CYBERSECURITY

# nmap --script vuln 192.168.159.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-18 23:20 -05
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.33% done; ETC: 23:21 (0:00:06 remaining)
Stats: 0:01:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.84% done; ETC: 23:21 (0:00:07 remaining)
Stats: 0:01:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.63% done; ETC: 23:22 (0:00:05 remaining)
Stats: 0:02:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.42% done; ETC: 23:22 (0:00:01 remaining)
Stats: 0:02:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.62% done; ETC: 23:23 (0:00:01 remaining)
Stats: 0:04:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.62% done; ETC: 23:25 (0:00:01 remaining)
Stats: 0:05:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.74% done; ETC: 23:25 (0:00:01 remaining)
Stats: 0:05:43 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.74% done; ETC: 23:26 (0:00:01 remaining)
Nmap scan report for 192.168.159.129
Host is up (0.0073s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain and Client Access policies.
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <?xml version="1.0"?>
| <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
| <cross-domain-policy>
| <allow-access-from domain="*" />
| </cross-domain-policy>
| Extra information:
| Trusted domains:*
|
| References:
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|_ https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.159.129:80/evil/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.159.129:80/evil/?C=M%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.159.129:80/evil/?C=D%3BO%3DA%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.159.129
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.159.129:80/drupal/
| Form id: user-login-form
| Form action: /drupal/?q=node&destination=node
|
| Path: http://192.168.159.129:80/phpmyadmin/
| Form id:
| Form action: index.php
|
| Path: http://192.168.159.129:80/phpmyadmin/
| Form id: input_username
| Form action: index.php
|
| Path: http://192.168.159.129:80/drupal/
| Form id: user-login-form
| Form action: /drupal/?q=node&destination=node
|
| Path: http://192.168.159.129:80/drupal/?q=user/password
| Form id: user-pass
| Form action: /drupal/?q=user/password
|
| Path: http://192.168.159.129:80/drupal/?q=node&amp;destination=node
| Form id: user-login-form
| Form action: /drupal/?q=node&destination=node%3Famp%253Bdestination%3Dnode
|
| Path: http://192.168.159.129:80/drupal/?q=user/register
| Form id: user-register-form
| Form action: /drupal/?q=user/register
|
| Path: http://192.168.159.129:80/evil/sandbox.htm
| Form id: login
|_ Form action: http://attacker.com/catch.php?
| http-enum:
| /crossdomain.xml: Adobe Flash crossdomain policy
| /phpmyadmin/: phpMyAdmin
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /icons/: Potentially interesting folder w/ directory listing
| /server-status/: Potentially interesting folder
|_ /webdav/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2 mod_fastcgi/2.4.6 php/5.2.4-2ubuntu5 with suhosin-patch mod_ssl/2.2.8 openssl/0.9.8g'
139/tcp open netbios-ssn
443/tcp open https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-dh-params:
| VULNERABLE:
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.2.x/512-bit MODP group with safe prime modulus
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://www.securityfocus.com/bid/74733
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
|_http-trace: TRACE is enabled
| http-sql-injection:
| Possible sqli for queries:
| https://192.168.159.129:443/evil/?C=D%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=M%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=S%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=N%3BO%3DD%27%20OR%20sqlspider
| https://192.168.159.129:443/sqlite/index.php?dbsel=1%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=M%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=N%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=S%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=D%3BO%3DD%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=D%3BO%3DA%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=M%3BO%3DD%27%20OR%20sqlspider
| https://192.168.159.129:443/evil/?C=N%3BO%3DA%27%20OR%20sqlspider
|_ https://192.168.159.129:443/evil/?C=S%3BO%3DA%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-fileupload-exploiter:
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
| Failed to upload and execute a payload.
|
|_ Failed to upload and execute a payload.
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.159.129
| Found the following possible CSRF vulnerabilities:
|
| Path: https://192.168.159.129:443/drupal/
| Form id: user-login-form
| Form action: /drupal/?q=node&destination=node
|
| Path: https://192.168.159.129:443/phpmyadmin/
| Form id:
| Form action: index.php
|
| Path: https://192.168.159.129:443/phpmyadmin/
| Form id: input_username
| Form action: index.php
|
| Path: https://192.168.159.129:443/sqlite/main.php?
| Form id:
| Form action: main.php
|
| Path: https://192.168.159.129:443/sqlite/main.php?
| Form id:
| Form action: main.php
|
| Path: https://192.168.159.129:443/evil/sandbox.htm
| Form id: login
|_ Form action: http://attacker.com/catch.php?
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain and Client Access policies.
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <?xml version="1.0"?>
| <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
| <cross-domain-policy>
| <allow-access-from domain="*" />
| </cross-domain-policy>
| Extra information:
| Trusted domains:*
|
| References:
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|_ https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
666/tcp open doom
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5901/tcp open vnc-1
6001/tcp open X11:1
8080/tcp open http-proxy
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain and Client Access policies.
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <?xml version="1.0"?>
| <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
| <cross-domain-policy>
| <allow-access-from domain="*" />
| </cross-domain-policy>
| Extra information:
| Trusted domains:*
|
| References:
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|_ https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://www.securityfocus.com/bid/49303
| http-enum:
|_ /crossdomain.xml: Adobe Flash crossdomain policy
8443/tcp open https-alt
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: nginx/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain and Client Access policies.
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
| <?xml version="1.0"?>
| <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
| <cross-domain-policy>
| <allow-access-from domain="*" />
| </cross-domain-policy>
| Extra information:
| Trusted domains:*
|
| References:
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
| https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
|_ https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| http://cvedetails.com/cve/2014-0160/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http-enum:
|_ /crossdomain.xml: Adobe Flash crossdomain policy
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.securityfocus.com/bid/70574
|_ https://www.imperialviolet.org/2014/10/14/poodle.html
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://www.securityfocus.com/bid/49303
9080/tcp open glrpc
MAC Address: 00:0C:29:3E:91:8B (VMware)

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
Nmap done: 1 IP address (1 host up) scanned in 351.73 seconds
sudo nikto -h 192.168.159.129
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.159.129
+ Target Hostname: 192.168.159.129
+ Target Port: 80
+ Start Time: 2024-06-19 00:11:56 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
+ /: Server may leak inodes via ETags, header found with file /, inode: 838422, size: 588, mtime: Sun Nov 2 13:20:24 2014. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /crossdomain.xml contains a full wildcard entry. See: http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.bak, index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ PHP/5.2.4-2ubuntu5 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OpenSSL/0.9.8g appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ mod_ssl/2.2.8 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ mod_ssl/2.2.8 OpenSSL/0.9.8g - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources. See: OSVDB-561
+ /phpmyadmin/changelog.php: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.
+ /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /icons/: Directory indexing found.
+ /README: README file found.
+ /INSTALL.txt: Default file found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8101 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time: 2024-06-19 00:12:26 (GMT-5) (30 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested