University of Texas Nmap and Sparta Vulnerability Scanning Report

Description

The continued reports about compromises and data exfiltrations concern our CISO. The CISO is deeply concerned about our Product Innovation Lair’s Lab (PILL) now that it has been upgraded. You can only get access to the PILL in the CSL. The PILL network is located at 192.168.101.150-205. Take care not to access anything below 150, as it will be logged and will ensure you get no credit for this work. Using the Kali2 virtual machine, scan the 150-205 range to see what boxes are on PILL and what may or may not be vulnerable. Then use any other tools you choose on the Kali2 VM to determine risks on PILL. But remember, the goal is not to exploit any of the machines on PILL. If you use a tool that exploits machines on PILL, you may have points deducted. You can only access the internet in the seat (the even numbers) next to the target range machines if you need to do online research. You can log in with your CSL accounts (firstname.lastname) on those machines.

Special notes:

1) Access to the Target Range (TR).
2) All machines with TR access are identifiable with a sheet reading Target Range on the monitor.
3) If the station is open and available, sit down, flip the sheet to the back of the monitor, and log in with the .\MIL1 account on the whiteboard.
5) Verify that you are on the correct network by placing the mouse icon above the network icon in the SYSTRAY prior to starting the exercise/project/homework. It should read Enterprise.net.
6) Continue with your work to completion.
7) If you compromise any machine on the Enterprise.net network, please inform a Lab Assistant immediately so they can reset the compromised machine.
8) When finished, please pull the Target Range paper back over to the front of the monitor so that additional students entering the lab can also access the correct network.

