Ports
Enumeration by ports
21 - FTP
nc <ip> 21
22 - SSH
23 - TELNET
25 - SMTP
53 - DNS (TCP & UDP)
67 & 68 - DHCP (UDP)
69 - TFTP (UDP)
80/443 - HTTP/S
source code
robots.txt
sitemap.xml
gobuster dir -u http://<ip>:<port> -w <word list location> -x html,php,txt,zip
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt
nikto -h http://<ip>
nikto -id bob:password -h http://<ip>/manager/html
test OWASP top 10
110 - POP3
111 - RPCbind
rpcbind is a small server that maps remote procedure call (RPC) program numbers to universal addresses. When an RPC service starts, it registers with rpcbind the address it is listening on and the RPC program number it is prepared to serve, so clients ask rpcbind on port 111 where a given program (for example NFS or mountd) actually lives.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <ip>
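To make the program-number-to-port mapping above concrete, the following added example (not from the original page) encodes and decodes a portmapper GETPORT exchange as defined in RFC 5531 / RFC 1833, the same request `rpcinfo -p` or the nmap NFS scripts send to port 111. The live `query_rpcbind` helper, the xid value and the reply bytes in `SAMPLE_REPLY` are constructed for illustration; use it to verify what your own rpcbind advertises.

```python
"""Encode/decode ONC RPC portmapper (rpcbind) GETPORT messages (RFC 5531 / RFC 1833)."""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG, MOUNT_PROG = 100003, 100005  # well-known RPC program numbers

def build_getport(xid, prog, vers, proto):
    """Encode a CALL asking rpcbind which port serves (prog, vers, proto).
    XDR is big-endian 32-bit words; credential and verifier are AUTH_NONE."""
    header = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", 0, 0, 0, 0)            # cred flavor/len, verf flavor/len
    args = struct.pack(">4I", prog, vers, proto, 0)   # port word is ignored in a request
    return header + auth + args

def parse_getport_reply(data, xid):
    """Decode the REPLY; return the port (0 = program not registered) or raise."""
    r_xid, msg_type, reply_stat, _vflavor, vlen = struct.unpack_from(">5I", data, 0)
    if r_xid != xid or msg_type != 1 or reply_stat != 0:
        raise ValueError("not an accepted reply to our request")
    off = 20 + vlen + (-vlen) % 4                     # skip opaque verifier, 4-byte padded
    accept_stat, port = struct.unpack_from(">2I", data, off)
    if accept_stat != 0:
        raise ValueError("rpcbind rejected the call: accept_stat=%d" % accept_stat)
    return port

def query_rpcbind(host, prog, vers, proto=IPPROTO_TCP, timeout=2.0):
    """Ask a live rpcbind over UDP/111 where a program lives (like `rpcinfo -p`)."""
    xid = 0x1234ABCD  # constructed transaction id; any value works, reply must echo it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport(xid, prog, vers, proto), (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)

# Constructed reply: rpcbind answering that NFS v3 over TCP is registered on port 2049.
SAMPLE_REPLY = struct.pack(">7I", 0x1234ABCD, 1, 0, 0, 0, 0, 2049)

if __name__ == "__main__":
    print("NFS registered on port", parse_getport_reply(SAMPLE_REPLY, 0x1234ABCD))
```

A port of 0 in the decoded reply means the program is not registered; compare the set of registered programs against what the host is supposed to export.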
139 & 445 - SMB
Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.
#enum shares & users
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
#connect to share anonymously
smbclient //<ip>/anonymous
#connect as specific user
smbclient //<ip>/anonymous -U user
#recursively download
smbget -R smb://<ip>/anonymous
#Tool : enum4linux
enum4linux [options] <ip>
-U get userlist
-M get machine list
-N get namelist dump (different from -U and -M)
-S get sharelist
-P get password policy information
-G get group and member list
-A all of the above (full basic enumeration)
#Tool : smbmap
smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1
smbmap -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
smbmap -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
143 - IMAP
161 - SNMP