Only 2 Open Ports

No explicit questions like "how do I hack xxx.com" please!

Post by Broken Angel »

I know the questions cannot be too direct but I cannot help it. One of the websites that I want to play with only has 2 ports open.

80 and 443 and this really looks tight... How to go ahead...


????? :-#
God Blessed Me With Forgiveness And I Forgive You With My Revenge...!



-Broken Angel


Post by Broken Angel »

BTW KALI ROLLING SUCKS TO THE CORE.

ALL HAIL FOR BACKTRACK



Edit 1: Wow loved using all CAPS after ages to flame an OS rofl...

Post by bad_brain »

well, that's http and https, that's pretty much the maximum ports you can expect of a web server...^^
in case you meant the server has just those 2 ports open: possible it's a dedicated web server only, but usually you should expect at least ftp being available if end-users have access to it and it's shared hosting.
doing a full range port scan will help, maybe they simply run their other services on unassigned ports. ;)

Post by Broken Angel »

Found 6 domains hosted on the same web server as

Yeah it sure is a dedicated server. All the domains hosted are of the same company... now going for the full scan...

nmap rules lol...

Post by bad_brain »

http://www.yougetsignal.com/tools/web-s ... eb-server/

:wink:

Post by Broken Angel »

Sorry was out of town... want me to post results with the name of the site or just pm you for educational purposes???

Post by bad_brain »

feel free to post it, nothing illegal about that. ;)

Post by Broken Angel »

Found 6 domains hosted on the same web server as parallelkingdom.com (199.91.251.30).

parallelkingdom.com

pk3.parallelkingdom.com

pk4.parallelkingdom.com

pkadmin.perblue.com

play.parallelkingdom.com

http://www.parallelkingdom.com

Post by bad_brain »

ewww.....Microsoft server. :-88

Post by Broken Angel »

Yeah they do have a Microsoft server but then I was looking for some exploits on Metasploit and couldn't find any there... any help with the same???

Also even if I find something will I need an Open Port or something???

Post by bad_brain »

of course, an open port means there is a service listening for connections, without an open port there is no service running...and where there is nothing there is also nothing to exploit.

best is to run a full range port scan, because many services either use unassigned ports* or can be adjusted to use ports different than the default.
a full range scan is of course far from being stealthy....;)


* unassigned ports are ports 1024 and up.

Post by ayu »

I will assume that you have legal rights to "play around", have a written contract with this "customer" and so on.

So ...

You could do a full port scan as b_b suggested, and hope they have some other services running.
You will however most likely have much more success in checking for "stuff" in the web application or the web server.

Example: parallelkingdom.com/ProbablyDoesNotExist

You'll get a 404-message, from which we can see that they are most likely running an IIS 6 server.
IIS 5 and up to 8 (sometimes 8.5 as well in rare cases) are in 9/10 cases vulnerable to the shortname enumeration attack.

https://github.com/irsdl/IIS-ShortName-Scanner

This tool will most likely be able to give you the short version names of all the files and folders in the web root directory structure.
From that you can guess or brute force other names, bla bla etc.

Your first step is never "attack" or "look for exploits", it's always a full scale reconnaissance.
This way you will be able to choose the best course of action instead of picking the "first best one".

Other "relatively passive" steps would be to run your browser through the Burp proxy (a very good tool) and have it passively scan for vulnerabilities while you casually browse the website.
"The best place to hide a tree, is in a forest"

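Seen from the server side, the shortname enumeration mentioned in the post above leaves a recognisable trail in the IIS access log. The following is an added example, not part of the original thread or of any tool linked in it: a small detector that counts, per client, requests whose path pairs a wildcard with a `~<digit>` short-name suffix. The log field layout, the sample lines, the probe pattern and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log lines (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2016-03-01 10:00:01 GET /index.aspx - 198.51.100.7 200
2016-03-01 10:00:02 OPTIONS /*~1*/.aspx - 203.0.113.9 404
2016-03-01 10:00:02 OPTIONS /a*~1*/.aspx - 203.0.113.9 404
2016-03-01 10:00:03 OPTIONS /b*~1*/.aspx - 203.0.113.9 404
2016-03-01 10:00:03 OPTIONS /ba%2A~1%2A/.aspx - 203.0.113.9 404
2016-03-01 10:00:04 GET /docs/REPORT~1.PDF - 198.51.100.7 200
2016-03-01 10:00:05 GET /ProbablyDoesNotExist - 198.51.100.7 404
"""

# Assumption: a probe puts a wildcard and a "~<digit>" short-name suffix in the
# same path segment; a plain 8.3 name such as REPORT~1.PDF has no wildcard.
SHORTNAME_PROBE = re.compile(r"[*?][^/]*~\d|~\d[^/]*[*?]")


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))


def is_shortname_probe(uri_stem):
    """True if the percent-decoded path looks like a short-name guess."""
    return bool(SHORTNAME_PROBE.search(unquote(uri_stem)))


def suspicious_clients(text, threshold=3):
    """Map client IP -> probe count for clients at or above the threshold."""
    hits = Counter(r["c-ip"] for r in parse_w3c(text)
                   if is_shortname_probe(r["cs-uri-stem"]))
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} short-name probe requests")
```

Hits like these are a prompt to check whether 8.3 short-name creation is still enabled on the volume that serves the web root.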