JTSEC1333

Anonymous JTSEC #OpSudan Full Recon #22

Feb 23rd, 2019
  1. #######################################################################################################################################
  2. =======================================================================================================================================
  3. Nom de l'hôte www.wgpolice.gov.sd FAI NICDC
  4. Continent Afrique Drapeau
  5. SD
  6. Pays Soudan Code du pays SD
  7. Région Inconnu Heure locale 23 Feb 2019 17:47 CAT
  8. Ville Inconnu Code Postal Inconnu
  9. Adresse IP 62.12.105.2 Latitude 15
  10. Longitude 30
  11. =======================================================================================================================================
  12. #######################################################################################################################################
  13. > www.wgpolice.gov.sd
  14. Server: 38.132.106.139
  15. Address: 38.132.106.139#53
  16.  
  17. Non-authoritative answer:
  18. Name: www.wgpolice.gov.sd
  19. Address: 62.12.105.2
  20. >
  21. #######################################################################################################################################
  22. HostIP:62.12.105.2
  23. HostName:www.wgpolice.gov.sd
  24.  
  25. Gathered Inet-whois information for 62.12.105.2
  26. ---------------------------------------------------------------------------------------------------------------------------------------
  27.  
  28.  
  29. inetnum: 62.12.96.0 - 62.12.127.255
  30. netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
  31. descr: IPv4 address block not managed by the RIPE NCC
  32. remarks: ------------------------------------------------------
  33. remarks:
  34. remarks: For registration information,
  35. remarks: you can consult the following sources:
  36. remarks:
  37. remarks: IANA
  38. remarks: http://www.iana.org/assignments/ipv4-address-space
  39. remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
  40. remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
  41. remarks:
  42. remarks: AFRINIC (Africa)
  43. remarks: http://www.afrinic.net/ whois.afrinic.net
  44. remarks:
  45. remarks: APNIC (Asia Pacific)
  46. remarks: http://www.apnic.net/ whois.apnic.net
  47. remarks:
  48. remarks: ARIN (Northern America)
  49. remarks: http://www.arin.net/ whois.arin.net
  50. remarks:
  51. remarks: LACNIC (Latin America and the Carribean)
  52. remarks: http://www.lacnic.net/ whois.lacnic.net
  53. remarks:
  54. remarks: ------------------------------------------------------
  55. country: EU # Country is really world wide
  56. admin-c: IANA1-RIPE
  57. tech-c: IANA1-RIPE
  58. status: ALLOCATED UNSPECIFIED
  59. mnt-by: RIPE-NCC-HM-MNT
  60. created: 2019-01-07T10:46:54Z
  61. last-modified: 2019-01-07T10:46:54Z
  62. source: RIPE
  63.  
  64. role: Internet Assigned Numbers Authority
  65. address: see http://www.iana.org.
  66. admin-c: IANA1-RIPE
  67. tech-c: IANA1-RIPE
  68. nic-hdl: IANA1-RIPE
  69. remarks: For more information on IANA services
  70. remarks: go to IANA web site at http://www.iana.org.
  71. mnt-by: RIPE-NCC-MNT
  72. created: 1970-01-01T00:00:00Z
  73. last-modified: 2001-09-22T09:31:27Z
  74. source: RIPE # Filtered
  75.  
  76. % This query was served by the RIPE Database Query Service version 1.92.6 (ANGUS)
  77.  
  78.  
  79.  
  80. Gathered Inic-whois information for wgpolice.gov.sd
  81. ---------------------------------------------------------------------------------------------------------------------------------------
  82. Error: Unable to connect - Invalid Host
  83. ERROR: Connection to InicWhois Server sd.whois-servers.net failed
  84. close error
  85.  
  86. Gathered Netcraft information for www.wgpolice.gov.sd
  87. ---------------------------------------------------------------------------------------------------------------------------------------
  88.  
  89. Retrieving Netcraft.com information for www.wgpolice.gov.sd
  90. Netcraft.com Information gathered
  91.  
  92. Gathered Subdomain information for wgpolice.gov.sd
  93. ---------------------------------------------------------------------------------------------------------------------------------------
  94. Searching Google.com:80...
  95. HostName:www.wgpolice.gov.sd
  96. HostIP:62.12.105.2
  97. Searching Altavista.com:80...
  98. Found 1 possible subdomain(s) for host wgpolice.gov.sd, Searched 0 pages containing 0 results
  99.  
  100. Gathered E-Mail information for wgpolice.gov.sd
  101. ---------------------------------------------------------------------------------------------------------------------------------------
  102. Searching Google.com:80...
  103. Searching Altavista.com:80...
  104. Found 0 E-Mail(s) for host wgpolice.gov.sd, Searched 0 pages containing 0 results
  105.  
  106. Gathered TCP Port information for 62.12.105.2
  107. ---------------------------------------------------------------------------------------------------------------------------------------
  108.  
  109. Port State
  110.  
  111. 21/tcp open
  112. 80/tcp open
  113. 110/tcp open
  114. 143/tcp open
  115.  
  116. Portscan Finished: Scanned 150 ports, 4 ports were in state closed
  117. #######################################################################################################################################
  118. [i] Scanning Site: http://www.wgpolice.gov.sd
  119.  
  120.  
  121.  
  122. B A S I C I N F O
  123. =======================================================================================================================================
  124.  
  125.  
  126. [+] Site Title: قسم شرطة الجريف غرب
  127. [+] IP address: 62.12.105.2
  128. [+] Web Server: Could Not Detect
  129. [+] CMS: Could Not Detect
  130. [+] Cloudflare: Not Detected
  131. [+] Robots File: Could NOT Find robots.txt!
  132.  
  133.  
  134.  
  135.  
  136.  
  137. G E O I P L O O K U P
  138. =======================================================================================================================================
  139.  
  140. [i] IP Address: 62.12.105.2
  141. [i] Country: Sudan
  142. [i] State:
  143. [i] City:
  144. [i] Latitude: 15.0
  145. [i] Longitude: 30.0
  146.  
  147.  
  148.  
  149.  
  150. H T T P H E A D E R S
  151. =======================================================================================================================================
  152.  
  153.  
  154. [i] HTTP/1.1 200 OK
  155. [i] Date: Sat, 23 Feb 2019 14:53:36 GMT
  156. [i] Content-Type: text/html
  157. [i] X-Powered-By: PHP/5.4.16
  158. [i] X-Powered-By: PleskLin
  159. [i] Connection: close
  160.  
  161.  
  162.  
  163.  
  164. D N S L O O K U P
  165. =======================================================================================================================================
  166.  
  167. wgpolice.gov.sd. 21599 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2016011408 10800 900 604800 86400
  168. wgpolice.gov.sd. 21599 IN NS ns1.ndc.gov.sd.
  169. wgpolice.gov.sd. 21599 IN NS ns0.ndc.gov.sd.
  170. wgpolice.gov.sd. 21599 IN A 62.12.105.2
  171. wgpolice.gov.sd. 21599 IN MX 10 mail.wgpolice.gov.sd.
  172. wgpolice.gov.sd. 21599 IN TXT "v=spf1 mx -all"
  173.  
  174.  
  175.  
  176.  
  177. S U B N E T C A L C U L A T I O N
  178. =======================================================================================================================================
  179.  
  180. Address = 62.12.105.2
  181. Network = 62.12.105.2 / 32
  182. Netmask = 255.255.255.255
  183. Broadcast = not needed on Point-to-Point links
  184. Wildcard Mask = 0.0.0.0
  185. Hosts Bits = 0
  186. Max. Hosts = 1 (2^0 - 0)
  187. Host Range = { 62.12.105.2 - 62.12.105.2 }
  188.  
  189.  
  190.  
  191. N M A P P O R T S C A N
  192. =======================================================================================================================================
  193.  
  194.  
  195. Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-23 15:51 UTC
  196. Nmap scan report for wgpolice.gov.sd (62.12.105.2)
  197. Host is up (0.22s latency).
  198. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
  199. PORT STATE SERVICE
  200. 21/tcp filtered ftp
  201. 22/tcp filtered ssh
  202. 23/tcp filtered telnet
  203. 80/tcp filtered http
  204. 110/tcp filtered pop3
  205. 143/tcp filtered imap
  206. 443/tcp filtered https
  207. 3389/tcp filtered ms-wbt-server
  208.  
