Ports

Enumeration by ports

21 - FTP

nc <ip> 21

22 - SSH

23 - TELNET

25 - SMTP

53 - DNS (TCP & UDP)

67 & 68 - DHCP (UDP)

69 - TFTP (UDP)

80/443 - HTTP/S

source code

robots.txt

sitemap.xml

gobuster dir -u http://<ip>:<port> -w <word list location> -x html,php,txt,zip

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt

nikto -h http://<ip>

nikto -id bob:password -h http://<ip>/manager/html

test OWASP top 10

110 - POP3

111 - RPCbind

This is just a server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <ip>

139 & 445 - SMB

Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

#enum shares & users
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

#connect to share anonymous
smbclient //<ip>/anonymous

#connect as specific user
smbclient //<ip>/anonymous -U user

#recursively download
smbget -R smb://<ip>/anonymous

#Tool : enum4linux

enum4linux [options] ip
-U             get userlist
-M             get machine list
-N             get namelist dump (different from -U and-M)
-S             get sharelist
-P             get password policy information
-G             get group and member list
-A             all of the above (full basic enumeration)

#Tool : smbmap
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -h 10.1.3.30 -x 'net group "Domain Admins" /domain'

143 - IMAP

161 - SNMP

PreviousScanning NextExploitation

Last updated 4 years ago

Was this helpful?

111 - RPCbind

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <ip>

139 & 445 - SMB

Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

#enum shares & users
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

#connect to share anonymous
smbclient //<ip>/anonymous

#connect as specific user
smbclient //<ip>/anonymous -U user

#recursively download
smbget -R smb://<ip>/anonymous

#Tool : enum4linux

enum4linux [options] ip
-U             get userlist
-M             get machine list
-N             get namelist dump (different from -U and-M)
-S             get sharelist
-P             get password policy information
-G             get group and member list
-A             all of the above (full basic enumeration)

#Tool : smbmap
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -h 10.1.3.30 -x 'net group "Domain Admins" /domain'