index/: Potentially interesting folder
| https://cve.mitre.org/cgi- | http-slowloris-check:
bin/cvename.cgi?name=CVE-2016-0703 | VULNERABLE:
| | Slowloris DOS attack
https://www.openssl.org/news/secadv/20160301.txt | State: LIKELY VULNERABLE
| CVE-2016-0800: | IDs: CVE:CVE-2007-6750
| title: OpenSSL: Cross-protocol attack on TLS | Slowloris tries to keep many connections to
using SSLv2 (DROWN) the target web server open and hold
| state: VULNERABLE | them open as long as possible. It
| ids: accomplishes this by opening connections to
| CVE:CVE-2016-0800 | the target web server and sending a partial
| description: request. By doing so, it starves
| The SSLv2 protocol, as used in | the http server's resources causing Denial
OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and Of Service.
| other products, requires a server to send a |
ServerVerify message before establishing | Disclosure date: 2009-09-17
| that a client possesses certain plaintext | References:
RSA data, which makes it easier for remote | http://ha.ckers.org/slowloris/
| attackers to decrypt TLS ciphertext data by |_ https://cve.mitre.org/cgi-
leveraging a Bleichenbacher RSA padding bin/cvename.cgi?name=CVE-2007-6750
| oracle, aka a "DROWN" attack. | http-sql-injection:
| | Possible sqli for queries:
| refs: |
| https://cve.mitre.org/cgi- http://192.168.27.129/mutillidae/./index.php?page=us
bin/cvename.cgi?name=CVE-2016-0800 er%2dinfo%2ephp%27%20OR%20sqlspider
|_ |
https://www.openssl.org/news/secadv/20160301.txt http://192.168.27.129/mutillidae/./index.php?page=ht
53/tcp open domain syn-ack ttl 64 ml5%2dstorage%2ephp%27%20OR%20sqlspider
80/tcp open http syn-ack ttl 64 |
| http-csrf: http://192.168.27.129/mutillidae/./index.php?page=sh
| Spidering limited to: maxdepth=3; maxpagecount=20; ow%2dlog%2ephp%27%20OR%20sqlspider
withinhost=192.168.27.129 |
| Found the following possible CSRF http://192.168.27.129/mutillidae/./index.php?page=br
vulnerabilities: owser%2dinfo%2ephp%27%20OR%20sqlspider
| |
| Path: http://192.168.27.129/mutillidae/./index.php?page=cr
http://192.168.27.129/mutillidae/./index.php?page=us edits%2ephp%27%20OR%20sqlspider
er-info.php |
| Form id: id-bad-cred-tr http://192.168.27.129/mutillidae/index.php?page=logi
| Form action: ./index.php?page=user-info.php n%2ephp%27%20OR%20sqlspider
| |
| Path: http://192.168.27.129/mutillidae/./index.php?page=ho
http://192.168.27.129/mutillidae/./index.php?page=ht me%2ephp&do=toggle%2dhints%27%20OR%20sqlspider
ml5-storage.php |
| Form id: idform http://192.168.27.129/mutillidae/./index.php?page=ho
| Form action: index.php?page=html5-storage.php me%2ephp&do=toggle%2dsecurity%27%20OR%20sqlspider
| |
| Path: http://192.168.27.129/mutillidae/?page=user%2dinfo%2
http://192.168.27.129/mutillidae/index.php?page=logi ephp%27%20OR%20sqlspider
n.php |
| Form id: idloginform http://192.168.27.129/mutillidae/index.php?page=capt
| Form action: index.php?page=login.php ure%2ddata%2ephp%27%20OR%20sqlspider
| |
| Path: http://192.168.27.129/mutillidae/./index.php?page=re
http://192.168.27.129/mutillidae/?page=user-info.php gister%2ephp%27%20OR%20sqlspider
| Form id: id-bad-cred-tr |
| Form action: ./index.php?page=user-info.php http://192.168.27.129/mutillidae/./index.php?page=ph
| p%2derrors%2ephp%27%20OR%20sqlspider
| Path: |
http://192.168.27.129/mutillidae/./index.php?page=re http://192.168.27.129/mutillidae/?page=login%2ephp%2
gister.php 7%20OR%20sqlspider
| | Diffie-Hellman Key Exchange Insufficient Group
http://192.168.27.129/mutillidae/?page=view%2dsomeon Strength
es%2dblog%2ephp%27%20OR%20sqlspider | State: VULNERABLE
| | Transport Layer Security (TLS) services that
http://192.168.27.129/mutillidae/./index.php?usernam use Diffie-Hellman groups
e=anonymous&page=password%2dgenerator%2ephp%27%20OR% | of insufficient strength, especially those
20sqlspider using one of a few commonly
| | shared groups, may be susceptible to passive
http://192.168.27.129/mutillidae/index.php?page=add% eavesdropping attacks.