  209. Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds
  210. #######################################################################################################################################
  211. [?] Enter the target: example( http://domain.com )
  212. http://www.wgpolice.gov.sd/
  213. [!] IP Address : 62.12.105.2
  214. [!] www.wgpolice.gov.sd doesn't seem to use a CMS
  215. [+] Honeypot Probabilty: 30%
  216. ---------------------------------------------------------------------------------------------------------------------------------------
  217. [~] Trying to gather whois information for www.wgpolice.gov.sd
  218. [+] Whois information found
  219. [-] Unable to build response, visit https://who.is/whois/www.wgpolice.gov.sd
  220. ---------------------------------------------------------------------------------------------------------------------------------------
  221. PORT STATE SERVICE
  222. 21/tcp filtered ftp
  223. 22/tcp filtered ssh
  224. 23/tcp filtered telnet
  225. 80/tcp filtered http
  226. 110/tcp filtered pop3
  227. 143/tcp filtered imap
  228. 443/tcp filtered https
  229. 3389/tcp filtered ms-wbt-server
  230. Nmap done: 1 IP address (1 host up) scanned in 14.58 seconds
  231. ---------------------------------------------------------------------------------------------------------------------------------------
  232. There was an error getting results
  233.  
  234. [-] DNS Records
  235. [>] Initiating 3 intel modules
  236. [>] Loading Alpha module (1/3)
  237. [>] Beta module deployed (2/3)
  238. [>] Gamma module initiated (3/3)
  239.  
  240.  
  241. [+] Emails found:
  242. ---------------------------------------------------------------------------------------------------------------------------------------
  243. pixel-1550937110383214-web-@www.wgpolice.gov.sd
  244. pixel-1550937110962137-web-@www.wgpolice.gov.sd
  245. No hosts found
  246. [+] Virtual hosts:
  247. ---------------------------------------------------------------------------------------------------------------------------------------
  248. #######################################################################################################################################
  249. Enter Address Website = wgpolice.gov.sd
  250.  
  251. Reverse IP With YouGetSignal 'wgpolice.gov.sd'
  252. ---------------------------------------------------------------------------------------------------------------------------------------
  253.  
  254. [*] IP: 62.12.105.2
  255. [*] Domain: wgpolice.gov.sd
  256. [*] Total Domains: 8
  257.  
  258. [+] agricmi.gov.sd
  259. [+] eastgezira.gov.sd
  260. [+] mocit.gov.sd
  261. [+] rnspolice.gov.sd
  262. [+] sudan.gov.sd
  263. [+] unionkhr.sd
  264. [+] wgpolice.gov.sd
  265. [+] www.sudan.gov.sd
  266. #######################################################################################################################################
  267.  
  268. Geo IP Lookup 'wgpolice.gov.sd'
  269. ---------------------------------------------------------------------------------------------------------------------------------------
  270.  
  271. [+] IP Address: 62.12.105.2
  272. [+] Country: Sudan
  273. [+] State:
  274. [+] City:
  275. [+] Latitude: 15.0
  276. [+] Longitude: 30.0
  277. #######################################################################################################################################
  278.  
  279. Bypass Cloudflare 'wgpolice.gov.sd'
  280. ---------------------------------------------------------------------------------------------------------------------------------------
  281.  
  282. [!] CloudFlare Bypass 197.254.200.161 | webmail.wgpolice.gov.sd
  283. [!] CloudFlare Bypass 197.254.200.161 | mail.wgpolice.gov.sd
  284. [!] CloudFlare Bypass 62.12.105.2 | www.wgpolice.gov.sd
  285. #######################################################################################################################################
  286.  
  287. DNS Lookup 'wgpolice.gov.sd'
  288. ---------------------------------------------------------------------------------------------------------------------------------------
  289.  
  290. [+] wgpolice.gov.sd. 21599 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2016011408 10800 900 604800 86400
  291. [+] wgpolice.gov.sd. 21599 IN NS ns1.ndc.gov.sd.
  292. [+] wgpolice.gov.sd. 21599 IN NS ns0.ndc.gov.sd.
  293. [+] wgpolice.gov.sd. 21599 IN A 62.12.105.2
  294. [+] wgpolice.gov.sd. 21599 IN MX 10 mail.wgpolice.gov.sd.
  295. [+] wgpolice.gov.sd. 21599 IN TXT "v=spf1 mx -all"
  296. #######################################################################################################################################
  297.  
  298. Show HTTP Header 'wgpolice.gov.sd'
  299. --------------------------------------------------------------------------------------------------------------------------------------
  300.  
  301. [+] HTTP/1.1 301 Moved Permanently
  302. [+] Server: nginx
  303. [+] Date: Sat, 23 Feb 2019 14:53:33 GMT
  304. [+] Content-Type: text/html
  305. [+] Content-Length: 178
  306. [+] Connection: keep-alive
  307. [+] Location: http://www.wgpolice.gov.sd/
  308. [+] X-Powered-By: PleskLin
  309. #######################################################################################################################################
  310.  
  311. Port Scan 'wgpolice.gov.sd'
  312. ---------------------------------------------------------------------------------------------------------------------------------------
  313.  
  314. Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-23 15:51 UTC
  315. Nmap scan report for wgpolice.gov.sd (62.12.105.2)
  316. Host is up (0.22s latency).
  317. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
  318. PORT STATE SERVICE
  319. 21/tcp filtered ftp
  320. 22/tcp filtered ssh
  321. 23/tcp filtered telnet
  322. 80/tcp filtered http
  323. 110/tcp filtered pop3
  324. 143/tcp filtered imap
  325. 443/tcp filtered https
  326. 3389/tcp filtered ms-wbt-server
  327.  
  328. Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
  329. #######################################################################################################################################
  330.  
  331. Traceroute 'wgpolice.gov.sd'
  332. ---------------------------------------------------------------------------------------------------------------------------------------
  333.  
  334. Start: 2019-02-23T15:51:50+0000
  335. HOST: web01 Loss% Snt Last Avg Best Wrst StDev
  336. 1.|-- 45.79.12.201 0.0% 3 0.9 0.9 0.7 1.1 0.2
  337. 2.|-- 45.79.12.0 0.0% 3 1.1 1.5 0.9 2.4 0.8
  338. 3.|-- hu0-7-0-7.ccr41.dfw03.atlas.cogentco.com 0.0% 3 1.8 1.6 1.5 1.8 0.1
  339. 4.|-- be2764.ccr32.dfw01.atlas.cogentco.com 0.0% 3 1.6 1.7 1.6 1.9 0.2
  340. 5.|-- be2443.ccr42.iah01.atlas.cogentco.com 0.0% 3 6.7 7.1 6.7 7.5 0.4
  341. 6.|-- be2690.ccr42.atl01.atlas.cogentco.com 0.0% 3 20.9 21.0 20.9 21.2 0.2
  342. 7.|-- be2113.ccr42.dca01.atlas.cogentco.com 0.0% 3 31.8 32.1 31.8 32.6 0.5
  343. 8.|-- be2807.ccr42.jfk02.atlas.cogentco.com 0.0% 3 38.0 38.1 37.9 38.6 0.4
  344. 9.|-- be2490.ccr42.lon13.atlas.cogentco.com 0.0% 3 109.2 109.0 108.8 109.2 0.2
  345. 10.|-- be2871.ccr21.lon01.atlas.cogentco.com 0.0% 3 110.2 109.9 109.6 110.2 0.3
  346. 11.|-- expressotelecom.demarc.cogentco.com 0.0% 3 108.9 108.8 108.6 108.9 0.2
  347. 12.|-- 185.153.20.70 0.0% 3 188.2 188.3 188.2 188.4 0.1
  348. 13.|-- 185.153.20.82 0.0% 3 189.4 189.5 189.4 189.6 0.1
  349. 14.|-- 185.153.20.94 0.0% 3 188.1 188.2 188.1 188.4 0.2
  350. 15.|-- 185.153.20.153 0.0% 3 218.8 217.2 214.7 218.8 2.1
  351. 16.|-- 212.0.131.109 0.0% 3 219.7 220.2 219.7 220.9 0.6
  352. 17.|-- 196.202.137.249 0.0% 3 231.5 230.4 229.2 231.5 1.2
  353. 18.|-- 196.202.145.94 0.0% 3 227.5 227.2 226.8 227.5 0.4
  354. 19.|-- ??? 100.0 3 0.0 0.0 0.0 0.0 0.0
  355. #######################################################################################################################################
  356.  
