The Open Web Application Security Project (OWASP) is a group that specifically monitors web attacks. OWASP maintains a list of the Top 10 Attacks on an ongoing basis.
This group also holds regular meetings at chapters throughout the world, providing resources and tools such as testing procedures, code review steps, and development guidelines.
The following are some of OWASP’s key publications:
• Software Assurance Maturity Model: Guidance on moving from a disorganized
software development process to one that focuses on continuous improvement
• Development Guide: Tips on secure coding practices and updates on the latest threats
• Testing Guide: A framework for performing penetration tests on software
• Guide to Building Secure Web Applications: Best practices for building security into
a web application
• Code Review Guide: Advice on code review
• Testing Guide: Code testing guidelines
• Application Security Verification Standards: A basis for testing web application technical security controls that provides developers with a list of requirements for secure development
I used the Kali Linux curl command to quickly get the Internet Information Services (IIS) information on my Windows 2012 server. Issue curl -h to show the command options.
root@kali:~# curl -h
Usage: curl [options...] <url>
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--basic Use HTTP Basic Authentication
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify the status of the server certificate
--cert-type <type> Certificate file type (DER/PEM/ENG)
--ciphers <list of ciphers> SSL ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed for connection
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data> Send cookies from string/file
-c, --cookie-jar <filename> Write cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--crlf Convert LF to CRLF in upload
--crlfile <file> Get a CRL list in PEM format from the given file
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data url encoded
--delegation <LEVEL> GSS-API delegation permission
--digest Use HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
-D, --dump-header <filename> Write the received headers to <filename>
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail silently (no output at all) on HTTP errors
--fail-early Fail on first transfer error, do not continue
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Use PASV/EPSV instead of PORT
-P, --ftp-port <address> Use PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL sequences and ranges using {} and []
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help This help text
--hostpubmd5 <md5> Acceptable MD5 hash of the host public key
-0, --http1.0 Use HTTP 1.0
--http1.1 Use HTTP 1.1
--http2 Use HTTP 2
--http2-prior-knowledge Use HTTP 2 without HTTP/1.1 Upgrade
--ignore-content-length Ignore the size of the remote resource
-i, --include Include protocol response headers in the output
-k, --insecure Allow insecure server connections when using SSL
--interface <name> Use network INTERFACE (or address)
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key file name
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Dump libcurl equivalent code of this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <num/range> Force use of RANGE for local port numbers
-L, --location Follow redirects
--location-trusted Like --location, and send auth to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail from this address
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <time> Maximum time allowed for the transfer
--metalink Process given URLs as metalink XML file
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for user name and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use its separate set of options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm Use HTTP NTLM authentication
--ntlm-wb Use HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--pass <phrase> Pass phrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> FILE/HASHES Public key to verify peer against
--post301 Do not switch to GET after following a 301
--post302 Do not switch to GET after following a 302
--post303 Do not switch to GET after following a 303
--preproxy [protocol://]host[:port] Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy [protocol://]host[:port] Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-cacert <file> CA certificate to verify peer against for proxy
--proxy-capath <dir> CA directory to verify peer against for proxy
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTS proxy
--proxy-ciphers <list> SSL ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Use Digest authentication on the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-insecure Do HTTPS proxy connections without verifying the proxy
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate Use HTTP Negotiate (SPNEGO) authentication on the proxy
--proxy-ntlm Use NTLM authentication on the proxy
--proxy-pass <phrase> Pass phrase for the private key for HTTPS proxy
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow security flaw for interop for HTTPS proxy
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 Use TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel Operate through a HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key file name