2dto%2dyour%2dblog%2ephp%27%20OR%20sqlspider | Check results:
| | WEAK DH GROUP 1
http://192.168.27.129/mutillidae/./index.php?usernam | Cipher Suite:
e=anonymous&page=password%2dgenerator%2ephp%27%20OR% TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
20sqlspider | Modulus Type: Safe prime
| Possible sqli for forms: | Modulus Source: Unknown/Custom-
| Form at path: /mutillidae/./index.php, form's generated
action: ./index.php?page=user-info.php. Fields that | Modulus Length: 1024
might be vulnerable: | Generator Length: 8
| username | Public Key Length: 1024
| Form at path: /mutillidae/, form's action: | References:
./index.php?page=user-info.php. Fields that might be |_ https://weakdh.org
vulnerable: | ssl-poodle:
|_ username | VULNERABLE:
|_http-stored-xss: Couldn't find any stored XSS | SSL POODLE information leak
vulnerabilities. | State: VULNERABLE
|_http-trace: TRACE is enabled | IDs: CVE:CVE-2014-3566 OSVDB:113251
111/tcp open rpcbind syn-ack ttl 64 | The SSL protocol 3.0, as used in OpenSSL
139/tcp open netbios-ssn syn-ack ttl 64 through 1.0.1i and other
445/tcp open microsoft-ds syn-ack ttl 64 | products, uses nondeterministic CBC
512/tcp open exec syn-ack ttl 64 padding, which makes it easier
513/tcp open login syn-ack ttl 64 | for man-in-the-middle attackers to
514/tcp open shell syn-ack ttl 64 obtain cleartext data via a
1099/tcp open rmiregistry syn-ack ttl 64 | padding-oracle attack, aka the "POODLE"
| rmi-vuln-classloader: issue.
| VULNERABLE: | Disclosure date: 2014-10-14
| RMI registry default configuration remote code | Check results:
execution vulnerability | TLS_RSA_WITH_AES_128_CBC_SHA
| State: VULNERABLE | References:
| Default configuration of RMI registry allows |
loading classes from remote URLs which can lead to https://www.imperialviolet.org/2014/10/14/poodle.htm
remote code executeion. l
| | https://cve.mitre.org/cgi-
| References: bin/cvename.cgi?name=CVE-2014-3566
|_ https://github.com/rapid7/metasploit- | http://osvdb.org/113251
framework/blob/master/modules/exploits/multi/misc/ja |_ https://www.openssl.org/~bodo/ssl-poodle.pdf
va_rmi_server.rb |_sslv2-drown:
1524/tcp open ingreslock syn-ack ttl 64 5900/tcp open vnc syn-ack ttl 64
2049/tcp open nfs syn-ack ttl 64 |_sslv2-drown:
2121/tcp open ccproxy-ftp syn-ack ttl 64 6000/tcp open X11 syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64 6667/tcp open irc syn-ack ttl 64
|_mysql-vuln-cve2012-2122: ERROR: Script execution |_irc-unrealircd-backdoor: Looks like trojaned
failed (use -d to debug) version of unrealircd. See
5432/tcp open postgresql syn-ack ttl 64 http://seclists.org/fulldisclosure/2010/Jun/277
| ssl-ccs-injection: 8009/tcp open ajp13 syn-ack ttl 64
| VULNERABLE: 8180/tcp open unknown syn-ack ttl 64
| SSL/TLS MITM vulnerability (CCS Injection) MAC Address: 00:0C:29:F0:83:22 (VMware)
| State: VULNERABLE
| Risk factor: High Host script results:
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, |_smb-vuln-ms10-054: false
and 1.0.1 before 1.0.1h |_smb-vuln-ms10-061: false
| does not properly restrict processing of
ChangeCipherSpec messages, Nmap done: 1 IP address (1 host up) scanned in
| which allows man-in-the-middle attackers to 334.90 seconds
trigger use of a zero
| length master key in certain OpenSSL-to-
OpenSSL communications, and