  357. Ping 'wgpolice.gov.sd'
  358. --------------------------------------------------------------------------------------------------------------------------------------
  359.  
  360. Starting Nping 0.7.70 ( https://nmap.org/nping ) at 2019-02-23 15:52 UTC
  361. SENT (0.6204s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=63878 seq=1] IP [ttl=64 id=15081 iplen=28 ]
  362. SENT (1.6207s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=63878 seq=2] IP [ttl=64 id=15081 iplen=28 ]
  363. SENT (2.6220s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=63878 seq=3] IP [ttl=64 id=15081 iplen=28 ]
  364. SENT (3.6235s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=63878 seq=4] IP [ttl=64 id=15081 iplen=28 ]
  365.  
  366. Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
  367. Raw packets sent: 4 (112B) | Rcvd: 0 (0B) | Lost: 4 (100.00%)
  368. Nping done: 1 IP address pinged in 4.63 seconds
  369. #######################################################################################################################################
  370. ; <<>> DiG 9.11.5-P1-2-Debian <<>> wgpolice.gov.sd
  371. ;; global options: +cmd
  372. ;; Got answer:
  373. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12262
  374. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  375.  
  376. ;; OPT PSEUDOSECTION:
  377. ; EDNS: version: 0, flags:; udp: 4096
  378. ;; QUESTION SECTION:
  379. ;wgpolice.gov.sd. IN A
  380.  
  381. ;; ANSWER SECTION:
  382. wgpolice.gov.sd. 84676 IN A 62.12.105.2
  383.  
  384. ;; Query time: 32 msec
  385. ;; SERVER: 38.132.106.139#53(38.132.106.139)
  386. ;; WHEN: sam fév 23 11:14:20 EST 2019
  387. ;; MSG SIZE rcvd: 60
  388. #######################################################################################################################################
  389. ; <<>> DiG 9.11.5-P1-2-Debian <<>> +trace wgpolice.gov.sd
  390. ;; global options: +cmd
  391. . 83398 IN NS h.root-servers.net.
  392. . 83398 IN NS b.root-servers.net.
  393. . 83398 IN NS i.root-servers.net.
  394. . 83398 IN NS a.root-servers.net.
  395. . 83398 IN NS e.root-servers.net.
  396. . 83398 IN NS m.root-servers.net.
  397. . 83398 IN NS l.root-servers.net.
  398. . 83398 IN NS c.root-servers.net.
  399. . 83398 IN NS d.root-servers.net.
  400. . 83398 IN NS f.root-servers.net.
  401. . 83398 IN NS j.root-servers.net.
  402. . 83398 IN NS g.root-servers.net.
  403. . 83398 IN NS k.root-servers.net.
  404. . 83398 IN RRSIG NS 8 0 518400 20190308050000 20190223040000 16749 . JQeMGgmm0+LV3FW5wHpe975hhAP4/zE9iLeXH/YcrsuZAgpk5gTYdZ6e SR/JC5tJOOsU9CPqO2WhNf5bcjAbYmkt/sioFOR3xQpjvHIfBGqRiWBZ YaBGcAylp8JxqK5Y+CzZAaCKq8hRAmD0YSTL8Yd6/6RQEitkLQ2u+38R qK4T+kfuCd62q7eC34/+q14Ckrh4kIO4A2H/VkfQcwBbknyQtfyiJmMM jDlaujc2oHONbfbbKTaG77i3mNBxRkuaFx6vJ/UQjstxtK4k/pS0jUK3 MO7TPYRWP9LG3VCHyQLUVLMWE/Fe3l2LxyfoQ5BXSrolsnkTfvDQgVI6 h1d8XA==
  405. ;; Received 525 bytes from 38.132.106.139#53(38.132.106.139) in 37 ms
  406.  
  407. sd. 172800 IN NS ans2.canar.sd.
  408. sd. 172800 IN NS ns-sd.afrinic.net.
  409. sd. 172800 IN NS ns2.uaenic.ae.
  410. sd. 172800 IN NS ns1.uaenic.ae.
  411. sd. 172800 IN NS ans1.canar.sd.
  412. sd. 172800 IN NS ans1.sis.sd.
  413. sd. 172800 IN NS sd.cctld.authdns.ripe.net.
  414. sd. 86400 IN NSEC se. NS RRSIG NSEC
  415. sd. 86400 IN RRSIG NSEC 8 1 86400 20190308050000 20190223040000 16749 . Otzo1k4hYXEQuqSyxCH0ju6ESXmE8lnmmfbQGZbhRD2LfB1sfKpftrPP S/fOpZB8EIaR+RYL7JUPpEG01aaKeoPTbLdzHx5/wIEFTl82+WXJ+10H DAxS8V0z+AtmJZQZyuCJyBFohx7CH1AB/vDYExd0iuq5U5ACXS/RpsgI TLt3OjPxvsuQzS3JI/T19nW17HQ1WE45EJRFmI3pv44wy2dpnzkyn67d Yq9ov/Ng+RoyKXl1O0LD48h1EGv5SWV93q8l4JMHV74GwkRRjPs3hJfo jWPcn1UWTG8lbeLKuWsgahFwK7/3JdlJUUFuWCEzwt+2fF5NqwRoXgVA Ed+mNw==
  416. ;; Received 702 bytes from 2001:dc3::35#53(m.root-servers.net) in 86 ms
  417.  
  418. wgpolice.gov.sd. 14400 IN NS ns0.ndc.gov.sd.
  419. wgpolice.gov.sd. 14400 IN NS ns1.ndc.gov.sd.
  420. ;; Received 116 bytes from 2001:67c:e0::109#53(sd.cctld.authdns.ripe.net) in 106 ms
  421.  
  422. wgpolice.gov.sd. 86400 IN A 62.12.105.2
  423. wgpolice.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
  424. wgpolice.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
  425. ;; Received 132 bytes from 62.12.109.3#53(ns1.ndc.gov.sd) in 214 ms
  426. ######################################################################################################################################
  427. [*] Performing General Enumeration of Domain: wgpolice.gov.sd
  428. [-] DNSSEC is not configured for wgpolice.gov.sd
  429. [*] SOA ns0.ndc.gov.sd 62.12.109.2
  430. [*] NS ns0.ndc.gov.sd 62.12.109.2
  431. [*] Bind Version for 62.12.109.2 you guess!
  432. [*] NS ns1.ndc.gov.sd 62.12.109.3
  433. [*] Bind Version for 62.12.109.3 you guess!
  434. [*] MX mail.wgpolice.gov.sd 197.254.200.161
  435. [*] A wgpolice.gov.sd 62.12.105.2
  436. [*] TXT wgpolice.gov.sd v=spf1 mx -all
  437. [*] Enumerating SRV Records
  438. [-] No SRV Records Found for wgpolice.gov.sd
  439. [+] 0 Records Found
  440. #######################################################################################################################################
  441. [*] Processing domain wgpolice.gov.sd
  442. [*] Using system resolvers ['38.132.106.139', '194.187.251.67', '185.93.180.131', '2001:18c0:ffe0:2::2', '2001:18c0:ffe0:3::2', '2001:18c0:ffe0:1::2', '205.151.67.6', '205.151.67.34', '205.151.67.2']
  443. [+] Getting nameservers
  444. 62.12.109.2 - ns0.ndc.gov.sd
  445. [+] Zone transfer sucessful using nameserver ns0.ndc.gov.sd
  446. wgpolice.gov.sd. 86400 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2016011408 10800 900 604800 86400
  447. wgpolice.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
  448. wgpolice.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
  449. wgpolice.gov.sd. 86400 IN A 62.12.105.2
  450. wgpolice.gov.sd. 86400 IN MX 10 mail.wgpolice.gov.sd.
