Recon
$ nmap -p- --min-rate=1000 -Pn -v 192.168.165.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-16 16:39 CDT
Initiating Parallel DNS resolution of 1 host. at 16:39
Completed Parallel DNS resolution of 1 host. at 16:39, 0.02s elapsed
Initiating Connect Scan at 16:39
Scanning 192.168.165.61 [65535 ports]
Discovered open port 445/tcp on 192.168.165.61
Discovered open port 80/tcp on 192.168.165.61
Increasing send delay for 192.168.165.61 from 0 to 5 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 192.168.165.61 from 5 to 10 due to 25 out of 83 dropped probes since last increase.
Increasing send delay for 192.168.165.61 from 10 to 20 due to 16 out of 53 dropped probes since last increase.
Discovered open port 139/tcp on 192.168.165.61
Discovered open port 21/tcp on 192.168.165.61
Discovered open port 135/tcp on 192.168.165.61
Discovered open port 8081/tcp on 192.168.165.61
Discovered open port 49668/tcp on 192.168.165.61
Discovered open port 49669/tcp on 192.168.165.61
Connect Scan Timing: About 46.43% done; ETC: 16:41 (0:00:36 remaining)
Discovered open port 49664/tcp on 192.168.165.61
Discovered open port 49665/tcp on 192.168.165.61
Discovered open port 5040/tcp on 192.168.165.61
Discovered open port 49667/tcp on 192.168.165.61
Discovered open port 7680/tcp on 192.168.165.61
Discovered open port 49666/tcp on 192.168.165.61
Completed Connect Scan at 16:41, 65.77s elapsed (65535 total ports)
Nmap scan report for 192.168.165.61
Host is up (0.048s latency).
Not shown: 65521 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
7680/tcp open pando-pub
8081/tcp open blackice-icecap
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 65.90 seconds

$ nmap -sC -sV -T5 --script=vuln -Pn -p 21,80,135,445,5040,7680,8081,49664-49669 192.168.165.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-16 16:56 CDT
Stats: 0:07:14 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.93% done; ETC: 17:04 (0:00:00 remaining)
Nmap scan report for 192.168.165.61
Host is up (0.045s latency).
Scanned at 2024-08-16 16:57:08 CDT for 427s
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
| Disclosure date: 2005-10-nil
| Extra information:
| ../../../../../etc/passwd not found.
|
| References:
| http://www.exploit-db.com/exploits/1244/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Microsoft-IIS/10.0
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp closed pando-pub
8081/tcp open http Jetty 9.4.18.v20190429
| vulners:
| Jetty 9.4.18.v20190429:
|_ CVE-2024-22201 7.5 https://vulners.com/cve/CVE-2024-22201
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Nexus/3.21.0-05 (OSS)
| http-enum:
|_ /robots.txt: Robots file
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Final times for host: srtt: 44897 rttvar: 2894 to: 56473
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read from /usr/bin/../share/nmap: nmap-protocols nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 437.63 seconds