Port 21: FTP

  • NMAP Scripts:
    • nmap -p 21 --script "ftp*" <ip>
  • Attempt Anon login:
    • User: Anonymous
    • Pass: Anonymous

Port 22: SSH

  • nmap -p 22 --script "ssh*" -oA ssh_scan <ip>
  • ssh-keyscan <ip>
  • ssh-vulnkey <ip> key.pub

Port 23: Telnet


Port 25/587: SMTP

  • nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24

Port 53: DNS (TCP)

  • DNS Zone Transfers:
    • [Linux] dnsrecon -d <server> -t axfr
    • [Linux] host -l test.com ns1.test.com
    • [Linux] dig axfr test.com @ns1.test.com
    • [Windows] nslookup -> set type=any -> ls -d test.com
  • DNSrecon:
    • dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std

Port 79: Finger

  • finger root@<ip>
  • finger admin@<ip>
  • finger 'a b c d e f g h'@<ip>

Port 80: HTTP

Start Burp Suite NOW!

  • nikto -h http://192.168.56.1 -o nikto.txt
  • dirb http://192.168.56.1 -r -o dirb.txt
    • Wordlists: /usr/share/wordlists/dirbuster
  • dirbuster
  • WPScan
    • [Update] wpscan --update
    • [Enum Plugins] wpscan --url <http://> --enumerate p
    • [Enum Themes] wpscan --url <http://> --enumerate t
    • [Enum Users] wpscan --url <http://> --enumerate u
    • [BF on Enum Users] wpscan --url <http://> --wordlist <pass.txt> --threads 50
    • [BF on Admin] wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50

Port 110: POP3


Port 111: RPCbind

  • RID Cycling (attempting to enumerate users):
    • rpcclient -U "" TARGET
    • –>

Port 143: IMAP


Port 161: SNMP

  • Find Hosts:
    • nmap -sU --open -p 161 192.168.1.0/24 -oG SNMP_hosts.txt
  • Simple Enumeration:
    • nmap -p 161 --script snmp-enum <ip>
    • snmp-check <ip>
  • Community Enumeration:
    • onesixtyone -c community.txt -i <ip>
  • After knowing the community string:
    • snmpwalk -c <community_string> -v1 <ip>
    • [Enum Users] snmpwalk -c public -v1 <ip> 1.3.6.1.4.1.77.1.2.25
    • [Enum Open TCP Ports] snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.6.13.1.3
    • [Enum Patches (windows)] snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.25.6.3.1.2

Port 389: LDAP

  • ldapsearch -h <ip> -p <port> -x -s base
    • -x: simple Authentication
    • -s: scope (base, one, sub)
  • ldapsearch -LLL -x -H ldap://<FQDN> -b '' -s base '(objectclass=*)'

Port 443: HTTPS

Start Burp Suite NOW!

  • nikto -h https://192.168.56.1 -o nikto.txt
  • dirb https://192.168.56.1 -r -o dirb.txt
    • Wordlists: /usr/share/wordlists/dirbuster
  • dirbuster
  • WPScan
    • [Update] wpscan --update
    • [Enum Plugins] wpscan --url <http://> --enumerate p
    • [Enum Themes] wpscan --url <http://> --enumerate t
    • [Enum Users] wpscan --url <http://> --enumerate u
    • [BF on Enum Users] wpscan --url <http://> --wordlist <pass.txt> --threads 50
    • [BF on Admin] wpscan --url <http://> --wordlist <pass.txt> --username admin --threads 50
  • sslscan <ip>
  • nmap -sV --script ssl-enum-ciphers -p 443 <ip>

Port 139/445: SMB

  • Find Hosts:
    • nmap -v -p 139,445 -oA SMB_Scan 10.11.1.0/24
  • Enumeration:
    • nmblookup -A <ip>
    • nbtscan <ip>
      • nbtscan -r 192.168.1.1/24
    • smbclient -L //<IP>
    • smbclient //MOUNT/share -I TARGET -N
    • smbclient //<IP>/sharename -U <username>
    • rpcclient -U "" TARGET
      • https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
    • enum4linux -a TARGET
  • NMAP:
    • nmap -p 139,445 --script "smb*" -oA smb_scan <ip>
  • Password Spray:
    • crackmapexec smb -u users.txt -p passes.txt --local-auth 10.10.10.178 --continue-on-success


Port 514: Syslog


Port 1433/4: MS-SQL


Port 2049: NFS

You may need to install the nfs-common package:
apt-get install nfs-common

  • Check for Shares:
    • showmount -e <ip>
    • mkdir /tmp/nfs
    • mount -t nfs <ip>:<share> /tmp/nfs

When mounting the shares, the user ID (uid) is often checked as “authentication” to the share, to make sure that only the user that owns the share can access the content, even though you have successfully mounted it on your local machine. As such, if you know the uid of the user in question, you can create a user with the same uid with the following command:

useradd -u 2000 lokii --> add a user (lokii) with a uid of 2000
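
The uid check described above is only as strong as the server's export options, so the server-side review is of /etc/exports. The audit below is an added example, not part of the original page; the sample exports content, paths, hosts and function name are constructed, and it assumes unquoted paths and no "-options" default lists.

```python
import re

# Constructed sample /etc/exports content (paths and hosts are illustrative).
SAMPLE_EXPORTS = """\
# constructed example
/srv/home      *(rw,sync,no_root_squash)
/srv/projects  192.168.56.0/24(rw,sync)
/srv/secure    *.corp.example(rw,sync,sec=krb5p)
/srv/public    192.168.56.10(ro,sync,all_squash) *(ro)
"""

# Matches "client(opt,opt)" (client may be empty) or a bare client with no options.
CLIENT_RE = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")

DESCRIPTIONS = {
    "auth_sys": "sec=sys (default): server trusts the uid/gid sent by the client",
    "no_root_squash": "remote uid 0 is not mapped to the anonymous user",
    "any_host": "export is offered to every host",
}

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, then strip comments and blanks.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in CLIENT_RE.finditer(rest):
            # An empty client in front of "(...)" means every host.
            client = (m.group(1) if m.group(2) is not None else m.group(3)) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            # all_squash maps every uid to the anonymous user, so a matching uid gains nothing.
            if "sys" in flavors and "all_squash" not in opts:
                findings.append((path, client, "auth_sys"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if client == "*":
                findings.append((path, client, "any_host"))
    return findings

if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {DESCRIPTIONS[code]}")
```
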


Port 3128: Squid Proxy


Port 3306: MySQL

  • Execute commands (one-liner):
    • mysql -u admin -padmin -e "show databases; use mysql; select * from user;"
  • Remote access:
    • mysql -u admin -padmin -h <ip>

Port 3389: RDP


Port 5432: Postgres


Port 5900: VNC


Port 6000: X11