POST

Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-25 18:14 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:14
Completed NSE at 18:14, 0.00s elapsed
Initiating NSE at 18:14
Completed NSE at 18:14, 0.00s elapsed
Initiating ARP Ping Scan at 18:14
Scanning 55 hosts [1 port/host]
Completed ARP Ping Scan at 18:14, 0.47s elapsed (55 total hosts)
Initiating Parallel DNS resolution of 55 hosts. at 18:14
Completed Parallel DNS resolution of 55 hosts. at 18:14, 0.00s elapsed
Nmap scan report for 192.168.101.151 [host down]
Nmap scan report for 192.168.101.153 [host down]
Nmap scan report for 192.168.101.159 [host down]
Nmap scan report for 192.168.101.160 [host down]
Nmap scan report for 192.168.101.161 [host down]
Nmap scan report for 192.168.101.162 [host down]
Nmap scan report for 192.168.101.163 [host down]
Nmap scan report for 192.168.101.164 [host down]
Nmap scan report for 192.168.101.172 [host down]
Nmap scan report for 192.168.101.174 [host down]
Nmap scan report for 192.168.101.175 [host down]
Nmap scan report for 192.168.101.177 [host down]
Nmap scan report for 192.168.101.178 [host down]
Nmap scan report for 192.168.101.179 [host down]
Nmap scan report for 192.168.101.180 [host down]
Nmap scan report for 192.168.101.181 [host down]
Nmap scan report for 192.168.101.182 [host down]
Nmap scan report for 192.168.101.183 [host down]
Nmap scan report for 192.168.101.184 [host down]
Nmap scan report for 192.168.101.185 [host down]
Nmap scan report for 192.168.101.186 [host down]
Nmap scan report for 192.168.101.187 [host down]
Nmap scan report for 192.168.101.188 [host down]
Nmap scan report for 192.168.101.189 [host down]
Nmap scan report for 192.168.101.190 [host down]
Nmap scan report for 192.168.101.191 [host down]
Nmap scan report for 192.168.101.193 [host down]
Nmap scan report for 192.168.101.194 [host down]
Nmap scan report for 192.168.101.195 [host down]
Nmap scan report for 192.168.101.196 [host down]
Nmap scan report for 192.168.101.198 [host down]
Nmap scan report for 192.168.101.199 [host down]
Nmap scan report for 192.168.101.200 [host down]
Nmap scan report for 192.168.101.201 [host down]
Nmap scan report for 192.168.101.202 [host down]
Nmap scan report for 192.168.101.204 [host down]
Nmap scan report for 192.168.101.205 [host down]
Initiating Parallel DNS resolution of 1 host. at 18:14
Completed Parallel DNS resolution of 1 host. at 18:14, 0.00s elapsed
Initiating SYN Stealth Scan at 18:14
Scanning 18 hosts [1000 ports/host]
Discovered open port 139/tcp on 192.168.101.156
Discovered open port 139/tcp on 192.168.101.169
Discovered open port 139/tcp on 192.168.101.203
Discovered open port 25/tcp on 192.168.101.203
Discovered open port 5900/tcp on 192.168.101.203
Discovered open port 5900/tcp on 192.168.101.192
Discovered open port 111/tcp on 192.168.101.203
Discovered open port 111/tcp on 192.168.101.150
Discovered open port 111/tcp on 192.168.101.155
Discovered open port 554/tcp on 192.168.101.197
Discovered open port 53/tcp on 192.168.101.203
Discovered open port 53/tcp on 192.168.101.169
Discovered open port 443/tcp on 192.168.101.170
Discovered open port 445/tcp on 192.168.101.169
Discovered open port 445/tcp on 192.168.101.203
Discovered open port 3389/tcp on 192.168.101.154
Discovered open port 21/tcp on 192.168.101.203
Discovered open port 21/tcp on 192.168.101.197
Discovered open port 3306/tcp on 192.168.101.203
Discovered open port 23/tcp on 192.168.101.203
Discovered open port 22/tcp on 192.168.101.169
Discovered open port 22/tcp on 192.168.101.192
Discovered open port 22/tcp on 192.168.101.203
Discovered open port 22/tcp on 192.168.101.171
Discovered open port 22/tcp on 192.168.101.173
Discovered open port 80/tcp on 192.168.101.203
Discovered open port 80/tcp on 192.168.101.197
Discovered open port 514/tcp on 192.168.101.203
Discovered open port 6000/tcp on 192.168.101.203
Discovered open port 88/tcp on 192.168.101.192
Discovered open port 49152/tcp on 192.168.101.197
Completed SYN Stealth Scan against 192.168.101.155 in 0.89s (17 hosts left)
Completed SYN Stealth Scan against 192.168.101.169 in 0.89s (16 hosts left)
Completed SYN Stealth Scan against 192.168.101.150 in 0.90s (15 hosts left)
Completed SYN Stealth Scan against 192.168.101.173 in 0.90s (14 hosts left)
Completed SYN Stealth Scan against 192.168.101.170 in 0.90s (13 hosts left)
Completed SYN Stealth Scan against 192.168.101.171 in 0.90s (12 hosts left)
Discovered open port 22/tcp on 192.168.101.154
Discovered open port 445/tcp on 192.168.101.156
Discovered open port 3389/tcp on 192.168.101.152
Discovered open port 3389/tcp on 192.168.101.158
Discovered open port 443/tcp on 192.168.101.176
Discovered open port 22/tcp on 192.168.101.152
Discovered open port 135/tcp on 192.168.101.156
Discovered open port 80/tcp on 192.168.101.176
Discovered open port 2049/tcp on 192.168.101.203
Discovered open port 8300/tcp on 192.168.101.176
Discovered open port 6667/tcp on 192.168.101.203
Discovered open port 1099/tcp on 192.168.101.203
Discovered open port 512/tcp on 192.168.101.203
Discovered open port 513/tcp on 192.168.101.203
Discovered open port 1524/tcp on 192.168.101.203
Completed SYN Stealth Scan against 192.168.101.197 in 21.65s (11 hosts left)
Discovered open port 5432/tcp on 192.168.101.203
Discovered open port 3283/tcp on 192.168.101.192
Discovered open port 427/tcp on 192.168.101.176
Discovered open port 9080/tcp on 192.168.101.176
Discovered open port 2121/tcp on 192.168.101.203
Discovered open port 902/tcp on 192.168.101.176
Completed SYN Stealth Scan against 192.168.101.192 in 26.89s (10 hosts left)
Completed SYN Stealth Scan against 192.168.101.158 in 27.02s (9 hosts left)
Completed SYN Stealth Scan against 192.168.101.156 in 27.06s (8 hosts left)
Completed SYN Stealth Scan against 192.168.101.154 in 27.34s (7 hosts left)
Completed SYN Stealth Scan against 192.168.101.152 in 27.69s (6 hosts left)
Discovered open port 8180/tcp on 192.168.101.203
Completed SYN Stealth Scan against 192.168.101.165 in 27.77s (5 hosts left)
Completed SYN Stealth Scan against 192.168.101.203 in 27.81s (4 hosts left)
Discovered open port 8000/tcp on 192.168.101.176
Completed SYN Stealth Scan against 192.168.101.166 in 28.12s (3 hosts left)
Completed SYN Stealth Scan against 192.168.101.167 in 28.50s (2 hosts left)
Completed SYN Stealth Scan against 192.168.101.176 in 28.74s (1 host left)
Completed SYN Stealth Scan at 18:14, 28.81s elapsed (18000 total ports)
Initiating Service scan at 18:14
Scanning 54 services on 18 hosts
Completed Service scan at 18:16, 109.12s elapsed (54 services on 18 hosts)
Initiating OS detection (try #1) against 18 hosts
Retrying OS detection (try #2) against 6 hosts
NSE: Script scanning 18 hosts.
Initiating NSE at 18:16
NSE: [ftp-bounce] Couldn't resolve scanme.nmap.org, scanning 10.0.0.1 instead.
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 18:22, 351.87s elapsed
Initiating NSE at 18:22
Completed NSE at 18:22, 1.02s elapsed

