Common ports enumeration and exploitation technique

Akash c
2 min read · Apr 22, 2021


Port 21 — FTP

To determine the version of FTP running on a target system, there are a few methods that can be used. One option is to use the nmap tool to scan the target system and identify the version of FTP running. Another option is to establish a connection to the FTP service using a tool such as nc or ftp and read the greeting banner the server sends on connect, which usually includes the software name and version.

ftp 192.168.1.101
nc 192.168.1.101 21
nmap -sV 192.168.1.101 -p 21

The Metasploit ftp_version module can also be used to scan a range of IP addresses and determine the version of any FTP servers that are running.

use auxiliary/scanner/ftp/ftp_version

FTP servers may allow anonymous users to access the server. Common credential pairs to check are:

anonymous : anonymous
anonymous :
ftp : ftp

The Metasploit ftp_login auxiliary module can be used to perform brute force login attempts.

use auxiliary/scanner/ftp/ftp_login

Port 22 — SSH

To determine the version of SSH running on a target system, there are a few methods that can be employed. One option is to use the nmap tool to scan the target system and identify the version of SSH running on it. Another option is to establish a connection to the SSH service using a tool such as nc: the server sends its identification string (for example SSH-2.0-OpenSSH_...) as soon as the connection is opened, so no further commands are needed.

nc 192.168.1.101 22
nmap -sV 192.168.1.101 -p 22

The Metasploit ssh_login module can be used to perform brute force login attempts.

use auxiliary/scanner/ssh/ssh_login

Port 25 — SMTP

To determine the version of SMTP running on a target system, there are several methods that can be employed. One option is to use the nmap tool to scan the target system and identify the version of SMTP running on it. Another option is to establish a connection to the SMTP service using tools such as telnet or nc and read the 220 greeting banner, which often names the mail software.

nc 192.168.1.101 25
nmap -sV 192.168.1.101 -p 25
telnet 192.168.1.101 25
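The FTP, SSH and SMTP checks above all rely on the greeting banner a server sends when a client connects. The following added example (not code from the original post) grabs that banner and extracts the software/version string from it; the host, port and sample banners are constructed for illustration.

```python
# Added example, not from the original post: read the greeting banner that
# FTP, SSH and SMTP servers send on connect and extract the version string,
# which is what the nc/telnet commands above do by hand.
import re
import socket

# Constructed sample banners, one per service discussed above.
SAMPLE_BANNERS = {
    21: "220 (vsFTPd 3.0.3)\r\n",
    22: "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    25: "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
}

def parse_banner(port, banner):
    """Return (service, version_string) from a greeting banner, or None."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    if port == 22 or line.startswith("SSH-"):
        # SSH identification string: SSH-protoversion-softwareversion [comments]
        m = re.match(r"SSH-(\d[\d.]*)-(\S+)(?:\s+(.*))?", line)
        return ("ssh", m.group(2)) if m else None
    # FTP and SMTP both greet with a 220 reply code followed by free text
    m = re.match(r"220[ -](.*)", line)
    if not m:
        return None
    text = m.group(1).strip()
    if port == 25 or "SMTP" in text.upper():
        return ("smtp", text)
    return ("ftp", text.strip("()"))

def grab_banner(host, port, timeout=5.0):
    """Connect, read whatever the server sends first, and return it ('' on timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024).decode("utf-8", errors="replace")
        except socket.timeout:
            return ""

if __name__ == "__main__":
    # Offline demonstration over the constructed banners; for a live host,
    # replace SAMPLE_BANNERS[port] with grab_banner("192.168.1.101", port).
    for port, banner in SAMPLE_BANNERS.items():
        print(port, parse_banner(port, banner))
```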

The Metasploit SMTP enumeration module connects to a given mail server and uses a wordlist to enumerate user accounts that exist on the remote system.

use auxiliary/scanner/smtp/smtp_enum

The Metasploit smtp_relay module can be used to test whether an SMTP server is configured as an open relay.

use auxiliary/scanner/smtp/smtp_relay

Port 80/443 — HTTP

To determine the version of the HTTP server running on a target system, several methods can be employed, such as:

  • Using the nmap tool to scan the target system and identify the web server software and version.
  • Establishing a connection to the HTTP service using tools such as telnet or nc, sending a request (for example HEAD / HTTP/1.0 followed by a blank line) and reading the Server header in the response. Port 443 speaks TLS, so plain nc or telnet will not get a readable response there; use openssl s_client -connect 192.168.1.101:443 instead.

nc 192.168.1.101 80
nmap -sV 192.168.1.101 -p 80,443
telnet 192.168.1.101 80

Enumeration using nikto

nikto -h https://192.168.1.101
nikto -h http://192.168.1.101

The Metasploit dir_scanner module can be used to identify interesting directories under a given path on the web server.

use auxiliary/scanner/http/dir_scanner

Port 139/445 — SMB

Enumerate Hostname

nmblookup -A [ip]

List Shares

  • smbmap -H [ip/hostname]
  • echo exit | smbclient -L \\\\[ip]
  • nmap --script smb-enum-shares -p 139,445 [ip]

Check Null Sessions

  • smbmap -H [ip/hostname]
  • rpcclient -U "" -N [ip]
  • smbclient -N \\\\[ip]\\[share name]

Check for SMB vulnerabilities using nmap (the pattern is quoted so the shell does not expand it as a glob)

nmap --script "smb-vuln*" -p 139,445 [ip]