-Q, --quote Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--raw Do HTTP "raw"; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to a file named as the remote file
--remote-name-all Use the remote file name for all URLs
-R, --remote-time Set the remote file's time on the local output
-X, --request <command> Specify request command to use
--request-target Specify the target for this request
--resolve <host:port:address> Resolve the host+port to this address
--retry <num> Retry request if transient problems occur
--retry-connrefused Retry on connection refused (use with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-ir Enable initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-s, --silent Silent mode
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Enable username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass host name to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try SSL/TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-no-revoke Disable cert revocation checks (WinSSL)
--ssl-reqd Require SSL/TLS
-2, --sslv2 Use SSLv2
-3, --sslv3 Use SSLv3
--stderr Where to redirect stderr
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Use the TCP_NODELAY option
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-max <VERSION> Use TLSv1.0 or greater
--tlsauthtype <type> TLS authentication type
--tlspassword TLS password
--tlsuser <name> TLS user name
-1, --tlsv1 Use TLSv1.0 or greater
--tlsv1.0 Use TLSv1.0
--tlsv1.1 Use TLSv1.1
--tlsv1.2 Use TLSv1.2
--tlsv1.3 Use TLSv1.3
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--url <url> URL to work with
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
-w, --write-out <format> Use output FORMAT after completion
--xattr Store metadata in extended file attributes
root@kali:~# curl -I 192.168.1.130
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Mon, 19 Feb 2018 15:51:41 GMT
Accept-Ranges: bytes
ETag: "e1f1bd8899a9d31:0"
Server: Microsoft-IIS/8.5
Date: Tue, 20 Mar 2018 07:41:51 GMT
I also ran nmap in order to gather a more detailed information on my Windows 2012 server.
root@kali:~# nmap -T4 -A -v 192.168.1.130 // INTENSIVE SCAN EQUIVALENT IN ZENMAP
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-20 00:48 PDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:48
Completed NSE at 00:48, 0.00s elapsed
Initiating NSE at 00:48
Completed NSE at 00:48, 0.00s elapsed
Initiating ARP Ping Scan at 00:48
Scanning 192.168.1.130 [1 port]
Completed ARP Ping Scan at 00:48, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:48
Completed Parallel DNS resolution of 1 host. at 00:48, 0.96s elapsed
Initiating SYN Stealth Scan at 00:48
Scanning 192.168.1.130 [1000 ports]
Discovered open port 445/tcp on 192.168.1.130
Discovered open port 80/tcp on 192.168.1.130
Discovered open port 139/tcp on 192.168.1.130
Discovered open port 135/tcp on 192.168.1.130
Discovered open port 49157/tcp on 192.168.1.130
Increasing send delay for 192.168.1.130 from 0 to 5 due to 14 out of 34 dropped probes since last increase.
Increasing send delay for 192.168.1.130 from 5 to 10 due to 17 out of 42 dropped probes since last increase.
Discovered open port 49159/tcp on 192.168.1.130
Discovered open port 49154/tcp on 192.168.1.130
Discovered open port 49152/tcp on 192.168.1.130
Discovered open port 49153/tcp on 192.168.1.130
Discovered open port 49156/tcp on 192.168.1.130
Discovered open port 49155/tcp on 192.168.1.130
Completed SYN Stealth Scan at 00:48, 17.13s elapsed (1000 total ports)
Initiating Service scan at 00:48
Scanning 11 services on 192.168.1.130
Service scan Timing: About 45.45% done; ETC: 00:50 (0:01:05 remaining)
Completed Service scan at 00:49, 58.63s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.130
adjust_timeouts2: packet supposedly had rtt of -151623 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151623 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151146 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151146 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152267 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152267 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152200 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152200 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152206 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152206 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.130.
Initiating NSE at 00:49
Completed NSE at 00:49, 5.30s elapsed
Initiating NSE at 00:49
Completed NSE at 00:49, 0.03s elapsed
Nmap scan report for 192.168.1.130
Host is up (0.0015s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:02:25:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2012|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2012 R2 Update 1, Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Uptime guess: 1.242 days (since Sun Mar 18 19:02:00 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| nbstat: NetBIOS name: WIN-RVKO5P0EO57, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:02:25:0b (Oracle VirtualBox virtual NIC)
| Names:
| WIN-RVKO5P0EO57<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WIN-RVKO5P0EO57<20> Flags: <unique><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-03-20 00:49:49
|_ start_date: 2018-03-19 10:02:07
TRACEROUTE
HOP RTT ADDRESS
1 1.48 ms 192.168.1.130
NSE: Script Post-scanning.