Nmap scan report for 192.168.101.150
Host is up (0.00063s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|_  100000  2,3,4        111/udp  rpcbind
MAC Address: 00:0C:29:65:1B:9A (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 19.904 days (since Wed Feb  5 20:40:30 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT     ADDRESS
1   0.63 ms 192.168.101.150

Nmap scan report for 192.168.101.152
Host is up (0.00033s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 23:db:c7:d4:54:15:c9:12:28:3e:09:cc:c0:c5:07:ac (RSA)
|   256 5b:c6:25:59:e4:c0:7c:21:b0:d8:be:bd:b7:6e:fd:8f (ECDSA)
|_  256 8d:9c:bd:1e:d6:13:c5:f0:70:54:1f:07:ac:5b:56:ef (ED25519)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 9E:2E:63:F8:AD:55 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 13.504 days (since Wed Feb 12 06:16:36 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 192.168.101.152

Nmap scan report for 192.168.101.154
Host is up (0.00032s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 2f:18:34:5b:96:a1:e5:a2:32:82:6b:ab:c6:6d:cd:02 (RSA)
|   256 da:93:ae:f7:28:13:08:d0:2b:84:66:6c:2e:f0:6d:08 (ECDSA)
|_  256 5d:10:e7:72:49:e2:51:72:cb:f6:cc:4c:61:00:4e:66 (ED25519)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 26:54:AB:85:4A:5E (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 2.577 days (since Sun Feb 23 04:31:29 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.101.154

Nmap scan report for 192.168.101.155
Host is up (0.00060s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|_  100000  2,3,4        111/udp  rpcbind
MAC Address: 00:0C:29:47:F0:0C (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 36.447 days (since Mon Jan 20 07:38:55 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms 192.168.101.155

Nmap scan report for WIN-IHR719BBSLU.ENTERPRISE.NET (192.168.101.156)
Host is up (0.00051s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: ENTERPRISE)
MAC Address: B6:6E:63:C5:B3:12 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016
Uptime guess: 28.180 days (since Tue Jan 28 14:02:48 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: ARCHER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -14m33s, deviation: 4h37m08s, median: -2h54m34s
| nbstat: NetBIOS name: ARCHER, NetBIOS user: <unknown>, NetBIOS MAC: b6:6e:63:c5:b3:12 (unknown)
| Names:
|   ARCHER<00>           Flags: <unique><active>
|   ENTERPRISE<00>       Flags: <group><active>
|_  ARCHER<20>           Flags: <unique><active>
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: ARCHER
|   NetBIOS computer name: ARCHER\x00
|   Domain name: ENTERPRISE.NET
|   Forest name: ENTERPRISE.NET
|   FQDN: ARCHER.ENTERPRISE.NET
|_  System time: 2020-02-25T13:21:59-08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-25 15:22:25
|_  start_date: 2020-01-28 11:20:17
TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms WIN-IHR719BBSLU.ENTERPRISE.NET (192.168.101.156)

