metasploitable3-nmap-script-vuln-scan.txt

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 19:03 IST
Nmap scan report for 192.168.56.103
Host is up (0.0013s latency).
Not shown: 65486 closed tcp ports (reset)
PORT      STATE SERVICE              VERSION
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1617/tcp  open  java-rmi             Java RMI
3000/tcp  open  http                 WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql                MySQL (blocked - too many connection errors)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3700/tcp  open  giop                 CORBA naming service
3820/tcp  open  ssl/giop             CORBA naming service
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
3920/tcp  open  ssl/exasoftport1?
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
4848/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-passwd: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /blog/: Blog
|   /weblog/: Blog
|_  /weblogs/: Blog
| http-phpmyadmin-dir-traversal: 
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|       
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   
|   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|   <html>
|   <head>
|       <title>Login</title>
|   <script type="text/javascript">
|   <!-- FIXME: add code to ensure we're the top-most frame -->
|       if (document.getElementById('layout-doc') != null) {
|           // Just refresh the page... login will take over
|           window.location = window.location;
|       }
|   </script>
|       <style type="text/css">
|           /* clickjacking defense */
|           body { display : none; }
|       </style>
|   <link rel="stylesheet" type="text/css" href="/theme/com/sun/webui/jsf/suntheme/css/css_master.css" />
|   <script type="text/javascript">
|   djConfig={
|       "isDebug": false,
|       "debugAtAllCosts": false,
|       "parseWidgets": false
|   };
|   </script>
|   <script type="text/javascript" src="/theme/META-INF/dojo/dojo.js"></script>
|   <script type="text/javascript" src="/theme/META-INF/json/json.js"></script>
|   <script type="text/javascript" src="/theme/META-INF/prototype/prototype.js"></script>
|   <script type="text/javascript" src="/theme/META-INF/com_sun_faces_ajax.js"></script>
|   <script type="text/javascript">
|   dojo.hostenv.setModulePrefix("webui.suntheme", "/theme/com/sun/webui/jsf/suntheme/javascript");
|   dojo.require('webui.suntheme.*');
|   </script>
|   <link id="sun_link5" rel="stylesheet" type="text/css" href="/resource/css/css_ns6up.css" />
|   
|   </head>
|   
|   <body id="body3" class="LogBdy" focus="loginform.j_username" style="background-color: #FFFFFF;">
|       <div id="header"class="LogTopBnd" style="background: url('/theme/com/sun/webui/jsf/suntheme/images/login/gradlogtop.jpg') repeat-x; height: 30px;"></div>
|       <div class="middle" style="background-image: url(/theme/com/sun/webui/jsf/suntheme/images/login/gradlogsides.jpg);background-repeat:repeat-x;background-position:left top; background-color: #D4DCE1;">
|           <div class="plugincontent" style="width1: 1px; visibility: visible;">
|   
|   <div style="height: 435px;background-image: url(/resource/community-theme/images/login-backimage-open.png);
|       background-repeat:no-repeat;background-position:left top; width: 720px; margin: auto;">
|       <div style="width: 460px; padding-top: 160px; margin-left: 310px;">
|   <img id="sun_image11" src="/resource/community-theme/images/login-product_name_open.png;jsessionid=28f8a3ed6da3494447742d8d0736" alt="GlassFish Server Open Source Edition" height="42" width="329" border="0" />
|           <form method="POST" class="form" name="loginform" action="j_security_check">
|           <table role="presentation">
|           <tr>
|               <td><label for="Login.username" style="font-weight: bold;">User Name:</label></td>
|               <td><input type="text" name="j_username" id="Login.username" tabindex="1" value=""></td>
|           </tr>
|           <tr>
|               <td><label for="Login.password" style="font-weight: bold;">Password:</label>
|               <td><input type="password" name="j_password" id="Login.password" tabindex="2">
|           <tr>
|               <td colspan="2" align="center">
|                   <input type="submit" class="Btn1"
|                       value="Login"
|                       title="Log In to GlassFish Administration Console" tabindex="3"
|                       onmouseover="javascript: if (this.disabled==0) this.className='Btn1Hov'"
|                       onmouseout="javascript: if (this.disabled==0) this.className='Btn1'"
|                       onblur="javascript: if (this.disabled==0) this.className='Btn1'"
|                       onfocus="javascript: if (this.disabled==0) this.className='Btn1Hov'"
|                       name="loginButton" id="loginButton">
|           	    <input type="hidden" name="loginButton.DisabledHiddenField" value="true" />
|       	    </td>
|   	    </tr>
|   	    </table>
|           </form>
|       </div>
|   </div>
|   
