Nmap Scan Report - Scanned at Sun Aug 28 02:24:26 2016

Scan Summary

Nmap 7.25BETA1 was initiated at Sun Aug 28 02:24:26 2016 with these arguments:
nmap -vv -sS -Pn -A -sV -T5 --script=default,auth,vuln,discovery -p- -oX 192-168-56-102.xml --script-args=unsafe=1 192.168.56.102

Verbosity: 2; Debug level 0

Nmap done at Sun Aug 28 02:32:52 2016; 1 IP address (1 host up) scanned in 506.54 seconds

Pre-Scan Script Output

Script Name	Output
broadcast-igmp-discovery	192.168.56.1 Interface: eth1 Version: 2 Group: 224.0.0.251 Description: mDNS (rfc6762) Use the newtargets script-arg to add the results as targets
broadcast-pim-discovery	ERROR: Script execution failed (use -d to debug)
ipv6-multicast-mld-list	fe80::800:27ff:fe00:0: device: eth1 mac: 0a:00:27:00:00:00 multicast_ips: ff02::1:ff9b:1fa4 (Solicited-Node Address) ff02::fb (mDNSv6) ff02::fb (mDNSv6) ff02::fb (mDNSv6) ff02::fb (mDNSv6) ff02::fb (mDNSv6) ff02::1:ff00:0 (NDP Solicited-node) ff02::fb (mDNSv6)
knx-gateway-discover	ERROR: Script execution failed (use -d to debug)
mrinfo	ERROR: Script execution failed (use -d to debug)
targets-asn	targets-asn.asn is a mandatory parameter
targets-ipv6-multicast-echo	IP: fe80::800:27ff:fe00:0 MAC: 0a:00:27:00:00:00 IFACE: eth1 Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-invalid-dst	IP: fe80::800:27ff:fe00:0 MAC: 0a:00:27:00:00:00 IFACE: eth1 Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-mld	IP: fe80::800:27ff:fe00:0 MAC: 0a:00:27:00:00:00 IFACE: eth1 Use --script-args=newtargets to add the results as targets
targets-ipv6-multicast-slaac	IP: fe80::800:27ff:fe00:0 MAC: 0a:00:27:00:00:00 IFACE: eth1 IP: fe80::953f:e6d2:469b:1fa4 MAC: 0a:00:27:00:00:00 IFACE: eth1 Use --script-args=newtargets to add the results as targets

192.168.56.102(online)

Address

192.168.56.102 (ipv4)
08:00:27:45:42:FC - Oracle VirtualBox virtual NIC (mac)

