marys

ACADEMI/ ALSO KNOWN AS BLACKWATER

Dec 8th, 2014
EXPLOITATION & VULNERABILITY OF ACADEMI/ ALSO KNOWN AS BLACKWATER (RAMBO'S). BY ANON-NINJA-CAT, CONTACT INFOSEC-CAT THROUGH ENCRYPTED CODE, WHO WILL CONTACT CONE-CAT FOR CLEARANCE TO THE CYBER-HIVE. /MILD EXPLOITATION REPORT/

WE ARE ANONYMOUS
WE ARE LEGION
WE ARE GHOSTS OF THE CYBER-HIVE.


https://www.academi.com/

Academi is an American private military company, founded in 1997 by Erik Prince. Formerly known as Blackwater, the company was renamed Xe Services in 2009, and "Academi" in 2011.


IP Address 54.243.51.249

Server Type nginx


Server:nginx
IP Address:54.243.51.249
Port:443
Hostname:www.academi.com

The target site *has* a DNS wildcard configuration

The contents of https://54.243.51.249 differ from the contents of https://www.academi.com

The URL "https://www.academi.com/" has the following allowed methods, which include DAV methods: ACL, BASELINE_CONTROL, CHECKIN, CHECKOUT, CONNECT, COPY, DEBUG, GET, HEAD, INDEX, INVALID, INVOKE, LABEL, LINK, LOCK, MERGE, MKACTIVITY, MKCOL, MKDIR, MKWORKSPACE, MOVE, NOTIFY, OPTIONS, PATCH, PIN, POLL, POST, PROPFIND, PROPPATCH, REPLY, REPORT, RMDIR, SEARCH, SHOWMETHOD, SPACEJUMP, SUBSCRIBE, SUBSCRIPTIONS, TEXTSEARCH, TRACK, UNCHECKOUT, UNLINK, UNLOCK, UNSUBSCRIBE, VERSION_CONTROL.

The mail account: "feedback@academi.com" was found in:
- https://www.academi.com/

Name Servers ip location
ns1.dnsbycomodo.net 8.20.241.1 usa
ns2.dnsbycomodo.net 8.20.243.1 usa

mail.academi.com A 1 hour 67.238.84.240 (Biglerville, PA, US)
www.academi.com A 1 hour 54.243.51.249 (US)


Hostname:*.academi.com
Organization:ACADEMI LLC
Locality:Moyock
State:North Carolina
Country:US

report for ec2-54-243-51-249.compute-1.amazonaws.com (54.243.51.249)
Host is up (0.063s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http
443/tcp open https

report for amazonaws.com (72.21.206.80)
Host is up (0.0060s latency).
Other addresses for amazonaws.com (not scanned): 72.21.210.29 207.171.166.22
rDNS record for 72.21.206.80: 206-80.amazon.com
PORT STATE SERVICE
80/tcp open http
---------------------------------------------------------------------------------------------------------------------------------

# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: *
# Disallow: /
User-agent: *
Disallow: /checkout
Disallow: /cart
Disallow: /orders
Disallow: /countries
Disallow: /line_items
Disallow: /password_resets
Disallow: /states
Disallow: /user_sessions
Disallow: /user_registrations
Disallow: /users
Disallow: /account

------------------------------------------------------------------------------------------------------------------------------------
EXPLOITS:

The URL: "https://www.academi.com/admin.php" returned a response that may contain a "MD5" hash. The hash is: "5c16451fd9ead8323c89fc4c1f23aebb".

The URL: "https://www.academi.com/" possibly discloses a US Social Security Number: "261-52-8395".

The URL: "https://www.academi.com/" sent the cookie: "_academi_session=RE45aUppcVhQYW9GSHVpSHpvVTNteXZzN1FpekNQa09jaDc1T05QL3pZSHhrYVRCYytyR1FhTi9PaUlxZWZEL01iM0t6bWtnZUE5U0pKSW1iU1RBNVVlNkFXdUxqZnV2dVVkcElQc0M2elJMZXdCNTBBQlZMT3dWd1RXYm5ESlNBWkw5TGZYZks1cVZtLzdXeHpDbkY0SURVTzlCR2NGMVNET1d4eEFPYyszT3g1NHkxY0tUL0JEN0dJMXFnTWtLLS13bDVQV0xJN0hTYWI2VTRyclhLS0dnPT0%3D--897595f414a1d8dc7b914ba7786eeaa19d06c434; path=/; HttpOnly". This information was found in the request with id 1.

