UDP Ports: 53,69,111,161,500,623,2049
TCP Ports: 21,22,23,25,53,80,81,88,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3268,3269,3306,3389,4333,4786,4848,5432,5800,5900,5901,6000,6001,7001,8000,8080,8181,8443,10000,16992-16993,27017,32764
masscan -p <ports> --open --banners -oG <outputfile> -iL <inputfile>
nmap -sS -sV -p 21,22,23,25,53,80,81,88,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3268,3269,3306,3389,4333,4786,4848,5432,5800,5900,5901,6000,6001,7001,8000,8080,8181,8443,10000,16992-16993,27017,32764 --open -oA scans/nmap-tcp -iL targets.txt
nmap -sU -p 53,69,111,161,500,623,2049 --open -oA scans/nmap-udp -iL targets.txt
When you have nmap scan results from a very large network, it helps to import the XML files into Sparta (installed by default on Kali). Sparta lets you view results by host or service, and if you use sshuttle to proxy traffic through the PTK, you can right-click an object in Sparta and run default nmap scripts against a service, brute-force the service from the GUI, take HTTP screenshots, take notes, and more.
cat scans/nmap-tcp.xml | aquatone -nmap -ports xlarge -out aquatone
Review the Aquatone report. Check for printers or other network devices using default credentials; if found, check for LDAP connections and hijack the credentials using a 'passback attack'. Check for default credentials and vulnerable versions.
SMTP relay check:
msfconsole
use auxiliary/scanner/smtp/smtp_relay
set RHOSTS <IP or File>
set MAILFROM <PoC email address>
set MAILTO <your email address>
run
NFS scan:
nmap -sV --script rpcinfo,nfs-showmount -iL [FILE] -p2049,111 --open
Mount open shares:
mount -t nfs -o nolock [NFS-SHARE]:[NFS-PATH] /mnt
IPMI:
msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts [TARGETS]
run
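To turn the nmap -oA XML from the TCP and UDP scans above into a remediation list (which hosts expose NFS, IPMI, SNMP, SMTP and the other follow-up ports), here is an added triage script; it is not part of the original notes, the risk labels per port are my own assumptions, and the sample XML is constructed rather than real scan output.

```python
import xml.etree.ElementTree as ET

# Ports from the scan lists above that deserve a remediation ticket when found open.
# The labels are my own triage notes (assumption), not anything nmap emits.
RISK_PORTS = {
    ("tcp", 21): "ftp: cleartext credentials",
    ("tcp", 23): "telnet: cleartext credentials",
    ("tcp", 25): "smtp: verify relaying is restricted",
    ("tcp", 111): "rpcbind: usually paired with nfs",
    ("tcp", 2049): "nfs: review exports for unauthenticated mounts",
    ("tcp", 5900): "vnc: check authentication is enforced",
    ("tcp", 16992): "intel amt: out-of-band management exposed",
    ("tcp", 16993): "intel amt (tls): out-of-band management exposed",
    ("tcp", 32764): "router management port with known vulnerable implementations",
    ("udp", 161): "snmp: check community strings and version",
    ("udp", 623): "ipmi: credential-hash disclosure risk, isolate the BMC network",
}

def triage(nmap_xml: str) -> list[tuple[str, str, int, str]]:
    """Return (ip, proto, port, reason) for every open risk port in an nmap XML document."""
    findings = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            # UDP probes usually come back "open|filtered"; keep those for review too.
            if state is None or not state.get("state", "").startswith("open"):
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            if key in RISK_PORTS:
                findings.append((addr.get("addr"), key[0], key[1], RISK_PORTS[key]))
    return sorted(findings)

# Constructed sample in the shape nmap -oA writes; not real scan output.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="udp" portid="623"><state state="open|filtered"/></port>
<port protocol="udp" portid="161"><state state="open"/></port></ports></host>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="filtered"/></port>
<port protocol="tcp" portid="2049"><state state="open"/></port></ports></host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, proto, port, why in triage(SAMPLE_XML):
        print(f"{ip:<15} {proto}/{port:<5} {why}")
```

Point it at scans/nmap-tcp.xml and scans/nmap-udp.xml with `triage(open(path).read())` to get one sorted list per scan.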