Targets
10.0.0.0/8
10.0.0.1 MAC 00:50:56:98:14:F8
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
53/TCP | OPEN | DOMAIN | unbound | |
80/TCP | OPEN | HTTP | nginx | |
10.0.0.100
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
53/TCP | OPEN | DOMAIN | unbound | |
88/TCP | OPEN | Kerberos-Sec | | |
135/TCP | OPEN | msrpc | | |
135/TCP | OPEN | msrpc | | |
389/TCP | OPEN | ldap | | |
445/TCP | OPEN | microsoft-ds | | |
464/TCP | OPEN | kpasswd5 | | |
593/TCP | OPEN | http-rpc-epmap | | |
636/TCP | OPEN | ldapssl | | |
3268/TCP | OPEN | globalcatLDAP | | |
3269/TCP | OPEN | globalcatLDAPssl | | |
3389/TCP | OPEN | ms-wbt-server | | |
5800/TCP | OPEN | vnc-http | | |
5900/TCP | OPEN | vnc | | |
10.206.228.124 MAC 00:50:56:98:64:5C
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
21/TCP | OPEN | FTP | ProFTPD 1.3.5 | |
22/TCP | OPEN | SSH | OpenSSH 6.61.p1 | |
80/TCP | OPEN | HTTP | Apache httpd 2.4.7 | YES |
445/TCP | OPEN | NETBIOS-SSN | Samba smbd 3.X - 4.X | |
631/TCP | OPEN | IPP 2.1 | CUPS 1.7 | YES |
3000/TCP | CLOSED | PPP | | |
3306/TCP | OPEN | MYSQL | | |
8181/TCP | OPEN | HTTP | WEBrick httpd 1.3.1 (RUBY 2.3.7) | YES |
192.168.0.0/24
192.168.0.1
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
53/TCP | OPEN | DOMAIN | unbound | |
80/TCP | OPEN | DOMAIN | HTTP | |
192.168.0.50
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
53/TCP | CLOSED | DOMAIN | NA | |
80/TCP | OPEN | HTTP | APACHE 2.4.29 | YES |
445/TCP | CLOSED | HTTPS | NA | |
192.168.0.239
PORT | STATE | SERVICE | VERSION | VULNERABLE |
---|---|---|---|---|
21/TCP | OPEN | FTP | vsftpd 2.3.4 | YES |
22/TCP | OPEN | SSH | OpenSSH 4.7p1 Protocol 2.0 | |
23/TCP | OPEN | TELNET | Linux telnetd | |
25/TCP | OPEN | SMTP | postfix smtpd | |
53/TCP | OPEN | DOMAIN | ISC BIND 9.4.2 | |
80/TCP | OPEN | HTTP | Apache httpd 2.2.8 (DAV 2) | YES |
139/TCP | OPEN | NETBIOS-SSN | Samba smbd 3.X 4.X | |
445/TCP | OPEN | NETBIOS-SSN | Samba smbd | |
512/TCP | OPEN | exec | netkit-rsh rexecd | |
513/TCP | OPEN | login? | | |
514/TCP | OPEN | shell | Netkit rshd | |
1099/TCP | OPEN | java-rmi | GNU Classpath | |
1524/TCP | OPEN | BINDSHELL | Bash Shell (**BACKDOOR**: rootshell) | YES |
2049/TCP | OPEN | NFS | 2-4 (RPC #100003) | |
2121/TCP | OPEN | CCPROXY-FTP? | | |
3306/TCP | OPEN | MYSQL | MySQL 5.0.51a-3 | |
5355/UDP | FILTERED | llmnr | | |
5432/TCP | OPEN | Postgresql | PostgreSQL DB 8.3.0 - 8.3.7 | |
5900/TCP | OPEN | VNC | VNC (Protocol 3.3) | YES |
6000/TCP | OPEN | X11 | (Access denied) | |
6667/TCP | OPEN | IRC | UnrealIRCd 3.2.8.1 | YES |
8009/TCP | OPEN | HTTP | Apache Tomcat/Coyote JSP engine 1.1 | |
8180/TCP | OPEN | HTTP | Apache Tomcat | |
111/TCP | OPEN | RPCBIND | #10000 | |
111/UDP | OPEN | RPCBIND | #10000 | |
2049/UDP | OPEN | NFS | | |
3765/UDP | OPEN | MOUNTD | | |
38371/TCP | OPEN | MOUNTD | | |
32917/TCP | OPEN | NLOCKMGR | | |
50900/UDP | OPEN | NLOCKMGR | | |
34600/TCP | OPEN | STATUS | | |
45440/UDP | OPEN | STATUS | | |
SCANS
Scan One:
A basic scan, nmap -sn 192.168.0.0/24,
was used only to ping the targets, and it found two results.
Scan Two:
Nmap Vulners was downloaded from GitHub and the scan nmap -sV --script http-vulners-regex 192.168.0.239 > school
was used. The same scan was also run against 192.168.0.50.
Scan Three:
The network was split up into 8 different networks to make it easier to scan.
COMMANDS
nmap -sn 192.168.0.0/24
nmap -sV --script http-vulners-regex 192.168.0.239 > scanresults
masscan -p80 10.0.0.0/8 --rate=4000 -v > results.txt
nmap -T5 -n -sn -iL targets.txt -v > results.txt
cat results.txt | grep -B1 up
Scripts
PYTHON CODE
Code to generate targets for a /13 subnet. The code creates a text file with the /13 split up into smaller ranges, to avoid crashing the Linux environment when running fping. It is paired with a bash script that runs fping over each range.
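One way to generate the split target list described above, as an added example (not the original script, which is not on the page). The function name `split_targets`, the sample range 10.200.0.0/13, the 65,536-address block size and the private-range scope check are all assumptions.

```python
import ipaddress


def split_targets(cidr, max_addresses=65536):
    """Split `cidr` into equal blocks holding at most `max_addresses` addresses.

    Hypothetical helper: returns the blocks as CIDR strings, one per sweep.
    """
    # strict=True rejects input with host bits set, e.g. 10.200.1.0/13
    net = ipaddress.ip_network(cidr, strict=True)
    if max_addresses < 1:
        raise ValueError("max_addresses must be at least 1")
    # Scope guard (assumption): only internal RFC 1918-style ranges are accepted,
    # so a typo cannot turn the list into a sweep of someone else's network.
    if not net.is_private:
        raise ValueError(f"{net} is not a private range")
    # floor(log2(max_addresses)) without floating point: host bits per block
    block_bits = min(max_addresses.bit_length() - 1,
                     net.max_prefixlen - net.prefixlen)
    new_prefix = net.max_prefixlen - block_bits
    return [str(block) for block in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed sample range; prints one block per line so the output can be
    # redirected to a file, as in: python3 python.py >> subnet13.txt
    for block in split_targets("10.200.0.0/13"):
        print(block)
```

With the defaults, a /13 comes out as eight /16 blocks, each of which can be swept separately.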
BASH CODE
This code is used alongside "subnet()" to help with fping when discovering hosts on the network. The bash script's output is written to "hosts_scanned.txt" in case of an unexpected shutdown of the Kali machine.
python3 python.py >> subnet13.txt
chmod +x bash.sh
./bash.sh > hosts_scanned.txt