Nmap Scan Report - Scanned at Sun Aug 28 02:24:26 2016

Scan Summary

Nmap 7.25BETA1 was initiated at Sun Aug 28 02:24:26 2016 with these arguments:
nmap -vv -sS -Pn -A -sV -T5 --script=default,auth,vuln,discovery -p- -oX 192-168-56-102.xml --script-args=unsafe=1 192.168.56.102

Verbosity: 2; Debug level 0

Nmap done at Sun Aug 28 02:32:52 2016; 1 IP address (1 host up) scanned in 506.54 seconds

Pre-Scan Script Output

Script Name Output
broadcast-igmp-discovery 
  192.168.56.1
    Interface: eth1
    Version: 2
    Group: 224.0.0.251
    Description: mDNS (rfc6762)
  Use the newtargets script-arg to add the results as targets
broadcast-pim-discovery 
ERROR: Script execution failed (use -d to debug)
ipv6-multicast-mld-list 
  fe80::800:27ff:fe00:0: 
    device: eth1
    mac: 0a:00:27:00:00:00
    multicast_ips: 
      ff02::1:ff9b:1fa4         (Solicited-Node Address)
      ff02::fb                  (mDNSv6)
      ff02::fb                  (mDNSv6)
      ff02::fb                  (mDNSv6)
      ff02::fb                  (mDNSv6)
      ff02::fb                  (mDNSv6)
      ff02::1:ff00:0            (NDP Solicited-node)
      ff02::fb                  (mDNSv6)
knx-gateway-discover 
ERROR: Script execution failed (use -d to debug)
mrinfo 
ERROR: Script execution failed (use -d to debug)
targets-asn 
  targets-asn.asn is a mandatory parameter
targets-ipv6-multicast-echo 
  IP: fe80::800:27ff:fe00:0  MAC: 0a:00:27:00:00:00  IFACE: eth1
  Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-invalid-dst 
  IP: fe80::800:27ff:fe00:0  MAC: 0a:00:27:00:00:00  IFACE: eth1
  Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-mld 
  IP: fe80::800:27ff:fe00:0  MAC: 0a:00:27:00:00:00  IFACE: eth1

  Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-slaac 
  IP: fe80::800:27ff:fe00:0      MAC: 0a:00:27:00:00:00  IFACE: eth1
  IP: fe80::953f:e6d2:469b:1fa4  MAC: 0a:00:27:00:00:00  IFACE: eth1
  Use --script-args=newtargets to add the results as targets

192.168.56.102(online)

Address

Ports

The 65523 ports scanned but not shown below are in state: filtered

Port State Service Reason Product Version Extra info
20 tcp closed ftp-data  reset      
21 tcp open ftp  syn-ack vsftpd  2.0.8 or later   
banner 
220-\x0D\x0A220-|-----------------------------------------------------------------------------------------|\x0D\x0A220-| Harry, make sure to update the banner when you get a chance to show who has acces...
 
ftp-anon 
Anonymous FTP login allowed (FTP code 230)
Can't get directory listing: Can't parse PASV response: "Permission denied." 
sslv2-drown 
 
