Anonymous JTSEC #OpVenezuela full Recon #7

a guest
Nov 7th, 2018
  1. #######################################################################################################################################
  2. Hostname www.mppp.gob.ve ISP CANTV Servicios, Venezuela
  3. Continent South America Flag
  4. VE
  5. Country Venezuela Country Code VE
  6. Region Distrito Federal Local time 07 Nov 2018 02:37 -04
  7. City Caracas Postal Code Unknown
  8. IP Address 201.249.203.40 Latitude 10.5
  9. Longitude -66.917
  10.  
  11. ######################################################################################################################################
  12. > www.mppp.gob.ve
  13. Server: 194.187.251.67
  14. Address: 194.187.251.67#53
  15.  
  16. Non-authoritative answer:
  17. Name: www.mppp.gob.ve
  18. Address: 201.249.203.40
  19. ######################################################################################################################################
  20. HostIP:201.249.203.40
  21. HostName:www.mppp.gob.ve
  22.  
  23. Gathered Inet-whois information for 201.249.203.40
  24. ---------------------------------------------------------------------------------------------------------------------------------------
  25.  
  26.  
  27. inetnum: 201.0.0.0 - 201.255.255.255
  28. netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
  29. descr: IPv4 address block not managed by the RIPE NCC
  30. remarks: ------------------------------------------------------
  31. remarks:
  32. remarks: You can find the whois server to query, or the
  33. remarks: IANA registry to query on this web page:
  34. remarks: http://www.iana.org/assignments/ipv4-address-space
  35. remarks:
  36. remarks: You can access databases of other RIRs at:
  37. remarks:
  38. remarks: AFRINIC (Africa)
  39. remarks: http://www.afrinic.net/ whois.afrinic.net
  40. remarks:
  41. remarks: APNIC (Asia Pacific)
  42. remarks: http://www.apnic.net/ whois.apnic.net
  43. remarks:
  44. remarks: ARIN (Northern America)
  45. remarks: http://www.arin.net/ whois.arin.net
  46. remarks:
  47. remarks: LACNIC (Latin America and the Carribean)
  48. remarks: http://www.lacnic.net/ whois.lacnic.net
  49. remarks:
  50. remarks: IANA IPV4 Recovered Address Space
  51. remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
  52. remarks:
  53. remarks: ------------------------------------------------------
  54. country: EU # Country is really world wide
  55. admin-c: IANA1-RIPE
  56. tech-c: IANA1-RIPE
  57. status: ALLOCATED UNSPECIFIED
  58. mnt-by: RIPE-NCC-HM-MNT
  59. mnt-lower: RIPE-NCC-HM-MNT
  60. created: 2014-11-07T14:15:06Z
  61. last-modified: 2018-09-04T13:31:30Z
  62. source: RIPE
  63.  
  64. role: Internet Assigned Numbers Authority
  65. address: see http://www.iana.org.
  66. admin-c: IANA1-RIPE
  67. tech-c: IANA1-RIPE
  68. nic-hdl: IANA1-RIPE
  69. remarks: For more information on IANA services
  70. remarks: go to IANA web site at http://www.iana.org.
  71. mnt-by: RIPE-NCC-MNT
  72. created: 1970-01-01T00:00:00Z
  73. last-modified: 2001-09-22T09:31:27Z
  74. source: RIPE # Filtered
  75.  
  76. % Information related to '201.249.0.0/16AS8048'
  77.  
  78. route: 201.249.0.0/16
  79. descr: CANTV-NET
  80. origin: AS8048
  81. mnt-by: CANTV-MNTR
  82. created: 2007-04-03T12:17:07Z
  83. last-modified: 2018-09-04T15:50:05Z
  84. source: RIPE-NONAUTH
  85.  
  86. % This query was served by the RIPE Database Query Service version 1.92.6 (HEREFORD)
  87.  
  88.  
  89.  
  90. Gathered Inic-whois information for mppp.gob.ve
  91. ---------------------------------------------------------------------------------------------------------------------------------------
  92.  
  93. Gathered Netcraft information for www.mppp.gob.ve
  94. --------------------------------------------------------------------------------------------------------------------------------------
  95.  
  96. Retrieving Netcraft.com information for www.mppp.gob.ve
  97. Netcraft.com Information gathered
  98.  
  99. Gathered Subdomain information for mppp.gob.ve
  100. ---------------------------------------------------------------------------------------------------------------------------------------
  101. Searching Google.com:80...
  102. HostName:www.mppp.gob.ve
  103. HostIP:201.249.203.40
  104. HostName:sipes.mppp.gob.ve
  105. HostIP:200.109.67.89
  106. HostName:correo.mppp.gob.ve
  107. HostIP:201.249.203.33
  108. Searching Altavista.com:80...
  109. Found 3 possible subdomain(s) for host mppp.gob.ve, Searched 0 pages containing 0 results
  110.  
  111. Gathered E-Mail information for mppp.gob.ve
  112. ---------------------------------------------------------------------------------------------------------------------------------------
  113. Searching Google.com:80...
  114. Searching Altavista.com:80...
  115. Found 0 E-Mail(s) for host mppp.gob.ve, Searched 0 pages containing 0 results
  116.  
  117. Gathered TCP Port information for 201.249.203.40
  118. ---------------------------------------------------------------------------------------------------------------------------------------
  119.  
  120. Port State
  121.  
  122. 80/tcp open
  123.  
  124. Portscan Finished: Scanned 150 ports, 2 ports were in state closed
  125.  
  126. #######################################################################################################################################
  127. [i] Scanning Site: http://www.mppp.gob.ve
  128.  
  129.  
  130.  
  131. B A S I C I N F O
  132. =======================================================================================================================================
  133.  
  134.  
  135. [+] Site Title: MPPP | Ministerio del Poder Popular de Planificación
  136. [+] IP address: 201.249.203.40
  137. [+] Web Server: Could Not Detect
  138. [+] CMS: WordPress
  139. [+] Cloudflare: Not Detected
  140. [+] Robots File: Found
  141.  
  142. -------------[ contents ]----------------
  143. User-agent: *
  144. Disallow: /wp-admin/
  145. Allow: /wp-admin/admin-ajax.php
  146.  
  147. -----------[end of contents]-------------
  148.  
  149.  
  150.  
  151. W H O I S L O O K U P
  152. =======================================================================================================================================
  153.  
  154.  
  155. Servidor Whois del Centro de Información de Red de Venezuela (NIC.VE)
  156.  
  157. Este servidor contiene información autoritativa exclusivamente de dominios .VE
  158. Cualquier consulta sobre este servicio, puede hacerla al correo electrónico whois@nic.ve
  159.  
  160. Titular:
  161. Ministerio del Poder Popular de Planificacion despacho@mppp.gob.ve
  162. Ministerio del Poder Popular de Planificacion
  163. Av. Lecuna. Parque Central. Torre Oeste. Piso 20. Urb. El Conde. Municipio Libertador
  164. Caracas, Distrito Capital VE
  165. +58 (212) 507.05.14 / +58 (212) 507.09.38
  166.  
  167. Nombre de Dominio: mppp.gob.ve
  168.  
  169. Contacto Administrativo:
  170. Manuel Gilly mgilly@mppp.gob.ve
  171. Ministerio del Poder Popular de Planificacion
  172. Av. Lecuna. Parque Central. Torre Oeste. Piso 20. Urb. El Conde. Municipio Libertador
  173. Caracas, Distrito Capital VE
  174. 0212-5070939 (FAX) 8021643.
  175.  
  176. Contacto Técnico:
  177. Mebil Rosales mrosales@mppp.gob.ve
  178. Ministerio del Poder Popular de Planificacion
  179. Av. Lecuna. Parque Central. Torre Oeste. Piso 20. Urb. El Conde. Municipio Libertador
  180. Caracas, Distrito Capital VE
  181. 0212-7570936
  182.  
  183. Contacto de Cobranza:
  184. Ministerio del Poder Popular de Planificacion despacho@mppp.gob.ve
  185. Ministerio del Poder Popular de Planificacion
  186. Av. Lecuna. Parque Central. Torre Oeste. Piso 20. Urb. El Conde. Municipio Libertador
  187. Caracas, Distrito Capital VE
  188. +58 (212) 507.05.14 / +58 (212) 507.09.38
  189.  
  190. Ultima Actualización: 2013-06-21 15:20:44
  191. Fecha de Creación: 2013-06-21 15:12:26
  192.  
  193. Estatus del dominio: ACTIVO
  194.  
  195. Servidor(es) de Nombres de Dominio:
  196.  
  197. - ns1.mppp.gob.ve
  198. - ns2.mppp.gob.ve
  199.  
  200. NIC-Venezuela - CONATEL
  201. http://www.nic.ve
  202.  
  203.  
  204.  
  205.  
  206. G E O I P L O O K U P
  207. =======================================================================================================================================
  208.  
  209. [i] IP Address: 201.249.203.40
  210. [i] Country: VE
  211. [i] State: N/A
  212. [i] City: N/A
  213. [i] Latitude: 8.000000
  214. [i] Longitude: -66.000000
  215.  
  216.  
  217.  
  218.  
  219. H T T P H E A D E R S
  220. =======================================================================================================================================
  221.  
  222.  
  223. [i] HTTP/1.1 200 OK
  224. [i] Date: Wed, 07 Nov 2018 09:14:58 GMT
  225. [i] Set-Cookie: PHPSESSID=k086cottgn8dhjs8msc13maad4; path=/
  226. [i] Expires: Thu, 19 Nov 1981 08:52:00 GMT
  227. [i] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  228. [i] Pragma: no-cache
  229. [i] Set-Cookie: wphc_seen=1; expires=Thu, 08-Nov-2018 09:14:59 GMT
  230. [i] Link: <http://www.mppp.gob.ve/wp-json/>; rel="https://api.w.org/"
  231. [i] Link: <http://www.mppp.gob.ve/>; rel=shortlink
  232. [i] Vary: Accept-Encoding
  233. [i] Content-Type: text/html; charset=UTF-8
  234. [i] Connection: close
  235.  
  236.  
  237.  
  238.  
