
Collection of penetration test information -- use with nmap and other tools

2022-07-06 18:35:00 Aspirin. two thousand and two

Using the tools together

All penetration testing starts from ports.

Common ports and the penetration approaches associated with them

| Port | Service / protocol (brief description) | Possible uses of the port in a penetration test |
|------|----------------------------------------|-------------------------------------------------|
| tcp 21 | ftp, default data and command transfer port (plaintext or encrypted) | anonymous upload/download, brute force, sniffing, Windows privilege escalation, remote execution (proftpd 1.3.5), backdoors (proftpd, vsftpd 2.3.4) |
| tcp 22 | ssh (data encrypted with ssl) | brute force based on the information collected, v1 man-in-the-middle, ssh tunnelling and intranet proxy forwarding, file transfer, etc.; commonly used for Linux remote management |
| tcp 23 | telnet (plaintext) | brute force, sniffing; commonly used for router and switch logins, weak passwords can be tried, sometimes with unexpected gains |
| tcp 25 | smtp (simple mail transfer protocol; most Linux distributions may enable it by default) | mail forgery, vrfy/expn to enumerate mail users (the smtp-user-enum tool automates this) |
| tcp/udp 53 | dns (domain name resolution) | zone transfer allowed, dns hijacking, cache poisoning, spoofing, and all kinds of dns tunnels for remote control |
| tcp/udp 69 | tftp (trivial file transfer protocol, no authentication) | try to download the target's various important configuration files |
| tcp 80-89, 443, 8440-8450, 8080-8089 | web (common web service ports) | try the classic top-n issues, vpn, owa, webmail, the target's OA system, java consoles of all kinds, web management panels of various servers, web middleware exploits, web framework exploits, etc. |
| tcp 110 | pop3 (post office protocol, plaintext or encrypted) | brute force, sniffing |
| tcp 137, 139, 445 | samba / smb (file sharing between Windows and Linux, plaintext) | brute force, exploitation of the various smb remote execution vulnerabilities such as ms08-067 and ms17-010, sniffing, etc. |
| tcp 143 | imap (plaintext or encrypted) | brute force |
| udp 161 | snmp (plaintext) | brute force the default community strings, collect target intranet information |
| tcp 389 | ldap (lightweight directory access protocol) | ldap injection, anonymous access allowed, weak passwords |
| tcp 512, 513, 514 | linux rexec | brute force, rlogin login |
| tcp 873 | rsync backup service | anonymous access, file upload |
| tcp 1194 | openvpn | find a way to obtain vpn credentials and reach the intranet |
| tcp 1352 | Lotus Domino mail service | weak passwords, information leakage, brute force |
| tcp 1433 | mssql database (exposed externally) | injection, privilege escalation, weak sa password, brute force |
| tcp 1521 | oracle database | tns brute force, injection, getting a shell |
| tcp 1500 | ispmanager hosting control panel | weak passwords |
| tcp 1025, 111, 2049 | nfs | improper permission configuration |
| tcp 1723 | pptp | brute force, find a way to obtain vpn credentials and reach the intranet |
| tcp 2082, 2083 | cpanel host management panel login | weak passwords |
| tcp 2181 | zookeeper | unauthorized access |
| tcp 2601, 2604 | zebra routing | default password "zebra" |
| tcp 3128 | squid proxy service | weak passwords |
| tcp 3312, 3311 | kangle host management login | weak passwords |
| tcp 3306 | mysql database | injection, privilege escalation, brute force |
| tcp 3389 | Windows rdp remote desktop | shift backdoor, brute force, ms12-020 (blue-screen exploit) |
| tcp 4848 | glassfish console | weak passwords |
| tcp 4899 | radmin remote desktop management tool | capture the password, pivot to further machines |
| tcp 5000 | sybase / DB2 database | brute force, injection |
| tcp 5432 | postgresql database | brute force, injection, weak passwords |
| tcp 5632 | pcanywhere remote desktop management tool | capture the password, code execution |
| tcp 5900, 5901, 5902 | vnc remote desktop management tool | weak password brute force; without thorough information gathering the chance of success is very small |
| tcp 5984 | CouchDB | unauthorized execution of arbitrary commands |
| tcp 6379 | redis (unauthorized) | unauthorized access can be attempted, weak password brute force |
| tcp 7001, 7002 | weblogic console | java deserialization, weak passwords |
| tcp 7778 | kloxo | host panel login |
| tcp 8000 | Ajenti hosting control panel | weak passwords |
| tcp 8443 | plesk hosting control panel | weak passwords |
| tcp 8069 | zabbix | remote execution, sql injection |
| tcp 8080-8089 | Jenkins, jboss | deserialization, console weak passwords |
| tcp 9080-9081, 9090 | websphere console | java deserialization / weak passwords |
| tcp 9200, 9300 | elasticsearch | remote execution |
| tcp 10000 | webmin (Linux host web control panel) | weak passwords |
| tcp 11211 | memcached | unauthorized access |
| tcp 27017, 27018 | mongodb | brute force, unauthorized access |
| tcp 3690 | svn service | svn leakage, unauthorized access |
| tcp 50000 | SAP Management Console | remote execution |
| tcp 50070, 50030 | hadoop | unauthorized access on the default ports |

1、Typical uses of Nmap

  • Host discovery

    Identify hosts on the network, for example by listing the hosts that respond to TCP and/or ICMP requests or have a specific port open.

  • Port scanning

    Enumerate the open ports on the target host.

  • Version detection

    Interrogate the network services on the remote device to determine the application name and version number.

  • OS detection

    Determine the operating system and hardware characteristics of the network device.

  • Vulnerability detection by software version

    Detect vulnerabilities based on the detected software version (using Nmap scripts).

2、Description of common Nmap scan parameters

Parameter (case sensitive): explanation
-sT: TCP connect() scan. A large number of connection requests and error messages are recorded in the target host's logs (not recommended).
-sS: half-open scan. Few systems log it, but it requires root privileges (to scan others from your own machine you must run with elevated privileges).
-sF, -sN: stealth FIN packet scan, Xmas Tree and Null scan modes
-sP: ping scan. When Nmap scans ports it performs a ping scan by default, and only continues scanning if the host is alive.
-sU: UDP scan, but UDP scanning is unreliable
-sA: this advanced scan method is usually used to map a firewall's rule set
-sV: probe the service version on each port
-Pn: do not ping before scanning. Some firewalls block ping; use this option to scan anyway.
-v: show the scanning progress, recommended
-h: help option, the clearest help document
-p: specify ports, such as "1-65535", "1433", "135", "22", "80", etc.
-O: enable remote operating system detection; false positives are possible
-A: comprehensive detection: OS detection, script scanning, version scanning, etc.
-oN/-oX/-oG: write the report to a file in normal, XML, or grepable format respectively
-T4: for TCP ports, forbid dynamic scan delays exceeding 10 ms
-iL: read the host list from a file, for example "-iL C:\ip.txt"
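As an added example (not code from the original post), the following Python reads the XML report that -oX writes and joins each open port with the corresponding note from the port table above, which gives a defender a quick inventory of exposed services to review. The nmap XML sample and the PORT_NOTES subset are constructed here; the parser uses only the standard library.

```python
import xml.etree.ElementTree as ET
# Constructed sample of nmap -oX output (two hosts, trimmed to the elements used here).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/24">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
  <port protocol="tcp" portid="6379"><state state="open"/>
   <service name="redis" product="Redis key-value store" version="5.0.7"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
</nmaprun>"""

# Subset of the port reference table above, keyed by (protocol, port): what to review.
PORT_NOTES = {
    ("tcp", 21): "ftp: anonymous upload/download, brute force",
    ("tcp", 22): "ssh: brute force, tunnelling / forwarding",
    ("tcp", 23): "telnet: plaintext, weak passwords",
    ("tcp", 445): "smb: ms08-067 / ms17-010, brute force",
    ("tcp", 3389): "rdp: brute force, ms12-020",
    ("tcp", 6379): "redis: unauthorized access, weak passwords",
}

def parse_open_ports(xml_text):
    """Return [(addr, proto, port, service, version)] for every open port in -oX output."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":   # skip closed/filtered ports
                continue
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            version = " ".join(x for x in parts if x)
            rows.append((addr.get("addr"), p.get("protocol"), int(p.get("portid")), name, version))
    return rows

def triage(xml_text):
    """Join each open port with the reference note for that port ('no note' if absent)."""
    return [row + (PORT_NOTES.get((row[1], row[2]), "no note"),)
            for row in parse_open_ports(xml_text)]

OPEN_PORT_TRIAGE = triage(SAMPLE_XML)   # run over the constructed sample scan
```

Pointing ET.fromstring at a real report (`nmap -sS -sV -oX scan.xml <range>`) gives the same tuples for the actual hosts.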

3、Nmap script categories

auth: scripts that handle authentication credentials (bypassing authentication); used to detect weak passwords

broadcast: discover more services on the LAN, such as dhcp/dns/sqlserver

brute: brute-force attacks against common applications such as http/snmp

default: the default scripts run with the -sC or -A option; provide basic script scanning capability

discovery: gather more information about the network, such as SMB enumeration and SNMP queries

dos: used for denial-of-service attacks

exploit: exploit known vulnerabilities to break into the system

external: use third-party databases or resources, for example for whois lookups

fuzzer: fuzz-testing scripts that send malformed packets to the target to detect potential vulnerabilities

intrusive: intrusive scripts; these may trigger logging or blocking by the other side's IDS/IPS

malware: detect whether the target is infected with malware, has a backdoor open, and similar

safe: the opposite of intrusive; these scripts are considered safe

version: scripts that enhance service and version detection (Version Detection)

vuln: check whether the target has common vulnerabilities (Vulnerability), such as MS08_067 and MS17_010

auth, brute and vuln are the commonly used categories

4、Examples

Common scans

-sP: ping scan (prints the hosts that respond to the ping scan; no further testing such as port scanning or OS detection)
nmap -sP 192.168.110.0/24 (this command can be used to discover which machines are on the LAN)



-sS: half-open scan (TCP scan without completing the 3-way handshake)
The most frequently used scan option: SYN scan, also called half-open scan. It does not open a complete TCP connection, so it executes quickly and efficiently (a complete TCP connection requires a 3-way handshake; -sS does not complete it).
Advantages: Nmap sends a SYN packet to the remote host but does not create a session, so the target host hardly logs the connection (which makes it harder for the other side to identify the traffic as a scanning attack); fast and efficient; the most frequently used option in practice.
Disadvantages: requires root/administrator privileges to run.

nmap -sS 192.168.110.14

nmap -sS -p 1-65535 192.168.110.4 (scan all open ports of the target, half-open)



-sT: TCP scan with the full 3-way handshake
Advantages: ordinary users can also use it.
Disadvantages: this kind of scan is easy to detect, since a large number of connection requests and error messages are recorded in the target host's logs; because it must complete the 3-way handshake it is inefficient and slow. -sS is recommended instead.


-sV: scan the versions of the services open on the target address (ports)
Version detection scans the versions of the software running on the target host's ports.
nmap -sV 192.168.110.247



-O: detect the operating system version of the target address
nmap -O 192.168.110.247



-A: OS identification, version detection, script scanning and comprehensive scan
nmap -A 192.168.110.247



-Pn -A: bypass the firewall's ping filtering and run a full scan
nmap -Pn -A 192.168.110.247


Script usage

nmap --script=auth 192.168.3.26 (weak password scan)


nmap --script=brute 192.168.3.26


nmap --script=vuln 192.168.3.26


Original site

Copyright notice
This article was written by [Aspirin. two thousand and two]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202131300352394.html