  451. wgpolice.gov.sd. 86400 IN TXT "v=spf1 mx -all"
  452. mail.wgpolice.gov.sd. 86400 IN A 197.254.200.161
  453. mail.wgpolice.gov.sd. 86400 IN MX 10 mail.wgpolice.gov.sd.
  454. webmail.wgpolice.gov.sd. 86400 IN CNAME mail.wgpolice.gov.sd.
  455. www.wgpolice.gov.sd. 86400 IN A 62.12.105.2
  456. #######################################################################################################################################
  457. =======================================================================================================================================
  458. | External hosts:
  459. | [+] External Host Found: http://httpd.apache.org
  460. =======================================================================================================================================
  461. | E-mails:
  462. | [+] E-mail Found: kevinh@kevcom.com
  463. | [+] E-mail Found: mike@hyperreal.org
  464. | [+] E-mail Found: humbedooh@apache.org
  465. =======================================================================================================================================
  466. ######################################################################################################################################
  467. dnsenum VERSION:1.2.4
  468.  
  469. ----- www.wgpolice.gov.sd -----
  470.  
  471.  
  472. Host's addresses:
  473. __________________
  474.  
  475. www.wgpolice.gov.sd. 85075 IN A 62.12.105.2
  476.  
  477.  
  478. Name Servers:
  479. ______________
  480. #######################################################################################################################################
  481. ===============================================
  482. -=Subfinder v1.1.3 github.com/subfinder/subfinder
  483. ===============================================
  484.  
  485.  
  486. Running Source: Ask
  487. Running Source: Archive.is
  488. Running Source: Baidu
  489. Running Source: Bing
  490. Running Source: CertDB
  491. Running Source: CertificateTransparency
  492. Running Source: Certspotter
  493. Running Source: Commoncrawl
  494. Running Source: Crt.sh
  495. Running Source: Dnsdb
  496. Running Source: DNSDumpster
  497. Running Source: DNSTable
  498. Running Source: Dogpile
  499. Running Source: Exalead
  500. Running Source: Findsubdomains
  501. Running Source: Googleter
  502. Running Source: Hackertarget
  503. Running Source: Ipv4Info
  504. Running Source: PTRArchive
  505. Running Source: Sitedossier
  506. Running Source: Threatcrowd
  507. Running Source: ThreatMiner
  508. Running Source: WaybackArchive
  509. Running Source: Yahoo
  510.  
  511. Running enumeration on www.wgpolice.gov.sd
  512.  
  513. dnsdb: Unexpected return status 503
  514.  
  515. ipv4info: <nil>
  516.  
  517.  
  518. Starting Bruteforcing of www.wgpolice.gov.sd with 9985 words
  519.  
  520. Total 1 Unique subdomains found for www.wgpolice.gov.sd
  521.  
  522. .www.wgpolice.gov.sd
  523. #######################################################################################################################################
  524. [+] www.wgpolice.gov.sd has no SPF record!
  525. [*] No DMARC record found. Looking for organizational record
  526. [+] No organizational DMARC record
  527. [+] Spoofing possible for www.wgpolice.gov.sd!
  528. #######################################################################################################################################
  529. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:13 EST
  530. Nmap scan report for www.wgpolice.gov.sd (62.12.105.2)
  531. Host is up (0.18s latency).
  532. Not shown: 464 filtered ports, 4 closed ports
  533. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
  534. PORT STATE SERVICE
  535. 21/tcp open ftp
  536. 80/tcp open http
  537. 110/tcp open pop3
  538. 143/tcp open imap
  539. 443/tcp open https
  540. 993/tcp open imaps
  541. 995/tcp open pop3s
  542. 8443/tcp open https-alt
  543. #######################################################################################################################################
  544. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:14 EST
  545. Nmap scan report for www.wgpolice.gov.sd (62.12.105.2)
  546. Host is up (0.025s latency).
  547. Not shown: 2 filtered ports
  548. PORT STATE SERVICE
  549. 53/udp open|filtered domain
  550. 67/udp open|filtered dhcps
  551. 68/udp open|filtered dhcpc
  552. 69/udp open|filtered tftp
  553. 88/udp open|filtered kerberos-sec
  554. 123/udp open|filtered ntp
  555. 139/udp open|filtered netbios-ssn
  556. 161/udp open|filtered snmp
  557. 162/udp open|filtered snmptrap
  558. 389/udp open|filtered ldap
  559. 520/udp open|filtered route
  560. 2049/udp open|filtered nfs
  561. #######################################################################################################################################
  562. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:14 EST
  563. Nmap scan report for www.wgpolice.gov.sd (62.12.105.2)
  564. Host is up (0.20s latency).
  565.  
  566. PORT STATE SERVICE VERSION
  567. 21/tcp open tcpwrapped
  568. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  569. Device type: specialized|WAP|general purpose|router
  570. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
  571. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
  572. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
  573. Network Distance: 20 hops
  574.  
  575. TRACEROUTE (using port 21/tcp)
  576. HOP RTT ADDRESS
  577. 1 22.17 ms 10.242.200.1
  578. 2 22.94 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  579. 3 23.80 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  580. 4 22.57 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  581. 5 22.95 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  582. 6 23.00 ms 154.54.25.126
  583. 7 92.43 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
  584. 8 98.43 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  585. 9 99.61 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  586. 10 99.68 ms be2868.ccr21.lon01.atlas.cogentco.com (154.54.57.154)
  587. 11 98.68 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  588. 12 177.53 ms 185.153.20.70
  589. 13 177.55 ms 185.153.20.82
  590. 14 177.26 ms 185.153.20.94
  591. 15 180.29 ms 185.153.20.153
  592. 16 ... 17
  593. 18 198.74 ms 196.202.145.94
  594. 19 ...
  595. 20 199.71 ms f03-web02.nic.gov.sd (62.12.105.2)
  596. #######################################################################################################################################
  597. wig - WebApp Information Gatherer
  598.  
  599.  
  600. Scanning http://www.wgpolice.gov.sd...
  601. _________________________________________ SITE INFO __________________________________________
  602. IP Title
  603. 62.12.105.2 قسم شرطة الجريف غرب
  604.  
  605. __________________________________________ VERSION ___________________________________________
  606. Name Versions Type
  607. Apache 2.4.10 | 2.4.11 | 2.4.12 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 Platform
  608. 2.4.9
  609. nginx Platform
  610.  
  611. ______________________________________________________________________________________________
  612. Time: 439.4 sec Urls: 837 Fingerprints: 40401
  613. #######################################################################################################################################
  614. HTTP/1.1 200 OK
  615. Server: nginx
  616. Date: Sat, 23 Feb 2019 15:35:51 GMT
  617. Content-Type: text/html
  618. Connection: keep-alive
  619. X-Powered-By: PHP/5.4.16
  620. X-Powered-By: PleskLin
  621.  
  622. HTTP/1.1 200 OK
  623. Server: nginx
  624. Date: Sat, 23 Feb 2019 15:35:52 GMT
  625. Content-Type: text/html
  626. Connection: keep-alive
  627. X-Powered-By: PHP/5.4.16
  628. X-Powered-By: PleskLin
  629. #######################################################################################################################################
  630. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:34 EST
  631. Nmap scan report for www.wgpolice.gov.sd (62.12.105.2)
  632. Host is up (0.20s latency).
  633.  
  634. PORT STATE SERVICE VERSION
  635. 110/tcp open pop3 Dovecot pop3d
  636. | pop3-brute:
  637. | Accounts: No valid accounts found
  638. |_ Statistics: Performed 220 guesses in 197 seconds, average tps: 1.1
  639. |_pop3-capabilities: TOP APOP PIPELINING UIDL STLS AUTH-RESP-CODE USER SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) CAPA RESP-CODES
  640. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  641. Device type: specialized|WAP|general purpose|router
  642. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
  643. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
  644. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
  645. Network Distance: 20 hops
  646. Service Info: Host: fo3-web02.nic.gov.sd
  647.  
  648. TRACEROUTE (using port 443/tcp)
  649. HOP RTT ADDRESS
  650. 1 25.54 ms 10.242.200.1
  651. 2 50.19 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  652. 3 28.19 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  653. 4 25.62 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  654. 5 26.22 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  655. 6 26.03 ms 154.54.25.126
  656. 7 95.01 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
  657. 8 101.27 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  658. 9 102.25 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  659. 10 102.61 ms be2868.ccr21.lon01.atlas.cogentco.com (154.54.57.154)
  660. 11 101.18 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  661. 12 179.58 ms 185.153.20.70
  662. 13 179.40 ms 185.153.20.82
  663. 14 179.34 ms 185.153.20.94
  664. 15 182.13 ms 185.153.20.153
  665. 16 ... 17
  666. 18 197.03 ms 196.202.145.94
  667. 19 ...
  668. 20 199.35 ms f03-web02.nic.gov.sd (62.12.105.2)
  669. #######################################################################################################################################
  670. Version: 1.11.12-static
  671. OpenSSL 1.0.2-chacha (1.0.2g-dev)
  672.  
  673. Connected to 62.12.105.2
  674.  
  675. Testing SSL server www.wgpolice.gov.sd on port 443 using SNI name www.wgpolice.gov.sd
  676.  
  677. TLS Fallback SCSV:
  678. Server supports TLS Fallback SCSV
  679.  
  680. TLS renegotiation:
  681. Secure session renegotiation supported
  682.  
  683. TLS Compression:
  684. Compression disabled
  685.  
  686. Heartbleed:
  687. TLS 1.2 not vulnerable to heartbleed
  688. TLS 1.1 not vulnerable to heartbleed
  689. TLS 1.0 not vulnerable to heartbleed
  690.  
  691. Supported Server Cipher(s):
  692. Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
  693. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
  694. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  695. Accepted TLSv1.2 256 bits AES256-GCM-SHA384
  696. Accepted TLSv1.2 256 bits AES256-SHA256
  697. Accepted TLSv1.2 256 bits AES256-SHA
  698. Accepted TLSv1.2 256 bits CAMELLIA256-SHA
  699. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
  700. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
  701. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  702. Accepted TLSv1.2 128 bits AES128-GCM-SHA256
  703. Accepted TLSv1.2 128 bits AES128-SHA256
  704. Accepted TLSv1.2 128 bits AES128-SHA
  705. Accepted TLSv1.2 128 bits CAMELLIA128-SHA
  706. Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  707. Accepted TLSv1.1 256 bits AES256-SHA
  708. Accepted TLSv1.1 256 bits CAMELLIA256-SHA
  709. Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  710. Accepted TLSv1.1 128 bits AES128-SHA
  711. Accepted TLSv1.1 128 bits CAMELLIA128-SHA
  712. Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  713. Accepted TLSv1.0 256 bits AES256-SHA
  714. Accepted TLSv1.0 256 bits CAMELLIA256-SHA
  715. Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  716. Accepted TLSv1.0 128 bits AES128-SHA
  717. Accepted TLSv1.0 128 bits CAMELLIA128-SHA
  718.  
  719. SSL Certificate:
  720. Signature Algorithm: sha256WithRSAEncryption
  721. RSA Key Strength: 2048
  722.  
  723. Subject: Plesk
  724. Issuer: Plesk
  725.  
  726. Not valid before: Apr 20 02:40:27 2016 GMT
  727. Not valid after: Apr 20 02:40:27 2017 GMT
  728. #######################################################################################################################################
  729. --------------------------------------------------------
  730. <<<Yasuo discovered following vulnerable applications>>>
  731. --------------------------------------------------------
  732. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  733. | App Name | URL to Application | Potential Exploit | Username | Password |
  734. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  735. | phpMyAdmin | https://62.12.105.2:8443/phpmyadmin/ | ./exploits/multi/http/phpmyadmin_preg_replace.rb | None | None |
  736. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  737. #######################################################################################################################################
  738. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:31 EST
  739. Nmap scan report for 62.12.105.2
  740. Host is up (0.17s latency).
  741. Not shown: 464 filtered ports, 4 closed ports
  742. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
  743. PORT STATE SERVICE
  744. 21/tcp open ftp
  745. 80/tcp open http
  746. 110/tcp open pop3
  747. 143/tcp open imap
  748. 443/tcp open https
  749. 993/tcp open imaps
  750. 995/tcp open pop3s
  751. 8443/tcp open https-alt
  752. #######################################################################################################################################
  753. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:31 EST
  754. Nmap scan report for 62.12.105.2
  755. Host is up (0.023s latency).
  756. Not shown: 2 filtered ports
  757. PORT STATE SERVICE
  758. 53/udp open|filtered domain
  759. 67/udp open|filtered dhcps
  760. 68/udp open|filtered dhcpc
  761. 69/udp open|filtered tftp
  762. 88/udp open|filtered kerberos-sec
  763. 123/udp open|filtered ntp
  764. 139/udp open|filtered netbios-ssn
  765. 161/udp open|filtered snmp
  766. 162/udp open|filtered snmptrap
  767. 389/udp open|filtered ldap
  768. 520/udp open|filtered route
  769. 2049/udp open|filtered nfs
  770. #######################################################################################################################################
  771. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:32 EST
  772. Nmap scan report for 62.12.105.2
  773. Host is up (0.20s latency).
  774.  
  775. PORT STATE SERVICE VERSION
  776. 21/tcp open tcpwrapped
  777. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  778. Device type: specialized|WAP|general purpose|router
  779. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
  780. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
  781. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
  782. Network Distance: 20 hops
  783.  
  784. TRACEROUTE (using port 21/tcp)
  785. HOP RTT ADDRESS
  786. 1 24.07 ms 10.242.200.1
  787. 2 24.53 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  788. 3 30.86 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  789. 4 25.05 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  790. 5 24.60 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  791. 6 25.04 ms hu0-4-0-1.ccr21.ymq01.atlas.cogentco.com (154.54.25.126)
  792. 7 94.32 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
  793. 8 100.14 ms 154.54.39.149
  794. 9 101.21 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  795. 10 101.24 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  796. 11 99.86 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  797. 12 178.65 ms 185.153.20.70
  798. 13 178.65 ms 185.153.20.82
  799. 14 178.57 ms 185.153.20.94
  800. 15 181.37 ms 185.153.20.153
  801. 16 ... 17
  802. 18 198.59 ms 196.202.145.94
  803. 19 ...
  804. 20 206.36 ms f03-web02.nic.gov.sd (62.12.105.2)
  805. #######################################################################################################################################
  806. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:43 EST
  807. Nmap scan report for 62.12.105.2
  808. Host is up.
  809.  
  810. PORT STATE SERVICE VERSION
  811. 67/udp open|filtered dhcps
  812. |_dhcp-discover: ERROR: Script execution failed (use -d to debug)
  813. Too many fingerprints match this host to give specific OS details
  814.  
  815. TRACEROUTE (using proto 1/icmp)
  816. HOP RTT ADDRESS
  817. 1 23.08 ms 10.242.200.1
  818. 2 23.14 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  819. 3 39.16 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  820. 4 23.14 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  821. 5 23.20 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  822. 6 23.19 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  823. 7 92.74 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  824. 8 98.57 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  825. 9 99.56 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  826. 10 99.66 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  827. 11 98.60 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  828. 12 177.25 ms 185.153.20.70
  829. 13 177.22 ms 185.153.20.82
  830. 14 177.18 ms 185.153.20.94
  831. 15 179.63 ms 185.153.20.153
  832. 16 211.28 ms 212.0.131.109
  833. 17 195.31 ms 196.202.137.249
  834. 18 198.40 ms 196.202.145.94
  835. 19 ... 30
  836. #######################################################################################################################################
  837. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:45 EST
  838. Nmap scan report for 62.12.105.2
  839. Host is up.
  840.  
  841. PORT STATE SERVICE VERSION
  842. 68/udp open|filtered dhcpc
  843. Too many fingerprints match this host to give specific OS details
  844.  
