Common ports: enumeration and exploitation techniques
Port 21 — FTP
We can find the FTP server's version either by scanning with nmap or by connecting to it with nc or ftp and reading the 220 greeting.
ftp 192.168.1.101
nc 192.168.1.101 21
nmap -sV 192.168.1.101 -p 21
The Metasploit ftp_version module can also be used to scan a range of IP addresses and report the version of any FTP servers running on them.
use auxiliary/scanner/ftp/ftp_version
FTP servers may allow anonymous logins; the usual credential pairs to try (user : password) are:
anonymous : anonymous
anonymous :
ftp : ftp
The Metasploit ftp_login auxiliary module can be used to perform brute force login attempts.
use auxiliary/scanner/ftp/ftp_login
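The banner grab and the anonymous-login test above, chained into one script. This is an added example, not code from the original page: it drives a scripted nc session against port 21, pulls the version out of the 220 greeting and decides from the final reply code (230 logged in, 530 refused) whether each of the three credential pairs listed above worked. The target host is an assumption; the credential list is the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: grab the FTP banner and try the
# anonymous credential pairs listed above with a scripted nc session, then
# judge the result from the server's reply codes. The host is an assumption.

# Version string from the 220 greeting, e.g. "220 (vsFTPd 3.0.3)" -> "vsFTPd 3.0.3".
ftp_banner_version() {
    printf '%s\n' "$1" | grep '^220' | head -n 1 | sed 's/^220[ -]//; s/^(//; s/)$//'
}

# Verdict from a full login transcript: the last reply code decides.
# 230 = logged in, 530 = refused, anything else is reported as-is.
ftp_verdict() {
    code=$(printf '%s\n' "$1" | grep -E '^[0-9]{3}[ -]' | tail -n 1 | cut -c1-3)
    case "$code" in
        230) echo "anonymous-login-allowed" ;;
        530) echo "login-refused" ;;
        *)   echo "unknown:$code" ;;
    esac
}

# Scripted conversation over nc. The sleeps give the server time to answer
# before the next command is written; -w bounds the wait for a silent server.
ftp_try_login() {   # $1 host, $2 user, $3 password (may be empty)
    { sleep 1; printf 'USER %s\r\n' "$2"; sleep 1; printf 'PASS %s\r\n' "$3"
      sleep 1; printf 'QUIT\r\n'; } | nc -w 5 "$1" 21
}

# Try each user:password pair the page lists; "anonymous:" has an empty password.
ftp_anon_check() {
    for pair in anonymous:anonymous anonymous: ftp:ftp; do
        user=${pair%%:*}; pass=${pair#*:}
        transcript=$(ftp_try_login "$1" "$user" "$pass")
        printf '%s | %s:%s -> %s\n' "$(ftp_banner_version "$transcript")" \
            "$user" "$pass" "$(ftp_verdict "$transcript")"
    done
}

if [ "$#" -gt 0 ]; then ftp_anon_check "$1"; fi   # usage: sh ftp_anon.sh 192.168.1.101
```

Keep the output of `ftp_verdict` in mind when reading a 331 followed by a 530: the username was accepted but the password was not, which is how many servers answer "anonymous" when anonymous access is off.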
Port 22— SSH
We can find the SSH server's version either by scanning with nmap or by connecting to it with nc and reading the version string it sends first.
nc 192.168.1.101 22
nmap -sV 192.168.1.101 -p 22
The Metasploit ssh_login module can be used to perform brute force login attempts.
use auxiliary/scanner/ssh/ssh_login
Port 25 — SMTP
We can find the SMTP server's version either by scanning with nmap or by connecting to it with nc or telnet and reading the 220 greeting.
nc 192.168.1.101 25
nmap -sV 192.168.1.101 -p 25
telnet 192.168.1.101 25
The Metasploit smtp_enum module will connect to a given mail server and use a wordlist to enumerate users present on the remote system (via VRFY, EXPN and RCPT TO).
use auxiliary/scanner/smtp/smtp_enum
The Metasploit smtp_relay module can be used to test whether the SMTP server is an open relay (accepts mail from an outside sender to an outside recipient).
use auxiliary/scanner/smtp/smtp_relay
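A hand-rolled version of what the two modules above check, as an added example that is not code from the original page or from Metasploit: one nc connection per test, with the reply to the interesting command picked out by position (HELO gets exactly one reply, so the VRFY answer is reply 3 and the RCPT TO answer is reply 4). Multi-line replies ("250-...") are handled, since EHLO-style banners and greetings often use them. The host, the HELO name, the candidate usernames and the sender/recipient addresses are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: minimal smtp_enum / smtp_relay
# equivalents over nc. Host, usernames and addresses are assumptions.

# Final code of reply number $2 in transcript $1. A reply ends on a "ddd " line;
# "ddd-" lines are continuations of a multi-line reply and are skipped.
smtp_reply_code() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[0-9][0-9][0-9] / { if (++i == n) { print substr($0, 1, 3); exit } }'
}

# Transcript of: greeting, HELO, VRFY user, QUIT -> reply 3 answers the VRFY.
vrfy_verdict() {
    case "$(smtp_reply_code "$1" 3)" in
        250|251) echo "exists" ;;
        252)     echo "unverifiable" ;;   # server will not confirm; enumerate with RCPT TO instead
        550|551) echo "no-such-user" ;;
        500|502) echo "vrfy-disabled" ;;
        *)       echo "unknown" ;;
    esac
}

# Transcript of: greeting, HELO, MAIL FROM, RCPT TO, QUIT -> reply 4 answers the
# RCPT TO. Accepting a foreign recipient from a foreign sender is an open relay.
relay_verdict() {
    case "$(smtp_reply_code "$1" 4)" in
        250)             echo "open-relay" ;;
        550|551|553|554) echo "relay-denied" ;;
        *)               echo "unknown" ;;
    esac
}

# Send each command after a pause so the server has answered the previous one.
smtp_chat() {   # $1 host, remaining args = commands in order
    host=$1; shift
    { sleep 1; for c in "$@"; do printf '%s\r\n' "$c"; sleep 1; done; } | nc -w 5 "$host" 25
}

smtp_enum_users() {   # $1 host, remaining args = candidate usernames
    host=$1; shift
    for u in "$@"; do
        printf '%s: %s\n' "$u" "$(vrfy_verdict "$(smtp_chat "$host" "HELO test.example" "VRFY $u" "QUIT")")"
    done
}

smtp_relay_check() {  # $1 host; sender and recipient are both outside the server's domains
    relay_verdict "$(smtp_chat "$1" "HELO test.example" \
        "MAIL FROM:<sender@outside.example>" "RCPT TO:<victim@other.example>" "QUIT")"
}

if [ "$#" -gt 0 ]; then   # usage: sh smtp_probe.sh 192.168.1.101 root admin postmaster
    printf 'relay: %s\n' "$(smtp_relay_check "$1")"
    smtp_enum_users "$@"
fi
```

A 252 on VRFY is the common hardened answer (Postfix gives it by default): it neither confirms nor denies, so fall back to MAIL FROM / RCPT TO per candidate and read the RCPT TO code instead.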
Port 80/443 — HTTP
We can find the web server's version either by scanning with nmap or by connecting to port 80 with nc or telnet and typing an HTTP request by hand (port 443 speaks TLS, so a plain nc/telnet connection will not get an HTTP response; use nmap -sV or a TLS-aware client there).
nc 192.168.1.101 80
telnet 192.168.1.101 80
nmap -sV 192.168.1.101 -p 80,443
Enumeration using nikto
nikto -h https://192.168.1.101
nikto -h http://192.168.1.101
The Metasploit dir_scanner module can be used to find interesting directories under a given path by requesting each name from a wordlist.
use auxiliary/scanner/http/dir_scanner
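The HTTP steps above done by hand, as an added example that is not code from the original page: a raw HEAD request over nc (and over openssl s_client for 443) to read the status line and Server header, and a curl loop standing in for dir_scanner that reports every path whose status is not 404. The host, the small inline wordlist and the header samples in the test are assumptions/constructed data.

```shell
#!/bin/sh
# Added example, not from the original page: HTTP banner grab and a minimal
# directory scan. Host and wordlist are assumptions.

# Status code from the first line of a raw HTTP response.
http_status() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# Value of the Server header (matched case-insensitively); empty if it is hidden.
http_server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Raw HEAD request; HTTP/1.0 so the server closes the connection itself.
http_head() {   # $1 host, $2 port (default 80)
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | nc -w 5 "$1" "${2:-80}"
}

# Same request over TLS for 443; -quiet suppresses the certificate chatter.
https_head() {
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | openssl s_client -quiet -connect "$1:443" 2>/dev/null
}

# Anything but 404 (or 000 = no answer) is worth a look: 200/301/302 exist,
# 403 usually exists but is access-controlled, 401 wants credentials.
dir_interesting() {
    case "$1" in 404|000) return 1 ;; *) return 0 ;; esac
}

# One curl per wordlist entry; -w prints only the status code.
dir_scan() {   # $1 base URL, stdin = wordlist, one name per line
    while IFS= read -r d; do
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1/$d/")
        if dir_interesting "$code"; then printf '%s %s/%s/\n' "$code" "$1" "$d"; fi
    done
}

if [ "$#" -gt 0 ]; then   # usage: sh http_probe.sh 192.168.1.101
    r=$(http_head "$1")
    printf 'HTTP %s, Server: %s\n' "$(http_status "$r")" "$(http_server_header "$r")"
    printf '%s\n' admin backup cgi-bin images phpmyadmin uploads | dir_scan "http://$1"
fi
```

The trailing slash in the request matters: many servers answer 301 for `/admin` and 200 or 403 for `/admin/`, and a wildcard host that returns 200 for everything will show up as every word being "interesting", which is the cue to compare response sizes instead of codes.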
Port 139/445 — SMB
Enumerate Hostname
nmblookup -A [ip]
List Shares
smbmap -H [ip/hostname]
echo exit | smbclient -L \\\\[ip]
nmap --script smb-enum-shares -p 139,445 [ip]
Check Null Sessions
smbmap -H [ip/hostname]
rpcclient -U "" -N [ip]
smbclient -N \\\\[ip]\\[share name]
Check for SMB vulnerabilities using nmap (quote the glob so the shell does not expand it against local filenames)
nmap --script "smb-vuln*" -p 139,445 [ip]
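The SMB steps above chained into one script, as an added example that is not code from the original page: the share list is parsed out of `smbclient -L`, each share is then opened without credentials (a null session), and the script reports which ones are readable anonymously before running the RPC and nmap checks. The target host is an assumption; the `smbclient -L` output used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: null-session share enumeration
# and access check for one host. The host is an assumption.

# Share names from `smbclient -L` output: every row under the "Sharename  Type"
# header until the first blank line, skipping the dashed underline row.
smb_parse_shares() {
    printf '%s\n' "$1" | awk '
        /Sharename[ \t]+Type/ { inlist = 1; next }
        inlist && NF == 0     { exit }
        inlist && $1 !~ /^-+$/ && $2 ~ /^(Disk|IPC|Printer)$/ { print $1 }'
}

# smbclient exits non-zero when the null session cannot list the share.
smb_share_readable() {   # $1 host, $2 share
    smbclient -N "//$1/$2" -c 'ls' >/dev/null 2>&1
}

smb_null_session_check() {
    host=$1
    printf '== NetBIOS name ==\n'; nmblookup -A "$host"
    listing=$(smbclient -N -L "//$host" 2>/dev/null)
    printf '== share list ==\n%s\n' "$listing"
    printf '== null-session access per share ==\n'
    smb_parse_shares "$listing" | while IFS= read -r share; do
        if smb_share_readable "$host" "$share"; then
            printf 'READABLE  %s\n' "$share"
        else
            printf 'denied    %s\n' "$share"
        fi
    done
    printf '== RPC over null session ==\n'
    rpcclient -U "" -N "$host" -c 'srvinfo; enumdomusers' 2>&1 | head -n 20
    printf '== known SMB vulnerabilities (nmap) ==\n'
    nmap --script 'smb-vuln*' -p 139,445 "$host"
}

if [ "$#" -gt 0 ]; then smb_null_session_check "$1"; fi   # usage: sh smb_null.sh 192.168.1.101
```

IPC$ showing as readable is normal (it is the named-pipe share every null session lands on); a readable Disk share is the finding.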