Initiating NSE at 00:49
Completed NSE at 00:49, 0.00s elapsed
Initiating NSE at 00:49
Completed NSE at 00:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.70 seconds
Raw packets sent: 1925 (85.774KB) | Rcvd: 1600 (65.090KB)
I tried using the Mircorosft's URL Scan but seems it's not supported on IIS 8.5 so I used the URL Rewrite tool instead. Just download and follow the installation wizard.
The URL Rewrite won't show up in the IIS Manager unless the IIS is restarted. Issue the iisreset /stop and iisreset /start in PowerShell.
Open IIS Manager and click on URL Rewrite.
Click View Server Variables.
Under Actions > click Add > type a name for Server variable name > click OK.
Click Back to Rules > right-click under Outbound rules > Add Rule(s).
Choose Blank rule > click OK.
Type a Name > choose Server Variable under Matching scope > type a Variable Name > leave the default on Variable value and Using: > type .* under Pattern.
I retest and noticed the Server: field is now blank on the curl command output.
root@kali:~# nmap -T4 -A -v 192.168.1.130
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-20 22:23 PDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:23
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (0 waiting)
NSE Timing: About 0.00% done
Completed NSE at 22:23, 0.00s elapsed
Initiating NSE at 22:23
Completed NSE at 22:23, 0.00s elapsed
Initiating ARP Ping Scan at 22:23
Scanning 192.168.1.130 [1 port]
Completed ARP Ping Scan at 22:23, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:23
Completed Parallel DNS resolution of 1 host. at 22:23, 13.00s elapsed
Initiating SYN Stealth Scan at 22:23
Scanning 192.168.1.130 [1000 ports]
Discovered open port 135/tcp on 192.168.1.130
Discovered open port 445/tcp on 192.168.1.130
Discovered open port 139/tcp on 192.168.1.130
Discovered open port 80/tcp on 192.168.1.130
Increasing send delay for 192.168.1.130 from 0 to 5 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 192.168.1.130 from 5 to 10 due to 15 out of 36 dropped probes since last increase.
Discovered open port 49154/tcp on 192.168.1.130
Discovered open port 49152/tcp on 192.168.1.130
Discovered open port 49153/tcp on 192.168.1.130
Discovered open port 49157/tcp on 192.168.1.130
Discovered open port 49156/tcp on 192.168.1.130
Discovered open port 49158/tcp on 192.168.1.130
Discovered open port 49155/tcp on 192.168.1.130
Completed SYN Stealth Scan at 22:23, 15.91s elapsed (1000 total ports)
Initiating Service scan at 22:23
Scanning 11 services on 192.168.1.130
Service scan Timing: About 45.45% done; ETC: 22:25 (0:01:04 remaining)
Completed Service scan at 22:24, 61.64s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.130
adjust_timeouts2: packet supposedly had rtt of -151702 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151702 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152061 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152061 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153953 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153953 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153790 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153790 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153707 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153707 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.130.
Initiating NSE at 22:24
Completed NSE at 22:24, 5.30s elapsed
Initiating NSE at 22:24
Completed NSE at 22:24, 0.01s elapsed
Nmap scan report for 192.168.1.130
Host is up (0.0012s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: <empty>
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:02:25:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2012|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2012 R2 Update 1, Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Uptime guess: 0.869 days (since Tue Mar 20 01:33:58 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| nbstat: NetBIOS name: WIN-RVKO5P0EO57, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:02:25:0b (Oracle VirtualBox virtual NIC)
| Names:
| WIN-RVKO5P0EO57<20> Flags: <unique><active>
| WIN-RVKO5P0EO57<00> Flags: <unique><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-03-20 22:24:34
|_ start_date: 2018-03-20 01:34:00
TRACEROUTE
HOP RTT ADDRESS
1 1.21 ms 192.168.1.130
NSE: Script Post-scanning.
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.50 seconds
Raw packets sent: 1912 (85.202KB) | Rcvd: 1537 (62.566KB)
This group also holds regular meetings at chapters throughout the world, providing resources and tools such as testing procedures, code review steps, and development guidelines.