|               <script type="text/javascript">
|                   if (false) {
|                       //submitAndDisable(document.getElementById('loginButton'), 'Login');
|                       document.getElementById('loginButton').form.submit();
|                       //document.getElementById('loginButton').form.autocomplete="off";
|                   }
|               </script>
|           </div>
|       </div>
|       <div class="footer"
|           style="background-image: url(/theme/com/sun/webui/jsf/suntheme/images/login/gradlogbot.jpg);background-repeat:repeat-x;background-position:left top; color: #FFFFFF; background-color: #4A5C68">
|           <div id="copyright" style="width: 720px; margin-left: auto; margin-right: auto; padding: 5px;">
|               <span>Copyright \xC2\xA9 2005, 2013, Oracle and/or its affiliates. All rights reserved.  Oracle and Java are registered trademarks of Oracle and/or its  affiliates. Other names may be trademarks of their respective owners.</span>
|           </div>
|       </div>
|       <script src="/resource/js/cj.js"></script>
|   </body>
|   </html>
|   
|     References:
|       http://www.exploit-db.com/exploits/1244/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-trane-info: Problem with XML parsing of /evox/about
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.103
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: https://192.168.56.103:4848/
|     Form id: login.username
|_    Form action: j_security_check
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2010-0738: 
|_  /jmx-console/: Authentication was not required
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
7676/tcp  open  java-message-service Java Message Service 301
8009/tcp  open  ajp13                Apache Jserv (Protocol v1.3)
8019/tcp  open  qbdb?
8020/tcp  open  http                 Apache httpd
| http-enum: 
|   /tbook.csv: Snom IP Phone
|   /ui/vManage.do: VMWare
|   /images/printer.gif: Lexmark Printer
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|_  /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\log\dbpwdChange.log: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /tbook.csv: 
|     DCJSESSIONID: 
|       httponly flag not set
|   /ui/vManage.do: 
|     DCJSESSIONID: 
|       httponly flag not set
|   /cwhp/auditLog.do: 
|     DCJSESSIONID: 
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
8022/tcp  open  http                 Apache Tomcat/Coyote JSP engine 1.1
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /tbook.csv: 
|     DCJSESSIONID: 
|       httponly flag not set
|   /ui/vManage.do: 
|     DCJSESSIONID: 
|       httponly flag not set
|   /cwhp/auditLog.do: 
|     DCJSESSIONID: 
|_      httponly flag not set
|_http-server-header: Apache-Coyote/1.1
| http-enum: 
|   /tbook.csv: Snom IP Phone
|   /ui/vManage.do: VMWare
|   /images/printer.gif: Lexmark Printer
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|   /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
|_  /cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program%20Files\CSCOpx\log\dbpwdChange.log: Possible CiscoWorks (CuOM 8.0 and 8.5) Directory traversal (CVE-2011-0966) (Windows)
8027/tcp  open  papachi-p2p-srv?
8028/tcp  open  postgresql           PostgreSQL DB
8031/tcp  open  ssl/unknown
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
|             Modulus Type: Non-safe prime
|             Modulus Source: sun.security.provider/768-bit DSA group with 160-bit prime order subgroup
|             Modulus Length: 768
|             Generator Length: 768
|             Public Key Length: 768
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
8032/tcp  open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8080/tcp  open  http                 Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum: 
|   /sdk/../../../../../../../etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
|   /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
|   /../../../../../../../../../../etc/passwd: Possible path traversal in URI
|   /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_  ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/var/mobile/Library/AddressBook/AddressBook.sqlitedb: Possible iPhone/iPod/iPad generic file sharing app Directory Traversal (iOS)
|_http-server-header: GlassFish Server Open Source Edition  4.0 
| http-litespeed-sourcecode-download: 
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
|_/index.php source code:
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-server-header: GlassFish Server Open Source Edition  4.0 
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-litespeed-sourcecode-download: 
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
|_/index.php source code:
| http-enum: 
|   /sdk/../../../../../../../etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
|   /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
|   /../../../../../../../../../../etc/passwd: Possible path traversal in URI
|_  /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_http-csrf: Couldn't find any CSRF vulnerabilities.
