HTTP ATTACK
#41
I scanned the website but the result only comes out like this:

Code:
nc -vv target.com 80
DNS fwd/rev mismatch: target.com != iix2-1.ssol.com
smantiara.sch.id [103.247.8.5] 80 (http) open
sent 0, rcvd 0

#42
(09-13-2013, 02:37 PM)Doel Wrote: I scanned the website but the result only comes out like this:

Code:
nc -vv target.com 80
DNS fwd/rev mismatch: target.com != iix2-1.ssol.com
smantiara.sch.id [103.247.8.5] 80 (http) open
sent 0, rcvd 0

It could be that only port 80 is open, bro. nc is not very effective for port scanning; nc only uses the established-connection method when it connects. Just try nmap instead.

(08-19-2013, 07:08 PM)M1+5C Wrote: thanks for sharing, bro, I tried it and this is what I got

Code:
root@m1+5c:~# nc -vv xxx.xxx.xxx.xxx 80
xxx.xxx.xxx.xxx: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [xxx.xxx.xxx.xxx] 80 (www) open
OPTIONS / HTTP/1.1
Host: xxx.xxx.xxx.xxx

HTTP/1.1 200 OK
Date: Mon, 19 Aug 2013 10:41:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

then I tried PUT, and this is the result
Code:
root@m1+5c:~# nc -vv xxx.xxx.xxx.xxx 80
xxx.xxx.xxx.xxx: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [xxx.xxx.xxx.xxx] 80 (www) open
PUT /test.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 10
xxxxxxxxxx  
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Mon, 19 Aug 2013 11:00:38 GMT
Connection: close
Content-Length: 42

<h1>Bad Request (Invalid Header Name)</h1> sent 74, rcvd 171

So what's wrong there, bro? And how can we tell whether the directory has 777 permissions or not?

Maybe the PUT method has been disabled by the web server

(07-03-2013, 12:03 PM)afrihhilal Wrote: bro... I want to ask something..
I just scanned a target with nmap..
and the output came out like this..
Code:
nmap -Pn --script=vuln -T3 xxx.xxx.xxx.xxx

Starting Nmap 6.25 (  ) at 2013-07-01 23:10 WIT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (1.4s latency).
Not shown: 935 filtered ports, 59 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
|_http-frontpage-login: false
222/tcp  open  rsh-spx
8000/tcp open  http-alt
|_http-frontpage-login: false
|_http-git: 0
|_http-huawei-hg5xx-vuln: false
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <HTML><HEAD><TITLE>SHOUTcast Server</TITLE></HEAD><BODY><H3>Invalid resource</H3>
|_</BODY></HTML>
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|     Description:
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|      
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /admin.cgi [HEAD]
|  
|     References:
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|       /resources/glossary/http_verb_tampering.html
|       /data/definitions/274.html
|_      /labs/htexploit/
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: VULNERABLE
|     Description:
|       Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
|       It accomplishes this by opening connections to the target web server and sending a partial request. By doing
|       so, it starves the http server's resources causing Denial Of Service.
|               
|     Disclosure date: 2009-09-17
|     References:
|_      /slowloris/
|_http-vuln-cve2010-0738: false
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy
| http-enum:
|_  /phpmyadmin/: phpMyAdmin
|_http-frontpage-login: false
| http-vuln-cve2011-3192:
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  OSVDB:74721
|     Description:
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       /cgi-bin/cvename.cgi?name=CVE-2011-3192
|       /74721
|       /plugins/index.php?view=single&id=55976
|_      /fulldisclosure/2011/Aug/175
| http-vuln-cve2011-3368:
|_  ERROR: Got no answers from pipelined queries

Host script results:
|_firewall-bypass: false
so how do I exploit that, bro?? there's something vulnerable there...
help me out, bro...

The web server is probably still vulnerable to tamper-data attacks (modifying the request) that we send to the web server with an arbitrary request

#43
(09-13-2013, 03:37 PM)alkaaf Wrote:
(08-19-2013, 07:08 PM)M1+5C Wrote: thanks for sharing, bro, I tried it and this is what I got [...]
So what's wrong there, bro? And how can we tell whether the directory has 777 permissions or not?

Maybe the PUT method has been disabled by the web server


It turns out the PUT method gives 411, and I have no idea what 411 means
Code:
nmap --script=http-methods.nse --script-args http-methods.retest=1 xxx.xxx.xxx

Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-06 23:02 WIT
Nmap scan report for xxx.xxx.xxx
Host is up (0.090s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
| http-methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
| Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| See http://nmap.org/nsedoc/scripts/http-methods.html
| OPTIONS / -> HTTP/1.1 200 OK
|
| TRACE / -> HTTP/1.1 501 Not Implemented
|
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| COPY / -> HTTP/1.1 400 Bad Request
|
| PROPFIND / -> HTTP/1.1 411 Length Required
|
| SEARCH / -> HTTP/1.1 411 Length Required
|
| LOCK / -> HTTP/1.1 403 Forbidden
|
| UNLOCK / -> HTTP/1.1 400 Bad Request
|
| DELETE / -> HTTP/1.1 403 Forbidden
|
| PUT / -> HTTP/1.1 411 Length Required
|
| POST / -> HTTP/1.1 405 Method Not Allowed
|
| MOVE / -> HTTP/1.1 403 Forbidden
|
| MKCOL / -> HTTP/1.1 403 Forbidden
|
|_PROPPATCH / -> HTTP/1.1 403 Forbidden
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 17.83 seconds

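The IIS OPTIONS response quoted in post #42 and the http-methods results in post #43 together show what an administrator auditing their own server wants to see: which methods the server advertises (the Allow and Public headers), whether WebDAV is enabled (the DAV header), and what the status codes mean. 411 Length Required means the server refuses to read a request body until a Content-Length header is present; the 400 "Bad Request (Invalid Header Name)" in the netcat session is what IIS returns when the body is typed straight after the headers with no empty line, so the server tries to parse it as a header. The script below is an added example, not code from the thread or its posters: it frames HTTP/1.1 requests correctly, parses a response, and flags risky methods the way nmap's http-methods script reported them. The sample response is constructed from the headers quoted in post #42, and `audit_host` is a hypothetical helper for running the check against a server you administer.

```python
import socket

# Methods that change server state or aid other attacks. This set matches the
# "Potentially risky methods" line nmap's http-methods script printed in #43.
RISKY_METHODS = frozenset({
    "PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPFIND", "PROPPATCH",
    "LOCK", "UNLOCK", "SEARCH", "TRACE",
})

# Status codes that appear in the thread and what they tell an administrator.
STATUS_NOTES = {
    400: "malformed request (e.g. a body sent without the empty line that ends the headers)",
    403: "method recognised but forbidden for this resource",
    405: "method not allowed for this resource",
    411: "the server requires a Content-Length header before it will read a body",
    501: "method not implemented by the server",
}

# Constructed sample: the OPTIONS reply quoted in post #42, re-framed with CRLF.
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 19 Aug 2013 10:41:15 GMT\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"Content-Length: 0\r\n"
    b"Accept-Ranges: none\r\n"
    b"DASL: <DAV:sql>\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Cache-Control: private\r\n"
    b"\r\n"
)


def build_request(method, path, host, body=b"", extra_headers=None):
    """Frame an HTTP/1.1 request correctly: CRLF line endings, a Content-Length
    whenever a body is present, and an empty line between headers and body."""
    headers = {"Host": host, "Connection": "close"}
    if body:
        headers["Content-Length"] = str(len(body))
    if extra_headers:
        headers.update(extra_headers)
    head = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return f"{method} {path} HTTP/1.1\r\n{head}\r\n".encode("ascii") + body


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers, body


def methods_in(headers, name):
    """Return the method list carried by a header such as Allow or Public."""
    return [m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()]


def audit_options(raw):
    """Summarise an OPTIONS reply: advertised methods, WebDAV support, and
    which advertised methods an administrator should review or disable."""
    status, headers, _ = parse_response(raw)
    allow = methods_in(headers, "allow")
    public = methods_in(headers, "public")
    return {
        "status": status,
        "webdav": "dav" in headers,
        "allow": allow,
        "public": public,
        "risky": sorted((set(allow) | set(public)) & RISKY_METHODS),
    }


def explain_status(code):
    """Plain-language note for a status code seen during the audit."""
    return STATUS_NOTES.get(code, "see RFC 9110 for this status code")


def audit_host(host, port=80, timeout=5.0):
    """Hypothetical helper: send OPTIONS / to a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request("OPTIONS", "/", host))
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return audit_options(raw)


if __name__ == "__main__":
    report = audit_options(SAMPLE_OPTIONS_RESPONSE)
    print("WebDAV enabled:", report["webdav"])
    print("Risky methods advertised:", ", ".join(report["risky"]))
    print("411 means:", explain_status(411))
```

Note that Allow describes the resource that was queried while Public (an IIS header) describes the whole server; the audit unions both because post #43 shows methods absent from Allow still answering on other paths. Remediation for an exposed server is to disable WebDAV and restrict the Public/Allow set to what the application actually needs, then re-run the check.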