  239. D N S L O O K U P
  240. =======================================================================================================================================
  241.  
  242. mppp.gob.ve. 0 IN SOA mppp.gob.ve. soporte.mppp.gob.ve. 2018102901 1200 300 2419200 60
  243. mppp.gob.ve. 0 IN A 201.249.203.40
  244. mppp.gob.ve. 0 IN MX 10 correo.mppp.gob.ve.
  245. mppp.gob.ve. 3599 IN TXT "v=spf1 a mx ~all"
  246. mppp.gob.ve. 3599 IN TXT "google-site-verification=RqIgI6dEU1c9m7AButstf2q-CMpQOFz1684MpWzDX2M"
  247. mppp.gob.ve. 0 IN NS ns2.mppp.gob.ve.
  248. mppp.gob.ve. 0 IN NS ns1.mppp.gob.ve.
  249.  
  250.  
  251.  
  252.  
  253. S U B N E T C A L C U L A T I O N
  254. ======================================================================================================================================
  255.  
  256. Address = 201.249.203.40
  257. Network = 201.249.203.40 / 32
  258. Netmask = 255.255.255.255
  259. Broadcast = not needed on Point-to-Point links
  260. Wildcard Mask = 0.0.0.0
  261. Hosts Bits = 0
  262. Max. Hosts = 1 (2^0 - 0)
  263. Host Range = { 201.249.203.40 - 201.249.203.40 }
  264.  
  265.  
  266.  
  267. N M A P P O R T S C A N
  268. =======================================================================================================================================
  269.  
  270.  
  271. Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-07 08:43 UTC
  272. Nmap scan report for mppp.gob.ve (201.249.203.40)
  273. Host is up (0.085s latency).
  274. PORT STATE SERVICE
  275. 21/tcp filtered ftp
  276. 22/tcp filtered ssh
  277. 23/tcp filtered telnet
  278. 80/tcp open http
  279. 110/tcp filtered pop3
  280. 143/tcp filtered imap
  281. 443/tcp open https
  282. 3389/tcp filtered ms-wbt-server
  283.  
  284. Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
  285.  
  286.  
  287.  
  288. S U B - D O M A I N F I N D E R
  289. =======================================================================================================================================
  290.  
  291.  
  292. [i] Total Subdomains Found : 22
  293.  
  294. [+] Subdomain: ns2.mppp.gob.ve
  295. [-] IP: 201.249.201.70
  296.  
  297. [+] Subdomain: indicadoresplanpatria.mppp.gob.ve
  298. [-] IP: 201.249.203.48
  299.  
  300. [+] Subdomain: sala.mppp.gob.ve
  301. [-] IP: 201.249.203.45
  302.  
  303. [+] Subdomain: siruma.mppp.gob.ve
  304. [-] IP: 201.249.203.50
  305.  
  306. [+] Subdomain: collabora.mppp.gob.ve
  307. [-] IP: 201.249.203.38
  308.  
  309. [+] Subdomain: gitlab.mppp.gob.ve
  310. [-] IP: 201.249.203.46
  311.  
  312. [+] Subdomain: mautic.mppp.gob.ve
  313. [-] IP: 201.249.203.45
  314.  
  315. [+] Subdomain: nube.mppp.gob.ve
  316. [-] IP: 201.249.203.43
  317.  
  318. [+] Subdomain: openfire.mppp.gob.ve
  319. [-] IP: 201.249.203.37
  320.  
  321. [+] Subdomain: www.sicecom.mppp.gob.ve
  322. [-] IP: 201.249.203.40
  323.  
  324. [+] Subdomain: www.infoplan.mppp.gob.ve
  325. [-] IP: 201.249.203.44
  326.  
  327. [+] Subdomain: correo.mppp.gob.ve
  328. [-] IP: 201.249.203.33
  329.  
  330. [+] Subdomain: www.papelcero.mppp.gob.ve
  331. [-] IP: 201.249.203.40
  332.  
  333. [+] Subdomain: sidepro.mppp.gob.ve
  334. [-] IP: 150.187.36.126
  335.  
  336. [+] Subdomain: operativo.mppp.gob.ve
  337. [-] IP: 201.249.203.42
  338.  
  339. [+] Subdomain: www.rernep.mppp.gob.ve
  340. [-] IP: 201.249.203.41
  341.  
  342. [+] Subdomain: www.snip.mppp.gob.ve
  343. [-] IP: 201.249.203.57
  344.  
  345. [+] Subdomain: siglas.mppp.gob.ve
  346. [-] IP: 201.249.203.42
  347.  
  348. [+] Subdomain: zonaseconomicasespeciales.mppp.gob.ve
  349. [-] IP: 201.249.203.40
  350.  
  351. [+] Subdomain: sipes.mppp.gob.ve
  352. [-] IP: 150.187.36.127
  353.  
  354. [+] Subdomain: www.sipes.mppp.gob.ve
  355. [-] IP: 150.187.36.127
  356.  
  357. [+] Subdomain: www.mppp.gob.ve
  358. [-] IP: 201.249.203.40
  359.  
  360. ######################################################################################################################################
  361. [?] Enter the target: http://www.mppp.gob.ve
  362. [!] IP Address : 201.249.203.40
  363. [!] CMS Detected : WordPress
  364. [+] Honeypot Probabilty: 0%
  365. ---------------------------------------------------------------------------------------------------------------------------------------
  366. [~] Trying to gather whois information for www.mppp.gob.ve
  367. [+] Whois information found
  368. [-] Unable to build response, visit https://who.is/whois/www.mppp.gob.ve
  369. ---------------------------------------------------------------------------------------------------------------------------------------
  370. [+] Robots.txt retrieved
  371. User-agent: *
  372. Disallow: /wp-admin/
  373. Allow: /wp-admin/admin-ajax.php
  374.  
  375. ---------------------------------------------------------------------------------------------------------------------------------------
  376. PORT STATE SERVICE
  377. 21/tcp filtered ftp
  378. 22/tcp filtered ssh
  379. 23/tcp filtered telnet
  380. 80/tcp open http
  381. 110/tcp filtered pop3
  382. 143/tcp filtered imap
  383. 443/tcp open https
  384. 3389/tcp filtered ms-wbt-server
  385. Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
  386. ---------------------------------------------------------------------------------------------------------------------------------------
  387. #######################################################################################################################################
  388. ; <<>> DiG 9.11.5-1-Debian <<>> mppp.gob.ve
  389. ;; global options: +cmd
  390. ;; Got answer:
  391. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43928
  392. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  393.  
  394. ;; OPT PSEUDOSECTION:
  395. ; EDNS: version: 0, flags:; udp: 4096
  396. ;; QUESTION SECTION:
  397. ;mppp.gob.ve. IN A
  398.  
  399. ;; ANSWER SECTION:
  400. mppp.gob.ve. 0 IN A 201.249.203.40
  401.  
  402. ;; Query time: 304 msec
  403. ;; SERVER: 194.187.251.67#53(194.187.251.67)
  404. ;; WHEN: mer nov 07 03:58:33 EST 2018
  405. ;; MSG SIZE rcvd: 56
  406. #######################################################################################################################################
  407. ; <<>> DiG 9.11.5-1-Debian <<>> +trace mppp.gob.ve
  408. ;; global options: +cmd
  409. . 80650 IN NS i.root-servers.net.
  410. . 80650 IN NS h.root-servers.net.
  411. . 80650 IN NS f.root-servers.net.
  412. . 80650 IN NS c.root-servers.net.
  413. . 80650 IN NS k.root-servers.net.
  414. . 80650 IN NS j.root-servers.net.
  415. . 80650 IN NS m.root-servers.net.
  416. . 80650 IN NS l.root-servers.net.
  417. . 80650 IN NS d.root-servers.net.
  418. . 80650 IN NS e.root-servers.net.
  419. . 80650 IN NS a.root-servers.net.
  420. . 80650 IN NS g.root-servers.net.
  421. . 80650 IN NS b.root-servers.net.
  422. . 80650 IN RRSIG NS 8 0 518400 20181120050000 20181107040000 2134 . Np3RvppFEuYVNCJJIPBVV0MEWJf5BYaWh3cW85bg2RmXkkgSgkRSQG+H xL228jJONP/kIn/HJfr8kjufCMatXUTxFz2OVw5GQvemO32pBoIiywCm B+PO4lBDv4kMnmjm/GZ+sREJQ9Pq5/1kY0CKEPxfA+LkPPHSmnL6uOfr jatf1G8adJT7jpImoIfFg5y9CRlnU2RIQD5Xb1117o9HLUXS74osaHln 3d7s6/bxhPUdEkJSLfLBD2KbUOmFFd1uHJt/cywJClviRKgxjEySvMTZ 8ydBPSARLRlVi3NxHnvjDKxNcRP3kExSg5RRMhHG1lOhL025R2QisuBM VJQBJw==
  423. ;; Received 525 bytes from 194.187.251.67#53(194.187.251.67) in 118 ms
  424.  
  425. ve. 172800 IN NS ns4.nic.ve.
  426. ve. 172800 IN NS sns-pb.isc.org.
  427. ve. 172800 IN NS ns3.nic.ve.
  428. ve. 172800 IN NS ns1.nic.ve.
  429. ve. 172800 IN NS ns2.nic.ve.
  430. ve. 172800 IN NS azmodan.ula.ve.
  431. ve. 172800 IN NS ns-ext.nic.cl.
  432. ve. 86400 IN NSEC vegas. NS RRSIG NSEC
  433. ve. 86400 IN RRSIG NSEC 8 1 86400 20181120050000 20181107040000 2134 . RDmFLwTIfKeOFFTD1MvP8qvBugCPUs6w8s8RILzSRVwRczOWmO6nwZqK aecI5oHiUBvuNr9TbubR3ujtDW1bjpvLp3Vj6RD0dvWjPEySdYwTjvTB EYaiNDgAhI6xtrFPFz0vYAZxsClyq74T5sfzqK1+wGoiv2SwEq4BJslj 0Bd2mN9JSmS0bUo323hhLfsClanj5wrdWQq7HixJoCaBipXjQu9kJKy0 NhyGxMcmrxx7qFhD5r5T9kju1E2rvkbkJLdhqI2EryHGl55jCrT5FHpa fLhAsPtXN0oj0JXMzelte4Cpnuu4l1VSH8FxsKp8nJt+iFpBv6ZoSMHr 5xFWzQ==
  434. ;; Received 735 bytes from 202.12.27.33#53(m.root-servers.net) in 125 ms
  435.  
