1. To collect information:
   - Ports and services that allow the pentester to obtain information about the system, the network, or the services running on the target host.
   - **Ports:**
     - **ping:** icmp – check host availability.
     - **ssh:** 22, 2222, 10022 – scan for an SSH server.
     - **http/https:** 80, 443, 8080 (category top1) – scan web services to collect information.
     - **snmp:** 161 – collect information via the SNMP protocol.
     - **smtp/pop3/imap:** 25, 587, 465, 2525 (SMTP), 110, 995 (POP3), 143, 993 (IMAP) – collect information about mail services.
     - **ftp:** 21, 2121 – grab the FTP server banner.
     - **rdp:** 3389, 13389, 33899, 33389 – identify an RDP server.
     - **nfs:** 2049 – collect information about network file storage.
     - **elasticsearch:** 9200, 9300 – scan for Elasticsearch services.
     - **ldap:** 389 – check the LDAP server.
     - **zookeeper:** 2181, 2888, 3888 – collect information about the Zookeeper cluster.
     - **consul:** 8500, 8300, 8301, 8302 – collect data about the service management system.
2. For brute force:
   - Ports and services on which brute-force attacks can potentially be performed to guess passwords.
   - **Ports:**
     - **ssh:** 22, 2222, 10022 – guessing SSH passwords.
     - **ftp:** 21, 2121 – guessing FTP server credentials.
     - **rdp:** 3389, 13389, 33899, 33389 – guessing RDP credentials.
     - **mssql:** 1433, 1434, 1435, mssqlntlm – guessing Microsoft SQL Server credentials.
     - **mysql:** 3306, 3307, 3308, 33060, 33066 – guessing MySQL credentials.
     - **postgresql:** 5432 – PostgreSQL credentials brute-force attack.
     - **pop3:** 110, 995 – POP3 server brute-force attack.
     - **imap:** 143, 993 – IMAP server brute-force attack.
     - **telnet:** 23 – Telnet server password brute-force attack.
     - **vnc:** 5900, 5901, 5800 – VNC server password brute-force attack.
     - **redis:** 6379 – Redis server brute-force attack.
     - **mongodb:** 27017, 27018, 27019 – MongoDB credentials brute-force attack.
     - **cassandra:** 9042, 7000 – Cassandra brute-force attack.
3. To check exploits:
   - Ports and services that may contain vulnerabilities used for further exploitation.
   - **Ports:**
     - **windows:** 445 (SMB), 3389 (RDP) – using exploits for Windows systems.
     - **mssql:** 1433, 1434 – exploitation of Microsoft SQL Server vulnerabilities.
     - **mysql:** 3306 – exploitation of MySQL vulnerabilities.
     - **oracle:** 1521 – exploitation of Oracle Database vulnerabilities.
     - **elasticsearch:** 9200 – exploitation of Elasticsearch vulnerabilities.
     - **jboss:** 45566, 4446, 3873, 5001 – exploitation of JBoss vulnerabilities.
     - **couchdb:** 5984 – CouchDB exploitation.
     - **docker:** 2375, 2376 – Docker API exploitation.
     - **memcache:** 11211 – Memcached exploitation.
     - **websphere:** 8880, 2809, 9100, 11006 – IBM WebSphere exploitation.
     - **jndi:** 1098, 1099, 1100 – Java Naming and Directory Interface (JNDI) exploitation.
     - **ajp:** 8009 – Apache JServ Protocol (AJP) exploitation.
     - **php-xdebug:** 9000 – PHP Xdebug remote debugging exploitation.
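The same port list is useful on the blue-team side: if a single source touches many of the service ports above in a short window it is sweeping, and if it hits one of the "brute force" services over and over it is guessing credentials. The following is an added example, not code from the original post; it builds the port-to-service map from the list above, parses constructed `src=… dst=… dport=…` firewall lines (the log format and the IP addresses are assumptions for the example) and reports sources that cross a sweep or brute-force threshold.

```python
"""Classify inbound connection attempts against the port list above and flag
sweeps and brute-force attempts. Added example; log format and thresholds are
assumptions, the port-to-service map comes from the post."""
from collections import defaultdict

# Port -> service family, taken from the three lists in the post. A port that
# appears under more than one phase (e.g. 22 under recon and brute force) is
# listed once; the phase is decided by observed behaviour, not by the port.
PORT_SERVICE = {
    22: "ssh", 2222: "ssh", 10022: "ssh",
    80: "http", 443: "https", 8080: "http",
    161: "snmp",
    25: "smtp", 587: "smtp", 465: "smtp", 2525: "smtp",
    110: "pop3", 995: "pop3", 143: "imap", 993: "imap",
    21: "ftp", 2121: "ftp",
    3389: "rdp", 13389: "rdp", 33899: "rdp", 33389: "rdp",
    2049: "nfs", 9200: "elasticsearch", 9300: "elasticsearch",
    389: "ldap", 2181: "zookeeper", 2888: "zookeeper", 3888: "zookeeper",
    8500: "consul", 8300: "consul", 8301: "consul", 8302: "consul",
    1433: "mssql", 1434: "mssql", 1435: "mssql",
    3306: "mysql", 3307: "mysql", 3308: "mysql", 33060: "mysql", 33066: "mysql",
    5432: "postgresql", 23: "telnet",
    5900: "vnc", 5901: "vnc", 5800: "vnc",
    6379: "redis", 27017: "mongodb", 27018: "mongodb", 27019: "mongodb",
    9042: "cassandra", 7000: "cassandra",
    445: "smb", 1521: "oracle",
    45566: "jboss", 4446: "jboss", 3873: "jboss", 5001: "jboss",
    5984: "couchdb", 2375: "docker", 2376: "docker", 11211: "memcache",
    8880: "websphere", 2809: "websphere", 9100: "websphere", 11006: "websphere",
    1098: "jndi", 1099: "jndi", 1100: "jndi", 8009: "ajp", 9000: "php-xdebug",
}

# Services the post lists under "for brute force": repeated hits on one of
# these from one source are password guessing rather than a port sweep.
BRUTE_FORCE_SERVICES = {"ssh", "ftp", "rdp", "mssql", "mysql", "postgresql",
                        "pop3", "imap", "telnet", "vnc", "redis", "mongodb",
                        "cassandra"}

# Constructed sample log (RFC 5737 documentation addresses, assumed format):
# one sweeping source, one source hammering SSH, one ordinary HTTPS client.
SAMPLE_LOG = (
    ["src=203.0.113.7 dst=192.0.2.10 dport=%d" % p
     for p in (22, 80, 161, 389, 2049, 3389, 6379)]
    + ["src=198.51.100.9 dst=192.0.2.10 dport=22"] * 12
    + ["src=192.0.2.5 dst=192.0.2.10 dport=443"] * 2
)


def parse_line(line):
    """Parse one 'src=IP dst=IP dport=N' line into (src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def analyse(lines, sweep_threshold=5, brute_threshold=10):
    """Return {src: {"sweep": [services], "brute": {service: hits}}} for every
    source that touched >= sweep_threshold distinct services or made
    >= brute_threshold attempts against one brute-forceable service."""
    services_per_src = defaultdict(set)
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        src, _dst, dport = parse_line(line)
        svc = PORT_SERVICE.get(dport)
        if svc is None:          # port not in the list: not classified here
            continue
        services_per_src[src].add(svc)
        if svc in BRUTE_FORCE_SERVICES:
            hits[src][svc] += 1
    findings = {}
    for src, svcs in services_per_src.items():
        report = {}
        if len(svcs) >= sweep_threshold:
            report["sweep"] = sorted(svcs)
        brute = {s: n for s, n in hits[src].items() if n >= brute_threshold}
        if brute:
            report["brute"] = brute
        if report:
            findings[src] = report
    return findings


if __name__ == "__main__":
    for src, report in analyse(SAMPLE_LOG).items():
        print(src, report)
```

With the sample log, the sweeping source is reported with the seven service families it touched, the SSH source is reported as a brute-force attempt with 12 hits, and the HTTPS client is not reported at all. The thresholds are deliberately parameters: tune them to the host's real traffic before turning this into an alert.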