Ports

The 65523 ports scanned but not shown below are in state: filtered

65523 ports replied with: no-responses

Port		State (toggle closed [4] \| filtered [0])	Service	Reason	Product	Version	Extra info
20	tcp	closed	ftp-data	reset
21	tcp	open	ftp	syn-ack	vsftpd	2.0.8 or later
	banner	220-\x0D\x0A220-\|---------------------------------------------- -------------------------------------------\|\x0D\x0A220-\| Harry, make s ure to update the banner when you get a chance to show who has acces...
	ftp-anon	Anonymous FTP login allowed (FTP code 230) Can't get directory listing: Can't parse PASV response: "Permission denied."
	sslv2-drown
22	tcp	open	ssh	syn-ack	OpenSSH	7.2p2 Ubuntu 4	Ubuntu Linux; protocol 2.0
	banner	SSH-2.0-OpenSSH_7.2p2 Ubuntu-4
	ssh-hostkey	2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=
	ssh2-enum-algos	kex_algorithms: (6) curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 server_host_key_algorithms: (5) ssh-rsa rsa-sha2-512 rsa-sha2-256 ecdsa-sha2-nistp256 ssh-ed25519 encryption_algorithms: (6) chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com mac_algorithms: (10) umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1 compression_algorithms: (2) none zlib@openssh.com
53	tcp	open	domain	syn-ack	dnsmasq	2.75
	dns-nsec-enum	Can't determine domain for host 192.168.56.102; use dns-nsec-enum.domains script arg.
	dns-nsec3-enum	Can't determine domain for host 192.168.56.102; use dns-nsec3-enum.domains script arg.
	dns-nsid	bind.version: dnsmasq-2.75
80	tcp	open	http	syn-ack
	http-chrono	Request times for /; avg: 160.92ms; min: 154.53ms; max: 168.78ms
	http-comments-displayer	Couldn't find any comments.
	http-csrf	Couldn't find any CSRF vulnerabilities.
	http-devframework	Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
	http-dombased-xss	Couldn't find any DOM based XSS.
	http-drupal-enum	Nothing found amongst the top 100 resources,use --script-args number=<number\|all> for deeper analysis)
	http-errors	Spidering limited to: maxpagecount=40; withinhost=192.168.56.102 Found the following error pages: Error Code: 404 http://192.168.56.102:80/
	http-feed	Couldn't find any feeds.
	http-fileupload-exploiter
	http-frontpage-login	false
	http-headers	Host: 192.168.56.102 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 533 (Request type: GET)
	http-methods	Supported Methods: GET HEAD POST OPTIONS
	http-mobileversion-checker	No mobile version detected.
	http-referer-checker	Couldn't find any cross-domain scripts.
	http-sitemap-generator	Directory structure: Longest directory structure: Depth: 0 Dir: / Total files found (by extension):
	http-stored-xss	Couldn't find any stored XSS vulnerabilities.
	http-title	Site doesn't have a title (text/html; charset=UTF-8).
	http-useragent-tester	Allowed User Agents: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) libwww lwp-trivial libcurl-agent/1.0 PHP/ Python-urllib/2.5 GT::WWW Snoopy MFC_Tear_Sample HTTP::Lite PHPCrawl URI::Fetch Zend_Http_Client http client PECL::HTTP Wget/1.13.4 (linux-gnu) WWW-Mechanize/1.34
	http-vhosts	127 names had status 404
	http-wordpress-enum	Nothing found amongst the top 100 resources,use --script-args search-limit=<number\|all> for deeper analysis)
	http-wordpress-users	[Error] Wordpress installation was not found. We couldn't find wp-login.php
	http-xssed	ERROR: Script execution failed (use -d to debug)
123	tcp	closed	ntp	reset
137	tcp	closed	netbios-ns	reset
138	tcp	closed	netbios-dgm	reset
139	tcp	open	netbios-ssn	syn-ack	Samba smbd	4.3.9-Ubuntu	workgroup: WORKGROUP
666	tcp	open	doom	syn-ack
	banner	PK\x03\x04\x14\x00\x02\x00\x08\x00d\x80\xC3Hp\xDF\x15\x81\xAA,\ x00\x00\x152\x00\x00\x0C\x00\x1C\x00message2.jpgUT\x09\x00\x03+\x9CQWJ\ x9CQWux\x0B\x00\x01\x04\xF5\x01\x00\x00\x04\x14\x00\x00\x00\xADz\x0B...
3306	tcp	open	mysql	syn-ack	MySQL	5.7.12-0ubuntu1
	banner	S\x00\x00\x00\x0A5.7.12-0ubuntu1\x00P\x00\x00\x00\x18\x19\x19(d k%>\x00\xFF\xF7\x08\x02\x00\xFF\x81\x15\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x007y\x05\x06N_'mHTo\x03\x00mysql_native_password\x00
	mysql-info	Protocol: 53 Version: .7.12-0ubuntu1 Thread ID: 8 Capabilities flags: 63487 Some Capabilities: InteractiveClient, ODBCClient, FoundRows, Support41Auth, LongPassword, Speaks41ProtocolOld, SupportsTransactions, SupportsLoadDataLocal, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, IgnoreSigpipes, SupportsCompression, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn Status: Autocommit Salt: Znl0\x01p\|LA'v92xxg._yf
