
Plan(s) of Attack


Expl0itz
2008-11-16, 21:12
Here is the output from an nmap scan I recently did on a host. I figured I'd post it just to see what kind of things you guys could come up with as a plan of attack. Here you go!

Starting Nmap 4.65 ( http://nmap.org ) at 2008-11-16 15:04 Central Standard Time

Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.05s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning ns2.hostdnsserver.com (.51.131.178) [1715 ports]
Discovered open port 80/tcp on 2.51.131.178
Discovered open port 25/tcp on .51.131.178
Discovered open port 21/tcp on .51.131.178
Discovered open port 443/tcp on 9.51.131.178
Discovered open port 53/tcp on 9.51.131.178
Discovered open port 3306/tcp on .51.131.178
Discovered open port 995/tcp on 9.51.131.178
Completed SYN Stealth Scan at 15:05, 42.17s elapsed (1715 total ports)
Initiating Service scan at 15:05
Scanning 7 services on ns2.hostdnsserver.com (.51.131.178)
Completed Service scan at 15:05, 5.17s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against ns2.hostdnsserver.com (.51.131.178)
Insufficient responses for TCP sequencing (1), OS detection may be less accurate

Retrying OS detection (try #2) against ns2.hostdnsserver.com (.51.131.178)
Insufficient responses for TCP sequencing (1), OS detection may be less accurate

Initiating Traceroute at 15:05
.51.131.178: guessing hop distance at 13
Completed Traceroute at 15:05, 30.27s elapsed
Initiating Parallel DNS resolution of 13 hosts. at 15:05
Completed Parallel DNS resolution of 13 hosts. at 15:06, 5.52s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 15:06
SCRIPT ENGINE Timing: About 92.86% done; ETC: 15:06 (0:00:02 remaining)
Completed SCRIPT ENGINE at 15:06, 32.20s elapsed
Host ns2.hostdnsserver.com (2.51.131.178) appears to be up ... good.
Scanned at 2008-11-16 15:04:32 Central Standard Time for 123s
Interesting ports on ns2.hostdnsserver.com (9.51.131.178):
Not shown: 1707 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
22/tcp closed ssh
25/tcp open smtp Exim smtpd 4.69
| SMTPcommands: EHLO ns2.hostdnsserver.com Hello example.org [71.239.134.106], SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, STARTTLS, 250 HELP
|_ HELP Commands supported:, , AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp open domain?
| zone-transfer:
| hostdnsserver.com. SOA ns1.hostdnsserver.com. dnsadmin.ns1.hostdnsserver.com.
| hostdnsserver.com. MX hostdnsserver.com.
| hostdnsserver.com. NS ns1.hostdnsserver.com.
| hostdnsserver.com. NS ns2.hostdnsserver.com.
| hostdnsserver.com. A 51.132.218
| ftp.hostdnsserver.com. A .51.132.218
| localhost.hostdnsserver.com. A 127.0.0.1
| mail.hostdnsserver.com. CNAME
| ns1.hostdnsserver.com. A 9.51.132.218
| ns2.hostdnsserver.com. A .51.131.178
| www.hostdnsserver.com. CNAME
|_ hostdnsserver.com. SOA ns1.hostdnsserver.com. dnsadmin.ns1.hostdnsserver.com.
80/tcp open http?
| robots.txt: /administrator/ /cache/ /components/
| /editor/ /help/ /images/ /includes/ /language/
| /mambots/ /media/ /modules/ /templates/
|_ /installation/
|_ HTML title: Redlands Astronomical Society
443/tcp open https?
|_ HTML title: Site doesn't have a title.
995/tcp open pop3s?
| SSLv2: server still supports SSLv2
|_ the server didn't offer any cyphers
3306/tcp open mysql?
| MySQL Server Information: Protocol: 10
| Version: 4.1.22-standard
| Thread ID: 2569642
| Some Capabilities: Connect with DB, Compress, Secure Connection
| Status: Autocommit
|_ Salt: )?Bn#_9<_L<+^yfq(mof
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Motorola SURFboard 5100i cable modem (92%), Sagem F@st 3302 DSL router (91%), Netcomm V300 VoIP gateway (91%), Avaya Communication Manager (Linux 2.6.11) (91%), Check Point ZoneAlarm Z100G firewall (91%), Linux 2.6.24 (Debian) (91%), HP Brocade 4100 switch; or Actiontec MI-424-WR, Linksys WRVS4400N, or Netgear WNR834B wireless broadband router (91%), FreeBSD 6.2-RELEASE (91%), HP 4200 PSA (Print Server Appliance) model J4117A (91%), HP Brocade 4Gb SAN switch (91%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=4.65%D=11/16%OT=21%CT=22%CU=%PV=N%G=N%TM=49208B5B%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=N)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=40%TOSI=20%CD=S%SI=S%DLI=S)


TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 15.00 192.168.1.1
2 ... 3 no response
4 16.00 te-9-1-ar01.elmhurst.il.chicago.comcast.net (68.87.230.129)
5 16.00 ge-1-2-ar03.area4.il.chicago.comcast.net (68.87.230.237)
6 16.00 68.86.90.49
7 15.00 68.86.89.58
8 47.00 gnax.ge2-13.br01.atl01.pccwbtn.net (63.216.31.130)
9 62.00 ATL-CORE-INT-GA.gnax.net (9.51.137.218)
10 62.00 l3-atl-7.gnax.net (.51.131.62)
11 47.00 ns2.hostdnsserver.com (.51.131.178)

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.000 seconds
Raw packets sent: 3562 (160.976KB) | Rcvd: 444 (66.759KB)
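A triage pass over the scan above, as an added example that is not part of Expl0itz's post: a Python script that parses the port table and NSE script output from nmap's normal output format and flags the findings a pentester would chase first (the zone transfer, the exposed MySQL, SSLv2 on POP3S, the /installation/ path in robots.txt, AUTH offered on cleartext SMTP, FTP). The sample input is a trimmed copy of the output above with the IP addresses replaced by RFC 5737 documentation addresses; the severity labels and the parse_nmap_normal/triage helper names are the example's own.

```python
import re

# One row of nmap's port table: "3306/tcp open   mysql?  MySQL 4.1.22"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: trimmed from the scan posted above, IPs replaced with RFC 5737 addresses.
SAMPLE = """\
Interesting ports on ns2.hostdnsserver.com (192.0.2.10):
Not shown: 1707 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     PureFTPd
22/tcp   closed ssh
25/tcp   open   smtp    Exim smtpd 4.69
| SMTPcommands: EHLO ns2.hostdnsserver.com Hello example.org, SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, STARTTLS, 250 HELP
|_ HELP Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp   open   domain?
| zone-transfer:
| hostdnsserver.com. SOA ns1.hostdnsserver.com. dnsadmin.ns1.hostdnsserver.com.
| hostdnsserver.com. MX hostdnsserver.com.
| hostdnsserver.com. NS ns1.hostdnsserver.com.
| hostdnsserver.com. NS ns2.hostdnsserver.com.
| hostdnsserver.com. A 192.0.2.20
| ftp.hostdnsserver.com. A 192.0.2.20
| localhost.hostdnsserver.com. A 127.0.0.1
| mail.hostdnsserver.com. CNAME
| ns1.hostdnsserver.com. A 192.0.2.20
| ns2.hostdnsserver.com. A 192.0.2.10
| www.hostdnsserver.com. CNAME
|_ hostdnsserver.com. SOA ns1.hostdnsserver.com. dnsadmin.ns1.hostdnsserver.com.
80/tcp   open   http?
| robots.txt: /administrator/ /cache/ /components/ /editor/ /help/ /images/ /includes/ /language/ /mambots/ /media/ /modules/ /templates/
|_ /installation/
|_ HTML title: Redlands Astronomical Society
443/tcp  open   https?
|_ HTML title: Site doesn't have a title.
995/tcp  open   pop3s?
| SSLv2: server still supports SSLv2
|_ the server didn't offer any cyphers
3306/tcp open   mysql?
| MySQL Server Information: Protocol: 10
| Version: 4.1.22-standard
|_ Status: Autocommit
"""


def parse_nmap_normal(text):
    """Map port number -> details for the port table of nmap's normal output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "script": []}
        elif line.startswith("|") and current is not None:
            # NSE script output is printed under the port it belongs to
            ports[current]["script"].append(line.lstrip("|_ ").strip())
        elif line.strip():
            current = None  # any other non-blank line ends the port block
    return ports


def triage(ports):
    """Return (port, severity, note) for the open services worth looking at first."""
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        script = "\n".join(info["script"])
        if port == 53 and any(l.startswith("zone-transfer") for l in info["script"]):
            names = sorted({l.split()[0] for l in info["script"]
                            if len(l.split()) >= 2 and l.split()[0].endswith(".")})
            findings.append((port, "high",
                             f"AXFR allowed; zone dump leaks {len(names)} names: {' '.join(names)}"))
        if port == 25 and "AUTH" in script and "STARTTLS" in script:
            findings.append((port, "medium",
                             "SMTP AUTH advertised on the cleartext EHLO; logins may be sent before STARTTLS"))
        if port == 80 and "/installation/" in script:
            findings.append((port, "medium",
                             "robots.txt lists /installation/ (Mambo/Joomla-style tree); check whether the installer is still present"))
        if port == 995 and "SSLv2" in script:
            findings.append((port, "medium", "SSLv2 still offered on POP3S"))
        if port == 3306:
            m = re.search(r"Version:\s*(\S+)", script)
            ver = m.group(1) if m else "unknown"
            findings.append((port, "high",
                             f"MySQL {ver} reachable from the scanner; should not be internet-exposed"))
        if port == 21:
            findings.append((port, "low",
                             f"FTP ({info['version'] or 'unknown'}): cleartext logins, test anonymous access"))
    return findings


if __name__ == "__main__":
    for port, sev, note in triage(parse_nmap_normal(SAMPLE)):
        print(f"{port:>5}/tcp  {sev:<6}  {note}")
```

The parser keys on nmap's normal output rather than -oX, since that is what people paste into threads; the script lines are attached to the most recent port row, which is how nmap prints them.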

Numberjumbo
2008-11-16, 23:47
Ping the fuck out of the IP's.

Clover
2008-11-20, 18:35
Debian is a real bitch to exploit in my experience, but apparently the operating system comes stock (unconfigured) in such a way that it makes a buffer overflow of Apache's SSL service quite easy. You could start there, but you'd need to have decent C coding experience.

Mutant Funk Drink
2008-11-24, 21:24
You're trying to hack the IBM corporation?

Glasgowsweeman
2008-12-04, 20:09
Maybe this is noobish, but what about brute forcing port 21?

FailedArtifact
2008-12-04, 21:56
Wayhey! The HTTP port is open.. you know what that means!!!!

grusomhat
2008-12-04, 22:42
Wayhey! The HTTP port is open.. you know what that means!!!!

They surf the internet?

Clover
2008-12-04, 22:55
They surf the internet?


Lol. It means there's a running web server on the machine. You probably already knew this, but you never know.

FailedArtifact
2008-12-04, 23:00
I doubt it means anything, i was just jerking around.

Clover
2008-12-04, 23:09
I doubt it means anything, i was just jerking around.


Well, you could always go to the web address and look around for RFI exploits including stream wrappers. If you could connect it with a shell, that'd be much easier than trying to root the box. It's not likely, but definitely worth a shot; easiest to hardest method, always.

reidy-
2008-12-05, 18:52
OMG, its time...

bring on the PING OF DEATH :mad::mad::mad::mad:

Clover
2008-12-05, 18:54
OMG, its time...

bring on the PING OF DEATH :mad::mad::mad::mad:



Bahahahhaha, that takes me back to 98. That shit only works with the highest of internet connections against the weakest (28k much?). Nowadays it needs to be a distributed DOS (DDOS), unless there's a specific exploit leaving the box vulnerable to a DOS.

reidy-
2008-12-06, 13:42
I don't think you are aware of what the ping of death is.

It's a custom-made ping that is larger than the buffer on the receiver's side, causing a buffer overflow.

Jaguarstrike
2008-12-07, 02:55
I don't think you are aware of what the ping of death is.

It's a custom-made ping that is larger than the buffer on the receiver's side, causing a buffer overflow.

You could shut down nigh any machine in the world so long as it was configured to respond.

Warsie
2008-12-08, 00:56
Ping the fuck out of the IP's.

this. though do it on the open ports.

Expl0itz
2008-12-08, 10:31
You guys completely missed the zone transfer.... They made such a big deal about it a month or two ago, about the huge flaw in BIND9. It happened to comcast.net, redtube.com, photobucket.com. All those pages looked like they were hacked because someone was able to update the DNS with bogus records, and not only that, but you can cause a DoS with bogus requests as well.
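What the zone transfer in the scan actually looks like on the wire, as an added example that is not part of the post above: Python with only the standard library builds the AXFR query nmap's zone-transfer script sends on 53/tcp, parses the answer records out of the reply (including DNS name-compression pointers), and try_axfr() sends the query to a real server over TCP. The reply returned by build_sample_response() is constructed for offline testing, not captured from ns2.hostdnsserver.com, and uses RFC 5737 addresses; the function names are the example's own. It reads only the first response message, whereas a large zone can arrive as several.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 252: "AXFR"}
ZONE = "hostdnsserver.com"  # zone name taken from the scan above


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header + one question of QTYPE AXFR (252), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)


def decode_name(msg, off):
    """Read a name at msg[off], following 0xC0xx compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            if end is None:
                end = off + 2  # the pointer is the last thing consumed at this level
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_axfr_response(msg):
    """Return (rcode, [(owner, type, value), ...]) for one DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode != 0:
        return rcode, []  # e.g. 5 = REFUSED, what a correctly restricted server answers
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[rdata_off:off])
        elif rtype in (2, 5):  # NS / CNAME rdata is itself a (possibly compressed) name
            value, _ = decode_name(msg, rdata_off)
        else:
            value = msg[rdata_off:off].hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
    return rcode, records


def try_axfr(server, zone=ZONE, timeout=5.0):
    """Send the AXFR over TCP (2-byte length prefix) and parse the first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_axfr_response(data)


def build_sample_response(txid=0x1234, rcode=0):
    """Constructed reply (not captured from any real server): QR+AA, 3 answers, RFC 5737 addresses."""
    an = 0 if rcode else 3
    msg = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, an, 0, 0)
    msg += encode_name(ZONE) + struct.pack("!HH", 252, 1)  # zone name sits at offset 12
    if rcode:
        return msg
    ptr_zone = b"\xC0\x0C"  # compression pointer back to the zone name at offset 12

    def rr(prefix, rtype, rdata):
        return prefix + ptr_zone + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

    msg += rr(b"\x03ns1", 1, bytes([192, 0, 2, 1]))
    msg += rr(b"\x03ns2", 1, bytes([192, 0, 2, 2]))
    msg += rr(b"\x03www", 5, ptr_zone)  # CNAME pointing at the apex
    return msg


if __name__ == "__main__":
    for owner, rtype, value in parse_axfr_response(build_sample_response())[1]:
        print(owner, rtype, value)
```

From the command line, dig axfr hostdnsserver.com @ns2.hostdnsserver.com performs the same check; a server that restricts transfers answers REFUSED (rcode 5), which the parser above reports as an empty record list.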