  436. mppp.gob.ve. 600 IN NS ns2.mppp.gob.ve.
  437. mppp.gob.ve. 600 IN NS ns1.mppp.gob.ve.
  438. ;; Received 108 bytes from 150.188.228.5#53(ns2.nic.ve) in 313 ms
  439.  
  440. mppp.gob.ve. 0 IN A 201.249.203.40
  441. mppp.gob.ve. 0 IN NS ns1.mppp.gob.ve.
  442. mppp.gob.ve. 0 IN NS ns2.mppp.gob.ve.
  443. ;; Received 124 bytes from 201.249.201.69#53(ns1.mppp.gob.ve) in 297 ms
  444. #######################################################################################################################################
  445. [+] Hosting Info for Website: www.mppp.gob.ve
  446. [+] Visitors per day: 1,740
  447. [+] IP Address: ...
  448. [+] IP Reverse DNS (Host): 201.249.203.40
  449. [+] Hosting Company IP Owner: Cantv Servicios, Venezuela
  450. [+] Hosting IP Range: 201.249.128.0 - 201.249.255.255 (32,768 ip)
  451. [+] Owner Address: Cantv Cor Los Palos Grandes- Chacao, Caracas Venezuela, 000, 1060 - Caracas - Mi, VE
  452. [+] Owner Country: VEN
  453. [+] Owner Phone: +58 2122095685
  454. [+] Owner Website: www.cantv.net
  455. [+] Owner CIDR: 201.249.128.0/17
  456. #######################################################################################################################################
  457. [+] Testing domain
  458. www.mppp.gob.ve 201.249.203.40
  459. [+] Dns resolving
  460. Domain name Ip address Name server
  461. No address associated with hostname mppp.gob.ve
  462. [+] Testing wildcard
  463. Ok, no wildcard found.
  464.  
  465. [+] Scanning for subdomain on mppp.gob.ve
  466. [!] Wordlist not specified. I scannig with my internal wordlist...
  467. Estimated time about 229.82 seconds
  468.  
  469. Subdomain Ip address Name server
  470.  
  471. ns1.mppp.gob.ve 201.249.201.69 201-249-201-69.estatic.cantv.net
  472. ns2.mppp.gob.ve 201.249.201.70 201-249-201-70.estatic.cantv.n
  473. #######################################################################################################################################
  474. Ip Address Status Type Domain Name Server
  475. ---------------------------------------------------------------------------------------------------------------------------------------
  476. 201.249.203.37 503 alias conference.mppp.gob.ve
  477. 201.249.203.37 503 host openfire.mppp.gob.ve
  478. 201.249.203.33 302 host correo.mppp.gob.ve
  479. 201.249.201.69 host ns1.mppp.gob.ve
  480. 201.249.201.70 host ns2.mppp.gob.ve
  481. 201.249.203.40 200 host www.mppp.gob.ve
  482. #######################################################################################################################################
  483. [*] Performing General Enumeration of Domain: mppp.gob.ve
  484. [-] DNSSEC is not configured for mppp.gob.ve
  485. [*] SOA mppp.gob.ve 201.249.203.40
  486. [*] NS ns1.mppp.gob.ve 201.249.201.69
  487. [*] Bind Version for 201.249.201.69 9.10.3-P4-Debian
  488. [*] NS ns2.mppp.gob.ve 201.249.201.70
  489. [*] Bind Version for 201.249.201.70 9.10.3-P4-Debian
  490. [*] MX correo.mppp.gob.ve 201.249.203.33
  491. [*] A mppp.gob.ve 201.249.203.40
  492. [*] TXT mppp.gob.ve v=spf1 a mx ~all
  493. [*] TXT mppp.gob.ve google-site-verification=RqIgI6dEU1c9m7AButstf2q-CMpQOFz1684MpWzDX2M
  494. [*] Enumerating SRV Records
  495. [*] SRV _xmpp-client._tcp.mppp.gob.ve openfire.mppp.gob.ve 201.249.203.37 5222 5
  496. [*] SRV _xmpp-server._tcp.mppp.gob.ve openfire.mppp.gob.ve 201.249.203.37 5269 5
  497. [+] 2 Records Found
  498. #######################################################################################################################################
  499. [*] Processing domain mppp.gob.ve
  500. [+] Getting nameservers
  501. 201.249.201.69 - ns1.mppp.gob.ve
  502. 201.249.201.70 - ns2.mppp.gob.ve
  503. [-] Zone transfer failed
  504.  
  505. [+] TXT records found
  506. "v=spf1 a mx ~all"
  507. "google-site-verification=RqIgI6dEU1c9m7AButstf2q-CMpQOFz1684MpWzDX2M"
  508.  
  509. [+] MX records found, added to target list
  510. 10 correo.mppp.gob.ve.
  511.  
  512. [*] Scanning mppp.gob.ve for A records
  513. 201.249.203.40 - mppp.gob.ve
  514. 201.249.203.37 - conference.mppp.gob.ve
  515. 201.249.203.33 - correo.mppp.gob.ve
  516. 201.249.201.69 - ns1.mppp.gob.ve
  517. 201.249.201.70 - ns2.mppp.gob.ve
  518. 201.249.203.44 - report.mppp.gob.ve
  519. 201.249.203.40 - www.mppp.gob.ve
  520. #######################################################################################################################################
  521.  
  522.  
  523. Total hosts: 57
  524.  
  525. [-] Resolving hostnames IPs...
  526.  
  527. 253Dinfoplan.mppp.gob.ve:empty
  528. 253Dmail.mppp.gob.ve:empty
  529. Infoplan.mppp.gob.ve:201.249.203.40
  530. bigbluebutton.mppp.gob.ve:empty
  531. collabora.mppp.gob.ve:201.249.203.38
  532. correo.mppp.gob.ve:201.249.203.33
  533. gitlab.mppp.gob.ve:201.249.203.46
  534. infoplan.mppp.gob.ve:201.249.203.40
  535. mail.mppp.gob.ve:empty
  536. mautic.mppp.gob.ve:201.249.203.45
  537. mtrreport-mail.mppp.gob.ve:empty
  538. nextcloud.mppp.gob.ve:empty
  539. ns1.mppp.gob.ve:201.249.201.69
  540. ns2.mppp.gob.ve:201.249.201.70
  541. nube.mppp.gob.ve:201.249.203.49
  542. openfire.mppp.gob.ve:201.249.203.37
  543. riot.mppp.gob.ve:empty
  544. sidepro.mppp.gob.ve:200.109.67.88
  545. siglas.mppp.gob.ve:201.249.203.42
  546. sipes.mppp.gob.ve:150.187.36.127
  547. sisov.mppp.gob.ve:empty
  548. snip.mppp.gob.ve:201.249.203.57
  549. specialzones.mppp.gob.ve:201.249.203.40
  550. www.infoplan.mppp.gob.ve:201.249.203.40
  551. www.mppp.gob.ve:201.249.203.40
  552. www.papelcero.mppp.gob.ve:201.249.203.40
  553. www.rernep.mppp.gob.ve:201.249.203.41
  554. www.sicecom.mppp.gob.ve:201.249.203.40
  555. www.specialzones.mppp.gob.ve:201.249.203.40
  556. www.zonaseconomicasespeciales.mppp.gob.ve:201.249.203.40
  557. zonaseconomicasespeciales.mppp.gob.ve:201.249.203.40
  558. ######################################################################################################################################
  559. ---------------------------------------------------------------------------------------------------------------------------------------
  560. + Target IP: 201.249.203.40
  561. + Target Hostname: 201.249.203.40
  562. + Target Port: 443
  563. ---------------------------------------------------------------------------------------------------------------------------------------
  564. + SSL Info: Subject: /C=VE/ST=DistritoCapital/L=Caracas/O=MPPP/OU=DGI/CN=mppp/emailAddress=soporte@mppp.gob.ve
  565. Ciphers: ECDHE-RSA-AES256-GCM-SHA384
  566. Issuer: /C=VE/ST=DistritoCapital/L=Caracas/O=MPPP/OU=DGI/CN=mppp/emailAddress=soporte@mppp.gob.ve
  567. + Start Time: 2018-11-07 06:23:46 (GMT-5)
  568. ---------------------------------------------------------------------------------------------------------------------------------------
  569. + Server: MicrosoftIIS/8.0
  570. + The anti-clickjacking X-Frame-Options header is not present.
  571. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  572. + The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
  573. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  574. + Cookie PHPSESSID created without the secure flag
  575. + Cookie PHPSESSID created without the httponly flag
  576. + Cookie wphc_seen created without the secure flag
  577. + Cookie wphc_seen created without the httponly flag
  578. + Root page / redirects to: https://www.mppp.gob.ve/
  579. + Uncommon header 'link' found, with contents: <https://www.mppp.gob.ve/>; rel=shortlink
  580. + The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
  581. + Hostname '201.249.203.40' does not match certificate's names: mppp
  582. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  583. + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
  584. + Server leaks inodes via ETags, header found with file /sitemap.xml, inode: 140176, size: 17622, mtime: Tue Aug 8 15:01:07 2017
  585. + OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
  586. + OSVDB-3092: /libro/: This might be interesting...
  587. + Uncommon header 'tcn' found, with contents: choice
  588. + OSVDB-3092: /readme: This might be interesting...
  589. + OSVDB-3233: /icons/README: Apache default file found.
  590. + /wp-links-opml.php: This WordPress script reveals the installed version.
  591. + OSVDB-3092: /license.txt: License file found may identify site software.
  592. + Cookie wordpress_test_cookie created without the httponly flag
  593. + OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
  594. + /.git/HEAD: Git HEAD file found. Full repo details may be present.
  595. + OSVDB-3268: /wp-content/uploads/: Directory indexing found.
  596. + /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
  597. + /.git/config: Git config file found. Infos about repo details may be present.