The following are some of OWASP’s key publications:
• Software Assurance Maturity Model: Guidance on moving from a disorganized
software development process to one that focuses on continuous improvement
• Development Guide: Tips on secure coding practices and updates on the latest threats
• Testing Guide: A framework for performing penetration tests on software
• Guide to Building Secure Web Applications: Best practices for building security into
a web application
• Code Review Guide: Advice on code review
• Testing Guide: Code testing guidelines
• Application Security Verification Standards: A basis for testing web application technical security controls that provides developers with a list of requirements for secure development
I used the Kali Linux curl command to quickly get the Internet Information Services (IIS) information on my Windows 2012 server. Issue curl -h to show the command options.
root@kali:~# curl -h
Usage: curl [options...] <url>
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--basic Use HTTP Basic Authentication
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify the status of the server certificate
--cert-type <type> Certificate file type (DER/PEM/ENG)
--ciphers <list of ciphers> SSL ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed for connection
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data> Send cookies from string/file
-c, --cookie-jar <filename> Write cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--crlf Convert LF to CRLF in upload
--crlfile <file> Get a CRL list in PEM format from the given file
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data url encoded
--delegation <LEVEL> GSS-API delegation permission
--digest Use HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
-D, --dump-header <filename> Write the received headers to <filename>
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail silently (no output at all) on HTTP errors
--fail-early Fail on first transfer error, do not continue
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Use PASV/EPSV instead of PORT
-P, --ftp-port <address> Use PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL sequences and ranges using {} and []
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help This help text
--hostpubmd5 <md5> Acceptable MD5 hash of the host public key
-0, --http1.0 Use HTTP 1.0
--http1.1 Use HTTP 1.1
--http2 Use HTTP 2
--http2-prior-knowledge Use HTTP 2 without HTTP/1.1 Upgrade
--ignore-content-length Ignore the size of the remote resource
-i, --include Include protocol response headers in the output
-k, --insecure Allow insecure server connections when using SSL
--interface <name> Use network INTERFACE (or address)
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key file name
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Dump libcurl equivalent code of this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <num/range> Force use of RANGE for local port numbers
-L, --location Follow redirects
--location-trusted Like --location, and send auth to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail from this address
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <time> Maximum time allowed for the transfer
--metalink Process given URLs as metalink XML file
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for user name and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use its separate set of options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm Use HTTP NTLM authentication
--ntlm-wb Use HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--pass <phrase> Pass phrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> FILE/HASHES Public key to verify peer against
--post301 Do not switch to GET after following a 301
--post302 Do not switch to GET after following a 302
--post303 Do not switch to GET after following a 303
--preproxy [protocol://]host[:port] Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy [protocol://]host[:port] Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-cacert <file> CA certificate to verify peer against for proxy
--proxy-capath <dir> CA directory to verify peer against for proxy
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTS proxy
--proxy-ciphers <list> SSL ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Use Digest authentication on the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-insecure Do HTTPS proxy connections without verifying the proxy
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate Use HTTP Negotiate (SPNEGO) authentication on the proxy
--proxy-ntlm Use NTLM authentication on the proxy
--proxy-pass <phrase> Pass phrase for the private key for HTTPS proxy
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow security flaw for interop for HTTPS proxy
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 Use TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel Operate through a HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key file name
-Q, --quote Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--raw Do HTTP "raw"; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to a file named as the remote file
--remote-name-all Use the remote file name for all URLs
-R, --remote-time Set the remote file's time on the local output
-X, --request <command> Specify request command to use
--request-target Specify the target for this request
--resolve <host:port:address> Resolve the host+port to this address
--retry <num> Retry request if transient problems occur
--retry-connrefused Retry on connection refused (use with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-ir Enable initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-s, --silent Silent mode
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Enable username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass host name to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try SSL/TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-no-revoke Disable cert revocation checks (WinSSL)
--ssl-reqd Require SSL/TLS
-2, --sslv2 Use SSLv2
-3, --sslv3 Use SSLv3
--stderr Where to redirect stderr
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Use the TCP_NODELAY option
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-max <VERSION> Use TLSv1.0 or greater
--tlsauthtype <type> TLS authentication type
--tlspassword TLS password
--tlsuser <name> TLS user name
-1, --tlsv1 Use TLSv1.0 or greater
--tlsv1.0 Use TLSv1.0
--tlsv1.1 Use TLSv1.1
--tlsv1.2 Use TLSv1.2
--tlsv1.3 Use TLSv1.3
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--url <url> URL to work with
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
-w, --write-out <format> Use output FORMAT after completion
--xattr Store metadata in extended file attributes
root@kali:~# curl -I 192.168.1.130
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Mon, 19 Feb 2018 15:51:41 GMT
Accept-Ranges: bytes
ETag: "e1f1bd8899a9d31:0"
Server: Microsoft-IIS/8.5
Date: Tue, 20 Mar 2018 07:41:51 GMT
I also ran nmap in order to gather a more detailed information on my Windows 2012 server.