12380	tcp	open	http	syn-ack	Apache httpd	2.4.18	(Ubuntu)
	http-chrono	Request times for /; avg: 907.11ms; min: 264.61ms; max: 3440.48ms
	http-comments-displayer	Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.102 Path: http://192.168.56.102:12380/ Line number: 345 Comment: /* Navigation Bar / Path: http://192.168.56.102:12380/ Line number: 92 Comment: / Animations / Path: http://192.168.56.102:12380/ Line number: 495 Comment: / border-bottom: 1px solid #DDDDDD; / Path: http://192.168.56.102:12380/ Line number: 4 Comment: <!-- Credit: http://www.creative-tim.com/product/coming-sssoon-page --> Path: http://192.168.56.102:12380/ Line number: 44 Comment: / Font Smoothing / Path: http://192.168.56.102:12380/ Line number: 305 Comment: / Inputs / Path: http://192.168.56.102:12380/ Line number: 51 Comment: / Typography / Path: http://192.168.56.102:12380/ Line number: 907 Comment: <!-- You can change the black color for the filter with those colors: blue, green, red, orange --> Path: http://192.168.56.102:12380/ Line number: 221 Comment: / Buttons fill .btn-fill / Path: http://192.168.56.102:12380/ Line number: 913 Comment: <!-- H1 can have 2 designs: "logo" and "logo cursive" --> Path: http://192.168.56.102:12380/ Line number: 802 Comment: / For demo purpose / Path: http://192.168.56.102:12380/ Line number: 904 Comment: <!-- Change the image source '/images/default.jpg' with your favourite image. --> Path: http://192.168.56.102:12380/ Line number: 278 Comment: / End Buttons fill / Path: http://192.168.56.102:12380/ Line number: 902 Comment: <!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! --> Path: http://192.168.56.102:12380/ Line number: 27 Comment: / General overwrite */
	http-csrf	Couldn't find any CSRF vulnerabilities.
	http-date	Sun, 28 Aug 2016 02:26:06 GMT; -4h59m48s from local time.
	http-devframework	Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
	http-dombased-xss	Couldn't find any DOM based XSS.
	http-drupal-enum	Nothing found amongst the top 100 resources,use --script-args number=<number\|all> for deeper analysis)
	http-errors	Spidering limited to: maxpagecount=40; withinhost=192.168.56.102 Found the following error pages: Error Code: 400 http://192.168.56.102:12380/
	http-feed	Couldn't find any feeds.
	http-fileupload-exploiter
	http-frontpage-login	false
	http-headers	Date: Sun, 28 Aug 2016 02:26:09 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Fri, 03 Jun 2016 16:55:33 GMT ETag: "6a16a-53462974b46e8" Accept-Ranges: bytes Content-Length: 434538 Dave: Soemthing doesn't look right here Connection: close Content-Type: text/html (Request type: GET)
	http-litespeed-sourcecode-download	Request with null byte did not work. This web server might not be vulnerable
	http-methods	Supported Methods: OPTIONS GET HEAD POST
	http-mobileversion-checker	No mobile version detected.
	http-referer-checker	Couldn't find any cross-domain scripts.
	http-server-header	Apache/2.4.18 (Ubuntu)
	http-sitemap-generator	Directory structure: Longest directory structure: Depth: 0 Dir: / Total files found (by extension):
	http-slowloris-check	VULNERABLE: Slowloris DOS attack State: LIKELY VULNERABLE IDs: CVE:CVE-2007-6750 Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service. Disclosure date: 2009-09-17 References: http://ha.ckers.org/slowloris/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
	http-stored-xss	Couldn't find any stored XSS vulnerabilities.
	http-title	Site doesn't have a title (text/html).
	http-useragent-tester	Allowed User Agents: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) libwww lwp-trivial libcurl-agent/1.0 PHP/ Python-urllib/2.5 GT::WWW Snoopy MFC_Tear_Sample HTTP::Lite PHPCrawl URI::Fetch Zend_Http_Client http client PECL::HTTP Wget/1.13.4 (linux-gnu) WWW-Mechanize/1.34
	http-vhosts	127 names had status 400
	http-wordpress-enum	Nothing found amongst the top 100 resources,use --script-args search-limit=<number\|all> for deeper analysis)
	http-wordpress-users	[Error] Wordpress installation was not found. We couldn't find wp-login.php
	http-xssed	ERROR: Script execution failed (use -d to debug)

