| Port | Protocol | State | Service | Reason | Product | Version | Extra info |
| 21 | tcp | open | ftp | syn-ack | vsftpd | 2.3.4 |  |
|  | ftp-anon | Anonymous FTP login allowed (FTP code 230) |
| 22 | tcp | open | ssh | syn-ack | OpenSSH | 4.7p1 Debian 8ubuntu1 | protocol 2.0 |
|  | ssh-hostkey |
1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)   | 
| 23 | tcp | open | telnet | syn-ack | Linux telnetd |  |  |
| 25 | tcp | open | smtp | syn-ack | Postfix smtpd |  |  |
|  | ssl-cert |
Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
Not valid before: 2010-03-17 14:07:45
Not valid after:  2010-04-16 14:07:45   | 
|  | smtp-commands | metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, |
|  | smtp-enum-users | Method RCPT returned a unhandled status code. |
|  | smtp-vuln-cve2010-4344 | The SMTP server is not Exim: NOT VULNERABLE |
|  | smtp-open-relay | Server doesn't seem to be an open relay, all tests failed |
| 53 | tcp | open | domain | syn-ack | ISC BIND | 9.4.2 |  |
|  | dns-nsid | bind.version: 9.4.2 |
| 80 | tcp | open | http | syn-ack | Apache httpd | 2.2.8 | (Ubuntu) DAV/2 |
|  | citrix-brute-xml | FAILED: No domain specified (use ntdomain argument) |
|  | http-google-malware | [ERROR] No API key found. Update the variable APIKEY in http-google-malware or set it in the argument http-google-malware.api |
|  | http-trace | TRACE is enabled |
|  | http-title | Metasploitable2 - Linux |
|  | http-vuln-cve2012-1823 |
  VULNERABLE:
  PHP-CGI Remote code execution and source code disclosure
    State: VULNERABLE (Exploitable)
    IDs:  CVE:2012-1823
    Description:
      According to PHP's website, "PHP is a widely-used general-purpose
      scripting language that is especially suited for Web development and
      can be embedded into HTML." When PHP is used in a CGI-based setup
      (such as Apache's mod_cgid), the php-cgi receives a processed query
      string parameter as command line arguments which allows command-line
      switches, such as -s, -d or -c to be passed to the php-cgi binary,
      which can be exploited to disclose source code and obtain arbitrary
      code execution.
    Disclosure date: 2012-05-3
    Extra information:
      Proof of Concept:/index.php?-s
  <code><span style="color: #000000">
  <html><head><title>Metasploitable2 - Linux</title></head><body><br /><pre><br /><br />                _                  _       _ _        _     _      ____  <br /> _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ <br />| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |<br />| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ <br />|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|<br />                            |_|                                          <br /><br /><br />Warning: Never expose this VM to an untrusted network!<br /><br />Contact: msfdev[at]metasploit.com<br /><br />Login with msfadmin/msfadmin to get started<br /><br /><br /></pre><br /><ul><br /><li><a href="/twiki/">TWiki</a></li><br /><li><a href="/phpMyAdmin/">phpMyAdmin</a></li><br /><li><a href="/mutillidae/">Mutillidae</a></li><br /><li><a href="/dvwa/">DVWA</a></li><br /><li><a href="/dav/">WebDAV</a></li><br /></ul><br /></body><br /></html><br /><br /></span>
  </code>
    References:
      http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
      http://ompldr.org/vZGxxaQ
  | 
|  | http-methods | No Allow or Public header in OPTIONS response (status code 200) |
|  | http-domino-enum-passwords | ERROR: No valid credentials were found (see domino-enum-passwords.username and domino-enum-passwords.password) |
|  | http-enum |
  /tikiwiki/: Tikiwiki
  /test/: Test page
  /phpMyAdmin/: phpMyAdmin
  /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
  /icons/: Potentially interesting folder w/ directory listing
  /index/: Potentially interesting folder
   | 
| 111 | tcp | open | rpcbind | syn-ack |  | 2 | rpc #100000 |
|  | rpcinfo |
  program version   port/proto  service
  100000  2            111/tcp  rpcbind
  100000  2            111/udp  rpcbind
  100003  2,3,4       2049/tcp  nfs
  100003  2,3,4       2049/udp  nfs
  100005  1,2,3      33649/udp  mountd
  100005  1,2,3      37000/tcp  mountd
  100021  1,3,4      44501/tcp  nlockmgr
  100021  1,3,4      58930/udp  nlockmgr
  100024  1          48701/udp  status
  100024  1          57176/tcp  status
   | 
| 139 | tcp | open | netbios-ssn | syn-ack | Samba smbd | 3.X | workgroup: WORKGROUP |
| 445 | tcp | open | netbios-ssn | syn-ack | Samba smbd | 3.X | workgroup: WORKGROUP |
| 512 | tcp | open | exec | syn-ack | netkit-rsh rexecd |  |  |
| 513 | tcp | open | login | syn-ack |  |  |  |
| 514 | tcp | open | shell | syn-ack |  |  |  |
| 1099 | tcp | open | java-rmi | syn-ack | Java RMI Registry |  |  |
| 1524 | tcp | open | ingreslock | syn-ack |  |  |  |
| 2049 | tcp | open | nfs | syn-ack |  | 2-4 | rpc #100003 |
| 2121 | tcp | open | ftp | syn-ack | ProFTPD | 1.3.1 |  |
| 3306 | tcp | open | mysql | syn-ack | MySQL | 5.0.51a-3ubuntu5 |  |
|  | mysql-info |
Protocol: 10
Version: 5.0.51a-3ubuntu5
Thread ID: 15776
Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
Status: Autocommit
Salt: v9W+lc*E]'Hr'gURy.t!
