@dbarranco
Created January 15, 2018 18:58
nmap malware detection over Metasploitable2
arp4@kali ➜ ~ nmap -v --script "malware" 192.168.159.131
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-15 13:57 EST
NSE: Loaded 10 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating ARP Ping Scan at 13:57
Scanning 192.168.159.131 [1 port]
Completed ARP Ping Scan at 13:57, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:57
Completed Parallel DNS resolution of 1 host. at 13:57, 0.02s elapsed
Initiating SYN Stealth Scan at 13:57
Scanning 192.168.159.131 [1000 ports]
Discovered open port 25/tcp on 192.168.159.131
Discovered open port 445/tcp on 192.168.159.131
Discovered open port 22/tcp on 192.168.159.131
Discovered open port 3306/tcp on 192.168.159.131
Discovered open port 80/tcp on 192.168.159.131
Discovered open port 5900/tcp on 192.168.159.131
Discovered open port 21/tcp on 192.168.159.131
Discovered open port 53/tcp on 192.168.159.131
Discovered open port 139/tcp on 192.168.159.131
Discovered open port 111/tcp on 192.168.159.131
Discovered open port 23/tcp on 192.168.159.131
Discovered open port 8009/tcp on 192.168.159.131
Discovered open port 6667/tcp on 192.168.159.131
Discovered open port 513/tcp on 192.168.159.131
Discovered open port 512/tcp on 192.168.159.131
Discovered open port 1524/tcp on 192.168.159.131
Discovered open port 2049/tcp on 192.168.159.131
Discovered open port 514/tcp on 192.168.159.131
Discovered open port 6000/tcp on 192.168.159.131
Discovered open port 8180/tcp on 192.168.159.131
Discovered open port 5432/tcp on 192.168.159.131
Discovered open port 2121/tcp on 192.168.159.131
Discovered open port 1099/tcp on 192.168.159.131
Completed SYN Stealth Scan at 13:57, 1.25s elapsed (1000 total ports)
NSE: Script scanning 192.168.159.131.
Initiating NSE at 13:57
Completed NSE at 13:57, 9.11s elapsed
Nmap scan report for 192.168.159.131
Host is up (0.00017s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://osvdb.org/73573
|_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
|_http-malware-host: Host appears to be clean
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8009/tcp open  ajp13
8180/tcp open  unknown
|_http-malware-host: Host appears to be clean
MAC Address: 00:0C:29:06:5A:FD (VMware)
NSE: Script Post-scanning.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds
Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.160KB)