Recon Using Nmap

sudo nmap -sV -Pn -v -oN Nmap/initial-billyboss billyboss

Output

Nmap scan report for billyboss (192.168.222.61)
Host is up (0.25s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
8081/tcp open  http          Jetty 9.4.18.v20190429
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Fri Jun 21 12:38:58 2024 -- 1 IP address (1 host up) scanned in 360.46 seconds

Enumeration

Using Dirsearch against each HTTP service (ports 80 and 8081); root is not needed for dirsearch:

dirsearch -u <IP:port> -w /path/to/wordlist

Output for port 80

# Dirsearch started Fri Jun 21 12:45:51 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://Billyboss -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt

200    15KB  http://Billyboss/favicon.ico
404     1KB  http://Billyboss/lost%2Bfound
404     1KB  http://Billyboss/lost+found
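The recon and enumeration steps above are typed by hand here, but on a box with several open services it is worth turning the initial nmap report into the follow-up commands mechanically. The script below is an added example, not part of the original write-up: it parses an nmap -oN file (the sample is constructed from the scan output above) into an open-port list, and from that prints a targeted script scan and one dirsearch invocation per HTTP service. The output file names, the -sC follow-up scan and the wordlist path are assumptions.

```shell
#!/bin/sh
# Added example: derive follow-up commands from an nmap -oN report.
# The report below is constructed from the scan output in this write-up.
REPORT="${TMPDIR:-/tmp}/initial-billyboss.nmap"
cat > "$REPORT" <<'EOF'
Nmap scan report for billyboss (192.168.222.61)
Host is up (0.25s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
80/tcp   open  http          Microsoft IIS httpd 10.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
8081/tcp open  http          Jetty 9.4.18.v20190429
EOF

# Open TCP ports as a comma-separated list, ready for nmap -p.
open_ports() {
  awk '/^[0-9]+\/tcp +open/ {
         split($1, a, "/")
         if (s != "") s = s ","
         s = s a[1]
       }
       END { print s }' "$1"
}

# Ports whose service nmap identified as http, one per line.
http_ports() {
  awk '/^[0-9]+\/tcp/ && $2 == "open" && $3 == "http" {
         split($1, a, "/"); print a[1]
       }' "$1"
}

# Targeted follow-up scan: default scripts plus versions on only the open ports.
# Usage: script_scan_cmd REPORT TARGET
script_scan_cmd() {
  printf 'sudo nmap -sC -sV -Pn -p %s -oN Nmap/scripts-billyboss %s\n' \
    "$(open_ports "$1")" "$2"
}

# One dirsearch run per HTTP service (assumed output file names).
# Usage: dirsearch_cmds REPORT TARGET WORDLIST
dirsearch_cmds() {
  for p in $(http_ports "$1"); do
    printf 'dirsearch -u http://%s:%s -w %s -o dirsearch-%s.txt\n' "$2" "$p" "$3" "$p"
  done
}

# Print the commands instead of running them, so the script works offline.
script_scan_cmd "$REPORT" billyboss
dirsearch_cmds "$REPORT" billyboss /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
```

Pipe the printed commands into sh once you are happy with them; keeping them as text first makes it easy to check that nothing is being scanned out of scope.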


The Jetty service on port 8081 is Sonatype Nexus Repository Manager 3.21.0-05, so the next step is finding exploits for that exact version.


SearchSploit can check the local Exploit-DB copy for it:

searchsploit Nexus


The exploit SearchSploit returns for this version requires valid credentials, so we need a way to authenticate first.

So let's build a wordlist.

CeWL can create a custom wordlist by spidering the target's web pages and collecting the words it finds, which often catches application-specific passwords that a generic list would miss.