  598. + 8346 requests: 0 error(s) and 27 item(s) reported on remote host
  599. + End Time: 2018-11-07 09:40:18 (GMT-5) (11792 seconds)
  600. ---------------------------------------------------------------------------------------------------------------------------------------
  601. #######################################################################################################################################
  602. ---------------------------------------------------------------------------------------------------------------------------------------
  603. + Target IP: 201.249.203.40
  604. + Target Hostname: 201.249.203.40
  605. + Target Port: 80
  606. + Start Time: 2018-11-07 06:23:19 (GMT-5)
  607. ---------------------------------------------------------------------------------------------------------------------------------------
  608. + Server: No banner retrieved
  609. + The anti-clickjacking X-Frame-Options header is not present.
  610. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  611. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  612. + Cookie PHPSESSID created without the httponly flag
  613. + Cookie wphc_seen created without the httponly flag
  614. + Root page / redirects to: http://www.mppp.gob.ve/
  615. + Uncommon header 'link' found, with contents: <http://www.mppp.gob.ve/wp-json/>; rel="https://api.w.org/"
  616. + Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
  617. + Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  618. + "robots.txt" contains 2 entries which should be manually viewed.
  619. + Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0
  620. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  621. + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
  622. + /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
  623. + Server leaks inodes via ETags, header found with file /sitemap.xml, inode: 140176, size: 17622, mtime: Tue Aug 8 15:01:07 2017
  624. + OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
  625. + OSVDB-3092: /libro/: This might be interesting...
  626. + OSVDB-3092: /noticias/: This might be interesting...
  627. + OSVDB-3233: /icons/README: Apache default file found.
  628. + /wp-links-opml.php: This WordPress script reveals the installed version.
  629. + OSVDB-3092: /license.txt: License file found may identify site software.
  630. + /wp-app.log: Wordpress' wp-app.log may leak application/system details.
  631. + /login1/: Admin login page/section found.
  632. + /wordpress/: A Wordpress installation was found.
  633. + /.git/HEAD: Git HEAD file found. Full repo details may be present.
  634. + /portal/changelog: Vignette richtext HTML editor changelog found.
  635. + /.git/config: Git config file found. Infos about repo details may be present.
  636. #######################################################################################################################################
  637. ---------------------------------------------------------------------------------------------------------------------------------------
  638. + Target IP: 201.249.203.40
  639. + Target Hostname: www.mppp.gob.ve
  640. + Target Port: 80
  641. + Start Time: 2018-11-07 06:23:31 (GMT-5)
  642. ---------------------------------------------------------------------------------------------------------------------------------------
  643. + Server: No banner retrieved
  644. + The anti-clickjacking X-Frame-Options header is not present.
  645. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  646. + Uncommon header 'link' found, with contents: <http://www.mppp.gob.ve/>; rel=shortlink
  647. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  648. + Cookie PHPSESSID created without the httponly flag
  649. + Cookie wphc_seen created without the httponly flag
  650. + Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
  651. + Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
  652. + "robots.txt" contains 2 entries which should be manually viewed.
  653. + Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0
  654. + Server leaks inodes via ETags, header found with file /wp-content/uploads/2013/11/favicon.ico, inode: 6613, size: 16958, mtime: Tue Aug 8 15:00:34 2017
  655. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  656. + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
  657. + /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
  658. #######################################################################################################################################
  659. [+] URL: http://www.mppp.gob.ve/
  660. [+] Started: Wed Nov 7 01:46:05 2018
  661.  
  662. Interesting Finding(s):
  663.  
  664. [+] http://www.mppp.gob.ve/robots.txt
  665. | Interesting Entries:
  666. | - /wp-admin/
  667. | - /wp-admin/admin-ajax.php
  668. | Found By: Robots Txt (Aggressive Detection)
  669. | Confidence: 100%
  670.  
  671. [+] http://www.mppp.gob.ve/xmlrpc.php
  672. | Found By: Direct Access (Aggressive Detection)
  673. | Confidence: 100%
  674. | References:
  675. | - http://codex.wordpress.org/XML-RPC_Pingback_API
  676. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
  677. | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
  678. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
  679. | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
  680.  
  681. [+] http://www.mppp.gob.ve/readme.html
  682. | Found By: Direct Access (Aggressive Detection)
  683. | Confidence: 100%
  684.  
  685. [+] WordPress version 4.8.1 identified (Released on 2017-08-02).
  686. | Detected By: Rss Generator (Passive Detection)
  687. | - http://www.mppp.gob.ve/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
  688. | - http://www.mppp.gob.ve/comments/feed/, <generator>https://wordpress.org/?v=4.8.1</generator>
  689. |
  690. | [!] 18 vulnerabilities identified:
  691. |
  692. | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
  693. | Fixed in: 4.8.2
  694. | References:
  695. | - https://wpvulndb.com/vulnerabilities/8905
  696. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  697. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
  698. | - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
  699. |
  700. | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
  701. | Fixed in: 4.8.2
  702. | References:
  703. | - https://wpvulndb.com/vulnerabilities/8910
  704. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
  705. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  706. | - https://core.trac.wordpress.org/changeset/41398
  707. |
  708. | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
  709. | Fixed in: 4.8.2
  710. | References:
  711. | - https://wpvulndb.com/vulnerabilities/8911
  712. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
  713. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  714. | - https://core.trac.wordpress.org/changeset/41457
  715. |
  716. | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
  717. | Fixed in: 4.8.2
  718. | References:
  719. | - https://wpvulndb.com/vulnerabilities/8912
  720. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
  721. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  722. | - https://core.trac.wordpress.org/changeset/41397
  723. |
  724. | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
  725. | Fixed in: 4.8.2
  726. | References:
  727. | - https://wpvulndb.com/vulnerabilities/8913
  728. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
  729. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  730. | - https://core.trac.wordpress.org/changeset/41448
  731. |
  732. | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
  733. | Fixed in: 4.8.2
  734. | References:
  735. | - https://wpvulndb.com/vulnerabilities/8914
  736. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
  737. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
  738. | - https://core.trac.wordpress.org/changeset/41395
  739. | - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
  740. |
  741. | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
  742. | References:
  743. | - https://wpvulndb.com/vulnerabilities/8807
  744. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
  745. | - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
  746. | - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
  747. | - https://core.trac.wordpress.org/ticket/25239
  748. |
  749. | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
  750. | Fixed in: 4.8.3
  751. | References:
  752. | - https://wpvulndb.com/vulnerabilities/8941
  753. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
  754. | - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
  755. | - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
  756. | - https://twitter.com/ircmaxell/status/923662170092638208
  757. | - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
  758. |
  759. | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
  760. | Fixed in: 4.8.4
  761. | References:
  762. | - https://wpvulndb.com/vulnerabilities/8966
  763. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
  764. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
  765. | - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
  766. |
  767. | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
  768. | Fixed in: 4.8.4
  769. | References:
  770. | - https://wpvulndb.com/vulnerabilities/8967
  771. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
  772. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
  773. | - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
  774. |
  775. | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
  776. | Fixed in: 4.8.4
  777. | References:
  778. | - https://wpvulndb.com/vulnerabilities/8968
  779. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
  780. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
  781. | - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
  782. |
  783. | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
  784. | Fixed in: 4.8.4
  785. | References:
  786. | - https://wpvulndb.com/vulnerabilities/8969
  787. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
  788. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
  789. | - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
  790. |
  791. | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
  792. | Fixed in: 4.8.5
  793. | References:
  794. | - https://wpvulndb.com/vulnerabilities/9006
  795. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
  796. | - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
  797. | - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
  798. | - https://core.trac.wordpress.org/ticket/42720
  799. |
  800. | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
  801. | References:
  802. | - https://wpvulndb.com/vulnerabilities/9021
  803. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
  804. | - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
  805. | - https://github.com/quitten/doser.py
  806. | - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
  807. |
  808. | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
  809. | Fixed in: 4.8.6
  810. | References:
  811. | - https://wpvulndb.com/vulnerabilities/9053
  812. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
  813. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
  814. | - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
  815. |
  816. | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
  817. | Fixed in: 4.8.6
  818. | References:
  819. | - https://wpvulndb.com/vulnerabilities/9054
  820. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
  821. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
  822. | - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
  823. |
  824. | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
  825. | Fixed in: 4.8.6
  826. | References:
  827. | - https://wpvulndb.com/vulnerabilities/9055
  828. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
  829. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
  830. | - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
  831. |
  832. | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
  833. | Fixed in: 4.8.7
  834. | References:
  835. | - https://wpvulndb.com/vulnerabilities/9100
  836. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
  837. | - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
  838. | - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
  839. | - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
  840. | - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
  841. | - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
  842.  
  843. [+] WordPress theme in use: planshet
  844. | Location: http://www.mppp.gob.ve/wp-content/themes/planshet/
  845. | Readme: http://www.mppp.gob.ve/wp-content/themes/planshet/readme.txt
  846. | Changelog: http://www.mppp.gob.ve/wp-content/themes/planshet/changelog.txt
  847. | [!] An error log file has been found: http://www.mppp.gob.ve/wp-content/themes/planshet/error_log
  848. | Style URL: http://www.mppp.gob.ve/wp-content/themes/planshet/style.css
  849. |
  850. | Detected By: Css Style (Passive Detection)
  851. | Confirmed By: Urls In Homepage (Passive Detection)
  852. |
  853. | The version could not be determined.
  854.  
  855. [+] Enumerating Vulnerable Plugins
  856. [+] Checking Plugin Versions
  857.  
  858. [i] Plugin(s) Identified:
  859.  
