Ports Recon
Banner Grabbing
telnet $ip $port
nc -nv $ip $port
curl -iv $ip
Port 21 - FTP
Nmap script scanning - ftp-anon reports whether anonymous login is allowed, -sV gives the server version
nmap -Pn -n -vvv -p21 -sC -sV $ip
Checking anonymous access manually - log in as anonymous, any string is accepted as the password
ftp $ip
Name: anonymous
Password: anonymous
Easy view of FTP content - Browse to:
Uploading a binary or a webshell - switch to binary mode first or the file is mangled in transfer
ftp> binary
ftp> put <local_file>
Port 22 - SSH
Additional banner grabbing - the verbose output shows the remote software version and the authentication methods offered
ssh -v root@$ip
Port 53 - DNS
# Reverse-lookup the target IP through its own nameserver to learn the hostname and domain
nslookup
nslookup> server $target_ip
nslookup> $target_ip
# o/p: ns1.example.com
# Zone transfer (AXFR) - lists every record in the zone, i.e. all sub-domains, when the server allows it
host -l -a example.com $target_ip # or ns1.example.com
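When the zone transfer succeeds, the useful part is a clean host list for the rest of the engagement. The script below is an added example, not from the original page: it parses host -l output into "IP hostname" pairs and a deduplicated IP list for nmap -iL. The zone records in it are constructed sample data, not a real domain.

```shell
#!/bin/sh
# Added example: turn "host -l -a example.com ns1.example.com" output into host lists.
# SAMPLE_AXFR is constructed sample data in host(1) output format, not a real zone.

SAMPLE_AXFR='Using domain server:
Name: 10.11.1.221
Address: 10.11.1.221#53
Aliases:

example.com name server ns1.example.com.
example.com has address 10.11.1.221
ns1.example.com has address 10.11.1.221
www.example.com has address 10.11.1.10
dev.example.com has address 10.11.1.11
dev.example.com has IPv6 address fd00::11
mail.example.com mail is handled by 10 mail.example.com.
mail.example.com has address 10.11.1.12'

# axfr_hosts: print "IP hostname" for every A/AAAA record on stdin, deduplicated.
# Ready for /etc/hosts, or for pairing vhost names with IPs during web enumeration.
axfr_hosts() {
    awk '$2 == "has" && ($3 == "address" || ($3 == "IPv6" && $4 == "address")) {
            ip = ($3 == "address") ? $4 : $5
            print ip, $1
         }' | LC_ALL=C sort -u
}

# axfr_targets: unique IPv4 addresses only, one per line, for nmap -iL.
axfr_targets() {
    axfr_hosts | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_targets
```

Run it as `host -l -a example.com ns1.example.com | axfr_targets > targets.txt` to feed the IPs straight into an nmap sweep.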
Port 79 - Finger
User enumeration - run the finger user-enumeration script with the following wordlist
/usr/share/metasploit-framework/data/wordlists/unix_users.txt
Port 80/443 - HTTP(S)
Get web server, version and potential OS from the response headers
curl -i http://$ip
Use Wappalyzer to identify technologies, web server, OS, database server deployed
View-Source of pages to find interesting comments, directories, technologies, web application being used, etc.
Finding hidden content
Scanning each sub-domain and interesting directory is a good idea
# Use small common wordlist first
# Use big wordlist next
# Use CMS specific wordlist if one is found
gobuster dir -u http://$ip -w /wordlist -o gobust.out
# Find technology specific content
gobuster dir -u http://$ip -w /wordlist -o gobust_php.out -x php
# Find hidden notes, readme, changelog
gobuster dir -u http://$ip -w /wordlist -o gobust_txt.out -x txt
Files to browse manually
/robots.txt
/sitemap.xml
# Request a path that does not exist to see the error page (server/framework version, and the size of a custom 404 for filtering scan results)
/doesnotexist
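Three gobuster runs produce three files with overlapping hits, and a server with a custom error page turns every wordlist entry into a same-size 200. The script below is an added example, not from the original page: it merges gobuster output, drops 404s, and discards 200s whose size equals the error page size measured on /doesnotexist. The hits in it are constructed sample output in gobuster v3 format, not real scan results.

```shell
#!/bin/sh
# Added example: triage gobuster output across several runs.
# SAMPLE_GOBUST* are constructed lines in gobuster v3 "dir" output format, not real results.

SAMPLE_GOBUST='/admin                (Status: 301) [Size: 312] [--> http://10.11.1.1/admin/]
/index.php            (Status: 200) [Size: 4213]
/server-status        (Status: 403) [Size: 278]
/readme.txt           (Status: 200) [Size: 7123]
/backup               (Status: 200) [Size: 1499]'
SAMPLE_GOBUST_PHP='/index.php            (Status: 200) [Size: 4213]
/config.php           (Status: 200) [Size: 0]
/test.php             (Status: 200) [Size: 1499]'

# gobuster_triage SOFT404_SIZE [file ...]
# Reads gobuster output from the files (or stdin) and prints "STATUS SIZE PATH",
# one line per unique path. 404s are dropped, and so is any 200 whose size equals
# SOFT404_SIZE, the size of the page the server returned for /doesnotexist: that is
# what a catch-all error page looks like in gobuster output.
gobuster_triage() {
    soft=$1; shift
    cat "$@" | awk -v soft="$soft" '
        /^\// && /\(Status: [0-9]+\)/ {
            path = $1
            match($0, /\(Status: [0-9]+\)/); status = substr($0, RSTART + 9, RLENGTH - 10)
            size = "?"
            if (match($0, /\[Size: [0-9]+\]/)) size = substr($0, RSTART + 7, RLENGTH - 8)
            if (status == "404") next
            if (status == "200" && size == soft) next
            print status, size, path
        }' | LC_ALL=C sort -u -k3,3
}

# 1499 is the size /doesnotexist came back with in this constructed sample
printf '%s\n%s\n' "$SAMPLE_GOBUST" "$SAMPLE_GOBUST_PHP" | gobuster_triage 1499
```

With the real files: `gobuster_triage 1499 gobust.out gobust_php.out gobust_txt.out`. Pass an empty string as the size when the server returns a proper 404 and nothing should be filtered.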
Run web server scanning
# Identifies CMS
# Identifies Shellshock
nikto -host $ip -o nikto.txt
Web application specific scanning
WordPress (add --api-token <token> so wpscan can pull vulnerability data from the WPScan API)
wpscan --url http://$ip -e p,t,u --detection-mode aggressive > wpscan.log
Drupal, with droopescan
droopescan scan drupal http://$ip -t 32
Port 110 - POP3
# Login
telnet $ip 110
USER test
PASS test
# List and view mails
# O/P: <mail_number> <mail_length>
list
# View mail
retr <mail_number>
quit
Port 139/445 - SMB
General enumeration
nmap -Pn -n -p139,445 --script 'smb-*' $ip   # quote the glob; note it also matches smb-brute and smb-flood, so pick individual scripts on a fragile target
enum4linux -a $ip
Enumerate hostname
nmblookup -A $ip
Get version - smbver.sh is a third-party helper script; the Metasploit module below reports the same
./smbver.sh $ip [port]
msf>use auxiliary/scanner/smb/smb_version
List shares
Note: smbmap will state access type available, smbclient will NOT. To check access type using smbclient, it’s best to access each share, read a file, and write a file.
smbmap -H $ip
# Get share items recursively
smbmap -H $ip -R <share>
smbmap -H $ip -d <domain> -u <user> -p <password>
smbclient -L //$ip -N
# Protocol Error? Force SMB1 (older hosts only speak NT1)
smbclient -L //$ip -N --option='client min protocol=NT1'
smbclient -L //$ip -U <user>
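smbmap prints the access type per share, which is exactly what decides the next step (a writable share is an upload target, a readable one is loot). The script below is an added example, not from the original page: it parses smbmap's tab-separated share table and prints only the shares matching the access you ask for. The table in it is constructed in smbmap's layout, not real output from a host.

```shell
#!/bin/sh
# Added example: filter smbmap's share table by permission.
# SAMPLE_SMBMAP is constructed in smbmap's tab-separated output layout, not real output.

SAMPLE_SMBMAP=$(
    printf '[+] IP: 10.11.1.1:445\tName: 10.11.1.1\n'
    printf '        Disk\tPermissions\tComment\n'
    printf '\t----\t-----------\t-------\n'
    printf '\t%-50s\t%s\t%s\n' 'ADMIN$' 'NO ACCESS'   'Remote Admin'
    printf '\t%-50s\t%s\t%s\n' 'C$'     'NO ACCESS'   'Default share'
    printf '\t%-50s\t%s\t%s\n' 'IPC$'   'READ ONLY'   'Remote IPC'
    printf '\t%-50s\t%s\t%s\n' 'print$' 'READ ONLY'   'Printer Drivers'
    printf '\t%-50s\t%s\t%s\n' 'tmp'    'READ, WRITE' 'oh noes!'
)

# smbmap_shares [READ|WRITE]
# Reads smbmap output on stdin and prints "share: permissions". With READ only
# readable shares are listed, with WRITE only writable ones, otherwise all of them.
smbmap_shares() {
    awk -F'\t' -v want="${1:-}" '
        /^\[/  { next }                      # "[+] IP: ..." banner lines
        { sub(/^[ \t]+/, "") }               # drop indentation so the share name is $1
        NF < 2 { next }                      # blank or non-table lines
        {
            name = $1; gsub(/[ \t]+$/, "", name)
            perm = $2; gsub(/^[ \t]+|[ \t]+$/, "", perm)
            if (name == "Disk" || name ~ /^-+$/) next   # column header and underline
            if (want == "WRITE" && perm !~ /WRITE/) next
            if (want == "READ"  && perm !~ /READ/)  next
            print name ": " perm
        }'
}

printf '%s\n' "$SAMPLE_SMBMAP" | smbmap_shares WRITE
```

Usage against a host: `smbmap -H $ip | smbmap_shares WRITE`. Since smbclient does not report access, follow up on each listed share with a read and a write of a test file, as the note above says.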
Connecting to a share
# Anonymously
smbclient //$ip/share -N
# Authenticated
smbclient //$ip/share -U <username>
# Protocol Error?
smbclient //$ip/share -N --option='client min protocol=NT1'
Port 161 - SNMP
MIB Values Windows Parameters
-----------------------------------------------------------------------------------------------
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
-----------------------------------------------------------------------------------------------
# Brute force community strings
# echo public > community
# echo private >> community
# echo manager >> community
# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > snmp-ips
onesixtyone -c community -i snmp-ips
# Enumerate entire MIB tree (v1 shown; if the agent stays silent retry with -v2c, which most agents accept)
snmpwalk -c public -v1 $ip
# Enumerate specific MIB Value
snmpwalk -c public -v1 $ip $MIB_Value
snmp-check $ip
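The Running Programs and Processes Path rows of the table above come back as two separate runs of OIDs that share an index (the PID), so a walk of each on its own is hard to read. The script below is an added example, not from the original page: it joins 1.3.6.1.2.1.25.4.2.1.2 (name) with 1.3.6.1.2.1.25.4.2.1.4 (path) on that index and then picks out the processes whose binary lives outside \Windows, which is the third-party software worth looking up. The walk in it is constructed sample output in `snmpwalk -On` numeric format, not from a real host.

```shell
#!/bin/sh
# Added example: join hrSWRunName (.25.4.2.1.2) and hrSWRunPath (.25.4.2.1.4) by PID.
# SAMPLE_SNMPWALK is constructed in "snmpwalk -On" numeric output format, not a real host.

SAMPLE_SNMPWALK='.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.612 = STRING: "svchost.exe"
.1.3.6.1.2.1.25.4.2.1.2.1472 = STRING: "xampp-control.exe"
.1.3.6.1.2.1.25.4.2.1.2.2088 = STRING: "mysqld.exe"
.1.3.6.1.2.1.25.4.2.1.4.1 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.4.4 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.4.612 = STRING: "C:\Windows\system32\"
.1.3.6.1.2.1.25.4.2.1.4.1472 = STRING: "C:\xampp\"
.1.3.6.1.2.1.25.4.2.1.4.2088 = STRING: "C:\xampp\mysql\bin\"'

# snmp_procs: reads the walk on stdin and prints tab-separated "PID NAME PATH" per
# process in walk order; "-" when the agent reports an empty path (kernel processes).
snmp_procs() {
    awk '
        /^\.1\.3\.6\.1\.2\.1\.25\.4\.2\.1\.[24]\./ {
            split($1, o, ".")          # o[12] is the column (2 name, 4 path), o[13] the PID
            col = o[12]; pid = o[13]
            val = $0
            sub(/^[^=]*= [A-Za-z]+: /, "", val)   # strip "OID = STRING: "
            gsub(/^"|"$/, "", val)                # strip the surrounding quotes
            if (col == "2") name[pid] = val; else path[pid] = val
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]; pp = path[p]; if (pp == "") pp = "-"
                print p "\t" name[p] "\t" pp
            }
        }'
}

# snmp_procs_nonsystem: processes whose binary is not under C:\Windows
snmp_procs_nonsystem() {
    snmp_procs | awk -F'\t' '$3 != "-" && tolower($3) !~ /^c:\\windows\\/'
}

printf '%s\n' "$SAMPLE_SNMPWALK" | snmp_procs
printf '%s\n' "$SAMPLE_SNMPWALK" | snmp_procs_nonsystem
```

Against a host: `snmpwalk -c public -v1 -On $ip 1.3.6.1.2.1.25.4.2.1 | snmp_procs_nonsystem`. The -On flag matters: without it net-snmp prints symbolic names (or iso.3.6...), which the OID match in the script does not cover.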
Port 2049 - NFS
# NFS < v4 (showmount talks to mountd, which NFSv4-only servers do not expose)
# Enumerating exports, and which clients currently have them mounted
showmount -e $ip
showmount -a $ip
# Mounting, x = NFS Version
mount -t nfs -o vers=x $ip:<share> <local_dir>
# On target machine
# Mounts flagged nosuid or noexec will not honour SUID bits or run binaries, so list the ones with neither:
# a SUID payload (e.g. dropped onto an export with no_root_squash) only works from such a mount
mount | grep -v 'nosuid\|noexec'
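Two small helpers for the steps above, as an added example that is not from the original page: nfs_mount_cmds turns showmount -e output into one mount command per export (each under its own directory so /srv/share and /srv do not collide), and mount_exec_status reads mount output on the target and reports which mount points honour SUID bits and allow execution. Both inputs are constructed samples, not real hosts; the nolock option is an assumption of the example, added so the mount does not need a local lock daemon.

```shell
#!/bin/sh
# Added example: NFS export enumeration and mount-option checks.
# SAMPLE_SHOWMOUNT and SAMPLE_MOUNT are constructed samples in the tools' output format.

SAMPLE_SHOWMOUNT='Export list for 10.11.1.72:
/home      *
/srv/share 10.11.1.0/24
/backup    (everyone)'

SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sda2 on /home type ext4 (rw,nosuid,nodev,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
10.11.1.72:/srv/share on /mnt/share type nfs (rw,relatime,vers=3,rsize=131072,wsize=131072,addr=10.11.1.72)
/dev/sdb1 on /opt type ext4 (rw,noexec,relatime)'

# nfs_mount_cmds SERVER_IP [NFS_VERSION] [BASE_DIR]
# Reads "showmount -e" output on stdin and prints one mount command per export,
# mounting /srv/share as BASE_DIR/srv_share. Defaults: version 3, base /mnt/nfs.
nfs_mount_cmds() {
    awk -v ip="$1" -v vers="${2:-3}" -v base="${3:-/mnt/nfs}" '
        /^\// {
            dir = $1; gsub(/^\/|\/$/, "", dir); gsub(/\//, "_", dir)
            if (dir == "") dir = "root"
            printf "mkdir -p %s/%s && mount -t nfs -o vers=%s,nolock %s:%s %s/%s\n",
                   base, dir, vers, ip, $1, base, dir
        }'
}

# mount_exec_status
# Reads "mount" output on stdin and prints "MOUNTPOINT FSTYPE STATUS", where STATUS
# is "suid+exec" when neither nosuid nor noexec is set, otherwise the blocking options.
mount_exec_status() {
    awk '$2 == "on" && $4 == "type" {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ","); nosuid = 0; noexec = 0
            for (i = 1; i <= n; i++) { if (o[i] == "nosuid") nosuid = 1; if (o[i] == "noexec") noexec = 1 }
            status = "suid+exec"
            if (nosuid && noexec) status = "nosuid,noexec"
            else if (nosuid) status = "nosuid"
            else if (noexec) status = "noexec"
            print $3, $5, status
        }'
}

# suid_capable_mounts: just the mount points where a SUID payload would actually work
suid_capable_mounts() {
    mount_exec_status | awk '$3 == "suid+exec" { print $1 }'
}

printf '%s\n' "$SAMPLE_SHOWMOUNT" | nfs_mount_cmds 10.11.1.72
printf '%s\n' "$SAMPLE_MOUNT" | suid_capable_mounts
```

From the attacking box: `showmount -e $ip | nfs_mount_cmds $ip 3 | sh`. On the target: `mount | suid_capable_mounts` shows where a SUID binary placed via the export will run with its owner's privileges.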