22 tcp open ssh  syn-ack OpenSSH  7.2p2 Ubuntu 4  Ubuntu Linux; protocol 2.0 
banner 
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4 
ssh-hostkey 
  2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul
  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY= 
ssh2-enum-algos 
  kex_algorithms: (6)
      curve25519-sha256@libssh.org
      ecdh-sha2-nistp256
      ecdh-sha2-nistp384
      ecdh-sha2-nistp521
      diffie-hellman-group-exchange-sha256
      diffie-hellman-group14-sha1
  server_host_key_algorithms: (5)
      ssh-rsa
      rsa-sha2-512
      rsa-sha2-256
      ecdsa-sha2-nistp256
      ssh-ed25519
  encryption_algorithms: (6)
      chacha20-poly1305@openssh.com
      aes128-ctr
      aes192-ctr
      aes256-ctr
      aes128-gcm@openssh.com
      aes256-gcm@openssh.com
  mac_algorithms: (10)
      umac-64-etm@openssh.com
      umac-128-etm@openssh.com
      hmac-sha2-256-etm@openssh.com
      hmac-sha2-512-etm@openssh.com
      hmac-sha1-etm@openssh.com
      umac-64@openssh.com
      umac-128@openssh.com
      hmac-sha2-256
      hmac-sha2-512
      hmac-sha1
  compression_algorithms: (2)
      none
      zlib@openssh.com 
53 tcp open domain  syn-ack dnsmasq  2.75   
dns-nsec-enum 
Can't determine domain for host 192.168.56.102; use dns-nsec-enum.domains script arg. 
dns-nsec3-enum 
Can't determine domain for host 192.168.56.102; use dns-nsec3-enum.domains script arg. 
dns-nsid 
  bind.version: dnsmasq-2.75 
80 tcp open http  syn-ack      
http-chrono 
Request times for /; avg: 160.92ms; min: 154.53ms; max: 168.78ms 
http-comments-displayer 
Couldn't find any comments. 
http-csrf 
Couldn't find any CSRF vulnerabilities. 
http-devframework 
Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages. 
http-dombased-xss 
Couldn't find any DOM based XSS. 
http-drupal-enum 
Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis) 
http-errors 
Spidering limited to: maxpagecount=40; withinhost=192.168.56.102
  Found the following error pages: 
  
  Error Code: 404
  	http://192.168.56.102:80/
 
http-feed 
Couldn't find any feeds. 
http-fileupload-exploiter 
 
http-frontpage-login 
false 
http-headers 
  Host: 192.168.56.102
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 533
  
  (Request type: GET)
 
http-methods 
  Supported Methods: GET HEAD POST OPTIONS 
http-mobileversion-checker 
No mobile version detected. 
http-referer-checker 
Couldn't find any cross-domain scripts. 
http-sitemap-generator 
  Directory structure:
  Longest directory structure:
    Depth: 0
    Dir: /
  Total files found (by extension):
    
 
http-stored-xss 
Couldn't find any stored XSS vulnerabilities. 
http-title 
Site doesn't have a title (text/html; charset=UTF-8). 
http-useragent-tester 
  
    Allowed User Agents:
    Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
    libwww
    lwp-trivial
    libcurl-agent/1.0
    PHP/
    Python-urllib/2.5
    GT::WWW
    Snoopy
    MFC_Tear_Sample
    HTTP::Lite
    PHPCrawl
    URI::Fetch
    Zend_Http_Client
    http client
    PECL::HTTP
    Wget/1.13.4 (linux-gnu)
    WWW-Mechanize/1.34
  
 
http-vhosts 
127 names had status 404 
http-wordpress-enum 
Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis) 
http-wordpress-users 
[Error] Wordpress installation was not found. We couldn't find wp-login.php 
http-xssed 
ERROR: Script execution failed (use -d to debug) 
123 tcp closed ntp  reset      
137 tcp closed netbios-ns  reset      
138 tcp closed netbios-dgm  reset      
139 tcp open netbios-ssn  syn-ack Samba smbd  4.3.9-Ubuntu  workgroup: WORKGROUP 
666 tcp open doom  syn-ack      
banner 
PK\x03\x04\x14\x00\x02\x00\x08\x00d\x80\xC3Hp\xDF\x15\x81\xAA,\x00\x00\x152\x00\x00\x0C\x00\x1C\x00message2.jpgUT\x09\x00\x03+\x9CQWJ\x9CQWux\x0B\x00\x01\x04\xF5\x01\x00\x00\x04\x14\x00\x00\x00\xADz\x0B...
 