  860. [+] contact-form-7
  861. | Location: http://www.mppp.gob.ve/wp-content/plugins/contact-form-7/
  862. | Last Updated: 2018-10-29T23:58:00.000Z
  863. | [!] The version is out of date, the latest version is 5.0.5
  864. |
  865. | Detected By: Urls In Homepage (Passive Detection)
  866. |
  867. | [!] 1 vulnerability identified:
  868. |
  869. | [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
  870. | Fixed in: 5.0.4
  871. | References:
  872. | - https://wpvulndb.com/vulnerabilities/9127
  873. | - https://contactform7.com/2018/09/04/contact-form-7-504/
  874. | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
  875. | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
  876. | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
  877. | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
  878. |
  879. | Version: 4.8.1 (100% confidence)
  880. | Detected By: Query Parameter (Passive Detection)
  881. | - http://www.mppp.gob.ve/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.8.1
  882. | - http://www.mppp.gob.ve/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.8.1
  883. | Confirmed By:
  884. | Readme - Stable Tag (Aggressive Detection)
  885. | - http://www.mppp.gob.ve/wp-content/plugins/contact-form-7/readme.txt
  886. | Readme - ChangeLog Section (Aggressive Detection)
  887. | - http://www.mppp.gob.ve/wp-content/plugins/contact-form-7/readme.txt
  888.  
  889. [+] events-manager
  890. | Location: http://www.mppp.gob.ve/wp-content/plugins/events-manager/
  891. | Last Updated: 2018-08-07T19:10:00.000Z
  892. | [!] The version is out of date, the latest version is 5.9.5
  893. |
  894. | Detected By: Urls In Homepage (Passive Detection)
  895. |
  896. | [!] 1 vulnerability identified:
  897. |
  898. | [!] Title: Events Manager <= 5.8.1.1 - Unauthenticated Stored XSS
  899. | Fixed in: 5.8.1.2
  900. | References:
  901. | - https://wpvulndb.com/vulnerabilities/9047
  902. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9020
  903. | - https://www.gubello.me/blog/events-manager-authenticated-stored-xss/
  904. |
  905. | Version: 5.7.3 (100% confidence)
  906. | Detected By: Readme - Stable Tag (Aggressive Detection)
  907. | - http://www.mppp.gob.ve/wp-content/plugins/events-manager/readme.txt
  908. | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
  909. | - http://www.mppp.gob.ve/wp-content/plugins/events-manager/readme.txt
  910.  
  911. [+] wp-custom-fields-search
  912. | Location: http://www.mppp.gob.ve/wp-content/plugins/wp-custom-fields-search/
  913. | Last Updated: 2018-10-10T18:47:00.000Z
  914. | [!] The version is out of date, the latest version is 1.2.12
  915. |
  916. | Detected By: Urls In Homepage (Passive Detection)
  917. |
  918. | [!] 1 vulnerability identified:
  919. |
  920. | [!] Title: WP Custom Fields Search - Unauthenticated Reflected Cross-Site Scripting (XSS)
  921. | References:
  922. | - https://wpvulndb.com/vulnerabilities/8848
  923. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9419
  924. | - https://dtsa.eu/cve-2017-9419-wordpress-wp-custom-fields-search-v-0-3-28-reflected-cross-site-scripting-xss/
  925. |
  926. | Version: 0.3.23 (80% confidence)
  927. | Detected By: Readme - Stable Tag (Aggressive Detection)
  928. | - http://www.mppp.gob.ve/wp-content/plugins/wp-custom-fields-search/README.txt
  929.  
  930. [+] Enumerating Vulnerable Themes
  931. Checking Known Locations - Time: 00:02:25 <> (287 / 287) 100.00% Time: 00:02:25
  932. [+] Checking Theme Versions
  933.  
  934. [i] No themes Found.
  935.  
  936. [+] Enumerating Timthumbs
  937.  
  938. [i] No Timthumbs Found.
  939.  
  940. [+] Enumerating Config Backups
  941. Checking Config Backups - Time: 00:00:11 <===> (21 / 21) 100.00% Time: 00:00:11
  942.  
  943. [i] No Config Backups Found.
  944.  
  945. [+] Enumerating DB Exports
  946. Checking DB Exports - Time: 00:00:17 <=======> (36 / 36) 100.00% Time: 00:00:17
  947.  
  948. [i] No DB Exports Found.
  949.  
  950.  
  951. [i] No Medias Found.
  952.  
  953. [+] Enumerating Users
  954. Brute Forcing Author IDs - Time: 00:00:07 <==> (10 / 10) 100.00% Time: 00:00:07
  955.  
  956. [i] User(s) Identified:
  957.  
  958. [+] Marian Marrero
  959. | Detected By: Rss Generator (Passive Detection)
  960. | Confirmed By: Rss Generator (Aggressive Detection)
  961.  
  962. [+] editor
  963. | Detected By: Wp Json Api (Aggressive Detection)
  964. | - http://www.mppp.gob.ve/wp-json/wp/v2/users/
  965. | Confirmed By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  966.  
  967. [+] mmarrero
  968. | Detected By: Wp Json Api (Aggressive Detection)
  969. | - http://www.mppp.gob.ve/wp-json/wp/v2/users/
  970.  
  971. [+] oticmppp
  972. | Detected By: Wp Json Api (Aggressive Detection)
  973. | - http://www.mppp.gob.ve/wp-json/wp/v2/users/
  974. | Confirmed By: Oembed API - Author URL (Aggressive Detection)
  975. | - http://www.mppp.gob.ve/wp-json/oembed/1.0/embed?url=http://www.mppp.gob.ve/&format=json
  976.  
  977. [+] sistema
  978. | Detected By: Wp Json Api (Aggressive Detection)
  979. | - http://www.mppp.gob.ve/wp-json/wp/v2/users/
  980. | Confirmed By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  981.  
  982. [+] Finished: Wed Nov 7 02:12:28 2018
  983. [+] Requests Done: 3074
  984. [+] Cached Requests: 7
  985. [+] Data Sent: 713.975 KB
  986. [+] Data Received: 193.655 MB
  987. [+] Memory used: 196.941 MB
  988. [+] Elapsed time: 00:26:23
  989.  
  990. #######################################################################################################################################
  991.  
  992. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:43 EST
  993. Nmap scan report for 201.249.203.40
  994. Host is up (0.13s latency).
  995. Not shown: 471 filtered ports, 3 closed ports
  996. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
  997. PORT STATE SERVICE
  998. 80/tcp open http
  999. 443/tcp open https
  1000. #######################################################################################################################################
  1001. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:43 EST
  1002. Nmap scan report for 201.249.203.40
  1003. Host is up (0.11s latency).
  1004. Not shown: 2 filtered ports
  1005. PORT STATE SERVICE
  1006. 53/udp open|filtered domain
  1007. 67/udp open|filtered dhcps
  1008. 68/udp open|filtered dhcpc
  1009. 69/udp open|filtered tftp
  1010. 88/udp open|filtered kerberos-sec
  1011. 123/udp open|filtered ntp
  1012. 139/udp open|filtered netbios-ssn
  1013. 161/udp open|filtered snmp
  1014. 162/udp open|filtered snmptrap
  1015. 389/udp open|filtered ldap
  1016. 520/udp open|filtered route
  1017. 2049/udp open|filtered nfs
  1018. #######################################################################################################################################
  1019. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:44 EST
  1020. Nmap scan report for 201.249.203.40
  1021. Host is up.
  1022.  
  1023. PORT STATE SERVICE VERSION
  1024. 67/udp open|filtered dhcps
  1025. |_dhcp-discover: ERROR: Script execution failed (use -d to debug)
  1026. Too many fingerprints match this host to give specific OS details
  1027.  
  1028. TRACEROUTE (using proto 1/icmp)
  1029. HOP RTT ADDRESS
  1030. 1 106.02 ms 10.244.200.1
  1031. 2 116.82 ms vlan200.bb1.par1.fr.m247.com (185.94.189.129)
  1032. 3 115.63 ms 82.102.29.40
  1033. 4 115.67 ms 82.102.29.61
  1034. 5 121.76 ms 77.243.180.166
  1035. 6 ...
  1036. 7 221.75 ms us-was03a-rd1-ae102-0.aorta.net (84.116.130.122)
  1037. 8 221.70 ms us-was03a-ri1-ae11-0.aorta.net (84.116.130.165)
  1038. 9 243.24 ms 213.46.182.18
  1039. 10 232.68 ms 69.79.100.23
  1040. 11 232.92 ms 63.245.5.183
  1041. 12 300.04 ms 63.245.45.174
  1042. 13 ... 16
  1043. 17 303.59 ms 201-249-202-146.estatic.cantv.net (201.249.202.146)
  1044. 18 ... 30
  1045. #######################################################################################################################################
  1046. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:46 EST
  1047. Nmap scan report for 201.249.203.40
  1048. Host is up.
  1049.  
  1050. PORT STATE SERVICE VERSION
  1051. 68/udp open|filtered dhcpc
  1052. Too many fingerprints match this host to give specific OS details
  1053.  
  1054. TRACEROUTE (using proto 1/icmp)
  1055. HOP RTT ADDRESS
  1056. 1 106.34 ms 10.244.200.1
  1057. 2 109.79 ms vlan200.bb1.par1.fr.m247.com (185.94.189.129)
  1058. 3 115.53 ms 82.102.29.40
  1059. 4 115.96 ms 82.102.29.61
  1060. 5 116.01 ms 77.243.180.166
  1061. 6 117.60 ms 84.116.130.177
  1062. 7 221.67 ms us-was03a-rd1-ae102-0.aorta.net (84.116.130.122)
  1063. 8 221.63 ms us-was03a-ri1-ae11-0.aorta.net (84.116.130.165)
  1064. 9 242.98 ms 213.46.182.18
  1065. 10 232.63 ms 69.79.100.23
  1066. 11 232.76 ms 63.245.5.183
  1067. 12 301.95 ms 63.245.45.174
  1068. 13 ... 16
  1069. 17 306.12 ms 201-249-202-146.estatic.cantv.net (201.249.202.146)
  1070. 18 ... 30
  1071. #######################################################################################################################################
  1072. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:48 EST
  1073. Nmap scan report for 201.249.203.40
  1074. Host is up.
  1075.  
  1076. PORT STATE SERVICE VERSION
  1077. 69/udp open|filtered tftp
  1078. Too many fingerprints match this host to give specific OS details
  1079.  
  1080. TRACEROUTE (using proto 1/icmp)
  1081. HOP RTT ADDRESS
  1082. 1 106.92 ms 10.244.200.1
  1083. 2 108.47 ms vlan200.bb1.par1.fr.m247.com (185.94.189.129)
  1084. 3 128.35 ms 82.102.29.40
  1085. 4 116.69 ms 82.102.29.61
  1086. 5 116.74 ms 77.243.180.166
  1087. 6 116.99 ms 84.116.130.177
  1088. 7 222.64 ms us-was03a-rd1-ae102-0.aorta.net (84.116.130.122)
  1089. 8 222.62 ms us-was03a-ri1-ae11-0.aorta.net (84.116.130.165)
  1090. 9 243.93 ms 213.46.182.18
  1091. 10 233.62 ms 69.79.100.23
  1092. 11 235.50 ms 63.245.5.183
  1093. 12 304.04 ms 63.245.45.174
  1094. 13 ... 16
  1095. 17 302.84 ms 201-249-202-146.estatic.cantv.net (201.249.202.146)
  1096. 18 ... 30
  1097.  
  1098. #######################################################################################################################################
  1099.  
  1108. WAFW00F - Web Application Firewall Detection Tool
  1109.  
  1110. By Sandro Gauci && Wendel G. Henrique
  1111.  
  1112. Checking http://201.249.203.40
  1113. The site http://201.249.203.40 is behind a ModSecurity (OWASP CRS)
  1114. Number of requests: 12
  1115. #######################################################################################################################################
  1116. http://201.249.203.40 [301 Moved Permanently] Cookies[PHPSESSID,wphc_seen], Country[VENEZUELA][VE], IP[201.249.203.40], RedirectLocation[http://www.mppp.gob.ve/]
  1117. http://www.mppp.gob.ve/ [200 OK] Cookies[PHPSESSID,wphc_seen], Country[VENEZUELA][VE], Frame, HTML5, IP[201.249.203.40], JQuery[4.8.1], Lightbox, MetaGenerator[WordPress 4.8.1], Script[text/javascript], Title[MPPP | Ministerio del Poder Popular de Planificación], UncommonHeaders[link], WordPress[4.8,4.8.1], YouTube
  1118. #######################################################################################################################################
  1119.  
  1120. wig - WebApp Information Gatherer
  1121.  
  1122.  
  1123. Scanning http://www.mppp.gob.ve...
  1124. ___________________________________________ SITE INFO ____________________________________________
  1125. IP Title
  1126. 201.249.203.40 MPPP | Ministerio del Poder Popular de Planificación
  1127.  
  1128. ____________________________________________ VERSION _____________________________________________
  1129. Name Versions Type
  1130. WordPress 4.8 | 4.8.1 CMS
  1131. Apache 2.2.11 | 2.2.12 | 2.2.13 | 2.2.14 | 2.2.15 | 2.2.16 | 2.2.17 Platform
  1132. 2.2.18 | 2.2.19 | 2.2.20 | 2.2.21 | 2.2.22 | 2.2.23 | 2.2.24
  1133. 2.2.25 | 2.2.26 | 2.2.27 | 2.2.28 | 2.2.29 | 2.3.0 | 2.3.1
  1134. 2.3.10 | 2.3.11 | 2.3.12 | 2.3.13 | 2.3.14 | 2.3.15 | 2.3.16
  1135. 2.3.2 | 2.3.3 | 2.3.4 | 2.3.5 | 2.3.6 | 2.3.7 | 2.3.8
  1136. 2.3.9 | 2.4.0 | 2.4.1 | 2.4.2 | 2.4.3
  1137. PHP Platform
  1138.  
  1139. __________________________________________ INTERESTING ___________________________________________
  1140. URL Note Type
  1141. /readme.html Wordpress readme Interesting
  1142. /readme.html Readme file Interesting
  1143. /robots.txt robots.txt index Interesting
  1144.  
  1145. _____________________________________________ TOOLS ______________________________________________
  1146. Name Link Software
  1147. wpscan https://github.com/wpscanteam/wpscan WordPress
  1148. CMSmap https://github.com/Dionach/CMSmap WordPress
  1149.  
  1150. __________________________________________________________________________________________________
  1151. Time: 210.4 sec Urls: 556 Fingerprints: 40401
  1152. #######################################################################################################################################
  1153. HTTP/1.1 301 Moved Permanently
  1154. Date: Wed, 07 Nov 2018 09:28:11 GMT
  1155. Set-Cookie: PHPSESSID=vjoitafde7n3eq6r7aar56sh82; path=/
  1156. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  1157. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  1158. Pragma: no-cache
  1159. Set-Cookie: wphc_seen=1; expires=Thu, 08-Nov-2018 09:28:12 GMT
  1160. Location: http://www.mppp.gob.ve/
  1161. Vary: Accept-Encoding
  1162. Content-Encoding: gzip
  1163. Content-Length: 20
  1164. Content-Type: text/html; charset=UTF-8
  1165. Connection: keep-alive
  1166. #######################################################################################################################################
  1167. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:57 EST
  1168. Nmap scan report for 201.249.203.40
  1169. Host is up.
  1170.  
  1171. PORT STATE SERVICE VERSION
  1172. 123/udp open|filtered ntp
  1173. Too many fingerprints match this host to give specific OS details
  1174.  
  1175. TRACEROUTE (using proto 1/icmp)
  1176. HOP RTT ADDRESS
  1177. 1 105.85 ms 10.244.200.1
  1178. 2 117.67 ms vlan200.bb1.par1.fr.m247.com (185.94.189.129)
  1179. 3 126.86 ms 82.102.29.40
  1180. 4 115.66 ms 82.102.29.61
  1181. 5 115.70 ms 77.243.180.166
  1182. 6 116.25 ms 84.116.130.177
  1183. 7 221.67 ms us-was03a-rd1-ae102-0.aorta.net (84.116.130.122)
  1184. 8 221.49 ms us-was03a-ri1-ae11-0.aorta.net (84.116.130.165)
  1185. 9 243.01 ms 213.46.182.18
  1186. 10 232.55 ms 69.79.100.23
  1187. 11 232.67 ms 63.245.5.183
  1188. 12 300.00 ms 63.245.45.174
  1189. 13 ... 16
  1190. 17 302.72 ms 201-249-202-146.estatic.cantv.net (201.249.202.146)
  1191. 18 ... 30
  1192. #######################################################################################################################################
  1193. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 03:59 EST
  1194. Nmap scan report for 201.249.203.40
  1195. Host is up (0.11s latency).
  1196.  
  1197. PORT STATE SERVICE VERSION
  1198. 161/tcp filtered snmp
  1199. 161/udp open|filtered snmp
  1200. Too many fingerprints match this host to give specific OS details
  1201.  
  1202. TRACEROUTE (using proto 1/icmp)
  1203. HOP RTT ADDRESS
  1204. 1 106.58 ms 10.244.200.1
  1205. 2 137.98 ms vlan200.bb1.par1.fr.m247.com (185.94.189.129)
  1206. 3 119.21 ms 82.102.29.40
  1207. 4 116.38 ms 82.102.29.61
  1208. 5 116.40 ms 77.243.180.166
  1209. 6 117.06 ms 84.116.130.177
  1210. 7 222.57 ms us-was03a-rd1-ae102-0.aorta.net (84.116.130.122)
  1211. 8 222.27 ms us-was03a-ri1-ae11-0.aorta.net (84.116.130.165)
  1212. 9 243.77 ms 213.46.182.18
  1213. 10 233.22 ms 69.79.100.23
  1214. 11 233.63 ms 63.245.5.183
  1215. 12 298.63 ms 63.245.45.174
  1216. 13 ... 16
  1217. 17 303.61 ms 201-249-202-146.estatic.cantv.net (201.249.202.146)
  1218. 18 ... 30
  1219. #######################################################################################################################################
  1228. WAFW00F - Web Application Firewall Detection Tool
  1229.  
  1230. By Sandro Gauci && Wendel G. Henrique
  1231.  
  1232. Checking https://201.249.203.40
  1233. The site https://201.249.203.40 is behind a ModSecurity (OWASP CRS)
  1234. Number of requests: 11
  1235. #######################################################################################################################################
  1236.  
  1237.  
  1238.  
  1239. AVAILABLE PLUGINS
  1240. -----------------
  1241.  
  1242. PluginCertInfo
  1243. PluginChromeSha1Deprecation
  1244. PluginSessionRenegotiation
  1245. PluginHSTS
  1246. PluginSessionResumption
  1247. PluginOpenSSLCipherSuites
  1248. PluginHeartbleed
  1249. PluginCompression
  1250.  
  1251.  
  1252.  
  1253. CHECKING HOST(S) AVAILABILITY
  1254. -----------------------------
  1255.  
  1256. 201.249.203.40:443 => 201.249.203.40:443
  1257.  
  1258.  
  1259.  
  1260. SCAN RESULTS FOR 201.249.203.40:443 - 201.249.203.40:443
  1261. --------------------------------------------------------
  1262.  
  1263. * Deflate Compression:
  1264. OK - Compression disabled
  1265.  
  1266. * Session Renegotiation:
  1267. Client-initiated Renegotiations: OK - Rejected
  1268. Secure Renegotiation: OK - Supported
  1269.  
  1270. * Certificate - Content:
  1271. SHA1 Fingerprint: aeada941188f2dc870662075108e319ecf6f7520
  1272. Common Name: mppp
  1273. Issuer: mppp
  1274. Serial Number: CD13B17446FFC19D
  1275. Not Before: Mar 6 16:07:17 2014 GMT
  1276. Not After: Mar 6 16:07:17 2015 GMT
  1277. Signature Algorithm: sha1WithRSAEncryption
  1278. Public Key Algorithm: rsaEncryption
  1279. Key Size: 2048 bit
  1280. Exponent: 65537 (0x10001)
  1281.  
  1282. * Certificate - Trust:
  1283. Hostname Validation: FAILED - Certificate does NOT match 201.249.203.40
  1284. Google CA Store (09/2015): FAILED - Certificate is NOT Trusted: self signed certificate
  1285. Java 6 CA Store (Update 65): FAILED - Certificate is NOT Trusted: self signed certificate
  1286. Microsoft CA Store (09/2015): FAILED - Certificate is NOT Trusted: self signed certificate
  1287. Mozilla NSS CA Store (09/2015): FAILED - Certificate is NOT Trusted: self signed certificate
  1288. Apple CA Store (OS X 10.10.5): FAILED - Certificate is NOT Trusted: self signed certificate
  1289. Certificate Chain Received: ['mppp']
  1290.  
