Mirai
Enumeration
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-25 13:44 CEST Nmap scan report for 10.10.10.48 Host is up (0.024s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0) | ssh-hostkey: | 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA) | 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA) | 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA) |_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (EdDSA) 53/tcp open domain dnsmasq 2.76 | dns-nsid: |_ bind.version: dnsmasq-2.76 80/tcp open http lighttpd 1.4.35 |_http-server-header: lighttpd/1.4.35 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 1402/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50) 32400/tcp open http Plex Media Server httpd | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Server returned status 401 but no WWW-Authenticate header. |_http-cors: HEAD GET POST PUT DELETE OPTIONS |_http-title: Unauthorized 32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.60%E=4%D=9/25%OT=22%CT=1%CU=31804%PV=Y%DS=2%DC=T%G=Y%TM=59C8ECA OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10D%TI=Z%CI=I%TS=8)SEQ(SP=1 OS:06%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=A)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O OS:3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=7120%W2= OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using proto 1/icmp) HOP RTT ADDRESS 1 20.74 ms 10.10.14.1 2 21.57 ms 10.10.10.48 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 105.71 seconds |
1 2 3 4 5 6 |
root@kaiposecurity:~# curl -I 10.10.10.48:80 HTTP/1.1 404 Not Found X-Pi-hole: A black hole for Internet advertisements. Content-type: text/html; charset=UTF-8 Date: Thu, 28 Sep 2017 18:17:46 GMT Server: lighttpd/1.4.35 |
1 |
http://10.10.10.48/admin/index.php?login |
When following this link I get to the admin console. The password is generated on install and there is an option to get a new password, but that requires local access.
Another possibility is the Plex media server on port 32400. According to exploit-db there is an exploit that can bypass authentication.