Contents
Port 21: FTP
- NMAP Scripts:
nmap -p 21 --script ftp* <ip>
- Attempt Anon login:
- User: Anonymous
- Pass: Anonymous
Port 22: SSH
nmap -p 22 --script ssh* -oA ssh_scan <ip>ssh-keyscan <ip>ssh-vulnkey <ip> key.pub
Port 23: Telnet
Port 25/587: SMTP
nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24
Port 53: DNS (TCP)
- DNS Zone Transfers:
- [Linux]
dnsrecon -d <server> -t axfr - [Linux]
host -l test.com ns1.test.com - [Linux]
dig axfr test.com @ns1.test.com - [Windows]
nslookup -> set type=any -> ls -d test.com
- [Linux]
- DNSrecon:
dnsrecon -d TARGET -d /usr/share/wordlists/dnsmap.txt -t std
Port 79: Finger
finger root@<ip>finger admin@<ip>finger 'a b c d e f g h'@<ip>
Port 80: HTTP
Start Burp Suite NOW!
nikto http://192.168.56.1 -o nikto.txtdirb http://192.168.56.1 -r -o dirb.txt- Wordlists: /usr/share/wordlists/dirbuster
dirbuster- WPSscan
- [Update]
wpscan --update - [Enum Plugins]
wpscan --url <http://> --enumerate p - [Enum Themes]
wpscan --url <http://> --enumerate t - [Enum Users]
wpscan --url <http://> --enumerate u - [BF on Enum Users]
wpscan --url <http://> --wordlist <pass.txt> --threads 50 - [BF on Admin]
wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50
- [Update]
Port 110: POP3
Port 111: RPCbind
- RID Cycling: Attempting to enumeratre Users –
rpcclient -U "" TARGET- –>
Port 143: IMAP
Port 161: SNMP
- Find Hosts:
nmap -sU --open -p 161 192.168.1.0/24 -oG SNMP_hosts.txt
- Simple Enumeration:
nmap -p 161 --script snmp-enum <ip>snmp-check <ip>
- Community Enumeration:
onesixtyone -c community.txt -i <ip>
- After knowing the comminuty string:
snmpwalk -c <community_string> -v1 <ip>- [Enum Users]
snmpwalk -c public -v1 <ip> 1.3.6.1.4.1.77.1.2.25 - [Enum Open TCP Ports]
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.6.13.1.3 - [Enum Patches (windows)]
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.25.6.3.1.2
Port 389: LDAP
ldapsearch -h <ip> -p <port> -x -s base- -x: simple Authentication
- -s: scope (base, one, sub)
ldapsearch -LLL -x -H ldap://<FQDN> -b '' -s base '(objectclass=*)'
Port 443: HTTPS
Start Burp Suite NOW!
nikto http://192.168.56.1 -o nikto.txtdirb http://192.168.56.1 -r -o dirb.txt- Wordlists: /usr/share/wordlists/dirbuster
dirbuster- WPSscan
- [Update]
wpscan --update - [Enum Plugins]
wpscan --url <http://> --enumerate p - [Enum Themes]
wpscan --url <http://> --enumerate t - [Enum Users]
wpscan --url <http://> --enumerate u - [BF on Enum Users]
wpscan --url <http://> --wordlist <pass.txt> --threads 50 - [BF on Admin]
wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50
- [Update]
sslscan <ip>nmap -sV --script ssl-enum-ciphers -p 443 <ip>
Port 139/445: SMB
- Find Hosts:
nmap -v -p 139, 445 -oA SMB_Scan 10.11.1.0/24
- Enumeration:
nmblookup -A <ip>nbtscan <ip>nbtscan -r 192.168.1.1/24
smbclient -L //<IP>smbclient //MOUNT/share -I TARGET -Nsmbclient //<IP>/sharename -U <username>rpcclient -U "" TARGET- https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
enum4linux -a TARGET
- NMAP:
nmap -p 139, 445 --script smb* -oA smb_scan <ip>
- Password Spray:
crackmapexec smb -u users.txt -p passes.txt --local-auth 10.10.10.178 --continue-on-success
Port 514: Syslog
Port 1433/4: MS-SQL
Port 2049: NFS
You may need to install the nfs-common package:apt-get install nfs-common
- Check for Shares:
showmount -e <ip>mkdir /tmp/nfsmount -t nfs <ip>:<share> /tmp/nfs
When mounting the shares often times the User id (uid) will be checked as an “authetntication” to the share to make sure that only the user that owns the share can access the content, even though you have successfully mounted it on your local machine. As such, if you know the uid of the user in question you can create a user with the same userid witht he following command:
useradd -u 2000 lokii --> add a user (lokii) with a uid of 2000
Port 3128: Squid Proxy
Port 3306: MySQL
- Execute commands (one-liner):
mysql -u admin -padmin -c "show databases;set database mysql;select* from users;"
- Remote access:
mysql -u admin -padmin -h <ip>