Remote Operating System Detection

Used port: 21/tcp (open)
Used port: 20/tcp (closed)
Used port: 40303/udp (closed)
OS match: Linux 3.2 - 4.4 (100%)

OS identified but the fingerprint was requested at scan time. (click to expand)

Host Script Output

Script Name	Output
dns-brute	Can't guess domain of "192.168.56.102"; use dns-brute.domain script argument.
fcrdns	FAIL (No PTR record)
firewalk	HOP HOST PROTOCOL BLOCKED PORTS 0 192.168.56.5 tcp 1-10
ipidseq	All zeros
msrpc-enum	NT_STATUS_OBJECT_NAME_NOT_FOUND
nbstat	NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) Names: RED<00> Flags: <unique><active> RED<03> Flags: <unique><active> RED<20> Flags: <unique><active> WORKGROUP<00> Flags: <group><active> WORKGROUP<1e> Flags: <group><active> Statistics: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
p2p-conficker	Checking for Conficker.C or higher... Check 1 (port 50063/tcp): CLEAN (Timeout) Check 2 (port 10167/tcp): CLEAN (Timeout) Check 3 (port 34474/udp): CLEAN (Failed to receive data) Check 4 (port 29075/udp): CLEAN (Failed to receive data) 0/4 checks are positive: Host is CLEAN or ports are blocked
path-mtu	PMTU == 1500
qscan	PORT FAMILY MEAN (us) STDDEV LOSS (%) 20 0 230.30 47.67 0.0% 21 0 261.90 49.67 0.0% 22 0 263.50 75.89 0.0% 53 0 245.90 44.88 0.0% 80 0 250.89 56.03 10.0% 139 0 275.90 88.14 0.0% 666 0 257.80 71.84 0.0% 3306 0 230.90 43.02 0.0% 12380 0 238.30 54.61 0.0%
smb-enum-domains	Builtin Groups: n/a Users: n/a Creation time: unknown Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords Account lockout disabled RED Groups: n/a Users: n/a Creation time: unknown Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords Account lockout disabled
smb-enum-sessions	<nobody>
smb-enum-shares	account_used: guest IPC$: Type: STYPE_IPC_HIDDEN Comment: IPC Service (red server (Samba, Ubuntu)) Users: 3 Max Users: <unlimited> Path: C:\tmp Anonymous access: READ/WRITE Current user access: READ/WRITE kathy: Type: STYPE_DISKTREE Comment: Fred, What are we doing here? Users: 0 Max Users: <unlimited> Path: C:\var\samba\ Anonymous access: READ Current user access: READ print$: Type: STYPE_DISKTREE Comment: Printer Drivers Users: 0 Max Users: <unlimited> Path: C:\var\lib\samba\printers Anonymous access: <none> Current user access: <none> tmp: Type: STYPE_DISKTREE Comment: All temporary files should be stored here Users: 0 Max Users: <unlimited> Path: C:\var\tmp Anonymous access: READ/WRITE Current user access: READ/WRITE
smb-ls	Volume \\192.168.56.102\kathy SIZE TIME FILENAME <DIR> 2016-06-03 11:52:52 . <DIR> 2016-06-06 16:39:56 .. <DIR> 2016-06-05 10:02:27 kathy_stuff 64 2016-06-05 10:02:27 kathy_stuff\todo-list.txt <DIR> 2016-06-05 10:04:14 backup 5961 2016-06-05 10:03:45 backup\vsftpd.conf 6321767 2015-04-27 12:14:46 backup\wordpress-4.tar.gz Volume \\192.168.56.102\tmp SIZE TIME FILENAME <DIR> 2016-08-27 21:26:23 . <DIR> 2016-06-06 16:39:56 .. 274 2016-06-05 10:32:58 ls
smb-mbenum	DFS Root RED 0.0 red server (Samba, Ubuntu) Potential Browser RED 0.0 red server (Samba, Ubuntu) Print server RED 0.0 red server (Samba, Ubuntu) Server RED 0.0 red server (Samba, Ubuntu) Server service RED 0.0 red server (Samba, Ubuntu) Unix server RED 0.0 red server (Samba, Ubuntu) Windows NT/2000/XP/2003 server RED 0.0 red server (Samba, Ubuntu) Workstation RED 0.0 red server (Samba, Ubuntu)
smb-os-discovery	OS: Windows 6.1 (Samba 4.3.9-Ubuntu) Computer name: red NetBIOS computer name: RED Domain name: FQDN: red System time: 2016-08-28T03:25:58+01:00
smb-security-mode	account_used: guest authentication_level: user challenge_response: supported message_signing: disabled (dangerous, but default)
smb-system-info	ERROR: Script execution failed (use -d to debug)
smb-vuln-cve2009-3103	VULNERABLE: SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) State: VULNERABLE IDs: CVE:CVE-2009-3103 Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." Disclosure date: 2009-09-08 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
smb-vuln-ms10-054	ERROR: Script execution failed (use -d to debug)
smb-vuln-ms10-061	false
smb-vuln-regsvc-dos	VULNERABLE: Service regsvc in Microsoft Windows systems vulnerable to denial of service State: VULNERABLE The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes while working on smb-enum-sessions.
smbv2-enabled	Server supports SMBv2 protocol
traceroute-geolocation	HOP RTT ADDRESS GEOLOCATION 1 0.49 192.168.56.102 - ,-

Misc Metrics (click to expand)

Metric	Value
Ping Results	arp-response
System Uptime	681 seconds (last reboot: Sun Aug 28 02:21:31 2016)
Network Distance	1 hops
TCP Sequence Prediction	Difficulty=252 (Good luck!)
IP ID Sequence Generation	All zeros