  1291. * Certificate - OCSP Stapling:
  1292. NOT SUPPORTED - Server did not send back an OCSP response.
  1293.  
  1294. * Session Resumption:
  1295. With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
  1296. With TLS Session Tickets: OK - Supported
  1297.  
  1298. * SSLV2 Cipher Suites:
  1299. Server rejected all cipher suites.
  1300.  
  1301. * SSLV3 Cipher Suites:
  1302. Preferred:
  1303. ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits
  1304. Accepted:
  1305. ECDHE-RSA-AES256-SHA ECDH-256 bits 256 bits
  1306. DHE-RSA-CAMELLIA256-SHA DH-2048 bits 256 bits
  1307. DHE-RSA-AES256-SHA DH-2048 bits 256 bits
  1308. CAMELLIA256-SHA - 256 bits
  1309. AES256-SHA - 256 bits
  1310. ECDHE-RSA-RC4-SHA ECDH-256 bits 128 bits
  1311. ECDHE-RSA-AES128-SHA ECDH-256 bits 128 bits
  1312. DHE-RSA-SEED-SHA DH-2048 bits 128 bits
  1313. DHE-RSA-CAMELLIA128-SHA DH-2048 bits 128 bits
  1314. DHE-RSA-AES128-SHA DH-2048 bits 128 bits
  1315. SEED-SHA - 128 bits
  1316. RC4-SHA - 128 bits
  1317. CAMELLIA128-SHA - 128 bits
  1318. AES128-SHA - 128 bits
  1319. ECDHE-RSA-DES-CBC3-SHA ECDH-256 bits 112 bits
  1320. EDH-RSA-DES-CBC3-SHA DH-2048 bits 112 bits
  1321. DES-CBC3-SHA - 112 bits
  1322.  
  1323.  
  1324.  
  1325. SCAN COMPLETED IN 6.80 S
  1326. ------------------------
  1327. Version: 1.11.12-static
  1328. OpenSSL 1.0.2-chacha (1.0.2g-dev)
  1329.  
  1330. Connected to 201.249.203.40
  1331.  
  1332. Testing SSL server 201.249.203.40 on port 443 using SNI name 201.249.203.40
  1333.  
  1334. TLS Fallback SCSV:
  1335. Server supports TLS Fallback SCSV
  1336.  
  1337. TLS renegotiation:
  1338. Secure session renegotiation supported
  1339.  
  1340. TLS Compression:
  1341. Compression disabled
  1342.  
  1343. Heartbleed:
  1344. TLS 1.2 not vulnerable to heartbleed
  1345. TLS 1.1 not vulnerable to heartbleed
  1346. TLS 1.0 not vulnerable to heartbleed
  1347.  
  1348. Supported Server Cipher(s):
  1349. Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
  1350. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
  1351. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1352. Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
  1353. Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits
  1354. Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
  1355. Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
  1356. Accepted TLSv1.2 256 bits AES256-GCM-SHA384
  1357. Accepted TLSv1.2 256 bits AES256-SHA256
  1358. Accepted TLSv1.2 256 bits AES256-SHA
  1359. Accepted TLSv1.2 256 bits CAMELLIA256-SHA
  1360. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
  1361. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
  1362. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1363. Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
  1364. Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits
  1365. Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
  1366. Accepted TLSv1.2 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
  1367. Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
  1368. Accepted TLSv1.2 128 bits AES128-GCM-SHA256
  1369. Accepted TLSv1.2 128 bits AES128-SHA256
  1370. Accepted TLSv1.2 128 bits AES128-SHA
  1371. Accepted TLSv1.2 128 bits SEED-SHA
  1372. Accepted TLSv1.2 128 bits CAMELLIA128-SHA
  1373. Accepted TLSv1.2 128 bits ECDHE-RSA-RC4-SHA Curve P-256 DHE 256
  1374. Accepted TLSv1.2 128 bits RC4-SHA
  1375. Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
  1376. Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
  1377. Accepted TLSv1.2 112 bits DES-CBC3-SHA
  1378. Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1379. Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
  1380. Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
  1381. Accepted TLSv1.1 256 bits AES256-SHA
  1382. Accepted TLSv1.1 256 bits CAMELLIA256-SHA
  1383. Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1384. Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
  1385. Accepted TLSv1.1 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
  1386. Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
  1387. Accepted TLSv1.1 128 bits AES128-SHA
  1388. Accepted TLSv1.1 128 bits SEED-SHA
  1389. Accepted TLSv1.1 128 bits CAMELLIA128-SHA
  1390. Accepted TLSv1.1 128 bits ECDHE-RSA-RC4-SHA Curve P-256 DHE 256
  1391. Accepted TLSv1.1 128 bits RC4-SHA
  1392. Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
  1393. Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
  1394. Accepted TLSv1.1 112 bits DES-CBC3-SHA
  1395. Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1396. Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
  1397. Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
  1398. Accepted TLSv1.0 256 bits AES256-SHA
  1399. Accepted TLSv1.0 256 bits CAMELLIA256-SHA
  1400. Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1401. Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
  1402. Accepted TLSv1.0 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
  1403. Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
  1404. Accepted TLSv1.0 128 bits AES128-SHA
  1405. Accepted TLSv1.0 128 bits SEED-SHA
  1406. Accepted TLSv1.0 128 bits CAMELLIA128-SHA
  1407. Accepted TLSv1.0 128 bits ECDHE-RSA-RC4-SHA Curve P-256 DHE 256
  1408. Accepted TLSv1.0 128 bits RC4-SHA
  1409. Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
  1410. Accepted TLSv1.0 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
  1411. Accepted TLSv1.0 112 bits DES-CBC3-SHA
  1412. Preferred SSLv3 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
  1413. Accepted SSLv3 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
  1414. Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
  1415. Accepted SSLv3 256 bits AES256-SHA
  1416. Accepted SSLv3 256 bits CAMELLIA256-SHA
  1417. Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
  1418. Accepted SSLv3 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
  1419. Accepted SSLv3 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
  1420. Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
  1421. Accepted SSLv3 128 bits AES128-SHA
  1422. Accepted SSLv3 128 bits SEED-SHA
  1423. Accepted SSLv3 128 bits CAMELLIA128-SHA
  1424. Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA Curve P-256 DHE 256
  1425. Accepted SSLv3 128 bits RC4-SHA
  1426. Accepted SSLv3 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
  1427. Accepted SSLv3 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
  1428. Accepted SSLv3 112 bits DES-CBC3-SHA
  1429.  
  1430. SSL Certificate:
  1431. Signature Algorithm: sha1WithRSAEncryption
  1432. RSA Key Strength: 2048
  1433.  
  1434. Subject: mppp
  1435. Issuer: mppp
  1436.  
  1437. Not valid before: Mar 6 16:07:17 2014 GMT
  1438. Not valid after: Mar 6 16:07:17 2015 GMT
  1439.  
  1440. ######################################################################################################################################
  1441.  
  1442. I, [2018-11-07T04:05:57.359627 #10640] INFO -- : Initiating port scan
  1443. I, [2018-11-07T04:08:47.223919 #10640] INFO -- : Using nmap scan output file logs/nmap_output_2018-11-07_04-05-57.xml
  1444. I, [2018-11-07T04:08:47.250943 #10640] INFO -- : Discovered open port: 201.249.203.40:80
  1445. I, [2018-11-07T04:08:51.341409 #10640] INFO -- : Discovered open port: 201.249.203.40:443
  1446. I, [2018-11-07T04:08:53.766629 #10640] INFO -- : <<<Enumerating vulnerable applications>>>
  1447.  
  1448.  
  1449. --------------------------------------------------------
  1450. <<<Yasuo discovered following vulnerable applications>>>
  1451. --------------------------------------------------------
  1452. +----------+--------------------+-------------------+----------+----------+
  1453. | App Name | URL to Application | Potential Exploit | Username | Password |
  1454. +----------+--------------------+-------------------+----------+----------+
  1455. +----------+--------------------+-------------------+----------+----------+
  1456. #######################################################################################################################################
  1457. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 04:16 EST
  1458. NSE: Loaded 148 scripts for scanning.
  1459. NSE: Script Pre-scanning.
  1460. Initiating NSE at 04:16
  1461. Completed NSE at 04:16, 0.00s elapsed
  1462. Initiating NSE at 04:16
  1463. Completed NSE at 04:16, 0.00s elapsed
  1464. Initiating Parallel DNS resolution of 1 host. at 04:16
  1465. Completed Parallel DNS resolution of 1 host. at 04:16, 16.50s elapsed
  1466. Initiating SYN Stealth Scan at 04:16
  1467. Scanning 201.249.203.40 [474 ports]
  1468. Discovered open port 80/tcp on 201.249.203.40
  1469. Discovered open port 443/tcp on 201.249.203.40
  1470. Completed SYN Stealth Scan at 04:16, 13.41s elapsed (474 total ports)
  1471. Initiating Service scan at 04:16
  1472. Scanning 2 services on 201.249.203.40
  1473. Service scan Timing: About 50.00% done; ETC: 04:18 (0:00:40 remaining)
  1474. Completed Service scan at 04:18, 129.29s elapsed (2 services on 1 host)
  1475. Initiating OS detection (try #1) against 201.249.203.40
  1476. Retrying OS detection (try #2) against 201.249.203.40
  1477. Initiating Traceroute at 04:18
  1478. Completed Traceroute at 04:18, 0.12s elapsed
  1479. Initiating Parallel DNS resolution of 2 hosts. at 04:18
  1480. Completed Parallel DNS resolution of 2 hosts. at 04:19, 16.50s elapsed
  1481. NSE: Script scanning 201.249.203.40.
  1482. Initiating NSE at 04:19
  1483. Completed NSE at 04:19, 33.75s elapsed
  1484. Initiating NSE at 04:19
  1485. Completed NSE at 04:19, 0.00s elapsed
  1486. Nmap scan report for 201.249.203.40
  1487. Host is up (0.11s latency).
  1488. Not shown: 469 filtered ports
  1489. PORT STATE SERVICE VERSION
  1490. 25/tcp closed smtp
  1491. 80/tcp open http-proxy Squid http proxy
  1492. | http-cookie-flags:
  1493. | /:
  1494. | PHPSESSID:
  1495. |_ httponly flag not set
  1496. |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
  1497. | http-git:
  1498. | 201.249.203.40:80/.git/
  1499. | Git repository found!
