Services on MrAzoth

Adobe Experience Manager (AEM)

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Adobe Experience Manager (AEM) is an enterprise content management system widely used by Fortune 500 companies for managing digital marketing content, assets, and websites. It is built on Apache Sling, Apache Felix (OSGi), and uses a JCR (Java Content Repository) backend called Apache Jackrabbit CRX. From a security perspective, AEM is one of the richest targets in enterprise web application testing: default credentials, dozens of exposed servlets, Dispatcher bypass techniques, data extraction via QueryBuilder, and paths to RCE make it a recurring finding in red team engagements.

Apache Solr

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Apache Solr is an open-source enterprise search platform built on Apache Lucene. It is commonly exposed internally and occasionally externally in corporate environments, cloud deployments, and data pipelines. Its rich HTTP API and Java internals make it a high-value target: unauthenticated admin panels, multiple deserialization vectors, SSRF handlers, and template injection have all led to full server compromise.

Default Ports:

Port	Service
8983	Solr HTTP API / Admin UI
9983	Solr inter-node communication (SolrCloud)
2181	ZooKeeper (embedded SolrCloud)

Recon and Fingerprinting

Service Detection

nmap -sV -p 8983,9983 TARGET_IP
nmap -sV -p 8983 --script http-title,http-headers TARGET_IP

Admin Panel Access

The Solr Admin UI is located at:

Apache ZooKeeper

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Apache ZooKeeper is a distributed coordination service used by Hadoop, Kafka, Solr, HBase, and many other distributed systems. It stores configuration data, distributed locks, service registry information, and other coordination state in a hierarchical namespace called “znodes.” When exposed without authentication, ZooKeeper is a goldmine: credentials, internal topology, cluster configuration, and secrets are frequently stored in plaintext znodes.

Default Ports:

Port	Service
2181	ZooKeeper client port (primary)
2182	ZooKeeper TLS client port
2888	Peer-to-peer communication
3888	Leader election
8080	AdminServer HTTP API (ZK 3.5+)

Recon and Fingerprinting

Service Detection

nmap -sV -p 2181,2182,2888,3888,8080 TARGET_IP
nmap -sV -p 2181 --script zookeeper-info TARGET_IP

Four Letter Words (4LW Commands)

ZooKeeper supports short text commands sent directly over TCP. These are often accessible without authentication:

Eclipse Jetty

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Eclipse Jetty is a widely deployed Java-based HTTP server and servlet container. It is commonly embedded in products such as Jenkins, SonarQube, Elasticsearch, and many enterprise Java applications. Jetty’s long history has produced several significant path traversal vulnerabilities, particularly around URL encoding and request parsing, leading to unauthorized access to WEB-INF contents, web.xml files, and sensitive application configuration.

Default Ports:

Port	Service
8080	HTTP
8443	HTTPS
8009	AJP (if configured)

Recon and Fingerprinting

Service Detection

nmap -sV -p 8080,8443 TARGET_IP
nmap -p 8080 --script http-headers,http-title,http-server-header TARGET_IP

Version Fingerprinting

# Server header reveals Jetty version
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "Server:"

# X-Powered-By header
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -i "X-Powered-By"

# Error page fingerprinting
curl -s http://TARGET_IP:8080/nonexistent_page_12345 | grep -i jetty

# Robots.txt / sitemap
curl -s http://TARGET_IP:8080/robots.txt
curl -s http://TARGET_IP:8080/sitemap.xml

Directory and Path Discovery

# Common Jetty paths
for path in "/" "/index.html" "/WEB-INF/" "/WEB-INF/web.xml" "/META-INF/" "/favicon.ico" "/.well-known/" "/test/" "/examples/" "/demo/"; do
  CODE=$(curl -s -o /dev/null -w "%{http_code}" "http://TARGET_IP:8080$path")
  echo "$CODE : http://TARGET_IP:8080$path"
done

CVE-2021-28164 — Path Traversal

CVSS: 5.3 Medium Affected: Jetty 9.4.37.v20210219 to 9.4.38.v20210224 Type: Path traversal in URI handling CWE: CWE-22

Enovia 3DEXPERIENCE Platform

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Enovia is Dassault Systèmes’ Product Lifecycle Management (PLM) application running on the 3DEXPERIENCE platform. It is deployed in aerospace, defense, automotive, pharmaceutical, and manufacturing industries. The platform manages CAD models, BOMs (Bills of Materials), engineering workflows, regulatory compliance documentation, and sensitive intellectual property. From a security perspective, 3DEXPERIENCE has a large REST API attack surface, complex access control, and numerous default configurations that can lead to unauthorized data access.

IBM MQ

Tue, 24 Feb 2026 00:00:00 +0000

Overview

IBM MQ (formerly MQSeries, WebSphere MQ) is an enterprise message-oriented middleware platform used in banking, finance, and large enterprise environments for reliable, transactional message delivery between applications. Exposed IBM MQ ports can enable attackers to enumerate queues, read and inject messages into business-critical message flows, and potentially escalate to application-level compromise. The protocol is binary but well-documented; several tools exist for security testing.

End of Support Notice (2026): IBM MQ 9.1 and 9.2 have reached End of Support. CVE-2021-38920 and similar vulnerabilities disclosed during their support window are critical for organizations still running these versions, as no further patches will be released. Current supported versions are 9.3 LTS and 10.0. If the target is running 9.1 or 9.2, treat all known CVEs as unpatched.

IBM WebSphere Application Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

IBM WebSphere Application Server (WAS) is an enterprise Java EE application server widely deployed in large financial institutions, insurance companies, and government agencies. It is frequently found in legacy environments running outdated versions. WebSphere’s administrative console, SOAP-based management interface, and complex deployment history have produced numerous security vulnerabilities including path traversal, authentication bypass, SOAP deserialization, and SSRF.

Default Ports:

Port	Service
9060	WAS Admin Console (HTTP)
9043	WAS Admin Console (HTTPS)
9080	Application HTTP
9443	Application HTTPS
8880	SOAP management port
8879	RMI port (alternative/complement to 8880 SOAP)
2809	IIOP bootstrap
9353	SIB service integration bus
7276	High Availability Manager
9810	Node Agent bootstrap port (clustered/ND environments)

Recon and Fingerprinting

nmap -sV -p 9060,9043,9080,9443,8880 TARGET_IP
nmap -p 9080 --script http-title,http-headers TARGET_IP

# Admin console discovery
curl -sv http://TARGET_IP:9060/ibm/console/ 2>&1 | grep -iE "websphere|ibm|console"
curl -sv https://TARGET_IP:9043/ibm/console/ -k 2>&1 | grep -iE "websphere|ibm|console"

# Version from error pages
curl -s http://TARGET_IP:9080/nonexistent_$(date +%s) | grep -i websphere

# HTTP headers
curl -I http://TARGET_IP:9080/

Version Detection Endpoints

# SOAP management API — get version
curl -s -k "https://TARGET_IP:8880/ibm/console/secure/isAlive.jsp"

# IBM console status
curl -s -k "https://TARGET_IP:9043/ibm/console/login.do"

# Admin console
for port in 9060 9043; do
  CODE=$(curl -sk -o /dev/null -w "%{http_code}" "https://TARGET_IP:$port/ibm/console/")
  echo "Port $port: $CODE"
done

# IBMWebAS server header
curl -s -I http://TARGET_IP:9080/ | grep -i "ibm\|websphere"

CVE-2020-4534 — Path Traversal

CVSS: 6.1 Medium Affected: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 (before specific fix packs) Type: Path traversal / open redirect CWE: CWE-22

Java RMI and RMI-IIOP

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Java RMI (Remote Method Invocation) is Java’s built-in mechanism for executing methods on objects in remote JVMs. The RMI registry, by default on port 1099, acts as a directory service for remote objects. Because RMI uses Java serialization for all object transport, exposed RMI endpoints are classic deserialization attack surfaces. When paired with outdated Commons Collections, Spring, or other library gadget chains, unauthenticated RCE is frequently achievable. RMI-IIOP extends this over the CORBA IIOP protocol.

JBoss Application Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

JBoss Application Server (now WildFly) is a Java EE-compliant application server developed by Red Hat. Legacy JBoss installations (versions 3.x through 6.x) are infamous for unauthenticated remote code execution, primarily through exposed management consoles and Java deserialization vulnerabilities. Versions 4.x and 5.x in particular are found frequently in legacy enterprise environments and are among the most exploitable services during penetration tests.

Default Ports:

Port	Service
8080	HTTP / Web Console / JMX Console
8443	HTTPS
4444	JBoss Remoting / JNDI
4445	JBoss Remoting (secondary)
1099	RMI Registry
8009	AJP Connector
9990	WildFly Admin Console (newer versions)
9999	WildFly Management Native

Recon and Fingerprinting

nmap -sV -p 8080,8443,4444,4445,1099,9990 TARGET_IP
nmap -p 8080 --script http-title,http-headers,http-server-header TARGET_IP

# Check for JBoss headers
curl -sv http://TARGET_IP:8080/ 2>&1 | grep -iE "server:|X-Powered-By:|jboss"

# Version from status page
curl -s http://TARGET_IP:8080/status
curl -s http://TARGET_IP:8080/web-console/ServerInfo.jsp

# Error page fingerprint
curl -s http://TARGET_IP:8080/nopage_$(date +%s) | grep -i "jboss\|jbossas\|wildfly"

Sensitive URLs to Probe

# JMX Console (unauthenticated in JBoss 4.x by default)
curl -sv http://TARGET_IP:8080/jmx-console/

# Web Console
curl -sv http://TARGET_IP:8080/web-console/

# Admin Console
curl -sv http://TARGET_IP:8080/admin-console/

# JBoss WS
curl -sv http://TARGET_IP:8080/jbossws/

# Management API (WildFly/JBoss 7+)
curl -sv http://TARGET_IP:9990/management

# Invoker servlet
curl -sv http://TARGET_IP:8080/invoker/JMXInvokerServlet
curl -sv http://TARGET_IP:8080/invoker/EJBInvokerServlet

CVE-2017-12149 vs CVE-2015-7501 — Endpoint Distinction

These two CVEs are frequently conflated. They use the same ysoserial CommonsCollections gadgets but target different endpoints with different underlying components:

Modbus Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Modbus is a serial communication protocol developed in 1979 for use with PLCs (Programmable Logic Controllers). It has become a de facto standard in industrial communication and is widely deployed in ICS (Industrial Control Systems) and SCADA environments. Modbus/TCP exposes the protocol over TCP port 502 and, critically, has no built-in authentication or encryption. Any device that can reach port 502 can read sensor data, write to coils and registers, and potentially manipulate physical processes.

MQTT Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol designed for IoT devices, sensor networks, and machine-to-machine communication. It runs over TCP and is commonly deployed in smart home systems, industrial IoT, healthcare devices, fleet management, and building automation. MQTT brokers are frequently exposed with no authentication, and even when authentication is enabled, it is often transmitted in cleartext. Unauthenticated MQTT access can expose sensitive sensor data, device commands, and organizational operational data.

Oracle TNS Listener

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Oracle Database exposes a TNS (Transparent Network Substrate) Listener on port 1521 that acts as the gateway for all database connections. The listener process, when misconfigured or running a vulnerable version, can be exploited for information disclosure, poisoning attacks, SID brute forcing, and full database access through default credentials. Oracle databases are among the highest-value targets in enterprise pentests due to the sensitive business data they contain.

Default Ports:

Oracle WebLogic Server

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Oracle WebLogic Server is a Java EE application server widely deployed in enterprise and financial sector environments. It is one of the most targeted middleware products due to its proprietary T3 protocol, IIOP support, and long history of critical deserialization vulnerabilities. WebLogic CVEs frequently receive CVSS 9.8 scores and have been used in ransomware deployment, cryptomining campaigns, and APT lateral movement.

Default Ports:

Port	Service
7001	HTTP (Admin Console, T3, IIOP — all multiplexed)
7002	HTTPS (Admin Console, T3S, IIOPS)
7003	HTTP (managed servers)
7004	HTTPS (managed servers)
7070	HTTP alternative
4007	Coherence cluster
5556	Node Manager

T3 and IIOP on 7001: Both T3 and IIOP are multiplexed on port 7001. Connection filters that block T3 often do not block IIOP. Test both protocols independently.

RabbitMQ Management

Tue, 24 Feb 2026 00:00:00 +0000

Overview

RabbitMQ is a widely deployed open-source message broker implementing AMQP, MQTT, and STOMP protocols. Its management plugin exposes an HTTP API and web UI on port 15672. The notorious default credentials (guest/guest) and comprehensive management REST API make exposed RabbitMQ instances a frequent finding in internal penetration tests. Access to the management interface allows full enumeration of virtual hosts, queues, exchanges, bindings, and message interception/injection.

Default Ports:

Port	Service
5672	AMQP (unencrypted)
5671	AMQP over TLS
15672	Management HTTP API / Web UI
15671	Management HTTPS
25672	Erlang distribution (inter-node)
4369	EPMD (Erlang Port Mapper Daemon)
1883	MQTT plugin
61613	STOMP plugin
15674	STOMP over WebSocket
15692	Prometheus metrics (no auth by default)

Recon and Fingerprinting

Step 0 — Prometheus Metrics Endpoint (Pre-Authentication Intel)

Before attempting any credentials, check the Prometheus metrics endpoint. It is enabled by the rabbitmq_prometheus plugin and by default requires no authentication:

RTSP — Real Time Streaming Protocol

Tue, 24 Feb 2026 00:00:00 +0000

Overview

RTSP (Real Time Streaming Protocol, RFC 2326) is an application-layer protocol for controlling media streaming servers. It is used extensively in IP cameras, NVRs (Network Video Recorders), DVRs, media servers, and surveillance infrastructure. RTSP is commonly found on port 554 and is frequently misconfigured to allow unauthenticated stream access. Exposed RTSP streams are a significant privacy and security risk in corporate, industrial, and residential environments.

Default Ports:

Port	Service
554	RTSP (standard)
8554	RTSP (alternative)
8080	RTSP over HTTP tunneling
1935	RTMP (related streaming protocol)

Protocol Overview

RTSP is a stateful protocol that uses HTTP-like methods:

SMBGhost — CVE-2020-0796

Tue, 24 Feb 2026 00:00:00 +0000

Overview

CVE-2020-0796, commonly known as SMBGhost (also referred to as CoronaBlue or EternalDarkness), is a pre-authentication remote code execution vulnerability in the SMBv3 (Server Message Block version 3.1.1) compression handling subsystem of the Windows TCP/IP network stack. With a CVSS score of 10.0, it affects Windows 10 versions 1903 and 1909, and the Windows Server Semi-Annual Channel releases version 1903 and 1909.

This vulnerability is wormable — it can propagate without user interaction, similar to EternalBlue (MS17-010). Unlike EternalBlue, SMBGhost targets a newer protocol version and requires no prior knowledge of the target system.

Swagger / OpenAPI Endpoint Testing in Infrastructure

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Swagger UI is the most widely deployed tool for visualizing and interacting with REST API specifications. When encountered during an infrastructure penetration test, a Swagger UI endpoint represents a complete map of an application’s API attack surface: all endpoints, parameters, data models, authentication schemes, and sometimes internal paths are exposed. Beyond information disclosure, several attack vectors specific to Swagger UI and OpenAPI spec handling — including SSRF via configUrl, XSS via spec injection, and authentication bypass — make it a high-priority finding.

Telnet — Modern Attack Surface and CVE-2026-24061

Tue, 24 Feb 2026 00:00:00 +0000

Overview

Telnet (TELetype NETwork, RFC 854) is a decades-old protocol operating on TCP port 23 that provides an unencrypted bidirectional text communication channel. In 2026, Telnet continues to appear in pentests and red team engagements — on embedded devices, industrial controllers, medical devices, network equipment, IoT sensors, smart building systems, and legacy operational technology. It also appears on Linux servers still running inetutils-telnetd, where a critical authentication bypass was disclosed in early 2026.