3306 tcp open mysql  syn-ack MySQL  5.7.12-0ubuntu1   
banner 
S\x00\x00\x00\x0A5.7.12-0ubuntu1\x00P\x00\x00\x00\x18\x19\x19(dk%>\x00\xFF\xF7\x08\x02\x00\xFF\x81\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x007y\x05\x06N_'mHTo\x03\x00mysql_native_password\x00 
mysql-info 
  Protocol: 53
  Version: .7.12-0ubuntu1
  Thread ID: 8
  Capabilities flags: 63487
  Some Capabilities: InteractiveClient, ODBCClient, FoundRows, Support41Auth, LongPassword, Speaks41ProtocolOld, SupportsTransactions, SupportsLoadDataLocal, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, IgnoreSigpipes, SupportsCompression, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn
  Status: Autocommit
  Salt: Znl0\x01p|LA'v92xxg._yf 
12380 tcp open http  syn-ack Apache httpd  2.4.18  (Ubuntu) 
http-chrono 
Request times for /; avg: 907.11ms; min: 264.61ms; max: 3440.48ms 
http-comments-displayer 
Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.102
    
    Path: http://192.168.56.102:12380/
    Line number: 345
    Comment: 
        /*           Navigation Bar             */
    
    Path: http://192.168.56.102:12380/
    Line number: 92
    Comment: 
        /*           Animations              */
    
    Path: http://192.168.56.102:12380/
    Line number: 495
    Comment: 
        /*     border-bottom: 1px solid #DDDDDD; */
    
    Path: http://192.168.56.102:12380/
    Line number: 4
    Comment: 
        <!-- Credit: http://www.creative-tim.com/product/coming-sssoon-page -->
    
    Path: http://192.168.56.102:12380/
    Line number: 44
    Comment: 
        /*           Font Smoothing      */
    
    Path: http://192.168.56.102:12380/
    Line number: 305
    Comment: 
        /*             Inputs               */
    
    Path: http://192.168.56.102:12380/
    Line number: 51
    Comment: 
        /*           Typography          */
    
    Path: http://192.168.56.102:12380/
    Line number: 907
    Comment: 
        <!--   You can change the black color for the filter with those colors: blue, green, red, orange       -->
    
    Path: http://192.168.56.102:12380/
    Line number: 221
    Comment: 
        /*           Buttons fill .btn-fill           */
    
    Path: http://192.168.56.102:12380/
    Line number: 913
    Comment: 
        <!--  H1 can have 2 designs: "logo" and "logo cursive"           -->
    
    Path: http://192.168.56.102:12380/
    Line number: 802
    Comment: 
        /*          For demo purpose         */
    
    Path: http://192.168.56.102:12380/
    Line number: 904
    Comment: 
        <!--    Change the image source '/images/default.jpg' with your favourite image.     -->
    
    Path: http://192.168.56.102:12380/
    Line number: 278
    Comment: 
        /*          End Buttons fill          */
    
    Path: http://192.168.56.102:12380/
    Line number: 902
    Comment: 
        <!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->
    
    Path: http://192.168.56.102:12380/
    Line number: 27
    Comment: 
        /*     General overwrite     */
 
http-csrf 
Couldn't find any CSRF vulnerabilities. 
http-date 
Sun, 28 Aug 2016 02:26:06 GMT; -4h59m48s from local time. 
http-devframework 
Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages. 
http-dombased-xss 
Couldn't find any DOM based XSS. 
http-drupal-enum 
Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis) 
http-errors 
Spidering limited to: maxpagecount=40; withinhost=192.168.56.102
  Found the following error pages: 
  
  Error Code: 400
  	http://192.168.56.102:12380/
 
http-feed 
Couldn't find any feeds. 
http-fileupload-exploiter 
 
http-frontpage-login 
false 
http-headers 
  Date: Sun, 28 Aug 2016 02:26:09 GMT
  Server: Apache/2.4.18 (Ubuntu)
  Last-Modified: Fri, 03 Jun 2016 16:55:33 GMT
  ETag: "6a16a-53462974b46e8"
  Accept-Ranges: bytes
  Content-Length: 434538
  Dave: Soemthing doesn't look right here
  Connection: close
  Content-Type: text/html
  
