rapid7 / metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.

Manageengine Exploits not working #162

Closed Kaicastledine closed 7 years ago

Kaicastledine commented 7 years ago

Issue Description

The manageengine_connectionid_write exploit has failed.

Keep getting "Exploit Failed [Unreachable]: Rex::ConnectionRefused The connection was refused by the remote host."

Have toggled the firewall on/off as well as part of testing but still it won't run.

Host System

Command Output

(command output attached as a screenshot)

Chan9390 commented 7 years ago

There have been situations where ManageEngine was listening on port 8022. Can you please check if port 8022 is open? If yes, try the exploits. I had tested the exploits against ManageEngine and it's working fine on my side. It would be better if you could give an nmap scan result of Metasploitable 3 on your end.

Kaicastledine commented 7 years ago

Port 8022 is up and I can even run a credential check with Metasploit, which works correctly. Had to do it a few times though, and restarted Metasploitable3.

Here is the all-TCP scan:

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-12 15:01 BST
NSE: Loaded 144 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:01
Completed NSE at 15:01, 0.00s elapsed
Initiating NSE at 15:01
Completed NSE at 15:01, 0.00s elapsed
Initiating ARP Ping Scan at 15:01
Scanning 192.168.226.20 [1 port]
Completed ARP Ping Scan at 15:01, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:01
Completed Parallel DNS resolution of 1 host. at 15:01, 0.01s elapsed
Initiating SYN Stealth Scan at 15:01
Scanning 192.168.226.20 [65535 ports]
Discovered open port 8080/tcp on 192.168.226.20
Discovered open port 22/tcp on 192.168.226.20
Discovered open port 80/tcp on 192.168.226.20
Discovered open port 135/tcp on 192.168.226.20
Discovered open port 445/tcp on 192.168.226.20
Discovered open port 139/tcp on 192.168.226.20
Increasing send delay for 192.168.226.20 from 0 to 5 due to 11 out of 24 dropped probes since last increase.
Discovered open port 3389/tcp on 192.168.226.20
Discovered open port 3306/tcp on 192.168.226.20
Discovered open port 21/tcp on 192.168.226.20
Discovered open port 47001/tcp on 192.168.226.20
Increasing send delay for 192.168.226.20 from 5 to 10 due to 427 out of 1067 dropped probes since last increase.
SYN Stealth Scan Timing: About 3.93% done; ETC: 15:14 (0:12:37 remaining)
Discovered open port 49191/tcp on 192.168.226.20
Discovered open port 4848/tcp on 192.168.226.20
Discovered open port 3700/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 6.24% done; ETC: 15:18 (0:15:16 remaining)
SYN Stealth Scan Timing: About 8.61% done; ETC: 15:19 (0:16:06 remaining)
SYN Stealth Scan Timing: About 13.57% done; ETC: 15:21 (0:16:59 remaining)
Discovered open port 3820/tcp on 192.168.226.20
Discovered open port 49667/tcp on 192.168.226.20
Discovered open port 9300/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 25.83% done; ETC: 15:23 (0:15:59 remaining)
Discovered open port 3920/tcp on 192.168.226.20
Discovered open port 49199/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 32.16% done; ETC: 15:23 (0:14:54 remaining)
Discovered open port 8019/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 38.07% done; ETC: 15:24 (0:13:46 remaining)
SYN Stealth Scan Timing: About 43.56% done; ETC: 15:24 (0:12:39 remaining)
SYN Stealth Scan Timing: About 49.06% done; ETC: 15:24 (0:11:30 remaining)
Discovered open port 8028/tcp on 192.168.226.20
Discovered open port 49181/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 54.34% done; ETC: 15:24 (0:10:21 remaining)
SYN Stealth Scan Timing: About 59.62% done; ETC: 15:24 (0:09:11 remaining)
Discovered open port 49152/tcp on 192.168.226.20
Discovered open port 8686/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 64.90% done; ETC: 15:24 (0:08:01 remaining)
Discovered open port 49165/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 69.97% done; ETC: 15:24 (0:06:52 remaining)
Discovered open port 49153/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 75.24% done; ETC: 15:24 (0:05:41 remaining)
Discovered open port 49668/tcp on 192.168.226.20
Discovered open port 8585/tcp on 192.168.226.20
Discovered open port 8443/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 80.32% done; ETC: 15:24 (0:04:32 remaining)
Discovered open port 49178/tcp on 192.168.226.20
Discovered open port 8022/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 85.39% done; ETC: 15:24 (0:03:22 remaining)
Discovered open port 9200/tcp on 192.168.226.20
Discovered open port 49664/tcp on 192.168.226.20
Discovered open port 49669/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 90.45% done; ETC: 15:24 (0:02:12 remaining)
Discovered open port 8009/tcp on 192.168.226.20
Discovered open port 8282/tcp on 192.168.226.20
SYN Stealth Scan Timing: About 95.52% done; ETC: 15:24 (0:01:02 remaining)
Discovered open port 5985/tcp on 192.168.226.20
Discovered open port 8032/tcp on 192.168.226.20
Discovered open port 8444/tcp on 192.168.226.20
Discovered open port 8181/tcp on 192.168.226.20
Discovered open port 1617/tcp on 192.168.226.20
Discovered open port 8031/tcp on 192.168.226.20
Discovered open port 49155/tcp on 192.168.226.20
Discovered open port 7676/tcp on 192.168.226.20
Discovered open port 49154/tcp on 192.168.226.20
Completed SYN Stealth Scan at 15:29, 1641.29s elapsed (65535 total ports)
Initiating Service scan at 15:29
Scanning 44 services on 192.168.226.20
Completed Service scan at 15:31, 152.11s elapsed (44 services on 1 host)
Initiating OS detection (try #1) against 192.168.226.20
NSE: Script scanning 192.168.226.20.
Initiating NSE at 15:31
Completed NSE at 15:35, 216.57s elapsed
Initiating NSE at 15:35
Completed NSE at 15:35, 1.03s elapsed
Nmap scan report for 192.168.226.20
Host is up (0.00015s latency).
Not shown: 65491 closed ports
PORT      STATE SERVICE              VERSION
21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 ff:18:4f:0b:4e:10:b1:9e:7c:24:29:83:00:15:fe:42 (RSA)
|_  521 a6:99:08:f5:3e:24:3e:17:67:49:35:f9:24:27:31:98 (ECDSA)
80/tcp    open  http                 Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1617/tcp  open  java-rmi             Java RMI Registry
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @192.168.225.15:49191
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
3306/tcp  open  mysql                MySQL 5.5.20-log
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.20-log
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, Support41Auth, InteractiveClient, IgnoreSigpipes, LongPassword, LongColumnFlag, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: <Y-qtr_e^'C_2z53C5!C
|_  Auth Plugin Name: 83
3389/tcp  open  ms-wbt-server        Microsoft Terminal Service
| ssl-cert: Subject: commonName=metasploitable3
| Issuer: commonName=metasploitable3
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-07-10T11:22:33
| Not valid after:  2018-01-09T11:22:33
| MD5:   e250 1333 62e6 4758 0a00 8787 84f6 b9aa
|_SHA-1: 6a1f 7e59 cadf dc86 6704 023c adad f3a6 44af ca8d
|_ssl-date: 2017-07-12T21:31:54+00:00; +7h00m00s from scanner time.
3700/tcp  open  giop                 CORBA naming service
|_giop-info: ERROR: Script execution failed (use -d to debug)
3820/tcp  open  ssl/giop             CORBA naming service
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Issuer: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2013-05-15T05:33:38
| Not valid after:  2023-05-13T05:33:38
| MD5:   790d fccf 9932 2bbe 7736 404a 14e1 2d91
|_SHA-1: 4a57 58f5 9279 e82f 2a91 3c83 ca65 8d69 6457 5a72
|_ssl-date: 2017-07-12T21:31:52+00:00; +7h00m00s from scanner time.
3920/tcp  open  ssl/exasoftport1?
|_ssl-date: 2017-07-12T21:31:47+00:00; +7h00m00s from scanner time.
4848/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
|_hadoop-datanode-info: 
|_hadoop-jobtracker-info: 
|_hadoop-tasktracker-info: 
|_hbase-master-info: 
|_http-favicon: Unknown favicon MD5: 9D366148B38ABB908E96FFF2D8274D44
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: Login
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Issuer: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2013-05-15T05:33:38
| Not valid after:  2023-05-13T05:33:38
| MD5:   790d fccf 9932 2bbe 7736 404a 14e1 2d91
|_SHA-1: 4a57 58f5 9279 e82f 2a91 3c83 ca65 8d69 6457 5a72
|_ssl-date: 2017-07-12T21:31:49+00:00; +7h00m00s from scanner time.
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7676/tcp  open  java-message-service Java Message Service 301
8009/tcp  open  ajp13                Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8019/tcp  open  qbdb?
8022/tcp  open  http                 Apache Tomcat/Coyote JSP engine 1.1
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
8028/tcp  open  postgresql           PostgreSQL DB
8031/tcp  open  ssl/unknown
8032/tcp  open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8080/tcp  open  http                 Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_  Potentially risky methods: PUT DELETE TRACE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: GlassFish Server - Server Running
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-title: GlassFish Server - Server Running
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Issuer: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2013-05-15T05:33:38
| Not valid after:  2023-05-13T05:33:38
| MD5:   790d fccf 9932 2bbe 7736 404a 14e1 2d91
|_SHA-1: 4a57 58f5 9279 e82f 2a91 3c83 ca65 8d69 6457 5a72
|_ssl-date: 2017-07-12T21:31:47+00:00; +7h00m00s from scanner time.
8282/tcp  open  http                 Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/8.0.33
8443/tcp  open  ssl/https-alt?
8444/tcp  open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8585/tcp  open  http                 Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2
|_http-title: WAMPSERVER Homepage
8686/tcp  open  java-rmi             Java RMI Registry
| rmi-dumpregistry: 
|   192.168.225.15/7676/jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @192.168.225.15:49664
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @192.168.225.15:8686
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
9200/tcp  open  http                 Elasticsearch REST API 1.1.1 (name: Nico Minoru; Lucene 4.7)
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=UTF-8).
9300/tcp  open  vrace?
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC
49165/tcp open  unknown
49178/tcp open  msrpc                Microsoft Windows RPC
49181/tcp open  msrpc                Microsoft Windows RPC
49191/tcp open  rmiregistry          Java RMI
49199/tcp open  tcpwrapped
49664/tcp open  rmiregistry          Java RMI
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
MAC Address: 00:0C:29:50:F7:A6 (VMware)
Device type: general purpose|media device
Running: Microsoft Windows 2008|10|7|8.1, Microsoft embedded
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_10 cpe:/h:microsoft:xbox_one cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.861 days (since Tue Jul 11 18:55:17 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; Device: remote management; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| nbstat: NetBIOS name: METASPLOITABLE3, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:50:f7:a6 (VMware)
| Names:
|   METASPLOITABLE3<00>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  METASPLOITABLE3<20>  Flags: <unique><active>
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: metasploitable3
|   NetBIOS computer name: METASPLOITABLE3\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-07-12T14:31:51-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.15 ms 192.168.226.20

NSE: Script Post-scanning.
Initiating NSE at 15:35
Completed NSE at 15:35, 0.00s elapsed
Initiating NSE at 15:35
Completed NSE at 15:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2014.18 seconds
           Raw packets sent: 135942 (5.984MB) | Rcvd: 134590 (5.386MB)

Chan9390 commented 7 years ago

Thanks for the scan report. I think your issue is resolved; if yes, please close it.

Kaicastledine commented 7 years ago

I don't see why the exploits don't run against that port, however. Any ideas?

As far as I'm aware this is the right exploit for the job.

Chan9390 commented 7 years ago

Try running the VM in bridged mode. There were some issues when running the exploits against Metasploitable 3 running in host-only mode, but bridged mode allowed the exploits to work properly.

Kaicastledine commented 7 years ago

Could you confirm that all the ports that should be open are open, btw? I had issues with the setup, so I went through and installed the .bats myself as listed in the .json setup file. I wanted to cross-check all the ports to make sure it was done correctly.

Chan9390 commented 7 years ago

My nmap scan results (for easy mode) are as follows:

PORT      STATE SERVICE         VERSION
22/tcp    open  ssh             OpenSSH 7.1 (protocol 2.0)
135/tcp   open  msrpc           Microsoft Windows RPC
139/tcp   open  netbios-ssn     Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds    Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql           MySQL 5.5.20-log
3389/tcp  open  ms-wbt-server   Microsoft Terminal Service
5985/tcp  open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8009/tcp  open  ajp13           Apache Jserv (Protocol v1.3)
8019/tcp  open  qbdb?
8022/tcp  open  http            Apache Tomcat/Coyote JSP engine 1.1
8028/tcp  open  unknown
8031/tcp  open  ssl/unknown
8032/tcp  open  desktop-central ManageEngine Desktop Central DesktopCentralServer
8282/tcp  open  libelle?
8443/tcp  open  ssl/https-alt?
8444/tcp  open  desktop-central ManageEngine Desktop Central DesktopCentralServer
8585/tcp  open  http            Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  http            Elasticsearch REST API 1.1.1 (name: Siena Blaze; Lucene 4.7)
9300/tcp  open  vrace?
47001/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc           Microsoft Windows RPC
49153/tcp open  msrpc           Microsoft Windows RPC
49154/tcp open  msrpc           Microsoft Windows RPC
49155/tcp open  msrpc           Microsoft Windows RPC
49179/tcp open  msrpc           Microsoft Windows RPC
49183/tcp open  msrpc           Microsoft Windows RPC
49189/tcp open  unknown

Don't worry about the 49xxx ports; they change from VM to VM. It would be great to know what other issues you faced when setting up Metasploitable 3.
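Kaicastledine asked above for a way to confirm that every port that should be open actually is. The Python below is an added example for this thread, not code from the metasploitable3 project: it parses nmap's -sV port table (also when it has been pasted as one run-together line, as happens later in this thread), then diffs the open TCP ports against the easy-mode list Chan9390 posted, ignoring the 49xxx dynamic ports as suggested. `OBSERVED_SCAN` and `FLATTENED_SCAN` are constructed sample inputs; `EASY_MODE_BASELINE` is taken from the post above.

```python
"""Cross-check an nmap -sV port table against an expected port baseline.

Added example for this thread, not code from the metasploitable3 project.
EASY_MODE_BASELINE is the port list Chan9390 posted for the easy-mode build;
OBSERVED_SCAN and FLATTENED_SCAN are constructed sample inputs.
"""
import re
from dataclasses import dataclass

# One nmap -sV table row, e.g. "8022/tcp  open  http  Apache Tomcat/Coyote JSP engine 1.1".
# The STATE alternatives are nmap's own, so header lines, NSE script lines (starting
# with '|') and "Discovered open port 8080/tcp on ..." progress lines do not match.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Pasted output sometimes arrives as a single line; a new row starts at every
# "<port>/tcp" or "<port>/udp" token, which never occurs inside a VERSION string.
ROW_START = re.compile(r"\s+(?=\d{1,5}/(?:tcp|udp)\s)")

# Windows hands out dynamic RPC/RMI ports from 49152 upwards; as the thread notes,
# these differ between VM builds, so they are ignored by default.
EPHEMERAL_MIN = 49152

EASY_MODE_BASELINE = [22, 135, 139, 445, 3306, 3389, 5985, 8009, 8019, 8022, 8028,
                      8031, 8032, 8282, 8443, 8444, 8585, 9200, 9300, 47001,
                      49152, 49153, 49154, 49155, 49179, 49183, 49189]


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_table(text: str) -> list[PortEntry]:
    """Extract PORT/STATE/SERVICE/VERSION rows from normal or flattened nmap output."""
    entries = []
    for line in ROW_START.sub("\n", text).splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], (m["version"] or "").strip()))
    return entries


def compare_ports(observed, expected_ports, ignore_ephemeral=True):
    """Return open TCP ports missing from the scan and open ports absent from the baseline."""
    obs = {e.port for e in observed if e.proto == "tcp" and e.state == "open"}
    exp = set(expected_ports)
    if ignore_ephemeral:
        obs = {p for p in obs if p < EPHEMERAL_MIN}
        exp = {p for p in exp if p < EPHEMERAL_MIN}
    return {"missing": sorted(exp - obs), "unexpected": sorted(obs - exp)}


# Constructed excerpt of a scan of a partially provisioned VM (not from the thread):
# both ManageEngine ports are absent and IIS on 80 is present.
OBSERVED_SCAN = """\
PORT      STATE SERVICE         VERSION
22/tcp    open  ssh             OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http            Microsoft IIS httpd 7.5
| http-methods:
|_  Supported Methods: OPTIONS TRACE GET HEAD POST
135/tcp   open  msrpc           Microsoft Windows RPC
139/tcp   open  netbios-ssn     Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds    Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql           MySQL 5.5.20-log
3389/tcp  open  ms-wbt-server   Microsoft Terminal Service
5985/tcp  open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8009/tcp  open  ajp13           Apache Jserv (Protocol v1.3)
8019/tcp  open  qbdb?
8028/tcp  open  unknown
8031/tcp  open  ssl/unknown
8282/tcp  open  libelle?
8443/tcp  open  ssl/https-alt?
8444/tcp  open  desktop-central ManageEngine Desktop Central DesktopCentralServer
8585/tcp  open  http            Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  http            Elasticsearch REST API 1.1.1
9300/tcp  open  vrace?
47001/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc           Microsoft Windows RPC
49160/tcp open  msrpc           Microsoft Windows RPC
"""

# Constructed sample of the same table pasted as one run-together line.
FLATTENED_SCAN = ("PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd "
                  "22/tcp open ssh OpenSSH 7.1 (protocol 2.0) 3389/tcp open tcpwrapped "
                  "8020/tcp open http Apache httpd")

if __name__ == "__main__":
    report = compare_ports(parse_nmap_table(OBSERVED_SCAN), EASY_MODE_BASELINE)
    print("missing from scan:", report["missing"])   # [8022, 8032]: ManageEngine not up
    print("not in baseline:", report["unexpected"])  # [80]
```

Feed it `nmap -sV -p- <vm> -oN scan.txt` output and an empty `missing` list means every baseline service came up; `unexpected` is the place to look for services left over from a different provisioning run. Pass `ignore_ephemeral=False` only when comparing two scans of the same VM instance.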

Kaicastledine commented 7 years ago

I had managed to create the VMware version, only to find you could not use vagrant up + VMware without a license, so I went back to the VirtualBox method.

The VirtualBox one seems to have only run some of the scripts listed in the .json file.

I found this out because loads of services were not running or being shown as open ports in a scan.

I went to re-create the VM with different versions of Vagrant/VirtualBox, but no luck.

I ended up with a VM without IIS working at all, so no FTP and other services.

I then used the .bat files, with a bit of editing, to run them and finish the setup myself.

Let me know if you want anything or more details, happy to help.

Kaicastledine commented 7 years ago

I laughed so hard when I realised what was overlooked with this! Such a fail with the exploit settings!

wardatariq555 commented 11 months ago

I am facing the same issue.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-15 06:13 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

PORT      STATE SERVICE              VERSION
21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http                 Microsoft IIS httpd 7.5
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1617/tcp  open  java-rmi             Java RMI
3306/tcp  open  mysql                MySQL 5.5.20-log
3389/tcp  open  tcpwrapped
3700/tcp  open  giop                 CORBA naming service
3820/tcp  open  ssl/giop             CORBA naming service
3920/tcp  open  ssl/exasoftport1?
4848/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7676/tcp  open  java-message-service Java Message Service 301
8009/tcp  open  ajp13                Apache Jserv (Protocol v1.3)
8020/tcp  open  http                 Apache httpd
8027/tcp  open  papachi-p2p-srv?
8080/tcp  open  http                 Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8282/tcp  open  http                 Apache Tomcat/Coyote JSP engine 1.1
8383/tcp  open  http                 Apache httpd
8484/tcp  open  http                 Jetty winstone-2.8
8585/tcp  open  http                 Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
8686/tcp  open  java-rmi             Java RMI
9200/tcp  open  wap-wsp?
9300/tcp  open  vrace?
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC
49199/tcp open  java-rmi             Java RMI
49200/tcp open  tcpwrapped
49201/tcp open  msrpc                Microsoft Windows RPC
49202/tcp open  msrpc                Microsoft Windows RPC
49257/tcp open  ssh                  Apache Mina sshd 0.8.0 (protocol 2.0)
49258/tcp open  jenkins-listener     Jenkins TcpSlaveAgentListener
50189/tcp open  java-rmi             Java RMI
50213/tcp open  unknown
50214/tcp open  unknown
50215/tcp open  unknown

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Creating JSP stager
[*] Uploading JSP stager KKRrN.jsp...
[-] Exploit aborted due to failure: unknown: The server returned 503, but 200 was expected.
[!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/KKRrN.jsp' on the target
[*] Exploit completed, but no session was created.

Any guidance?

AJpacific commented 2 months ago

Any solution for this error?