Scanning and Enumeration

Scanning

root@kali:~# nmap -sC -sV -p21,80 10.10.10.5
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-19 22:23 EST
Nmap scan report for 10.10.10.5
Host is up (0.079s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 11-23-20  01:25PM                38650 example.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
| 11-23-20  01:23PM                   17 test.txt
| 11-23-20  01:21PM                38559 welcome.aspx
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

It appears that anonymous FTP and Microsoft IIS httpd 7.5 are running.

Enumeration

Port 21

  • Anonymous login is allowed, which means that we can upload and download files. Knowing this, we can upload a malicious file and establish a reverse shell.

Port 80

  • Microsoft IIS httpd 7.5 is running

  • The files listed on port 21 can also be accessed through the web server. Based on this, it is very likely that we can upload a file that gives us a reverse shell.
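One way to flag this exposure when reviewing scan results, as an added example that is not part of the original write-up: it parses the ftp-anon listing from the scan above (embedded as a constructed sample) and reports when the anonymous FTP area coincides with the IIS web root. The `audit` function and the two lookup lists are assumptions of this example.

```python
import re

# Constructed sample: the ftp-anon / http lines from the scan output above.
SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 11-23-20  01:25PM                38650 example.aspx
| 03-17-17  04:37PM                  689 iisstart.htm
| 11-23-20  01:23PM                   17 test.txt
| 11-23-20  01:21PM                38559 welcome.aspx
|_03-17-17  04:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
"""

# Assumed lists for this example: IIS default-site files and extensions IIS executes.
IIS_DEFAULTS = {"iisstart.htm", "welcome.png", "aspnet_client"}
EXECUTABLE_EXT = (".asp", ".aspx", ".ashx", ".asmx")
# One DOS-style listing row: date, time, <DIR> or size, name.
ROW = re.compile(r"^\|[ _]?\d\d-\d\d-\d\d\s+\d\d:\d\d[AP]M\s+(<DIR>|\d+)\s+(\S.*?)\s*$")

def audit(scan_text):
    """Return a list of findings for an nmap -sC report of one host."""
    lines = scan_text.splitlines()
    anon = any("ftp-anon: Anonymous FTP login allowed" in l for l in lines)
    http = any(re.match(r"^\d+/tcp\s+open\s+http\b", l) for l in lines)
    names = [m.group(2) for l in lines if (m := ROW.match(l))]
    findings = []
    if anon:
        findings.append("anonymous FTP login allowed")
    shared = sorted(IIS_DEFAULTS & set(names))
    if anon and http and shared:
        findings.append("FTP root looks like the IIS web root: " + ", ".join(shared))
    scripts = sorted(n for n in names if n.lower().endswith(EXECUTABLE_EXT))
    if anon and scripts:
        findings.append("server-executable files in anonymous area: " + ", ".join(scripts))
    return findings

if __name__ == "__main__":
    for f in audit(SCAN):
        print("[!]", f)
```

Any of these findings on a production host is a reason to disable anonymous FTP or move the FTP root out of the directory that IIS serves.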