Nmap scan report for W10DSKTP.ENTERPRISE.NET (192.168.101.158)
Host is up (0.00054s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE            VERSION
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2020-02-25T21:21:46+00:00; -2h55m19s from scanner time.
MAC Address: 56:83:D7:21:81:BB (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): FreeBSD 6.X (94%)
OS CPE: cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: FreeBSD 6.2-RELEASE (94%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 29.046 days (since Mon Jan 27 17:16:42 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Host script results:
|_clock-skew: mean: -2h55m19s, deviation: 0s, median: -2h55m19s
TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms W10DSKTP.ENTERPRISE.NET (192.168.101.158)

Nmap scan report for khan.ENTERPRISE.NET (192.168.101.165)
Host is up (0.00054s latency).
All 1000 scanned ports on khan.ENTERPRISE.NET (192.168.101.165) are filtered
MAC Address: 3A:82:44:A0:AE:C5 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms khan.ENTERPRISE.NET (192.168.101.165)

Nmap scan report for JabbaDHut.ENTERPRISE.NET (192.168.101.166)
Host is up (0.00058s latency).
All 1000 scanned ports on JabbaDHut.ENTERPRISE.NET (192.168.101.166) are filtered
MAC Address: 82:8B:6F:08:FB:90 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms JabbaDHut.ENTERPRISE.NET (192.168.101.166)

Nmap scan report for Workstation.ENTERPRISE.NET (192.168.101.167)
Host is up (0.00030s latency).
All 1000 scanned ports on Workstation.ENTERPRISE.NET (192.168.101.167) are filtered
MAC Address: 3A:7C:E3:C4:D9:5B (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms Workstation.ENTERPRISE.NET (192.168.101.167)

Nmap scan report for Win7-Old.ENTERPRISE.NET (192.168.101.168)
Host is up (0.00026s latency).
All 1000 scanned ports on Win7-Old.ENTERPRISE.NET (192.168.101.168) are filtered
MAC Address: 32:AE:A9:23:93:6F (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT     ADDRESS
1   0.26 ms Win7-Old.ENTERPRISE.NET (192.168.101.168)

Nmap scan report for docker-host.enterprise.net (192.168.101.169)
Host is up (0.00047s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:20:7e:0a:6d:52:e2:69:9e:59:92:7e:37:c7:64:a2 (RSA)
|   256 34:b2:9a:ff:9e:14:8d:60:41:f4:38:ee:4f:69:c8:9a (ECDSA)
|_  256 9f:c1:12:0a:37:22:f1:25:cb:60:43:11:c4:b3:ba:af (ED25519)
53/tcp  open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: C6:5A:33:EA:90:03 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 39.326 days (since Fri Jan 17 10:32:37 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: DOCKER-HOST; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h42m23s, deviation: 3h28m09s, median: -4h42m34s
| nbstat: NetBIOS name: DOCKER-HOST, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   DOCKER-HOST<00>      Flags: <unique><active>
|   DOCKER-HOST<03>      Flags: <unique><active>
|   DOCKER-HOST<20>      Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: docker-host
|   NetBIOS computer name: DOCKER-HOST\x00
|   Domain name: enterprise.net
|   FQDN: docker-host.enterprise.net
|_  System time: 2020-02-25T13:34:30-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-02-25 13:34:15
|_  start_date: N/A
TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms docker-host.enterprise.net (192.168.101.169)

Nmap scan report for heartbleed.enterprise.net (192.168.101.170)
Host is up (0.00036s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https nginx/1.1.19
|_http-server-header: nginx/1.1.19
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: 2020-02-25T19:34:24+00:00; -4h42m34s from scanner time.
MAC Address: 76:65:3E:02:4D:1A (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 39.326 days (since Fri Jan 17 10:32:47 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
|_clock-skew: mean: -4h42m34s, deviation: 0s, median: -4h42m34s
TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms heartbleed.enterprise.net (192.168.101.170)

Nmap scan report for shellshock.ENTERPRISE.NET (192.168.101.171)
Host is up (0.00040s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION

Papers will be 5-7 single-spaced pages in length (font size 12). The title page does not count as one of the pages for the report. Proper referencing is a must. The bibliography will not count as one of the page requirements. Appendices will not count as pages for the report and should contain supporting comments you make in the paper, like detailed vulnerability data (use the paper to present summary data). All references will be properly cited throughout the report.