I'm scanning a certain server with Nmap and here is the result. Which port is the easiest to break into? There is a lot of information on the internet, but I can't figure out which path is simplest. It seems everything comes down to a Fortigate firewall. It also shows the SSH keys. Can they help me in any way?

Code:
Starting Nmap 6.25 ( [url]http://nmap.org[/url] ) at 2013-08-13 13:00 UTC
Nmap scan report for lin9.nictr.com (93.187.204.153)
Host is up (0.0023s latency).
Not shown: 982 closed ports
PORT     STATE SERVICE               VERSION
21/tcp   open  ftp                   ProFTPD 1.3.3c
22/tcp   open  ssh                   OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 b8:a4:15:73:00:b2:e8:c1:19:9d:1f:a6:3d:8e:d7:ce (DSA)
|_2048 67:fe:74:41:06:a2:b6:ab:8f:d7:3e:12:3e:2e:68:9c (RSA)
25/tcp   open  smtp                  Exim smtpd 4.77
| smtp-commands: lin9.nictr.com Hello lin9.nictr.com [82.222.164.91], SIZE 20971520, PIPELINING, AUTH PLAIN LOGIN, STARTTLS, HELP,
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2013-08-13T12:54:16+00:00; -8m27s from local time.
53/tcp   open  domain                ISC BIND 9.3.6-20.P1.el5_8.5
| dns-nsid:
|_  bind.version: 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.5
80/tcp   open  http                  Apache httpd 2
|_http-title: Site doesn't have a title (text/html).
110/tcp  open  pop3                  Dovecot DirectAdmin pop3d
|_pop3-capabilities: SASL(PLAIN) USER STLS RESP-CODES CAPA UIDL
111/tcp  open  rpcbind               2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            915/udp  status
|_  100024  1            918/tcp  status
119/tcp  open  tcpwrapped
143/tcp  open  imap                  Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more have Pre-login SASL-IR post-login listed capabilities LITERAL+ ID OK AUTH=PLAINA0001 STARTTLS LOGIN-REFERRALS IDLE
443/tcp  open  ssl/http              Apache httpd 2
|_http-title: Site doesn't have a title (text/html).
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2013-08-13T12:54:14+00:00; -8m26s from local time.
465/tcp  open  ssl/smtps?
|_smtp-commands: Couldn't establish connection on port 465
|_ssl-date: 2013-08-13T13:02:46+00:00; +4s from local time.
587/tcp  open  smtp                  Exim smtpd 4.77
| smtp-commands: lin9.nictr.com Hello lin9.nictr.com [82.222.164.91], SIZE 20971520, PIPELINING, AUTH PLAIN LOGIN, STARTTLS, HELP,
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2013-08-13T12:54:15+00:00; -8m27s from local time.
993/tcp  open  ssl/imaps?
|_ssl-date: 2013-08-13T13:02:44+00:00; +3s from local time.
995/tcp  open  pop3s?
|_ssl-date: 2013-08-13T13:02:44+00:00; +3s from local time.
2222/tcp open  hbase-master          Apache Hadoop Hbase 1.43.0 (Registered to Nictr Internet Tescil)
| flume-master-info:
|   Flume nodes:
|   Zookeeper Master:
|   Hbase Master Master:
|   Enviroment:
|_  Config:
|_http-git: 0
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: DirectAdmin Login
3306/tcp open  mysql                 MySQL (unauthorized)
8008/tcp open  http?
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_http-title: Did not follow redirect to [url]https://lin9.nictr.com:8010/[/url]
8010/tcp open  ssl/hadoop-jobtracker Apache Hadoop
| flume-master-info:
|   Flume nodes:
|   Zookeeper Master:
|   Hbase Master Master:
|   Enviroment:
|_  Config:
|_http-git: 0
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Web Filter Block Override
| ssl-cert: Subject: commonName=Fortigate/organizationName=Fortinet/stateOrProvinceName=California/countryName=US
| Not valid before: 2006-01-27T19:44:14+00:00
|_Not valid after:  2026-03-13T19:44:14+00:00
|_ssl-date: 2013-08-13T13:02:44+00:00; +3s from local time.
|_sslv2: server still supports SSLv2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [url]http://www.insecure.org/cgi-bin/servicefp-submit.cgi[/url] :
SF-Port8008-TCP:V=6.25%I=7%D=8/13%Time=520A2E00%P=i686-pc-linux-gnu%r(GetR
SF:equest,43,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://:8010/\r\n
SF:Connection:\x20close\r\n\r\n")%r(FourOhFourRequest,66,"HTTP/1\.1\x20302
SF:\x20Found\r\nLocation:\x20https://:8010/nice%20ports%2C/Tri%6Eity\.txt%
SF:2ebak\r\nConnection:\x20close\r\n\r\n")%r(GenericLines,42,"HTTP/1\.1\x2
SF:0302\x20Found\r\nLocation:\x20https://:8010\r\nConnection:\x20close\r\n
SF:\r\n")%r(HTTPOptions,42,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20http
SF:s://:8010\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,42,"HTTP/1\.1
SF:\x20302\x20Found\r\nLocation:\x20https://:8010\r\nConnection:\x20close\
SF:r\n\r\n")%r(SIPOptions,42,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20ht
SF:tps://:8010\r\nConnection:\x20close\r\n\r\n");
Aggressive OS guesses: Linux 2.6.15 - 2.6.26 (95%), Linux 2.6.18 (95%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (95%), Vyatta router (Linux 2.6.26) (94%), Linux 2.6.28 (94%), Lexmark Z2400 printer (93%), Linux 2.6.16 - 2.6.28 (91%), Linux 3.2 (91%), Linux 3.2.0 (90%), Cisco Unified Communications Manager VoIP adapter (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Red Hat Enterprise Linux; Device: firewall; CPE: cpe:/o:redhat:enterprise_linux

TRACEROUTE (using port 113/tcp)
HOP RTT      ADDRESS
1   0.33 ms  lin9.nictr.com (93.187.204.153)

OS and Service detection performed. Please report any incorrect results at [url]http://nmap.org/submit/[/url] .
Nmap done: 1 IP address (1 host up) scanned in 152.10 seconds
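An added example, not part of this thread and not from any poster: a small Python script that parses Nmap normal output of the kind quoted above and turns it into a defender's hardening checklist, the way an administrator reviewing their own scan would use it. The sample scan text is constructed (a trimmed imitation of the output format with a placeholder hostname, not the real scan), and the list of "internal-only" ports is an assumption about what an internet-facing mail/web host normally should not expose.

```python
import re
from typing import Dict, List

# Constructed sample modelled on Nmap's normal output format. Hostname, banners
# and script lines are placeholders; this is not the scan quoted in the thread.
SAMPLE_SCAN = """\
PORT     STATE SERVICE          VERSION
21/tcp   open  ftp              ProFTPD 1.3.3c
22/tcp   open  ssh              OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp             Exim smtpd 4.77
| smtp-commands: mail.example.test Hello, SIZE 20971520, PIPELINING, AUTH PLAIN LOGIN, STARTTLS, HELP,
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
110/tcp  open  pop3             Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER STLS RESP-CODES CAPA UIDL
111/tcp  open  rpcbind          2 (RPC #100000)
3306/tcp open  mysql            MySQL (unauthorized)
8010/tcp open  ssl/hadoop-jobtracker Apache Hadoop
|_http-title: Web Filter Block Override
|_sslv2: server still supports SSLv2
"""

# "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: services that should only be reachable from inside the network.
INTERNAL_ONLY = {111: "rpcbind", 3306: "mysql"}


def parse_nmap(text: str) -> List[Dict]:
    """Group Nmap normal output into one record per port, attaching the NSE
    script lines ("| ..." / "|_...") that follow each port line."""
    services: List[Dict] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
                "scripts": [],
            })
        elif line.startswith("|") and services:
            # strip the "| " / "|_" prefix, keep the script name and its text
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services


def review(services: List[Dict]) -> List[str]:
    """Derive hardening findings from the parsed scan (defender's view)."""
    findings: List[str] = []
    for s in services:
        if s["state"] != "open":
            continue
        tag = f"{s['port']}/{s['proto']} {s['service']}"
        scripts = " ".join(s["scripts"])
        if s["port"] in INTERNAL_ONLY:
            findings.append(f"{tag}: {INTERNAL_ONLY[s['port']]} reachable from outside; "
                            "restrict with firewall rules or bind to localhost")
        if "still supports SSLv2" in scripts:
            findings.append(f"{tag}: SSLv2 enabled; disable legacy protocol versions")
        if "ssl-cert: ERROR" in scripts:
            findings.append(f"{tag}: certificate could not be read; verify the TLS setup manually")
        if "AUTH PLAIN" in scripts or "SASL(PLAIN)" in scripts:
            findings.append(f"{tag}: plaintext authentication offered; require STARTTLS before AUTH")
        if s["version"]:
            findings.append(f"{tag}: banner '{s['version']}' is exposed; check it against "
                            "vendor advisories and reduce banner detail")
    return findings


if __name__ == "__main__":
    for finding in review(parse_nmap(SAMPLE_SCAN)):
        print(finding)
```

The parser relies only on the fixed "port/proto state service version" layout and the `|`-prefixed script continuation lines, so it works on any `nmap -sV --script ...` normal-output file; `-oN` output can be fed straight in. The findings are deliberately phrased as remediation items rather than as a ranking.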
ProFTPD version 1.3.3c is possibly vulnerable. Metasploit has an exploit for it. If it works, you'll get root remotely. Good luck! http://www.exploit-db.com/exploits/16921/
Thanks. But the exploit aborts at "Sending Backdoor Command". As I understand it, the problem is with the local IP and port 4444. The local host is my computer. So port 4444 has to be open on the modem and forwarded to my local address (192.168.*.*), right?