nmap
[+] Scanning 10.10.10.239 [65535 TCP ports]
[+] Enumerating 10.10.10.239 [80,135,139,443,445,3306,5000,5040,5985,5986,7680,9896,11708,47001,49664,49665,49666,49667,49668,49669,49670]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:07 CDT
Nmap scan report for love (10.10.10.239)
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn:
|_ http/1.1
|_http-title: 403 Forbidden
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSVersionBindReqTCP, GenericLines, Help, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|_ Host '10.10.14.3' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2024-05-26T12:31:51+00:00; +21m33s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_http-title: Not Found
7680/tcp open pando-pub?
9896/tcp closed unknown
11708/tcp closed unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=5/26%Time=665325FC%P=x86_64-pc-linux-gnu%r
SF:(NULL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLin
SF:es,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4
SF:9,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,49,"E\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,49,
SF:"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,49,"E\0\0\x01\
SF:xffj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,49,"E\0\0\x01\xf
SF:fj\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\
SF:x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq,49,"E\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x01\xffj\x04H
SF:ost\x20'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x
SF:20this\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj\x04Host\x20
SF:'10\.10\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\
SF:x20MariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.1
SF:0\.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mar
SF:iaDB\x20server")%r(LDAPSearchReq,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\
SF:.14\.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Maria
SF:DB\x20server")%r(LDAPBindReq,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\
SF:.3'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x
SF:20server")%r(SIPOptions,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x
SF:20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20ser
SF:ver")%r(TerminalServer,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.3'\x2
SF:0is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20serv
SF:er");
Service Info: Hosts: www.example.com, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-05-26T05:31:40-07:00
| smb2-time:
| date: 2024-05-26T12:31:39
|_ start_date: N/A
|_clock-skew: mean: 2h06m34s, deviation: 3h30m02s, median: 21m32s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.19 seconds
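The service scan above leaks three hostnames: staging.love.htb in the TLS certificate on 443, LOVE/Love in the WinRM certificate on 5986, and www.love.htb (beside Apache's placeholder www.example.com) in the "Service Info: Hosts:" line. The 403 Forbidden on 443 and 5000 when hit by IP is consistent with name-based virtual hosts, so those names belong in /etc/hosts and each one should be requested with its own Host header. The script below is an added example, not part of the original scan output or of any tool used in it; it parses a constructed copy of the relevant lines, builds the /etc/hosts line, and carries a curl-based vhost probe (probe_vhosts, which needs network access to the target and is not exercised offline). The IP 10.10.10.239 and the ports are taken from the scan; the function names are ours.

```shell
# Added example (not from the original scan output): recover the hostnames the
# service scan leaked, build an /etc/hosts line, and probe each as a vhost.
# Sources in the scan: ssl-cert CN/SAN (443, 5986) and "Service Info: Hosts:".

# Constructed sample: the hostname-bearing lines copied from the scan above.
SAMPLE_NMAP_OUTPUT='| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
Service Info: Hosts: www.example.com, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows'

# nmap_hostnames: nmap -sV/-sC text on stdin -> unique lowercase hostnames, one per line.
# *.example.com is dropped: it is Apache's placeholder ServerName, not a real vhost.
nmap_hostnames() {
    input=$(cat)
    {
        # certificate subject CN
        printf '%s\n' "$input" | sed -n 's/.*commonName=\([^/ ]*\).*/\1/p'
        # certificate SAN entries: "DNS:a, DNS:b"
        printf '%s\n' "$input" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
        # Apache ServerName values reported by nmap's service detection
        printf '%s\n' "$input" | sed -n 's/^Service Info: Hosts: \([^;]*\);.*/\1/p' | tr ',' '\n' | tr -d ' '
    } | tr 'A-Z' 'a-z' | grep -v -e '^$' -e '\.example\.com$' | sort -u
}

# hosts_line IP: hostnames on stdin -> one /etc/hosts line for the target.
hosts_line() {
    printf '%s' "$1"
    while IFS= read -r name; do printf ' %s' "$name"; done
    printf '\n'
}

# probe_vhosts IP PORT [SCHEME]: request / once per hostname on stdin with that
# Host header and print the status code next to a bare-IP baseline. A name that
# answers differently from the baseline (e.g. 200 instead of 403) is a real vhost.
# Needs network access to the target; not run in the offline demonstration.
probe_vhosts() {
    ip=$1; port=$2; scheme=${3:-http}
    printf 'baseline (Host: %s) -> %s\n' "$ip" \
        "$(curl -sk -o /dev/null -w '%{http_code}' "$scheme://$ip:$port/")"
    while IFS= read -r name; do
        printf '%-24s -> %s\n' "$name" \
            "$(curl -sk -o /dev/null -w '%{http_code}' -H "Host: $name" "$scheme://$ip:$port/")"
    done
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | nmap_hostnames | hosts_line 10.10.10.239
# On a live engagement append that line to /etc/hosts, then compare per-name
# responses on the ports that returned 403 by IP (443 and 5000 above), e.g.:
#   printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | nmap_hostnames | probe_vhosts 10.10.10.239 443 https
```

The bare NetBIOS name "love" is kept deliberately: the scan itself resolved it, and Apache may route on short names as well as FQDNs.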
[+] Enumerating 10.10.10.239 for vulnerabilities [80,135,139,443,445,3306,5000,5040,5985,5986,7680,9896,11708,47001,49664,49665,49666,49667,49668,49669,49670]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:10 CDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for love (10.10.10.239)
Host is up (0.045s latency).
PORT STATE SERVICE
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-sql-injection:
| Possible sqli for queries:
| http://love:80/bower_components/jquery/dist/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/?C=N%3BO%3DD%27%20OR%20sqlspider
|_ http://love:80/bower_components/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
|_http-trace: TRACE is enabled
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=love
| Found the following possible CSRF vulnerabilities:
|
| Path: http://love:80/
| Form id:
| Form action: login.php
|
| Path: http://love:80/login.php
| Form id:
|_ Form action: login.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin/: Possible admin folder
| /admin/index.php: Possible admin folder
| /Admin/: Possible admin folder
| /icons/: Potentially interesting folder w/ directory listing
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1j php/7.3.27'
|_ /includes/: Potentially interesting directory w/ listing on 'apache/2.4.46 (win64) openssl/1.1.1j php/7.3.27'
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
9896/tcp closed unknown
11708/tcp closed unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
Nmap done: 1 IP address (1 host up) scanned in 347.15 seconds
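The http-sql-injection hits in the vuln scan above all have the shape /some/directory/?C=S;O=A with nmap's probe string "' OR sqlspider" appended. C= and O= are Apache mod_autoindex sort options (column and order) on a directory listing; no backend query ever sees them, so those hits are noise. The directory listings themselves are the real finding, which http-enum already reports for /images/ and /includes/. The script below is an added example, not part of the original scan output or of any tool used in it: it URL-decodes each reported URL, strips the probe string, and marks a hit as noise only when the path is a directory and every parameter name is an autoindex option, otherwise as "review". The constructed sample copies four lines from the scan and adds one made-up URL (example.php?id=) to show what a hit worth reviewing looks like; the function names are ours.

```shell
# Added example (not from the original scan output): triage http-sql-injection
# hits, separating mod_autoindex sort options on directory listings (noise)
# from parameters that might actually reach a query (review).

# Constructed sample: four lines copied from the scan above plus one made-up
# URL (example.php?id=) for contrast.
SAMPLE_NSE_SQLI='| http-sql-injection:
| Possible sqli for queries:
| http://love:80/bower_components/jquery/dist/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/dist/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://love:80/bower_components/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://love:80/example.php?id=1%27%20OR%20sqlspider
|_ http://love:80/bower_components/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider'

# Query options mod_autoindex understands: column, order, format, version sort, pattern.
AUTOINDEX_PARAMS='C O F V P'

# urldecode STRING: decode %XX and '+' with POSIX awk (no bash-only \x escapes).
urldecode() {
    printf '%s\n' "$1" | awk '
    BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
    {
        s = $0; out = ""
        gsub(/\+/, " ", s)
        while ((p = index(s, "%")) > 0) {
            code = toupper(substr(s, p + 1, 2))
            if (code in hex) { out = out substr(s, 1, p - 1) hex[code]; s = substr(s, p + 3) }
            else             { out = out substr(s, 1, p);             s = substr(s, p + 1) }
        }
        print out s
    }'
}

# classify_sqli_candidate URL -> "noise" (only autoindex options on a directory)
# or "review" (anything else).
classify_sqli_candidate() {
    url=$1
    case $url in
        *\?*) path=${url%%\?*}; query=${url#*\?} ;;
        *)    path=$url;        query="" ;;
    esac
    decoded=$(urldecode "$query")
    clean=${decoded%%\'*}                      # drop nmap's appended ' OR sqlspider
    # autoindex separates its options with ';' as well as '&'
    names=$(printf '%s\n' "$clean" | tr ';&' '\n\n' | awk -F= 'NF > 1 && $1 != "" { print $1 }')
    verdict=noise
    case $path in */) ;; *) verdict=review ;; esac   # options only apply to directory listings
    [ -n "$names" ] || verdict=review                # no parameters at all: nothing to judge
    for n in $names; do
        case " $AUTOINDEX_PARAMS " in
            *" $n "*) ;;
            *) verdict=review ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# triage_sqli_findings: NSE output on stdin -> "<verdict>\t<url>" per reported URL.
triage_sqli_findings() {
    grep -E -o 'https?://[^ ]+' | while IFS= read -r url; do
        printf '%s\t%s\n' "$(classify_sqli_candidate "$url")" "$url"
    done
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_NSE_SQLI" | triage_sqli_findings
```

Feed it a saved NSE run (the script's own output, or `nmap -oN`) and only the "review" lines need a manual test; the "noise" lines are still worth a note about directory listings being enabled.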
[+] Scanning 10.10.10.239 [1000 UDP ports]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 07:30 CDT
Initiating Ping Scan at 07:30
Scanning 10.10.10.239 [4 ports]
Completed Ping Scan at 07:30, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 07:30
Scanning love (10.10.10.239) [100 ports]
Increasing send delay for 10.10.10.239 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.239 from 50 to 100 due to max_successful_tryno increase to 6
Warning: 10.10.10.239 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.10.10.239 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 200 to 400 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 400 to 800 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.10.10.239 from 800 to 1000 due to 12 out of 29 dropped probes since last increase.
Completed UDP Scan at 07:32, 120.72s elapsed (100 total ports)
Nmap scan report for love (10.10.10.239)
Host is up (0.060s latency).
Not shown: 81 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
497/udp open|filtered retrospect
500/udp open|filtered isakmp
996/udp open|filtered vsinet
1813/udp open|filtered radacct
1900/udp open|filtered upnp
2222/udp open|filtered msantipiracy
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5632/udp open|filtered pcanywherestat
20031/udp open|filtered bakbonenetvault
49154/udp open|filtered unknown
49182/udp open|filtered unknown
49186/udp open|filtered unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 120.97 seconds
Raw packets sent: 461 (29.718KB) | Rcvd: 92 (9.197KB)
[+] Completed!