  (Request type: GET)
 
http-litespeed-sourcecode-download 
Request with null byte did not work. This web server might not be vulnerable 
http-methods 
  Supported Methods: OPTIONS GET HEAD POST 
http-mobileversion-checker 
No mobile version detected. 
http-referer-checker 
Couldn't find any cross-domain scripts. 
http-server-header 
Apache/2.4.18 (Ubuntu) 
http-sitemap-generator 
  Directory structure:
  Longest directory structure:
    Depth: 0
    Dir: /
  Total files found (by extension):
    
 
http-slowloris-check 
  VULNERABLE:
  Slowloris DOS attack
    State: LIKELY VULNERABLE
    IDs:  CVE:CVE-2007-6750
      Slowloris tries to keep many connections to the target web server open and hold
      them open as long as possible.  It accomplishes this by opening connections to
      the target web server and sending a partial request. By doing so, it starves
      the http server's resources causing Denial Of Service.
      
    Disclosure date: 2009-09-17
    References:
      http://ha.ckers.org/slowloris/
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
 
http-stored-xss 
Couldn't find any stored XSS vulnerabilities. 
http-title 
Site doesn't have a title (text/html). 
http-useragent-tester 
  
    Allowed User Agents:
    Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
    libwww
    lwp-trivial
    libcurl-agent/1.0
    PHP/
    Python-urllib/2.5
    GT::WWW
    Snoopy
    MFC_Tear_Sample
    HTTP::Lite
    PHPCrawl
    URI::Fetch
    Zend_Http_Client
    http client
    PECL::HTTP
    Wget/1.13.4 (linux-gnu)
    WWW-Mechanize/1.34
  
 
http-vhosts 
127 names had status 400 
http-wordpress-enum 
Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis) 
http-wordpress-users 
[Error] Wordpress installation was not found. We couldn't find wp-login.php 
http-xssed 
ERROR: Script execution failed (use -d to debug) 

Remote Operating System Detection

Host Script Output

Script Name Output
dns-brute 
Can't guess domain of "192.168.56.102"; use dns-brute.domain script argument. 
fcrdns 
FAIL (No PTR record) 
firewalk 
HOP  HOST          PROTOCOL  BLOCKED PORTS
0    192.168.56.5  tcp       1-10
 
ipidseq 
All zeros 
msrpc-enum 
NT_STATUS_OBJECT_NAME_NOT_FOUND 
nbstat 
NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Names:
  RED<00>              Flags: <unique><active>
  RED<03>              Flags: <unique><active>
  RED<20>              Flags: <unique><active>
  WORKGROUP<00>        Flags: <group><active>
  WORKGROUP<1e>        Flags: <group><active>
Statistics:
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 
p2p-conficker 
  Checking for Conficker.C or higher...
  Check 1 (port 50063/tcp): CLEAN (Timeout)
  Check 2 (port 10167/tcp): CLEAN (Timeout)
  Check 3 (port 34474/udp): CLEAN (Failed to receive data)
  Check 4 (port 29075/udp): CLEAN (Failed to receive data)
  0/4 checks are positive: Host is CLEAN or ports are blocked
 
path-mtu 
PMTU == 1500 
qscan 
PORT   FAMILY  MEAN (us)  STDDEV  LOSS (%)
20     0       230.30     47.67   0.0%
21     0       261.90     49.67   0.0%
22     0       263.50     75.89   0.0%
53     0       245.90     44.88   0.0%
80     0       250.89     56.03   10.0%
139    0       275.90     88.14   0.0%
666    0       257.80     71.84   0.0%
3306   0       230.90     43.02   0.0%
12380  0       238.30     54.61   0.0%
 
smb-enum-domains 
  Builtin
    Groups: n/a
    Users: n/a
    Creation time: unknown
    Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
    Account lockout disabled
  RED
    Groups: n/a
    Users: n/a
    Creation time: unknown
    Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
    Account lockout disabled
 