root@kali:~# nmap -T4 -A -v 192.168.1.130 // INTENSIVE SCAN EQUIVALENT IN ZENMAP
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-20 00:48 PDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:48
Completed NSE at 00:48, 0.00s elapsed
Initiating NSE at 00:48
Completed NSE at 00:48, 0.00s elapsed
Initiating ARP Ping Scan at 00:48
Scanning 192.168.1.130 [1 port]
Completed ARP Ping Scan at 00:48, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:48
Completed Parallel DNS resolution of 1 host. at 00:48, 0.96s elapsed
Initiating SYN Stealth Scan at 00:48
Scanning 192.168.1.130 [1000 ports]
Discovered open port 445/tcp on 192.168.1.130
Discovered open port 80/tcp on 192.168.1.130
Discovered open port 139/tcp on 192.168.1.130
Discovered open port 135/tcp on 192.168.1.130
Discovered open port 49157/tcp on 192.168.1.130
Increasing send delay for 192.168.1.130 from 0 to 5 due to 14 out of 34 dropped probes since last increase.
Increasing send delay for 192.168.1.130 from 5 to 10 due to 17 out of 42 dropped probes since last increase.
Discovered open port 49159/tcp on 192.168.1.130
Discovered open port 49154/tcp on 192.168.1.130
Discovered open port 49152/tcp on 192.168.1.130
Discovered open port 49153/tcp on 192.168.1.130
Discovered open port 49156/tcp on 192.168.1.130
Discovered open port 49155/tcp on 192.168.1.130
Completed SYN Stealth Scan at 00:48, 17.13s elapsed (1000 total ports)
Initiating Service scan at 00:48
Scanning 11 services on 192.168.1.130
Service scan Timing: About 45.45% done; ETC: 00:50 (0:01:05 remaining)
Completed Service scan at 00:49, 58.63s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.130
adjust_timeouts2: packet supposedly had rtt of -151623 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151623 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151146 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151146 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152267 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152267 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152200 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152200 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152206 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152206 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.130.
Initiating NSE at 00:49
Completed NSE at 00:49, 5.30s elapsed
Initiating NSE at 00:49
Completed NSE at 00:49, 0.03s elapsed
Nmap scan report for 192.168.1.130
Host is up (0.0015s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:02:25:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2012|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2012 R2 Update 1, Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Uptime guess: 1.242 days (since Sun Mar 18 19:02:00 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| nbstat: NetBIOS name: WIN-RVKO5P0EO57, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:02:25:0b (Oracle VirtualBox virtual NIC)
| Names:
| WIN-RVKO5P0EO57<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WIN-RVKO5P0EO57<20> Flags: <unique><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-03-20 00:49:49
|_ start_date: 2018-03-19 10:02:07
TRACEROUTE
HOP RTT ADDRESS
1 1.48 ms 192.168.1.130
NSE: Script Post-scanning.
