This Nmap scan I performed was very fruitful. This turned up a lot of beneficial information about a target.
```
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.25.74.218)┋ sudo nmap 147.161.219.87 -script intrusive
```
Here are a few of the open ports on this host. This is a lot to have exposed on the Internet.
```
3128/tcp  open  squid-http
8080/tcp  open  http-proxy
| http-vhosts:
| whois
| firewall
|_126 names had status 407
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
|_http-chrono: Request times for /; avg: 722430.53ms; min: 95.31ms; max: 3611591.17ms
|_http-slowloris: false
8800/tcp  open  sunwebadmin
10000/tcp open  snet-sensor-mgmt
10009/tcp open  swdtp-sv
10010/tcp open  rxapi
10012/tcp open  unknown
10082/tcp open  amandaidx
10180/tcp open  unknown
10215/tcp open  unknown
10566/tcp open  unknown
10616/tcp open  unknown
10621/tcp open  unknown
10778/tcp open  unknown
11111/tcp open  vce
12000/tcp open  cce4x
12345/tcp open  netbus
55555/tcp open  unknown
```
This host also has FTP and HTTPS open. I have no idea why they are using FTP.
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 05:14 AEDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 147.161.219.87
Host is up (0.067s latency).
Not shown: 978 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
80/tcp  open  http
| http-vhosts:
|_128 names had status ERROR
|_http-feed: Couldn't find any feeds.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:
|_  Path "/" does not require authentication
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-chrono: Request times for /; avg: 14214.86ms; min: 14204.07ms; max: 14243.23ms
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris:
|   Vulnerable:
|   the DoS attack took +2m02s
|   with 1001 concurrent connections
|_  and 20 sent queries
| http-sitemap-generator:
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-errors: ERROR: Script execution failed (use -d to debug)
443/tcp open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-chrono: Request times for /; avg: 365393.20ms; min: 257.35ms; max: 1825790.62ms
| http-brute:
|_  Path "/" does not require authentication
|_http-feed: Couldn't find any feeds.
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-vhosts:
| 46 names had status ERROR
|_82 names had status 403
|_http-slowloris: false
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
```
The FTP service may only be usable from certain locations.
```
╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.25.74.218)┋ ftp 147.161.219.87
Connected to 147.161.219.87.
421 Proxy is closed (unknown user location)
```
The Nmap intrusive scan is very slow, but it can turn up a lot of open ports and useful host information.
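Most of the script lines in the output above are failures or negative results, so reviewing a scan like this means separating them from the few results worth a second look. The sketch below is an added example, not part of the original post: it parses Nmap's normal text output per port and keeps only script results without a failure or negative marker. The sample is constructed from lines shown on this page, and the `NOISE` marker list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: an excerpt of the scan output shown on this page.
SAMPLE = """\
21/tcp  open  ftp
| ftp-brute:
|   Accounts: No valid accounts found
|_  ERROR: The service seems to have failed or is heavily firewalled...
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-brute:
|_  Path "/" does not require authentication
| http-slowloris:
|   Vulnerable:
|_  and 20 sent queries
443/tcp open  https
|_http-slowloris: false
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HEADER_RE = re.compile(r"^\|[ _]([a-z0-9-]+):\s*(.*)$")  # "| name:" or "|_name: text"
# Assumed markers of a failed or negative script result (not an Nmap-defined list).
NOISE = ("error", "failed", "couldn't", "no valid accounts", "false", "not vulnerable")

def parse(text):
    """Return {port: {"service": str, "scripts": {name: [output lines]}}} for open ports."""
    ports, cur, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            script = None
            cur = (ports.setdefault(int(m[1]), {"service": m[4], "scripts": {}})
                   if m[3] == "open" else None)
            continue
        if cur is None or not line.startswith("|"):
            continue
        h = HEADER_RE.match(line)
        if h:  # a new script's header line, with optional inline output
            script = h.group(1)
            cur["scripts"][script] = [h.group(2)] if h.group(2) else []
        elif script:  # indented continuation of the current script's output
            cur["scripts"][script].append(line[2:].strip())
    return ports

def triage(ports):
    """Return {port: [scripts whose output contains no NOISE marker]}."""
    bad = lambda lines: any(n in l.lower() for l in lines for n in NOISE)
    return {p: [s for s, ls in i["scripts"].items() if ls and not bad(ls)]
            for p, i in ports.items()}
```

On the sample, `triage(parse(SAMPLE))` keeps only `http-brute` and `http-slowloris` on port 80. For anything beyond a quick review, Nmap's XML output (`-oX`) is a more reliable thing to parse than the text layout.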