  845. TRACEROUTE (using proto 1/icmp)
  846. HOP RTT ADDRESS
  847. 1 27.15 ms 10.242.200.1
  848. 2 27.72 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  849. 3 41.93 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  850. 4 22.54 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  851. 5 22.96 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  852. 6 23.36 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  853. 7 92.19 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  854. 8 98.39 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  855. 9 99.38 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  856. 10 99.41 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  857. 11 99.74 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  858. 12 178.16 ms 185.153.20.70
  859. 13 178.16 ms 185.153.20.82
  860. 14 178.09 ms 185.153.20.94
  861. 15 181.08 ms 185.153.20.153
  862. 16 211.63 ms 212.0.131.109
  863. 17 193.27 ms 196.202.137.249
  864. 18 197.39 ms 196.202.145.94
  865. 19 ... 30
  866. #######################################################################################################################################
  867. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:48 EST
  868. Nmap scan report for 62.12.105.2
  869. Host is up.
  870.  
  871. PORT STATE SERVICE VERSION
  872. 69/udp open|filtered tftp
  873. Too many fingerprints match this host to give specific OS details
  874.  
  875. TRACEROUTE (using proto 1/icmp)
  876. HOP RTT ADDRESS
  877. 1 22.70 ms 10.242.200.1
  878. 2 23.07 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  879. 3 39.93 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  880. 4 23.05 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  881. 5 23.48 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  882. 6 23.08 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  883. 7 92.65 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  884. 8 98.60 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  885. 9 99.53 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  886. 10 99.95 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  887. 11 99.04 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  888. 12 177.70 ms 185.153.20.70
  889. 13 177.71 ms 185.153.20.82
  890. 14 177.66 ms 185.153.20.94
  891. 15 180.43 ms 185.153.20.153
  892. 16 213.80 ms 212.0.131.109
  893. 17 196.87 ms 196.202.137.249
  894. 18 201.24 ms 196.202.145.94
  895. 19 ... 30
  896. #######################################################################################################################################
  897.  
  898. wig - WebApp Information Gatherer
  899.  
  900.  
  901. Scanning http://62.12.105.2...
  902. ________________________________________ SITE INFO _________________________________________
  903. IP Title
  904. 62.12.105.2 Domain Default page
  905.  
  906. _________________________________________ VERSION __________________________________________
  907. Name Versions Type
  908. Apache 2.4.10 | 2.4.11 | 2.4.12 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 Platform
  909. 2.4.9
  910. nginx Platform
  911.  
  912. ____________________________________________________________________________________________
  913. Time: 0.9 sec Urls: 811 Fingerprints: 40401
  914. #######################################################################################################################################
  915. HTTP/1.1 200 OK
  916. Server: nginx
  917. Date: Sat, 23 Feb 2019 15:53:28 GMT
  918. Content-Type: text/html
  919. Content-Length: 3750
  920. Connection: keep-alive
  921. Last-Modified: Wed, 07 Feb 2018 11:25:44 GMT
  922. ETag: "ea6-5649d8e57844b"
  923. Accept-Ranges: bytes
  934. #######################################################################################################################################
  935. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:51 EST
  936. Nmap scan report for 62.12.105.2
  937. Host is up (0.21s latency).
  938.  
  939. PORT STATE SERVICE VERSION
  940. 110/tcp open pop3 Dovecot pop3d
  941. | pop3-brute:
  942. | Accounts: No valid accounts found
  943. |_ Statistics: Performed 218 guesses in 197 seconds, average tps: 1.1
  944. |_pop3-capabilities: AUTH-RESP-CODE RESP-CODES SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) APOP PIPELINING UIDL TOP STLS CAPA USER
  945. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  946. Device type: specialized|WAP|general purpose|router
  947. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
  948. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
  949. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
  950. Network Distance: 20 hops
  951. Service Info: Host: fo3-web02.nic.gov.sd
  952.  
  953. TRACEROUTE (using port 443/tcp)
  954. HOP RTT ADDRESS
  955. 1 23.01 ms 10.242.200.1
  956. 2 23.37 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  957. 3 24.75 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  958. 4 23.62 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  959. 5 23.64 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  960. 6 23.64 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  961. 7 92.73 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
  962. 8 98.71 ms be2391.ccr51.lhr01.atlas.cogentco.com (154.54.39.149)
  963. 9 99.89 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  964. 10 99.73 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  965. 11 99.39 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  966. 12 177.96 ms 185.153.20.70
  967. 13 177.96 ms 185.153.20.82
  968. 14 177.75 ms 185.153.20.94
  969. 15 180.23 ms 185.153.20.153
  970. 16 ... 17
  971. 18 197.52 ms 196.202.145.94
  972. 19 ...
  973. 20 198.50 ms f03-web02.nic.gov.sd (62.12.105.2)
  974. #######################################################################################################################################
  975. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:55 EST
  976. Nmap scan report for 62.12.105.2
  977. Host is up.
  978.  
  979. PORT STATE SERVICE VERSION
  980. 123/udp open|filtered ntp
  981. Too many fingerprints match this host to give specific OS details
  982.  
  983. TRACEROUTE (using proto 1/icmp)
  984. HOP RTT ADDRESS
  985. 1 22.91 ms 10.242.200.1
  986. 2 23.34 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  987. 3 38.15 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  988. 4 22.94 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  989. 5 24.95 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  990. 6 23.37 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  991. 7 92.99 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  992. 8 99.02 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  993. 9 100.05 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  994. 10 100.10 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  995. 11 98.88 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  996. 12 199.93 ms 185.153.20.70
  997. 13 177.30 ms 185.153.20.82
  998. 14 177.32 ms 185.153.20.94
  999. 15 179.89 ms 185.153.20.153
  1000. 16 212.18 ms 212.0.131.109
  1001. 17 193.70 ms 196.202.137.249
  1002. 18 198.05 ms 196.202.145.94
  1003. 19 ... 30
  1004. #######################################################################################################################################
  1005. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 11:58 EST
  1006. Nmap scan report for 62.12.105.2
  1007. Host is up (0.20s latency).
  1008.  
  1009. PORT STATE SERVICE VERSION
  1010. 161/tcp filtered snmp
  1011. 161/udp open|filtered snmp
  1012. Too many fingerprints match this host to give specific OS details
  1013.  
  1014. TRACEROUTE (using proto 1/icmp)
  1015. HOP RTT ADDRESS
  1016. 1 23.14 ms 10.242.200.1
  1017. 2 23.53 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  1018. 3 44.96 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  1019. 4 25.60 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  1020. 5 23.77 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  1021. 6 23.56 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  1022. 7 93.31 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  1023. 8 98.70 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  1024. 9 99.90 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  1025. 10 99.94 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  1026. 11 99.12 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  1027. 12 178.04 ms 185.153.20.70
  1028. 13 178.01 ms 185.153.20.82
  1029. 14 178.02 ms 185.153.20.94
  1030. 15 180.54 ms 185.153.20.153
  1031. 16 214.94 ms 212.0.131.109
  1032. 17 197.29 ms 196.202.137.249
  1033. 18 197.24 ms 196.202.145.94
  1034. 19 ... 30
  1035. #######################################################################################################################################
  1036. Version: 1.11.12-static
  1037. OpenSSL 1.0.2-chacha (1.0.2g-dev)
  1038.  
  1039. Connected to 62.12.105.2
  1040.  
  1041. Testing SSL server 62.12.105.2 on port 443 using SNI name 62.12.105.2
  1042.  
  1043. TLS Fallback SCSV:
  1044. Server supports TLS Fallback SCSV
  1045.  
  1046. TLS renegotiation:
  1047. Secure session renegotiation supported
  1048.  
  1049. TLS Compression:
  1050. Compression disabled
  1051.  
  1052. Heartbleed:
  1053. TLS 1.2 not vulnerable to heartbleed
  1054. TLS 1.1 not vulnerable to heartbleed
  1055. TLS 1.0 not vulnerable to heartbleed
  1056.  