An unidentified vulnerability was found at: "https://www.academi.com/", using HTTP method GET. The sent data was: "mode=d%27kc%22z%27gj%27%22%2A%2A5%2A%28%28%28%3B-%2A%60%29"
GET https://www.academi.com/?mode=phpinfo HTTP/1.1
Host: www.academi.com
Cookie: _academi_session=NlpxM09DYWR2akxEL09tS3VJams5NytqZ3l6M3I3RjBmVzhCcTd3dnhNelJuaUVaWlFGdmFIYXp0QmZwcUJ0KzZZcjhZL28vTGVhSDlxQXFFS3lYM1N4alhpbnNFWW5FVDRVakxBYzdYTC9Tc25UcS9EdEQ3RDBHRnVNTm5pOS96ZVJXTWJuSXVrNXllUGlvTnRraFZmR1cyRTJUZks1a2xxcWMzZzc4UmVqc1l6SGJ2bjlSUjZuVDdyNHdCaytBLS1MRGw2cW1SR3dzckhwRGNURE8reFFnPT0%3D--4e8872122a34a7f33ff3a632095285d7b042033f;

An unidentified vulnerability was found at: "https://www.academi.com/admin.php", using HTTP method GET. The sent data was: "mode=d%27kc%22z%27gj%27%22%2A%2A5%2A%28%28%28%3B-%2A%60%29"
GET https://www.academi.com/admin/login HTTP/1.1
Host: www.academi.com
Cookie: _academi_session=THhUckh5NDdOc0t1T3ViYWZMc0pjazI1WDlxT29uSmY4dDFXSWUwL0lSRXBEZVBpT0dxWCtOTHZ5R0pOVFlxOTgyQTM2TkxyWXpVbjJSVW5kS1BmdEZKeFBNSGxXeWtzWFFvOFdtdUZReERsNVM5TDhpTDlPUUNQOTdzK3ZHYmk4ZFJGVm9PTCtKbUFBcE1EcDNVNmhCVUhUbEdWazRTSFNmZXZFdnEycFF3TldpTE5uZko0SkhSWkpjTGZQMHBLLS16ZVBJaFJ6MUR5K2JyQlNNRXk4VVNBPT0%3D--44a81cba5181ca0d9b39101ed7f9a330dce6f62c;

An unidentified vulnerability was found at: "https://www.academi.com/", using HTTP method GET. The sent data was: "view=d%27kc%22z%27gj%27%22%2A%2A5%2A%28%28%28%3B-%2A%60%29"
GET https://www.academi.com/?view=phpinfo HTTP/1.1
Host: www.academi.com
Cookie: _academi_session=S202YW9BTTBEWmtyOWpWVm1YTzIwc3VBa0M2UE9vM3FjemdRVUs3bkRhaStDSHpYWGFra0QvWGNyUTM3ZFpQTjZ4TXcvUkdSb0lLT0xsWXdEcU1waEtDUDZFLzBZZnZvai93RnpnSkJGSWxvZkNDRVhZbUJ1UnVJREdqaFpRa0RnVG5YQ01HTjBBdEl3VkxYTXdjT0NSWTRDS09yT0JXbW9iN1RiVDY3d0NCU3VYMW5xNHVmdks3MXEvRWhuQkRrLS02dU5ZblZGOW1PQlRybmhRazFzSTFBPT0%3D--7d4fbd67edc6c386ca4a9757d4c500668f4970d5;



TLS v1.1 and TLS v1.2 should be enabled
Server should enable more recent versions of TLS protocol

Server does not have session resumption enabled
Users may experience slower performance

Server has not enabled HTTP Strict-Transport-Security
Users may be exposed to man-in-the-middle attacks

Server is mixing http and https content
Attackers may be able to manipulate the page.

Server uses RC4 cipher with modern browsers
More secure ciphers are available for TLS 1.1 and newer

Server configuration does not meet FIPS guidelines
Federal standards for data handling are not being met

SSL 2.0 Disabled:Pass
SSL 3.0 Disabled:Pass
TLS 1.0 Enabled:Pass
TLS 1.1 Enabled:Fail <<<<<
TLS 1.2 Enabled:Fail <<<<<
Weak ciphersuites disabled:Pass
Certificates configured correctly:Pass
Secure renegotiation configured:Pass
Session resumption configured:Fail <<<<<
BEAST Vulnerability:Pass
OCSP Stapling:Fail <<<<<
PCI Compliant:Pass
FIPS Compliant:Fail <<<<<
Forward Secrecy Supported:Pass
Heartbleed Vulnerability:Pass

Strict Transport Security:Fail <<<<<
Mixed Content (HTTP and HTTPS):Fail <<<<<<
Domain name resolves to IPv4 address:Pass
Domain name resolves to IPv6 address:Fail <<<<<
===================================================================================================================================
http://www.academiproshop.com (67.132.195.12)

80/tcp open http

[ .NET Configuration Analysis ]

Server -> Microsoft-IIS/6.0
AppTrace -> LocalOnly
Application -> /
ADNVersion -> 2.0.50727.5710

Found -> /aspnet_client/system_web/2_0_50727 <<<<<<<<