  1500. | Repository description: Unnamed repository; edit this file 'description' to name the...
  1501. | Last commit message: PRIMERA SUBIDA PORTAL PRINCIPAL
  1502. | Remotes:
  1503. |_ ssh://git@gitlab.mppp.gob.ve:22000/sistemas/mppp.git
  1504. | http-methods:
  1505. |_ Supported Methods: GET HEAD POST OPTIONS
  1506. |_http-open-proxy: Proxy might be redirecting requests
  1507. | http-robots.txt: 1 disallowed entry
  1508. |_/wp-admin/
  1509. |_http-title: Did not follow redirect to http://www.mppp.gob.ve/
  1510. 139/tcp closed netbios-ssn
  1511. 443/tcp open ssl/https MicrosoftIIS/8.0
  1512. | fingerprint-strings:
  1513. | GetRequest:
  1514. | HTTP/1.0 301 Moved Permanently
  1515. | Date: Wed, 07 Nov 2018 09:48:08 GMT
  1516. | Server: MicrosoftIIS/8.0
  1517. | Set-Cookie: PHPSESSID=m0iucr90p82cuoh93i4o36ru94; path=/
  1518. | Expires: Thu, 19 Nov 1981 08:52:00 GMT
  1519. | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  1520. | Pragma: no-cache
  1521. | Set-Cookie: wphc_seen=1; expires=Thu, 08-Nov-2018 09:48:09 GMT
  1522. | Location: https:///
  1523. | Vary: Accept-Encoding
  1524. | Content-Length: 0
  1525. | Connection: close
  1526. | Content-Type: text/html; charset=UTF-8
  1527. | HTTPOptions:
  1528. | HTTP/1.0 200 OK
  1529. | Date: Wed, 07 Nov 2018 09:48:11 GMT
  1530. | Server: MicrosoftIIS/8.0
  1531. | Set-Cookie: PHPSESSID=ni1bgnvd8atc3bhhk4a71p1412; path=/
  1532. | Expires: Thu, 19 Nov 1981 08:52:00 GMT
  1533. | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  1534. | Pragma: no-cache
  1535. | Set-Cookie: wphc_seen=1; expires=Thu, 08-Nov-2018 09:48:11 GMT
  1536. | Link: <https://www.mppp.gob.ve/wp-json/>; rel="https://api.w.org/"
  1537. | Link: <https://www.mppp.gob.ve/>; rel=shortlink
  1538. | Vary: Accept-Encoding
  1539. | Connection: close
  1540. | Content-Type: text/html; charset=UTF-8
  1541. | <!DOCTYPE html>
  1542. | <html xmlns="http://www.w3.org/1999/xhtml" lang="es-ES">
  1543. | <head>
  1544. | <meta name="google-site-verification" content="xg3iAA0jWXTPSUbut-xZZNomD9kJgzu37TvmGXJe63A" />
  1545. | <title>MPPP | Ministerio del Poder Popular de Planificaci
  1546. | n</title>
  1547. |_ <meta name="a
  1548. | http-methods:
  1549. |_ Supported Methods: GET HEAD POST OPTIONS
  1550. |_http-server-header: MicrosoftIIS/8.0
  1551. | ssl-cert: Subject: commonName=mppp/organizationName=MPPP/stateOrProvinceName=DistritoCapital/countryName=VE
  1552. | Issuer: commonName=mppp/organizationName=MPPP/stateOrProvinceName=DistritoCapital/countryName=VE
  1553. | Public Key type: rsa
  1554. | Public Key bits: 2048
  1555. | Signature Algorithm: sha1WithRSAEncryption
  1556. | Not valid before: 2014-03-06T16:07:17
  1557. | Not valid after: 2015-03-06T16:07:17
  1558. | MD5: e2f3 c645 3ae7 ad04 b833 3eeb b8b7 8f18
  1559. |_SHA-1: aead a941 188f 2dc8 7066 2075 108e 319e cf6f 7520
  1560. |_ssl-date: TLS randomness does not represent time
  1561. 445/tcp closed microsoft-ds
  1562. 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  1594. Device type: general purpose|storage-misc|broadband router|WAP
  1595. Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (93%), HP embedded (90%), Asus embedded (87%)
  1596. OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u
  1597. Aggressive OS guesses: Linux 3.18 (93%), Linux 3.16 - 4.6 (93%), Linux 3.10 - 4.11 (91%), Linux 3.13 (91%), Linux 3.13 or 4.2 (91%), Linux 4.2 (91%), Linux 4.4 (91%), HP P2000 G3 NAS device (90%), Linux 3.2 - 4.9 (90%), Linux 3.16 (89%)
  1598. No exact OS matches for host (test conditions non-ideal).
  1599. Uptime guess: 85.089 days (since Tue Aug 14 03:11:13 2018)
  1600. Network Distance: 2 hops
  1601. TCP Sequence Prediction: Difficulty=263 (Good luck!)
  1602. IP ID Sequence Generation: All zeros
  1603.  
  1604. TRACEROUTE (using port 139/tcp)
  1605. HOP RTT ADDRESS
  1606. 1 105.87 ms 10.244.200.1
  1607. 2 105.88 ms 201.249.203.40
  1608.  
  1609. NSE: Script Post-scanning.
  1610. Initiating NSE at 04:19
  1611. Completed NSE at 04:19, 0.00s elapsed
  1612. Initiating NSE at 04:19
  1613. Completed NSE at 04:19, 0.00s elapsed
  1614. Read data files from: /usr/bin/../share/nmap
  1615. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1616. Nmap done: 1 IP address (1 host up) scanned in 214.58 seconds
  1617. Raw packets sent: 1499 (70.804KB) | Rcvd: 1071 (509.358KB)
  1618. #######################################################################################################################################
  1619. Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-07 04:19 EST
  1620. NSE: Loaded 148 scripts for scanning.
  1621. NSE: Script Pre-scanning.
  1622. Initiating NSE at 04:19
  1623. Completed NSE at 04:19, 0.00s elapsed
  1624. Initiating NSE at 04:19
  1625. Completed NSE at 04:19, 0.00s elapsed
  1626. Initiating Parallel DNS resolution of 1 host. at 04:19
  1627. Completed Parallel DNS resolution of 1 host. at 04:20, 16.50s elapsed
  1628. Initiating UDP Scan at 04:20
  1629. Scanning 201.249.203.40 [14 ports]
  1630. Completed UDP Scan at 04:20, 2.01s elapsed (14 total ports)
  1631. Initiating Service scan at 04:20
  1632. Scanning 12 services on 201.249.203.40
  1633. Service scan Timing: About 8.33% done; ETC: 04:39 (0:17:58 remaining)
  1634. Completed Service scan at 04:21, 102.58s elapsed (12 services on 1 host)
  1635. Initiating OS detection (try #1) against 201.249.203.40
  1636. Retrying OS detection (try #2) against 201.249.203.40
  1637. Initiating Traceroute at 04:21
  1638. Completed Traceroute at 04:21, 7.18s elapsed
  1639. Initiating Parallel DNS resolution of 1 host. at 04:21
  1640. Completed Parallel DNS resolution of 1 host. at 04:22, 16.50s elapsed
  1641. NSE: Script scanning 201.249.203.40.
  1642. Initiating NSE at 04:22
  1643. Completed NSE at 04:22, 20.33s elapsed
  1644. Initiating NSE at 04:22
  1645. Completed NSE at 04:22, 1.03s elapsed
  1646. Nmap scan report for 201.249.203.40
  1647. Host is up (0.11s latency).
  1648.  
  1649. PORT STATE SERVICE VERSION
  1650. 53/udp open|filtered domain
  1651. 67/udp open|filtered dhcps
  1652. 68/udp open|filtered dhcpc
  1653. 69/udp open|filtered tftp
  1654. 88/udp open|filtered kerberos-sec
  1655. 123/udp open|filtered ntp
  1656. 137/udp filtered netbios-ns
  1657. 138/udp filtered netbios-dgm
  1658. 139/udp open|filtered netbios-ssn
  1659. 161/udp open|filtered snmp
  1660. 162/udp open|filtered snmptrap
  1661. 389/udp open|filtered ldap
  1662. 520/udp open|filtered route
  1663. 2049/udp open|filtered nfs
  1664. Too many fingerprints match this host to give specific OS details
  1665.  
  1666. TRACEROUTE (using port 138/udp)
  1667. HOP RTT ADDRESS
  1668. 1 105.56 ms 10.244.200.1
  1669. 2 ... 3
  1670. 4 106.54 ms 10.244.200.1
  1671. 5 106.78 ms 10.244.200.1
  1672. 6 106.78 ms 10.244.200.1
  1673. 7 106.63 ms 10.244.200.1
  1674. 8 106.63 ms 10.244.200.1
  1675. 9 106.63 ms 10.244.200.1
  1676. 10 106.66 ms 10.244.200.1
  1677. 11 ... 18
  1678. 19 104.97 ms 10.244.200.1
  1679. 20 105.21 ms 10.244.200.1
  1680. 21 ... 28
  1681. 29 107.03 ms 10.244.200.1
  1682. 30 106.45 ms 10.244.200.1
  1683.  
  1684. NSE: Script Post-scanning.
  1685. Initiating NSE at 04:22
  1686. Completed NSE at 04:22, 0.00s elapsed
  1687. Initiating NSE at 04:22
  1688. Completed NSE at 04:22, 0.00s elapsed
  1689. Read data files from: /usr/bin/../share/nmap
  1690. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  1691. Nmap done: 1 IP address (1 host up) scanned in 171.06 seconds
  1692. Raw packets sent: 147 (9.964KB) | Rcvd: 730 (335.937KB)
  1693. #######################################################################################################################################
  1694. Anonymous JTSEC #OpVenezuela full Recon #7