_id created_at url tool result summary
6a0d5d9c0f2a46dfb8d07e3c
Wed May 20 2026 07:07:08 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://pro.anveshaktool.in/",
  "category": "network_exposure",
  "timestamp": "2026-05-20T07:07:08.962969+00:00",
  "report": "### Open Port 80/tcp on 104.21.23.154\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 104.21.23.154 |\n\n**Description**  \nPort 80/tcp is open on IP address `104.21.23.154`, indicating that the system accepts HTTP traffic. This is typically used for serving web content over unencrypted connections. The presence of this port does not inherently indicate a vulnerability but increases the attack surface by exposing services to potential reconnaissance and exploitation attempts.\n\nAn attacker can use tools like Nmap or Masscan to detect such open ports during initial enumeration phases.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker performs a scan using `nmap -p 80 104.21.23.154`.\n2. Confirms that port 80 is open.\n3. Sends an HTTP GET request to probe for hosted applications:\n   ```bash\n   curl http://104.21.23.154/\n   ```\n4. Analyzes response headers and body to identify server software, application type, and possible vulnerabilities.\n\n**Business Impact**  \nExposing unnecessary services increases the organization's attack surface. 
If misconfigured or outdated software runs behind this endpoint, it may lead to unauthorized access, data leakage, or service disruption.\n\n**Remediation**  \n- Disable or restrict access to non-critical HTTP endpoints via firewall rules.\n- Ensure only necessary services are exposed publicly.\n- Implement TLS encryption (redirect from HTTP to HTTPS).\n- Regularly audit exposed services for vulnerabilities.\n- Reference: CWE-16, NIST SP 800-53 SC-7\n\n---\n\n### Open Port 443/tcp on 104.21.23.154\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 104.21.23.154 |\n\n**Description**  \nPort 443/tcp is open on IP address `104.21.23.154`, indicating support for secure HTTPS communication. While encrypted, this still exposes the service to scanning and probing attacks aimed at identifying SSL/TLS configurations, certificate validity, and underlying web applications.\n\nAttackers commonly target this port to assess web infrastructure security posture.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker uses `nmap` to confirm port 443 is open:\n   ```bash\n   nmap -p 443 104.21.23.154\n   ```\n2. Uses `openssl s_client` to inspect the TLS configuration:\n   ```bash\n   openssl s_client -connect 104.21.23.154:443\n   ```\n3. Probes for known vulnerabilities like Heartbleed or weak cipher suites.\n\n**Business Impact**  \nIf improperly configured, TLS termination points can expose sensitive information or allow man-in-the-middle attacks. 
Even if no immediate exploit exists, visibility into these services invites further targeted attacks.\n\n**Remediation**  \n- Enforce strong TLS versions (e.g., TLS 1.2+) and disable older protocols.\n- Use hardened cipher suites; avoid deprecated algorithms.\n- Employ automated certificate management systems.\n- Monitor logs for suspicious activity targeting this port.\n- Reference: CWE-327, OWASP A07:2021 – Identification and Authentication Failures\n\n---\n\n### Open Port 80/tcp (http) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nThe domain `pro.anveshaktool.in` has port 80 open, accepting HTTP requests. This suggests either intentional cleartext access or automatic redirection setup. Regardless, it contributes to the overall attack surface and should be reviewed for necessity and security implications.\n\n**Attack Scenario (Proof of Concept)**  \n1. Perform DNS resolution and connect:\n   ```bash\n   dig +short pro.anveshaktool.in\n   curl http://pro.anveshaktool.in\n   ```\n2. Observe whether sensitive data flows over plaintext or if there’s a redirect chain.\n\n**Business Impact**  \nInsecure transmission channels increase susceptibility to passive eavesdropping and active tampering. 
Regulatory frameworks like GDPR or PCI DSS penalize such exposures.\n\n**Remediation**  \n- Force HTTPS globally across all subdomains.\n- Configure web server to return strict transport security headers.\n- Remove any unnecessary HTTP-only content.\n- Reference: CWE-311, OWASP A02:2021\n\n---\n\n### Open Port 443/tcp (https) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nHTTPS port 443 is open on `pro.anveshaktool.in`, enabling encrypted communications. As the standard port for secure web browsing, it represents a critical component of the organization’s digital presence. However, improper implementation can introduce vulnerabilities such as expired certificates, weak ciphers, or insecure renegotiation settings.\n\n**Attack Scenario (Proof of Concept)**  \n1. Check connectivity:\n   ```bash\n   curl -I https://pro.anveshaktool.in\n   ```\n2. Analyze TLS handshake parameters:\n   ```bash\n   nmap --script ssl-enum-ciphers -p443 pro.anveshaktool.in\n   ```\n\n**Business Impact**  \nWeak TLS implementations erode customer confidence and violate compliance standards. They may enable downgrade attacks leading to intercepted sessions or forged identities.\n\n**Remediation**  \n- Enforce modern TLS policies (minimum TLS 1.2).\n- Renew certificates automatically and monitor expiration dates.\n- Deploy OCSP stapling and certificate transparency logging.\n- Reference: CWE-295, RFC 7525\n\n---\n\n### Open Port 80/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nHTTP port 80/tcp is open on IP address `172.67.211.177`. Typically serves as a redirector to HTTPS or hosts legacy content. 
Despite being insecure, many organizations leave it accessible for compatibility reasons, increasing exposure risks.\n\nDetected while scanning `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan identifies port:\n   ```bash\n   masscan -p80 172.67.211.177\n   ```\n2. Requests page to check redirection behavior:\n   ```bash\n   curl -v http://172.67.211.177\n   ```\n3. Looks for cleartext credentials or sensitive paths inadvertently served over HTTP.\n\n**Business Impact**  \nData transmitted over HTTP is susceptible to interception. Users accessing login forms or submitting personal data over plain HTTP face significant privacy and integrity threats.\n\n**Remediation**  \n- Redirect all HTTP traffic to HTTPS using permanent redirects (`301 Moved Permanently`).\n- Block direct access to HTTP unless explicitly required for legacy clients.\n- Reference: CWE-319, OWASP A02:2021 – Cryptographic Failures\n\n---\n\n### Open Port 443/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nStandard HTTPS port 443/tcp is open on IP address `172.67.211.177`. Indicates active hosting of web-based resources protected by TLS. However, its presence also makes it a prime target for reconnaissance and exploitation efforts focused on SSL/TLS weaknesses or web application flaws.\n\nObserved during scan of `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm port status:\n   ```bash\n   nmap -p443 172.67.211.177\n   ```\n2. Test for SSL/TLS misconfigurations:\n   ```bash\n   sslscan 172.67.211.177:443\n   ```\n3. Attempt to exploit outdated libraries or vulnerable endpoints.\n\n**Business Impact**  \nA compromised HTTPS endpoint undermines user trust and compliance requirements. 
It may facilitate phishing campaigns, session hijacking, or full system compromise depending on backend logic.\n\n**Remediation**  \n- Maintain updated TLS stacks and certificates.\n- Conduct regular penetration testing against web-facing assets.\n- Implement HSTS headers and certificate pinning where appropriate.\n- Reference: CWE-295, OWASP A07:2021\n\n---\n\n### Open Port 8080/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8080/tcp is open and proxied through Cloudflare. This port may serve as an alternative HTTP endpoint for specific applications or microservices. Proxy-based architectures offer benefits but require robust configuration to maintain security boundaries.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8080 pro.anveshaktool.in\n   ```\n2. Test for bypass opportunities or hidden endpoints.\n\n**Business Impact**  \nImproperly configured proxies can expose internal APIs or allow attackers to circumvent intended access controls.\n\n**Remediation**  \n- Enforce strict proxy routing rules.\n- Monitor logs for anomalous access patterns.\n- Reference: CWE-602, OWASP API Security Top 10 – BOLA\n\n---\n\n### Open Port 8080/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nPort 8080/tcp is open on IP address `172.67.211.177`. Commonly used as an alternative HTTP port, especially for proxy servers, application containers (like Tomcat), or developer test environments. 
Exposed without adequate protection, it may leak internal configurations or provide entry points for attackers.\n\nIdentified during a scan targeting `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan confirms availability:\n   ```bash\n   nmap -p8080 172.67.211.177\n   ```\n2. Accesses the interface directly:\n   ```bash\n   curl http://172.67.211.177:8080\n   ```\n3. Reviews banners, directory listings, or debug pages for exploitable flaws.\n\n**Business Impact**  \nImproperly secured proxy or dev/test servers can serve as stepping stones for deeper compromise. Misconfigurations here have led to breaches involving source code leaks and unauthorized API access.\n\n**Remediation**  \n- Limit access to trusted networks/IP ranges.\n- Remove default welcome pages and debugging features.\n- Apply authentication and authorization mechanisms.\n- Reference: CWE-16, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 8443/tcp (HTTP) — Cloudflare HTTP Proxy / pro.anveshaktool.in / 8443/tcp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**\n\nPort 8443/tcp is open and actively serving HTTP traffic via a Cloudflare HTTP proxy. This indicates that the domain `pro.anveshaktool.in` is configured to route traffic through Cloudflare's edge network on this non-standard HTTPS port. While not inherently insecure, exposing services on alternative ports such as 8443 may indicate misconfigurations or deviations from standard practices, especially when used alongside or instead of port 443.\n\nThe presence of a reverse proxy like Cloudflare can obscure backend infrastructure details but also introduces potential attack vectors related to origin server exposure or bypass attempts. 
Attackers often scan for such alternate ports to discover hidden or less-protected entry points into internal systems.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker performs reconnaissance using tools like Nmap to enumerate open ports:\n\n```bash\nnmap -p 8443 -sV pro.anveshaktool.in\n```\n\nOutput confirms:\n```\nPORT     STATE SERVICE    VERSION\n8443/tcp open  ssl/http   Cloudflare http proxy\n```\n\nNext, they attempt to access the application over this port:\n\n```bash\ncurl -v https://pro.anveshaktool.in:8443/\n```\n\nThey observe responses indicating the use of Cloudflare, including headers such as:\n\n```\nServer: cloudflare\nCF-RAY: <value>\n```\n\nIf the origin server is improperly configured to accept direct connections outside of Cloudflare (e.g., by IP address), an attacker might try to bypass Cloudflare protections by identifying and targeting the origin directly.\n\nAlternatively, if legacy configurations exist, this port could expose vulnerable endpoints or outdated versions of applications that are no longer maintained.\n\n**Business Impact**\n\nWhile the mere existence of an open port routed through Cloudflare does not pose immediate risk, it increases the organization’s attack surface. It may lead to unintended information disclosure about infrastructure design choices or reveal deprecated services still accepting traffic. In worst-case scenarios involving origin server leaks or bypasses, attackers could exploit vulnerabilities otherwise mitigated by Cloudflare WAF or DDoS protection layers.\n\nAdditionally, compliance frameworks such as PCI-DSS or ISO 27001 require minimizing unnecessary network exposures, which makes even informational findings worth addressing.\n\n**Remediation**\n\nEnsure only necessary ports are exposed publicly. Standardize web traffic on well-known ports (i.e., 80 for HTTP, 443 for HTTPS). 
If port 8443 serves a legitimate business purpose (such as testing or staging environments), restrict its accessibility using firewall rules or Cloudflare Access policies.\n\nExample configuration adjustment in Cloudflare dashboard:\n\n- Navigate to **Firewall > Tools**\n- Create a filter based on `(http.host eq \"pro.anveshaktool.in\") and (cf.edge.server_port eq 8443)`\n- Apply action: *Block* or *JS Challenge*\n\nAlternatively, disable listening on port 8443 at the origin unless explicitly required.\n\nReference:\n- CWE-16: Configuration\n- NIST SP 800-53: SC-7 Boundary Protection\n\n---\n\n### Open Port 8443/tcp Detected on 172.67.211.177\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 172.67.211.177 |\n\n**Description**  \nPort 8443/tcp is open on IP address `172.67.211.177`. This alternative HTTPS port often hosts administrative interfaces, internal APIs, or development environments. Its exposure increases risk due to less common usage patterns which might lack proper monitoring or hardening practices.\n\nThis port was identified during a scan targeting `https://pro.anveshaktool.in`.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker scans with `masscan`:\n   ```bash\n   masscan -p8443 172.67.211.177\n   ```\n2. Connects via browser or CLI tool:\n   ```bash\n   curl https://172.67.211.177:8443\n   ```\n3. 
Inspects returned content or error messages to determine purpose and version details.\n\n**Business Impact**  \nUnintended exposure of backend or admin interfaces can result in privilege escalation, credential theft, or lateral movement within the network.\n\n**Remediation**  \n- Restrict access to alternate HTTPS ports using firewalls or reverse proxies.\n- Apply authentication controls even when accessed internally.\n- Audit all custom ports for business necessity before public exposure.\n- Reference: CWE-1191, NIST SP 800-53 AC-4\n\n---\n\n### Open Port 8880/tcp (HTTP) — Cloudflare HTTP Proxy / pro.anveshaktool.in / 8880/tcp\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**\n\nPort 8880/tcp is open and hosts an HTTP service fronted by a Cloudflare HTTP proxy. This port is commonly associated with development servers, alternative HTTP interfaces, or custom API gateways. Its usage deviates from standard practice where secure web communications typically occur over port 443.\n\nExposing services on non-standard ports increases visibility during automated scans and may attract opportunistic attacks. 