   | 
|  | mysql-empty-password | root account has empty password |
|  | mysql-users |
  debian-sys-maint
  guest
  root
   | 
| 5432 | tcp | open | postgresql | syn-ack | PostgreSQL DB | 8.3.0 - 8.3.7 |  |
| 5900 | tcp | open | vnc | syn-ack | VNC |  | protocol 3.3 |
|  | vnc-info |
  Protocol version: 3.3
  Security types:
    Unknown security type (33554432)
  | 
| 6000 | tcp | open | X11 | syn-ack |  |  | access denied |
| 6667 | tcp | open | irc | syn-ack | Unreal ircd |  |  |
|  | irc-unrealircd-backdoor | Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277 |
|  | irc-info |
Server: irc.Metasploitable.LAN
Version: Unreal3.2.8.1. irc.Metasploitable.LAN 
Lservers/Lusers: 0/1
Uptime: 1 days, 8:50:46
Source host: AF59FDED.97684684.FFFA6D49.IP
Source ident: OK nmap
   | 
| 8009 | tcp | open | ajp13 | syn-ack | Apache Jserv |  | Protocol v1.3 |
| 8180 | tcp | open | http | syn-ack | Apache Tomcat/Coyote JSP engine | 1.1 |  |
|  | http-google-malware | [ERROR] No API key found. Update the variable APIKEY in http-google-malware or set it in the argument http-google-malware.api |
|  | http-favicon | Apache Tomcat |
|  | http-title | Apache Tomcat/5.5 |
|  | http-domino-enum-passwords | ERROR: No valid credentials were found (see domino-enum-passwords.username and domino-enum-passwords.password) |
|  | http-default-accounts | [Apache Tomcat] credentials found -> tomcat:tomcat Path:/manager/html/ |
|  | http-methods | No Allow or Public header in OPTIONS response (status code 200) |
|  | http-enum |
  /admin/: Possible admin folder
  /admin/index.html: Possible admin folder
  /admin/login.html: Possible admin folder
  /admin/admin.html: Possible admin folder
  /admin/account.html: Possible admin folder
  /admin/admin_login.html: Possible admin folder
  /admin/home.html: Possible admin folder
  /admin/admin-login.html: Possible admin folder
  /admin/adminLogin.html: Possible admin folder
  /admin/controlpanel.html: Possible admin folder
  /admin/cp.html: Possible admin folder
  /admin/index.jsp: Possible admin folder
  /admin/login.jsp: Possible admin folder
  /admin/admin.jsp: Possible admin folder
  /admin/home.jsp: Possible admin folder
  /admin/controlpanel.jsp: Possible admin folder
  /admin/admin-login.jsp: Possible admin folder
  /admin/cp.jsp: Possible admin folder
  /admin/account.jsp: Possible admin folder
  /admin/admin_login.jsp: Possible admin folder
  /admin/adminLogin.jsp: Possible admin folder
  /manager/html/upload: Apache Tomcat (401 Unauthorized)
  /manager/html: Apache Tomcat (401 Unauthorized)
  /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
  /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
  /admin/jscript/upload.html: Lizard Cart/Remote File upload
  /webdav/: Potentially interesting folder
   | 
| 44501 | tcp | open | nlockmgr | syn-ack |  | 1-4 | rpc #100021 |

| Script Name | Output |
| smb-os-discovery |
  OS: Unix (Samba 3.0.20-Debian)
  NetBIOS computer name: 
  Workgroup: WORKGROUP
  System time: 2012-08-16 23:15:40 UTC-4
   | 
| nbstat | NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> |
| smb-enum-users | Domain: METASPLOITABLE; Users: backup, bin, bind, daemon, dhcp, distccd, ftp, games, gnats, irc, klog, libuuid, list, lp, mail, man, msfadmin, mysql, news, nobody, postfix, postgres, proftpd, proxy, root, service, sshd, sync, sys, syslog, telnetd, tomcat55, user, uucp, www-data |