  1057. Supported Server Cipher(s):
  1058. Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
  1059. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
  1060. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1061. Accepted TLSv1.2 256 bits AES256-GCM-SHA384
  1062. Accepted TLSv1.2 256 bits AES256-SHA256
  1063. Accepted TLSv1.2 256 bits AES256-SHA
  1064. Accepted TLSv1.2 256 bits CAMELLIA256-SHA
  1065. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
  1066. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
  1067. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1068. Accepted TLSv1.2 128 bits AES128-GCM-SHA256
  1069. Accepted TLSv1.2 128 bits AES128-SHA256
  1070. Accepted TLSv1.2 128 bits AES128-SHA
  1071. Accepted TLSv1.2 128 bits CAMELLIA128-SHA
  1072. Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1073. Accepted TLSv1.1 256 bits AES256-SHA
  1074. Accepted TLSv1.1 256 bits CAMELLIA256-SHA
  1075. Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1076. Accepted TLSv1.1 128 bits AES128-SHA
  1077. Accepted TLSv1.1 128 bits CAMELLIA128-SHA
  1078. Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1079. Accepted TLSv1.0 256 bits AES256-SHA
  1080. Accepted TLSv1.0 256 bits CAMELLIA256-SHA
  1081. Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1082. Accepted TLSv1.0 128 bits AES128-SHA
  1083. Accepted TLSv1.0 128 bits CAMELLIA128-SHA
  1084.  
  1085. SSL Certificate:
  1086. Signature Algorithm: sha256WithRSAEncryption
  1087. RSA Key Strength: 2048
  1088.  
  1089. Subject: Plesk
  1090. Issuer: Plesk
  1091.  
  1092. Not valid before: Apr 20 02:40:27 2016 GMT
  1093. Not valid after: Apr 20 02:40:27 2017 GMT
  1094. #######################################################################################################################################
  1095. --------------------------------------------------------
  1096. <<<Yasuo discovered following vulnerable applications>>>
  1097. --------------------------------------------------------
  1098. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  1099. | App Name | URL to Application | Potential Exploit | Username | Password |
  1100. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  1101. | phpMyAdmin | https://62.12.105.2:8443/phpmyadmin/ | ./exploits/multi/http/phpmyadmin_preg_replace.rb | None | None |
  1102. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
  1103. #######################################################################################################################################
  1104. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 12:06 EST
  1105. NSE: Loaded 148 scripts for scanning.
  1106. NSE: Script Pre-scanning.
  1107. NSE: Starting runlevel 1 (of 2) scan.
  1108. Initiating NSE at 12:06
  1109. Completed NSE at 12:06, 0.00s elapsed
  1110. NSE: Starting runlevel 2 (of 2) scan.
  1111. Initiating NSE at 12:06
  1112. Completed NSE at 12:06, 0.00s elapsed
  1113. Initiating Ping Scan at 12:06
  1114. Scanning 62.12.105.2 [4 ports]
  1115. Completed Ping Scan at 12:06, 0.24s elapsed (1 total hosts)
  1116. Initiating Parallel DNS resolution of 1 host. at 12:06
  1117. Completed Parallel DNS resolution of 1 host. at 12:06, 16.50s elapsed
  1118. Initiating Connect Scan at 12:06
  1119. Scanning 62.12.105.2 [1000 ports]
  1120. Discovered open port 80/tcp on 62.12.105.2
  1121. Discovered open port 110/tcp on 62.12.105.2
  1122. Discovered open port 143/tcp on 62.12.105.2
  1123. Discovered open port 995/tcp on 62.12.105.2
  1124. Discovered open port 21/tcp on 62.12.105.2
  1125. Discovered open port 993/tcp on 62.12.105.2
  1126. Discovered open port 443/tcp on 62.12.105.2
  1127. Discovered open port 8443/tcp on 62.12.105.2
  1128. Completed Connect Scan at 12:07, 12.65s elapsed (1000 total ports)
  1129. Initiating Service scan at 12:07
  1130. Scanning 8 services on 62.12.105.2
  1131. Completed Service scan at 12:07, 14.41s elapsed (8 services on 1 host)
  1132. Initiating OS detection (try #1) against 62.12.105.2
  1133. Retrying OS detection (try #2) against 62.12.105.2
  1134. WARNING: OS didn't match until try #2
  1135. Initiating Traceroute at 12:07
  1136. Completed Traceroute at 12:07, 6.15s elapsed
  1137. Initiating Parallel DNS resolution of 18 hosts. at 12:07
  1138. Completed Parallel DNS resolution of 18 hosts. at 12:07, 16.50s elapsed
  1139. NSE: Script scanning 62.12.105.2.
  1140. NSE: Starting runlevel 1 (of 2) scan.
  1141. Initiating NSE at 12:07
  1142. NSE Timing: About 98.90% done; ETC: 12:08 (0:00:00 remaining)
  1143. NSE Timing: About 99.45% done; ETC: 12:08 (0:00:00 remaining)
  1144. NSE Timing: About 99.63% done; ETC: 12:09 (0:00:00 remaining)
  1145. NSE Timing: About 99.72% done; ETC: 12:09 (0:00:00 remaining)
  1146. Completed NSE at 12:10, 138.31s elapsed
  1147. NSE: Starting runlevel 2 (of 2) scan.
  1148. Initiating NSE at 12:10
  1149. Completed NSE at 12:10, 0.44s elapsed
  1150. Nmap scan report for 62.12.105.2
  1151. Host is up, received syn-ack ttl 44 (0.16s latency).
  1152. Scanned at 2019-02-23 12:06:35 EST for 213s
  1153. Not shown: 988 filtered ports
  1154. Reason: 987 no-responses and 1 host-unreach
  1155. PORT STATE SERVICE REASON VERSION
  1156. 21/tcp open tcpwrapped syn-ack
  1157. 25/tcp closed smtp conn-refused
  1158. 80/tcp open http syn-ack nginx
  1159. |_http-favicon: Unknown favicon MD5: 1DB747255C64A30F9236E9D929E986CA
  1160. | http-methods:
  1161. |_ Supported Methods: GET HEAD POST OPTIONS
  1162. |_http-server-header: nginx
  1163. |_http-title: Domain Default page
  1164. 110/tcp open pop3 syn-ack Dovecot pop3d
  1165. |_pop3-capabilities: USER CAPA SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) RESP-CODES STLS APOP PIPELINING TOP UIDL AUTH-RESP-CODE
  1166. |_ssl-date: TLS randomness does not represent time
  1167. 113/tcp closed ident conn-refused
  1168. 139/tcp closed netbios-ssn conn-refused
  1169. 143/tcp open imap syn-ack Dovecot imapd
  1170. |_imap-capabilities: AUTH=PLAIN ID AUTH=DIGEST-MD5 Pre-login OK capabilities AUTH=LOGIN LOGIN-REFERRALS more listed have post-login SASL-IR STARTTLS AUTH=CRAM-MD5A0001 IDLE IMAP4rev1 LITERAL+ ENABLE
  1171. |_ssl-date: TLS randomness does not represent time
  1172. 443/tcp open ssl/http syn-ack nginx
  1173. | http-methods:
  1174. |_ Supported Methods: GET HEAD POST OPTIONS
  1175. |_http-server-header: nginx
  1176. |_http-title: Domain Default page
  1177. | ssl-cert: Subject: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/emailAddress=info@plesk.com/organizationalUnitName=Plesk/localityName=Seattle
  1178. | Issuer: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/emailAddress=info@plesk.com/organizationalUnitName=Plesk/localityName=Seattle
  1179. | Public Key type: rsa
  1180. | Public Key bits: 2048
  1181. | Signature Algorithm: sha256WithRSAEncryption
  1182. | Not valid before: 2016-04-20T02:40:27
  1183. | Not valid after: 2017-04-20T02:40:27
  1184. | MD5: a38f 7308 6ca0 a95d 2faa d3f0 6cb4 5553
  1185. | SHA-1: 1479 6658 f803 6987 8f42 5473 9eaf 97e1 50dd 2d68
  1207. |_ssl-date: TLS randomness does not represent time
  1208. | tls-alpn:
  1209. |_ http/1.1
  1210. | tls-nextprotoneg:
  1211. |_ http/1.1
  1212. 445/tcp closed microsoft-ds conn-refused
  1213. 993/tcp open ssl/imaps? syn-ack
  1214. |_ssl-date: TLS randomness does not represent time
  1215. 995/tcp open ssl/pop3s? syn-ack
  1216. |_ssl-date: TLS randomness does not represent time
  1217. 8443/tcp open ssl/http syn-ack sw-cp-server httpd (Plesk Onyx 17.5.3)
  1218. | http-methods:
  1219. |_ Supported Methods: GET HEAD POST
  1220. |_http-server-header: sw-cp-server
  1221. |_http-title: Plesk Onyx 17.5.3
  1222. | ssl-cert: Subject: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/emailAddress=info@plesk.com/organizationalUnitName=Plesk/localityName=Seattle
  1223. | Issuer: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/emailAddress=info@plesk.com/organizationalUnitName=Plesk/localityName=Seattle
  1224. | Public Key type: rsa
  1225. | Public Key bits: 2048
  1226. | Signature Algorithm: sha256WithRSAEncryption
  1227. | Not valid before: 2016-04-20T02:40:27
  1228. | Not valid after: 2017-04-20T02:40:27
  1229. | MD5: a38f 7308 6ca0 a95d 2faa d3f0 6cb4 5553
  1230. | SHA-1: 1479 6658 f803 6987 8f42 5473 9eaf 97e1 50dd 2d68
  1252. |_ssl-date: TLS randomness does not represent time
  1253. | tls-nextprotoneg:
  1254. |_ http/1.1
  1255. Device type: general purpose
  1256. Running: Linux 2.6.X
  1257. OS CPE: cpe:/o:linux:linux_kernel:2.6
  1258. OS details: Linux 2.6.18 - 2.6.22
  1259. TCP/IP fingerprint:
  1267.  