smb-enum-sessions 
  <nobody>
 
smb-enum-shares 
  account_used: guest
  IPC$: 
    Type: STYPE_IPC_HIDDEN
    Comment: IPC Service (red server (Samba, Ubuntu))
    Users: 3
    Max Users: <unlimited>
    Path: C:\tmp
    Anonymous access: READ/WRITE
    Current user access: READ/WRITE
  kathy: 
    Type: STYPE_DISKTREE
    Comment: Fred, What are we doing here?
    Users: 0
    Max Users: <unlimited>
    Path: C:\var\samba\
    Anonymous access: READ
    Current user access: READ
  print$: 
    Type: STYPE_DISKTREE
    Comment: Printer Drivers
    Users: 0
    Max Users: <unlimited>
    Path: C:\var\lib\samba\printers
    Anonymous access: <none>
    Current user access: <none>
  tmp: 
    Type: STYPE_DISKTREE
    Comment: All temporary files should be stored here
    Users: 0
    Max Users: <unlimited>
    Path: C:\var\tmp
    Anonymous access: READ/WRITE
    Current user access: READ/WRITE 
smb-ls 
Volume \\192.168.56.102\kathy
SIZE     TIME                 FILENAME
<DIR>    2016-06-03 11:52:52  .
<DIR>    2016-06-06 16:39:56  ..
<DIR>    2016-06-05 10:02:27  kathy_stuff
64       2016-06-05 10:02:27  kathy_stuff\todo-list.txt
<DIR>    2016-06-05 10:04:14  backup
5961     2016-06-05 10:03:45  backup\vsftpd.conf
6321767  2015-04-27 12:14:46  backup\wordpress-4.tar.gz


Volume \\192.168.56.102\tmp
SIZE   TIME                 FILENAME
<DIR>  2016-08-27 21:26:23  .
<DIR>  2016-06-06 16:39:56  ..
274    2016-06-05 10:32:58  ls

 
smb-mbenum 
  DFS Root
    RED  0.0  red server (Samba, Ubuntu)
  Potential Browser
    RED  0.0  red server (Samba, Ubuntu)
  Print server
    RED  0.0  red server (Samba, Ubuntu)
  Server
    RED  0.0  red server (Samba, Ubuntu)
  Server service
    RED  0.0  red server (Samba, Ubuntu)
  Unix server
    RED  0.0  red server (Samba, Ubuntu)
  Windows NT/2000/XP/2003 server
    RED  0.0  red server (Samba, Ubuntu)
  Workstation
    RED  0.0  red server (Samba, Ubuntu)
 
smb-os-discovery 
  OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
  Computer name: red
  NetBIOS computer name: RED
  Domain name: 
  FQDN: red
  System time: 2016-08-28T03:25:58+01:00
 
smb-security-mode 
  account_used: guest
  authentication_level: user
  challenge_response: supported
  message_signing: disabled (dangerous, but default) 
smb-system-info 
ERROR: Script execution failed (use -d to debug) 
smb-vuln-cve2009-3103 
  VULNERABLE:
  SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
    State: VULNERABLE
    IDs:  CVE:CVE-2009-3103
          Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, 
          Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a 
          denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE 
          PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, 
          aka "SMBv2 Negotiation Vulnerability." 
          
    Disclosure date: 2009-09-08
    References:
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
 
smb-vuln-ms10-054 
ERROR: Script execution failed (use -d to debug) 
smb-vuln-ms10-061 
false 
smb-vuln-regsvc-dos 
  VULNERABLE:
  Service regsvc in Microsoft Windows systems vulnerable to denial of service
    State: VULNERABLE
      The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference 
      pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes 
      while working on smb-enum-sessions.
          
 
smbv2-enabled 
Server supports SMBv2 protocol 
traceroute-geolocation 
  HOP  RTT   ADDRESS         GEOLOCATION
  1    0.49  192.168.56.102  - ,- 
 