Initiating NSE at 00:49
Completed NSE at 00:49, 0.00s elapsed
Initiating NSE at 00:49
Completed NSE at 00:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.70 seconds
Raw packets sent: 1925 (85.774KB) | Rcvd: 1600 (65.090KB)
I tried using the Mircorosft's URL Scan but seems it's not supported on IIS 8.5 so I used the URL Rewrite tool instead. Just download and follow the installation wizard.
The URL Rewrite won't show up in the IIS Manager unless the IIS is restarted. Issue the iisreset /stop and iisreset /start in PowerShell.
Open IIS Manager and click on URL Rewrite.
Click View Server Variables.
Under Actions > click Add > type a name for Server variable name > click OK.
Click Back to Rules > right-click under Outbound rules > Add Rule(s).
Choose Blank rule > click OK.
Type a Name > choose Server Variable under Matching scope > type a Variable Name > leave the default on Variable value and Using: > type .* under Pattern.
I retest and noticed the Server: field is now blank on the curl command output.
root@kali:~# nmap -T4 -A -v 192.168.1.130
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-20 22:23 PDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:23
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (0 waiting)
NSE Timing: About 0.00% done
Completed NSE at 22:23, 0.00s elapsed
Initiating NSE at 22:23
Completed NSE at 22:23, 0.00s elapsed
Initiating ARP Ping Scan at 22:23
Scanning 192.168.1.130 [1 port]
Completed ARP Ping Scan at 22:23, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:23
Completed Parallel DNS resolution of 1 host. at 22:23, 13.00s elapsed
Initiating SYN Stealth Scan at 22:23
Scanning 192.168.1.130 [1000 ports]
Discovered open port 135/tcp on 192.168.1.130
Discovered open port 445/tcp on 192.168.1.130
Discovered open port 139/tcp on 192.168.1.130
Discovered open port 80/tcp on 192.168.1.130
Increasing send delay for 192.168.1.130 from 0 to 5 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 192.168.1.130 from 5 to 10 due to 15 out of 36 dropped probes since last increase.
Discovered open port 49154/tcp on 192.168.1.130
Discovered open port 49152/tcp on 192.168.1.130
Discovered open port 49153/tcp on 192.168.1.130
Discovered open port 49157/tcp on 192.168.1.130
Discovered open port 49156/tcp on 192.168.1.130
Discovered open port 49158/tcp on 192.168.1.130
Discovered open port 49155/tcp on 192.168.1.130
Completed SYN Stealth Scan at 22:23, 15.91s elapsed (1000 total ports)
Initiating Service scan at 22:23
Scanning 11 services on 192.168.1.130
Service scan Timing: About 45.45% done; ETC: 22:25 (0:01:04 remaining)
Completed Service scan at 22:24, 61.64s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.130
adjust_timeouts2: packet supposedly had rtt of -151702 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -151702 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152061 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152061 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153953 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153953 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153790 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153790 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153707 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -153707 microseconds. Ignoring time.
NSE: Script scanning 192.168.1.130.
Initiating NSE at 22:24
Completed NSE at 22:24, 5.30s elapsed
Initiating NSE at 22:24
Completed NSE at 22:24, 0.01s elapsed
Nmap scan report for 192.168.1.130
Host is up (0.0012s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: <empty>
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:02:25:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 2012|7|8.1
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2012 R2 Update 1, Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Uptime guess: 0.869 days (since Tue Mar 20 01:33:58 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| nbstat: NetBIOS name: WIN-RVKO5P0EO57, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:02:25:0b (Oracle VirtualBox virtual NIC)
| Names:
| WIN-RVKO5P0EO57<20> Flags: <unique><active>
| WIN-RVKO5P0EO57<00> Flags: <unique><active>
|_ WORKGROUP<00> Flags: <group><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-03-20 22:24:34
|_ start_date: 2018-03-20 01:34:00
TRACEROUTE
HOP RTT ADDRESS
1 1.21 ms 192.168.1.130
NSE: Script Post-scanning.
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.50 seconds
Raw packets sent: 1912 (85.202KB) | Rcvd: 1537 (62.566KB)
No comments:
Post a Comment