Although protected by Cloudflare, improper routing rules or lack of strict origin authentication could allow malicious actors to probe backend infrastructure indirectly.\n\nThis configuration should be reviewed to ensure alignment with organizational security baselines and reduction of unnecessary exposure.\n\n**Attack Scenario (Proof of Concept)**\n\nUsing Nmap, an attacker identifies the open port:\n\n```bash\nnmap -p 8880 -sV pro.anveshaktool.in\n```\n\nResponse shows:\n\n```\nPORT     STATE SERVICE    VERSION\n8880/tcp open  http       Cloudflare http proxy\n```\n\nThey proceed to query the endpoint:\n\n```bash\ncurl -v http://pro.anveshaktool.in:8880/\n```\n\nHeaders returned include:\n\n```\nVia: 1.1 vegur\nServer: cloudflare\n```\n\nIn some cases, developers leave debug modes enabled or expose administrative panels on these ports without proper authentication. The attacker explores further with directory brute-forcing:\n\n```bash\nffuf -u http://pro.anveshaktool.in:8880/FUZZ -w /path/to/common-dirs.txt\n```\n\nDiscovering paths like `/admin`, `/debug`, or `/metrics` could yield sensitive insights or unauthorized access depending on backend implementation.\n\n**Business Impact**\n\nUnnecessary exposure of services on non-standard ports contributes to expanded attack surfaces and violates defense-in-depth principles. Even though Cloudflare provides a layer of protection, misconfigured origins or flawed logic within routing rules can undermine those safeguards.\n\nOrganizations relying on compliance regimes (GDPR, HIPAA, SOC 2) must justify all externally facing services. Leaving auxiliary ports open without clear documentation or business justification raises audit concerns and increases likelihood of downstream exploitation.\n\n**Remediation**\n\nAudit whether port 8880 is operationally essential. If not, disable it both at the origin server and within DNS/cloud provider settings.\n\nTo block traffic to this port via Cloudflare Firewall:\n\n1. 
Go to **Security > WAF > Tools**\n2. Add expression:\n   ```\n   (http.host eq \"pro.anveshaktool.in\") and (cf.edge.server_port eq 8880)\n   ```\n3. Set action to **Block**\n\nAlternatively, enforce mutual TLS between Cloudflare and your origin server to prevent unauthorized access regardless of port exposure.\n\nReference:\n- CWE-16: Configuration\n- OWASP ASVS v4.0.3 – V1.3 Secure Communication Channels\n- NIST SP 800-53 Rev. 5 – AC-4 Information Flow Enforcement\n\n---\n\n### Open Port 2052/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2052/tcp is open and identified as running a Cloudflare HTTP proxy. This indicates that the domain utilizes Cloudflare CDN or WAF services. While beneficial for performance and basic DDoS mitigation, misconfigured origins or bypass techniques can expose backend infrastructure.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify origin IP via DNS history or misconfigured headers:\n   ```bash\n   curl -H \"Host: pro.anveshaktool.in\" http://origin-ip:2052\n   ```\n2. 
Probe for hidden directories or bypass protections.\n\n**Business Impact**  \nBypassing edge-layer defenses allows attackers to reach raw backend servers, potentially exploiting vulnerabilities missed at the perimeter level.\n\n**Remediation**  \n- Lock down origin server access to only accept traffic from Cloudflare IPs.\n- Set up proper header validation and rate limiting.\n- Reference: CWE-16, OWASP API Security Top 10 – BOLA\n\n---\n\n### Open Port 2053/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2053/tcp is open and running an Nginx web server. Nginx is widely deployed for high-performance web serving and load balancing. Exposure of this port increases the likelihood of fingerprinting and exploitation based on known vulnerabilities in specific versions or modules.\n\n**Attack Scenario (Proof of Concept)**  \n1. Fingerprint server version:\n   ```bash\n   curl -I http://pro.anveshaktool.in:2053\n   ```\n2. Search for CVE entries related to discovered version:\n   ```bash\n   searchsploit nginx <version>\n   ```\n\n**Business Impact**  \nOutdated or misconfigured Nginx instances can become gateways for remote code execution, denial-of-service conditions, or unauthorized file access.\n\n**Remediation**  \n- Keep Nginx updated to latest stable release.\n- Review configuration files for insecure directives (e.g., `autoindex on`).\n- Reference: CVE-2022-41741, CWE-400\n\n---\n\n### Open Port 2082/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2082/tcp is open and associated with a Cloudflare HTTP proxy. 
Similar to other Cloudflare-managed ports, this likely supports additional routing or caching functionality. However, inconsistent proxy configurations may reveal backend infrastructure or allow unintended access paths.\n\n**Attack Scenario (Proof of Concept)**  \n1. Enumerate available ports:\n   ```bash\n   nmap -p2082 pro.anveshaktool.in\n   ```\n2. Attempt to access internal services or bypass front-end restrictions.\n\n**Business Impact**  \nMisuse of proxy layers can undermine intended access control models, allowing attackers to reach otherwise protected internal systems.\n\n**Remediation**  \n- Validate that all proxy ports enforce consistent access policies.\n- Log and monitor unusual access patterns.\n- Reference: CWE-602, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 2083/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2083/tcp is open and running an Nginx instance. Like other non-standard ports, this may host specialized services or act as part of a layered architecture. Without explicit documentation or restriction, it becomes another vector for unauthorized access or exploitation.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p2083 pro.anveshaktool.in\n   ```\n2. Explore content or attempt brute-force login if authentication is present.\n\n**Business Impact**  \nUndocumented or poorly maintained services increase the probability of successful intrusions. 
Attackers often focus on lesser-known ports to evade detection.\n\n**Remediation**  \n- Document and justify each exposed service.\n- Apply least-privilege principles to service accounts.\n- Reference: CWE-1190, NIST SP 800-53 CM-7\n\n---\n\n### Open Port 2086/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2086/tcp is open and managed by a Cloudflare HTTP proxy. This port may be used for specific routing purposes, such as handling different types of traffic or integrating with third-party services. Improperly scoped permissions or routing rules can expose internal resources.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify accessible routes:\n   ```bash\n   curl -k https://pro.anveshaktool.in:2086\n   ```\n2. Test for path traversal or SSRF vulnerabilities.\n\n**Business Impact**  \nProxy misconfigurations can lead to unauthorized access to internal APIs or databases, resulting in data exfiltration or service abuse.\n\n**Remediation**  \n- Define clear routing policies for each proxy port.\n- Sanitize input and validate URLs passed to backend services.\n- Reference: CWE-918, OWASP API Security Top 10 – SSRF\n\n---\n\n### Open Port 2087/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2087/tcp is open and running an Nginx web server. Given its non-standard nature, it may host administrative panels, staging environments, or auxiliary services. These often receive less attention than primary production sites, making them attractive targets for attackers.\n\n**Attack Scenario (Proof of Concept)**  \n1. 
Scan for open ports:\n   ```bash\n   nmap -p2087 pro.anveshaktool.in\n   ```\n2. Attempt to access default dashboards or debug interfaces.\n\n**Business Impact**  \nExposed admin panels or debug tools can grant attackers elevated privileges or insight into internal operations, facilitating more sophisticated attacks.\n\n**Remediation**  \n- Restrict access to administrative interfaces using IP whitelisting or mutual TLS.\n- Remove default installations and sample files.\n- Reference: CWE-16, OWASP ASVS v4.0 Section 14\n\n---\n\n### Open Port 2095/tcp (http) — Cloudflare http proxy on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2095/tcp is open and routed through a Cloudflare HTTP proxy. This port may handle email-related services or custom integrations. Proxy-based setups require careful configuration to prevent unintended access or leakage of internal resources.\n\n**Attack Scenario (Proof of Concept)**  \n1. Enumerate open ports:\n   ```bash\n   nmap -p2095 pro.anveshaktool.in\n   ```\n2. Investigate responses for clues about backend services or misconfigurations.\n\n**Business Impact**  \nEmail or integration endpoints exposed via proxy can be abused for spam relaying, credential harvesting, or phishing attacks.\n\n**Remediation**  \n- Secure email gateways with SPF/DKIM/DMARC records.\n- Validate and sanitize inputs to prevent injection attacks.\n- Reference: CWE-93, OWASP Email Security Cheat Sheet\n\n---\n\n### Open Port 2096/tcp (http) — nginx on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 2096/tcp is open and running an Nginx server. 
This port may host specialized applications or act as a secondary ingress point. Due to its infrequent use, it may escape routine audits, increasing the risk of undetected vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p2096 pro.anveshaktool.in\n   ```\n2. Attempt to enumerate installed modules or plugins.\n\n**Business Impact**  \nNeglected services can become backdoors for persistent access or serve as pivot points for lateral movement within the network.\n\n**Remediation**  \n- Decommission unused or redundant services.\n- Implement centralized logging and alerting for all exposed ports.\n- Reference: CWE-1190, NIST SP 800-53 SI-4\n\n---\n\n### Open Port 8008/tcp (http) on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8008/tcp is open and accepting HTTP traffic on `pro.anveshaktool.in`. This port is sometimes used for alternative web services or embedded device interfaces. Its exposure adds complexity to the network topology and increases the number of potential attack vectors.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8008 pro.anveshaktool.in\n   ```\n2. 
Access the service to determine its function:\n   ```bash\n   curl http://pro.anveshaktool.in:8008\n   ```\n\n**Business Impact**  \nUnmanaged or undocumented services pose ongoing risks due to lack of oversight and patching cycles.\n\n**Remediation**  \n- Inventory and classify all listening services.\n- Apply uniform security baselines across all exposed ports.\n- Reference: CWE-1190, ISO/IEC 27001 Annex A.12.6.1\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8015/tcp is open and identified as running FortiGuard Web Filtering, suggesting the presence of a Fortinet security appliance. While designed to protect users, exposing such appliances externally can create new attack surfaces, particularly if default credentials remain unchanged or firmware is outdated.\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify service:\n   ```bash\n   nmap -sV -p8015 pro.anveshaktool.in\n   ```\n2. Attempt to log in with default credentials or exploit known vulnerabilities.\n\n**Business Impact**  \nCompromised filtering devices can be repurposed for malicious activities, including malware distribution or traffic manipulation.\n\n**Remediation**  \n- Change default passwords immediately after deployment.\n- Update firmware regularly according to vendor advisories.\n- Reference: CVE-2022-39952, CWE-798\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering on pro.anveshaktool.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | pro.anveshaktool.in |\n\n**Description**  \nPort 8020/tcp is open and running FortiGuard Web Filtering. 
Similar to port 8015, this indicates continued reliance on Fortinet infrastructure. Multiple exposed proxy ports suggest complex routing or segmentation strategies, which must be carefully monitored and secured.\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for open ports:\n   ```bash\n   nmap -p8020 pro.anveshaktool.in\n   ```\n2. Probe for known exploits affecting Fortinet products.\n\n**Business Impact**  \nMultiple exposed proxy services multiply the risk of successful compromise, especially if they share common vulnerabilities or misconfigurations.\n\n**Remediation**  \n- Consolidate proxy functions under fewer, well-monitored ports.\n- Segment internal vs external access rigorously.\n- Reference: CVE-2023-27997, CWE-284",
  "summary": {
    "total": 22
  }
}
{
  "total": 22
}
6a0df815edaa75ad624af851
Wed May 20 2026 18:06:13 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://www.veltris.com/",
  "category": "network_exposure",
  "timestamp": "2026-05-20T18:06:13.330637+00:00",
  "report": "### Open Port 443/tcp on 35.227.194.51\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 35.227.194.51 |\n\n**Description**  \nPort 443/tcp is open on the host at IP address `35.227.194.51`. This port typically serves HTTPS traffic, indicating that a web server or application may be accessible over a secure encrypted connection. While not inherently insecure, exposing services publicly increases the attack surface and provides potential entry points for reconnaissance and exploitation.\n\nAn attacker can identify this by performing a TCP SYN scan using tools like Nmap or Naabu:\n```bash\nnmap -p 443 35.227.194.51\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker performs initial reconnaissance with:\n   ```bash\n   nmap -sS -p 443 35.227.194.51\n   ```\n2. Confirms service banner via:\n   ```bash\n   nmap -sV -p 443 35.227.194.51\n   ```\n3. Proceeds to enumerate SSL/TLS configurations and check for known vulnerabilities such as weak ciphers or expired certificates.\n\n**Business Impact**  \nExposing unnecessary ports increases the organization's digital footprint and risk profile. 
If misconfigured, these endpoints could lead to unauthorized access, data leakage, or serve as pivot points during lateral movement within the infrastructure.\n\n**Remediation**  \n- Restrict access to port 443 only from trusted sources using firewall rules or cloud security groups.\n- Ensure TLS configuration follows best practices (e.g., disable outdated protocols).\n- Regularly audit exposed services for relevance and necessity.\n- Reference: [CWE-16](https://cwe.mitre.org/data/definitions/16.html)\n\n---\n\n### Open Port 80/tcp on 35.227.194.51\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 35.227.194.51 |\n\n**Description**  \nPort 80/tcp is open on the host at IP address `35.227.194.51`, commonly used for HTTP communication. The presence of this port indicates a potentially public-facing web server. Unencrypted HTTP traffic poses risks including eavesdropping and man-in-the-middle attacks unless properly redirected to HTTPS.\n\nAttackers often use scanning tools like Masscan or Nmap to detect open HTTP ports:\n```bash\nmasscan -p80 35.227.194.51\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan reveals port 80 open:\n   ```bash\n   masscan -p80 35.227.194.51\n   ```\n2. Fetch homepage content:\n   ```bash\n   curl http://35.227.194.51/\n   ```\n3. Analyze response headers and content for version disclosures or misconfigurations.\n\n**Business Impact**  \nUnsecured HTTP exposure can result in credential theft, session hijacking, or content tampering. 
It also violates compliance standards requiring encryption in transit.\n\n**Remediation**  \n- Redirect all HTTP requests to HTTPS using proper rewrite rules.\n- Disable direct access to port 80 externally if not required.\n- Implement HSTS headers to enforce secure connections.\n- Reference: [OWASP A02:2021 – Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n\n---\n\n### Open Port 443/tcp on 34.120.190.48\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://www.veltris.com/, 34.120.190.48 |\n\n**Description**  \nThe system exposes port 443/tcp on IP address `34.120.190.48` associated with domain `www.veltris.com`. This suggests an active HTTPS-enabled web service. Although standard practice, improper TLS setup or outdated software versions can introduce vulnerabilities.\n\nTools like Masscan or Nmap can be used to discover this:\n```bash\nmasscan -p443 34.120.190.48\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Perform scan:\n   ```bash\n   masscan -p443 34.120.190.48 --rate=1000\n   ```\n2. Enumerate certificate details:\n   ```bash\n   openssl s_client -connect www.veltris.com:443\n   ```\n3. 
Check for deprecated cipher suites or expired certificates.\n\n**Business Impact**  \nMisconfigured HTTPS can undermine user trust, expose sensitive information, and violate regulatory requirements around secure communications.\n\n**Remediation**  \n- Enforce strong TLS policies (TLS 1.2+).\n- Renew SSL certificates before expiration.\n- Audit supported cipher suites regularly.\n- Reference: [CWE-310](https://cwe.mitre.org/data/definitions/310.html)\n\n---\n\n### Open Port 80/tcp on 34.120.190.48\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://www.veltris.com/, 34.120.190.48 |\n\n**Description**  \nPort 80/tcp is open on IP address `34.120.190.48`, which resolves to `www.veltris.com`. This implies a web server accepting unencrypted HTTP traffic. Without automatic redirection to HTTPS, users may transmit credentials or other sensitive data insecurely.\n\nScanning commands include:\n```bash\nnmap -p80 34.120.190.48\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify open port:\n   ```bash\n   nmap -p80 34.120.190.48\n   ```\n2. Access page without encryption:\n   ```bash\n   curl http://www.veltris.com/\n   ```\n3. 
Observe lack of redirect or warning indicators.\n\n**Business Impact**  \nInsecure transmission of login forms or personal data can lead to interception, identity theft, and legal liability under privacy regulations.\n\n**Remediation**  \n- Configure web server to automatically redirect HTTP to HTTPS.\n- Apply HSTS header to prevent downgrade attacks.\n- Remove or restrict unnecessary HTTP listeners.\n- Reference: [OWASP A07:2021 – Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n\n---\n\n### Open Port 80/tcp (HTTP) — nginx on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nNginx web server is running on port 80/tcp for `www.veltris.com`. While common, exposing internal server technology can aid attackers in fingerprinting and targeting known exploits specific to Nginx versions.\n\nEnumeration example:\n```bash\ncurl -I http://www.veltris.com/\n# Server: nginx\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Detect server type:\n   ```bash\n   curl -I http://www.veltris.com/\n   ```\n2. Search exploit databases for known Nginx vulnerabilities matching the version.\n3. 
Attempt directory traversal or misconfiguration exploitation.\n\n**Business Impact**  \nRevealing backend technologies facilitates targeted attacks, increasing likelihood of successful compromise.\n\n**Remediation**  \n- Remove or obfuscate identifying server headers (`Server:` field).\n- Keep Nginx updated to latest stable release.\n- Apply hardening guides per vendor recommendations.\n- Reference: [CWE-200](https://cwe.mitre.org/data/definitions/200.html)\n\n---\n\n### Open Port 443/tcp (HTTPS) — nginx on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nSecure web service is hosted on port 443/tcp using Nginx. As with HTTP, revealing server software helps adversaries tailor their approach. Additionally, older versions might contain exploitable flaws.\n\nExample detection:\n```bash\ncurl -Ik https://www.veltris.com/\n# Server: nginx\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify server:\n   ```bash\n   curl -Ik https://www.veltris.com/\n   ```\n2. Cross-reference version against vulnerability databases.\n3. 
Exploit known issues related to Nginx modules or configurations.\n\n**Business Impact**  \nTechnology disclosure enables focused attacks, potentially leading to service disruption or unauthorized access.\n\n**Remediation**  \n- Suppress server identification headers.\n- Maintain up-to-date Nginx installations.\n- Monitor for new CVEs affecting deployed components.\n- Reference: [CVE-2022-41741](https://nvd.nist.gov/vuln/detail/CVE-2022-41741)\n\n---\n\n### Open Port 8008/tcp (HTTP) on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nPort 8008/tcp is open and serving HTTP traffic on `www.veltris.com`. Non-standard ports increase visibility and may indicate development/test environments or alternative administrative interfaces left exposed unintentionally.\n\nDiscovery command:\n```bash\nnmap -p8008 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Scan for non-standard ports:\n   ```bash\n   nmap -p8000-9000 www.veltris.com\n   ```\n2. Probe endpoint:\n   ```bash\n   curl http://www.veltris.com:8008/\n   ```\n3. 
Investigate returned content for debug info or admin panels.\n\n**Business Impact**  \nAlternative HTTP services may bypass normal monitoring and controls, creating hidden attack vectors.\n\n**Remediation**  \n- Close unused ports unless explicitly needed.\n- Protect alternate services behind authentication or IP whitelisting.\n- Conduct regular audits of listening services across infrastructure.\n- Reference: [CWE-1190](https://cwe.mitre.org/data/definitions/1190.html)\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy) — FortiGuard Web Filtering on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nPort 8015/tcp hosts an HTTP proxy identified as FortiGuard Web Filtering. Exposed proxies can be abused for anonymizing malicious traffic or bypassing filtering mechanisms.\n\nDetection:\n```bash\nnmap -sV -p8015 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Identify proxy:\n   ```bash\n   nmap -sV -p8015 www.veltris.com\n   ```\n2. Test proxy functionality:\n   ```bash\n   curl --proxy http://www.veltris.com:8015 http://example.com\n   ```\n3. 
Abuse for outbound tunneling or evasion.\n\n**Business Impact**  \nPublicly available proxies enable abuse by threat actors, damaging reputation and possibly violating acceptable usage policies.\n\n**Remediation**  \n- Restrict proxy access to authorized networks.\n- Log and monitor proxy usage patterns.\n- Consider disabling if not operationally necessary.\n- Reference: [CWE-668](https://cwe.mitre.org/data/definitions/668.html)\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy) — FortiGuard Web Filtering on www.veltris.com\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nAnother instance of FortiGuard Web Filtering operates on port 8020/tcp. Similar concerns apply regarding unauthorized proxy usage and potential misuse.\n\nScan command:\n```bash\nnmap -sV -p8020 www.veltris.com\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Confirm proxy availability:\n   ```bash\n   nmap -sV -p8020 www.veltris.com\n   ```\n2. Route traffic through proxy:\n   ```bash\n   curl --proxy http://www.veltris.com:8020 http://targetsite.com\n   ```\n\n**Business Impact**  \nMultiple exposed proxies compound risk and complicate tracking of malicious activity originating from the asset.\n\n**Remediation**  \n- Consolidate proxy functions behind centralized control.\n- Enforce strict access controls and logging.\n- Periodically review and decommission redundant services.\n- Reference: [CWE-668](https://cwe.mitre.org/data/definitions/668.html)\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | www.veltris.com |\n\n**Description**  \nDomain `www.veltris.com` has been flagged on the DNS-based spam blacklist `list.quorum.to`. 
This indicates that the domain or its associated IP addresses have sent unsolicited email or exhibited behavior consistent with spam operations.\n\nVerification:\n```bash\n# DNSBL lookups take the IPv4 octets in reverse order\ndig TXT +short 48.190.120.34.list.quorum.to\n```\n\n**Attack Scenario (Proof of Concept)**  \n1. Query blacklists:\n   ```bash\n   dig TXT +short 48.190.120.34.list.quorum.to\n   ```\n2. Confirm listing status.\n3. Use this knowledge to craft phishing campaigns leveraging compromised reputation.\n\n**Business Impact**  \nBlacklisted domains suffer reduced deliverability, customer distrust, and possible sanctions from email providers.\n\n**Remediation**  \n- Investigate root cause of spam listing (compromised mail relay, malware).\n- Request delisting from affected blacklists after remediation.\n- Implement SPF/DKIM/DMARC records to authenticate outgoing emails.\n- Reference: [OWASP Email Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Email_Security_Cheat_Sheet.html)",
  "summary": {
    "total": 10
  }
}
{
  "total": 10
}
6a0e42cfff7cb8e001b1ffaf
Wed May 20 2026 23:25:03 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://springs.com.pk",
  "category": "network_exposure",
  "timestamp": "2026-05-20T23:25:03.068487+00:00",
  "report": "### Open Port 80/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 80/tcp is open on IP address `208.91.112.55`, indicating that a web server or HTTP-based service is listening on this standard HTTP port. This exposure allows external entities to initiate communication with services running over unencrypted HTTP traffic.\n\nAn attacker can use tools like Nmap or curl to probe the endpoint for further information about the hosted application, version details, directory listings, or vulnerabilities such as misconfigurations or outdated software versions.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Identify open ports using nmap\nnmap -p 80 208.91.112.55\n\n# Retrieve basic HTTP response headers\ncurl -I http://208.91.112.55/\n\n# Attempt fingerprinting via banner grabbing\nnc 208.91.112.55 80\nGET / HTTP/1.1\nHost: 208.91.112.55\n```\n\nThis reconnaissance may reveal server identity, installed modules, or default pages which could lead to exploitation paths.\n\n**Business Impact**  \nExposing port 80 without proper access controls increases the risk surface area by allowing unauthorized users to interact directly with internal systems. 
If not properly secured, it may expose sensitive content or provide an entry point into deeper infrastructure layers.\n\n**Remediation**  \n- Restrict access to port 80 at the firewall level unless explicitly required.\n- Redirect all HTTP traffic to HTTPS (port 443).\n- Ensure no sensitive applications are exposed publicly via plaintext HTTP.\n- Apply principle of least privilege and restrict source IPs where possible.\n\n---\n\n### Open Port 8020/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8020/tcp is open on IP address `208.91.112.55`. While non-standard, this port often hosts proxy servers, development environments, or custom HTTP interfaces. Without additional context from service detection, its purpose remains ambiguous but represents potential attack vectors due to lack of encryption or authentication mechanisms.\n\nAttackers typically scan ranges of high-numbered TCP ports to discover hidden administrative panels, debug interfaces, or legacy services inadvertently left accessible.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Scan for open ports including higher ranges\nnmap -p 8020 208.91.112.55\n\n# Probe the service manually\ncurl -v http://208.91.112.55:8020/\n```\n\nIf the service returns verbose error messages or exposes configuration files, attackers might gain insight into backend logic or credentials.\n\n**Business Impact**  \nUnintended exposure of auxiliary services can result in lateral movement opportunities within the network, especially if these endpoints bypass normal monitoring or logging practices.\n\n**Remediation**  \n- Audit and document all services bound to non-standard ports.\n- Disable unnecessary services or bind them only locally (`localhost`).\n- Implement strong authentication and TLS termination for externally facing services.\n- Monitor 
logs for suspicious activity targeting unusual ports.\n\n---\n\n### Open Port 443/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 443/tcp is open on IP address `208.91.112.55`, signifying that a secure HTTPS web server is active. Although encrypted, this still presents an attack surface for SSL/TLS-related issues, certificate mismanagement, or insecure configurations.\n\nAttackers commonly perform TLS handshake analysis, cipher suite enumeration, and certificate validation checks to assess weaknesses in cryptographic implementations.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Test supported TLS versions and ciphers\nopenssl s_client -connect 208.91.112.55:443 -tls1_2\n\n# Check certificate chain validity\necho | openssl s_client -showcerts -connect 208.91.112.55:443 2>/dev/null | openssl x509 -text -noout\n```\n\nWeak protocols (e.g., TLS 1.0), expired certificates, or self-signed certs increase vulnerability risks.\n\n**Business Impact**  \nImproperly configured HTTPS can undermine user trust, violate compliance standards (PCI DSS, HIPAA), and allow man-in-the-middle attacks leading to credential theft or session hijacking.\n\n**Remediation**  \n- Enforce modern TLS versions (minimum TLS 1.2).\n- Use strong cipher suites and disable weak ones (RC4, DES).\n- Regularly renew and validate SSL certificates.\n- Employ HSTS headers to enforce HTTPS usage.\n- Reference: [OWASP Transport Layer Protection](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)\n\n---\n\n### Open Port 8008/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8008/tcp is open on IP address `208.91.112.55`. 
Commonly used for alternative HTTP services or reverse proxies, this port lacks standardized protection models compared to well-known ports like 80 or 443.\n\nSuch services may be less hardened against common web threats and more prone to misconfiguration errors due to reduced visibility during audits.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Enumerate service behavior\ncurl -v http://208.91.112.55:8008/\n\n# Fuzz directories or parameters\nffuf -u http://208.91.112.55:8008/FUZZ -w /path/to/dir-wordlist.txt\n```\n\nExposed APIs or test endpoints behind this port may leak internal data structures or accept malformed inputs leading to injection flaws.\n\n**Business Impact**  \nInsecure deployment of alternate HTTP interfaces can expose internal APIs, staging environments, or debugging tools to public networks, increasing insider threat risks and unauthorized system manipulation.\n\n**Remediation**  \n- Limit accessibility to trusted sources only.\n- Deploy WAF rulesets tailored to protect non-standard HTTP ports.\n- Remove or harden any testing/staging deployments before production release.\n- Conduct regular penetration tests focused on non-standard ports.\n\n---\n\n### Open Port 8015/tcp on 208.91.112.55\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**  \nPort 8015/tcp is open on IP address `208.91.112.55`. Like other high-numbered ports, this one may host specialized services such as API gateways, reverse proxies, or embedded device interfaces. 
The absence of explicit identification makes it difficult to determine whether appropriate protections exist.\n\nAttackers frequently target obscure ports to find backdoors, undocumented features, or poorly maintained services.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Basic connectivity check\ntelnet 208.91.112.55 8015\n\n# Send crafted requests\nprintf \"GET / HTTP/1.1\\r\\nHost: 208.91.112.55:8015\\r\\n\\r\\n\" | nc 208.91.112.55 8015\n```\n\nResponses may include server banners, redirect locations, or error traces revealing underlying architecture.\n\n**Business Impact**  \nUndocumented or forgotten services pose significant operational and security risks, particularly when they remain unpatched or unmaintained over time.\n\n**Remediation**  \n- Document and inventory all services operating on non-standard ports.\n- Decommission unused or obsolete services immediately.\n- Apply consistent patch management policies across all exposed assets.\n- Integrate automated scanning tools to detect rogue services.\n\n---\n\n### Open Port 80/tcp (HTTP) – nginx 1.29.1 on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nThe domain `springs.com.pk` has port 80 open and serves HTTP traffic via nginx version 1.29.1. 
While functional, exposing HTTP instead of enforcing HTTPS leaves communications vulnerable to interception and tampering.\n\nAdditionally, identifying the exact version helps attackers correlate known exploits tied to that build number.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Confirm server version disclosure\ncurl -I http://springs.com.pk/\n\n# Search exploit databases for nginx 1.29.1\nsearchsploit nginx 1.29\n```\n\nKnown vulnerabilities in older releases may allow remote code execution or denial-of-service conditions under certain configurations.\n\n**Business Impact**  \nFailure to encrypt web traffic violates best practices and regulatory requirements. Version disclosures facilitate targeted attacks and reduce overall defense-in-depth posture.\n\n**Remediation**  \n- Redirect all HTTP traffic to HTTPS using permanent redirects.\n- Suppress server version headers in nginx config:\n  ```nginx\n  server_tokens off;\n  ```\n- Keep nginx updated to latest stable branch.\n- Reference: [CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)\n\n---\n\n### Open Port 443/tcp (HTTPS) – nginx 1.29.1 on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 443 is open on `springs.com.pk` and utilizes nginx 1.29.1 for serving HTTPS traffic. 
Despite encryption, disclosing the exact server version enables attackers to research associated vulnerabilities and tailor their approach accordingly.\n\nMoreover, improper TLS setup or missing security headers can weaken the effectiveness of HTTPS implementation.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Inspect TLS settings and header presence\ncurl -s --insecure -D - https://springs.com.pk/\n\n# Analyze TLS handshake with sslscan\nsslscan springs.com.pk\n```\n\nMissing security headers (HSTS, X-Frame-Options) leave clients susceptible to clickjacking or downgrade attacks.\n\n**Business Impact**  \nEven though HTTPS provides confidentiality, poor implementation undermines user privacy and opens avenues for advanced persistent threats.\n\n**Remediation**  \n- Enable recommended security headers in nginx:\n  ```nginx\n  add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;\n  add_header X-Frame-Options DENY;\n  add_header X-Content-Type-Options nosniff;\n  ```\n- Update nginx regularly to mitigate disclosed vulnerabilities.\n- Validate certificate chains and implement OCSP stapling.\n\n---\n\n### Open Port 8008/tcp (HTTP) on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 8008 on `springs.com.pk` runs an HTTP service. As a non-standard port, it may indicate a secondary web interface, microservice, or development environment. 
These types of services often have relaxed security postures and limited oversight.\n\nAttackers leverage automated scanners to identify such endpoints and attempt to exploit them for initial footholds.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Access the service directly\ncurl http://springs.com.pk:8008/\n\n# Perform directory brute-force\ngobuster dir -u http://springs.com.pk:8008/ -w /usr/share/wordlists/dirb/common.txt\n```\n\nExposed admin panels or debug modes can grant unauthorized control over backend processes.\n\n**Business Impact**  \nSecondary HTTP services increase complexity and difficulty in maintaining uniform security baselines. They also expand the attack surface unnecessarily.\n\n**Remediation**  \n- Evaluate necessity of exposing this service externally.\n- Apply rate limiting and authentication measures.\n- Log and monitor access attempts to detect anomalies.\n- Consider consolidating services onto fewer standardized ports.\n\n---\n\n### Open Port 8015/tcp (HTTP Proxy) – FortiGuard Web Filtering on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nPort 8015 on `springs.com.pk` operates as an HTTP proxy identified as FortiGuard Web Filtering. 
Proxies inherently act as intermediaries between clients and origin servers, potentially introducing new attack vectors related to forwarding behaviors, caching logic, or access control bypasses.\n\nMisconfigured proxies can become pivot points for tunneling malicious traffic or evading perimeter defenses.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Test proxy functionality\ncurl --proxy http://springs.com.pk:8015 http://example.com/\n\n# Attempt SSRF-style abuse\ncurl -x http://springs.com.pk:8015 http://internal-api.local/admin\n```\n\nSuccessful proxy misuse can enable attackers to reach otherwise inaccessible internal resources.\n\n**Business Impact**  \nPublicly exposed filtering proxies can be abused to circumvent corporate policies, exfiltrate data, or launch internal reconnaissance campaigns.\n\n**Remediation**  \n- Restrict proxy access to authorized IP addresses.\n- Implement strict egress filtering and logging.\n- Disable anonymous proxy capabilities unless absolutely necessary.\n- Review vendor documentation for hardening guidelines.\n\n---\n\n### Open Port 8020/tcp (HTTP Proxy) – FortiGuard Web Filtering on springs.com.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nSimilar to port 8015, port 8020 on `springs.com.pk` functions as another instance of FortiGuard Web Filtering acting as an HTTP proxy. 
Multiple proxy instances suggest either redundancy or segmentation strategies, both of which require careful configuration to prevent unintended access patterns.\n\nEach exposed proxy multiplies the risk of misconfiguration and increases the burden of securing each individual endpoint.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Verify proxy operation\ncurl --proxy http://springs.com.pk:8020 http://google.com/\n\n# Try accessing local network resources\ncurl -x http://springs.com.pk:8020 http://192.168.1.1/\n```\n\nIf allowed, this could lead to lateral movement inside the organization’s private subnet.\n\n**Business Impact**  \nMultiple exposed proxies complicate incident response efforts and create redundant pathways for attackers to traverse protected boundaries undetected.\n\n**Remediation**  \n- Consolidate proxy services wherever feasible.\n- Enforce mutual TLS authentication for inter-service communication.\n- Audit proxy logs for signs of abuse or anomalous routing decisions.\n- Apply zero-trust principles to limit lateral traversal possibilities.\n\n---\n\n### Host Flagged on Blacklist list.quorum.to: SPAM\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) |\n| Category | network_exposure |\n| Asset / URL | springs.com.pk |\n\n**Description**  \nDomain `springs.com.pk` appears on the DNS blacklist `list.quorum.to` categorized as a spam source. 
Being blacklisted indicates prior involvement in unsolicited email distribution, possibly due to compromised mail relays, phishing sites, or botnet participation.\n\nBlacklisting affects deliverability rates and damages organizational reputation among partners and customers alike.\n\n**Attack Scenario (Proof of Concept)**  \n```bash\n# Query DNSBL status\ndig +short TXT springs.com.pk.list.quorum.to\n```\n\nA positive match confirms listing, suggesting ongoing abuse originating from the domain/IP space.\n\n**Business Impact**  \nEmail delivery failures, customer complaints, and brand degradation occur when domains are flagged as spam sources. Regulatory fines may apply depending on jurisdictional laws governing digital marketing ethics.\n\n**Remediation**  \n- Investigate root cause of spam classification (compromised accounts, malware infections).\n- Request delisting from affected blacklists after remediation.\n- Implement SPF/DKIM/DMARC records to authenticate outbound emails.\n- Monitor SMTP logs for suspicious relay activity.\n- Reference: [OWASP Email Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Email_Security_Cheat_Sheet.html)",
  "summary": {
    "total": 11
  }
}
{
  "total": 11
}
6a0f4a5037cadc7ccde99aaa
Thu May 21 2026 18:09:20 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://eveen.pk/",
  "category": "network_exposure",
  "timestamp": "2026-05-21T18:09:20.643798+00:00",
  "report": "### Open Port 2083/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 2083/tcp is open on IP address `23.227.38.65`. This port is commonly associated with cPanel's secure webmail interface or alternative HTTPS services. The exposure of such ports can indicate potential attack vectors if not properly secured or firewalled. An attacker may use tools like Nmap or Masscan to enumerate open ports and determine running services.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs a basic scan using Nmap:\n```bash\nnmap -p 2083 23.227.38.65\n```\nIf the service responds, they might attempt to connect via browser or curl:\n```bash\ncurl https://23.227.38.65:2083/\n```\nDepending on configuration, this could expose login interfaces or backend systems that should not be publicly accessible without proper authentication or access control.\n\n**Business Impact**  \nExposing unnecessary administrative or internal services increases the attack surface. If misconfigured, these endpoints can lead to unauthorized access, privilege escalation, or exploitation of known vulnerabilities in outdated software versions.\n\n**Remediation**  \n- Restrict access to port 2083/tcp using firewall rules (e.g., iptables, AWS Security Groups).\n- Ensure only authorized IPs or networks have access.\n- Disable or remove unused services from public-facing infrastructure.\n- Regularly audit exposed ports and services for compliance with least-privilege principles.\n\n---\n\n### Open Port 2095/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 2095/tcp is open on IP address `23.227.38.65`. 
It typically corresponds to cPanel’s Webmail interface over HTTP. Exposing this port publicly may allow attackers to gain insight into hosting configurations or attempt brute-force attacks against user accounts.\n\n**Attack Scenario (Proof of Concept)**  \nUsing Nmap:\n```bash\nnmap -sV -p 2095 23.227.38.65\n```\nIf responsive, an attacker accesses:\n```\nhttp://23.227.38.65:2095\n```\nThey may then try common credentials or exploit weak password policies to gain access to email accounts hosted under cPanel.\n\n**Business Impact**  \nUnauthorized access to email accounts can result in phishing campaigns, credential theft, data exfiltration, and reputational harm due to compromised communications.\n\n**Remediation**  \n- Enforce strong authentication mechanisms including MFA.\n- Limit access to trusted IP ranges via firewalling.\n- Redirect all traffic to HTTPS (port 2096) instead of exposing insecure HTTP.\n- Monitor logs for suspicious login attempts.\n\n---\n\n### Open Port 8015/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8015/tcp is open on IP address `23.227.38.65`. While non-standard, it may host custom applications or development servers. 
Without further identification, its purpose remains ambiguous but still contributes to the overall attack surface.\n\n**Attack Scenario (Proof of Concept)**  \nScanning with Nmap:\n```bash\nnmap -A -p 8015 23.227.38.65\n```\nIf banners reveal application details, attackers may probe for known exploits or misconfigurations:\n```bash\nnc 23.227.38.65 8015\nGET / HTTP/1.1\nHost: 23.227.38.65\n```\n\n**Business Impact**  \nUnidentified services increase risk by providing unknown entry points that may lack monitoring, patching, or hardening practices.\n\n**Remediation**  \n- Identify and document the service running on port 8015.\n- Apply appropriate security controls based on function.\n- Remove or restrict access to non-critical or undocumented services.\n\n---\n\n### Open Port 8080/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8080/tcp is widely used as an alternate HTTP server port, often for reverse proxies, development environments, or containerized apps. 
Its presence indicates possible exposure of internal or staging systems directly to the internet.\n\n**Attack Scenario (Proof of Concept)**  \nAccessing the endpoint:\n```bash\ncurl http://23.227.38.65:8080\n```\nIf it returns content, attackers will analyze headers, directory listings, or error messages for clues about underlying technology stacks.\n\n**Business Impact**  \nMisconfigured reverse proxies or dev/test environments exposed to production networks pose risks of information disclosure, lateral movement, or bypassing perimeter defenses.\n\n**Remediation**  \n- Ensure no sensitive or internal-only resources are served on port 8080.\n- Implement WAF or rate-limiting protections.\n- Restrict external access unless explicitly required.\n\n---\n\n### Open Port 8008/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8008/tcp is another non-standard HTTP port sometimes used for debugging, alternate web interfaces, or legacy systems. 
Like other non-standard ports, its exposure adds complexity to asset management and increases vulnerability discovery chances.\n\n**Attack Scenario (Proof of Concept)**  \nUsing netcat or browser:\n```bash\ntelnet 23.227.38.65 8008\n```\nOr:\n```bash\ncurl http://23.227.38.65:8008\n```\nAttackers look for default pages, debug outputs, or unauthenticated APIs.\n\n**Business Impact**  \nDebugging interfaces or test deployments left online can leak system internals, API keys, or source code fragments.\n\n**Remediation**  \n- Audit and decommission any temporary or testing services.\n- Block public access to non-production ports at the network level.\n- Enable logging and alerting for unexpected connections.\n\n---\n\n### Open Port 8020/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8020/tcp is not assigned to any standard protocol and may run proprietary or custom applications. 
Unknown services represent blind spots in visibility and control.\n\n**Attack Scenario (Proof of Concept)**  \nNmap scan:\n```bash\nnmap -sV -p 8020 23.227.38.65\n```\nIf banner grabbing reveals service info, attackers may attempt fingerprinting or exploit known weaknesses.\n\n**Business Impact**  \nUndocumented or unsupported services introduce unpredictability and elevate risk of zero-day exploitation or insider threats.\n\n**Remediation**  \n- Identify and classify the service behind port 8020.\n- Apply principle of least privilege; disable if unnecessary.\n- Maintain updated inventories of all listening services.\n\n---\n\n### Open Port 8443/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nPort 8443/tcp is frequently used as an alternative HTTPS port, especially when 443 is already occupied. It may serve administrative panels, API gateways, or third-party integrations.\n\n**Attack Scenario (Proof of Concept)**  \nConnecting securely:\n```bash\ncurl -k https://23.227.38.65:8443\n```\nIf valid SSL/TLS handshake occurs, attackers inspect certificate metadata and attempt to exploit vulnerabilities in TLS implementations or backend logic.\n\n**Business Impact**  \nImproperly configured SSL termination or backend services can lead to man-in-the-middle attacks, session hijacking, or exposure of sensitive data.\n\n**Remediation**  \n- Validate SSL certificates and enforce modern cipher suites.\n- Restrict access to necessary roles only.\n- Log and monitor traffic patterns for anomalies.\n\n---\n\n### Open Port 80/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nHTTP service running on port 80/tcp is standard for 
serving websites. However, if not redirected to HTTPS, it exposes users to plaintext communication risks.\n\n**Attack Scenario (Proof of Concept)**  \nBasic connection:\n```bash\ncurl http://23.227.38.65\n```\nIf successful, attackers can intercept cookies, inject malicious scripts, or perform downgrade attacks.\n\n**Business Impact**  \nLack of encryption leads to eavesdropping, tampering, and potential compromise of user sessions or transmitted data.\n\n**Remediation**  \n- Redirect all HTTP requests to HTTPS using HSTS headers.\n- Enforce TLS 1.2+ across all endpoints.\n- Deploy Let’s Encrypt or enterprise-grade certificates.\n\n---\n\n### Open Port 443/tcp on 23.227.38.65\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 23.227.38.65 |\n\n**Description**  \nHTTPS service on port 443/tcp ensures encrypted communication between clients and the server. Proper implementation mitigates many passive and active network-based threats.\n\n**Attack Scenario (Proof of Concept)**  \nSecure browsing:\n```bash\ncurl -v https://23.227.38.65\n```\nAttackers may check for expired certs, weak protocols, or vulnerable cipher suites during reconnaissance.\n\n**Business Impact**  \nWell-configured HTTPS protects confidentiality and integrity. Misconfiguration, however, undermines trust and opens avenues for MITM attacks.\n\n**Remediation**  \n- Use tools like Qualys SSL Labs to assess TLS posture.\n- Renew certificates before expiration.\n- Disable deprecated protocols (SSLv3, TLS 1.0).\n\n---\n\n### Open Port 80/tcp (http) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nThe domain `eveen.pk` listens on port 80/tcp for HTTP traffic. 
As with any HTTP endpoint, failure to redirect to HTTPS leaves communications vulnerable to interception.\n\n**Attack Scenario (Proof of Concept)**  \nBrowser navigation or CLI tool:\n```bash\ncurl http://eveen.pk\n```\nIf response includes forms or session tokens, attackers can capture them in transit.\n\n**Business Impact**  \nData transmitted over HTTP lacks protection, increasing susceptibility to credential theft, session fixation, and content injection.\n\n**Remediation**  \n- Implement automatic redirection from HTTP to HTTPS.\n- Set up HSTS header with preload directive.\n- Monitor for mixed-content warnings.\n\n---\n\n### Open Port 443/tcp (https) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nHTTPS service on port 443/tcp provides encrypted communication for `eveen.pk`, ensuring privacy and authenticity. Correct deployment prevents most passive surveillance and some active attacks.\n\n**Attack Scenario (Proof of Concept)**  \nSecure request:\n```bash\ncurl -I https://eveen.pk\n```\nInspecting response headers helps identify issues like missing security headers or outdated TLS settings.\n\n**Business Impact**  \nProper HTTPS implementation enhances customer confidence and meets regulatory requirements for data protection.\n\n**Remediation**  \n- Periodically review TLS configurations and certificate validity.\n- Add Content-Security-Policy and X-Frame-Options headers.\n- Employ certificate pinning where feasible.\n\n---\n\n### Open Port 2052/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 2052/tcp hosts a Cloudflare-managed HTTP proxy for `eveen.pk`. 
This setup allows CDN acceleration and DDoS mitigation but also introduces reliance on third-party infrastructure.\n\n**Attack Scenario (Proof of Concept)**  \nDirect access:\n```bash\ncurl http://eveen.pk:2052\n```\nAttackers may attempt to bypass Cloudflare protections by targeting origin servers directly.\n\n**Business Impact**  \nOver-reliance on CDNs without securing origins can undermine their benefits and leave gaps in defense layers.\n\n**Remediation**  \n- Lock down direct access to origin IPs.\n- Configure firewall rules to accept traffic only from Cloudflare ranges.\n- Monitor for attempts to reach origin outside CDN.\n\n---\n\n### Open Port 2053/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nNginx serves HTTP traffic on port 2053/tcp for `eveen.pk`. Nginx is robust but requires careful tuning to avoid misconfigurations leading to information leakage or denial-of-service.\n\n**Attack Scenario (Proof of Concept)**  \nBanner grabbing:\n```bash\nnmap -sV -p 2053 eveen.pk\n```\nFollowed by probing for default paths or hidden files:\n```bash\ngobuster dir -u http://eveen.pk:2053 -w /usr/share/dirb/wordlists/common.txt\n```\n\n**Business Impact**  \nExposed web servers increase likelihood of path traversal, SSRF, or buffer overflow exploits depending on version and configuration.\n\n**Remediation**  \n- Keep Nginx updated to latest stable release.\n- Hide server version in responses (`server_tokens off;`).\n- Implement rate limiting and request filtering.\n\n---\n\n### Open Port 2082/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nAnother Cloudflare-managed HTTP proxy 
operates on port 2082/tcp. Multiple proxy ports suggest complex routing or legacy support structures which complicate security oversight.\n\n**Attack Scenario (Proof of Concept)**  \nEnumeration:\n```bash\nnmap -p 2082 eveen.pk\n```\nThen accessing:\n```bash\ncurl http://eveen.pk:2082\n```\nAttackers may compare behavior across different proxy ports to find inconsistencies or bypasses.\n\n**Business Impact**  \nMultiple ingress points multiply opportunities for misconfiguration and reduce clarity around who owns each service.\n\n**Remediation**  \n- Consolidate redundant proxy endpoints.\n- Document ownership and responsibilities clearly.\n- Regularly audit and retire obsolete ports.\n\n---\n\n### Open Port 2083/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nThis instance of Nginx runs on port 2083/tcp, likely supporting secure webmail or admin functions. 
Given its association with cPanel, improper access controls could yield significant privileges.\n\n**Attack Scenario (Proof of Concept)**  \nBrute-force login attempts:\n```bash\nhydra -l admin -P passwords.txt eveen.pk http-get /login -s 2083\n```\nAlternatively, scanning for known vulnerabilities:\n```bash\nnikto -h http://eveen.pk:2083\n```\n\n**Business Impact**  \nCompromise of administrative portals enables full control over hosted domains, databases, and user accounts.\n\n**Remediation**  \n- Enforce two-factor authentication.\n- Rotate default credentials immediately after installation.\n- Restrict access geographically or by role.\n\n---\n\n### Open Port 2086/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nYet another Cloudflare-managed HTTP proxy on port 2086/tcp. Repeated use of similar proxy configurations suggests either intentional redundancy or poor architectural planning.\n\n**Attack Scenario (Proof of Concept)**  \nComparative analysis:\n```bash\ncurl -H \"Host: eveen.pk\" http://<origin_ip>:2086\n```\nAttackers seek differences in caching, routing, or security enforcement among various proxy ports.\n\n**Business Impact**  \nInconsistent proxy behaviors create exploitable discrepancies that adversaries can leverage to evade detection or bypass restrictions.\n\n**Remediation**  \n- Standardize proxy configurations across all ports.\n- Centralize logging and monitoring for all edge nodes.\n- Retire unused or duplicate proxy instances.\n\n---\n\n### Open Port 2087/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nRunning Nginx on port 2087/tcp implies yet another 
distinct service layer. With multiple Nginx instances, coordination becomes critical to prevent conflicting policies or overlapping responsibilities.\n\n**Attack Scenario (Proof of Concept)**  \nVersion-specific exploit testing:\n```bash\nsearchsploit nginx <version>\n```\nThen crafting targeted payloads:\n```bash\nmsfconsole -q -x 'use exploit/linux/http/nginx_chunked_size; set RHOSTS eveen.pk; set RPORT 2087; run'\n```\n\n**Business Impact**  \nOutdated or poorly maintained Nginx installations are susceptible to remote code execution, memory corruption, or DoS conditions.\n\n**Remediation**  \n- Automate updates and patch cycles.\n- Harden Nginx configurations with security modules.\n- Conduct regular penetration tests focusing on web stack components.\n\n---\n\n### Open Port 2095/tcp (http) – Cloudflare http proxy on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nAs previously noted, port 2095/tcp usually relates to cPanel webmail. 
When fronted by Cloudflare, additional considerations arise regarding caching, origin shielding, and access logging.\n\n**Attack Scenario (Proof of Concept)**  \nBypassing Cloudflare:\n```bash\ndig +short A eveen.pk\n# Then connecting directly to returned IP(s)\ncurl http://<origin_ip>:2095\n```\nAttackers aim to circumvent WAF protections or abuse misrouted traffic.\n\n**Business Impact**  \nOrigin bypasses nullify CDN advantages and expose raw backend infrastructure to direct attacks.\n\n**Remediation**  \n- Prevent DNS resolution of origin IPs.\n- Enforce strict hostname validation in Nginx/Virtual Host configs.\n- Monitor for unusual spikes in direct-to-origin traffic.\n\n---\n\n### Open Port 2096/tcp (http) – nginx on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 2096/tcp typically serves cPanel’s secure webmail interface. 
Hosting this on Nginx rather than Apache may imply customization or containerization efforts requiring extra scrutiny.\n\n**Attack Scenario (Proof of Concept)**  \nDirectory enumeration:\n```bash\ndirb http://eveen.pk:2096 /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt\n```\nFollowed by form-based attacks or XSS injection attempts.\n\n**Business Impact**  \nWebmail interfaces contain highly sensitive personal and business correspondence, making them prime targets for espionage or blackmail.\n\n**Remediation**  \n- Sanitize input fields rigorously.\n- Apply Content Security Policy (CSP) headers.\n- Educate users on recognizing phishing attempts.\n\n---\n\n### Open Port 8008/tcp (http) on eveen.pk\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8008/tcp again appears here for `eveen.pk`, reinforcing earlier concerns about inconsistent service mapping and unclear architectural boundaries.\n\n**Attack Scenario (Proof of Concept)**  \nReconnaissance:\n```bash\nwhatweb http://eveen.pk:8008\n```\nIdentifying technologies used facilitates targeted exploitation strategies.\n\n**Business Impact**  \nAmbiguous service roles hinder incident response and increase time-to-detection for breaches involving obscure ports.\n\n**Remediation**  \n- Map and label all services comprehensively.\n- Establish naming conventions and documentation standards.\n- Decommission redundant or undocumented services promptly.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering / eveen.pk / eveen.pk:8015\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8015/tcp is open and identified by Nmap as running an HTTP proxy service associated with 
Fortinet's FortiGuard Web Filtering solution. This configuration typically indicates that the system acts as a forward or reverse proxy for filtering web traffic. While not inherently insecure, exposing such services directly on public interfaces can provide attackers with insight into internal infrastructure or potentially bypass access controls if misconfigured.\n\nThe presence of this port may indicate that the organization uses Fortinet appliances for content filtering or secure web gateway functionality. Attackers often scan for known proxy ports to identify intermediary systems that might allow them to relay malicious traffic or probe internal networks indirectly.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs reconnaissance using tools like `nmap` or `proxycheck` to detect open proxies:\n\n```bash\nnmap -p 8015 --script http-open-proxy eveen.pk\n```\n\nIf successful, they may attempt to route traffic through the proxy:\n\n```bash\ncurl --proxy http://eveen.pk:8015 http://internal-service.local\n```\n\nThis could lead to unauthorized access to internal resources or abuse of the proxy for anonymizing attacks.\n\n**Business Impact**  \nExposing internal proxy services increases the attack surface and provides potential pathways for lateral movement within the network. 
If improperly configured, these endpoints can be abused for data exfiltration, scanning internal hosts, or launching further targeted attacks against backend systems.\n\n**Remediation**  \n- Restrict access to port 8015/tcp at the firewall level to only trusted IP ranges.\n- Ensure that the FortiGuard Web Filtering appliance is properly hardened and updated.\n- Disable unnecessary proxy exposure unless explicitly required for business operations.\n- Monitor logs from Fortinet devices for signs of misuse.\n- Reference: CWE-16 (Configuration), NIST SP 800-53 SC-7 (Boundary Protection)\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering / eveen.pk / eveen.pk:8020\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp is also identified as hosting an HTTP proxy linked to Fortinet’s FortiGuard Web Filtering platform. The dual presence of multiple proxy ports suggests either redundancy, segmentation, or different policy zones managed by the same device. 
These ports should be reviewed for necessity and restricted appropriately.\n\nSuch configurations are common in enterprise environments but pose risks when exposed without proper authentication or logging mechanisms.\n\n**Attack Scenario (Proof of Concept)**  \nUsing automated scanning tools such as Burp Suite or custom scripts, an attacker identifies both 8015 and 8020 as active proxies:\n\n```bash\nfor port in 8015 8020; do\n  curl -x http://eveen.pk:$port http://example.com\ndone\n```\n\nThey then test whether internal addresses can be accessed via the proxy:\n\n```bash\ncurl -x http://eveen.pk:8020 http://192.168.1.10/admin\n```\n\nSuccessful responses indicate improper restrictions and possible internal reconnaissance opportunities.\n\n**Business Impact**  \nUnauthorized use of exposed proxy services can result in unauthorized access to sensitive internal applications, violation of compliance requirements, and increased risk of data breaches due to indirect exploitation paths.\n\n**Remediation**  \n- Audit all proxy-enabled ports and remove those not essential for operation.\n- Implement strict ACLs limiting access to authorized users or systems.\n- Enable detailed logging and alerting for proxy usage anomalies.\n- Regularly update firmware and review default configurations on Fortinet appliances.\n- Reference: CWE-16, NIST SP 800-53 AC-4 (Information Flow Enforcement)\n\n---\n\n### Open Port 8080/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8080\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8080/tcp is open and identified as being served by a Cloudflare HTTP proxy. This implies that the domain is fronted by Cloudflare’s CDN or security services, which intercept and forward requests to origin servers. 
However, direct access to this port outside of standard routing (e.g., bypassing DNS resolution) may expose backend infrastructure details or misconfigurations.\n\nWhile Cloudflare generally enhances security, exposing alternative ports like 8080 without appropriate safeguards can undermine its protective benefits.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker attempts to connect directly to the origin server behind Cloudflare:\n\n```bash\ncurl -H \"Host: eveen.pk\" http://[origin_ip]:8080/\n```\n\nAlternatively, they may try to enumerate subdomains or hidden services hosted on non-standard ports:\n\n```bash\nffuf -u http://eveen.pk:8080/FUZZ -w wordlist.txt\n```\n\nIf successful, this could reveal unprotected administrative panels or staging environments.\n\n**Business Impact**  \nBypassing Cloudflare protections exposes backend infrastructure to direct probing and exploitation. It undermines DDoS mitigation, WAF rules, and rate-limiting policies enforced at the edge layer.\n\n**Remediation**  \n- Block direct access to origin IPs on non-standard ports using firewall rules.\n- Configure origin servers to reject requests not routed through Cloudflare.\n- Enforce mutual TLS between Cloudflare and origin servers where feasible.\n- Review Cloudflare settings to ensure no unintended ports are exposed publicly.\n- Reference: CWE-16, OWASP API1:2019 – Broken Object Level Authorization\n\n---\n\n### Open Port 8443/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8443\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8443/tcp is open and recognized as another instance of a Cloudflare-managed HTTP proxy, likely serving HTTPS traffic. Commonly used as an alternative SSL/TLS endpoint, this port may host legacy or secondary services. 
Its visibility increases the likelihood of enumeration and targeted attacks aimed at identifying weak points in the TLS setup or backend logic.\n\nMisconfiguration here could allow attackers to downgrade connections or exploit outdated cipher suites.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker tests for SSL/TLS vulnerabilities on port 8443:\n\n```bash\nsslscan eveen.pk:8443\n```\n\nThey may also check for certificate mismatches or expired certificates:\n\n```bash\nopenssl s_client -connect eveen.pk:8443 -servername eveen.pk\n```\n\nAdditionally, they might attempt to access internal APIs or debug endpoints:\n\n```bash\ncurl -k https://eveen.pk:8443/api/debug\n```\n\nAny success indicates poor hardening practices and potential entry vectors.\n\n**Business Impact**  \nImproper handling of encrypted communications can lead to man-in-the-middle attacks, credential theft, and exposure of sensitive user data. Regulatory violations related to encryption standards (PCI-DSS, HIPAA) may occur if insecure protocols are detected.\n\n**Remediation**  \n- Disable support for deprecated TLS versions (<1.2).\n- Enforce strong cipher suites and disable weak algorithms.\n- Redirect all traffic to port 443 where possible.\n- Regularly audit SSL/TLS configurations using tools like Mozilla Observatory or Qualys SSL Labs.\n- Reference: CWE-327 (Use of Weak Cryptographic Algorithm), OWASP A03:2017 – Sensitive Data Exposure\n\n---\n\n### Open Port 8880/tcp (http) — Cloudflare http proxy / eveen.pk / eveen.pk:8880\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | eveen.pk |\n\n**Description**  \nPort 8880/tcp is open and attributed to a Cloudflare HTTP proxy. Often used for development, testing, or alternate routing scenarios, this port may serve non-production content or act as a fallback path. 
Public accessibility introduces additional risk surfaces, especially if it serves less-protected or debug-oriented interfaces.\n\nOrganizations sometimes overlook securing auxiliary ports during deployment cycles, making them attractive targets for initial compromise stages.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker scans for accessible debug pages or developer consoles:\n\n```bash\ndirb http://eveen.pk:8880 /usr/share/dirb/wordlists/common.txt\n```\n\nThey may also look for version disclosures or error messages indicating underlying frameworks:\n\n```bash\ncurl -v http://eveen.pk:8880/\n```\n\nIf found, these artifacts can guide more sophisticated follow-up attacks targeting specific software flaws.\n\n**Business Impact**  \nUnsecured auxiliary ports increase the probability of early-stage compromises, including information leakage about internal architecture, credentials embedded in source code, or access to management dashboards.\n\n**Remediation**  \n- Remove or restrict access to non-critical ports like 8880 unless absolutely necessary.\n- Apply consistent authentication and authorization across all application layers.\n- Conduct regular penetration tests focused on identifying shadow IT assets.\n- Implement centralized monitoring and alerting for anomalous access patterns on non-standard ports.\n- Reference: CWE-16, OWASP ASVS v4.0 – V1 Architecture, Design and Threat Modeling Requirements",
  "summary": {
    "total": 25
  }
}
{
  "total": 25
}
6a0f60cb12f44e6c4312c4ea
Thu May 21 2026 19:45:15 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://ep.gov.pk/",
  "category": "network_exposure",
  "timestamp": "2026-05-21T19:45:15.418640+00:00",
  "report": "### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8020/TCP is open on the host at IP address `124.109.52.82`. This port is commonly associated with services such as Apache Tomcat AJP (Apache JServ Protocol), which typically runs on ports like 8009 or 8020 depending on configuration. An open port indicates that a service is actively listening for incoming connections. While not inherently insecure, exposing non-standard HTTP or application-specific ports increases the attack surface by providing additional entry points for reconnaissance and exploitation.\n\nAn attacker can use tools like Nmap or Masscan to enumerate open ports and then proceed with targeted fingerprinting using banners or protocol-specific probes.\n\n**Attack Scenario (Proof of Concept)**  \nA malicious actor performs initial reconnaissance using Nmap:\n\n```bash\nnmap -p 8020 -sV 124.109.52.82\n```\n\nIf the service responds with an identification such as \"Apache Tomcat\" or similar, they may attempt further probing via crafted AJP requests or exploit known vulnerabilities related to exposed management interfaces.\n\nExample payload targeting potential misconfigured AJP connector:\n```http\nGET /manager/html HTTP/1.1\nHost: 124.109.52.82:8020\nAuthorization: Basic YWRtaW46YWRtaW4=\n```\n\nThis could lead to unauthorized access if default credentials are used or if authentication has been disabled.\n\n**Business Impact**  \nExposing internal administrative or backend communication protocols increases risk of compromise due to unpatched software, weak configurations, or credential exposure. 
Even though this finding itself does not indicate a vulnerability, it contributes to information leakage and expands the scope for lateral movement within the infrastructure.\n\n**Remediation**  \n- Restrict access to port 8020 from external networks using firewall rules.\n- If AJP functionality is required internally only, bind the service to localhost (`127.0.0.1`) instead of all interfaces.\n- Disable unnecessary connectors in server configuration files (e.g., `server.xml` for Tomcat).\n- Regularly audit exposed services and ensure they align with business requirements.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8015/TCP is open on the system located at `124.109.52.82`. This port is often used by custom applications, middleware systems, or development environments but lacks standardization. Its presence suggests either a bespoke web service or auxiliary component tied to another primary service running on the host. 
Without proper context or documentation, identifying its purpose requires active probing and banner grabbing techniques.\n\nAttackers frequently scan ranges of high-numbered TCP ports to discover hidden or undocumented services that might have weaker security controls than standard ones.\n\n**Attack Scenario (Proof of Concept)**  \nUsing curl or netcat to probe the endpoint:\n\n```bash\ncurl http://124.109.52.82:8015/\nnc -zv 124.109.52.82 8015\n```\n\nIf a response is returned indicating a web-based interface or API, attackers will analyze headers, paths, and endpoints for signs of vulnerable components or debug features enabled in production.\n\nFor instance, requesting `/status`, `/health`, or `/debug/pprof` endpoints common in GoLang or Node.js apps may yield sensitive runtime diagnostics.\n\n**Business Impact**  \nUnintended disclosure of internal services exposes organizations to risks including unauthorized data access, denial-of-service conditions, or privilege escalation opportunities. It also complicates compliance audits where visibility into all listening services is mandatory.\n\n**Remediation**  \n- Identify and document the service bound to port 8015.\n- Remove or restrict public accessibility unless explicitly required.\n- Apply principle of least privilege when configuring network listeners.\n- Implement centralized logging and monitoring around unusual port activity.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nThe discovery of an open port 8008/TCP on `124.109.52.82` indicates that some form of service—potentially an alternative HTTP listener—is accepting inbound traffic. 
Historically, port 8008 was designated for HTTP Alternate, although modern usage varies widely across different platforms and frameworks. Commonly seen in embedded devices, IoT appliances, or containerized microservices, this port should be treated with caution during assessments.\n\nReconnaissance tools such as Shodan or direct scanning can easily detect such services, making them targets for automated attacks.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker initiates a basic GET request to determine the nature of the service:\n\n```bash\ncurl -I http://124.109.52.82:8008\n```\n\nIf it returns a valid HTTP status code along with headers like `Server: lighttpd` or `X-Powered-By`, more advanced enumeration begins. They may try accessing well-known paths like `/admin`, `/config`, or `/api`.\n\nAlternatively, sending malformed input could expose stack traces or error pages revealing underlying technologies or versions susceptible to exploits.\n\n**Business Impact**  \nInsecure deployment practices leading to unintended exposure of alternate HTTP interfaces increase organizational risk profiles significantly. These interfaces often lack robust authentication mechanisms or logging capabilities compared to mainline services.\n\n**Remediation**  \n- Confirm whether port 8008 serves a legitimate business function; remove otherwise.\n- Enforce strong authentication and encryption (HTTPS) if accessible externally.\n- Audit and harden service configurations against insecure defaults.\n- Monitor logs for anomalous access patterns indicative of probing behavior.\n\nReference: CWE-16 – Configuration\n\n---\n\n### Open Port 443/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nPort 443/TCP is open on the asset `124.109.52.82`, corresponding to the domain `https://ep.gov.pk/`. 
As the standard port for HTTPS traffic, this represents the secure web interface for the site. Although expected for most public-facing websites, the mere fact of being open still constitutes part of the overall network footprint and must be evaluated alongside other findings for holistic risk posture analysis.\n\nAttackers routinely target HTTPS services for certificate inspection, cipher suite weaknesses, TLS downgrade attempts, and exploitation of outdated SSL/TLS implementations.\n\n**Attack Scenario (Proof of Concept)**  \nUsing OpenSSL to inspect the TLS handshake:\n\n```bash\nopenssl s_client -connect ep.gov.pk:443 -servername ep.gov.pk\n```\n\nReview supported ciphersuites, certificate validity period, issuer chain, and presence of deprecated protocols like SSLv3 or TLS 1.0. Tools like testssl.sh automate comprehensive checks:\n\n```bash\ntestssl.sh https://ep.gov.pk\n```\n\nAdditionally, directory brute-forcing or virtual host enumeration may reveal hidden content or subdomains hosted behind the same IP.\n\n**Business Impact**  \nWhile essential for delivering encrypted communications, improperly configured TLS settings undermine trustworthiness and expose users to man-in-the-middle attacks, session hijacking, or credential theft. Non-compliance with industry standards (PCI DSS, HIPAA) may result in legal ramifications.\n\n**Remediation**  \n- Ensure TLS version 1.2 or higher is enforced.\n- Deploy HSTS headers and redirect all HTTP traffic to HTTPS.\n- Renew certificates before expiration and utilize certificate transparency logs.\n- Employ Perfect Forward Secrecy (PFS) and disable weak cryptographic algorithms.\n\nReference: CWE-327 – Use of a Broken or Risky Cryptographic Algorithm  \nOWASP Top Ten: A07:2021 – Identification and Authentication Failures",
  "summary": {
    "total": 4
  }
}
{
  "total": 4
}
6a0ff581eaf2c9077db90d2c
Fri May 22 2026 06:19:45 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://ep.gov.pk/",
  "category": "network_exposure",
  "timestamp": "2026-05-22T06:19:45.975063+00:00",
  "report": "### Open Port 8020/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8020/tcp is open on the IP address `124.109.52.82`. This port has been identified by the tool Naabu during a network scan. While not inherently insecure, exposed ports increase the attack surface of a system and should be evaluated for necessity and proper configuration. The service running on this port was later identified via Nmap as an HTTP proxy associated with FortiGuard Web Filtering.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs a port scan using tools like `nmap` or `masscan`, identifying that port 8020 is open. They then attempt to interact with the service:\n\n```bash\nnmap -sV -p 8020 124.109.52.82\n```\n\nIf misconfigured, such proxies may allow unauthorized access to internal resources or act as pivot points for further lateral movement within the network.\n\n**Business Impact**  \nUnnecessary exposure of services increases risk of exploitation, especially if default credentials or known vulnerabilities exist. It also provides attackers additional entry vectors into the organization’s infrastructure.\n\n**Remediation**  \nEnsure only required ports are publicly accessible. If this port serves no external purpose, restrict access at the firewall level. Review whether FortiGuard Web Filtering requires public accessibility; typically, these services should be internal or behind authentication.\n\n---\n\n### Open Port 8015/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8015/tcp is open on the IP address `124.109.52.82`. 
Identified via Naabu, this port was later confirmed by Nmap to host an HTTP proxy service branded as FortiGuard Web Filtering. Exposed proxy servers can pose significant risks if improperly configured, including allowing bypassing of content filtering policies or acting as intermediaries for malicious traffic.\n\n**Attack Scenario (Proof of Concept)**  \nThe attacker uses `curl` or similar tools to test connectivity through the proxy:\n\n```bash\ncurl --proxy http://124.109.52.82:8015 http://example.com/\n```\n\nIf successful, they might use it to mask their origin or bypass local restrictions.\n\n**Business Impact**  \nPublicly exposed proxy endpoints can lead to abuse for anonymizing attacks, exfiltration of sensitive data, or circumvention of corporate web filters—potentially leading to compliance violations or compromise.\n\n**Remediation**  \nRestrict access to this port unless absolutely necessary for business operations. Ensure strong authentication mechanisms are enforced if public exposure is required. Apply vendor-specific hardening guidelines from Fortinet regarding FortiGuard deployments.\n\n---\n\n### Open Port 8008/tcp on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | 124.109.52.82 |\n\n**Description**  \nPort 8008/tcp is open on the IP address `124.109.52.82`. Scanned using Naabu, this port was later identified by Nmap as hosting an HTTP service. 
Alternate HTTP ports often indicate non-standard configurations which may lack standard protections such as WAFs or hardened server settings.\n\n**Attack Scenario (Proof of Concept)**  \nUsing `curl` or browser-based testing:\n\n```bash\ncurl http://124.109.52.82:8008/\n```\n\nThis reveals information about backend systems or applications potentially less protected than those on standard ports.\n\n**Business Impact**  \nExposing alternative HTTP ports without adequate protection increases the likelihood of successful reconnaissance and exploitation attempts against underprotected services.\n\n**Remediation**  \nAudit all non-standard HTTP(S) ports for necessity. Implement consistent security controls across all listening web interfaces. Where possible, redirect or disable alternate ports unless explicitly needed.\n\n---\n\n### Open Port 80/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nStandard HTTP port 80/tcp is open on the asset `124.109.52.82`, associated with the domain ep.gov.pk. Identified via Masscan, this represents typical web server behavior but still contributes to overall network footprint visibility.\n\n**Attack Scenario (Proof of Concept)**  \nA basic HTTP GET request confirms availability:\n\n```bash\ncurl http://124.109.52.82/\n```\n\nFurther enumeration could involve directory brute-forcing or fingerprinting techniques to identify underlying technologies.\n\n**Business Impact**  \nWhile expected for websites, unencrypted HTTP remains vulnerable to man-in-the-middle interception and should ideally redirect to HTTPS.\n\n**Remediation**  \nImplement automatic redirection from HTTP to HTTPS. Enforce HSTS headers where appropriate. 
Monitor logs for suspicious activity targeting plaintext communication channels.\n\n---\n\n### Open Port 443/tcp Detected on 124.109.52.82\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nSecure HTTPS port 443/tcp is open on `124.109.52.82`. Identified via Masscan, this is essential for encrypted communications. However, Nmap classified the service as “tcpwrapped,” indicating potential wrapping or filtering logic applied before reaching the actual TLS endpoint.\n\n**Attack Scenario (Proof of Concept)**  \nUse OpenSSL to inspect certificate details:\n\n```bash\nopenssl s_client -connect 124.109.52.82:443\n```\n\nCheck for weak cipher suites, expired certificates, or improper SSL/TLS configurations.\n\n**Business Impact**  \nImproper TLS setup can expose users to eavesdropping, downgrade attacks, or trust issues undermining secure transactions.\n\n**Remediation**  \nEnsure valid, up-to-date certificates are used. Disable outdated protocols (SSLv2/v3). Employ modern cipher suites aligned with industry best practices (e.g., TLS 1.2+).\n\n---\n\n### Open Port 80/tcp (http) — Microsoft-HTTPAPI/2.0\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nNmap identifies that port 80 hosts an HTTP service powered by Microsoft HTTP API version 2.0 (`Microsoft-HTTPAPI/2.0`). 
This usually indicates a lightweight embedded web server component rather than full IIS deployment, commonly seen in .NET self-hosted applications or administrative interfaces.\n\n**Attack Scenario (Proof of Concept)**  \nEnumerate directories or endpoints using Burp Suite or `gobuster`:\n\n```bash\ngobuster dir -u http://ep.gov.pk -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt\n```\n\nLook for hidden APIs or debug pages exposing sensitive functionality.\n\n**Business Impact**  \nMisconfigured embedded HTTP servers can leak internal paths, expose debugging features, or provide unintended access to application internals.\n\n**Remediation**  \nReview application codebase for unnecessary exposure of development endpoints. Restrict access based on role-based authorization. Regularly audit exposed routes for unintended disclosure.\n\n---\n\n### Open Port 443/tcp (tcpwrapped)\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 443/tcp appears open but returns a “tcpwrapped” response when scanned with Nmap. This suggests that some form of middleware (such as xinetd or stunnel) intercepts connections prior to reaching the final destination service. Such wrappers obscure true service identity and complicate vulnerability assessments.\n\n**Attack Scenario (Proof of Concept)**  \nAttempt direct connection using OpenSSL:\n\n```bash\nopenssl s_client -connect ep.gov.pk:443\n```\n\nIf wrapped incorrectly, unexpected responses or timeouts may occur, revealing wrapper presence or misconfiguration.\n\n**Business Impact**  \nObscured service identification hinders both legitimate monitoring and incident response efforts while potentially masking insecure configurations beneath the wrapper layer.\n\n**Remediation**  \nVerify integrity and configuration of any TCP wrapping layers. 
Ensure encryption termination occurs securely and logging/tracing capabilities remain intact despite obfuscation.\n\n---\n\n### Open Port 8008/tcp (http)\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nAnother instance of an HTTP listener found on port 8008/tcp for the domain `ep.gov.pk`. As previously noted, alternate HTTP ports require careful scrutiny due to reduced likelihood of robust security implementation compared to primary web services.\n\n**Attack Scenario (Proof of Concept)**  \nInitiate probing with `nikto` or manual inspection:\n\n```bash\nnikto -h http://ep.gov.pk:8008\n```\n\nIdentify banners, error messages, or default landing pages indicative of development/test environments.\n\n**Business Impact**  \nAlternate HTTP listeners may serve outdated software versions or contain debugging artifacts, increasing susceptibility to exploitation.\n\n**Remediation**  \nConduct regular audits of all active ports. Remove or restrict access to non-production services. Apply uniform patch management and hardening procedures across all listening HTTP instances.\n\n---\n\n### Open Port 8015/tcp (http-proxy) — FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nPort 8015/tcp exposes an HTTP proxy service labeled as FortiGuard Web Filtering. 
These appliances are designed to filter internet-bound traffic but exposing them externally introduces risk of misuse or unauthorized access.\n\n**Attack Scenario (Proof of Concept)**  \nTest proxy functionality:\n\n```bash\ncurl --proxy http://ep.gov.pk:8015 http://ifconfig.me/ip\n```\n\nSuccessful execution would confirm ability to route arbitrary requests through the proxy.\n\n**Business Impact**  \nExposed filtering proxies can be abused for anonymization, evasion of policy enforcement, or relaying malicious traffic originating from trusted domains.\n\n**Remediation**  \nLimit access to this port strictly to authorized internal networks. Audit proxy rules regularly. Enable authentication and logging for all proxy activities.\n\n---\n\n### Open Port 8020/tcp (http-proxy) — FortiGuard Web Filtering\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | network_exposure |\n| Asset / URL | ep.gov.pk |\n\n**Description**  \nSimilar to port 8015, port 8020/tcp runs another instance of FortiGuard Web Filtering configured as an HTTP proxy. Multiple proxy instances suggest complex routing or redundancy strategies, each expanding the organization's attack surface.\n\n**Attack Scenario (Proof of Concept)**  \nRepeat earlier proxy tests:\n\n```bash\ncurl --proxy http://ep.gov.pk:8020 http://ifconfig.me/ip\n```\n\nDetermine if different filtering rules or access levels apply between proxy instances.\n\n**Business Impact**  \nMultiple exposed proxy endpoints multiply opportunities for abuse, particularly if inconsistent policies govern each one.\n\n**Remediation**  \nConsolidate proxy usage wherever feasible. Standardize access control and filtering rules. Continuously monitor proxy logs for anomalies or signs of abuse.",
  "summary": {
    "total": 10
  }
}
{
  "total": 10
}
6a11b8315fc497eb9914e08b
Sat May 23 2026 14:22:41 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://uppolice.gov.in/",
  "category": "network_exposure",
  "timestamp": "2026-05-23T14:22:41.812953+00:00",
  "report": "### [No Open Ports Found / uppolice.gov.in / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nThis finding indicates that during scanning, no open TCP or UDP ports were identified on the host `uppolice.gov.in`. This may suggest either:\n- The system is not actively listening for incoming connections.\n- A firewall or filtering mechanism is blocking all scanned ports.\n- The system was offline or unreachable at the time of scan.\n\nThe tool used to detect this condition was `naabu`, which performs fast port scans using SYN scanning techniques by default.\n\nIt should be noted that while no open ports were detected, this does not necessarily indicate a secure configuration; it simply means no services were exposed during the scan window.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker attempting to fingerprint available services might use tools such as `nmap` or `masscan` to enumerate open ports:\n\n```bash\nnmap -p- uppolice.gov.in\n```\n\nIf no ports respond, the attacker may attempt to:\n- Scan from different geographic locations or IP ranges.\n- Use fragmented packets or timing evasion techniques (`--defeat-rst-ratelimit`) to bypass simple firewalls.\n- Perform service-specific scans targeting common web/application ports like 80, 443, 8080, etc.\n\nIn some cases, stealthier reconnaissance methods (e.g., ICMP-based discovery or passive DNS enumeration) can still yield useful intelligence even when active port scanning fails.\n\n**Business Impact**\n\nWhile having no open ports reduces direct exposure to remote exploitation, it also implies limited accessibility for legitimate users or systems. 
If intended services are unreachable due to misconfigured firewalls or network policies, business operations relying on those endpoints will suffer downtime or degraded performance.\n\nAdditionally, overly restrictive configurations without proper monitoring can mask underlying issues such as accidental service shutdowns or infrastructure outages.\n\n**Remediation**\n\nEnsure that necessary services are accessible only to authorized entities via appropriate access control lists (ACLs), firewalls, and segmentation strategies.\n\nWhere applicable:\n- Review firewall rules to ensure they align with operational requirements.\n- Implement logging and alerting mechanisms to detect unintended service unavailability.\n- Conduct periodic connectivity tests to validate availability of critical services.\n\n---\n\n### [Open Port 443/tcp Detected / 208.91.112.55 / tcp/443]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**\n\nPort 443/tcp is commonly associated with HTTPS traffic, indicating that an SSL/TLS-enabled HTTP server is running on this address. During the masscan operation, this port was observed to be open and responsive.\n\nThis suggests that there is likely a web application or reverse proxy serving content over encrypted channels on this endpoint. 
However, further analysis would be required to determine the nature of the hosted service, its version, and potential vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker could begin interacting with the service using standard tools:\n\n```bash\ncurl -v https://208.91.112.55\n```\n\nThey may then proceed with:\n- Certificate inspection to gather domain names and issuer information.\n- Directory brute-forcing using tools like `gobuster`.\n- Vulnerability scanning with tools such as `nikto` or `testssl.sh`.\n\nExample directory enumeration command:\n```bash\ngobuster dir -u https://208.91.112.55 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n```\n\nIf weak TLS configurations exist, attackers may exploit known cipher suites or protocol downgrade attacks.\n\n**Business Impact**\n\nExposing HTTPS services increases the attack surface but is often necessary for public-facing applications. Misconfigurations in SSL/TLS settings or outdated software versions can lead to man-in-the-middle attacks, credential theft, or compliance violations under standards such as PCI-DSS or HIPAA.\n\n**Remediation**\n\nEnsure that:\n- Only strong encryption protocols (TLS 1.2+) are enabled.\n- Weak ciphers and deprecated algorithms are disabled.\n- Certificates are valid, properly configured, and renewed automatically.\n- Access logs are monitored for suspicious activity.\n\nUse tools like Mozilla's SSL Configuration Generator to harden TLS stacks.\n\nReference: [OWASP Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)\n\n---\n\n### [Open Port 80/tcp Detected / 208.91.112.55 / tcp/80]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | 208.91.112.55 |\n\n**Description**\n\nPort 80/tcp corresponds to plain-text HTTP communication. 
Its presence indicates that a web server is accepting unencrypted requests on this interface. While convenient for legacy compatibility or internal use, exposing HTTP services publicly poses significant risks unless explicitly protected by intermediaries such as load balancers or WAFs.\n\nThis finding was detected using `masscan`.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker can interact directly with the HTTP service:\n\n```bash\ncurl http://208.91.112.55/\n```\n\nThey may perform actions including:\n- Enumerating directories and files.\n- Attempting login brute-force against exposed interfaces.\n- Exploiting insecure headers or missing security controls.\n\nSample header inspection:\n```bash\ncurl -I http://208.91.112.55/\n```\n\nWithout HTTPS enforcement, sensitive data transmitted over this channel (such as credentials or session tokens) can be intercepted by adversaries on shared networks.\n\n**Business Impact**\n\nUnsecured HTTP services expose organizations to eavesdropping, session hijacking, and injection attacks. 
Additionally, many modern browsers flag non-HTTPS sites as “not secure,” potentially damaging user trust and brand reputation.\n\nRegulatory frameworks such as GDPR emphasize protecting personal data in transit, making plaintext HTTP a liability.\n\n**Remediation**\n\nImplement the following measures:\n- Redirect all HTTP traffic to HTTPS using permanent redirects (HTTP 301).\n- Enforce HSTS (HTTP Strict Transport Security) headers.\n- Disable unnecessary cleartext HTTP listeners where possible.\n\nApache example redirect rule:\n```apache\n<VirtualHost *:80>\n    ServerName example.com\n    Redirect permanent / https://example.com/\n</VirtualHost>\n```\n\nCWE-319: Cleartext Transmission of Sensitive Information  \n[OWASP A02:2021 – Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n\n---\n\n### [Open Port 443/tcp (HTTPS) / uppolice.gov.in / tcp/443]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nPort 443/tcp is confirmed as open and hosts an HTTPS service on the domain `uppolice.gov.in`. This represents the primary entry point for secure communications with the website. 
It supports encrypted browsing sessions essential for transmitting confidential data between clients and servers.\n\nIdentified via `nmap_scan`, this port typically serves web pages, APIs, or administrative panels depending on backend architecture.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker initiates interaction with the HTTPS service:\n\n```bash\ncurl -v https://uppolice.gov.in\n```\n\nThey may then:\n- Analyze response headers for security indicators (X-Frame-Options, CSP, etc.)\n- Test for certificate validity and expiration dates.\n- Probe for known vulnerabilities in the web stack (e.g., Apache/Nginx versions).\n\nUsing `testssl.sh`:\n```bash\ntestssl.sh https://uppolice.gov.in\n```\n\nMisconfigured SSL parameters or outdated components increase susceptibility to exploits such as BEAST, POODLE, or Heartbleed.\n\n**Business Impact**\n\nAs the main public-facing interface, any compromise here could result in full site defacement, unauthorized access to databases, or impersonation of law enforcement personnel—particularly concerning given the `.gov.in` TLD.\n\nCompliance failures related to encryption standards may incur legal penalties or audit findings.\n\n**Remediation**\n\nApply best practices for securing HTTPS deployments:\n- Enable Perfect Forward Secrecy (PFS).\n- Remove support for obsolete protocols (SSLv2/SSLv3).\n- Regularly update certificates and underlying software stacks.\n\nNginx sample TLS configuration:\n```nginx\nssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers HIGH:!aNULL:!MD5;\nssl_prefer_server_ciphers on;\n```\n\nCWE-297: Improper Validation of Certificate with Host Mismatch  \n[OWASP A07:2021 – Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n\n---\n\n### [Open Port 8008/tcp (HTTP) / uppolice.gov.in / tcp/8008]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in 
|\n\n**Description**\n\nPort 8008/tcp is identified as hosting an HTTP service. Unlike standard ports 80 or 443, this alternative port may serve development environments, internal dashboards, or auxiliary services not meant for general public consumption.\n\nIts exposure raises concerns about unintended accessibility and lack of authentication or authorization controls.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker probes the alternate port:\n\n```bash\ncurl http://uppolice.gov.in:8008/\n```\n\nThey may discover:\n- Debugging interfaces or API endpoints.\n- Administrative panels lacking login protection.\n- Internal metrics or status pages revealing infrastructure details.\n\nTools like Burp Suite or ZAP can automate probing of such endpoints for hidden functionality.\n\n**Business Impact**\n\nUnauthorized access to internal services exposes sensitive operational data, facilitates lateral movement within the network, and undermines perimeter defenses. Even seemingly benign debug pages can leak stack traces, environment variables, or database connection strings.\n\n**Remediation**\n\nRestrict access to non-standard ports using:\n- Firewall ACLs limiting source IPs.\n- Reverse proxies enforcing authentication before reaching backend services.\n- Removal of unnecessary listeners entirely.\n\nExample iptables rule:\n```bash\niptables -A INPUT -p tcp --dport 8008 -j DROP\n```\n\nAlternatively, bind services to localhost only:\n```ini\nbind_address = 127.0.0.1\n```\n\nCWE-1190: Daemon Uses Unprotected Communication Channel  \n[OWASP A01:2021 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n\n---\n\n### [Open Port 8015/tcp (HTTP Proxy – FortiGuard Web Filtering) / uppolice.gov.in / tcp/8015]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nPort 8015/tcp is identified as running an HTTP proxy service branded as 
Fortinet’s FortiGuard Web Filtering solution. These appliances act as intermediaries for outbound web traffic, applying filtering rules based on threat intelligence feeds.\n\nHowever, exposing such a device externally introduces risk if improperly configured, especially if it allows unrestricted proxy usage or lacks authentication.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker attempts to route traffic through the proxy:\n\n```bash\ncurl --proxy http://uppolice.gov.in:8015 http://target-site.com\n```\n\nIf successful, they gain anonymized internet access routed through your organization’s infrastructure, potentially masking malicious behavior or violating acceptable use policies.\n\nAdditionally, misconfigured proxies may allow tunneling protocols or bypass filtering logic altogether.\n\n**Business Impact**\n\nImproperly secured proxies enable abuse scenarios including:\n- Circumvention of corporate web filters.\n- Concealment of malicious activities behind trusted IP addresses.\n- Bandwidth misuse leading to increased costs or degraded performance.\n\nLegal ramifications arise if third-party actors conduct illegal activities using compromised proxy infrastructure.\n\n**Remediation**\n\nSecure proxy deployments require:\n- Strong authentication mechanisms (LDAP/RADIUS integration).\n- Explicit deny-all policies except for designated roles.\n- Logging and monitoring of proxy transactions.\n\nFortiOS CLI example:\n```fortios\nconfig firewall proxy-policy\n    edit 1\n        set action accept\n        set srcintf \"internal\"\n        set dstintf \"external\"\n        set srcaddr \"all\"\n        set dstaddr \"all\"\n        set schedule \"always\"\n        set service \"webfilter\"\n        set action deny\n    next\nend\n```\n\nCWE-441: Unintended Proxy or Intermediary ('Confused Deputy')  \n[OWASP A05:2021 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n\n---\n\n### [Open Port 8020/tcp (HTTP Proxy – FortiGuard 
Web Filtering) / uppolice.gov.in / tcp/8020]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | network_exposure |\n| Asset / URL | uppolice.gov.in |\n\n**Description**\n\nSimilar to port 8015, port 8020/tcp runs another instance of Fortinet’s FortiGuard Web Filtering proxy. Multiple proxy instances may indicate redundancy, load balancing, or segmented policy enforcement across departments or zones.\n\nHowever, each additional listener expands the attack surface and requires independent validation for correct deployment and access restrictions.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker repeats earlier proxy testing procedures:\n\n```bash\ncurl --proxy http://uppolice.gov.in:8020 http://target-site.com\n```\n\nThey may find differences in filtering behavior, authentication requirements, or routing capabilities compared to other proxy ports.\n\nAutomated scanners like `proxychains` combined with custom scripts can systematically test multiple proxy endpoints simultaneously.\n\n**Business Impact**\n\nEach exposed proxy increases complexity and likelihood of misconfiguration. 
Inconsistent policies across proxies may create gaps exploitable by adversaries seeking unfettered internet access or evasion opportunities.\n\nOrganizations face reputational harm and regulatory scrutiny if their infrastructure becomes complicit in cybercrime.\n\n**Remediation**\n\nConsolidate proxy configurations and enforce centralized management:\n- Standardize filtering profiles and access policies.\n- Audit and remove redundant or unused proxy listeners.\n- Monitor logs for anomalous proxy usage patterns.\n\nFortiOS GUI recommendation:\nNavigate to **Security Profiles > Web Filter**, review assigned policies per interface, and disable unused ones.\n\nCWE-1007: Insufficient Visual Distinction of Homograph Characters (Not directly relevant but highlights importance of clear labeling and distinction among similar assets.)\n\n[OWASP A05:2021 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)",
  "summary": {
    "total": 7
  }
}
{
  "total": 7
}
6a13749f11563b5a758d079e
Sun May 24 2026 21:58:55 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://cp-club-vjti.vercel.app/",
  "category": "network_exposure",
  "timestamp": "2026-05-24T21:58:55.250782+00:00",
  "report": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
  "summary": {
    "total": 13
  }
}
{
  "total": 13
}
6a13e2cdd7f9ee4baa997ca0
Mon May 25 2026 05:49:01 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://cp-club-vjti.vercel.app/",
  "category": "network_exposure",
  "timestamp": "2026-05-25T05:49:01.186976+00:00",
  "report": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
  "summary": {
    "total": 13
  }
}
{
  "total": 13
}
6a13e65c884a4427a78749ce
Mon May 25 2026 06:04:12 GMT+0000 (Coordinated Universal Time)
generate_network_exposure_report
{
  "url": "https://cp-club-vjti.vercel.app/",
  "category": "network_exposure",
  "timestamp": "2026-05-25T06:04:12.149082+00:00",
  "report": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
  "summary": {
    "total": 13
  }
}
{
  "total": 13
}

Collection Stats

Documents 17
Total doc size 214.99 KB
Average doc size 12.65 KB
Pre-allocated size 272 KB
Indexes 1
Total index size 36 KB
Padding factor
Extents

Indexes

Name Columns Size Attributes
_id_ _id ASC 36 KB