Created
January 15, 2018 18:58
nmap malware detection over Metasploitable2
arp4@kali ➜ ~ nmap -v --script "malware" 192.168.159.131
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-15 13:57 EST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating ARP Ping Scan at 13:57
Scanning 192.168.159.131 [1 port]
Completed ARP Ping Scan at 13:57, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:57
Completed Parallel DNS resolution of 1 host. at 13:57, 0.02s elapsed
Initiating SYN Stealth Scan at 13:57
Scanning 192.168.159.131 [1000 ports]
Discovered open port 25/tcp on 192.168.159.131
Discovered open port 445/tcp on 192.168.159.131
Discovered open port 22/tcp on 192.168.159.131
Discovered open port 3306/tcp on 192.168.159.131
Discovered open port 80/tcp on 192.168.159.131
Discovered open port 5900/tcp on 192.168.159.131
Discovered open port 21/tcp on 192.168.159.131
Discovered open port 53/tcp on 192.168.159.131
Discovered open port 139/tcp on 192.168.159.131
Discovered open port 111/tcp on 192.168.159.131
Discovered open port 23/tcp on 192.168.159.131
Discovered open port 8009/tcp on 192.168.159.131
Discovered open port 6667/tcp on 192.168.159.131
Discovered open port 513/tcp on 192.168.159.131
Discovered open port 512/tcp on 192.168.159.131
Discovered open port 1524/tcp on 192.168.159.131
Discovered open port 2049/tcp on 192.168.159.131
Discovered open port 514/tcp on 192.168.159.131
Discovered open port 6000/tcp on 192.168.159.131
Discovered open port 8180/tcp on 192.168.159.131
Discovered open port 5432/tcp on 192.168.159.131
Discovered open port 2121/tcp on 192.168.159.131
Discovered open port 1099/tcp on 192.168.159.131
Completed SYN Stealth Scan at 13:57, 1.25s elapsed (1000 total ports)
NSE: Script scanning 192.168.159.131.
Initiating NSE at 13:57
Completed NSE at 13:57, 9.11s elapsed
Nmap scan report for 192.168.159.131
Host is up (0.00017s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://osvdb.org/73573
|_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
|_http-malware-host: Host appears to be clean
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8009/tcp open  ajp13
8180/tcp open  unknown
|_http-malware-host: Host appears to be clean
MAC Address: 00:0C:29:06:5A:FD (VMware)

NSE: Script Post-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds
           Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.160KB)