Editing
430.ch Reconnaissance Report
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Network Service Findings == === Full TCP Scan Summary === IPv4 full TCP scan command: <pre> nmap -Pn -sS -T3 -p- --max-retries 2 83.228.241.21 83.228.241.25 -oN /root/recon-430ch/nmap-ipv4-full.txt </pre> IPv6 full TCP scan command: <pre> nmap -Pn -6 -sT -T3 -p- --max-retries 2 2001:1600:18:102::167 2001:1600:18:102::26f -oN /root/recon-430ch/nmap-ipv6-full.txt </pre> <code>83.228.241.21</code> / <code>2001:1600:18:102::167</code>: <pre> 22/tcp open ssh 80/tcp open http 443/tcp open https </pre> IPv4 notes: <pre> Not shown: 65532 filtered tcp ports (no-response) </pre> IPv6 notes: <pre> Not shown: 65532 filtered tcp ports (no-response) </pre> <code>83.228.241.25</code> / <code>2001:1600:18:102::26f</code>: IPv4: <pre> 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp filtered http-proxy </pre> IPv6: <pre> 22/tcp open ssh 80/tcp open http 443/tcp open https 5355/tcp open llmnr 6567/tcp open esp 8080/tcp open http-proxy </pre> Nmap labels for <code>5355</code>, <code>6567</code>, and <code>8080</code> should be interpreted carefully: * <code>5355</code> is conventionally LLMNR, but version probes did not complete with a more certain identification before being stopped. * <code>6567</code> was labeled <code>esp?</code> by nmap because the response fingerprint was not recognized. The port number and behavior align with a likely game service, especially Mindustry. * <code>8080</code> on IPv6 was confirmed by service detection as Apache HTTPD <code>2.4.67 (Debian)</code>. === Top-Port Version Scan === Top-port version scan found: <code>430.ch</code> host: <pre> 22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0) 80/tcp open http Caddy httpd 443/tcp open ssl/https? </pre> <code>ov.430.ch</code> host: <pre> 22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0) 80/tcp open http Caddy httpd 443/tcp open ssl/https? 6567/tcp open esp? 8080/tcp filtered http-proxy (IPv4) 8080/tcp open http Apache httpd 2.4.67 ((Debian)) (IPv6) </pre> === Port 8080 on <code>ov.430.ch</code> === IPv6 direct request: <pre> curl -g -D - -o /dev/null 'http://[2001:1600:18:102::26f]:8080/' </pre> Result: <pre> HTTP/1.1 301 Moved Permanently Server: Apache/2.4.67 (Debian) X-Powered-By: PHP/8.3.32 X-Content-Type-Options: nosniff Vary: Accept-Encoding,Cookie Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: private, must-revalidate, max-age=0 Location: https://ov.430.ch/index.php/Main_Page Content-Type: text/html; charset=UTF-8 </pre> Same result with <code>Host: ov.430.ch</code>. Interpretation: * Apache/PHP/MediaWiki is directly reachable over IPv6 on port 8080. * On IPv4, nmap saw <code>8080/tcp</code> as <code>filtered</code>. * If Caddy is supposed to be the only public HTTP entry point, this is a firewall/bind-address mismatch. === Port 6567 on <code>ov.430.ch</code> === TCP version probes returned an unrecognized 8-byte binary response pattern on many payloads: <pre> \0\x06\xfe\x04... </pre> Nmap labeled it: <pre> 6567/tcp open esp? </pre> Targeted UDP checks: <pre> 6567/udp open|filtered esp 27015/udp closed halflife (on ov) 27016/udp closed unknown (on ov) </pre> On the main host, UDP checks for the small selected set were inconclusive: <pre> 6567/udp open|filtered 27015/udp open|filtered 27016/udp open|filtered </pre> Interpretation: * <code>6567</code> is the common/default Mindustry server port. * Public Mindustry server docs say to allow port <code>6567</code> TCP and UDP for server hosting. * This does not prove Mindustry, but it is a strong hypothesis. Reference used: * <code>https://mindustrygame.github.io/wiki/servers/</code> === Port 5355 on <code>ov.430.ch</code> === Full TCP scan found: <pre> 5355/tcp open llmnr </pre> This appeared on both IPv4 and IPv6 for the <code>ov.430.ch</code> host. Targeted UDP checks returned: <pre> 5355/udp open|filtered llmnr </pre> The version probes against TCP 5355 ran longer than useful and were stopped. No additional service fingerprint was collected. Interpretation: * Port 5355 is normally Link-Local Multicast Name Resolution (LLMNR). * LLMNR is not normally useful on the public Internet. * If this is truly LLMNR, it should not be exposed externally. * If it is another custom service on port 5355, it should be documented and access-controlled. === SSH === Both hosts expose SSH: <pre> OpenSSH 10.0p2 Debian 7+deb13u4 (protocol 2.0) </pre> Recommendation: * Keep password authentication disabled if possible. * Restrict SSH by source IP or VPN if feasible. * Ensure root login is disabled. * Monitor auth logs. No authentication attempts were made.
Summary:
Please note that all contributions to Marcopedia may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Marcopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
associated-pages
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Tools
What links here
Related changes
Page information
Online users in chat