nmap

  ___                        
 ( _ ) _ __ ___   __ _ _ __  
 / _ \| '_ ` _ \ / _` | '_ \ 
| (_) | | | | | | (_| | |_) |
 \___/|_| |_| |_|\__,_| .__/ 
                      |_|    
          adot8 <3

[+] Scanning 192.168.160.136 [65535 TCP ports]


[+] Enumerating 192.168.160.136 [22,25,80,389,443,5667]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 05:56 CDT
Nmap scan report for 192.168.160.136
Host is up (0.042s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA)
|   256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA)
|_  256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519)
25/tcp   open  smtp       Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-09-08T17:59:00
|_Not valid after:  2030-09-06T17:59:00
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Nagios XI
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-09-08T18:28:08
|_Not valid after:  2030-09-06T18:28:08
|_ssl-date: TLS randomness does not represent time
5667/tcp open  tcpwrapped
Service Info: Host:  ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.68 seconds

[+] Enumerating 192.168.160.136 for vulnerabilities [22,25,80,389,443,5667]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 05:57 CDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.160.136
Host is up (0.049s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 2048
|             Generator Length: 8
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.160.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.160.136:80/nagiosxi/login.php?redirect=/nagiosxi/index.php%3F&noauth=1
|     Form id: loginform
|     Form action: /nagiosxi/login.php
|     
|     Path: http://192.168.160.136:80/nagiosxi/login.php?redirect=/nagiosxi/index.php%3F&noauth=1
|     Form id: loginform
|     Form action: /nagiosxi/login.php
|     
|     Path: http://192.168.160.136:80/nagiosxi/login.php
|     Form id: loginform
|_    Form action: /nagiosxi/login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
389/tcp  open  ldap
443/tcp  open  https
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.160.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: https://192.168.160.136:443/nagiosxi/login.php?redirect=/nagiosxi/index.php%3F&noauth=1
|     Form id: loginform
|     Form action: /nagiosxi/login.php
|     
|     Path: https://192.168.160.136:443/nagiosxi/login.php?redirect=/nagiosxi/index.php%3F&noauth=1
|     Form id: loginform
|     Form action: /nagiosxi/login.php
|     
|     Path: https://192.168.160.136:443/nagiosxi/includes/js/views.js?1555548979
|     Form id: addview_form
|     Form action: "+ajax_helper_url+"
|     
|     Path: https://192.168.160.136:443/nagiosxi/includes/js/views.js?1555548979
|     Form id: editview_form
|     Form action: "+ajax_helper_url+"
|     
|     Path: https://192.168.160.136:443/nagiosxi/includes/js/views.js?1555548979
|     Form id: addview_form
|     Form action: "+ajax_helper_url+"
|     
|     Path: https://192.168.160.136:443/nagiosxi/includes/js/dashlets.js?1555548979
|     Form id: addtodashboard_form
|_    Form action: "+ajax_helper_url+"
| http-fileupload-exploiter: 
|   
|_    Couldn't find a file-type field.
5667/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 349.64 seconds

[+] Scanning 192.168.160.136 [1000 UDP ports]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-20 06:02 CDT
Initiating Ping Scan at 06:02
Scanning 192.168.160.136 [4 ports]
Completed Ping Scan at 06:02, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:02
Completed Parallel DNS resolution of 1 host. at 06:02, 0.01s elapsed
Initiating UDP Scan at 06:02
Scanning 192.168.160.136 [100 ports]
Increasing send delay for 192.168.160.136 from 0 to 50 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for 192.168.160.136 from 50 to 100 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 192.168.160.136 from 100 to 200 due to 11 out of 12 dropped probes since last increase.
Completed UDP Scan at 06:03, 36.32s elapsed (100 total ports)
Nmap scan report for 192.168.160.136
Host is up (0.067s latency).
Not shown: 61 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
69/udp    closed tftp
80/udp    closed http
111/udp   closed rpcbind
135/udp   closed msrpc
137/udp   closed netbios-ns
139/udp   closed netbios-ssn
161/udp   closed snmp
177/udp   closed xdmcp
427/udp   closed svrloc
443/udp   closed https
518/udp   closed ntalk
593/udp   closed http-rpc-epmap
626/udp   closed serialnumberd
1025/udp  closed blackjack
1026/udp  closed win-rpc
1027/udp  closed unknown
1029/udp  closed solid-mux
1434/udp  closed ms-sql-m
1701/udp  closed L2TP
1718/udp  closed h225gatedisc
1719/udp  closed h323gatestat
1812/udp  closed radius
1900/udp  closed upnp
2000/udp  closed cisco-sccp
4500/udp  closed nat-t-ike
9200/udp  closed wap-wsp
20031/udp closed bakbonenetvault
31337/udp closed BackOrifice
32768/udp closed omad
32771/udp closed sometimes-rpc6
49152/udp closed unknown
49154/udp closed unknown
49181/udp closed unknown
49182/udp closed unknown
49191/udp closed unknown
49193/udp closed unknown
49200/udp closed unknown
49201/udp closed unknown
65024/udp closed unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 36.58 seconds
           Raw packets sent: 655 (40.164KB) | Rcvd: 42 (3.685KB)

[+] Completed!