8282/tcp  open  http                 Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-enum: 
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|   /axis2/axis2-web/HappyAxis.jsp: Apache Axis2
|   /axis2/: Apache Axis2
|_  /docs/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
8383/tcp  open  http                 Apache httpd
|_http-server-header: Apache
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
8443/tcp  open  ssl/https-alt?
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
|             Modulus Type: Non-safe prime
|             Modulus Source: sun.security.provider/768-bit DSA group with 160-bit prime order subgroup
|             Modulus Length: 768
|             Generator Length: 768
|             Public Key Length: 768
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
8444/tcp  open  desktop-central      ManageEngine Desktop Central DesktopCentralServer
8484/tcp  open  http                 Jetty winstone-2.8
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Jetty(winstone-2.8)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /log/: Logs
|   /robots.txt: Robots file
|   /install/: Potentially interesting folder
|   /script/: Potentially interesting folder
|   /secured/: Potentially interesting folder (401 Unauthorized)
|_  /target/: Potentially interesting folder
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.103
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.56.103:8484/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/newJob
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/newJob
|     Form id: name
|     Form action: createItem
|     
|     Path: http://192.168.56.103:8484/credential-store/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/api/
|     Form id: search-box-minwidth
|     Form action: /api/search/
|     
|     Path: http://192.168.56.103:8484/search/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/editDescription
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/editDescription
|     Form id: 
|     Form action: submitDescription
|     
|     Path: http://192.168.56.103:8484/asynchPeople/
|     Form id: search-box-minwidth
|     Form action: /search/
|     
|     Path: http://192.168.56.103:8484/view/All/builds
|     Form id: search-box-minwidth
|_    Form action: /view/All/search/
8585/tcp  open  http                 Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /wordpress/: Blog
|   /wordpress/wp-login.php: Wordpress login page.
|_  /uploads/: Potentially interesting folder w/ directory listing
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-server-header: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-sql-injection: 
|   Possible sqli for queries:
|_    http://192.168.56.103:8585/?phpinfo=1%27%20OR%20sqlspider
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
8686/tcp  open  java-rmi             Java RMI
9200/tcp  open  elasticsearch        Elastic elasticsearch 1.1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=UTF-8
|     Content-Length: 80
|     handler found for uri [/nice%20ports%2C/Tri%6Eity.txt%2ebak] and method [GET]
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json; charset=UTF-8
|     Content-Length: 309
|     "status" : 200,
|     "name" : "Lodestone",
|     "version" : {
|     "number" : "1.1.1",
|     "build_hash" : "f1585f096d3f3985e73456debdc1a0745f512bbc",
|     "build_timestamp" : "2014-04-16T14:27:12Z",
|     "build_snapshot" : false,
|     "lucene_version" : "4.7"
|     "tagline" : "You Know, for Search"
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; charset=UTF-8
|     Content-Length: 0
|   RTSPRequest, SIPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain; charset=UTF-8
|_    Content-Length: 0
9300/tcp  open  vrace?
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC
49168/tcp open  unknown
49172/tcp open  java-rmi             Java RMI
49186/tcp open  tcpwrapped
49204/tcp open  ssh                  Apache Mina sshd 0.8.0 (protocol 2.0)
49205/tcp open  jenkins-listener     Jenkins TcpSlaveAgentListener
49271/tcp open  msrpc                Microsoft Windows RPC
49272/tcp open  msrpc                Microsoft Windows RPC
49342/tcp open  java-rmi             Java RMI
49345/tcp open  unknown
49346/tcp open  unknown
49347/tcp open  unknown
MAC Address: 08:00:27:E3:8F:C9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7::sp1
OS details: Microsoft Windows 7 SP1
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; Device: remote management; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED

TRACEROUTE
HOP RTT     ADDRESS
1   1.31 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 797.73 seconds