  1268. Service Info: Host: fo3-web02.nic.gov.sd
  1269.  
  1270. TRACEROUTE (using proto 1/icmp)
  1271. HOP RTT ADDRESS
  1272. 1 22.16 ms 10.242.200.1
  1273. 2 45.86 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
  1274. 3 41.62 ms xe-0-0-1-0.agg2.qc1.ca.m247.com (37.120.128.166)
  1275. 4 22.36 ms vlan304.as032.buc.ro.m247.com (77.243.185.226)
  1276. 5 22.74 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
  1277. 6 22.55 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
  1278. 7 92.08 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
  1279. 8 98.51 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
  1280. 9 99.30 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
  1281. 10 99.35 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
  1282. 11 100.15 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
  1283. 12 178.71 ms 185.153.20.70
  1284. 13 178.65 ms 185.153.20.82
  1285. 14 178.68 ms 185.153.20.94
  1286. 15 183.99 ms 185.153.20.153
  1287. 16 224.69 ms 212.0.131.109
  1288. 17 193.76 ms 196.202.137.249
  1289. 18 198.32 ms 196.202.145.94
  1290. 19 ... 30
  1291.  
  1292. NSE: Script Post-scanning.
  1293. NSE: Starting runlevel 1 (of 2) scan.
  1294. Initiating NSE at 12:10
  1295. Completed NSE at 12:10, 0.00s elapsed
  1296. NSE: Starting runlevel 2 (of 2) scan.
  1297. Initiating NSE at 12:10
  1298. Completed NSE at 12:10, 0.00s elapsed
  1299. Read data files from: /usr/bin/../share/nmap
  1300. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1301. Nmap done: 1 IP address (1 host up) scanned in 212.87 seconds
  1302. Raw packets sent: 142 (10.432KB) | Rcvd: 194 (31.414KB)
  1303. #######################################################################################################################################
  1304. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 12:10 EST
  1305. NSE: Loaded 148 scripts for scanning.
  1306. NSE: Script Pre-scanning.
  1307. Initiating NSE at 12:10
  1308. Completed NSE at 12:10, 0.00s elapsed
  1309. Initiating NSE at 12:10
  1310. Completed NSE at 12:10, 0.00s elapsed
  1311. Initiating Parallel DNS resolution of 1 host. at 12:10
  1312. Completed Parallel DNS resolution of 1 host. at 12:10, 16.50s elapsed
  1313. Initiating UDP Scan at 12:10
  1314. Scanning 62.12.105.2 [14 ports]
  1315. Completed UDP Scan at 12:10, 1.23s elapsed (14 total ports)
  1316. Initiating Service scan at 12:10
  1317. Scanning 12 services on 62.12.105.2
  1318. Service scan Timing: About 8.33% done; ETC: 12:30 (0:17:58 remaining)
  1319. Completed Service scan at 12:12, 102.58s elapsed (12 services on 1 host)
  1320. Initiating OS detection (try #1) against 62.12.105.2
  1321. Retrying OS detection (try #2) against 62.12.105.2
  1322. Initiating Traceroute at 12:12
  1323. Completed Traceroute at 12:12, 7.09s elapsed
  1324. Initiating Parallel DNS resolution of 1 host. at 12:12
  1325. Completed Parallel DNS resolution of 1 host. at 12:12, 16.51s elapsed
  1326. NSE: Script scanning 62.12.105.2.
  1327. Initiating NSE at 12:12
  1328. Completed NSE at 12:12, 20.36s elapsed
  1329. Initiating NSE at 12:12
  1330. Completed NSE at 12:12, 1.02s elapsed
  1331. Nmap scan report for 62.12.105.2
  1332. Host is up (0.022s latency).
  1333.  
  1334. PORT STATE SERVICE VERSION
  1335. 53/udp open|filtered domain
  1336. 67/udp open|filtered dhcps
  1337. 68/udp open|filtered dhcpc
  1338. 69/udp open|filtered tftp
  1339. 88/udp open|filtered kerberos-sec
  1340. 123/udp open|filtered ntp
  1341. 137/udp filtered netbios-ns
  1342. 138/udp filtered netbios-dgm
  1343. 139/udp open|filtered netbios-ssn
  1344. 161/udp open|filtered snmp
  1345. 162/udp open|filtered snmptrap
  1346. 389/udp open|filtered ldap
  1347. 520/udp open|filtered route
  1348. 2049/udp open|filtered nfs
  1349. Too many fingerprints match this host to give specific OS details
  1350.  
  1351. TRACEROUTE (using port 137/udp)
  1352. HOP RTT ADDRESS
  1353. 1 22.34 ms 10.242.200.1
  1354. 2 ... 3
  1355. 4 22.15 ms 10.242.200.1
  1356. 5 22.92 ms 10.242.200.1
  1357. 6 22.92 ms 10.242.200.1
  1358. 7 22.91 ms 10.242.200.1
  1359. 8 22.75 ms 10.242.200.1
  1360. 9 22.76 ms 10.242.200.1
  1361. 10 22.77 ms 10.242.200.1
  1362. 11 ... 18
  1363. 19 21.89 ms 10.242.200.1
  1364. 20 21.46 ms 10.242.200.1
  1365. 21 ... 28
  1366. 29 22.28 ms 10.242.200.1
  1367. 30 23.20 ms 10.242.200.1
  1368.  
  1369. NSE: Script Post-scanning.
  1370. Initiating NSE at 12:12
  1371. Completed NSE at 12:12, 0.00s elapsed
  1372. Initiating NSE at 12:12
  1373. Completed NSE at 12:12, 0.00s elapsed
  1374. Read data files from: /usr/bin/../share/nmap
  1375. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1376. Nmap done: 1 IP address (1 host up) scanned in 168.40 seconds
  1377. Raw packets sent: 146 (13.536KB) | Rcvd: 134 (17.846KB)
  1378. #######################################################################################################################################
  1379. ---------------------------------------------------------------------------------------------------------------------------------------
  1380. + Target IP: 62.12.105.2
  1381. + Target Hostname: 62.12.105.2
  1382. + Target Port: 443
  1383. ---------------------------------------------------------------------------------------------------------------------------------------
  1384. + SSL Info: Subject: /C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
  1385. Ciphers: ECDHE-RSA-AES256-GCM-SHA384
  1386. Issuer: /C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
  1387. + Start Time: 2019-02-23 11:17:46 (GMT-5)
  1388. ---------------------------------------------------------------------------------------------------------------------------------------
  1389. + Server: nginx
  1390. + Server leaks inodes via ETags, header found with file /, fields: 0xea6 0x5649d8e57844b
  1391. + The anti-clickjacking X-Frame-Options header is not present.
  1392. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  1393. + The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
  1394. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  1395. + Hostname '62.12.105.2' does not match certificate's names: Plesk
  1396. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
  1397. + OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
  1398. + OSVDB-3268: /icons/: Directory indexing found.
  1399. ---------------------------------------------------------------------------------------------------------------------------------------
  1400. #######################################################################################################################################
  1401. Anonymous JTSEC #OpSudan Full Recon #22