| consequently hijack sessions or obtain
sensitive information, via
| a crafted TLS handshake, aka the "CCS
Injection" vulnerability. root:~]# nmap -f --script all
| 192.168.27.129
| References:
| http://www.cvedetails.com/cve/2014-0224 Starting Nmap 7.31 ( https://nmap.org ) at 2017-02-
| https://cve.mitre.org/cgi- 07 19:15 COT
bin/cvename.cgi?name=CVE-2014-0224 Pre-scan script results:
|_ | broadcast-dhcp-discover:
http://www.openssl.org/news/secadv_20140605.txt | Response 1 of 1:
| ssl-dh-params: | IP Offered: 192.168.27.130
| VULNERABLE: | Server Identifier: 192.168.27.254
| Subnet Mask: 255.255.255.0 | IP: fe80::20c:29ff:fef0:8322 MAC:
| Router: 192.168.27.2 00:0c:29:f0:83:22 IFACE: eth0
| Domain Name Server: 192.168.27.2 |_ Use --script-args=newtargets to add the results
| Domain Name: localdomain as targets
| Broadcast Address: 192.168.27.255 | targets-ipv6-multicast-invalid-dst:
|_ NetBIOS Name Server: 192.168.27.2 | IP: fe80::20c:29ff:fef0:8322 MAC:
| broadcast-igmp-discovery: 00:0c:29:f0:83:22 IFACE: eth0
| 192.168.27.1 | IP: fe80::14f:1949:8f2d:5b58 MAC:
| Interface: eth0 00:50:56:c0:00:08 IFACE: eth0
| Version: 2 |_ Use --script-args=newtargets to add the results
| Group: 239.255.255.253 as targets
| Description: Organization-Local Scope | targets-ipv6-multicast-mld:
(rfc2365) | IP: fe80::14f:1949:8f2d:5b58 MAC:
|_ Use the newtargets script-arg to add the results 00:50:56:c0:00:08 IFACE: eth0
as targets | IP: fe80::20c:29ff:fef0:8322 MAC:
| broadcast-listener: 00:0c:29:f0:83:22 IFACE: eth0
| ether |
| EIGRP Hello |_ Use --script-args=newtargets to add the results
| as targets
| ARP Request | targets-ipv6-multicast-slaac:
| sender ip sender mac target ip | IP: fe80::14f:1949:8f2d:5b58 MAC:
| 192.168.27.2 00:50:56:ED:2A:E4 00:50:56:c0:00:08 IFACE: eth0
192.168.27.130 | IP: fe80::141a:c10a:3e6:d431 MAC:
| udp 00:50:56:c0:00:08 IFACE: eth0
| DHCP | IP: fe80::20c:29ff:fef0:8322 MAC:
| srv ip cli ip mask 00:0c:29:f0:83:22 IFACE: eth0
gw dns vendor |_ Use --script-args=newtargets to add the results
| 192.168.27.254 192.168.27.130 as targets
255.255.255.0 192.168.27.2 192.168.27.2 -
| Netbios
| Query
| ip query
| 192.168.27.1
| LLMNR
| ip query
| fe80::14f:1949:8f2d:5b58 wpad
| 192.168.27.1 wpad
| fe80::14f:1949:8f2d:5b58 EDu
|_ 192.168.27.1 EDu
| broadcast-netbios-master-browser:
|_ip server domain
| broadcast-ping:
| IP: 192.168.27.2 MAC: 00:50:56:ed:2a:e4
|_ Use --script-args=newtargets to add the results
as targets
| broadcast-wsdd-discover:
| Devices
| 239.255.255.250
| Message id: f46e18d1-0c4e-4972-bf1e-
045b80860115
| Address:
http://192.168.27.1:5357/db40509b-49c3-4f2d-a4ab-
ec9701096048/
|_ Type: Device pub:Computer
|_eap-info: please specify an interface with -e
| ipv6-multicast-mld-list:
| fe80::20c:29ff:fef0:8322:
| device: eth0
| mac: 00:0c:29:f0:83:22
| multicast_ips:
| ff02::1:fff0:8322 (NDP Solicited-
node)
| fe80::14f:1949:8f2d:5b58:
| device: eth0
| mac: 00:50:56:c0:00:08
| multicast_ips:
| ff02::1:ffe6:d431 (Solicited-Node
Address)
| ff02::1:3 (Link-local
Multicast Name Resolution)
| ff02::1:3 (Link-local
Multicast Name Resolution)
| ff02::1:ffe6:d431 (Solicited-Node
Address)
|_ ff02::1:3 (Link-local
Multicast Name Resolution)
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
| targets-ipv6-multicast-echo:
