Wednesday, January 25, 2012

My First Information Gathering

Information Gathering is the first step of hacking/pentesting, 
Its purpose is to get as much information on the target system by any means.

Information gathering divided into two : 
A. Technical
   Technical Information gathering use the tools available actively. Technical information gathering also divided into two more :
     1. Active Information Gathering
        This technique interact with the target system directly (ex. scanning).
     2. Passive Information Gathering
       This technique doesn't interact with the target system directly(ex.googling)
B. Non Technical
    This kind of information gathering doesn't involve the tools available actively (ex. social engineering)
Today, my sensei gave an assignment to perform a network and web information gathering at the network 192.168.0.xxx.
With a few knowledge of the tools used in information gathering I perform some test on the network.
So, here's my result of the information gathering.
First, I want to know the gateway of the network.
I use "route" command to do that
# route
I get the following output
Kernel IP routing table
Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
default            192.168.0.10      0.0.0.0         UG    100    0        0   eth0
192.168.0.0   *                    255.255.255.0     U     0       0        0   eth0

From the output, we know that the gateway of the network is 192.168.0.10.


Ok, next I want to know the hosts that active in the network. 
I use nmap to do that (for the help to use nmap just type "nmap --help" in the console).
# nmap -sn 192.168.0.10/24
I get the following output

Spoiler:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-25 21:10 WIT
Nmap scan report for 192.168.0.21
Host is up (0.00035s latency).
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Nmap scan report for 192.168.0.24
Host is up (0.00030s latency).
MAC Address: 00:26:22:73:84:F3 (Compal Information (kunshan) CO.)
Nmap scan report for 192.168.0.25
Host is up (0.00021s latency).
MAC Address: 20:6A:8A:00:36:F2 (Wistron InfoComm Manufacturing(Kunshan)Co.)
Nmap scan report for 192.168.0.33
Host is up (0.00010s latency).
MAC Address: 00:25:64:67:3B:1D (Dell)
Nmap scan report for 192.168.0.37
Host is up (0.00010s latency).
MAC Address: 00:90:F5:8A:F5:B0 (Clevo CO.)
Nmap scan report for 192.168.0.40
Host is up (0.00040s latency).
MAC Address: 10:78:D2:36:65:A4 (Elitegroup Computer System CO.)
Nmap scan report for 192.168.0.47
Host is up (0.00013s latency).
MAC Address: 00:90:F5:8F:D5:B2 (Clevo CO.)
Nmap scan report for 192.168.0.48
Host is up (0.00018s latency).
MAC Address: 14:DA:E9:A1:64:80 (Unknown)
Nmap scan report for 192.168.0.49
Host is up (0.00041s latency).
MAC Address: 14:DA:E9:23:0B:A4 (Unknown)
Nmap scan report for 192.168.0.53
Host is up (0.00023s latency).
MAC Address: 20:6A:8A:40:45:C8 (Wistron InfoComm Manufacturing(Kunshan)Co.)
Nmap scan report for 192.168.0.55
Host is up.
Nmap scan report for 192.168.0.58
Host is up (0.00033s latency).
MAC Address: 00:23:8B:78:80:4F (Quanta Computer)
Nmap scan report for 192.168.0.59
Host is up (0.00017s latency).
MAC Address: 00:26:2D:91:45:56 (Wistron)
Nmap scan report for 192.168.0.60
Host is up (0.00023s latency).
MAC Address: 00:26:22:52:5F:C9 (Compal Information (kunshan) CO.)
Nmap done: 256 IP addresses (14 hosts up) scanned in 41.68 seconds

Good to go. We know that 14 hosts are active.
Next, I want to know what OS might the hosts running. 
Again, I use nmap to do that.
# nmap -O 192.168.0.10/24
by performing above command, I also can know the running service, open ports, and MAC address of the hosts. 
I get the following output
Spoiler:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-25 21:13 WIT
Nmap scan report for 192.168.0.21
Host is up (0.00036s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=22%CT=1%CU=31220%PV=Y%DS=1%DC=D%G=Y%M=080027%
OS:TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=CF%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS
OS:=7)SEQ(SP=CE%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS=7)SEQ(SP=D0%GCD=1%ISR=EF%TI=
OS:Z%CI=Z%II=I%TS=7)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5
OS:B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0
OS:%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=
OS:AS%O=M5B4ST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.24
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:26:22:73:84:F3 (Compal Information (kunshan) CO.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=139%CT=1%CU=32056%PV=Y%DS=1%DC=D%G=Y%M=002622
OS:%TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=C5%GCD=1%ISR=D3%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=
OS:M5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3
OS:890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.25
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 20:6A:8A:00:36:F2 (Wistron InfoComm Manufacturing(Kunshan)Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=139%CT=1%CU=33451%PV=Y%DS=1%DC=D%G=Y%M=206A8A
OS:%TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=CC%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=
OS:M5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3
OS:890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.33
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:25:64:67:3B:1D (Dell)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=139%CT=1%CU=40077%PV=Y%DS=1%DC=D%G=Y%M=002564
OS:%TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=CC%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%T
OS:S=8)SEQ(SP=CC%GCD=2%ISR=CE%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M5B4ST11NW6%O2=M5B
OS:4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W
OS:1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%
OS:O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=
OS:Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU
OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.40
Host is up (0.00029s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6566/tcp open  sane-port
MAC Address: 10:78:D2:36:65:A4 (Elitegroup Computer System CO.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=22%CT=1%CU=43800%PV=Y%DS=1%DC=D%G=Y%M=1078D2%
OS:TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=108%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=
OS:M5B4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.47
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:90:F5:8F:D5:B2 (Clevo CO.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=40544%PV=Y%DS=1%DC=D%G=Y%M=0090F5%
OS:TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=CC%GCD=1%ISR=D0%TI=Z%CI=Z%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=38
OS:90)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.48
Host is up (0.00026s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 14:DA:E9:A1:64:80 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=39129%PV=Y%DS=1%DC=D%G=Y%M=14DAE9%
OS:TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=C8%GCD=1%ISR=C4%TI=Z%CI=Z%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=38
OS:90)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.49
Host is up (0.00026s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 14:DA:E9:23:0B:A4 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=37995%PV=Y%DS=1%DC=D%G=Y%M=14DAE9%
OS:TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=CA%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=38
OS:90)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.53
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 20:6A:8A:40:45:C8 (Wistron InfoComm Manufacturing(Kunshan)Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=139%CT=1%CU=33181%PV=Y%DS=1%DC=D%G=Y%M=206A8A
OS:%TM=4F200E52%P=i686-pc-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=
OS:M5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3
OS:890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.55
Host is up (0.000048s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.30
Network Distance: 0 hops

Nmap scan report for 192.168.0.58
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:23:8B:78:80:4F (Quanta Computer)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=31081%PV=Y%DS=1%DC=D%G=Y%M=00238B%
OS:TM=4F200E71%P=i686-pc-linux-gnu)SEQ(SP=CA%GCD=1%ISR=D3%TI=Z%CI=Z%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=38
OS:90)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.59
Host is up (0.00021s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:26:2D:91:45:56 (Wistron)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=40087%PV=Y%DS=1%DC=D%G=Y%M=00262D%
OS:TM=4F200E71%P=i686-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=D6%TI=Z%CI=Z%II=I%TS
OS:=8)SEQ(SP=C3%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M5B4ST11NW6%O2=M5B4
OS:ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1
OS:=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=3908%O
OS:=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y
OS:%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

Nmap scan report for 192.168.0.60
Host is up (0.00022s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
902/tcp open  iss-realsecure
MAC Address: 00:26:22:52:5F:C9 (Compal Information (kunshan) CO.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=80%CT=1%CU=34563%PV=Y%DS=1%DC=D%G=Y%M=002622%
OS:TM=4F200E71%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CA%TI=Z%CI=Z%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=38
OS:90)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=3890%S=O%A=S+%F=AS%O=M5B4ST11N
OS:W6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (13 hosts up) scanned in 78.09 seconds



After that. I want to check all hosts that have an open 80 http port. I just open firefox and check all the ip one by one. 

Here is what I got.

IP address 192.168.0.47 , 192.168.0.48 , 192.168.0.49 , 192.168.0.58 , 192.168.0.59 , 192.168.0.60 run a web server. But the web its only apache's default "It works" html web. It means that these IPs is maybe another linux OS

I remember that ip 192.168.0.40 have some files in it the other day, so I check again that IP and my guess was right, It still opened and the files from the other day is still there too. 
And by the default web view we can see that this server run an Apache/2.2.16 (Ubuntu) Server at 192.168.0.40 on Port 80.
I want to check all information on this IP. So, I performed this command.
# nmap -A 192.168.0.40
And got this output.
Spoiler:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-25 21:52 WIT
Nmap scan report for 192.168.0.40
Host is up (0.00030s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.5p1 Debian 4ubuntu6 (protocol 2.0)
| ssh-hostkey: 1024 1b:bc:bb:7c:5d:22:57:10:e0:1e:b1:e0:da:ab:5e:7e (DSA)
|_2048 d1:7d:e9:a8:58:83:f6:1c:82:b4:f1:98:2d:7f:58:30 (RSA)
80/tcp   open  http       Apache httpd 2.2.16 ((Ubuntu))
|_http-title: Index of /
6566/tcp open  tcpwrapped
MAC Address: 10:78:D2:36:65:A4 (Elitegroup Computer System CO.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=22%CT=1%CU=40883%PV=Y%DS=1%DC=D%G=Y%M=1078D2%
OS:TM=4F20174D%P=i686-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=
OS:M5B4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11
OS:NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.0.40

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.13 seconds



Much information there. Opened ports, running service, route, etc. 

Ok, lets move to another IP.
Lets check 192.168.0.55
When I open that IP, I got a download dialog that want to download a file called "4IxHaWoE.~.part".
Lets download and open the file. Surprisingly, when I openend the file, lines of html code shown.
Spoiler:
<!DOCTYPE html>
<html lang="id" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>function envFlush(b){function a(c){for(var d in b)c[d]=b[d];}if(window.require){require.ensure(['Env'],a);}else{Env=window.Env||{};a(Env);}}
envFlush({"user":"0","locale":"id_ID","method":"GET","ps_limit":5,"ps_ratio":4,"svn_rev":492779,"static_base":"https:\/\/s-static.ak.facebook.com\/","www_base":"http:\/\/www.facebook.com\/","rep_lag":2,"fb_dtsg":"AQB7ORMc","ajaxpipe_token":"AXgHqCMEvaMP4L1S","lhsh":"MAQH2_si6","tracking_domain":"https:\/\/pixel.facebook.com","retry_ajax_on_network_error":"1","ajaxpipe_enabled":"1","html5_audio":"1","fbid_emoticons":"1"});</script><script>CavalryLogger=false;window._incorporate_fragment = true;window._script_path = "\/login.php";window._EagleEyeSeed="RKPX";</script><noscript> <meta http-equiv="refresh" content="0; URL=https://www.facebook.com/login.php?_fb_noscript=1" /> </noscript>
<meta name="robots" content="noodp, noydir" /><meta name="description" content=" Facebook adalah sarana sosial yang menghubungkan orang-orang dengan teman dan rekan mereka lainnya yang bekerja, belajar, dan hidup di sekitar mereka. Orang-orang menggunakan Facebook untuk menjaga hubungan dengan teman, bertukar foto tanpa batas, mengirim tautan dan video, dan mengetahui lebih jauh tentang orang-orang yang mereka temui." /><link rel="alternate" media="handheld" href="login.php" /><title>Masuk | Facebook</title>
<noscript><meta http-equiv="X-Frame-Options" content="deny" /></noscript>
    <link type="text/css" rel="stylesheet" href="https://s-static.ak.facebook.com/rsrc.php/v1/yQ/r/Roj8j-EbUhD.css" />
    <link type="text/css" rel="stylesheet" href="https://s-static.ak.facebook.com/rsrc.php/v1/yj/r/ASUWTuh0mD4.css" />

    <script type="text/javascript" src="https://s-static.ak.facebook.com/rsrc.php/v1/yL/r/DGi4ETtSn2_.js"></script>
  <script type="text/javascript">window.Bootloader && Bootloader.done(["pIp71"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="https://s-static.ak.facebook.com/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="https://s-static.ak.facebook.com/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="login_page UIPage_LoggedOut ff3 mac Locale_id_ID">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="blueBarHolder" class="loggedOut"><div id="blueBar"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="https://www.facebook.com/" title="Ke Beranda Facebook"><i class="fb_logo img sp_69c1xs sx_f12f5d"><u>Logo Facebook</u></i></a><div class="rfloat"></div></div></div><div class="signup_bar_container"><div class="signup_box clearfix"><a class="signup_btn uiButton uiButtonSpecial uiButtonLarge" role="button" href="https://www.facebook.com/r.php?locale=id_ID"><span class="uiButtonText">Mendaftar</span></a><span class="signup_box_content"><span>Facebook membantu Anda terhubung dan berbagi dengan orang-orang dalam kehidupan Anda.</span></span></div></div></div></div><div id="globalContainer"><div id="content" class="fb_content clearfix"><div class="UIFullPage_Container"><div class="mvl ptm uiInterstitial login_page_interstitial uiInterstitialLarge uiBoxWhite"><div class="uiHeader uiHeaderBottomBorder mhl mts uiHeaderPage interstitialHeader"><div class="clearfix uiHeaderTop"><div class="uiHeaderActions rfloat"></div><div><h2 tabindex="0" class="uiHeaderTitle">Masuk Facebook</h2></div></div></div><div class="phl ptm uiInterstitialContent"><div class="login_form_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,€,´,水,Д,Є" /><input type="hidden" name="lsd" value="" autocomplete="off" /><div id="loginform" style=""><input type="hidden" autocomplete="off" id="return_session" name="return_session" value="0" /><input type="hidden" autocomplete="off" id="legacy_return" name="legacy_return" value="1" /><input type="hidden" autocomplete="off" id="display" name="display" value="" /><input type="hidden" autocomplete="off" id="session_key_only" name="session_key_only" value="0" /><input type="hidden" autocomplete="off" id="trynum" name="trynum" value="1" /><input type="hidden" name="charset_test" value="&euro;,&acute;,€,´,水,Д,Є" /><input type="hidden" autocomplete="off" id="lsd" name="lsd" value="" /><input type="hidden" autocomplete="off" name="timezone" value="" id="uwiycf_1" /><div class="form_row clearfix "><label for="email" id="label_email" class="login_form_label">Email:</label><input type="text" class="inputtext" id="email" name="email" value="" onkeypress="formchange()" /></div><div class="form_row clearfix "><label for="pass" id="label_pass" class="login_form_label">Kata sandi:</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div><div class="persistent"><div class="uiInputLabel"><input id="persist_box" type="checkbox" value="1" name="persistent" class="uiInputLabelCheckbox" /><label for="persist_box">Biarkan saya tetap masuk</label></div></div><input type="hidden" autocomplete="off" id="default_persistent" name="default_persistent" value="0" /><div id="buttons" class="form_row clearfix"><label class="login_form_label"></label><div id="login_button_inline"><label class="uiButton uiButtonConfirm uiButtonLarge" for="uwiycf_2"><input value="Masuk" name="login" onclick="" type="submit" id="uwiycf_2" /></label></div><div id="register_link">atau <strong><a href="http://www.facebook.com/r.php?possible_fb_user=0&amp;is_enabled=1&amp;next=&amp;locale=id_ID" target="_blank" rel="nofollow" id="reg_btn_link" tabindex="-1">Mendaftar Facebook</a></strong></div></div><p class="reset_password form_row"><a href="http://www.facebook.com/recover.php?locale=id_ID" target="" tabindex="-1">Lupa kata sandi Anda?</a></p></div></form>
</div></div></div><ul class="uiList uiListHorizontal clearfix ptm localeSelectorList"><li class="uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;id_ID&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Indonesian">Bahasa Indonesia</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;en_US&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="English (US)">English (US)</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;es_LA&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Spanish">Español</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;pt_BR&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Portuguese (Brazil)">Português (Brasil)</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;fr_FR&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="French (France)">Français (France)</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;de_DE&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="German">Deutsch</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;it_IT&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Italian">Italiano</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="rtl" href="login.php" onclick="intl_set_cookie_locale(&quot;ar_AR&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Arabic">العربية</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;hi_IN&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Hindi">हिन्दी</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a dir="ltr" href="login.php" onclick="intl_set_cookie_locale(&quot;zh_CN&quot;, &quot;https:\/\/www.facebook.com\/login.php&quot;);" title="Simplified Chinese (China)">中文(简体)</a></li><li class="plm uiListItem  uiListHorizontalItemBorder uiListHorizontalItem"><a class="showMore" rel="dialog" href="https://www.facebook.com/ajax/intl/language_dialog.php?uri=https%3A%2F%2Fwww.facebook.com%2Flogin.php&amp;source=TOP_LOCALES_DIALOG" title="Tampilkan lebih banyak bahasa">…</a></li></ul></div></div><div id="pageFooter" data-referrer="page_footer"><div id="contentCurve"></div><div class="clearfix" id="footerContainer"><div class="mrl lfloat" role="contentinfo"><div class="fsm fwn fcg"><span> Facebook © 2012</span></div></div><div class="navigation fsm fwn fcg" role="navigation"><a href="http://www.facebook.com/mobile/?ref=pf" title="Cobalah Facebook Seluler.">Seluler</a> · <a href="http://www.facebook.com/find-friends?ref=pf" title="Temukan siapa saja di web.">Cari Teman</a> · <a href="http://www.facebook.com/badges/?ref=pf" title="Sisipkan lencana Facebook di situs web Anda.">Lencana</a> · <a href="http://www.facebook.com/directory/people/" title="Jelajahi direktori orang kami.">Orang</a> · <a href="http://www.facebook.com/directory/pages/" title="Jelajahi direktori halaman kami.">Halaman</a> · <a href="http://www.facebook.com/facebook" accesskey="8" title="Baca blog kami, temukan pusat sumber daya, dan cari peluang kerja.">Tentang</a> · <a href="http://www.facebook.com/campaign/landing.php?placement=pflo&amp;campaign_id=402047449186&amp;extra_1=auto" title="Beriklan di Facebook.">Iklan</a> · <a href="http://www.facebook.com/pages/create.php?ref_type=sitefooter" title="Buat Halaman">Buat Halaman</a> · <a href="http://developers.facebook.com/?ref=pf" title="Kembangkan aplikasi di platform kami.">Pengembang</a> · <a href="http://www.facebook.com/careers/?ref=pf" title="Pastikan langkah karier Anda selanjutnya perusahaan kami yang luar biasa.">Karier</a> · <a href="http://www.facebook.com/privacy/explanation" title="Bacalah tentang privasi Anda dan Facebook.">Privasi</a> · <a href="http://www.facebook.com/legal/terms?ref=pf" accesskey="9" title="Baca ketentuan layanan kami.">Ketentuan</a> · <a href="http://www.facebook.com/help/?ref=pf" accesskey="0" title="Kunjungi Pusat Bantuan kami.">Bantuan</a></div></div></div></div><script type="text/javascript">/*<![CDATA[*/function si_cj(m){setTimeout(function(){new Image().src="https:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&t=1239"+"&m="+m;},5000);}if(top!=self && !false){try{if(parent!=top){throw 1;}var si_cj_d=["apps.facebook.com","\/pages\/","apps.beta.facebook.com"];var href=top.location.href.toLowerCase();for(var i=0;i<si_cj_d.length;i++){if (href.indexOf(si_cj_d[i])>=0){throw 1;}}si_cj("3 ");}catch(e){si_cj("1 \t");window.document.write("\u003cstyle>body * {display:none !important;}\u003c\/style>\u003ca href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display:block !important;padding:10px\">\u003ci class=\"img sp_cxh3bh sx_9d80f2\" style=\"display:block !important\">\u003c\/i>Menuju Facebook.com\u003c\/a>");/*yO7r9BZS*/}}/*]]>*/</script><script>envFlush({"ffid1":"P93J-ew0_9ka92G_VSTepQ","ffid2":"5jrBFgQHpnDcOv8uRsS9Jg","ffid3":"cjFjS1QtSmRwZlZoVmo3SmdrMElnU0J2","ffid4":"QT21WPNOxsNN3xHqKXDyvQ","ffver":63083});</script><script type="text/javascript">Bootloader.setResourceMap({"IkwJB":{"type":"css","permanent":1,"src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yQ\/r\/Roj8j-EbUhD.css"},"Byo5c":{"type":"css","permanent":1,"src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yj\/r\/ASUWTuh0mD4.css"},"2AhYj":{"type":"css","permanent":1,"src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/y3\/r\/v-E_b_D0r5A.css"},"2tnMT":{"type":"css","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yY\/r\/HzGYyo4ICnw.css"},"rqVxj":{"type":"css","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/y3\/r\/j1bykAWTb6F.css"},"sXN+H":{"type":"css","permanent":1,"src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yR\/r\/gw6iaWTPBQU.css"}});Bootloader.setResourceMap({"3qyfR":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yj\/r\/DEXIlEry3ad.js"},"WFWma":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yG\/r\/sB1aIzlN73w.js"},"pzflD":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yn\/r\/42YTqUuYh7E.js"},"\/aY9u":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/ys\/r\/Ge-EYiUZ_1P.js"},"aiHHx":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yA\/r\/UK1Pgfo5xBV.js"},"FtHRN":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yb\/r\/ssyJs7ZBTuF.js"},"aZc\/7":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/y7\/r\/3hgJBSQfzSQ.js"},"rJD1l":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yn\/r\/wkt2XUMEfgd.js"},"fC5IV":{"type":"js","src":"https:\/\/s-static.ak.facebook.com\/rsrc.php\/v1\/yZ\/r\/P2Y6RS4Nv0p.js"}});
Bootloader.enableBootload({"dom":["3qyfR"],"dom-html":["3qyfR"],"error-signal":["3qyfR","pzflD"],"async":["3qyfR"],"dialog":["3qyfR","IkwJB"],"iframe-shim":["3qyfR","\/aY9u"],"maxlength-form-listener":["3qyfR","\/aY9u"],"dom-form":["3qyfR"],"PhotoTheater":["3qyfR","IkwJB","aiHHx"],"PhotoTagger":["3qyfR","IkwJB"],"TagToken":["3qyfR","FtHRN","aiHHx"],"TagTokenizer":["3qyfR","FtHRN","aiHHx","IkwJB"],"fb-photos-theater-css":["2AhYj","2tnMT","rqVxj"],"animation":["3qyfR"],"Hovercard":["3qyfR","IkwJB"],"live-js":["3qyfR","aZc\/7"],"photocrop2":["3qyfR","sXN+H","rJD1l"],"fb-photos-photo-css":["IkwJB"],"fb-photos-snowbox-css":["IkwJB"],"video-rotate-snowbox":["3qyfR","fC5IV"],"dom-scroll":["3qyfR"],"PhotoSnowbox":["3qyfR","IkwJB"],"Toggler":["3qyfR","IkwJB"],"ajaxpipe":["3qyfR"],"Tooltip":["3qyfR","IkwJB"],"input-methods":["3qyfR"],"async-signal":["3qyfR"],"cookie":["3qyfR"],"dimension-tracking":["3qyfR"],"detect-broken-proxy-cache":["3qyfR"]});Arbiter.registerCallback(InitialJSLoader.callback, ["BOOTLOAD\/ROADRUNNER_READY"]);Arbiter.registerCallback(function() {InitialJSLoader.load(["3qyfR","WFWma"]);Arbiter.inform("BOOTLOAD\/ROADRUNNER_READY", true, Arbiter.BEHAVIOR_STATE);}, [OnloadEvent.ONLOAD_DOMCONTENT_CALLBACK]);</script><script type="text/javascript">
Bootloader.configurePage(["IkwJB","Byo5c"]);
Bootloader.done(["jDr+c","yZtFc"]);

onloadRegister(function (){$("uwiycf_1").value = tz_calculate(1326077871)});
onloadRegister(function (){FbDesktopDetect.patchLoginForm()});
onloadRegister(function (){window.loading_page_chrome = true;});
onloadRegister(function (){window.loading_page_chrome = false;});
onloadRegister(function (){useragent();});
onafterloadRegister(function (){Bootloader.loadComponents(["cookie","dom"], function(){ setCookie("gz", 0, 1000 * 60 * 60 * 24 * 7); var style = { position: 'absolute',              top: '-1000px', left: '-1000px',              width: '1px', height: '1px' };document.body.appendChild($N("iframe", { src : "/common/gzip_detect.php/gzip.html", style: style })); });});
onafterloadRegister(function (){Bootloader.loadComponents(["dimension-tracking"], function(){  });});
onafterloadRegister(function (){Bootloader.loadComponents(["detect-broken-proxy-cache"], function(){ detect_broken_proxy_cache("0", "c_user") });});
</script><script type="text/javascript">if(!window.ge)window.ge=function(a){return document.getElementById(a);};window.onload=function(a){return function(){var b=ge('email'),c=ge('pass');try{if(b&&!b.value){b.focus();}else if(c)c.focus();}catch(d){if(!(d.number==-2146826178))throw d;}return a&&a.call(window);};}(window.onload);function formchange(){(ge('persistent')||{}).checked=0;}function pop(a){window.open(a);}function reload_on_new_cookie(a){if(getCookie('c_user')||getCookie('csm'))window.location=a;}function begin_polling_login_cookies(a){setInterval(function(){reload_on_new_cookie(a);},5000);}
</script></body>
</html>


Looks like a Facebook homepage. Don't know what to do next with this server. Lets move to the last interesting IP address, 192.168.0.21.
Open it in browser and got the following web.
Lets try to explore it.
Ok, so this web is using PHP, so there must be a phpmyadmin folder in it. After some trial and error testing I found out that the phpmyadmin folder is located at 192.168.0.21/php/phpMyAdmin/

I want to know the version of the phpmyadmin, so when the login window appear I just clicked "Cancel" to bring the "failed login" page. And this is what I got. 
The version of the phpmyadmin is "phpMyAdmin 2.6.3-pl1"
Don't know the true password and haven't mastered the password cracking technique, I leave it.

Then I playing a little with the URL. 
original url : http://192.168.0.21/index1.php?help=true&connect=true
I added ' in the end of the url and got the following error
added url : http://192.168.0.21/index1.php?help=true&connect=true'
Warning: include(true\') [function.include]: failed to open stream: No such file or directory in /var/www/index1.php on line 18
Warning: include() [function.include]: Failed opening 'true\'' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/index1.php on line 18

from the error we know that the directory of the web is still the default at /var/www. And we also that the server is using pear too.

And the last, I perform the nmap command againts the system 
# nmap -A 192.168.0.21
I got the following output 
Spoiler:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-01-25 21:36 WIT
Nmap scan report for 192.168.0.21
Host is up (0.00052s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=1/25%OT=22%CT=1%CU=33310%PV=Y%DS=1%DC=D%G=Y%M=080027%
OS:TM=4F2013A9%P=i686-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS
OS:=7)SEQ(SP=CD%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS=7)SEQ(SP=CF%GCD=1%ISR=EF%TI=
OS:Z%CI=Z%II=I%TS=7)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5
OS:B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0
OS:%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=
OS:AS%O=M5B4ST11NW6%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 1 hop
Service Info: OS: Linux

Host script results:
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesnt support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Name: MSHOME\Unknown
|_  System time: 2012-01-26 04:37:26 UTC-6

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.0.21

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.81 seconds





And thats all I can get.   :)